Introduce Nextcloud role and deploy Cloud on Chaosknoten

Co-authored-by: Max <max@mlem.cloud>
2023-08-25 20:50:46 +02:00 · 2023-08-25 20:50:46 +02:00 · 62b4f93218
commit 62b4f93218
parent 112f1990b9
16 changed files with 352 additions and 200 deletions
--- a/playbooks/roles/nextcloud/templates/compose.yaml.j2
+++ b/playbooks/roles/nextcloud/templates/compose.yaml.j2
@ -0,0 +1,83 @@
+---
+version: "3.6"
+
+services:
+  nextcloud:
+    build:
+      context: .
+      # Use the following example for adding cron:
+      # https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/cron/apache
+      dockerfile_inline: |
+        FROM nextcloud:{{ nextcloud__version }}
+
+        RUN apt-get update && apt-get install -y \
+            supervisor \
+          && rm -rf /var/lib/apt/lists/* \
+          && mkdir /var/log/supervisord /var/run/supervisord
+
+        RUN cat <<EOF > /supervisord.conf
+{% filter indent(width=8) %}
+        {{ lookup('ansible.builtin.file', 'supervisord.conf') }}
+{% endfilter %}
+        EOF
+
+        ENV NEXTCLOUD_UPDATE=1
+
+        CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
+    restart: unless-stopped
+    ports:
+      - "8080:80"
+    # This is a hotfix until we have a new mail setup and this also really
+    # doesn't belong into this role, but whatever, it works for now and it's not
+    # like anyone else really uses this role (or would be bothered by this
+    # really).
+    extra_hosts:
+      - "send-only-mailserver.ccchh.net:185.161.129.132"
+    depends_on:
+      - db
+      - redis
+    networks:
+      - nextcloud
+    volumes:
+{% if nextcloud__use_custom_new_user_skeleton %}
+      - "./custom_new_user_skeleton:/custom_new_user_skeleton"
+{% endif %}
+      - "./nextcloud_var_www_html:/var/www/html"
+      - "{{ nextcloud__data_dir }}:/var/www/html/data"
+    environment:
+      POSTGRES_HOST: db
+      POSTGRES_DB: nextcloud
+      POSTGRES_USER: nextcloud
+      POSTGRES_PASSWORD: "{{ nextcloud__postgres_password }}"
+      NEXTCLOUD_ADMIN_USER: admin
+      NEXTCLOUD_ADMIN_PASSWORD: "{{ nextcloud__admin_password }}"
+      REDIS_HOST: redis
+      NEXTCLOUD_TRUSTED_DOMAINS: "{{ nextcloud__fqdn }}"
+      # See here: https://github.com/nextcloud/docker#using-the-apache-image-behind-a-reverse-proxy-and-auto-configure-server-host-and-protocol
+      APACHE_DISABLE_REWRITE_IP: 1
+      TRUSTED_PROXIES: 127.0.0.1
+      OVERWRITECLIURL: "https://{{ nextcloud__fqdn }}/"
+      OVERWRITEHOST: "{{ nextcloud__fqdn }}"
+      OVERWRITEPROTOCOL: "https"
+    
+  db:
+    image: postgres:{{ nextcloud__postgres_version }}
+    restart: unless-stopped
+    networks:
+      - nextcloud
+    volumes:
+      - "./database:/var/lib/postgresql/data"
+    environment:
+      POSTGRES_DB: nextcloud
+      POSTGRES_USER: nextcloud
+      POSTGRES_PASSWORD: "{{ nextcloud__postgres_password }}"
+
+  redis:
+    image: redis:alpine
+    restart: unless-stopped
+    networks:
+      - nextcloud
+
+networks:
+  nextcloud:
+    external: false
--- a/playbooks/roles/nextcloud/templates/nginx_nextcloud.conf.j2
+++ b/playbooks/roles/nextcloud/templates/nginx_nextcloud.conf.j2
@ -0,0 +1,61 @@
+# also see here:
+# - https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
+# - https://nginx.org/en/docs/http/ngx_http_realip_module.html
+server {
+    # Listen on a custom port for the proxy protocol.
+    listen 8443 ssl http2 proxy_protocol;
+    # Make use of the ngx_http_realip_module to set the $remote_addr and
+    # $remote_port to the client address and client port, when using proxy
+    # protocol.
+    # First set our proxy protocol proxy as trusted.
+    set_real_ip_from {{ nextcloud__proxy_protocol_reverse_proxy_ip }};
+    # Then tell the realip_module to get the addreses from the proxy protocol
+    # header.
+    real_ip_header proxy_protocol;
+
+    # This should work, but isn't needed for now.
+    # # Still listen for https on 443 as usual.
+    # listen 443 ssl http2;
+    # #listen [::]:443 ssl http2;
+
+    server_name {{ nextcloud__fqdn }};
+
+    ssl_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ nextcloud__fqdn }}/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/chain.pem;
+
+    # replace with the IP address of your resolver
+    resolver 1.1.1.1;
+
+    # allow uploads of any size
+    client_max_body_size 0;
+
+    location /.well-known/carddav {
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        add_header Strict-Transport-Security "max-age=63072000" always;
+
+        return 301 $scheme://$host/remote.php/dav;
+    }
+
+    location /.well-known/caldav {
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        add_header Strict-Transport-Security "max-age=63072000" always;
+
+        return 301 $scheme://$host/remote.php/dav;
+    }
+
+    location / {
+        proxy_set_header Host $host;
+        # This is https in any case.
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        add_header Strict-Transport-Security "max-age=63072000" always;
+
+        add_header Front-End-Https on;
+        proxy_pass http://127.0.0.1:8080;
+    }
+}