Introduce Nextcloud role and deploy Cloud on Chaosknoten

Co-authored-by: Max <max@mlem.cloud>
2023-08-25 20:50:46 +02:00 · 2023-08-25 20:50:46 +02:00 · 62b4f93218
commit 62b4f93218
parent 112f1990b9
16 changed files with 352 additions and 200 deletions
--- a/playbooks/roles/nextcloud/templates/nginx_nextcloud.conf.j2
+++ b/playbooks/roles/nextcloud/templates/nginx_nextcloud.conf.j2
@ -0,0 +1,61 @@
+# also see here:
+# - https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
+# - https://nginx.org/en/docs/http/ngx_http_realip_module.html
+server {
+    # Listen on a custom port for the proxy protocol.
+    listen 8443 ssl http2 proxy_protocol;
+    # Make use of the ngx_http_realip_module to set the $remote_addr and
+    # $remote_port to the client address and client port, when using proxy
+    # protocol.
+    # First set our proxy protocol proxy as trusted.
+    set_real_ip_from {{ nextcloud__proxy_protocol_reverse_proxy_ip }};
+    # Then tell the realip_module to get the addreses from the proxy protocol
+    # header.
+    real_ip_header proxy_protocol;
+
+    # This should work, but isn't needed for now.
+    # # Still listen for https on 443 as usual.
+    # listen 443 ssl http2;
+    # #listen [::]:443 ssl http2;
+
+    server_name {{ nextcloud__fqdn }};
+
+    ssl_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ nextcloud__fqdn }}/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/chain.pem;
+
+    # replace with the IP address of your resolver
+    resolver 1.1.1.1;
+
+    # allow uploads of any size
+    client_max_body_size 0;
+
+    location /.well-known/carddav {
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        add_header Strict-Transport-Security "max-age=63072000" always;
+
+        return 301 $scheme://$host/remote.php/dav;
+    }
+
+    location /.well-known/caldav {
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        add_header Strict-Transport-Security "max-age=63072000" always;
+
+        return 301 $scheme://$host/remote.php/dav;
+    }
+
+    location / {
+        proxy_set_header Host $host;
+        # This is https in any case.
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        add_header Strict-Transport-Security "max-age=63072000" always;
+
+        add_header Front-End-Https on;
+        proxy_pass http://127.0.0.1:8080;
+    }
+}