Merge branch 'master' into postgress

update with new password
vincent 2020-09-13 11:57:05 +02:00
commit 2340fcc1d5
5 changed files with 281 additions and 281 deletions


@ -1,36 +1,46 @@
$ANSIBLE_VAULT;1.1;AES256
63626538383032666638383262616361666437373233393963313763393437306366396137326334
6266303033663166326638653463616231623032336333380a356564623531383963353130663866
66306431386336363938656636386162376464373931333635656561623465356637656238356562
6430343263396639610a353237333065613530636539326131363362333836626262346138346639
34353965313365353038303165643363303861626461663932333537363138313937323465626131
63666337323330663336373739333734366338653838616366613731373535363366323263343763
61316665333965656263633835316339643166393363633565643035376233363066393934333732
37653538666266366430613865336534356139656434653332326166643435333935306563373930
66326531373138333537656434343037643438646330336536353832326163393561316635333934
62383766633735343263303863353364653137363833636533613538363566326639386664393466
64353231353430336636383139616661333638323439306237623662373730393337643634336362
30623566303432653935656134353736316162383333346437643763663538326265343636643566
32616433386130616333633535613735376238663931303737326336393932646532333931306530
33643433626238626661316536643262396164356364643263323161323566626266343637376163
65643839646535343465313434396661336665313066313964386662666336616333653961613362
38343362363666646535333233633437366332336262393465633736306565343665386463613535
34346338616161386234313466653438303466343638626666633734626238643162393536656130
62313863313835373064343335383963363961656634636332393130656438623236373532323837
39613834393763656439333132366364303232373734356436353338646435313965646432396338
35663865306165373734373362626264383239626562316238613431616535306665343562356331
37303330323931626331396130393336343638646632376262383239313365313138633036353361
39333332333134316534643665343033623333626438326332396162316233653265643762663965
36373939316535653164336534663935346630626534313931343531333838326431343264306434
66623739646531313230633138303035363131366365346239616534643739316235343331336532
66386239623433336639376135343766326139663635656634373434333061636530303339613430
37613835656563323534366234383465356662333533326239303365316365663161333631313730
63373433353139383461303263633831656138383433643062386532646636633038393438373963
39316262336436306165623633333837653936396534336466323231646532633166376263633931
37383539333763356136343839653961336636303330336331306263353633626665313139343465
61353732626537656431363937333832346565653235623639376165363062303030373534383837
61333965306131663663306532656435646465646530646536343539643366616434373634313332
34386336623938366531313237353833346634326235636662623964333462386239656336303864
33306162306234303362306265663332613134623764613134653337646635346233333539663238
62386232366466356232353435633266613432633861366166373563383363323436333639623764
666363323165636465663039633537316361
30303966663337633965666566316432656266366263653830626366356335393063363037303262
6635356366326532376633643230333238636264316439660a643035626339643630373339353237
61653233623261613636636664386561363534613365373234353530633032343230333435323739
6436356333396665350a626363373465626435663835376431363530366436653633393132666633
63346631653438326164363138346464326130613537303665633630336261393535396132396665
30356338626138346661333736623463353235393039323137636562386239326138623838656135
37376336356334313762626364353739623933363832616332643132663338383833393234643532
33633036363164356236363433353563363635336561363761656561636665656336643761343431
66386263336636616433306332343337303966333566636338333466373937326132613363356561
32663033316231383436333662383038306363366661393032373963643034626433383939353434
31636133633537383664323934663962643661643135623263363235633330346532323330663763
36303033363264373836333731663335616333666430363966303836643230653837613538613933
62323363663238333764636236343466626330653265656537323533326139343336623061666463
31386262646638626565653934616564623931336331663039646562653031613935363435313861
30663639363534343662663238626630316664396439333635636333613034323731653465656430
39383531353436386464333462396139663739643231353361333361373136653339373765653234
64336336646531363364303136396537306434663635353963663063346230333639323961396666
64353036306339633635333531376164353366643365623130623263633838663737326138363763
37653563613262336264306232386464633835303539353438316632393234343966373436336465
63386264346363356331323863636665656665646262626163303336353936303063346137623635
62393430666535666261643331623735643633613362363366383138623430353262643738623936
38323964343138353566363961313062336433373463626136656336313665613233383035343538
34613562343230316632303332653461366632633830393438323638303539653833336336376563
35303438346631303932666136633139666230666338383336626630336236383936633565613032
34356162343237616639393430646439346162373765656165313364343065633464623232353864
38303637643637633663333931623663646132336166393565303065623966376264326230373264
36343266613062663836303732393633333938363138366365653739353239366563303333316537
66396132316463646435363164333134666335646336613436373036636366326563616238376565
38306434663163316632616339633066346365346462303966616263643436636534313233303364
32353266353433336237316664393532616465663432393935356563356465616361653630663630
61313964363263376438653465366537393537353431373862356134326432363335323165313232
30346530323832363365336562316637383662333164303861366262346165313930383462393733
34643738343163633164303164366665613863373130313234363964663438346661653834663831
35393362376330363165623030643135313335303564326162343765343237303535373831623363
36666364653061616433343931363866656435643131633163613432376135313561356639313266
63373630646436653338313734656161623061383166353634366364343033666666636239393765
33303833323439636234326561306638326537356565363164346663303038616531643762363135
65393366663735363133313933643961306230393833323064336139613533316261363433333432
61653362643331643030393534636133336133373439336534616235326535623463656439643632
30343166666563346637356333623566353039336133373531383436363533323330323432356365
64343738326261656134663437643438623164313638383435636263663335383234366631653465
34326166343830363435363964633535313633323735346163633865623166313066393031303537
36623035623238366265656266336164343965613132323335336166613332656363646664396361
66366337383166656162343136353935336461626639353533333465623566316163393839366433
37373964636337366235643038626366303364316634366537393865653565393133


@ -73,7 +73,7 @@ credentials_files:
type: smb
path: /etc/creds/.diskstation_credentials
username: admin
password: "{{ vault_default_password }}"
password: "{{ vault_diskstation_admin }}"
syncthing_address: "0.0.0.0:8384"
syncthing_gui_user: "{{user.name}}"
@ -82,7 +82,7 @@ syncthing_gui_password: $2a$10$nJZ8YN/1mB84Cbi79BKka.6SFMAKF.CBwyCNJDA9qUgXdkcuB
notification_mail: "{{inventory_hostname}}@{{ domain.name }}"
msmtp_mailhub: smtp.{{ domain.name }}
msmtp_auth_user: "{{ user.mail }}"
msmtp_auth_pass: "{{ vault_default_password }}"
msmtp_auth_pass: "{{ vault_email_password }}"
rsynclocations:
- name: backup nas
@ -440,7 +440,7 @@ hass_users: "{{user.name}}"
nextcloud_SQl_target_file: /mnt/diskstation/git/backup/mysql/last/nextcloud.sql
nextcloud_db_password: "{{ vault_mysql_nextcloud }}"
nextcloud_admin_password: "{{ vault_default_password }}"
nextcloud_admin_password: "{{ vault_nextcloud_admin }}"
nextcloud_admin_user: "{{user.name}}"
nextcloud_trusted_domains:
- localhost
@ -465,7 +465,7 @@ samba_shares:
write_list: "{{user.name}}"
samba_users:
- name: "{{user.name}}"
password: "{{ vault_default_password }}"
password: "{{ vault_smb_user }}"
keystodeploy:
- name: juicessh with password
@ -475,6 +475,6 @@ keystodeploy:
- name: zen-pc
sshkey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCYHkEIa38p3e4+m/LScHm8Ei7H2X/pDksjVAzoJ4fHr8oXc6DKkC8SWwMnh3L4WzWBhfTbzwUgFTNpsxhp/UyJf+fdzmzetlbVlYSuA6yWuSmgMeFbXFImhZ+Sn3i59hLeqAAyrkQLjba2waehdEsuOQ/AGoDbMYm38Xf9Wka/1YIeUPE4gLeLvymRnGw7BSug6Unycy52WlFAquollObOvc7tNiX0uLDh81Dp0KZhqWRs75hfmQ9du4g4uNhFLiF11hOGNgj3PWV+nWe8GWNQYVUBChWX1dsP8ct/ahG9IFXSPEaFD1IZeFp29u2ln3mgKkBtcRTRe1e3CLQqiRsUq2aixVFbSgFMFgGSUiNGNqKR4f9DeyJrYBplSj6HXjWoBny4Wm8+yfk8qR2RtQpS6AUu81xtKnXOaj9Q5VZO3kVF0U3EXHAZutTYDj9mDlhLSBS7x7hmrkRBbIy7adSx9Gx5Ck3/RllqG6KD+LdJa4I0pUTRNetpLpYDeZpwjnDP1r7udaSQMyRMH5YKLzhtHqIV/imn9QO4KCxNxTgwxt9ho6HDvlDGERCxm+yeHUu3CPyq2ZGSF5HHsYTGUtYvQw4JfQyw/5DrZ7IIdU1e7ZuaE3h/NvFgKJPVTP52nmUtIW7pIOkHpn9mddjm/oKMayOzMspLn9HLFVbqi7A5Xw== vincent@zen-pc
pihole_admin_password: "{{ vault_default_password }}"
pihole_admin_password: "{{ vault_pihole_admin }}"
pihole_local_resolver: 192.168.1.10
pihole_local_domain: "{{ domain.name }}"
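Review bot: `syncthing_gui_password` is still kept as a bcrypt hash in this plain-text vars file (it shows in the header of the `msmtp_auth_pass` hunk), while every other secret touched in this section now comes from the vault. Anyone with read access to the repository can run offline guessing against a committed hash, and if that GUI password was the old shared default, this commit does not rotate it. Consider moving the value into the vault, for example `syncthing_gui_password: "{{ vault_syncthing_gui }}"` (the variable name is only a suggestion). It is also worth confirming that nothing references `vault_default_password` any more once the per-service values are deployed. The syncthing line lies outside the changed lines, so its surrounding context is not visible here.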


@ -74,12 +74,12 @@ credentials_files:
type: smb
path: /etc/creds/.diskstation_credentials
username: admin
password: "{{ vault_default_password }}"
password: "{{ vault_diskstation_admin }}"
2:
type: smb
path: /etc/creds/.oscar_credentials
username: "{{user.name}}"
password: "{{ vault_default_password }}"
password: "{{ vault_smb_user }}"
keystodeploy:
- name: juicessh without password
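Review bot: The first `credentials_files` entry still mounts the diskstation share as `username: admin`, so the NAS administrator password (`vault_diskstation_admin`) is presumably written to `/etc/creds/.diskstation_credentials` on every host that applies these vars. A dedicated low-privilege SMB account, like the one the second entry uses with `vault_smb_user`, would limit what a read of that file exposes. The same `admin` entry appears in the first hunk of the previous vars file. The mode and owner of the generated credentials files are not visible in this section and are worth confirming as root-only.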


@ -12,7 +12,7 @@ nextcloud_trusted_domains:
- vmas-build
nextcloud_config_options: # additional options to set in config.php
- option: overwrite.cli.url
value: "'https://vmas-build'"
value: "'http://vmas-build'"
- option: maintenance
value: "false"
- option: loglevel
@ -20,6 +20,7 @@ nextcloud_config_options: # additional options to set in config.php
nginx_vhosts:
- listen: "80"
server_name: "_"
@ -27,134 +28,129 @@ nginx_vhosts:
state: "present"
template: "{{ nginx_vhost_template }}"
extra_parameters: |
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
fastcgi_hide_header X-Powered-By;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
root /usr/share/nginx/html;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;
location =/ {
rewrite ^ /starter;
}
location / {
rewrite ^/.well-known/carddav /radicale/$remote_user/carddav/ redirect;
rewrite ^/.well-known/caldav /radicale/$remote_user/caldav/ redirect;
index index.php index.html index.htm ;
default_type text/html;
}
location /radicale/
{
# The trailing / is important!
proxy_pass http://localhost:5232/; # The / is important!
proxy_set_header X-Script-Name /radicale;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Authorization;
}
location ~ \.php$ {
# try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_read_timeout 800;
fastcgi_index index.php;
include fastcgi_params;
}
location =/ {
rewrite ^ /starter;
}
location / {
rewrite ^/.well-known/carddav /radicale/$remote_user/carddav/ redirect;
rewrite ^/.well-known/caldav /radicale/$remote_user/caldav/ redirect;
index index.php index.html index.htm ;
default_type text/html;
}
location /radicale/
{
# The trailing / is important!
proxy_pass http://localhost:5232/; # The / is important!
proxy_set_header X-Script-Name /radicale;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Authorization;
}
location ~ \.php$ {
# try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_read_timeout 800;
fastcgi_index index.php;
include fastcgi_params;
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
}
# set max upload size
location /.well-known/acme-challenge { }
location ^~ /nextcloud {
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location /nextcloud {
rewrite ^ /nextcloud/index.php$request_uri;
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location /nextcloud {
rewrite ^ /nextcloud/index.php;
}
location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
#fastcgi_param HTTPS on;
# Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^\/nextcloud\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
location ~ ^\/nextcloud\/.+[^\/]\.(?:css|js|woff2?|svg|gif|map)$ {
try_files $uri /nextcloud/index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
access_log off;
}
location ~ ^\/nextcloud\/.+[^\/]\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /nextcloud/index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
#fastcgi_param HTTPS on;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff|svg|gif)$ {
try_files $uri /nextcloud/index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /nextcloud/index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
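Review bot: The flattened Nextcloud locations appear to lose their protection for URIs ending in `.php`. With the `location ^~ /nextcloud {` wrapper gone, nginx evaluates server-level regex locations in file order, and the generic `location ~ \.php$` is listed before `location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/`. A request under `/nextcloud/` that ends in `.php` would therefore be handled by the generic PHP block (and its `unix:/run/php-fpm/php-fpm.sock` upstream) and never reach the `deny all` rules or the `php-handler` block. Either keep the `location ^~ /nextcloud {` wrapper around the Nextcloud regex blocks, or move `location ~ \.php$` below them. The old/new markers are lost on this page, so this reading of the new side is inferred from the layout; the same structure appears in the next file section.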


@ -33,134 +33,128 @@ nginx_vhosts:
state: "present"
template: "{{ nginx_vhost_template }}"
extra_parameters: |
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
fastcgi_hide_header X-Powered-By;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
root /usr/share/nginx/html;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;
location =/ {
rewrite ^ /starter;
}
location / {
rewrite ^/.well-known/carddav /radicale/$remote_user/carddav/ redirect;
rewrite ^/.well-known/caldav /radicale/$remote_user/caldav/ redirect;
index index.php index.html index.htm ;
default_type text/html;
}
location /radicale/
{
# The trailing / is important!
proxy_pass http://localhost:5232/; # The / is important!
proxy_set_header X-Script-Name /radicale;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Authorization;
}
location ~ \.php$ {
# try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_read_timeout 800;
fastcgi_index index.php;
include fastcgi_params;
}
location =/ {
rewrite ^ /starter;
}
location / {
rewrite ^/.well-known/carddav /radicale/$remote_user/carddav/ redirect;
rewrite ^/.well-known/caldav /radicale/$remote_user/caldav/ redirect;
index index.php index.html index.htm ;
default_type text/html;
}
location /radicale/
{
# The trailing / is important!
proxy_pass http://localhost:5232/; # The / is important!
proxy_set_header X-Script-Name /radicale;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Authorization;
}
location ~ \.php$ {
# try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_read_timeout 800;
fastcgi_index index.php;
include fastcgi_params;
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
}
# set max upload size
location /.well-known/acme-challenge { }
location ^~ /nextcloud {
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location /nextcloud {
rewrite ^ /nextcloud/index.php$request_uri;
}
location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
#fastcgi_param HTTPS on;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff|svg|gif)$ {
try_files $uri /nextcloud/index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /nextcloud/index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location /nextcloud {
rewrite ^ /nextcloud/index.php;
}
location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
#fastcgi_param HTTPS on;
# Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^\/nextcloud\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
location ~ ^\/nextcloud\/.+[^\/]\.(?:css|js|woff2?|svg|gif|map)$ {
try_files $uri /nextcloud/index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
access_log off;
}
location ~ ^\/nextcloud\/.+[^\/]\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
try_files $uri /nextcloud/index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
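Review bot: The generic `location ~ \.php$` block passes every URI ending in `.php` to php-fpm without checking that the script exists, because `# try_files $uri =404;` is commented out while `fastcgi_split_path_info` is active. The Nextcloud PHP block in this same section already guards against that with `try_files $fastcgi_script_name =404;`, and the generic block should carry the same line after `fastcgi_split_path_info`. This block looks like unchanged context printed twice, and the preceding vars file contains it as well, so the fix applies to both files.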