finalize nextcloud roles
This commit is contained in:
parent
e5117776ef
commit
65a945ea86
@ -1,31 +1,34 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
31363063633762613361346137656161323835326537633830333532316534346630383364313962
|
||||
6234313430383631306437323466393139303538626161630a623438323662343637313131633561
|
||||
31343532373764383738323334636238356266663863356135653931356564353132373238633035
|
||||
6164373637356664640a353134386332666134616465363635646533613439346230396130373630
|
||||
63356134646466623036383663383833656532373464376361333739306634613735626132313762
|
||||
31346637653665343966653962633861333133353065633530346235346630666539366464656339
|
||||
38666136353961353734626562666332633765393234316135353030386637653835313631343161
|
||||
64313766313061626263363061373332653136386130373037333666376664656639633637646533
|
||||
39386438656234663335373031343534383336336531623638313036623530346666326534646132
|
||||
36383430316131616463363964333732643431343962353435396238613537616332666238366136
|
||||
64363062326666333133353666353966353938376531343263663335613061643665363163303162
|
||||
38383436613262353739653036663637393639616336326238653831383134623135633738363337
|
||||
34326666323235343161316232393237366235353563613462663534633764386634623133313135
|
||||
32623366383130373030353763326362653231643165633937313234396365333038373362323361
|
||||
32653539636633643666386533333135636363633830393733353439623135653536373965326165
|
||||
38306263303964343632343862336365373132323561326264616364316331353563653538633239
|
||||
61623634616632626432303630303837363333613931313965633430393966616264386366366264
|
||||
65306564326236343531353631356235303138363037626331653865393836626666366437643764
|
||||
38353534653639316436616561346662333561663333623561393738633339386536326234636165
|
||||
31663461326538366430313831373233393431656564643332636464356465393931626461393063
|
||||
34333438653665323363373038633334323034393439616462336138616263323566303337623463
|
||||
33383664353733383139626633653531666335656566383233363066306565333438626336663066
|
||||
61386162613164613334353231646238336663353037383333653261373434346634393239646636
|
||||
65313534616462353631386538373462333863636231343863336436393038353835366331386163
|
||||
39623837623932393335333063303166643933336330656533373833653965373463643362333939
|
||||
39356661626362303830646433653264613833393034663132656431663334623339643330353166
|
||||
64316631313233633231656537376166363232643832313134633232643366353339666366316462
|
||||
30626134653031626665633761313338663565653561376364643261633534383164366339393431
|
||||
37616231396331313064646234383664616435383565373762366632383336376339336435383438
|
||||
3362613166313865333430633637343031353937633934303736
|
||||
31646137396663666139623964303632363630323437363366623064366435666537623062313239
|
||||
3034663466323134656430363832663364643935613465380a646532346564613261303030623633
|
||||
65306634376436613432666531353664303133663939383738333133323235393838353037353939
|
||||
6138313962346630300a626139613435653862663461306437333539616331323862303166356536
|
||||
65323632333336616635353138316437343638353233656635313965616636643466613236393837
|
||||
61643733633030306361373034666332376531393432636434326330316264353365623336616265
|
||||
64383033653164356339396431353637396366623835623661363361653938656136643866656230
|
||||
66653632666237346238356232643736333665663337616237663530666131346561623465386638
|
||||
31336133376330663666643064303436313162343233636566336437323733383563656266616666
|
||||
30613037656633303665326531366633313262313236376235316363393363376562353030643939
|
||||
37386539653737356364346463323332376538343939613736666566316130323132613431363466
|
||||
62633466306163616666343231363663376132383463336461396239323833316230666338613061
|
||||
36313032616131613962393130376436363061353766373266643035336533646535396437376161
|
||||
31396530343261383265346466363865653634373965373265373730313038353762333838626661
|
||||
62663039366631336330346333333832643161396234303963616163313231666332613330613134
|
||||
36303934653463646237396465623266623438313166613633383136303864666662306361393937
|
||||
32353338633761303361666161316531343361613730636163623638623832346566376636333464
|
||||
64303539313935396366313133313265663134613631613532303863353264363664376231636166
|
||||
36313662363533393731376437303465666265376533393936663865326666353138353339643035
|
||||
38666162326138386564316661653338316665333861396339396362646163393236666366396662
|
||||
39656132336630613532643332663530346361393939306265393135303337636332326234376163
|
||||
65633935313438623936633433343036393938323064303038386266303337626366613630346263
|
||||
37356166353739366431326530333339346535346366313063353738373363623333653230343764
|
||||
61653134663339633733316266646435306537366436623962313034306334633439363961383134
|
||||
65343131336262653863356330633861646665343134396664373164386336346333666164376632
|
||||
33643163623466633764306535653736383733636538333265656562613538366537326130613131
|
||||
31666630373865666564636531313238636132626163303162616533333038636531326361613665
|
||||
36303764663263613830616530313663666264313836643766613335656238643264646639666232
|
||||
61393038386431366333663632316664666530373965316465313837396662353537383934343238
|
||||
66643965343738383962633630363035363236306639613331316161656666383465663834323733
|
||||
61376135613363646335303764623031333161646537623831376636336662323337646330323831
|
||||
30373163623361393161383861323539663861643530353339386662353761393765616230633332
|
||||
36323730383436326436643165303466306238396366626231313462383833633463
|
||||
|
@ -62,6 +62,16 @@ systemd_mounts:
|
||||
- gid=100
|
||||
- vers=3.0
|
||||
automount: true
|
||||
diskstation_ebook:
|
||||
share: //diskstation.ducamps.win/ebook
|
||||
mount: /mnt/diskstation/ebook
|
||||
type: cifs
|
||||
options:
|
||||
- credentials=/etc/creds/.diskstation_credentials
|
||||
- uid=http
|
||||
- gid=100
|
||||
- vers=3.0
|
||||
automount: true
|
||||
systemd_mounts_enabled:
|
||||
- diskstation_git
|
||||
- diskstation_music
|
||||
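Review bot: The new `diskstation_ebook` mount maps every file on the share to `uid=http`, the account php-fpm runs as, and a later hunk of this commit adds `/mnt/diskstation` to `PHP_ReadWritePaths`, so the PHP workers end up with write access to the whole share. If Nextcloud only needs to read the ebooks, add `- ro` to the options; otherwise `- noexec` at least keeps anything written there from being run directly from the mount. The rendering dropped indentation, so the exact nesting of the new options list is inferred from the sibling mounts above it.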
@ -70,6 +80,7 @@ systemd_mounts_enabled:
|
||||
- diskstation_home
|
||||
- diskstation_CardDav
|
||||
- diskstation_media
|
||||
- diskstation_ebook
|
||||
|
||||
|
||||
credentials_files:
|
||||
@ -119,6 +130,10 @@ certbot_certs:
|
||||
- file.{{domain.name}}
|
||||
- hass.{{domain.name}}
|
||||
|
||||
nginx_upstreams:
|
||||
- name: PHP-handler
|
||||
servers:
|
||||
- unix:/var/run/php-fpm/php-fpm.sock
|
||||
|
||||
nginx_vhosts:
|
||||
- listen: "80"
|
||||
@ -223,19 +238,114 @@ nginx_vhosts:
|
||||
}
|
||||
- listen: "443 ssl"
|
||||
server_name: "file.{{domain.name}}"
|
||||
filename: "cloudcommander.conf"
|
||||
filename: "nextcloud.conf"
|
||||
state: "present"
|
||||
template: "{{ nginx_vhost_template }}"
|
||||
extra_parameters: |
|
||||
include /etc/nginx/conf.d/{{domain.name}}.ssl;
|
||||
location / {
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-Host $host:$server_port;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||
proxy_pass http://localhost:8000;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-Robots-Tag none;
|
||||
add_header X-Download-Options noopen;
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
|
||||
# Path to the root of your installation
|
||||
root /usr/share/webapps/nextcloud/;
|
||||
|
||||
location = /robots.txt {
|
||||
allow all;
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# The following 2 rules are only needed for the user_webfinger app.
|
||||
# Uncomment it if you're planning to use this app.
|
||||
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
|
||||
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
|
||||
# last;
|
||||
|
||||
location = /.well-known/carddav {
|
||||
return 301 $scheme://$host/remote.php/dav;
|
||||
}
|
||||
location = /.well-known/caldav {
|
||||
return 301 $scheme://$host/remote.php/dav;
|
||||
}
|
||||
|
||||
# set max upload size
|
||||
client_max_body_size 512M;
|
||||
fastcgi_buffers 64 4K;
|
||||
|
||||
# Enable gzip but do not remove ETag headers
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
gzip_comp_level 4;
|
||||
gzip_min_length 256;
|
||||
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
|
||||
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
|
||||
|
||||
# Uncomment if your server is build with the ngx_pagespeed module
|
||||
# This module is currently not supported.
|
||||
#pagespeed off;
|
||||
|
||||
location / {
|
||||
rewrite ^ /index.php$request_uri;
|
||||
}
|
||||
|
||||
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
|
||||
deny all;
|
||||
}
|
||||
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
|
||||
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
#fastcgi_param HTTPS on;
|
||||
#Avoid sending the security headers twice
|
||||
fastcgi_param modHeadersAvailable true;
|
||||
fastcgi_param front_controller_active true;
|
||||
fastcgi_pass php-handler;
|
||||
fastcgi_intercept_errors on;
|
||||
fastcgi_request_buffering off;
|
||||
}
|
||||
|
||||
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
|
||||
try_files $uri/ =404;
|
||||
index index.php;
|
||||
}
|
||||
|
||||
# Adding the cache control header for js and css files
|
||||
# Make sure it is BELOW the PHP block
|
||||
location ~ \.(?:css|js|woff|svg|gif)$ {
|
||||
try_files $uri /index.php$request_uri;
|
||||
add_header Cache-Control "public, max-age=15778463";
|
||||
# Add headers to serve security related headers (It is intended to
|
||||
# have those duplicated to the ones above)
|
||||
# Before enabling Strict-Transport-Security headers please read into
|
||||
# this topic first.
|
||||
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
||||
#
|
||||
# WARNING: Only add the preload option once you read about
|
||||
# the consequences in https://hstspreload.org/. This option
|
||||
# will add the domain to a hardcoded list that is shipped
|
||||
# in all major browsers and getting removed from this list
|
||||
# could take several months.
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-Robots-Tag none;
|
||||
add_header X-Download-Options noopen;
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
# Optional: Don't log access to assets
|
||||
access_log off;
|
||||
}
|
||||
|
||||
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
|
||||
try_files $uri /index.php$request_uri;
|
||||
# Optional: Don't log access to other assets
|
||||
access_log off;
|
||||
}
|
||||
- listen: "443 ssl"
|
||||
server_name: "hass.{{domain.name}}"
|
||||
@ -262,13 +372,19 @@ nginx_vhosts:
|
||||
}
|
||||
|
||||
nginx_realIP_Proxy: 192.168.1.40/24
|
||||
|
||||
PHP_ReadWritePaths:
|
||||
- /usr/share/webapps/nextcloud/apps
|
||||
- /etc/webapps/nextcloud/config
|
||||
- /var/nextcloud
|
||||
- /mnt/diskstation
|
||||
php_memory_limit: 512M #need for nextcloud be carefull on low memory device
|
||||
php_extention_enable:
|
||||
- iconv
|
||||
- mysqli
|
||||
- pdo_mysql
|
||||
- soap
|
||||
- intl
|
||||
- gd #need for nextcloud
|
||||
|
||||
mysql_root_password: "{{ vault_mysql_root }}"
|
||||
mysql_root_password_update: true
|
||||
@ -322,9 +438,23 @@ docker_users: "{{user.name}}"
|
||||
|
||||
hass_SQl_target_file: /mnt/diskstation/git/backup/mysql/last/hass.sql
|
||||
hass_db_password: "{{ vault_mysql_hass }}"
|
||||
hass_repo: gitea@git.{{ domain.name }}:vincent/HASS_conf.git
|
||||
hass_repo: "gitea@git.{{ domain.name }}:vincent/HASS_conf.git"
|
||||
hass_user: "{{user.name}}"
|
||||
|
||||
nextcloud_db_password: "{{ vault_mysql_nextcloud }}"
|
||||
nextcloud_admin_password: "{{ vault_default_password }}"
|
||||
nextcloud_admin_user: "{{user.name}}"
|
||||
nextcloud_trusted_domains:
|
||||
- localhost
|
||||
- file.ducamps.win
|
||||
nextcloud_config_options: # additional options to set in config.php
|
||||
- option: overwrite.cli.url
|
||||
value: "'https://file.ducamps.win'"
|
||||
- option: maintenance
|
||||
value: "false"
|
||||
- option: loglevel
|
||||
value: "2"
|
||||
|
||||
samba_shares:
|
||||
- name: hassconfig
|
||||
path: /var/lib/hass
|
||||
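Review bot: `nextcloud_admin_password` is wired to the shared `vault_default_password`, while the database password gets its own `vault_mysql_nextcloud` entry; the admin account of the public `file.{{domain.name}}` instance deserves a dedicated secret, e.g. `nextcloud_admin_password: "{{ vault_nextcloud_admin }}"`, so it can be rotated without touching every other consumer of the default. `nextcloud_trusted_domains` hardcodes `file.ducamps.win` and `overwrite.cli.url` hardcodes `'https://file.ducamps.win'` while the neighbouring `hass_repo` and vhost entries use `{{ domain.name }}`; templating both the same way (`file.{{ domain.name }}`) avoids the two drifting apart.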
|
@ -10,7 +10,23 @@ gitea_root_url: http://vmas-hml:3000
|
||||
|
||||
chainetv_repo_branch: master
|
||||
|
||||
nextcloud_trusted_domains:
|
||||
- localhost
|
||||
- vmas-hml
|
||||
nextcloud_config_options: # additional options to set in config.php
|
||||
- option: overwrite.cli.url
|
||||
value: "'https://vmas-hml'"
|
||||
- option: maintenance
|
||||
value: "false"
|
||||
- option: loglevel
|
||||
value: "2"
|
||||
|
||||
|
||||
certbot_create_if_missing: false
|
||||
nginx_upstreams:
|
||||
- name: PHP-handler
|
||||
servers:
|
||||
- unix:/var/run/php-fpm/php-fpm.sock
|
||||
|
||||
nginx_vhosts:
|
||||
- listen: "80"
|
||||
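Review bot: `overwrite.cli.url` is set to `'https://vmas-hml'`, but the vmas-hml vhost that starts at `listen: "80"` just below appears to serve Nextcloud only under `location ^~ /nextcloud` in the next hunk, so generated links and the cron/occ base URL would point at the wrong scheme and path; `value: "'http://vmas-hml/nextcloud'"` matches what nginx exposes there, or set `overwritewebroot` to `/nextcloud` if the subdirectory layout is kept. `certbot_create_if_missing: false` fits a lab host without public DNS, but a one-line comment saying so would stop someone later "fixing" it.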
@ -23,35 +39,130 @@ nginx_vhosts:
|
||||
location = /50x.html {
|
||||
root /usr/share/nginx/html;
|
||||
}
|
||||
location / {
|
||||
rewrite ^/.well-known/carddav /radicale/$remote_user/carddav/ redirect;
|
||||
rewrite ^/.well-known/caldav /radicale/$remote_user/caldav/ redirect;
|
||||
index index.php index.html index.htm ;
|
||||
default_type text/html;
|
||||
root /usr/share/nginx/html;
|
||||
|
||||
|
||||
}
|
||||
location =/ {
|
||||
rewrite ^ /starter;
|
||||
}
|
||||
location /radicale/
|
||||
{
|
||||
# The trailing / is important!
|
||||
proxy_pass http://localhost:5232/; # The / is important!
|
||||
proxy_set_header X-Script-Name /radicale;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_pass_header Authorization;
|
||||
location = /robots.txt {
|
||||
allow all;
|
||||
log_not_found off;
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# The following 2 rules are only needed for the user_webfinger app.
|
||||
# Uncomment it if you're planning to use this app.
|
||||
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
|
||||
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
|
||||
# last;
|
||||
location =/ {
|
||||
rewrite ^ /starter;
|
||||
}
|
||||
location / {
|
||||
rewrite ^/.well-known/carddav /radicale/$remote_user/carddav/ redirect;
|
||||
rewrite ^/.well-known/caldav /radicale/$remote_user/caldav/ redirect;
|
||||
|
||||
location ~ \.php$ {
|
||||
# try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_read_timeout 800;
|
||||
fastcgi_index index.php;
|
||||
index index.php index.html index.htm ;
|
||||
default_type text/html;
|
||||
|
||||
}
|
||||
location /radicale/
|
||||
{
|
||||
# The trailing / is important!
|
||||
proxy_pass http://localhost:5232/; # The / is important!
|
||||
proxy_set_header X-Script-Name /radicale;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_pass_header Authorization;
|
||||
}
|
||||
location ~ \.php$ {
|
||||
# try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_read_timeout 800;
|
||||
fastcgi_index index.php;
|
||||
include fastcgi_params;
|
||||
}
|
||||
location = /.well-known/carddav {
|
||||
return 301 $scheme://$host/remote.php/dav;
|
||||
}
|
||||
location = /.well-known/caldav {
|
||||
return 301 $scheme://$host/remote.php/dav;
|
||||
}
|
||||
|
||||
# set max upload size
|
||||
location ^~ /nextcloud {
|
||||
client_max_body_size 512M;
|
||||
fastcgi_buffers 64 4K;
|
||||
|
||||
# Enable gzip but do not remove ETag headers
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
gzip_comp_level 4;
|
||||
gzip_min_length 256;
|
||||
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
|
||||
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
|
||||
|
||||
# Uncomment if your server is build with the ngx_pagespeed module
|
||||
# This module is currently not supported.
|
||||
#pagespeed off;
|
||||
|
||||
location /nextcloud {
|
||||
rewrite ^ /nextcloud/index.php$request_uri;
|
||||
}
|
||||
|
||||
location ~ ^/nextcloud/(?:build|tests|config|lib|3rdparty|templates|data)/ {
|
||||
deny all;
|
||||
}
|
||||
location ~ ^/nextcloud/(?:\.|autotest|occ|issue|indie|db_|console) {
|
||||
deny all;
|
||||
}
|
||||
|
||||
location ~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
|
||||
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|
||||
include fastcgi_params;
|
||||
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||||
fastcgi_param PATH_INFO $fastcgi_path_info;
|
||||
#fastcgi_param HTTPS on;
|
||||
#Avoid sending the security headers twice
|
||||
fastcgi_param modHeadersAvailable true;
|
||||
fastcgi_param front_controller_active true;
|
||||
fastcgi_pass php-handler;
|
||||
fastcgi_intercept_errors on;
|
||||
fastcgi_request_buffering off;
|
||||
}
|
||||
include /etc/nginx/conf.d/*.default;
|
||||
|
||||
|
||||
location ~ ^/nextcloud/(?:updater|ocs-provider)(?:$|/) {
|
||||
try_files $uri/ =404;
|
||||
index index.php;
|
||||
}
|
||||
|
||||
# Adding the cache control header for js and css files
|
||||
# Make sure it is BELOW the PHP block
|
||||
location ~ \.(?:css|js|woff|svg|gif)$ {
|
||||
try_files $uri /nextcloud/index.php$request_uri;
|
||||
add_header Cache-Control "public, max-age=15778463";
|
||||
# Add headers to serve security related headers (It is intended to
|
||||
# have those duplicated to the ones above)
|
||||
# Before enabling Strict-Transport-Security headers please read into
|
||||
# this topic first.
|
||||
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
||||
#
|
||||
# WARNING: Only add the preload option once you read about
|
||||
# the consequences in https://hstspreload.org/. This option
|
||||
# will add the domain to a hardcoded list that is shipped
|
||||
# in all major browsers and getting removed from this list
|
||||
# could take several months.
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header X-Robots-Tag none;
|
||||
add_header X-Download-Options noopen;
|
||||
add_header X-Permitted-Cross-Domain-Policies none;
|
||||
# Optional: Don't log access to assets
|
||||
access_log off;
|
||||
}
|
||||
|
||||
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
|
||||
try_files $uri /nextcloud/index.php$request_uri;
|
||||
# Optional: Don't log access to other assets
|
||||
access_log off;
|
||||
}
|
||||
}
|
||||
|
||||
|
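--- /dev/null
+++ b/nextcloud.yml
@@ -0,0 +1,16 @@
+---
+- hosts: server
+pre_tasks:
+- name: install terminfo
+pacman:
+state: present # not required. choices: absent;latest;present. Desired state of the package.
+name:
+- termite-terminfo # not required. Name or list of names of the packages to install, upgrade, or remove.
+become: yes
+
+
+
+roles:
+- {role: nginx, become: yes }
+- {role: mariadb, become: yes }
+- nextcloud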
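Review bot: `nextcloud.yml` runs only `nginx`, `mariadb` and `nextcloud`, yet the `php_extention_enable`, `php_memory_limit` and `PHP_ReadWritePaths` settings this commit adds are presumably consumed by the `php` role, which the roles list in the last hunk places before `nextcloud`; adding `- php` here keeps the standalone playbook converging on the same state as the full one. The `install terminfo` pre-task has nothing to do with Nextcloud and reads like a copy from another playbook; either drop it or add `# terminfo for interactive shells on the target, unrelated to nextcloud` so the next reader knows it is deliberate. `- nextcloud` runs without `become: yes` unlike its two siblings; if the role escalates per task, a short comment stating that would make the asymmetry intentional.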
@ -19,8 +19,8 @@
|
||||
- {role: nginx, become: yes }
|
||||
- {role: mariadb, become: yes }
|
||||
- {role: radicale , become: yes }
|
||||
- cloud-commander
|
||||
- php
|
||||
- nextcloud
|
||||
- tt-rss
|
||||
- gitea
|
||||
- supysonic
|
||||
|