Added NextCloud, Fixed Authelia, Updated rtorrent config

2018-07-05 16:21:50 -05:00 · 2018-07-05 16:21:50 -05:00 · e99d860ac4
commit e99d860ac4
parent 61832a7c32
15 changed files with 2261 additions and 22 deletions
--- a/pillars/roles/aurpkgs/cloud.sls
+++ b/pillars/roles/aurpkgs/cloud.sls
@ -0,0 +1,3 @@
 aur:
  pkgs:
    onlyoffice-documentserver: []
--- a/pillars/roles/database/nextcloud.sls
+++ b/pillars/roles/database/nextcloud.sls
@ -0,0 +1,9 @@
 database:
  users:
    nextcloud:
      host: cloud.actcur.com
  databases:
    nextcloud:
      nextcloud:
        host: cloud.actcur.com
        grant: all privileges
--- a/pillars/roles/mount/nextcloud.sls
+++ b/pillars/roles/mount/nextcloud.sls
@ -0,0 +1,7 @@
 mount:
  sshfs:
    /mnt/nextcloud:
      name: nextcloud
      host: host.actcur.com
      directory: /mnt/butter/nextcloud
      user: mount
--- a/pillars/roles/nginx/nextcloud.sls
+++ b/pillars/roles/nginx/nextcloud.sls
@ -0,0 +1,18 @@
 nginx:
  cloud:
    auth: none
    https:
      port: 8080
      prot: http
  office:
    auth: none
    https:
      port: 8000
      prot: http
 portal:
  Misc:
    cloud:
      name: NextCloud
      summary: NextCloud Server
      public: true
--- a/pillars/servers/env/server/cloud.sls
+++ b/pillars/servers/env/server/cloud.sls
@ -0,0 +1 @@
 env: prod
--- a/pillars/servers/roles/server/cloud.sls
+++ b/pillars/servers/roles/server/cloud.sls
@ -0,0 +1,8 @@
 grains:
  roles:
    - server
    - ssh
    - nrpe
    - saltminion
    - nextcloud
    - nginx-proxy
--- a/states/roles/maintain/authelia/config.yml
+++ b/states/roles/maintain/authelia/config.yml
@ -46,6 +46,22 @@ ldap:
  user: uid=authelia_admin,cn=users,cn=accounts,dc=actcur,dc=com
  password: "{%- include 'secure/passwords/authelia_admin_password.txt' -%}"
 # Authentication methods
 #
 # Authentication methods can be defined per subdomain.
 # There are currently two available methods: "single_factor" and "two_factor"
 #
 # Note: by default a domain uses "two_factor" method.
 #
 # Note: 'per_subdomain_methods' is a dictionary where keys must be subdomains and
 # values must be one of the two possible methods.
 #
 # Note: 'per_subdomain_methods' is optional.
 #
 # Note: authentication_methods is optional. If it is not set all sub-domains
 # are protected by two factors.
 authentication_methods:
  default_method: two_factor
 # Access Control
 #
@ -104,8 +120,14 @@ access_control:
        policy: allow
      - domain: 'radarr.actcur.com'
        policy: allow
-      - domain: 'deluge.actcur.com'
+      - domain: 'rtorrent.actcur.com'
        policy: allow
      - domain: 'jackett.actcur.com'
        policy: allow
  users:
    none:
      - domain: 'none'
        policy: deny
 # Configuration of session cookies
 #
@ -152,7 +174,8 @@ storage:
  # Settings to connect to mongo server
  mongo:
-    url: mongodb://127.0.0.1/authelia
+    url: mongodb://127.0.0.1/
    database: authelia
 # Configuration of the notification system.
 #
--- a/states/roles/maintain/authelia/init.sls
+++ b/states/roles/maintain/authelia/init.sls
@ -1,3 +1,13 @@
 authelia_build_pkgs:
  pkg.installed:
    - pkgs:
        - make
        - gcc
 authelia_nodejs:
  pkg.installed:
    - name: nodejs-lts-carbon
 authelia_npm:
  pkg.installed:
    - name: npm
--- a/states/roles/maintain/nextcloud/init.sls
+++ b/states/roles/maintain/nextcloud/init.sls
@ -0,0 +1,68 @@
 nextcloud-pkgs:
  pkg.installed:
    - pkgs:
      - nextcloud
      - php-gd
      - php-intl
      - nginx
      - collabora-online-server-nodocker
      - redis
      - rabbitmq
      - postgresql
 /etc/pacman.d/hooks/nextcloud.hook:
  file.managed:
    - source: salt://roles/maintain/nextcloud/nextcloud.hook
    - user: root
    - group: root
    - mode: 644
    - makedirs: true
 /etc/php/php.ini:
  file.managed:
    - source: salt://roles/maintain/nextcloud/php.ini
    - user: root
    - group: root
    - mode: 644
 rtorrent-php-fpm:
  pkg.installed:
    - name: php-fpm
  service.running:
    - name: php-fpm
    - enable: true
    - watch:
      - file: /etc/php/php.ini
 /etc/nginx/conf.d/nextcloud.conf:
  file.managed:
    - source: salt://roles/maintain/nextcloud/nginx-nextcloud.conf
    - user: root
    - group: root
    - mode: 644
 /etc/nginx/conf.d/collabora.conf:
  file.managed:
    - source: salt://roles/maintain/nextcloud/nginx-collabora.conf
    - user: root
    - group: root
    - mode: 644
 mount:
  group.present:
    - gid: 503
    - addusers:
      - http
 nginx-service:
  service.running:
    - name: nginx
    - watch:
      - file: /etc/nginx/conf.d/nextcloud.conf
 /usr/share/webapps/nextcloud/apps:
  file.directory:
    - user: http
    - group: http
    - dir_mode: 750
--- a/states/roles/maintain/nextcloud/nextcloud.hook
+++ b/states/roles/maintain/nextcloud/nextcloud.hook
@ -0,0 +1,11 @@
 [Trigger]
 Operation = Install
 Operation = Upgrade
 Type = Package
 Target = nextcloud
 Target = nextcloud-app-*
 [Action]
 Description = Update Nextcloud installation
 When = PostTransaction
 Exec = /usr/bin/runuser -u http -- /usr/bin/php /usr/share/webapps/nextcloud/occ upgrade
--- a/states/roles/maintain/nextcloud/nginx-collabora.conf
+++ b/states/roles/maintain/nextcloud/nginx-collabora.conf
@ -0,0 +1,45 @@
 upstream office.actcur.com {
    server 127.0.0.1:9980;
 }
 server {
    listen 8000;
    server_name office.actcur.com;
    # static files
    location ^~ /loleaflet {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $host;
    }
    # WOPI discovery URL
    location ^~ /hosting/discovery {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $host;
    }
    # Main websocket
    location ~ /lool/(.*)/ws$ {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }
    # Admin Console websocket
    location ^~ /lool/adminws {
        proxy_buffering off;
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 36000s;
    }
    # download, presentation and image upload
    location ~ /lool {
        proxy_pass http://127.0.0.1:9980;
        proxy_set_header Host $host;
    }
 }
--- a/states/roles/maintain/nextcloud/nginx-nextcloud.conf
+++ b/states/roles/maintain/nextcloud/nginx-nextcloud.conf
@ -0,0 +1,116 @@
 upstream php-handler {
    server unix:/run/php-fpm/php-fpm.sock;
 }
 server {
   listen 8080;
   server_name cloud.actcur.com;
    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    # add_header Strict-Transport-Security "max-age=15768000;
    # includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Path to the root of your installation
    root /usr/share/webapps/nextcloud/;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
    # last;
    location = /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location = /.well-known/caldav {
       return 301 $scheme://$host/remote.php/dav;
    }
    location ~ /.well-known/acme-challenge {
      allow all;
    }
    # set max upload size
    client_max_body_size 512M;
    fastcgi_buffers 64 4K;
    # Disable gzip to avoid the removal of the ETag header
    gzip off;
    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;
    error_page 403 /core/templates/403.php;
    error_page 404 /core/templates/404.php;
    location / {
       rewrite ^ /index.php$uri;
    }
    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
       deny all;
    }
    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
       deny all;
     }
    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        #Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
       try_files $uri/ =404;
       index index.php;
    }
    # Adding the cache control header for js and css files
    # Make sure it is BELOW the PHP block
    location ~* \.(?:css|js)$ {
        try_files $uri /index.php$uri$is_args$args;
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        # add_header Strict-Transport-Security "max-age=15768000;
        # includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        # Optional: Don't log access to assets
        access_log off;
   }
   location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
        try_files $uri /index.php$uri$is_args$args;
        # Optional: Don't log access to other assets
        access_log off;
   }
 }
--- a/states/roles/maintain/nextcloud/php.ini
+++ b/states/roles/maintain/nextcloud/php.ini
--- a/states/roles/maintain/nginx-proxy/init.sls
+++ b/states/roles/maintain/nginx-proxy/init.sls
@ -89,7 +89,7 @@ nginx:
 {%- else %}
 /etc/nginx/conf.d/default.conf:
  file.managed:
-    - mkdirs: true
+    - makedirs: true
    - source: salt://roles/maintain/nginx-proxy/default.conf
    - user: root
    - group: root
--- a/states/roles/maintain/rtorrent/rtorrent.rc
+++ b/states/roles/maintain/rtorrent/rtorrent.rc
@ -1,32 +1,32 @@
 # Maximum and minimum number of peers to connect to per torrent.
-min_peers = 40
+throttle.min_peers.normal.set = 40
-max_peers = 100
+throttle.max_peers.normal.set = 100
 # Same as above but for seeding completed torrents (-1 = same as downloading)
-min_peers_seed = 25
+throttle.min_peers.seed.set = 25
-max_peers_seed = 60
+throttle.max_peers.seed.set = 60
 # Maximum number of simultaneous uploads per torrent.
-max_uploads = 30
+throttle.max_uploads.set = 30
 # Global upload and download rate in KiB. "0" for unlimited.
-download_rate = 1024
+throttle.global_down.max_rate.set_kb = 1024
-upload_rate = 50
+throttle.global_up.max_rate.set_kb = 50
 # Default directory to save the downloaded torrents.
-directory = /mnt/video/rtorrent/downloads
+directory.default.set = /mnt/video/rtorrent/downloads
 # Default session directory. Make sure you don't run multiple instance
 # of rtorrent using the same session directory. Perhaps using a
 # relative path?
-session = /mnt/video/rtorrent/.session
+session.path.set = /mnt/video/rtorrent/.session
 # Watch a directory for new torrents, and stop those that have been
 # deleted.
-schedule = watch_directory,5,5,load_start=/home/downloads/~watch/*.torrent
+schedule2 = watch_directory,5,5,load.start=/home/downloads/~watch/*.torrent
 # Close torrents when diskspace is low.
-schedule = low_diskspace,5,60,close_low_diskspace=10240M
+schedule2 = low_diskspace,5,60,close_low_diskspace=10240M
 # The ip address reported to the tracker.
 #ip = 127.0.0.1
@ -38,17 +38,17 @@ schedule = low_diskspace,5,60,close_low_diskspace=10240M
 #bind = rakshasa.no
 # Port range to use for listening.
-port_range = 55950-56000
+network.port_range.set = 55950-56000
 # Start opening ports at a random position within the port range.
-port_random = yes
+network.port_random.set = yes
 # Check hash for finished torrents. Might be usefull until the bug is
 # fixed that causes lack of diskspace not to be properly reported.
-check_hash = yes   
+pieces.hash.on_completion.set = yes   
 # Set whether the client should try to connect to UDP trackers.
-use_udp_trackers = yes
+trackers.use_udp.set = yes
 # Alternative calls to bind and ip that should handle dynamic ip's.
 #schedule = ip_tick,0,1800,ip=rakshasa
@ -61,14 +61,14 @@ use_udp_trackers = yes
 # outgoing connections but retries with encryption if they fail, preferring
 # plaintext to RC4 encryption after the encrypted handshake
 # 
-encryption = allow_incoming,enable_retry,prefer_plaintext
+protocol.encryption.set = allow_incoming,enable_retry,prefer_plaintext
 # Enable DHT support for trackerless torrents or when all trackers are down.
 # May be set to "disable" (completely disable DHT), "off" (do not start DHT),
 # "auto" (start and stop DHT as needed), or "on" (start DHT immediately). 
 # The default is "off". For DHT to work, a session directory must be defined.
 # 
-dht = on
+dht.mode.set = on
 # UDP port to use for DHT.
 #
@ -76,6 +76,6 @@ dht = on
 # Enable peer exchange (for torrents not marked private)
 # 
-peer_exchange = yes
+protocol.pex.set = yes
-scgi_port = 127.0.0.1:5050
+network.scgi.open_port = 127.0.0.1:5050