Introduce Nextcloud role and deploy Cloud on Chaosknoten
Co-authored-by: Max <max@mlem.cloud>
This commit is contained in:
parent
112f1990b9
commit
62b4f93218
16 changed files with 352 additions and 200 deletions
|
@ -1,14 +1,11 @@
|
|||
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/cloud/compose.yaml.j2') }}"
|
||||
docker_compose__configuration_files: []
|
||||
|
||||
certbot__version_spec: ""
|
||||
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
|
||||
certbot__certificate_domains:
|
||||
- "cloud.hamburg.ccc.de"
|
||||
|
||||
nextcloud__config_php: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/cloud/config.php.j2') }}"
|
||||
|
||||
nginx__version_spec: ""
|
||||
nginx__configurations:
|
||||
- name: cloud.hamburg.ccc.de
|
||||
content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/cloud/nginx/cloud.hamburg.ccc.de.conf') }}"
|
||||
nextcloud__version: 27
|
||||
nextcloud__postgres_version: 15.3
|
||||
nextcloud__fqdn: cloud.hamburg.ccc.de
|
||||
nextcloud__data_dir: /data/nextcloud
|
||||
nextcloud__admin_password: "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/cloud/admin', create=false, missing='error') }}"
|
||||
nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/cloud/extra_configuration.config.php.j2') }}"
|
||||
nextcloud__use_custom_new_user_skeleton: true
|
||||
nextcloud__custom_new_user_skeleton_directory: "chaosknoten/cloud/new_user_skeleton_directory/"
|
||||
nextcloud__postgres_password: "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD', create=false, missing='error') }}"
|
||||
nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140
|
||||
nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de
|
||||
|
|
|
@ -2,7 +2,6 @@ all:
|
|||
children:
|
||||
certbot_hosts:
|
||||
hosts:
|
||||
cloud:
|
||||
pad:
|
||||
keycloak:
|
||||
engelsystem:
|
||||
|
@ -11,7 +10,6 @@ all:
|
|||
hosts:
|
||||
cloud:
|
||||
ansible_host: cloud-intern.hamburg.ccc.de
|
||||
ansible_port: 42666
|
||||
ansible_user: chaos
|
||||
ansible_ssh_common_args: -J ssh://public-reverse-proxy.hamburg.ccc.de:42666
|
||||
pad:
|
||||
|
@ -37,7 +35,6 @@ all:
|
|||
ansible_ssh_common_args: -J ssh://public-reverse-proxy.hamburg.ccc.de:42666
|
||||
docker_compose_hosts:
|
||||
hosts:
|
||||
cloud:
|
||||
pad:
|
||||
keycloak:
|
||||
engelsystem:
|
||||
|
@ -46,7 +43,6 @@ all:
|
|||
cloud:
|
||||
nginx_hosts:
|
||||
hosts:
|
||||
cloud:
|
||||
pad:
|
||||
public-reverse-proxy:
|
||||
keycloak:
|
||||
|
|
Binary file not shown.
After Width: | Height: | Size: 9.7 KiB |
Binary file not shown.
After Width: | Height: | Size: 1,007 KiB |
|
@ -0,0 +1,10 @@
|
|||
# CCCHH Nextcloud
|
||||
|
||||
Willkommen auf der CCCHH Nextcloud Instanz.
|
||||
|
||||
Hier kannst du Dateien ablegen und teilen, Termine verwalten und vieles mehr.
|
||||
**Hinweis:** Die Dateien werden (zumindest zur Zeit) nicht verschlüsselt gespeichert.
|
||||
|
||||
Weitere Infos:
|
||||
|
||||
- <https://docs.nextcloud.com/server/latest/user_manual/de/>
|
|
@ -1,134 +0,0 @@
|
|||
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
|
||||
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
|
||||
upstream nextcloud {
|
||||
server 127.0.0.1:9000;
|
||||
}
|
||||
|
||||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
||||
server_name cloud.hamburg.ccc.de;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/cloud.hamburg.ccc.de/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/cloud.hamburg.ccc.de/privkey.pem;
|
||||
# verify chain of trust of OCSP response using Root CA and Intermediate certs
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/cloud.hamburg.ccc.de/chain.pem;
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Port 443;
|
||||
# This is https in any case.
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
# Hide the X-Forwarded header.
|
||||
proxy_hide_header X-Forwarded;
|
||||
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
|
||||
# is transparent).
|
||||
# Also provide "_hidden" for by, since it's not relevant.
|
||||
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
|
||||
|
||||
# HTTP response headers borrowed from Nextcloud `.htaccess`
|
||||
add_header Referrer-Policy "no-referrer" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Download-Options "noopen" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
||||
add_header X-Robots-Tag "none" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
|
||||
# Remove X-Powered-By, which is an information leak
|
||||
fastcgi_hide_header X-Powered-By;
|
||||
|
||||
# Path to the root of your installation
|
||||
root /data/docker/volumes/nextcloud;
|
||||
|
||||
# Specify how to handle directories -- specifying `/index.php$request_uri`
|
||||
# here as the fallback means that Nginx always exhibits the desired behaviour
|
||||
# when a client requests a path that corresponds to a directory that exists
|
||||
# on the server. In particular, if that directory contains an index.php file,
|
||||
# that file is correctly served; if it doesn't, then the request is passed to
|
||||
# the front-end controller. This consistent behaviour means that we don't need
|
||||
# to specify custom rules for certain paths (e.g. images and other assets,
|
||||
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
|
||||
# `try_files $uri $uri/ /index.php$request_uri`
|
||||
# always provides the desired behaviour.
|
||||
index index.php index.html /index.php$request_uri;
|
||||
|
||||
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
|
||||
location = / {
|
||||
if ( $http_user_agent ~ ^DavClnt ) {
|
||||
return 302 /remote.php/webdav/$is_args$args;
|
||||
}
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
allow all;
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# Rules borrowed from `.htaccess` to hide certain paths from clients
|
||||
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
|
||||
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
|
||||
|
||||
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
|
||||
# which handle static assets (as seen below). If this block is not declared first,
|
||||
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
|
||||
# to the URI, resulting in a HTTP 500 error response.
|
||||
location ~ \.php(?:$|/) {
|
||||
# Required for legacy support
|
||||
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
|
||||
|
||||
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
||||
set $path_info $fastcgi_path_info;
|
||||
|
||||
try_files $fastcgi_script_name =404;
|
||||
|
||||
include fastcgi_params;
|
||||
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param SCRIPT_FILENAME /var/www/html/index.php;
|
||||
fastcgi_param PATH_INFO $path_info;
|
||||
#fastcgi_param HTTPS on;
|
||||
|
||||
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
|
||||
fastcgi_param front_controller_active true; # Enable pretty urls
|
||||
fastcgi_pass nextcloud;
|
||||
|
||||
fastcgi_intercept_errors on;
|
||||
fastcgi_request_buffering off;
|
||||
}
|
||||
|
||||
location ~ \.(?:css|js|svg|gif)$ {
|
||||
try_files $uri /index.php$request_uri;
|
||||
expires 6M; # Cache-Control policy borrowed from `.htaccess`
|
||||
access_log off; # Optional: Don't log access to assets
|
||||
}
|
||||
|
||||
location ~ \.woff2?$ {
|
||||
try_files $uri /index.php$request_uri;
|
||||
expires 7d; # Cache-Control policy borrowed from `.htaccess`
|
||||
access_log off; # Optional: Don't log access to assets
|
||||
}
|
||||
|
||||
# Rule borrowed from `.htaccess`
|
||||
location /remote {
|
||||
return 301 /remote.php$request_uri;
|
||||
}
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.php$request_uri;
|
||||
}
|
||||
}
|
11
playbooks/roles/nextcloud/README.md
Normal file
11
playbooks/roles/nextcloud/README.md
Normal file
|
@ -0,0 +1,11 @@
|
|||
# Role `nextcloud`
|
||||
|
||||
A role for deploying Nextcloud.
|
||||
|
||||
Note: PostgreSQL upgrades need manual migration steps.
|
||||
|
||||
## Links & Resources
|
||||
|
||||
- <https://github.com/nextcloud/docker>
|
||||
- <https://docs.nextcloud.com/server/latest/admin_manual/index.html>
|
||||
- <https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/cron/apache>
|
5
playbooks/roles/nextcloud/defaults/main.yaml
Normal file
5
playbooks/roles/nextcloud/defaults/main.yaml
Normal file
|
@ -0,0 +1,5 @@
|
|||
nextcloud__nginx_version_spec: ""
|
||||
nextcloud__certbot_version_spec: ""
|
||||
nextcloud__extra_configuration: ""
|
||||
nextcloud__use_custom_new_user_skeleton: false
|
||||
nextcloud__custom_new_user_skeleton_directory: ""
|
22
playbooks/roles/nextcloud/files/supervisord.conf
Normal file
22
playbooks/roles/nextcloud/files/supervisord.conf
Normal file
|
@ -0,0 +1,22 @@
|
|||
[supervisord]
|
||||
nodaemon=true
|
||||
logfile=/var/log/supervisord/supervisord.log
|
||||
pidfile=/var/run/supervisord/supervisord.pid
|
||||
childlogdir=/var/log/supervisord/
|
||||
logfile_maxbytes=50MB ; maximum size of logfile before rotation
|
||||
logfile_backups=10 ; number of backed up logfiles
|
||||
loglevel=error
|
||||
|
||||
[program:apache2]
|
||||
stdout_logfile=/dev/stdout
|
||||
stdout_logfile_maxbytes=0
|
||||
stderr_logfile=/dev/stderr
|
||||
stderr_logfile_maxbytes=0
|
||||
command=apache2-foreground
|
||||
|
||||
[program:cron]
|
||||
stdout_logfile=/dev/stdout
|
||||
stdout_logfile_maxbytes=0
|
||||
stderr_logfile=/dev/stderr
|
||||
stderr_logfile_maxbytes=0
|
||||
command=/cron.sh
|
63
playbooks/roles/nextcloud/meta/argument_specs.yaml
Normal file
63
playbooks/roles/nextcloud/meta/argument_specs.yaml
Normal file
|
@ -0,0 +1,63 @@
|
|||
argument_specs:
|
||||
main:
|
||||
options:
|
||||
nextcloud__version:
|
||||
description: The version label to use for the Nextcloud Docker image.
|
||||
type: str
|
||||
required: true
|
||||
nextcloud__postgres_version:
|
||||
description: The version label to use for the PostgreSQL Docker image.
|
||||
type: str
|
||||
required: true
|
||||
nextcloud__nginx_version_spec:
|
||||
description: The version spec. to pass to nginx to use for the nginx version spec.
|
||||
type: str
|
||||
required: false
|
||||
default: ""
|
||||
nextcloud__certbot_version_spec:
|
||||
description: The version spec. to pass to certbot to use for the certbot version spec.
|
||||
type: str
|
||||
required: false
|
||||
default: ""
|
||||
nextcloud__fqdn:
|
||||
description: The FQDN to use for Nextcloud.
|
||||
type: str
|
||||
required: true
|
||||
nextcloud__data_dir:
|
||||
description: The directory where to store the Nextcloud data.
|
||||
type: str
|
||||
required: true
|
||||
nextcloud__admin_password:
|
||||
description: The password to use for the Admin user.
|
||||
type: str
|
||||
required: true
|
||||
nextcloud__extra_configuration:
|
||||
description: Additional nextcloud configuration.
|
||||
type: str
|
||||
required: false
|
||||
default: ""
|
||||
nextcloud__use_custom_new_user_skeleton:
|
||||
description: >-
|
||||
Enable to make use of the given custom new user skeleton directory.
|
||||
type: bool
|
||||
required: false
|
||||
default: false
|
||||
nextcloud__custom_new_user_skeleton_directory:
|
||||
description: >-
|
||||
Path of to a custom new user skeleton directory to be used by this
|
||||
role via ansible.builtin.copy.
|
||||
type: str
|
||||
required: false
|
||||
default: ""
|
||||
nextcloud__postgres_password:
|
||||
description: The password to use for the nextcloud PostgreSQL user.
|
||||
type: str
|
||||
required: true
|
||||
nextcloud__proxy_protocol_reverse_proxy_ip:
|
||||
description: The IP of the reverse proxy to do proxy protocol with.
|
||||
type: str
|
||||
required: true
|
||||
nextcloud__certbot_acme_account_email_address:
|
||||
description: The E-Mail address to pass to certbot to use for the ACME account.
|
||||
type: str
|
||||
required: true
|
18
playbooks/roles/nextcloud/meta/main.yaml
Normal file
18
playbooks/roles/nextcloud/meta/main.yaml
Normal file
|
@ -0,0 +1,18 @@
|
|||
---
|
||||
dependencies:
|
||||
- role: certbot
|
||||
vars:
|
||||
certbot__version_spec: "{{ nextcloud__certbot_version_spec }}"
|
||||
certbot__acme_account_email_address: "{{ nextcloud__certbot_acme_account_email_address }}"
|
||||
certbot__certificate_domains:
|
||||
- "{{ nextcloud__fqdn }}"
|
||||
- role: nginx
|
||||
vars:
|
||||
nginx__version_spec: "{{ nextcloud__nginx_version_spec }}"
|
||||
nginx__configurations:
|
||||
- name: "{{ nextcloud__fqdn }}"
|
||||
content: "{{ lookup('ansible.builtin.template', 'nginx_nextcloud.conf.j2') }}"
|
||||
- role: docker_compose
|
||||
vars:
|
||||
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'compose.yaml.j2') }}"
|
||||
docker_compose__configuration_files: []
|
|
@ -1,9 +1,58 @@
|
|||
---
|
||||
- name: Nextcloud config
|
||||
- name: wait for existence of config directory
|
||||
ansible.builtin.wait_for:
|
||||
path: /ansible_docker_compose/nextcloud_var_www_html/config
|
||||
state: present
|
||||
become: true
|
||||
|
||||
- name: extra Nextcloud configuration
|
||||
ansible.builtin.copy:
|
||||
content: "{{ nextcloud__config_php }}"
|
||||
dest: "/data/docker/volumes/nextcloud/config/config.php"
|
||||
content: "{{ nextcloud__extra_configuration }}"
|
||||
dest: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_extra_config.config.php
|
||||
mode: "0644"
|
||||
owner: www-data
|
||||
group: www-data
|
||||
become: true
|
||||
|
||||
- name: fail, if nextcloud__use_custom_new_user_skeleton is set, but nextcloud__custom_new_user_skeleton_directory isn't
|
||||
ansible.builtin.fail:
|
||||
msg: If you set nextcloud__use_custom_new_user_skeleton, you also need to set nextcloud__custom_new_user_skeleton_directory.
|
||||
when: nextcloud__use_custom_new_user_skeleton and nextcloud__custom_new_user_skeleton_directory == ""
|
||||
|
||||
- name: ensure custom new user skeleton
|
||||
when: nextcloud__use_custom_new_user_skeleton
|
||||
block:
|
||||
- name: ensure `rsync` package is installed
|
||||
ansible.builtin.apt:
|
||||
name: rsync
|
||||
state: present
|
||||
become: true
|
||||
|
||||
- name: ensure custom new user skeleton directory
|
||||
ansible.posix.synchronize:
|
||||
src: "{{ nextcloud__custom_new_user_skeleton_directory }}"
|
||||
dest: /ansible_docker_compose/custom_new_user_skeleton
|
||||
delete: true
|
||||
recursive: true
|
||||
use_ssh_args: true
|
||||
become: true
|
||||
|
||||
- name: ensure custom new user skeleton config
|
||||
ansible.builtin.copy:
|
||||
content: |
|
||||
<?php
|
||||
$CONFIG = array (
|
||||
'skeletondirectory' => '/custom_new_user_skeleton'
|
||||
);
|
||||
dest: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_custom_new_user_skeleton.config.php
|
||||
mode: "0644"
|
||||
owner: www-data
|
||||
group: www-data
|
||||
become: true
|
||||
|
||||
- name: ensure absence of custom new user skeleton config
|
||||
ansible.builtin.file:
|
||||
path: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_custom_new_user_skeleton.config.php
|
||||
state: absent
|
||||
become: true
|
||||
when: not nextcloud__use_custom_new_user_skeleton
|
||||
|
|
83
playbooks/roles/nextcloud/templates/compose.yaml.j2
Normal file
83
playbooks/roles/nextcloud/templates/compose.yaml.j2
Normal file
|
@ -0,0 +1,83 @@
|
|||
---
|
||||
version: "3.6"
|
||||
|
||||
services:
|
||||
nextcloud:
|
||||
build:
|
||||
context: .
|
||||
# Use the following example for adding cron:
|
||||
# https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/cron/apache
|
||||
dockerfile_inline: |
|
||||
FROM nextcloud:{{ nextcloud__version }}
|
||||
|
||||
RUN apt-get update && apt-get install -y \
|
||||
supervisor \
|
||||
&& rm -rf /var/lib/apt/lists/* \
|
||||
&& mkdir /var/log/supervisord /var/run/supervisord
|
||||
|
||||
RUN cat <<EOF > /supervisord.conf
|
||||
{% filter indent(width=8) %}
|
||||
{{ lookup('ansible.builtin.file', 'supervisord.conf') }}
|
||||
{% endfilter %}
|
||||
EOF
|
||||
|
||||
ENV NEXTCLOUD_UPDATE=1
|
||||
|
||||
CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
|
||||
restart: unless-stopped
|
||||
ports:
|
||||
- "8080:80"
|
||||
# This is a hotfix until we have a new mail setup and this also really
|
||||
# doesn't belong into this role, but whatever, it works for now and it's not
|
||||
# like anyone else really uses this role (or would be bothered by this
|
||||
# really).
|
||||
extra_hosts:
|
||||
- "send-only-mailserver.ccchh.net:185.161.129.132"
|
||||
depends_on:
|
||||
- db
|
||||
- redis
|
||||
networks:
|
||||
- nextcloud
|
||||
volumes:
|
||||
{% if nextcloud__use_custom_new_user_skeleton %}
|
||||
- "./custom_new_user_skeleton:/custom_new_user_skeleton"
|
||||
{% endif %}
|
||||
- "./nextcloud_var_www_html:/var/www/html"
|
||||
- "{{ nextcloud__data_dir }}:/var/www/html/data"
|
||||
environment:
|
||||
POSTGRES_HOST: db
|
||||
POSTGRES_DB: nextcloud
|
||||
POSTGRES_USER: nextcloud
|
||||
POSTGRES_PASSWORD: "{{ nextcloud__postgres_password }}"
|
||||
NEXTCLOUD_ADMIN_USER: admin
|
||||
NEXTCLOUD_ADMIN_PASSWORD: "{{ nextcloud__admin_password }}"
|
||||
REDIS_HOST: redis
|
||||
NEXTCLOUD_TRUSTED_DOMAINS: "{{ nextcloud__fqdn }}"
|
||||
# See here: https://github.com/nextcloud/docker#using-the-apache-image-behind-a-reverse-proxy-and-auto-configure-server-host-and-protocol
|
||||
APACHE_DISABLE_REWRITE_IP: 1
|
||||
TRUSTED_PROXIES: 127.0.0.1
|
||||
OVERWRITECLIURL: "https://{{ nextcloud__fqdn }}/"
|
||||
OVERWRITEHOST: "{{ nextcloud__fqdn }}"
|
||||
OVERWRITEPROTOCOL: "https"
|
||||
|
||||
db:
|
||||
image: postgres:{{ nextcloud__postgres_version }}
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
- nextcloud
|
||||
volumes:
|
||||
- "./database:/var/lib/postgresql/data"
|
||||
environment:
|
||||
POSTGRES_DB: nextcloud
|
||||
POSTGRES_USER: nextcloud
|
||||
POSTGRES_PASSWORD: "{{ nextcloud__postgres_password }}"
|
||||
|
||||
redis:
|
||||
image: redis:alpine
|
||||
restart: unless-stopped
|
||||
networks:
|
||||
- nextcloud
|
||||
|
||||
networks:
|
||||
nextcloud:
|
||||
external: false
|
61
playbooks/roles/nextcloud/templates/nginx_nextcloud.conf.j2
Normal file
61
playbooks/roles/nextcloud/templates/nginx_nextcloud.conf.j2
Normal file
|
@ -0,0 +1,61 @@
|
|||
# also see here:
|
||||
# - https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
|
||||
# - https://nginx.org/en/docs/http/ngx_http_realip_module.html
|
||||
server {
|
||||
# Listen on a custom port for the proxy protocol.
|
||||
listen 8443 ssl http2 proxy_protocol;
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from {{ nextcloud__proxy_protocol_reverse_proxy_ip }};
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
|
||||
# This should work, but isn't needed for now.
|
||||
# # Still listen for https on 443 as usual.
|
||||
# listen 443 ssl http2;
|
||||
# #listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ nextcloud__fqdn }};
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ nextcloud__fqdn }}/privkey.pem;
|
||||
# verify chain of trust of OCSP response using Root CA and Intermediate certs
|
||||
ssl_trusted_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/chain.pem;
|
||||
|
||||
# replace with the IP address of your resolver
|
||||
resolver 1.1.1.1;
|
||||
|
||||
# allow uploads of any size
|
||||
client_max_body_size 0;
|
||||
|
||||
location /.well-known/carddav {
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
return 301 $scheme://$host/remote.php/dav;
|
||||
}
|
||||
|
||||
location /.well-known/caldav {
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
return 301 $scheme://$host/remote.php/dav;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_set_header Host $host;
|
||||
# This is https in any case.
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||
|
||||
add_header Front-End-Https on;
|
||||
proxy_pass http://127.0.0.1:8080;
|
||||
}
|
||||
}
|
|
@ -1,45 +0,0 @@
|
|||
---
|
||||
version: "3.6"
|
||||
|
||||
services:
|
||||
database:
|
||||
image: docker.io/library/mariadb:11
|
||||
restart: always
|
||||
command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
|
||||
volumes:
|
||||
- /data/docker/volumes/database:/var/lib/mysql
|
||||
environment:
|
||||
- "MYSQL_ROOT_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD", create=false, missing="error") }}"
|
||||
- "MYSQL_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD", create=false, missing="error") }}"
|
||||
- "MYSQL_DATABASE=nextcloud"
|
||||
- "MYSQL_USER=nextcloud"
|
||||
networks:
|
||||
backend: {}
|
||||
|
||||
app:
|
||||
image: docker.io/library/nextcloud:25-fpm
|
||||
restart: always
|
||||
ports:
|
||||
- 9000:9000
|
||||
links:
|
||||
- database
|
||||
volumes:
|
||||
- /data/docker/volumes/nextcloud:/var/www/html
|
||||
environment:
|
||||
- "MYSQL_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD", create=false, missing="error") }}"
|
||||
- "MYSQL_DATABASE=nextcloud"
|
||||
- "MYSQL_USER=nextcloud"
|
||||
- "MYSQL_HOST=database"
|
||||
networks:
|
||||
backend: {}
|
||||
frontend: {}
|
||||
|
||||
volumes: {}
|
||||
# FIXME: tell Docker to put volumes in /data instead of /var/lib/docker/
|
||||
#database: {}
|
||||
#nextcloud: {}
|
||||
|
||||
networks:
|
||||
backend:
|
||||
internal: true
|
||||
frontend: {}
|
|
@ -0,0 +1,16 @@
|
|||
<?php
|
||||
$CONFIG = array (
|
||||
'default_phone_region' => 'DE',
|
||||
'hide_login_form' => true,
|
||||
'mail_smtpmode' => 'smtp',
|
||||
'mail_smtphost' => 'send-only-mailserver.ccchh.net',
|
||||
'mail_smtpport' => 465,
|
||||
'mail_smtpsecure' => 'ssl',
|
||||
'mail_smtpauth' => true,
|
||||
'mail_smtpauthtype' => 'LOGIN',
|
||||
'mail_smtpname' => 'nextcloud',
|
||||
'mail_from_address' => 'cloud',
|
||||
'mail_domain' => 'send-only-mail.ccchh.net',
|
||||
'mail_smtppassword' => '{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/smtp_password", create=false, missing="error") }}',
|
||||
'mail_smtpdebug' => true,
|
||||
);
|
Loading…
Reference in a new issue