From 12319f311eff5c4ea50fb5eb874c04be215b1880 Mon Sep 17 00:00:00 2001 From: LUXEY Adrien Date: Sun, 20 Sep 2020 20:34:15 +0200 Subject: [PATCH] nextcloud WIP, does not work; synapse v1.20.0 --- deployer/README.md | 27 +++ deployer/group_vars/all/vars.yml | 11 +- deployer/group_vars/all/vault.yml | 126 ++++++------- deployer/roles/build/tasks/main.yml | 26 ++- deployer/roles/build/tasks/nextcloud.yml | 106 +++++++++++ deployer/roles/build/tasks/wordpress.yml | 4 +- .../templates/nextcloud/docker-compose.yml.j2 | 19 +- .../build/templates/nextcloud/nginx.host.j2 | 56 ++++++ .../templates/nextcloud/nginx/Dockerfile.j2 | 5 + .../templates/nextcloud/nginx/nginx.conf.j2 | 175 ++++++++++++++++++ .../build/templates/wordpress/nginx.host.j2 | 2 +- deployer/roles/deploy/tasks/main.yml | 24 ++- deployer/roles/deploy/tasks/nextcloud.yml | 15 ++ 13 files changed, 497 insertions(+), 99 deletions(-) create mode 100644 deployer/roles/build/tasks/nextcloud.yml create mode 100644 deployer/roles/build/templates/nextcloud/nginx/Dockerfile.j2 create mode 100644 deployer/roles/build/templates/nextcloud/nginx/nginx.conf.j2 create mode 100644 deployer/roles/deploy/tasks/nextcloud.yml diff --git a/deployer/README.md b/deployer/README.md index cbc370e..d689742 100644 --- a/deployer/README.md +++ b/deployer/README.md 
@@ -102,6 +102,32 @@ This block will never run unless `/path/to/backup/dir/db-backup.sql.gz` exists. Someone advised me to install matrix-media-repo to enable animated thumbnails as people's avatar (https://github.com/turt2live/matrix-media-repo/blob/master/config.sample.yaml#L394), and to setup https://github.com/ma1uta/ma1sd which is a federated identity server. +### NextCloud + +Steps to dockerization: + +* Check the databases + * Modify character set to utf8mb4 / collate utf8mb4_general_ci. + + ALTER DATABASE owncloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci; + + * Change the default for the whole server while at it: + + SET character_set_server = 'utf8mb4'; + SET collation_server = 'utf8mb4_general_ci'; + +* Backup: + + # Database + mysqldump -u root -R owncloud > /vault/backups/owncloud.sql + # Data (exclude './data' folder which is too big): + tar --exclude='./data' -czvf /vault/backups/nextcloud.tar.gz /var/www/nextcloud + +Apparently this is needed, but since I'm using a single MariaDB for every service, I won't bother changing the global config: + +* “READ COMMITED” transaction isolation level (See: Database “READ COMMITTED” transaction isolation level) +* Disabled or BINLOG_FORMAT = ROW configured Binary Logging (See: https://dev.mysql.com/doc/refman/5.7/en/binary-log-formats.html) +* For Emoji (UTF8 4-byte) support see Enabling MySQL 4-byte support ### Ansible @@ -121,3 +147,4 @@ create user 'arvuhez'@'172.26.0.2' identified by 'kjhs'; grant all on arvuhez.* to 'arvuhez'@'172.26.0.2'; show grants for 'arvuhez'@'172.26.0.2'; ``` + diff --git a/deployer/group_vars/all/vars.yml b/deployer/group_vars/all/vars.yml index 5bf1ded..e24437d 100644 --- a/deployer/group_vars/all/vars.yml +++ b/deployer/group_vars/all/vars.yml 
@@ -17,9 +17,12 @@ wordpress: gitea: version: 1.12.1 synapse: - version: v1.19.2 + version: v1.20.0 drupal: version: 8.8.5-apache +nextcloud: + version: 19.0.3 + checksum: md5:2094204fd0c3471be2ec010a71231da6 postgres: pg_hba_path: "/etc/postgresql/9.6/main/pg_hba.conf" @@ -183,6 +186,6 @@ sites: subnet_nginx_ip: 172.27.8.2 subnet_site_ip: 172.27.8.3 # MySQL - mysql_database: lexperimental - mysql_username: lexperimental - mysql_password: "{{ vault_lexperimental_mysql_password }}" \ No newline at end of file + mysql_database: cloud + mysql_username: cloud + mysql_password: "{{ vault_cloud_mysql_password }}" \ No newline at end of file diff --git a/deployer/group_vars/all/vault.yml b/deployer/group_vars/all/vault.yml index 227d708..16b24c4 100644 --- a/deployer/group_vars/all/vault.yml +++ b/deployer/group_vars/all/vault.yml 
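Review bot: The new `nextcloud.checksum` is an MD5 digest (`checksum: md5:2094204fd0c3471be2ec010a71231da6`) that `roles/build/tasks/nextcloud.yml` hands to `get_url` to verify the release tarball; MD5 is collision-weak, and Nextcloud publishes SHA-256 digests next to each release, so the same mechanism can use the stronger hash at no cost. Change the line to `checksum: sha256:<sha256-of-nextcloud-19.0.3.tar.bz2>` (placeholder; take the value from the release's `.sha256` file) — `get_url` accepts the `sha256:` prefix, so nothing else needs to change. `version: 19.0.3` is safe as a plain scalar since two dots cannot parse as a float, but quoting it would match how version strings are treated elsewhere in this file's consumers.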
@@ -1,66 +1,62 @@ $ANSIBLE_VAULT;1.1;AES256 -61346661343863613361323661306539653337373661633864646234323461613935343932356234 -3239323832363330323937303731303131653632646633310a613736333165623563346238336266 -38343531663532626435633435316637353366643238373238656637306161333139343865323335 -3965623130313631610a613537656264613063653832323832376363396538663564663330393639 -61633836613636323037663139323865613963626632366231626538363634666538393736653331 -64646634393537366564393932646134626233623932653735383735303331373263326663633430 -33373530613365326438353530663861323736316164656335666531646131613135376230343433 -66376335336235373961333230663165306137326632353766646332386133303263383939303534 -36626132363639373166353263376134656334353865313337366233303635383030653131323632 -34326334646235663337613734376663356465343662653865626665363564333163343361373466 -31326436626263663062376131346137393734386461366161316137323135633365663237613236 -36353463666366633332663933616337346565613537633437376638373366343334343337633833 -63333565346361666361333734323639383666623033393766346463643235376137653066303764 -36396632383834303339623232326532663439633662343935376339386435396139326136333162 -64333333356135646339623863323032363161323865323434343534393866393561623663616264 -31346534653935383662643838326333363563366137323732373132333836616561663036663631 -64346162303665613435623965646233623537336236643262616231643332316662373764653235 -35663736346239616662303966616363393539373731323235643961393435393539383039633038 -32653365633831333134613962386661643264383933343963323366333062663633333837636334 -30393534306463306531613965623135663637306462396431616239663830326632633236633131 -66313530646437313539386365366164303538303839343231323333366337366364633136616666 -30643863666362643530386633366639333739396434616333383830613138376463613663363261 -39316635303734353239313938616532366535336432353363313030646166396361363338323232 
-33323463636264373832306233646338653762356531636465303762623832323936353566623536 -30383730393932656530643030656434313832396265663366646235626564363065666536386336 -30653165383063623738393465373834396438336539643832373836303437303539646632343763 -39623332633033623932376566306433363265643037616265336636363636626232666638633963 -63373339663666323761383039393835333239393039656237386666343937373431306239663365 -61303661326434383436373635353566306634646635646461346462393730633835363464333866 -63333466666538663566646565393539376161623836663532646335636438313538303235386137 -37653162633934653034656436613930653563646634346565643333396534326465386133303235 -62316262373733663737623861316639386632613465616332353339343935363631623231373834 -62653365646561653134653433633364333664616131663236313161393632346130653263353365 -34376138616439313438666235353734383130333930316631623736346239316236373565373737 -39323233313235313938663663613631373033373039393134323966663866383437623563313764 -33363233313664613465346466303462363935633834653362346431323764643262376266306164 -30623365653861636435626464383765346637336239313733303161393162666536373239613638 -62333333373430616661653062326561663465646562343832393262333265623061653438623036 -38373935313632626631353765323330643330626461393331346261363865643339306330363166 -31386466386137326335363239653434633065353764653033383234303862643636636637353533 -64333336306636643061643534303366666362373666366437323333666531626635353733376235 -36643764623134643537373766633137383566333761343733353534326535383666396166396466 -32623764646339323932383064303836656531313938656238326366363635383438333563313032 -39333737626363663832326334303130633961313263663036643837366365633863373133396539 -62646665373063616164343139643434386565616537646264363130653034333266363564323438 -34393335306465663962376464626565363536646462323463396631623839616437346563363165 -37393465393966393835396164633239643364303434633764373661366563613536386661666263 
-36303735343361346335613066326237633134653736316665343832626466393462366564663436 -65303236393737356234383563343833333934666663323266363535333039326131666633366239 -61616163386638376339633563323931653435643363303531346163323732386563643237613363 -37316437393537373363383061356131363536343231633632323132383462306662613763663462 -33373135383136346666393731373639656136623931616232646166643364666635656332373561 -37623835613163363734333361393932333135343762373532666136633966663638353839366232 -66363435343161376537653935656336363933663065383935383237313936353134653064363165 -63386639363138306164373035306266303061313037626364663036336132323063643739616436 -32306362343938333435383630306163303637303664306164316238343662636262326364626339 -36376335333065656333303631316233633966663535343731653034393162303034346637653634 -35313435323630373663626139343331323431633434633339393732373731346637346637643237 -65613035323930366437393334366263306532323430363136346439623366323138643130383234 -31303638333138316235666537666637393033313161666663336131373161383735653539353937 -66643635613335366330643962623637316436323333333134383931386634653037653939613937 -64353035653939313839373636626332363663623365353562643366636439363132623633313566 -31663436393437343036376364666531316230393633383631356636386336343630616532613439 -39343236333132626636373739616136623061383763313966343837386261313732393135316638 -33383464653438323461353637643432396433343035336431613639306132333236 +63396539316239353233336438626132623539363031646230646136363332613735653464363266 +6134333039643639383565363361326631346536376162630a356539653234303034303165626364 +39643037623062316237303361323037663233626464343032646265343830303932633761613335 +3464643562343235300a383839636533306537303365623438623632323765333138636631386238 +36653766393163313633396465643936316635316238656161376435623536396437323836653530 +30633232376239666336373430383163376530343230343536646266366135643962306633396337 
+63386661356631373062613066383862366532396564313633646666313536326234366239353733 +30303764653332333961653331613032613066643962316464373738653231336434396634636636 +66646463613165396563373161366231633436616261306166626366656134366134616439616336 +36623266383338326230623532653336633761326663383463653933343165613935356333353432 +34366461616535303731346165333863613933363161376262393433313133626366626432303732 +31306337303163656631316130383438623963363135643963656332333535303539303230376634 +32373934643963393465336466373635613265386166366634656465653162373333303531363163 +32636563323937393866396232356238316533303164333238666135363439616166326465306365 +63363062636431663034353662623563343732313666303034613233396239366431646566366634 +62613666303532303666323765363634356232396262306332306336653532663832623438646661 +30316636616631353161383139383235316130626633383636633235613934643338326134363030 +64636366363462616535346233636162313461643637643731323837383034383835323761613764 +35383061373638643661653039393532646530303863393838316339616232396239393931343431 +33366163313966373061323961383738663662373936373561363034663263353135326237653964 +65373233626633313161323761333063616339636163336164353132323731326265323162363633 +36623235306263386431353932626432613231366163373433393530343335396464393862636436 +66613666356337373965636262666566653764353861643565613830393761333062326233643636 +32643033313530346263323034376561373863316133396534396132613861623738336161306435 +34373631326464323332343832336337656139616231386263653532326538616530626434663564 +37633332366438326132373331353337333865366639333338306565326239646331666232616431 +36323864653862386461386631306535303861336230356536393135383766636339626366316632 +63643638663962373063373361363062306339373030653661666166313234353539373466613665 +34646666613361643237306566393661383736386165613738646532386535336437313461373663 +34333530616535316333396665633864663864373762326430666138346534646430323662353663 
+30636363613037313763646262376564663935663265653533313761393832393834643337633837 +33633937333439666431333563323364313664666237623764303737363963393665373237313132 +33316664323162643566323261326638643164653639333438623064643262373761383463313565 +66636433313432636366333664306161646131303831383463656132333563363134333564356363 +37613235353139353539316332646439613338623232343435323436336230303630393536663436 +34313764373439323737333761346436636266313363356533343264663831376537386138396338 +64663730313764626634343064333965346464366236326561353365353664366463353637393531 +61363532393038626631646434653933343532373430646165646135636166353066373765323235 +31323634653439316433616435623665376139613736643962323730666666316335323161666239 +30613739643737303835343563636236363565633031363737633636633433323661333032626633 +32333338323561613163393532313764323566363931653732333261653061333263313832343539 +39663438323730393061636561373935366635613531336264393261663461336532616333653762 +32306163333264336665303766633963666666313230363639363063336166396334613938643466 +62353530663032363932396165303861333461306231613430376561663536316537623366626665 +35306533373166306464623334366163386164393666663461333635613031396337386666323666 +30666435323632363238623837356139623031323765626331613139373237396161633865303739 +35653361323261613065396463663938653062376438666462666635373162336139323233303764 +38396136343365346562653933373139633030336638316535643738393036303536623231306233 +34663931366164376234376331633737613532313964633733363334306634326566626266313164 +31373133363832346462323134306634373066666266646639623832643235633432323164643934 +34353137396462313338656437653335623132623633613961656261316164303861306134653764 +61613333646539316633383166383464303830383933663765656339663836616164376135636462 +37396466616336636437383866313930633162363732623532393033366236653531396363656439 +30333433353839353861616239656537363633626333393330346666303766653962396630353238 
+32373639383639333763643239393036343037383065666661643835336363333865376565663566 +30386236626362343036356136383565613837383665636463363934376134316438643561353536 +37366461393635383933633638663333666330623634363534306465363065643064333939383931 +32303366356130383135626130626335613131663966353065333464303832653535646363636566 +34386438383565663733366662373931353732393932343565646235333038313736303939616230 +34653239353832326161303531336362343765373431383032366239623135623165653637393339 +39623164633532613436353362626664356465386531643339326430623833353531 diff --git a/deployer/roles/build/tasks/main.yml b/deployer/roles/build/tasks/main.yml index 057339c..5c55552 100644 --- a/deployer/roles/build/tasks/main.yml +++ b/deployer/roles/build/tasks/main.yml @@ -1,13 +1,4 @@ --- - -- name: Build Wordpress sites - include_tasks: wordpress.yml - loop: "{{ sites }}" - loop_control: - loop_var: site - when: site.type == "wordpress" - tags: wordpress - - name: Build Drupal sites include_tasks: drupal.yml loop: "{{ sites }}" @@ -24,6 +15,14 @@ when: site.type == "gitea" tags: gitea +- name: Build NextCloud sites + include_tasks: nextcloud.yml + loop: "{{ sites }}" + loop_control: + loop_var: site + when: site.type == "nextcloud" + tags: nextcloud + - name: Build Synapse sites include_tasks: synapse.yml loop: "{{ sites }}" @@ -31,3 +30,12 @@ loop_var: site when: site.type == "synapse" tags: synapse + +- name: Build Wordpress sites + include_tasks: wordpress.yml + loop: "{{ sites }}" + loop_control: + loop_var: site + when: site.type == "wordpress" + tags: wordpress + diff --git a/deployer/roles/build/tasks/nextcloud.yml b/deployer/roles/build/tasks/nextcloud.yml new file mode 100644 index 0000000..9565d83 --- /dev/null +++ b/deployer/roles/build/tasks/nextcloud.yml 
@@ -0,0 +1,106 @@ +--- + +- block: # Used for tagging all tasks with "nextcloud" + + - name: "Set site_data_path to {{ www_path }}/{{ site.slug }}" + set_fact: site_data_path="{{ www_path }}/{{ site.slug }}" + tags: always + + + ############################### + # Create wp-content if needed # + ############################### + + - name: Is it a new install? + stat: + path: "{{ site_data_path }}/index.php" + register: content + tags: bootstrap + + - name: Populate data folder + block: + # - name: "Clear folder {{ site_data_path }}" + # file: + # path: "{{ site_data_path }}" + # state: absent + - name: "Download NextCloud {{ nextcloud.version }} archive" + get_url: + url: "https://download.nextcloud.com/server/releases/nextcloud-{{ nextcloud.version }}.tar.bz2" + dest: "/tmp/nextcloud.tbz2" + checksum: "{{ nextcloud.checksum }}" + - name: "Extract NextCloud {{ nextcloud.version }} archive" + unarchive: + src: "/tmp/nextcloud.tbz2" + dest: /tmp + remote_src: yes + - name: "Copy NextCloud folder to destination" + copy: + src: /tmp/nextcloud + dest: "{{ site_data_path }}" + remote_src: yes + # group: www-data + # mode: '0660' + # directory_mode: '0770' + - name: "Set proper access rights to {{ site_data_path }}" + file: + path: "{{ site_data_path }}" + state: directory + recurse: yes + group: www-data + mode: "u=rwX,g=rwX,o=" + + - name: "Remove downloaded content" + file: + path: "{{ toremove }}" + state: absent + loop: + - /tmp/nextcloud.tgz + loop_control: + loop_var: toremove + + when: content.stat.exists is not defined or content.stat.exists == False + tags: bootstrap + + + #################### + # Render templates # + #################### + + - name: "Render templates" + import_tasks: render.yml + tags: render + + + ####################### + # MySQL configuration # + ####################### + + - name: "Setup MySQL" + import_tasks: mysql.yml + tags: mysql + + + ################# + # Setup backups # + ################# + + # Backups would need to exclude the 
'/data' folder. + # Otherwise they can heavily grow in size depending on usage. + # So forget about it for now. + # - name: "Setup backups" + # import_tasks: backup.yml + # tags: backup + + + ################### + # SSL certificate # + ################### + + # - name: Create Let's Encrypt certificate + # This seems hard, see: + # https://docs.ansible.com/ansible/latest/modules/acme_certificate_module.html#acme-certificate-module + # https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-ansible-on-ubuntu-18-04 + # Maybe using shell directly? e.g. + # certbot certonly --webroot -w /var/www/letsencrypt -d + + tags: nextcloud # / block \ No newline at end of file diff --git a/deployer/roles/build/tasks/wordpress.yml b/deployer/roles/build/tasks/wordpress.yml index 24a9a4a..e0eb695 100644 --- a/deployer/roles/build/tasks/wordpress.yml +++ b/deployer/roles/build/tasks/wordpress.yml @@ -23,12 +23,12 @@ file: path: "{{ site_data_path }}" state: absent - - name: "Download Wordpress v{{ wordpress.version }} archive" + - name: "Download Wordpress {{ wordpress.version }} archive" get_url: url: "https://wordpress.org/wordpress-{{ wordpress.version }}.tar.gz" dest: "/tmp/wordpress.tgz" checksum: "{{ wordpress.checksum }}" - - name: "Extract Wordpress v{{ wordpress.version }} archive" + - name: "Extract Wordpress {{ wordpress.version }} archive" unarchive: src: "/tmp/wordpress.tgz" dest: /tmp diff --git a/deployer/roles/build/templates/nextcloud/docker-compose.yml.j2 b/deployer/roles/build/templates/nextcloud/docker-compose.yml.j2 index c81fdad..918b1d0 100644 --- a/deployer/roles/build/templates/nextcloud/docker-compose.yml.j2 +++ b/deployer/roles/build/templates/nextcloud/docker-compose.yml.j2 
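Review bot: The `Remove downloaded content` task loops over `/tmp/nextcloud.tgz`, but the download task above writes `/tmp/nextcloud.tbz2` and the unarchive task extracts into `/tmp/nextcloud`, so neither artefact is removed and a full copy of the install tree is left behind in the world-readable `/tmp` after bootstrap. The loop should list `- /tmp/nextcloud.tbz2` and `- /tmp/nextcloud` instead. Downloading and extracting as root to a fixed, predictable path under `/tmp` is also fragile on a shared host; the `tempfile` module can hand out a private directory if that matters here. The `Create wp-content if needed` banner is left over from the WordPress role and should read `Populate data folder if needed`.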
@@ -3,11 +3,11 @@ version: '3' # Generated by ansible for site {{ site.url }} # On network {{ site.subnet_cidr_address }}: # - web server (nginx) at {{ site.subnet_nginx_ip }} -# - php-fpm (wordpress) at {{ site.subnet_site_ip }} +# - php-fpm (nextcloud) at {{ site.subnet_site_ip }} services: site: - image: nextcloud:latest-apache + image: nextcloud:{{ nextcloud.version }}-fpm restart: always environment: MYSQL_HOST: "{{ site.subnet_gateway_ip }}" @@ -15,8 +15,11 @@ services: MYSQL_PASSWORD: "{{ site.mysql_password }}" MYSQL_DATABASE: "{{ site.mysql_database }}" volumes: - - "html_data:/var/www/html" - - "{{ site_data_path }}:/var/www/html/wp-content" + - "{{ site_data_path }}:/var/www/html" + # These can be populated with existing content + # So make it another volume + - "{{ site_data_path }}/config:/var/www/html/config" + - "{{ site_data_path }}/data:/var/www/html/data" networks: net: ipv4_address: "{{ site.subnet_site_ip }}" @@ -26,19 +29,15 @@ services: restart: always depends_on: - site - volumes_from: - - site + volumes: + - "{{ site_data_path }}:/var/www/html" networks: net: ipv4_address: "{{ site.subnet_nginx_ip }}" - networks: net: ipam: driver: default config: - subnet: "{{ site.subnet_cidr_address }}" - -volumes: - html_data: diff --git a/deployer/roles/build/templates/nextcloud/nginx.host.j2 b/deployer/roles/build/templates/nextcloud/nginx.host.j2 index e69de29..a5a2178 100644 --- a/deployer/roles/build/templates/nextcloud/nginx.host.j2 +++ b/deployer/roles/build/templates/nextcloud/nginx.host.j2 
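Review bot: The nginx service now bind-mounts `{{ site_data_path }}:/var/www/html` read-write, yet it only serves static files and forwards PHP to the `site` container, so the mount should be read-only: `- "{{ site_data_path }}:/var/www/html:ro"`. That keeps a compromised web-server container from altering the Nextcloud code or `config/`. The three `site` volume entries mount `{{ site_data_path }}` and then `{{ site_data_path }}/config` and `{{ site_data_path }}/data` inside it, which the first bind already covers; the nested entries are redundant unless they are meant to move to separate locations later, in which case the comment above them should say so.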
@@ -0,0 +1,56 @@ +# Generated by ansible for site {{ site.url }} +# At {{ site.subnet_site_ip }} on {{ site.subnet_cidr_address }} + +server { + listen 80; + listen [::]:80; + server_name {{ site.url }} www.{{ site.url }}; + + # Let's Encrypt + include snippets/letsencrypt.conf; + + location / { +{% if site.redirect_to_www %} + return 301 https://www.{{ site.url }}$request_uri; +{% else %} + return 301 https://{{ site.url }}$request_uri; +{% endif %} + } +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name {{ site.url }} www.{{ site.url }}; + + access_log /var/log/nginx/{{ site.slug }}-access.log; + error_log /var/log/nginx/error.log; + +{% if site.redirect_to_www %} + # Redirect non-www to www + if ($host = {{ site.url }}) { + rewrite ^ https://www.{{ site.url }}$request_uri permanent; + } +{% else %} + # Redirect www to non-www + if ($host = www.{{ site.url }}) { + rewrite ^ https://{{ site.url }}$request_uri permanent; + } +{% endif %} + + # Let's Encrypt + include snippets/letsencrypt.conf; + + include snippets/ssl-params.conf; + ssl_certificate /etc/letsencrypt/live/{{ site.url }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ site.url }}/privkey.pem; + + include snippets/header-params_server.conf; + location / { + include snippets/header-params_location.conf; + + proxy_pass http://{{ site.subnet_nginx_ip }}:80; + } +} + + diff --git a/deployer/roles/build/templates/nextcloud/nginx/Dockerfile.j2 b/deployer/roles/build/templates/nextcloud/nginx/Dockerfile.j2 new file mode 100644 index 0000000..1201821 --- /dev/null +++ b/deployer/roles/build/templates/nextcloud/nginx/Dockerfile.j2 @@ -0,0 +1,5 @@ +FROM nginx:latest +COPY nginx.conf /etc/nginx/nginx.conf + +# Should be UID & GID=33 +# USER www-data:www-data \ No newline at end of file diff --git a/deployer/roles/build/templates/nextcloud/nginx/nginx.conf.j2 b/deployer/roles/build/templates/nextcloud/nginx/nginx.conf.j2 new file mode 100644 index 0000000..98ce06e --- /dev/null 
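Review bot: The 443 server proxies to the container over plain HTTP (`proxy_pass http://{{ site.subnet_nginx_ip }}:80;`), and the container-side `nginx.conf.j2` trusts `{{ site.subnet_gateway_ip }}` via `set_real_ip_from` and logs `$http_x_real_ip`, so the included `snippets/header-params_location.conf` must set `Host`, `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto https`. That snippet is outside this diff, so please confirm it does; otherwise Nextcloud sees every client as the gateway address and as plain HTTP. The two trailing blank `+` lines at the end of the file are whitespace-only and can go.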
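Review bot: `FROM nginx:latest` leaves the base image unpinned while the same commit pins `nextcloud:{{ nextcloud.version }}-fpm` in docker-compose.yml.j2, so rebuilds are not reproducible and silently pull whatever `latest` is at build time. Pin a specific tag, e.g. `FROM nginx:<pinned-version>` (placeholder), and bump it deliberately. The commented `# USER www-data:www-data` would likely fail as-is because the master process must bind port 80 and write `/var/run/nginx.pid`; `nginx.conf.j2` already sets `user www-data www-data;`, which drops the worker processes to that account, so a one-line comment recording that would save the next reader a retry.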
+++ b/deployer/roles/build/templates/nextcloud/nginx/nginx.conf.j2 
@@ -0,0 +1,175 @@ +# This config is adapted from NextCloud's github repository: +# https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf + +user www-data www-data; +worker_processes 1; + +error_log /var/log/nginx/error.log warn; +pid /var/run/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + charset utf-8; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + set_real_ip_from {{ site.subnet_gateway_ip }}; + log_format main '$http_x_real_ip - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + + sendfile on; + #tcp_nopush on; + + keepalive_timeout 65; + + #gzip on; + + upstream php-handler { + server site:9000; + } + + server { + listen 80; + + # Add headers to serve security related headers + # Before enabling Strict-Transport-Security headers please read into this + # topic first. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. 
+ add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + + # Path to the root of your installation + root /var/www/html; + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + # The following 2 rules are only needed for the user_webfinger app. + # Uncomment it if you're planning to use this app. + rewrite ^/.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last; + + # The following rule is only needed for the Social app. + # Uncomment it if you're planning to use this app. + rewrite ^/.well-known/webfinger /public.php?service=webfinger last; + + location = /.well-known/carddav { + return 301 $scheme://$host:$server_port/remote.php/dav; + } + + location = /.well-known/caldav { + return 301 $scheme://$host:$server_port/remote.php/dav; + } + + # set max upload size + client_max_body_size 10G; + fastcgi_buffers 64 4K; + + # Enable gzip but do not remove ETag headers + gzip on; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component 
text/x-cross-domain-policy; + + # Uncomment if your server is build with the ngx_pagespeed module + # This module is currently not supported. + #pagespeed off; + + location / { + rewrite ^ /index.php; + } + + location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { + deny all; + } + location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) { + fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; + set $path_info $fastcgi_path_info; + try_files $fastcgi_script_name =404; + include fastcgi_params; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $path_info; + # fastcgi_param HTTPS on; + + # Avoid sending the security headers twice + fastcgi_param modHeadersAvailable true; + + # Enable pretty urls + fastcgi_param front_controller_active true; + fastcgi_pass php-handler; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { + try_files $uri/ =404; + index index.php; + } + + # Adding the cache control header for js, css and map files + # Make sure it is BELOW the PHP block + location ~ \.(?:css|js|woff2?|svg|gif|map)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + # Add headers to serve security related headers (It is intended to + # have those duplicated to the ones above) + # Before enabling Strict-Transport-Security headers please read into + # this topic first. + #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; + # + # WARNING: Only add the preload option once you read about + # the consequences in https://hstspreload.org/. This option + # will add the domain to a hardcoded list that is shipped + # in all major browsers and getting removed from this list + # could take several months. 
+ add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # Optional: Don't log access to assets + access_log off; + } + + location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ { + try_files $uri /index.php$request_uri; + # Optional: Don't log access to other assets + access_log off; + } + } +} diff --git a/deployer/roles/build/templates/wordpress/nginx.host.j2 b/deployer/roles/build/templates/wordpress/nginx.host.j2 index d765e3f..a5a2178 100644 --- a/deployer/roles/build/templates/wordpress/nginx.host.j2 +++ b/deployer/roles/build/templates/wordpress/nginx.host.j2 @@ -24,7 +24,7 @@ server { server_name {{ site.url }} www.{{ site.url }}; access_log /var/log/nginx/{{ site.slug }}-access.log; - error_log /var/log/nginx/{{ site.slug }}-error.log; + error_log /var/log/nginx/error.log; {% if site.redirect_to_www %} # Redirect non-www to www diff --git a/deployer/roles/deploy/tasks/main.yml b/deployer/roles/deploy/tasks/main.yml index c2475ea..ec564da 100644 --- a/deployer/roles/deploy/tasks/main.yml +++ b/deployer/roles/deploy/tasks/main.yml @@ -1,12 +1,5 @@ --- -- name: Deploy Wordpress sites - include_tasks: wordpress.yml - loop: "{{ sites }}" - loop_control: - loop_var: site - when: site.type == "wordpress" - tags: wordpress - name: Deploy Drupal sites include_tasks: drupal.yml @@ -24,6 +17,13 @@ when: site.type == "gitea" tags: gitea +- name: Deploy NextCloud sites + include_tasks: nextcloud.yml + loop: "{{ sites }}" + loop_control: + loop_var: site + when: site.type == "nextcloud" + tags: nextcloud - name: Deploy Synapse sites include_tasks: synapse.yml 
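Review bot: `# fastcgi_param HTTPS on;` is commented out in the PHP location while TLS is terminated one hop earlier (nginx.host.j2 proxies to this container on port 80), so PHP-FPM sees plain HTTP; Nextcloud will then build `http://` URLs and redirects and may not mark its session cookies Secure, which is a plausible cause of the "does not work" in the commit title. The same applies to the carddav/caldav blocks, where `return 301 $scheme://$host:$server_port/remote.php/dav;` resolves to `http://<host>:80/...` behind the proxy. Either set `fastcgi_param HTTPS on;` and `return 301 https://$host/remote.php/dav;`, or configure `overwriteprotocol` and `trusted_proxies` in Nextcloud's config.php and pass `X-Forwarded-Proto` from the host proxy. The comment above the `.well-known/host-meta` and `webfinger` rewrites says to uncomment them if those apps are used, yet the rewrites are already active; drop the comment or comment out the rewrites.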
@@ -31,4 +31,12 @@ loop_control: loop_var: site when: site.type == "synapse" - tags: synapse \ No newline at end of file + tags: synapse + +- name: Deploy Wordpress sites + include_tasks: wordpress.yml + loop: "{{ sites }}" + loop_control: + loop_var: site + when: site.type == "wordpress" + tags: wordpress \ No newline at end of file diff --git a/deployer/roles/deploy/tasks/nextcloud.yml b/deployer/roles/deploy/tasks/nextcloud.yml new file mode 100644 index 0000000..3e4968e --- /dev/null +++ b/deployer/roles/deploy/tasks/nextcloud.yml @@ -0,0 +1,15 @@ +--- +# Needs variables: +# - site: dict describing the site install (cf group_vars/all/vars.yml) + +- block: # Used for tagging all tasks with "nextcloud" + + - name: Include nginx tasks + import_tasks: nginx.yml + tags: nginx + + - name: Include docker tasks + import_tasks: docker.yml + tags: docker + + tags: nextcloud \ No newline at end of file