Remote deployment of ownCloud with Ansible

This article explains how to set up ownCloud with Ansible on a remote CentOS 7 host with an SSL certificate.


Steps

A. Prerequisites:

  1. Mac or Linux PC as workstation (WSL on Windows 10 could work as well)
  2. Server running Linux (centos7, centos8, ubuntu, suse)
  3. git and python3.x on the workstation
  4. SSH access to the server
  5. An administrative user on the server (root or passwordless sudo)
  6. Wildcard or domain certificate

B. Deployment

  1. To start, pull the playground repo from owncloud-ansible

git clone https://github.com/owncloud-ansible/playground

  1. After cloning the repository, open the folder ‘playground’ with the editor of your choice.

code playground

  1. Next, edit the files in the inventory folder that matches your server, e.g. centos7.

playground/
├── inventories/
│   ├── centos7/
│   │     ├── hosts
│   │     └── group_vars/
│   │     │     ├── database.yml
│   │     │     ├── redis.yml
│   │     │     └── owncloud.yml
│   │     └── host_vars/
│   ├── centos8/
│   ├── ubuntu-minimal/
│   └── suse/
├── playbooks/
│   ├── setup.yml
│   ├── redis.yml
│   ├── database.yml
│   └── owncloud.yml
└── roles/
    └── requirements.yml

Since you will set up a centos7 server, you can either delete or ignore the inventory folders you don’t need.

  1. Now execute the following command in the root of your playground folder. The command downloads the roles declared in roles/requirements.yml to a local folder (usually ~/.ansible/roles/).

ansible-galaxy install -r roles/requirements.yml --force

  1. For this standard setup, you have to make changes in the group_vars folder and in the hosts file. In hosts, replace <server.ip> with the address of your server:

[database]
db1 ansible_host=<server.ip>
 
[redis]
redis1 ansible_host=<server.ip>
 
[owncloud]
owncloud1 ansible_host=<server.ip>

The changes above declare three hosts in three groups: ‘db1’ in the group [database], ‘redis1’ in [redis] and ‘owncloud1’ in [owncloud]. When you run the playbook, Ansible first applies the group vars and then the host vars. To understand what that means, have a look at ‘database.yml’ in ‘group_vars/’:


---
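mariadb_root_password: root  # sample value; set your own before deploying

mariadb_port: "3306"
mariadb_bind_address: "127.0.0.1"  # loopback only; the database is not exposed on the network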
 
mariadb_databases:
  - name: owncloud
    collation: utf8mb4_bin
    encoding: utf8mb4
 
mariadb_users:
  - name: owncloud
    host: localhost
    password: owncloud  # sample value; must match owncloud_db_password in owncloud.yml
    priv: "owncloud.*:ALL"
 
mariadb_packages_extra:
  - centos-release-scl
...

Here you can see the config for MariaDB. The Ansible role that installs MariaDB expects a couple of variables to be set. Since this file is located in the ‘group_vars’ folder and is named after the group, it is applied to all hosts in the group [database].

  1. In the next step, ownCloud is configured in group_vars/owncloud.yml:

---
owncloud_version: "10.6.0"
owncloud_fqdn: your.domain.tld
owncloud_admin_username: admin
owncloud_admin_password: owncloud  # sample value; set your own before deploying
 
owncloud_db_name: owncloud
owncloud_db_user: owncloud
owncloud_db_password: owncloud  # must match the password of the MariaDB user above
apache_vhosts:
  - servername: "{{ owncloud_fqdn }}"
    documentroot: "{{ owncloud_deploy_path }}"
...

Since the group owncloud includes the roles php, apache and owncloud, you can override any of the defaults defined for these roles in ~/.ansible/roles/{owncloud,php,apache}/defaults/main.yml.

A good reference is the documentation of the owncloud role.

  1. If Apache is to terminate SSL, you have to provide a certificate, either a wildcard certificate or one for the domain. Make sure the certificate and key are copied to /root/cert.pem and /root/privkey.pem, or change the source paths to match the location of your certificates on the server's storage. Then set the following vhost declaration in owncloud.yml:

apache_vhosts:
  - servername: "{{ owncloud_fqdn }}"
    documentroot: "{{ owncloud_deploy_path }}"
apache_vhosts_ssl:
  - servername: "{{ owncloud_fqdn }}"
    documentroot: "{{ owncloud_deploy_path }}"
    certificate_file: "/etc/pki/tls/certs/full-chain.pem"
    certificate_file_source: "/root/cert.pem"
    certificate_key_file: "/etc/pki/tls/private/privkey.pem"
    certificate_key_source: "/root/privkey.pem"
    header_ocsp_trusted_certificate:
    header_hsts_options:
      - max-age=15552000
      - includeSubDomains
    header_xfo_policy: deny
    header_xcto_enabled: True
    header_csp_options:
      - directive: frame-ancestors
        parameters:
          - https://your.domain.tld
    header_xxxsp_parameters:
      - mode=block
...

  1. As a last step, run the playbook:

ansible-playbook -i inventories/centos7/hosts playbooks/setup.yml

The playbook run for this deployment takes 15 to 30 minutes and should create a perfectly preconfigured ownCloud installation.
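
The database.yml and owncloud.yml samples above ship with placeholder secrets, so a pre-flight check of group_vars before the ansible-playbook run is worthwhile. The script below is an added example, not part of the original article or the playground repo; the function names, the 12-character minimum and the variable vault_owncloud_db_password are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the playground repo): lint group_vars before a run.
# Assumes flat "key: value" lines like the samples above; the 12-character
# minimum is this example's choice, not an ownCloud or Ansible rule.

lint_group_vars() {   # $1 = group_vars directory; one output line per finding
    for f in "$1"/*.yml; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
        function value(line) {
            sub(/^[^:]*:[ \t]*/, "", line)        # drop "key:"
            sub(/[ \t]+#.*$/, "", line)           # drop trailing comment
            gsub(/^["\047]|["\047]$/, "", line)   # drop surrounding quotes
            return line
        }
        /^[ \t-]*[A-Za-z_]*password[ \t]*:/ {
            v = value($0)
            # vault-encrypted values and Jinja references are not literals
            if (v ~ /^!vault/ || v ~ /[{][{]/) next
            if (v == "root" || v == "owncloud" || length(v) < 12)
                printf "%s:%d: placeholder or short secret\n", file, NR
        }
        /^[ \t]*mariadb_bind_address[ \t]*:/ {
            v = value($0)
            if (v != "127.0.0.1" && v != "::1" && v != "localhost")
                printf "%s:%d: bind address %s is not loopback\n", file, NR, v
        }' "$f"
    done
}

demo() {   # constructed sample: tutorial placeholders plus a non-loopback bind
    d=$(mktemp -d) || return 1
    printf '%s\n' 'mariadb_root_password: root' 'mariadb_bind_address: "0.0.0.0"' \
        'mariadb_users:' '  - name: owncloud' '    password: owncloud' > "$d/database.yml"
    # vault_owncloud_db_password is a hypothetical vaulted variable
    printf '%s\n' 'owncloud_admin_password: owncloud' \
        'owncloud_db_password: "{{ vault_owncloud_db_password }}"' > "$d/owncloud.yml"
    lint_group_vars "$d"
    rm -rf "$d"
}

# With a directory argument, lint it; any output means the inventory needs edits.
if [ $# -gt 0 ]; then lint_group_vars "$1"; fi
```

Saved under a name of your choice and called with inventories/centos7/group_vars as its argument, it prints nothing once every password is a vaulted or sufficiently long value and MariaDB binds to loopback.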