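---
# Single-host Nextcloud deployment (run locally with connection: local).
# The roles listed below consume the `vars` defined in this play: the nextcloud,
# postgres and backup roles read `ncloud_db` / `db_configs` / `backup_targets`,
# the nginx role reads `web_sites` / `nginx_conf_http`, and the signaling role
# reads the `signaling_*` keys. Variables such as `users_admin`, `cloud_storage`,
# `cloud_apps`, `ncloud_domain`, `domain_external` and `php_version` are not
# defined here and are presumably supplied by `group_vars/environment.yaml`.
#
# NOTE(review): indentation of this file was reconstructed; the nesting of
# `options` / `locations` under each website entry must match the nginx role's
# expected schema — confirm against the role before relying on it.
- hosts: local
  connection: local
  roles:
    - basis
    - backup
    - docker
    - postgres
    - php
    - signaling
    - nginx
    - nextcloud
    - checkmk
  vars:
    users_local: []
    users: "{{ users_local + users_admin }}"
    fail2ban_activate_modules:
      - sshd
      - nginx
    mount_points:
      - path: "{{ ncloud_data_location }}"
        dev: /dev/sdb

    # NextCloud
    # NOTE(review): the credentials below are placeholders. Keep the real values
    # out of the playbook (e.g. an ansible-vault-encrypted vars file or a secret
    # lookup) so they never land in VCS, and treat any value that was committed
    # as compromised.
    ncloud_db:
      type: pgsql
      name: nextcloud
      user: nextclouduser
      pass: FancyNextcloudDbPasswordVeryLong
    ncloud_admin_user: nextcloudadmin
    ncloud_admin_pass: FancyInitialAdminPasswordVeryLong!
    ncloud_data_location: "{{ cloud_storage }}/nextcloud-data"
    # Port of the notify_push service; only reachable through the /push/ proxy below.
    ncloud_npush_port: 7867
    ncloud_website:
      domain: "{{ ncloud_domain }}"
      letsencrypt: true
      filetag: "cloud.{{ domain_external }}"
      state: present
      owner: ncloud
      port: 80
      # Leading space is intentional: appended verbatim to the listen directive.
      port_options: " ipv6only=on"
      root: "{{ cloud_apps }}/nextcloud/"
      root_setup: false
      index:
        - index.php
        - index.html
        - /index.php$request_uri
      options:
        access_log: "/var/log/nginx/cloud.{{ domain_external }}-access.log"
        error_log: "/var/log/nginx/cloud.{{ domain_external }}-error.log"
        client_max_body_size: 512M
        client_body_timeout: 300s
        fastcgi_buffers: 64 4K
        # Quoted so the YAML 1.1 loader keeps `on` as the string nginx expects
        # instead of turning it into boolean true.
        gzip: "on"
        gzip_vary: "on"
        gzip_min_length: 256
        gzip_proxied: expired no-cache no-store private no_last_modified no_etag auth
        # Fixed "pplication/atom+xml" -> "application/atom+xml"; the misspelled
        # MIME type never matched, so Atom feeds were sent uncompressed.
        gzip_types: application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy
        fastcgi_hide_header: X-Powered-By
        # Security headers. Each header appears exactly once with `always` so it is
        # also sent on error responses; the former second copies without `always`
        # made nginx emit duplicate (and for X-Robots-Tag, conflicting) headers.
        # nginx does not inherit add_header into a location that defines its own
        # add_header, so keep the locations below free of add_header directives.
        add_header:
          - Referrer-Policy "no-referrer" always
          - X-Content-Type-Options "nosniff" always
          - X-Download-Options "noopen" always
          - X-Frame-Options "SAMEORIGIN" always
          - X-Permitted-Cross-Domain-Policies "none" always
          - X-Robots-Tag "none" always
          - X-XSS-Protection "1; mode=block" always
          - Strict-Transport-Security "max-age=15552000; includeSubDomains" always
      locations:
        # Redirect Windows WebDAV clients straight to the DAV endpoint.
        - location: '= /'
          options: |
            if ( $http_user_agent ~ ^DavClnt ) {
              return 302 /remote.php/webdav/$is_args$args;
            }
        - location: '= /robots.txt'
          options: |
            allow all;
            log_not_found off;
            access_log off;
        - location: '^~ /.well-known'
          options: |
            location = /.well-known/carddav { return 301 /remote.php/dav/; }
            location = /.well-known/caldav { return 301 /remote.php/dav/; }
            location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
            location /.well-known/pki-validation { try_files $uri $uri/ =404; }
            return 301 /index.php$request_uri;
        # Never serve internal directories or dotfiles.
        - location: '~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)'
          options: return 404;
        - location: '~ ^/(?:\.|autotest|occ|issue|indie|db_|console)'
          options: return 404;
        - location: '~ \.php(?:$|/)'
          options: |
            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;
            try_files $fastcgi_script_name =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            fastcgi_param HTTPS on;
            fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
            fastcgi_param front_controller_active true; # Enable pretty urls
            fastcgi_pass php;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
            fastcgi_max_temp_file_size 0;
        - location: '~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite)$'
          options: |
            try_files $uri /index.php$request_uri;
            expires 6M; # Cache-Control policy borrowed from `.htaccess`
            access_log off; # Optional: Don't log access to assets
            location ~ \.wasm$ {
              default_type application/wasm;
            }
        - location: '~ \.woff2?$'
          options: |
            try_files $uri /index.php$request_uri;
            expires 7d; # Cache-Control policy borrowed from `.htaccess`
            access_log off; # Optional: Don't log access to assets
        - location: '/remote'
          options: return 301 /remote.php$request_uri;
        # notify_push websocket proxy to the loopback-only service.
        - location: '^~ /push/'
          options: |
            proxy_pass http://127.0.0.1:{{ ncloud_npush_port }}/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        - location: '/'
          options: try_files $uri $uri/ /index.php$request_uri;

    # Signaling Nextcloud
    # The signaling server binds to loopback only; nginx is the sole entry point.
    signaling_listen_host: 127.0.0.1
    signaling_listen_port: 8080
    # NOTE(review): placeholder keys — generate real ones as the signaling
    # documentation describes and store them vault-encrypted, not in this file.
    signaling_janus_api_key: LookUpDocumentationForSettingUpKey
    signaling_hash_key: LookUpDocumentationForSettingUpHashKey
    signaling_block_key: LookUpDocumentationForSettingUpBlockKey
    signaling_ncloud_secret_key: LookUpDocumentationForSettingUpSecretKey
    signaling_backend_name: examplecloud
    signaling_website:
      domain: "signaling.{{ domain_external }}"
      letsencrypt: true
      filetag: "signaling.{{ domain_external }}"
      state: present
      owner: signaling
      port: 80
      root: noroot
      root_setup: false
      index: noindex
      # Emitted before the server block: defines the upstream the locations proxy to.
      pre_options: |
        upstream signaling {
          server {{ signaling_listen_host }}:{{ signaling_listen_port }};
        }
      options:
        access_log: "/var/log/nginx/signaling.{{ domain_external }}-access.log"
        error_log: "/var/log/nginx/signaling.{{ domain_external }}-error.log"
      locations:
        - location: '/standalone-signaling/'
          options: |
            proxy_pass http://signaling/;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        - location: '/standalone-signaling/spreed'
          options: |
            proxy_pass http://signaling/spreed;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Databases
    db_configs:
      - "{{ ncloud_db }}"

    # Websites
    web_sites:
      - "{{ ncloud_website }}"
      - "{{ signaling_website }}"

    # Nginx
    # php-fpm upstream used by the `fastcgi_pass php;` directive above.
    nginx_conf_http_local:
      - |
        upstream php {
          server unix:/run/php/php{{ php_version }}-fpm.sock;
        }
    nginx_conf_http: "{{ nginx_conf_http_local }}"

    # Backup
    # Only type/name of each database are passed on; credentials stay out of the
    # backup configuration. json_query requires the jmespath library on the controller.
    backup_dbs:
      - "{{ db_configs | json_query('[*].{type: type, name: name}') }}"
    backup_targets:
      db: "{{ backup_dbs | flatten }}"
      file:
        - "{{ ncloud_data_location }}"
        - "/etc/letsencrypt"
  vars_files:
    - "group_vars/environment.yaml"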