finalize nextcloud roles

This commit is contained in:
vincent 2020-02-16 16:22:01 +01:00
parent e5117776ef
commit 65a945ea86
5 changed files with 328 additions and 68 deletions


@ -1,31 +1,34 @@
$ANSIBLE_VAULT;1.1;AES256
31363063633762613361346137656161323835326537633830333532316534346630383364313962
6234313430383631306437323466393139303538626161630a623438323662343637313131633561
31343532373764383738323334636238356266663863356135653931356564353132373238633035
6164373637356664640a353134386332666134616465363635646533613439346230396130373630
63356134646466623036383663383833656532373464376361333739306634613735626132313762
31346637653665343966653962633861333133353065633530346235346630666539366464656339
38666136353961353734626562666332633765393234316135353030386637653835313631343161
64313766313061626263363061373332653136386130373037333666376664656639633637646533
39386438656234663335373031343534383336336531623638313036623530346666326534646132
36383430316131616463363964333732643431343962353435396238613537616332666238366136
64363062326666333133353666353966353938376531343263663335613061643665363163303162
38383436613262353739653036663637393639616336326238653831383134623135633738363337
34326666323235343161316232393237366235353563613462663534633764386634623133313135
32623366383130373030353763326362653231643165633937313234396365333038373362323361
32653539636633643666386533333135636363633830393733353439623135653536373965326165
38306263303964343632343862336365373132323561326264616364316331353563653538633239
61623634616632626432303630303837363333613931313965633430393966616264386366366264
65306564326236343531353631356235303138363037626331653865393836626666366437643764
38353534653639316436616561346662333561663333623561393738633339386536326234636165
31663461326538366430313831373233393431656564643332636464356465393931626461393063
34333438653665323363373038633334323034393439616462336138616263323566303337623463
33383664353733383139626633653531666335656566383233363066306565333438626336663066
61386162613164613334353231646238336663353037383333653261373434346634393239646636
65313534616462353631386538373462333863636231343863336436393038353835366331386163
39623837623932393335333063303166643933336330656533373833653965373463643362333939
39356661626362303830646433653264613833393034663132656431663334623339643330353166
64316631313233633231656537376166363232643832313134633232643366353339666366316462
30626134653031626665633761313338663565653561376364643261633534383164366339393431
37616231396331313064646234383664616435383565373762366632383336376339336435383438
3362613166313865333430633637343031353937633934303736
31646137396663666139623964303632363630323437363366623064366435666537623062313239
3034663466323134656430363832663364643935613465380a646532346564613261303030623633
65306634376436613432666531353664303133663939383738333133323235393838353037353939
6138313962346630300a626139613435653862663461306437333539616331323862303166356536
65323632333336616635353138316437343638353233656635313965616636643466613236393837
61643733633030306361373034666332376531393432636434326330316264353365623336616265
64383033653164356339396431353637396366623835623661363361653938656136643866656230
66653632666237346238356232643736333665663337616237663530666131346561623465386638
31336133376330663666643064303436313162343233636566336437323733383563656266616666
30613037656633303665326531366633313262313236376235316363393363376562353030643939
37386539653737356364346463323332376538343939613736666566316130323132613431363466
62633466306163616666343231363663376132383463336461396239323833316230666338613061
36313032616131613962393130376436363061353766373266643035336533646535396437376161
31396530343261383265346466363865653634373965373265373730313038353762333838626661
62663039366631336330346333333832643161396234303963616163313231666332613330613134
36303934653463646237396465623266623438313166613633383136303864666662306361393937
32353338633761303361666161316531343361613730636163623638623832346566376636333464
64303539313935396366313133313265663134613631613532303863353264363664376231636166
36313662363533393731376437303465666265376533393936663865326666353138353339643035
38666162326138386564316661653338316665333861396339396362646163393236666366396662
39656132336630613532643332663530346361393939306265393135303337636332326234376163
65633935313438623936633433343036393938323064303038386266303337626366613630346263
37356166353739366431326530333339346535346366313063353738373363623333653230343764
61653134663339633733316266646435306537366436623962313034306334633439363961383134
65343131336262653863356330633861646665343134396664373164386336346333666164376632
33643163623466633764306535653736383733636538333265656562613538366537326130613131
31666630373865666564636531313238636132626163303162616533333038636531326361613665
36303764663263613830616530313663666264313836643766613335656238643264646639666232
61393038386431366333663632316664666530373965316465313837396662353537383934343238
66643965343738383962633630363035363236306639613331316161656666383465663834323733
61376135613363646335303764623031333161646537623831376636336662323337646330323831
30373163623361393161383861323539663861643530353339386662353761393765616230633332
36323730383436326436643165303466306238396366626231313462383833633463


@ -62,6 +62,16 @@ systemd_mounts:
- gid=100
- vers=3.0
automount: true
diskstation_ebook:
share: //diskstation.ducamps.win/ebook
mount: /mnt/diskstation/ebook
type: cifs
options:
- credentials=/etc/creds/.diskstation_credentials
- uid=http
- gid=100
- vers=3.0
automount: true
systemd_mounts_enabled:
- diskstation_git
- diskstation_music
@ -70,6 +80,7 @@ systemd_mounts_enabled:
- diskstation_home
- diskstation_CardDav
- diskstation_media
- diskstation_ebook
credentials_files:
@ -119,6 +130,10 @@ certbot_certs:
- file.{{domain.name}}
- hass.{{domain.name}}
nginx_upstreams:
- name: PHP-handler
servers:
- unix:/var/run/php-fpm/php-fpm.sock
nginx_vhosts:
- listen: "80"
@ -223,19 +238,114 @@ nginx_vhosts:
}
- listen: "443 ssl"
server_name: "file.{{domain.name}}"
filename: "cloudcommander.conf"
filename: "nextcloud.conf"
state: "present"
template: "{{ nginx_vhost_template }}"
extra_parameters: |
include /etc/nginx/conf.d/{{domain.name}}.ssl;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
proxy_pass http://localhost:8000;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Path to the root of your installation
root /usr/share/webapps/nextcloud/;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location / {
rewrite ^ /index.php$request_uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
#fastcgi_param HTTPS on;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff|svg|gif)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
- listen: "443 ssl"
server_name: "hass.{{domain.name}}"
@ -262,13 +372,19 @@ nginx_vhosts:
}
nginx_realIP_Proxy: 192.168.1.40/24
PHP_ReadWritePaths:
- /usr/share/webapps/nextcloud/apps
- /etc/webapps/nextcloud/config
- /var/nextcloud
- /mnt/diskstation
php_memory_limit: 512M #need for nextcloud be carefull on low memory device
php_extention_enable:
- iconv
- mysqli
- pdo_mysql
- soap
- intl
- gd #need for nextcloud
mysql_root_password: "{{ vault_mysql_root }}"
mysql_root_password_update: true
@ -322,9 +438,23 @@ docker_users: "{{user.name}}"
hass_SQl_target_file: /mnt/diskstation/git/backup/mysql/last/hass.sql
hass_db_password: "{{ vault_mysql_hass }}"
hass_repo: gitea@git.{{ domain.name }}:vincent/HASS_conf.git
hass_repo: "gitea@git.{{ domain.name }}:vincent/HASS_conf.git"
hass_user: "{{user.name}}"
nextcloud_db_password: "{{ vault_mysql_nextcloud }}"
nextcloud_admin_password: "{{ vault_default_password }}"
nextcloud_admin_user: "{{user.name}}"
nextcloud_trusted_domains:
- localhost
- file.ducamps.win
nextcloud_config_options: # additional options to set in config.php
- option: overwrite.cli.url
value: "'https://file.ducamps.win'"
- option: maintenance
value: "false"
- option: loglevel
value: "2"
samba_shares:
- name: hassconfig
path: /var/lib/hass
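Review bot: The Nextcloud admin account is bound to `nextcloud_admin_password: "{{ vault_default_password }}"`, a vault variable whose name suggests a password shared with other services on this host; a dedicated entry such as `nextcloud_admin_password: "{{ vault_nextcloud_admin }}"` keeps a compromise of the web-facing admin login from becoming a credential reused elsewhere (the vault contents are not readable here, so confirm whether it really is shared). In the nextcloud.conf vhost, the `add_header` lines inside `location ~ \.(?:css|js|woff|svg|gif)$` replace everything inherited from the server level, so the `Strict-Transport-Security` header added above the `root` directive is not emitted on those asset responses; repeat the HSTS line in that block or move the shared headers into an included snippet so they cannot drift apart. `PHP_ReadWritePaths` also grants `/mnt/diskstation` as a whole rather than the new `/mnt/diskstation/ebook` mount that this commit adds; if that list becomes the php-fpm unit's writable paths as its name suggests, the git/backup and home shares become writable by the web application, so narrow it to the shares Nextcloud actually serves.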


@ -10,7 +10,23 @@ gitea_root_url: http://vmas-hml:3000
chainetv_repo_branch: master
nextcloud_trusted_domains:
- localhost
- vmas-hml
nextcloud_config_options: # additional options to set in config.php
- option: overwrite.cli.url
value: "'https://vmas-hml'"
- option: maintenance
value: "false"
- option: loglevel
value: "2"
certbot_create_if_missing: false
nginx_upstreams:
- name: PHP-handler
servers:
- unix:/var/run/php-fpm/php-fpm.sock
nginx_vhosts:
- listen: "80"
@ -23,35 +39,130 @@ nginx_vhosts:
location = /50x.html {
root /usr/share/nginx/html;
}
location / {
rewrite ^/.well-known/carddav /radicale/$remote_user/carddav/ redirect;
rewrite ^/.well-known/caldav /radicale/$remote_user/caldav/ redirect;
index index.php index.html index.htm ;
default_type text/html;
root /usr/share/nginx/html;
}
location =/ {
rewrite ^ /starter;
}
location /radicale/
{
# The trailing / is important!
proxy_pass http://localhost:5232/; # The / is important!
proxy_set_header X-Script-Name /radicale;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Authorization;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;
location =/ {
rewrite ^ /starter;
}
location / {
rewrite ^/.well-known/carddav /radicale/$remote_user/carddav/ redirect;
rewrite ^/.well-known/caldav /radicale/$remote_user/caldav/ redirect;
location ~ \.php$ {
# try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_read_timeout 800;
fastcgi_index index.php;
index index.php index.html index.htm ;
default_type text/html;
}
location /radicale/
{
# The trailing / is important!
proxy_pass http://localhost:5232/; # The / is important!
proxy_set_header X-Script-Name /radicale;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Authorization;
}
location ~ \.php$ {
# try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_read_timeout 800;
fastcgi_index index.php;
include fastcgi_params;
}
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
# set max upload size
location ^~ /nextcloud {
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location /nextcloud {
rewrite ^ /nextcloud/index.php$request_uri;
}
location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
#fastcgi_param HTTPS on;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
include /etc/nginx/conf.d/*.default;
location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff|svg|gif)$ {
try_files $uri /nextcloud/index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /nextcloud/index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
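Review bot: The generic `location ~ \.php$` handler keeps `# try_files $uri =404;` commented out while using `fastcgi_split_path_info`, so a request like `/uploads/image.png/x.php` is handed to php-fpm with `SCRIPT_FILENAME` pointing at a non-PHP file, and whether that gets executed is then decided by `cgi.fix_pathinfo` and php-fpm's `security.limit_extensions` default rather than by this config; re-enabling `try_files $uri =404;` closes it at the nginx layer regardless of PHP settings. The handler appears twice, nested inside `location /` (without `include fastcgi_params`) and at the top level (with it); since top-level regex locations are tested before the nested ones of a prefix match, only one of them can ever be reached, and which copy survives this commit is not certain from the rendered view, so keep a single handler and give it the `include`. The `^~ /nextcloud` prefix block is unaffected because `^~` stops the regex search, so the Nextcloud-specific deny rules and script whitelist do apply to that path; the concern is only PHP files elsewhere under the document root.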

16
nextcloud.yml Normal file

@ -0,0 +1,16 @@
---
- hosts: server
pre_tasks:
- name: install terminfo
pacman:
state: present # not required. choices: absent;latest;present. Desired state of the package.
name:
- termite-terminfo # not required. Name or list of names of the packages to install, upgrade, or remove.
become: yes
roles:
- {role: nginx, become: yes }
- {role: mariadb, become: yes }
- nextcloud
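Review bot: The `nextcloud` role runs without `become` while `nginx` and `mariadb` are given `become: yes`, and nothing in this play shows how the role writes to `/usr/share/webapps/nextcloud/` or `/etc/webapps/nextcloud/config` (the paths the host_vars reference), so confirm whether the role escalates internally or the entry should read `- {role: nextcloud, become: true }`. The `termite-terminfo` pre-task is unrelated to Nextcloud and carries editor-generated `# not required. choices: ...` comments; either drop the task from this play or replace the comments with the actual reason it is needed here. Prefer `true` over `yes` for booleans so yamllint's truthy check and YAML 1.2 parsers agree with Ansible's reading.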


@ -19,8 +19,8 @@
- {role: nginx, become: yes }
- {role: mariadb, become: yes }
- {role: radicale , become: yes }
- cloud-commander
- php
- nextcloud
- tt-rss
- gitea
- supysonic
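Review bot: Nothing in this play stops or disables whatever the dropped `cloud-commander` role had installed on the host; if it ran as a service on port 8000 (the backend the removed `proxy_pass http://localhost:8000` pointed at), it stays running and listening after this play until it is explicitly stopped, so a one-off cleanup task or a documented manual step is needed alongside the role swap. Also confirm that listing `- nextcloud` without `become`, unlike `nginx`, `mariadb` and `radicale` above it, is intentional for this role.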