diff --git a/inventories/chaosknoten/host_vars/cloud.yaml b/inventories/chaosknoten/host_vars/cloud.yaml
index 887ef25..eb83d07 100644
--- a/inventories/chaosknoten/host_vars/cloud.yaml
+++ b/inventories/chaosknoten/host_vars/cloud.yaml
@@ -1,14 +1,11 @@
-docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/cloud/compose.yaml.j2') }}"
-docker_compose__configuration_files: []
-
-certbot__version_spec: ""
-certbot__acme_account_email_address: le-admin@hamburg.ccc.de
-certbot__certificate_domains:
- - "cloud.hamburg.ccc.de"
-
-nextcloud__config_php: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/cloud/config.php.j2') }}"
-
-nginx__version_spec: ""
-nginx__configurations:
- - name: cloud.hamburg.ccc.de
- content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/cloud/nginx/cloud.hamburg.ccc.de.conf') }}"
+nextcloud__version: 27
+nextcloud__postgres_version: 15.3
+nextcloud__fqdn: cloud.hamburg.ccc.de
+nextcloud__data_dir: /data/nextcloud
+nextcloud__admin_password: "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/cloud/admin', create=false, missing='error') }}"
+nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/cloud/extra_configuration.config.php.j2') }}"
+nextcloud__use_custom_new_user_skeleton: true
+nextcloud__custom_new_user_skeleton_directory: "chaosknoten/cloud/new_user_skeleton_directory/"
+nextcloud__postgres_password: "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD', create=false, missing='error') }}"
+nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140
+nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de
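Review bot: `nextcloud__version: 27` and `nextcloud__postgres_version: 15.3` are unquoted numeric scalars, but the role's argument spec in this commit declares both as `type: str`, so YAML turns them into an int and a float before Ansible sees them. A value such as `15.10` would silently collapse to `15.1` and pull a different image tag. Quote them as strings: `nextcloud__version: "27"` and `nextcloud__postgres_version: "15.3"`.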
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 2dee8a7..bab9b69 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -2,7 +2,6 @@ all:
children:
certbot_hosts:
hosts:
- cloud:
pad:
keycloak:
engelsystem:
@@ -11,7 +10,6 @@ all:
hosts:
cloud:
ansible_host: cloud-intern.hamburg.ccc.de
- ansible_port: 42666
ansible_user: chaos
ansible_ssh_common_args: -J ssh://public-reverse-proxy.hamburg.ccc.de:42666
pad:
@@ -37,7 +35,6 @@ all:
ansible_ssh_common_args: -J ssh://public-reverse-proxy.hamburg.ccc.de:42666
docker_compose_hosts:
hosts:
- cloud:
pad:
keycloak:
engelsystem:
@@ -46,7 +43,6 @@ all:
cloud:
nginx_hosts:
hosts:
- cloud:
pad:
public-reverse-proxy:
keycloak:
diff --git a/playbooks/files/chaosknoten/cloud/new_user_skeleton_directory/Photos/augenohrenkatze.jpg b/playbooks/files/chaosknoten/cloud/new_user_skeleton_directory/Photos/augenohrenkatze.jpg
new file mode 100644
index 0000000..f79b086
Binary files /dev/null and b/playbooks/files/chaosknoten/cloud/new_user_skeleton_directory/Photos/augenohrenkatze.jpg differ
diff --git a/playbooks/files/chaosknoten/cloud/new_user_skeleton_directory/Photos/ccclubhajs.jpg b/playbooks/files/chaosknoten/cloud/new_user_skeleton_directory/Photos/ccclubhajs.jpg
new file mode 100644
index 0000000..f2c2d5f
Binary files /dev/null and b/playbooks/files/chaosknoten/cloud/new_user_skeleton_directory/Photos/ccclubhajs.jpg differ
diff --git a/playbooks/files/chaosknoten/cloud/new_user_skeleton_directory/README.md b/playbooks/files/chaosknoten/cloud/new_user_skeleton_directory/README.md
new file mode 100644
index 0000000..f781af4
--- /dev/null
+++ b/playbooks/files/chaosknoten/cloud/new_user_skeleton_directory/README.md
@@ -0,0 +1,10 @@
+# CCCHH Nextcloud
+
+Willkommen auf der CCCHH Nextcloud Instanz.
+
+Hier kannst du Dateien ablegen und teilen, Termine verwalten und vieles mehr.
+**Hinweis:** Die Dateien werden (zumindest zur Zeit) nicht verschlüsselt gespeichert.
+
+Weitere Infos:
+
+-
diff --git a/playbooks/files/chaosknoten/configs/cloud/nginx/cloud.hamburg.ccc.de.conf b/playbooks/files/chaosknoten/configs/cloud/nginx/cloud.hamburg.ccc.de.conf
deleted file mode 100644
index 1c94733..0000000
--- a/playbooks/files/chaosknoten/configs/cloud/nginx/cloud.hamburg.ccc.de.conf
+++ /dev/null
@@ -1,134 +0,0 @@
-# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
-# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
-upstream nextcloud {
- server 127.0.0.1:9000;
-}
-
-server {
- # Listen on a custom port for the proxy protocol.
- listen 8443 ssl http2 proxy_protocol;
- # Make use of the ngx_http_realip_module to set the $remote_addr and
- # $remote_port to the client address and client port, when using proxy
- # protocol.
- # First set our proxy protocol proxy as trusted.
- set_real_ip_from 172.31.17.140;
- # Then tell the realip_module to get the addreses from the proxy protocol
- # header.
- real_ip_header proxy_protocol;
-
- server_name cloud.hamburg.ccc.de;
-
- ssl_certificate /etc/letsencrypt/live/cloud.hamburg.ccc.de/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/cloud.hamburg.ccc.de/privkey.pem;
- # verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/letsencrypt/live/cloud.hamburg.ccc.de/chain.pem;
-
- # HSTS (ngx_http_headers_module is required) (63072000 seconds)
- add_header Strict-Transport-Security "max-age=63072000" always;
-
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Port 443;
- # This is https in any case.
- proxy_set_header X-Forwarded-Proto https;
- # Hide the X-Forwarded header.
- proxy_hide_header X-Forwarded;
- # Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
- # is transparent).
- # Also provide "_hidden" for by, since it's not relevant.
- proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
-
- # HTTP response headers borrowed from Nextcloud `.htaccess`
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "none" always;
- add_header X-XSS-Protection "1; mode=block" always;
-
- # Remove X-Powered-By, which is an information leak
- fastcgi_hide_header X-Powered-By;
-
- # Path to the root of your installation
- root /data/docker/volumes/nextcloud;
-
- # Specify how to handle directories -- specifying `/index.php$request_uri`
- # here as the fallback means that Nginx always exhibits the desired behaviour
- # when a client requests a path that corresponds to a directory that exists
- # on the server. In particular, if that directory contains an index.php file,
- # that file is correctly served; if it doesn't, then the request is passed to
- # the front-end controller. This consistent behaviour means that we don't need
- # to specify custom rules for certain paths (e.g. images and other assets,
- # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
- # `try_files $uri $uri/ /index.php$request_uri`
- # always provides the desired behaviour.
- index index.php index.html /index.php$request_uri;
-
- # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
- location = / {
- if ( $http_user_agent ~ ^DavClnt ) {
- return 302 /remote.php/webdav/$is_args$args;
- }
- }
-
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
-
- # Rules borrowed from `.htaccess` to hide certain paths from clients
- location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
- location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
-
- # Ensure this block, which passes PHP files to the PHP process, is above the blocks
- # which handle static assets (as seen below). If this block is not declared first,
- # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
- # to the URI, resulting in a HTTP 500 error response.
- location ~ \.php(?:$|/) {
- # Required for legacy support
- rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
-
- fastcgi_split_path_info ^(.+?\.php)(/.*)$;
- set $path_info $fastcgi_path_info;
-
- try_files $fastcgi_script_name =404;
-
- include fastcgi_params;
- #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param SCRIPT_FILENAME /var/www/html/index.php;
- fastcgi_param PATH_INFO $path_info;
- #fastcgi_param HTTPS on;
-
- fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
- fastcgi_param front_controller_active true; # Enable pretty urls
- fastcgi_pass nextcloud;
-
- fastcgi_intercept_errors on;
- fastcgi_request_buffering off;
- }
-
- location ~ \.(?:css|js|svg|gif)$ {
- try_files $uri /index.php$request_uri;
- expires 6M; # Cache-Control policy borrowed from `.htaccess`
- access_log off; # Optional: Don't log access to assets
- }
-
- location ~ \.woff2?$ {
- try_files $uri /index.php$request_uri;
- expires 7d; # Cache-Control policy borrowed from `.htaccess`
- access_log off; # Optional: Don't log access to assets
- }
-
- # Rule borrowed from `.htaccess`
- location /remote {
- return 301 /remote.php$request_uri;
- }
-
- location / {
- try_files $uri $uri/ /index.php$request_uri;
- }
-}
diff --git a/playbooks/roles/nextcloud/README.md b/playbooks/roles/nextcloud/README.md
new file mode 100644
index 0000000..89233b6
--- /dev/null
+++ b/playbooks/roles/nextcloud/README.md
@@ -0,0 +1,11 @@
+# Role `nextcloud`
+
+A role for deploying Nextcloud.
+
+Note: PostgreSQL upgrades need manual migration steps.
+
+## Links & Resources
+
+-
+-
+-
diff --git a/playbooks/roles/nextcloud/defaults/main.yaml b/playbooks/roles/nextcloud/defaults/main.yaml
new file mode 100644
index 0000000..b209ff7
--- /dev/null
+++ b/playbooks/roles/nextcloud/defaults/main.yaml
@@ -0,0 +1,5 @@
+nextcloud__nginx_version_spec: ""
+nextcloud__certbot_version_spec: ""
+nextcloud__extra_configuration: ""
+nextcloud__use_custom_new_user_skeleton: false
+nextcloud__custom_new_user_skeleton_directory: ""
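Review bot: The new defaults file has no `---` document-start marker, while the role's other YAML files in this commit (meta/main.yaml, tasks/main.yaml) begin with one. Adding `---` as the first line keeps the role consistent and satisfies yamllint's `document-start` rule.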
diff --git a/playbooks/roles/nextcloud/files/supervisord.conf b/playbooks/roles/nextcloud/files/supervisord.conf
new file mode 100644
index 0000000..836a08a
--- /dev/null
+++ b/playbooks/roles/nextcloud/files/supervisord.conf
@@ -0,0 +1,22 @@
+[supervisord]
+nodaemon=true
+logfile=/var/log/supervisord/supervisord.log
+pidfile=/var/run/supervisord/supervisord.pid
+childlogdir=/var/log/supervisord/
+logfile_maxbytes=50MB ; maximum size of logfile before rotation
+logfile_backups=10 ; number of backed up logfiles
+loglevel=error
+
+[program:apache2]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=apache2-foreground
+
+[program:cron]
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+command=/cron.sh
diff --git a/playbooks/roles/nextcloud/meta/argument_specs.yaml b/playbooks/roles/nextcloud/meta/argument_specs.yaml
new file mode 100644
index 0000000..f67a5e7
--- /dev/null
+++ b/playbooks/roles/nextcloud/meta/argument_specs.yaml
@@ -0,0 +1,63 @@
+argument_specs:
+ main:
+ options:
+ nextcloud__version:
+ description: The version label to use for the Nextcloud Docker image.
+ type: str
+ required: true
+ nextcloud__postgres_version:
+ description: The version label to use for the PostgreSQL Docker image.
+ type: str
+ required: true
+ nextcloud__nginx_version_spec:
+ description: The version spec. to pass to nginx to use for the nginx version spec.
+ type: str
+ required: false
+ default: ""
+ nextcloud__certbot_version_spec:
+ description: The version spec. to pass to certbot to use for the certbot version spec.
+ type: str
+ required: false
+ default: ""
+ nextcloud__fqdn:
+ description: The FQDN to use for Nextcloud.
+ type: str
+ required: true
+ nextcloud__data_dir:
+ description: The directory where to store the Nextcloud data.
+ type: str
+ required: true
+ nextcloud__admin_password:
+ description: The password to use for the Admin user.
+ type: str
+ required: true
+ nextcloud__extra_configuration:
+ description: Additional nextcloud configuration.
+ type: str
+ required: false
+ default: ""
+ nextcloud__use_custom_new_user_skeleton:
+ description: >-
+ Enable to make use of the given custom new user skeleton directory.
+ type: bool
+ required: false
+ default: false
+ nextcloud__custom_new_user_skeleton_directory:
+ description: >-
+ Path of to a custom new user skeleton directory to be used by this
+ role via ansible.builtin.copy.
+ type: str
+ required: false
+ default: ""
+ nextcloud__postgres_password:
+ description: The password to use for the nextcloud PostgreSQL user.
+ type: str
+ required: true
+ nextcloud__proxy_protocol_reverse_proxy_ip:
+ description: The IP of the reverse proxy to do proxy protocol with.
+ type: str
+ required: true
+ nextcloud__certbot_acme_account_email_address:
+ description: The E-Mail address to pass to certbot to use for the ACME account.
+ type: str
+ required: true
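Review bot: `nextcloud__admin_password` and `nextcloud__postgres_password` are declared as plain `type: str` options; marking them `no_log: true` in the spec keeps their values out of validation errors and verbose task output. Add `no_log: true` under each of those two entries. Separately, the description of `nextcloud__custom_new_user_skeleton_directory` says the directory is used via `ansible.builtin.copy`, while tasks/main.yaml in this commit uses `ansible.posix.synchronize` (which also requires rsync on the controller); the description should name the module actually used. Minor wording: `Path of to a custom` → `Path to a custom`, and the two version-spec descriptions are circular (`The version spec. to pass to nginx to use for the nginx version spec.`) — `The version spec to pass to the nginx role.` says the same thing.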
diff --git a/playbooks/roles/nextcloud/meta/main.yaml b/playbooks/roles/nextcloud/meta/main.yaml
new file mode 100644
index 0000000..a94e578
--- /dev/null
+++ b/playbooks/roles/nextcloud/meta/main.yaml
@@ -0,0 +1,18 @@
+---
+dependencies:
+ - role: certbot
+ vars:
+ certbot__version_spec: "{{ nextcloud__certbot_version_spec }}"
+ certbot__acme_account_email_address: "{{ nextcloud__certbot_acme_account_email_address }}"
+ certbot__certificate_domains:
+ - "{{ nextcloud__fqdn }}"
+ - role: nginx
+ vars:
+ nginx__version_spec: "{{ nextcloud__nginx_version_spec }}"
+ nginx__configurations:
+ - name: "{{ nextcloud__fqdn }}"
+ content: "{{ lookup('ansible.builtin.template', 'nginx_nextcloud.conf.j2') }}"
+ - role: docker_compose
+ vars:
+ docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'compose.yaml.j2') }}"
+ docker_compose__configuration_files: []
diff --git a/playbooks/roles/nextcloud/tasks/main.yaml b/playbooks/roles/nextcloud/tasks/main.yaml
index 9710763..9581d22 100644
--- a/playbooks/roles/nextcloud/tasks/main.yaml
+++ b/playbooks/roles/nextcloud/tasks/main.yaml
@@ -1,9 +1,58 @@
---
-- name: Nextcloud config
+- name: wait for existence of config directory
+ ansible.builtin.wait_for:
+ path: /ansible_docker_compose/nextcloud_var_www_html/config
+ state: present
become: true
+
+- name: extra Nextcloud configuration
ansible.builtin.copy:
- content: "{{ nextcloud__config_php }}"
- dest: "/data/docker/volumes/nextcloud/config/config.php"
+ content: "{{ nextcloud__extra_configuration }}"
+ dest: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_extra_config.config.php
mode: "0644"
owner: www-data
group: www-data
+ become: true
+
+- name: fail, if nextcloud__use_custom_new_user_skeleton is set, but nextcloud__custom_new_user_skeleton_directory isn't
+ ansible.builtin.fail:
+ msg: If you set nextcloud__use_custom_new_user_skeleton, you also need to set nextcloud__custom_new_user_skeleton_directory.
+ when: nextcloud__use_custom_new_user_skeleton and nextcloud__custom_new_user_skeleton_directory == ""
+
+- name: ensure custom new user skeleton
+ when: nextcloud__use_custom_new_user_skeleton
+ block:
+ - name: ensure `rsync` package is installed
+ ansible.builtin.apt:
+ name: rsync
+ state: present
+ become: true
+
+ - name: ensure custom new user skeleton directory
+ ansible.posix.synchronize:
+ src: "{{ nextcloud__custom_new_user_skeleton_directory }}"
+ dest: /ansible_docker_compose/custom_new_user_skeleton
+ delete: true
+ recursive: true
+ use_ssh_args: true
+ become: true
+
+ - name: ensure custom new user skeleton config
+ ansible.builtin.copy:
+ content: |
+ '/custom_new_user_skeleton'
+ );
+ dest: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_custom_new_user_skeleton.config.php
+ mode: "0644"
+ owner: www-data
+ group: www-data
+ become: true
+
+- name: ensure absence of custom new user skeleton config
+ ansible.builtin.file:
+ path: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_custom_new_user_skeleton.config.php
+ state: absent
+ become: true
+ when: not nextcloud__use_custom_new_user_skeleton
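Review bot: The `extra Nextcloud configuration` task writes `ansible_nextcloud_extra_config.config.php` unconditionally, so with the role default `nextcloud__extra_configuration: ""` an empty `.config.php` is created on every host that does not set the variable, and unlike the skeleton config below there is no `when:` guard and no matching `state: absent` task for the opposite case. Mirroring the skeleton pattern, as sketched below, keeps a later removal of the variable from leaving a stale config file behind. Also, the inline `content:` of the `ensure custom new user skeleton config` task appears to have lost its opening lines (the `<?php` opener, the `$CONFIG = array(` line and the `'skeletondirectory' =>` key) somewhere between the repository and this rendering; the committed file should be checked, since the two surviving lines are not a valid config fragment on their own.
```yaml
# … unchanged: wait_for task …
- name: extra Nextcloud configuration
  # … unchanged: ansible.builtin.copy args …
  become: true
  when: nextcloud__extra_configuration != ""

- name: ensure absence of extra Nextcloud configuration
  ansible.builtin.file:
    path: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_extra_config.config.php
    state: absent
  become: true
  when: nextcloud__extra_configuration == ""

# … unchanged: custom new user skeleton tasks …
```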
diff --git a/playbooks/roles/nextcloud/templates/compose.yaml.j2 b/playbooks/roles/nextcloud/templates/compose.yaml.j2
new file mode 100644
index 0000000..76fa6fc
--- /dev/null
+++ b/playbooks/roles/nextcloud/templates/compose.yaml.j2
@@ -0,0 +1,83 @@
+---
+version: "3.6"
+
+services:
+ nextcloud:
+ build:
+ context: .
+ # Use the following example for adding cron:
+ # https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/cron/apache
+ dockerfile_inline: |
+ FROM nextcloud:{{ nextcloud__version }}
+
+ RUN apt-get update && apt-get install -y \
+ supervisor \
+ && rm -rf /var/lib/apt/lists/* \
+ && mkdir /var/log/supervisord /var/run/supervisord
+
+ RUN cat < /supervisord.conf
+{% filter indent(width=8) %}
+ {{ lookup('ansible.builtin.file', 'supervisord.conf') }}
+{% endfilter %}
+ EOF
+
+ ENV NEXTCLOUD_UPDATE=1
+
+ CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
+ restart: unless-stopped
+ ports:
+ - "8080:80"
+ # This is a hotfix until we have a new mail setup and this also really
+ # doesn't belong into this role, but whatever, it works for now and it's not
+ # like anyone else really uses this role (or would be bothered by this
+ # really).
+ extra_hosts:
+ - "send-only-mailserver.ccchh.net:185.161.129.132"
+ depends_on:
+ - db
+ - redis
+ networks:
+ - nextcloud
+ volumes:
+{% if nextcloud__use_custom_new_user_skeleton %}
+ - "./custom_new_user_skeleton:/custom_new_user_skeleton"
+{% endif %}
+ - "./nextcloud_var_www_html:/var/www/html"
+ - "{{ nextcloud__data_dir }}:/var/www/html/data"
+ environment:
+ POSTGRES_HOST: db
+ POSTGRES_DB: nextcloud
+ POSTGRES_USER: nextcloud
+ POSTGRES_PASSWORD: "{{ nextcloud__postgres_password }}"
+ NEXTCLOUD_ADMIN_USER: admin
+ NEXTCLOUD_ADMIN_PASSWORD: "{{ nextcloud__admin_password }}"
+ REDIS_HOST: redis
+ NEXTCLOUD_TRUSTED_DOMAINS: "{{ nextcloud__fqdn }}"
+ # See here: https://github.com/nextcloud/docker#using-the-apache-image-behind-a-reverse-proxy-and-auto-configure-server-host-and-protocol
+ APACHE_DISABLE_REWRITE_IP: 1
+ TRUSTED_PROXIES: 127.0.0.1
+ OVERWRITECLIURL: "https://{{ nextcloud__fqdn }}/"
+ OVERWRITEHOST: "{{ nextcloud__fqdn }}"
+ OVERWRITEPROTOCOL: "https"
+
+ db:
+ image: postgres:{{ nextcloud__postgres_version }}
+ restart: unless-stopped
+ networks:
+ - nextcloud
+ volumes:
+ - "./database:/var/lib/postgresql/data"
+ environment:
+ POSTGRES_DB: nextcloud
+ POSTGRES_USER: nextcloud
+ POSTGRES_PASSWORD: "{{ nextcloud__postgres_password }}"
+
+ redis:
+ image: redis:alpine
+ restart: unless-stopped
+ networks:
+ - nextcloud
+
+networks:
+ nextcloud:
+ external: false
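Review bot: `ports: - "8080:80"` publishes the Nextcloud container on every host interface, while the nginx template in this commit only ever proxies to `127.0.0.1:8080`; anything that can reach the host's other addresses gets plain-HTTP access that bypasses TLS, HSTS and the proxy-protocol real-IP handling. Bind the mapping to loopback: `- "127.0.0.1:8080:80"`. Relatedly, `TRUSTED_PROXIES: 127.0.0.1` is probably not the peer address the container sees: on the default bridge network a connection from host nginx arrives from the bridge gateway IP rather than 127.0.0.1, so Nextcloud may ignore the forwarded headers and treat the gateway as the client (which affects its brute-force protection); worth verifying against the client IPs Nextcloud logs and, if so, trusting the compose network's subnet instead.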
diff --git a/playbooks/roles/nextcloud/templates/nginx_nextcloud.conf.j2 b/playbooks/roles/nextcloud/templates/nginx_nextcloud.conf.j2
new file mode 100644
index 0000000..c15a653
--- /dev/null
+++ b/playbooks/roles/nextcloud/templates/nginx_nextcloud.conf.j2
@@ -0,0 +1,61 @@
+# also see here:
+# - https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
+# - https://nginx.org/en/docs/http/ngx_http_realip_module.html
+server {
+ # Listen on a custom port for the proxy protocol.
+ listen 8443 ssl http2 proxy_protocol;
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from {{ nextcloud__proxy_protocol_reverse_proxy_ip }};
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ # This should work, but isn't needed for now.
+ # # Still listen for https on 443 as usual.
+ # listen 443 ssl http2;
+ # #listen [::]:443 ssl http2;
+
+ server_name {{ nextcloud__fqdn }};
+
+ ssl_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{ nextcloud__fqdn }}/privkey.pem;
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/chain.pem;
+
+ # replace with the IP address of your resolver
+ resolver 1.1.1.1;
+
+ # allow uploads of any size
+ client_max_body_size 0;
+
+ location /.well-known/carddav {
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location /.well-known/caldav {
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ return 301 $scheme://$host/remote.php/dav;
+ }
+
+ location / {
+ proxy_set_header Host $host;
+ # This is https in any case.
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ add_header Front-End-Https on;
+ proxy_pass http://127.0.0.1:8080;
+ }
+}
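Review bot: `add_header Front-End-Https on;` at the end of `location /` sends a `Front-End-Https` header to the browser, where it has no effect; that header is a hint for the upstream and would have to be `proxy_set_header Front-End-Https on;` to reach Nextcloud. Since the compose template already sets `OVERWRITEPROTOCOL: "https"` and `X-Forwarded-Proto https` is forwarded a few lines above, the line can also simply be dropped. The `# replace with the IP address of your resolver` comment above `resolver 1.1.1.1;` reads like a leftover from a generated template; if the external resolver is intentional, reword the comment, otherwise point it at the site's own resolver, since it is queried in cleartext for whatever runtime name resolution nginx does here (for example OCSP stapling, if that is enabled by the nginx role).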
diff --git a/playbooks/templates/chaosknoten/configs/cloud/compose.yaml.j2 b/playbooks/templates/chaosknoten/configs/cloud/compose.yaml.j2
deleted file mode 100644
index b6c883d..0000000
--- a/playbooks/templates/chaosknoten/configs/cloud/compose.yaml.j2
+++ /dev/null
@@ -1,45 +0,0 @@
----
-version: "3.6"
-
-services:
- database:
- image: docker.io/library/mariadb:11
- restart: always
- command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
- volumes:
- - /data/docker/volumes/database:/var/lib/mysql
- environment:
- - "MYSQL_ROOT_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD", create=false, missing="error") }}"
- - "MYSQL_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD", create=false, missing="error") }}"
- - "MYSQL_DATABASE=nextcloud"
- - "MYSQL_USER=nextcloud"
- networks:
- backend: {}
-
- app:
- image: docker.io/library/nextcloud:25-fpm
- restart: always
- ports:
- - 9000:9000
- links:
- - database
- volumes:
- - /data/docker/volumes/nextcloud:/var/www/html
- environment:
- - "MYSQL_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD", create=false, missing="error") }}"
- - "MYSQL_DATABASE=nextcloud"
- - "MYSQL_USER=nextcloud"
- - "MYSQL_HOST=database"
- networks:
- backend: {}
- frontend: {}
-
-volumes: {}
- # FIXME: tell Docker to put volumes in /data instead of /var/lib/docker/
- #database: {}
- #nextcloud: {}
-
-networks:
- backend:
- internal: true
- frontend: {}
diff --git a/playbooks/templates/chaosknoten/configs/cloud/extra_configuration.config.php.j2 b/playbooks/templates/chaosknoten/configs/cloud/extra_configuration.config.php.j2
new file mode 100644
index 0000000..ee6bf1a
--- /dev/null
+++ b/playbooks/templates/chaosknoten/configs/cloud/extra_configuration.config.php.j2
@@ -0,0 +1,16 @@
+ 'DE',
+ 'hide_login_form' => true,
+ 'mail_smtpmode' => 'smtp',
+ 'mail_smtphost' => 'send-only-mailserver.ccchh.net',
+ 'mail_smtpport' => 465,
+ 'mail_smtpsecure' => 'ssl',
+ 'mail_smtpauth' => true,
+ 'mail_smtpauthtype' => 'LOGIN',
+ 'mail_smtpname' => 'nextcloud',
+ 'mail_from_address' => 'cloud',
+ 'mail_domain' => 'send-only-mail.ccchh.net',
+ 'mail_smtppassword' => '{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/smtp_password", create=false, missing="error") }}',
+ 'mail_smtpdebug' => true,
+);
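Review bot: `'mail_smtpdebug' => true` switches on Nextcloud's SMTP debug logging for a production instance; the logged SMTP dialogue can include the authentication exchange for the `nextcloud` SMTP user whose password is pulled from the password store on the line above. Set it to `'mail_smtpdebug' => false,` (or omit the key) once the mail setup is confirmed to work. Also, the file as shown starts at `'DE',`, i.e. the `<?php` opener, the `$CONFIG = array(` line and the key for that first value appear to have been lost in this rendering; the committed template should be checked for the same. Minor: `mail_domain` is `send-only-mail.ccchh.net` while `mail_smtphost` is `send-only-mailserver.ccchh.net`; if the differing name is not intended, note that `mail_domain` is the sender domain recipients see.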