Introduce Nextcloud role and deploy Cloud on Chaosknoten

Co-authored-by: Max <max@mlem.cloud>
This commit is contained in:
June 2023-08-25 20:50:46 +02:00 committed by julian
parent 112f1990b9
commit 62b4f93218
16 changed files with 352 additions and 200 deletions

View file

@ -1,14 +1,11 @@
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/cloud/compose.yaml.j2') }}"
docker_compose__configuration_files: []
certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains:
- "cloud.hamburg.ccc.de"
nextcloud__config_php: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/cloud/config.php.j2') }}"
nginx__version_spec: ""
nginx__configurations:
- name: cloud.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'chaosknoten/configs/cloud/nginx/cloud.hamburg.ccc.de.conf') }}"
nextcloud__version: 27
nextcloud__postgres_version: 15.3
nextcloud__fqdn: cloud.hamburg.ccc.de
nextcloud__data_dir: /data/nextcloud
nextcloud__admin_password: "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/cloud/admin', create=false, missing='error') }}"
nextcloud__extra_configuration: "{{ lookup('ansible.builtin.template', 'chaosknoten/configs/cloud/extra_configuration.config.php.j2') }}"
nextcloud__use_custom_new_user_skeleton: true
nextcloud__custom_new_user_skeleton_directory: "chaosknoten/cloud/new_user_skeleton_directory/"
nextcloud__postgres_password: "{{ lookup('community.general.passwordstore', 'noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD', create=false, missing='error') }}"
nextcloud__proxy_protocol_reverse_proxy_ip: 172.31.17.140
nextcloud__certbot_acme_account_email_address: le-admin@hamburg.ccc.de

View file

@ -2,7 +2,6 @@ all:
children:
certbot_hosts:
hosts:
cloud:
pad:
keycloak:
engelsystem:
@ -11,7 +10,6 @@ all:
hosts:
cloud:
ansible_host: cloud-intern.hamburg.ccc.de
ansible_port: 42666
ansible_user: chaos
ansible_ssh_common_args: -J ssh://public-reverse-proxy.hamburg.ccc.de:42666
pad:
@ -37,7 +35,6 @@ all:
ansible_ssh_common_args: -J ssh://public-reverse-proxy.hamburg.ccc.de:42666
docker_compose_hosts:
hosts:
cloud:
pad:
keycloak:
engelsystem:
@ -46,7 +43,6 @@ all:
cloud:
nginx_hosts:
hosts:
cloud:
pad:
public-reverse-proxy:
keycloak:

Binary file not shown.

After

Width:  |  Height:  |  Size: 9.7 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 1,007 KiB

View file

@ -0,0 +1,10 @@
# CCCHH Nextcloud
Willkommen auf der CCCHH Nextcloud Instanz.
Hier kannst du Dateien ablegen und teilen, Termine verwalten und vieles mehr.
**Hinweis:** Die Dateien werden (zumindest zur Zeit) nicht verschlüsselt gespeichert.
Weitere Infos:
- <https://docs.nextcloud.com/server/latest/user_manual/de/>

View file

@ -1,134 +0,0 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
upstream nextcloud {
server 127.0.0.1:9000;
}
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
server_name cloud.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/cloud.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cloud.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/cloud.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 443;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
# Hide the X-Forwarded header.
proxy_hide_header X-Forwarded;
# Assume we are the only Reverse Proxy (well using Proxy Protocol, but that
# is transparent).
# Also provide "_hidden" for by, since it's not relevant.
proxy_set_header Forwarded "for=$remote_addr;proto=https;host=$host;by=_hidden";
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root /data/docker/volumes/nextcloud;
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME /var/www/html/index.php;
fastcgi_param PATH_INFO $path_info;
#fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass nextcloud;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|svg|gif)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}

View file

@ -0,0 +1,11 @@
# Role `nextcloud`
A role for deploying Nextcloud.
Note: PostgreSQL upgrades need manual migration steps.
## Links & Resources
- <https://github.com/nextcloud/docker>
- <https://docs.nextcloud.com/server/latest/admin_manual/index.html>
- <https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/cron/apache>

View file

@ -0,0 +1,5 @@
nextcloud__nginx_version_spec: ""
nextcloud__certbot_version_spec: ""
nextcloud__extra_configuration: ""
nextcloud__use_custom_new_user_skeleton: false
nextcloud__custom_new_user_skeleton_directory: ""

View file

@ -0,0 +1,22 @@
[supervisord]
nodaemon=true
logfile=/var/log/supervisord/supervisord.log
pidfile=/var/run/supervisord/supervisord.pid
childlogdir=/var/log/supervisord/
logfile_maxbytes=50MB ; maximum size of logfile before rotation
logfile_backups=10 ; number of backed up logfiles
loglevel=error
[program:apache2]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=apache2-foreground
[program:cron]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=/cron.sh

View file

@ -0,0 +1,63 @@
argument_specs:
main:
options:
nextcloud__version:
description: The version label to use for the Nextcloud Docker image.
type: str
required: true
nextcloud__postgres_version:
description: The version label to use for the PostgreSQL Docker image.
type: str
required: true
nextcloud__nginx_version_spec:
description: The version spec. to pass to nginx to use for the nginx version spec.
type: str
required: false
default: ""
nextcloud__certbot_version_spec:
description: The version spec. to pass to certbot to use for the certbot version spec.
type: str
required: false
default: ""
nextcloud__fqdn:
description: The FQDN to use for Nextcloud.
type: str
required: true
nextcloud__data_dir:
description: The directory where to store the Nextcloud data.
type: str
required: true
nextcloud__admin_password:
description: The password to use for the Admin user.
type: str
required: true
nextcloud__extra_configuration:
description: Additional nextcloud configuration.
type: str
required: false
default: ""
nextcloud__use_custom_new_user_skeleton:
description: >-
Enable to make use of the given custom new user skeleton directory.
type: bool
required: false
default: false
nextcloud__custom_new_user_skeleton_directory:
description: >-
Path of to a custom new user skeleton directory to be used by this
role via ansible.builtin.copy.
type: str
required: false
default: ""
nextcloud__postgres_password:
description: The password to use for the nextcloud PostgreSQL user.
type: str
required: true
nextcloud__proxy_protocol_reverse_proxy_ip:
description: The IP of the reverse proxy to do proxy protocol with.
type: str
required: true
nextcloud__certbot_acme_account_email_address:
description: The E-Mail address to pass to certbot to use for the ACME account.
type: str
required: true

View file

@ -0,0 +1,18 @@
---
dependencies:
- role: certbot
vars:
certbot__version_spec: "{{ nextcloud__certbot_version_spec }}"
certbot__acme_account_email_address: "{{ nextcloud__certbot_acme_account_email_address }}"
certbot__certificate_domains:
- "{{ nextcloud__fqdn }}"
- role: nginx
vars:
nginx__version_spec: "{{ nextcloud__nginx_version_spec }}"
nginx__configurations:
- name: "{{ nextcloud__fqdn }}"
content: "{{ lookup('ansible.builtin.template', 'nginx_nextcloud.conf.j2') }}"
- role: docker_compose
vars:
docker_compose__compose_file_content: "{{ lookup('ansible.builtin.template', 'compose.yaml.j2') }}"
docker_compose__configuration_files: []

View file

@ -1,9 +1,58 @@
---
- name: Nextcloud config
- name: wait for existence of config directory
ansible.builtin.wait_for:
path: /ansible_docker_compose/nextcloud_var_www_html/config
state: present
become: true
- name: extra Nextcloud configuration
ansible.builtin.copy:
content: "{{ nextcloud__config_php }}"
dest: "/data/docker/volumes/nextcloud/config/config.php"
content: "{{ nextcloud__extra_configuration }}"
dest: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_extra_config.config.php
mode: "0644"
owner: www-data
group: www-data
become: true
- name: fail, if nextcloud__use_custom_new_user_skeleton is set, but nextcloud__custom_new_user_skeleton_directory isn't
ansible.builtin.fail:
msg: If you set nextcloud__use_custom_new_user_skeleton, you also need to set nextcloud__custom_new_user_skeleton_directory.
when: nextcloud__use_custom_new_user_skeleton and nextcloud__custom_new_user_skeleton_directory == ""
- name: ensure custom new user skeleton
when: nextcloud__use_custom_new_user_skeleton
block:
- name: ensure `rsync` package is installed
ansible.builtin.apt:
name: rsync
state: present
become: true
- name: ensure custom new user skeleton directory
ansible.posix.synchronize:
src: "{{ nextcloud__custom_new_user_skeleton_directory }}"
dest: /ansible_docker_compose/custom_new_user_skeleton
delete: true
recursive: true
use_ssh_args: true
become: true
- name: ensure custom new user skeleton config
ansible.builtin.copy:
content: |
<?php
$CONFIG = array (
'skeletondirectory' => '/custom_new_user_skeleton'
);
dest: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_custom_new_user_skeleton.config.php
mode: "0644"
owner: www-data
group: www-data
become: true
- name: ensure absence of custom new user skeleton config
ansible.builtin.file:
path: /ansible_docker_compose/nextcloud_var_www_html/config/ansible_nextcloud_custom_new_user_skeleton.config.php
state: absent
become: true
when: not nextcloud__use_custom_new_user_skeleton

View file

@ -0,0 +1,83 @@
---
version: "3.6"
services:
nextcloud:
build:
context: .
# Use the following example for adding cron:
# https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/cron/apache
dockerfile_inline: |
FROM nextcloud:{{ nextcloud__version }}
RUN apt-get update && apt-get install -y \
supervisor \
&& rm -rf /var/lib/apt/lists/* \
&& mkdir /var/log/supervisord /var/run/supervisord
RUN cat <<EOF > /supervisord.conf
{% filter indent(width=8) %}
{{ lookup('ansible.builtin.file', 'supervisord.conf') }}
{% endfilter %}
EOF
ENV NEXTCLOUD_UPDATE=1
CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
restart: unless-stopped
ports:
- "8080:80"
# This is a hotfix until we have a new mail setup and this also really
# doesn't belong into this role, but whatever, it works for now and it's not
# like anyone else really uses this role (or would be bothered by this
# really).
extra_hosts:
- "send-only-mailserver.ccchh.net:185.161.129.132"
depends_on:
- db
- redis
networks:
- nextcloud
volumes:
{% if nextcloud__use_custom_new_user_skeleton %}
- "./custom_new_user_skeleton:/custom_new_user_skeleton"
{% endif %}
- "./nextcloud_var_www_html:/var/www/html"
- "{{ nextcloud__data_dir }}:/var/www/html/data"
environment:
POSTGRES_HOST: db
POSTGRES_DB: nextcloud
POSTGRES_USER: nextcloud
POSTGRES_PASSWORD: "{{ nextcloud__postgres_password }}"
NEXTCLOUD_ADMIN_USER: admin
NEXTCLOUD_ADMIN_PASSWORD: "{{ nextcloud__admin_password }}"
REDIS_HOST: redis
NEXTCLOUD_TRUSTED_DOMAINS: "{{ nextcloud__fqdn }}"
# See here: https://github.com/nextcloud/docker#using-the-apache-image-behind-a-reverse-proxy-and-auto-configure-server-host-and-protocol
APACHE_DISABLE_REWRITE_IP: 1
TRUSTED_PROXIES: 127.0.0.1
OVERWRITECLIURL: "https://{{ nextcloud__fqdn }}/"
OVERWRITEHOST: "{{ nextcloud__fqdn }}"
OVERWRITEPROTOCOL: "https"
db:
image: postgres:{{ nextcloud__postgres_version }}
restart: unless-stopped
networks:
- nextcloud
volumes:
- "./database:/var/lib/postgresql/data"
environment:
POSTGRES_DB: nextcloud
POSTGRES_USER: nextcloud
POSTGRES_PASSWORD: "{{ nextcloud__postgres_password }}"
redis:
image: redis:alpine
restart: unless-stopped
networks:
- nextcloud
networks:
nextcloud:
external: false

View file

@ -0,0 +1,61 @@
# also see here:
# - https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
# - https://nginx.org/en/docs/http/ngx_http_realip_module.html
server {
# Listen on a custom port for the proxy protocol.
listen 8443 ssl http2 proxy_protocol;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from {{ nextcloud__proxy_protocol_reverse_proxy_ip }};
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
# This should work, but isn't needed for now.
# # Still listen for https on 443 as usual.
# listen 443 ssl http2;
# #listen [::]:443 ssl http2;
server_name {{ nextcloud__fqdn }};
ssl_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ nextcloud__fqdn }}/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/chain.pem;
# replace with the IP address of your resolver
resolver 1.1.1.1;
# allow uploads of any size
client_max_body_size 0;
location /.well-known/carddav {
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
return 301 $scheme://$host/remote.php/dav;
}
location / {
proxy_set_header Host $host;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
add_header Front-End-Https on;
proxy_pass http://127.0.0.1:8080;
}
}

View file

@ -1,45 +0,0 @@
---
version: "3.6"
services:
database:
image: docker.io/library/mariadb:11
restart: always
command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
volumes:
- /data/docker/volumes/database:/var/lib/mysql
environment:
- "MYSQL_ROOT_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD", create=false, missing="error") }}"
- "MYSQL_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD", create=false, missing="error") }}"
- "MYSQL_DATABASE=nextcloud"
- "MYSQL_USER=nextcloud"
networks:
backend: {}
app:
image: docker.io/library/nextcloud:25-fpm
restart: always
ports:
- 9000:9000
links:
- database
volumes:
- /data/docker/volumes/nextcloud:/var/www/html
environment:
- "MYSQL_PASSWORD={{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/DB_PASSWORD", create=false, missing="error") }}"
- "MYSQL_DATABASE=nextcloud"
- "MYSQL_USER=nextcloud"
- "MYSQL_HOST=database"
networks:
backend: {}
frontend: {}
volumes: {}
# FIXME: tell Docker to put volumes in /data instead of /var/lib/docker/
#database: {}
#nextcloud: {}
networks:
backend:
internal: true
frontend: {}

View file

@ -0,0 +1,16 @@
<?php
$CONFIG = array (
'default_phone_region' => 'DE',
'hide_login_form' => true,
'mail_smtpmode' => 'smtp',
'mail_smtphost' => 'send-only-mailserver.ccchh.net',
'mail_smtpport' => 465,
'mail_smtpsecure' => 'ssl',
'mail_smtpauth' => true,
'mail_smtpauthtype' => 'LOGIN',
'mail_smtpname' => 'nextcloud',
'mail_from_address' => 'cloud',
'mail_domain' => 'send-only-mail.ccchh.net',
'mail_smtppassword' => '{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/cloud/smtp_password", create=false, missing="error") }}',
'mail_smtpdebug' => true,
);