June
abc738c9c2
All checks were successful
/ Ansible Lint (push) Successful in 1m33s
Because of how Ansible local relative search paths work, the global "files" and "templates" directories need to be next to the playbooks. However its not intuitive to look into the playbooks directory to find the files and templates for a host. Therefore flatten the playbooks directory to get rid of this confusing structure. Also see: https://docs.ansible.com/ansible/latest/playbook_guide/playbook_pathing.html#resolving-local-relative-paths
61 lines
2.3 KiB
Django/Jinja
61 lines
2.3 KiB
Django/Jinja
# also see here:
|
|
# - https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
|
|
# - https://nginx.org/en/docs/http/ngx_http_realip_module.html
|
|
server {
|
|
# Listen on a custom port for the proxy protocol.
|
|
listen 8443 ssl http2 proxy_protocol;
|
|
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
|
# $remote_port to the client address and client port, when using proxy
|
|
# protocol.
|
|
# First set our proxy protocol proxy as trusted.
|
|
set_real_ip_from {{ nextcloud__proxy_protocol_reverse_proxy_ip }};
|
|
# Then tell the realip_module to get the addreses from the proxy protocol
|
|
# header.
|
|
real_ip_header proxy_protocol;
|
|
|
|
# This should work, but isn't needed for now.
|
|
# # Still listen for https on 443 as usual.
|
|
# listen 443 ssl http2;
|
|
# #listen [::]:443 ssl http2;
|
|
|
|
server_name {{ nextcloud__fqdn }};
|
|
|
|
ssl_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/{{ nextcloud__fqdn }}/privkey.pem;
|
|
# verify chain of trust of OCSP response using Root CA and Intermediate certs
|
|
ssl_trusted_certificate /etc/letsencrypt/live/{{ nextcloud__fqdn }}/chain.pem;
|
|
|
|
# replace with the IP address of your resolver
|
|
resolver 1.1.1.1;
|
|
|
|
# allow uploads of any size
|
|
client_max_body_size 0;
|
|
|
|
location /.well-known/carddav {
|
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
|
|
return 301 $scheme://$host/remote.php/dav;
|
|
}
|
|
|
|
location /.well-known/caldav {
|
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
|
|
return 301 $scheme://$host/remote.php/dav;
|
|
}
|
|
|
|
location / {
|
|
proxy_set_header Host $host;
|
|
# This is https in any case.
|
|
proxy_set_header X-Forwarded-Proto https;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
|
|
add_header Front-End-Https on;
|
|
proxy_pass http://127.0.0.1:8080;
|
|
}
|
|
}
|