adrien/automation
adrien
/
automation
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

nextcloud WIP, does not work; synapse v1.20.0

This commit is contained in:
LUXEY Adrien 2020-09-20 20:34:15 +02:00
parent 5e08d68abe
commit 12319f311e
13 changed files with 497 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
deployer/README.md
View File

@ -102,6 +102,32 @@ This block will never run unless `/path/to/backup/dir/db-backup.sql.gz` exists.
Someone advised me to install matrix-media-repo to enable animated thumbnails as people's avatar (https://github.com/turt2live/matrix-media-repo/blob/master/config.sample.yaml#L394), and to setup https://github.com/ma1uta/ma1sd which is a federated identity server.
### NextCloud
Steps to dockerization:
* Check the databases
* Modify character set to utf8mb4 / collate utf8mb4_general_ci.
ALTER DATABASE owncloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
* Change the default for the whole server while at it:
SET character_set_server = 'utf8mb4';
SET collation_server = 'utf8mb4_general_ci';
* Backup:
# Database
mysqldump -u root -R owncloud > /vault/backups/owncloud.sql
# Data (exclude './data' folder which is too big):
tar --exclude='./data' -czvf /vault/backups/nextcloud.tar.gz /var/www/nextcloud
Apparently this is needed, but since I'm using a single MariaDB for every service, I won't bother changing the global config:
* “READ COMMITED” transaction isolation level (See: Database “READ COMMITTED” transaction isolation level)
* Disabled or BINLOG_FORMAT = ROW configured Binary Logging (See: https://dev.mysql.com/doc/refman/5.7/en/binary-log-formats.html)
* For Emoji (UTF8 4-byte) support see Enabling MySQL 4-byte support
### Ansible
@ -121,3 +147,4 @@ create user 'arvuhez'@'172.26.0.2' identified by 'kjhs';
grant all on arvuhez.* to 'arvuhez'@'172.26.0.2';
show grants for 'arvuhez'@'172.26.0.2';
```

11
deployer/group_vars/all/vars.yml
View File

@ -17,9 +17,12 @@ wordpress:
gitea:
version: 1.12.1
synapse:
version: v1.19.2
version: v1.20.0
drupal:
version: 8.8.5-apache
nextcloud:
version: 19.0.3
checksum: md5:2094204fd0c3471be2ec010a71231da6
postgres:
pg_hba_path: "/etc/postgresql/9.6/main/pg_hba.conf"
@ -183,6 +186,6 @@ sites:
subnet_nginx_ip: 172.27.8.2
subnet_site_ip: 172.27.8.3
# MySQL
mysql_database: lexperimental
mysql_username: lexperimental
mysql_password: "{{ vault_lexperimental_mysql_password }}"
mysql_database: cloud
mysql_username: cloud
mysql_password: "{{ vault_cloud_mysql_password }}"

126
deployer/group_vars/all/vault.yml
View File

@ -1,66 +1,62 @@
$ANSIBLE_VAULT;1.1;AES256
61346661343863613361323661306539653337373661633864646234323461613935343932356234
3239323832363330323937303731303131653632646633310a613736333165623563346238336266
38343531663532626435633435316637353366643238373238656637306161333139343865323335
3965623130313631610a613537656264613063653832323832376363396538663564663330393639
61633836613636323037663139323865613963626632366231626538363634666538393736653331
64646634393537366564393932646134626233623932653735383735303331373263326663633430
33373530613365326438353530663861323736316164656335666531646131613135376230343433
66376335336235373961333230663165306137326632353766646332386133303263383939303534
36626132363639373166353263376134656334353865313337366233303635383030653131323632
34326334646235663337613734376663356465343662653865626665363564333163343361373466
31326436626263663062376131346137393734386461366161316137323135633365663237613236
36353463666366633332663933616337346565613537633437376638373366343334343337633833
63333565346361666361333734323639383666623033393766346463643235376137653066303764
36396632383834303339623232326532663439633662343935376339386435396139326136333162
64333333356135646339623863323032363161323865323434343534393866393561623663616264
31346534653935383662643838326333363563366137323732373132333836616561663036663631
64346162303665613435623965646233623537336236643262616231643332316662373764653235
35663736346239616662303966616363393539373731323235643961393435393539383039633038
32653365633831333134613962386661643264383933343963323366333062663633333837636334
30393534306463306531613965623135663637306462396431616239663830326632633236633131
66313530646437313539386365366164303538303839343231323333366337366364633136616666
30643863666362643530386633366639333739396434616333383830613138376463613663363261
39316635303734353239313938616532366535336432353363313030646166396361363338323232
33323463636264373832306233646338653762356531636465303762623832323936353566623536
30383730393932656530643030656434313832396265663366646235626564363065666536386336
30653165383063623738393465373834396438336539643832373836303437303539646632343763
39623332633033623932376566306433363265643037616265336636363636626232666638633963
63373339663666323761383039393835333239393039656237386666343937373431306239663365
61303661326434383436373635353566306634646635646461346462393730633835363464333866
63333466666538663566646565393539376161623836663532646335636438313538303235386137
37653162633934653034656436613930653563646634346565643333396534326465386133303235
62316262373733663737623861316639386632613465616332353339343935363631623231373834
62653365646561653134653433633364333664616131663236313161393632346130653263353365
34376138616439313438666235353734383130333930316631623736346239316236373565373737
39323233313235313938663663613631373033373039393134323966663866383437623563313764
33363233313664613465346466303462363935633834653362346431323764643262376266306164
30623365653861636435626464383765346637336239313733303161393162666536373239613638
62333333373430616661653062326561663465646562343832393262333265623061653438623036
38373935313632626631353765323330643330626461393331346261363865643339306330363166
31386466386137326335363239653434633065353764653033383234303862643636636637353533
64333336306636643061643534303366666362373666366437323333666531626635353733376235
36643764623134643537373766633137383566333761343733353534326535383666396166396466
32623764646339323932383064303836656531313938656238326366363635383438333563313032
39333737626363663832326334303130633961313263663036643837366365633863373133396539
62646665373063616164343139643434386565616537646264363130653034333266363564323438
34393335306465663962376464626565363536646462323463396631623839616437346563363165
37393465393966393835396164633239643364303434633764373661366563613536386661666263
36303735343361346335613066326237633134653736316665343832626466393462366564663436
65303236393737356234383563343833333934666663323266363535333039326131666633366239
61616163386638376339633563323931653435643363303531346163323732386563643237613363
37316437393537373363383061356131363536343231633632323132383462306662613763663462
33373135383136346666393731373639656136623931616232646166643364666635656332373561
37623835613163363734333361393932333135343762373532666136633966663638353839366232
66363435343161376537653935656336363933663065383935383237313936353134653064363165
63386639363138306164373035306266303061313037626364663036336132323063643739616436
32306362343938333435383630306163303637303664306164316238343662636262326364626339
36376335333065656333303631316233633966663535343731653034393162303034346637653634
35313435323630373663626139343331323431633434633339393732373731346637346637643237
65613035323930366437393334366263306532323430363136346439623366323138643130383234
31303638333138316235666537666637393033313161666663336131373161383735653539353937
66643635613335366330643962623637316436323333333134383931386634653037653939613937
64353035653939313839373636626332363663623365353562643366636439363132623633313566
31663436393437343036376364666531316230393633383631356636386336343630616532613439
39343236333132626636373739616136623061383763313966343837386261313732393135316638
33383464653438323461353637643432396433343035336431613639306132333236
63396539316239353233336438626132623539363031646230646136363332613735653464363266
6134333039643639383565363361326631346536376162630a356539653234303034303165626364
39643037623062316237303361323037663233626464343032646265343830303932633761613335
3464643562343235300a383839636533306537303365623438623632323765333138636631386238
36653766393163313633396465643936316635316238656161376435623536396437323836653530
30633232376239666336373430383163376530343230343536646266366135643962306633396337
63386661356631373062613066383862366532396564313633646666313536326234366239353733
30303764653332333961653331613032613066643962316464373738653231336434396634636636
66646463613165396563373161366231633436616261306166626366656134366134616439616336
36623266383338326230623532653336633761326663383463653933343165613935356333353432
34366461616535303731346165333863613933363161376262393433313133626366626432303732
31306337303163656631316130383438623963363135643963656332333535303539303230376634
32373934643963393465336466373635613265386166366634656465653162373333303531363163
32636563323937393866396232356238316533303164333238666135363439616166326465306365
63363062636431663034353662623563343732313666303034613233396239366431646566366634
62613666303532303666323765363634356232396262306332306336653532663832623438646661
30316636616631353161383139383235316130626633383636633235613934643338326134363030
64636366363462616535346233636162313461643637643731323837383034383835323761613764
35383061373638643661653039393532646530303863393838316339616232396239393931343431
33366163313966373061323961383738663662373936373561363034663263353135326237653964
65373233626633313161323761333063616339636163336164353132323731326265323162363633
36623235306263386431353932626432613231366163373433393530343335396464393862636436
66613666356337373965636262666566653764353861643565613830393761333062326233643636
32643033313530346263323034376561373863316133396534396132613861623738336161306435
34373631326464323332343832336337656139616231386263653532326538616530626434663564
37633332366438326132373331353337333865366639333338306565326239646331666232616431
36323864653862386461386631306535303861336230356536393135383766636339626366316632
63643638663962373063373361363062306339373030653661666166313234353539373466613665
34646666613361643237306566393661383736386165613738646532386535336437313461373663
34333530616535316333396665633864663864373762326430666138346534646430323662353663
30636363613037313763646262376564663935663265653533313761393832393834643337633837
33633937333439666431333563323364313664666237623764303737363963393665373237313132
33316664323162643566323261326638643164653639333438623064643262373761383463313565
66636433313432636366333664306161646131303831383463656132333563363134333564356363
37613235353139353539316332646439613338623232343435323436336230303630393536663436
34313764373439323737333761346436636266313363356533343264663831376537386138396338
64663730313764626634343064333965346464366236326561353365353664366463353637393531
61363532393038626631646434653933343532373430646165646135636166353066373765323235
31323634653439316433616435623665376139613736643962323730666666316335323161666239
30613739643737303835343563636236363565633031363737633636633433323661333032626633
32333338323561613163393532313764323566363931653732333261653061333263313832343539
39663438323730393061636561373935366635613531336264393261663461336532616333653762
32306163333264336665303766633963666666313230363639363063336166396334613938643466
62353530663032363932396165303861333461306231613430376561663536316537623366626665
35306533373166306464623334366163386164393666663461333635613031396337386666323666
30666435323632363238623837356139623031323765626331613139373237396161633865303739
35653361323261613065396463663938653062376438666462666635373162336139323233303764
38396136343365346562653933373139633030336638316535643738393036303536623231306233
34663931366164376234376331633737613532313964633733363334306634326566626266313164
31373133363832346462323134306634373066666266646639623832643235633432323164643934
34353137396462313338656437653335623132623633613961656261316164303861306134653764
61613333646539316633383166383464303830383933663765656339663836616164376135636462
37396466616336636437383866313930633162363732623532393033366236653531396363656439
30333433353839353861616239656537363633626333393330346666303766653962396630353238
32373639383639333763643239393036343037383065666661643835336363333865376565663566
30386236626362343036356136383565613837383665636463363934376134316438643561353536
37366461393635383933633638663333666330623634363534306465363065643064333939383931
32303366356130383135626130626335613131663966353065333464303832653535646363636566
34386438383565663733366662373931353732393932343565646235333038313736303939616230
34653239353832326161303531336362343765373431383032366239623135623165653637393339
39623164633532613436353362626664356465386531643339326430623833353531

26
deployer/roles/build/tasks/main.yml
View File

@ -1,13 +1,4 @@
---
- name: Build Wordpress sites
include_tasks: wordpress.yml
loop: "{{ sites }}"
loop_control:
loop_var: site
when: site.type == "wordpress"
tags: wordpress
- name: Build Drupal sites
include_tasks: drupal.yml
loop: "{{ sites }}"
@ -24,6 +15,14 @@
when: site.type == "gitea"
tags: gitea
- name: Build NextCloud sites
include_tasks: nextcloud.yml
loop: "{{ sites }}"
loop_control:
loop_var: site
when: site.type == "nextcloud"
tags: nextcloud
- name: Build Synapse sites
include_tasks: synapse.yml
loop: "{{ sites }}"
@ -31,3 +30,12 @@
loop_var: site
when: site.type == "synapse"
tags: synapse
- name: Build Wordpress sites
include_tasks: wordpress.yml
loop: "{{ sites }}"
loop_control:
loop_var: site
when: site.type == "wordpress"
tags: wordpress

106
deployer/roles/build/tasks/nextcloud.yml Normal file
View File

@ -0,0 +1,106 @@
---
- block: # Used for tagging all tasks with "nextcloud"
- name: "Set site_data_path to {{ www_path }}/{{ site.slug }}"
set_fact: site_data_path="{{ www_path }}/{{ site.slug }}"
tags: always
###############################
# Create wp-content if needed #
###############################
- name: Is it a new install?
stat:
path: "{{ site_data_path }}/index.php"
register: content
tags: bootstrap
- name: Populate data folder
block:
# - name: "Clear folder {{ site_data_path }}"
# file:
# path: "{{ site_data_path }}"
# state: absent
- name: "Download NextCloud {{ nextcloud.version }} archive"
get_url:
url: "https://download.nextcloud.com/server/releases/nextcloud-{{ nextcloud.version }}.tar.bz2"
dest: "/tmp/nextcloud.tbz2"
checksum: "{{ nextcloud.checksum }}"
- name: "Extract NextCloud {{ nextcloud.version }} archive"
unarchive:
src: "/tmp/nextcloud.tbz2"
dest: /tmp
remote_src: yes
- name: "Copy NextCloud folder to destination"
copy:
src: /tmp/nextcloud
dest: "{{ site_data_path }}"
remote_src: yes
# group: www-data
# mode: '0660'
# directory_mode: '0770'
- name: "Set proper access rights to {{ site_data_path }}"
file:
path: "{{ site_data_path }}"
state: directory
recurse: yes
group: www-data
mode: "u=rwX,g=rwX,o="
- name: "Remove downloaded content"
file:
path: "{{ toremove }}"
state: absent
loop:
- /tmp/nextcloud.tgz
loop_control:
loop_var: toremove
when: content.stat.exists is not defined or content.stat.exists == False
tags: bootstrap
####################
# Render templates #
####################
- name: "Render templates"
import_tasks: render.yml
tags: render
#######################
# MySQL configuration #
#######################
- name: "Setup MySQL"
import_tasks: mysql.yml
tags: mysql
#################
# Setup backups #
#################
# Backups would need to exclude the '/data' folder.
# Otherwise they can heavily grow in size depending on usage.
# So forget about it for now.
# - name: "Setup backups"
# import_tasks: backup.yml
# tags: backup
###################
# SSL certificate #
###################
# - name: Create Let's Encrypt certificate
# This seems hard, see:
# https://docs.ansible.com/ansible/latest/modules/acme_certificate_module.html#acme-certificate-module
# https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-ansible-on-ubuntu-18-04
# Maybe using shell directly? e.g.
# certbot certonly --webroot -w /var/www/letsencrypt -d <url>
tags: nextcloud # / block

4
deployer/roles/build/tasks/wordpress.yml
View File

@ -23,12 +23,12 @@
file:
path: "{{ site_data_path }}"
state: absent
- name: "Download Wordpress v{{ wordpress.version }} archive"
- name: "Download Wordpress {{ wordpress.version }} archive"
get_url:
url: "https://wordpress.org/wordpress-{{ wordpress.version }}.tar.gz"
dest: "/tmp/wordpress.tgz"
checksum: "{{ wordpress.checksum }}"
- name: "Extract Wordpress v{{ wordpress.version }} archive"
- name: "Extract Wordpress {{ wordpress.version }} archive"
unarchive:
src: "/tmp/wordpress.tgz"
dest: /tmp

19
deployer/roles/build/templates/nextcloud/docker-compose.yml.j2
View File

@ -3,11 +3,11 @@ version: '3'
# Generated by ansible for site {{ site.url }}
# On network {{ site.subnet_cidr_address }}:
# - web server (nginx) at {{ site.subnet_nginx_ip }}
# - php-fpm (wordpress) at {{ site.subnet_site_ip }}
# - php-fpm (nextcloud) at {{ site.subnet_site_ip }}
services:
site:
image: nextcloud:latest-apache
image: nextcloud:{{ nextcloud.version }}-fpm
restart: always
environment:
MYSQL_HOST: "{{ site.subnet_gateway_ip }}"
@ -15,8 +15,11 @@ services:
MYSQL_PASSWORD: "{{ site.mysql_password }}"
MYSQL_DATABASE: "{{ site.mysql_database }}"
volumes:
- "html_data:/var/www/html"
- "{{ site_data_path }}:/var/www/html/wp-content"
- "{{ site_data_path }}:/var/www/html"
# These can be populated with existing content
# So make it another volume
- "{{ site_data_path }}/config:/var/www/html/config"
- "{{ site_data_path }}/data:/var/www/html/data"
networks:
net:
ipv4_address: "{{ site.subnet_site_ip }}"
@ -26,19 +29,15 @@ services:
restart: always
depends_on:
- site
volumes_from:
- site
volumes:
- "{{ site_data_path }}:/var/www/html"
networks:
net:
ipv4_address: "{{ site.subnet_nginx_ip }}"
networks:
net:
ipam:
driver: default
config:
- subnet: "{{ site.subnet_cidr_address }}"
volumes:
html_data:

56
deployer/roles/build/templates/nextcloud/nginx.host.j2
View File

@ -0,0 +1,56 @@
# Generated by ansible for site {{ site.url }}
# At {{ site.subnet_site_ip }} on {{ site.subnet_cidr_address }}
server {
listen 80;
listen [::]:80;
server_name {{ site.url }} www.{{ site.url }};
# Let's Encrypt
include snippets/letsencrypt.conf;
location / {
{% if site.redirect_to_www %}
return 301 https://www.{{ site.url }}$request_uri;
{% else %}
return 301 https://{{ site.url }}$request_uri;
{% endif %}
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name {{ site.url }} www.{{ site.url }};
access_log /var/log/nginx/{{ site.slug }}-access.log;
error_log /var/log/nginx/error.log;
{% if site.redirect_to_www %}
# Redirect non-www to www
if ($host = {{ site.url }}) {
rewrite ^ https://www.{{ site.url }}$request_uri permanent;
}
{% else %}
# Redirect www to non-www
if ($host = www.{{ site.url }}) {
rewrite ^ https://{{ site.url }}$request_uri permanent;
}
{% endif %}
# Let's Encrypt
include snippets/letsencrypt.conf;
include snippets/ssl-params.conf;
ssl_certificate /etc/letsencrypt/live/{{ site.url }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ site.url }}/privkey.pem;
include snippets/header-params_server.conf;
location / {
include snippets/header-params_location.conf;
proxy_pass http://{{ site.subnet_nginx_ip }}:80;
}
}

5
deployer/roles/build/templates/nextcloud/nginx/Dockerfile.j2 Normal file
View File

@ -0,0 +1,5 @@
FROM nginx:latest
COPY nginx.conf /etc/nginx/nginx.conf
# Should be UID & GID=33
# USER www-data:www-data

175
deployer/roles/build/templates/nextcloud/nginx/nginx.conf.j2 Normal file
View File

@ -0,0 +1,175 @@
# This config is adapted from NextCloud's github repository:
# https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf
user www-data www-data;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
charset utf-8;
include /etc/nginx/mime.types;
default_type application/octet-stream;
set_real_ip_from {{ site.subnet_gateway_ip }};
log_format main '$http_x_real_ip - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
upstream php-handler {
server site:9000;
}
server {
listen 80;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root /var/www/html;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
# The following rule is only needed for the Social app.
# Uncomment it if you're planning to use this app.
rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
location = /.well-known/carddav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host:$server_port/remote.php/dav;
}
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location / {
rewrite ^ /index.php;
}
location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
deny all;
}
location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
# fastcgi_param HTTPS on;
# Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
# Enable pretty urls
fastcgi_param front_controller_active true;
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js, css and map files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}
}

2
deployer/roles/build/templates/wordpress/nginx.host.j2
View File

@ -24,7 +24,7 @@ server {
server_name {{ site.url }} www.{{ site.url }};
access_log /var/log/nginx/{{ site.slug }}-access.log;
error_log /var/log/nginx/{{ site.slug }}-error.log;
error_log /var/log/nginx/error.log;
{% if site.redirect_to_www %}
# Redirect non-www to www

24
deployer/roles/deploy/tasks/main.yml
View File

@ -1,12 +1,5 @@
---
- name: Deploy Wordpress sites
include_tasks: wordpress.yml
loop: "{{ sites }}"
loop_control:
loop_var: site
when: site.type == "wordpress"
tags: wordpress
- name: Deploy Drupal sites
include_tasks: drupal.yml
@ -24,6 +17,13 @@
when: site.type == "gitea"
tags: gitea
- name: Deploy NextCloud sites
include_tasks: nextcloud.yml
loop: "{{ sites }}"
loop_control:
loop_var: site
when: site.type == "nextcloud"
tags: nextcloud
- name: Deploy Synapse sites
include_tasks: synapse.yml
@ -31,4 +31,12 @@
loop_control:
loop_var: site
when: site.type == "synapse"
tags: synapse
tags: synapse
- name: Deploy Wordpress sites
include_tasks: wordpress.yml
loop: "{{ sites }}"
loop_control:
loop_var: site
when: site.type == "wordpress"
tags: wordpress

15
deployer/roles/deploy/tasks/nextcloud.yml Normal file
View File

@ -0,0 +1,15 @@
---
# Needs variables:
# - site: dict describing the site install (cf group_vars/all/vars.yml)
- block: # Used for tagging all tasks with "nextcloud"
- name: Include nginx tasks
import_tasks: nginx.yml
tags: nginx
- name: Include docker tasks
import_tasks: docker.yml
tags: docker
tags: nextcloud