nextcloud WIP, does not work; synapse v1.20.0

deployer/README.md

@@ -102,6 +102,32 @@ This block will never run unless `/path/to/backup/dir/db-backup.sql.gz` exists.
 
 Someone advised me to install matrix-media-repo to enable animated thumbnails as people's avatar (https://github.com/turt2live/matrix-media-repo/blob/master/config.sample.yaml#L394), and to setup https://github.com/ma1uta/ma1sd which is a federated identity server.
 
+### NextCloud
+
+Steps to dockerization:
+
+* Check the databases
+	* Modify character set to utf8mb4 / collate utf8mb4_general_ci.
+
+			ALTER DATABASE owncloud CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
+
+	* Change the default for the whole server while at it:
+
+			SET character_set_server = 'utf8mb4';
+			SET collation_server = 'utf8mb4_general_ci';
+
+* Backup:
+
+		# Database 
+		mysqldump -u root -R owncloud > /vault/backups/owncloud.sql
+		# Data (exclude './data' folder which is too big):
+		tar --exclude='./data' -czvf /vault/backups/nextcloud.tar.gz /var/www/nextcloud
+
+Apparently this is needed, but since I'm using a single MariaDB for every service, I won't bother changing the global config:
+
+* “READ COMMITED” transaction isolation level (See: Database “READ COMMITTED” transaction isolation level)
+* Disabled or BINLOG_FORMAT = ROW configured Binary Logging (See: https://dev.mysql.com/doc/refman/5.7/en/binary-log-formats.html)
+* For Emoji (UTF8 4-byte) support see Enabling MySQL 4-byte support
 
 
 ### Ansible 
@@ -121,3 +147,4 @@ create user 'arvuhez'@'172.26.0.2' identified by 'kjhs';
 grant all on arvuhez.* to 'arvuhez'@'172.26.0.2';
 show grants for 'arvuhez'@'172.26.0.2';
 ```
+

deployer/group_vars/all/vars.yml

@@ -17,9 +17,12 @@ wordpress:
 gitea:
   version: 1.12.1
 synapse:
-  version: v1.19.2
+  version: v1.20.0
 drupal: 
   version: 8.8.5-apache
+nextcloud:
+  version: 19.0.3
+  checksum: md5:2094204fd0c3471be2ec010a71231da6
 
 postgres:
   pg_hba_path: "/etc/postgresql/9.6/main/pg_hba.conf"
@@ -183,6 +186,6 @@ sites:
     subnet_nginx_ip: 172.27.8.2
     subnet_site_ip: 172.27.8.3
     # MySQL
-    mysql_database: lexperimental
+    mysql_database: cloud
-    mysql_username: lexperimental
+    mysql_username: cloud
-    mysql_password: "{{ vault_lexperimental_mysql_password }}"
+    mysql_password: "{{ vault_cloud_mysql_password }}"

deployer/group_vars/all/vault.yml

@@ -1,66 +1,62 @@
 $ANSIBLE_VAULT;1.1;AES256
-61346661343863613361323661306539653337373661633864646234323461613935343932356234
+63396539316239353233336438626132623539363031646230646136363332613735653464363266
-3239323832363330323937303731303131653632646633310a613736333165623563346238336266
+6134333039643639383565363361326631346536376162630a356539653234303034303165626364
-38343531663532626435633435316637353366643238373238656637306161333139343865323335
+39643037623062316237303361323037663233626464343032646265343830303932633761613335
-3965623130313631610a613537656264613063653832323832376363396538663564663330393639
+3464643562343235300a383839636533306537303365623438623632323765333138636631386238
-61633836613636323037663139323865613963626632366231626538363634666538393736653331
+36653766393163313633396465643936316635316238656161376435623536396437323836653530
-64646634393537366564393932646134626233623932653735383735303331373263326663633430
+30633232376239666336373430383163376530343230343536646266366135643962306633396337
-33373530613365326438353530663861323736316164656335666531646131613135376230343433
+63386661356631373062613066383862366532396564313633646666313536326234366239353733
-66376335336235373961333230663165306137326632353766646332386133303263383939303534
+30303764653332333961653331613032613066643962316464373738653231336434396634636636
-36626132363639373166353263376134656334353865313337366233303635383030653131323632
+66646463613165396563373161366231633436616261306166626366656134366134616439616336
-34326334646235663337613734376663356465343662653865626665363564333163343361373466
+36623266383338326230623532653336633761326663383463653933343165613935356333353432
-31326436626263663062376131346137393734386461366161316137323135633365663237613236
+34366461616535303731346165333863613933363161376262393433313133626366626432303732
-36353463666366633332663933616337346565613537633437376638373366343334343337633833
+31306337303163656631316130383438623963363135643963656332333535303539303230376634
-63333565346361666361333734323639383666623033393766346463643235376137653066303764
+32373934643963393465336466373635613265386166366634656465653162373333303531363163
-36396632383834303339623232326532663439633662343935376339386435396139326136333162
+32636563323937393866396232356238316533303164333238666135363439616166326465306365
-64333333356135646339623863323032363161323865323434343534393866393561623663616264
+63363062636431663034353662623563343732313666303034613233396239366431646566366634
-31346534653935383662643838326333363563366137323732373132333836616561663036663631
+62613666303532303666323765363634356232396262306332306336653532663832623438646661
-64346162303665613435623965646233623537336236643262616231643332316662373764653235
+30316636616631353161383139383235316130626633383636633235613934643338326134363030
-35663736346239616662303966616363393539373731323235643961393435393539383039633038
+64636366363462616535346233636162313461643637643731323837383034383835323761613764
-32653365633831333134613962386661643264383933343963323366333062663633333837636334
+35383061373638643661653039393532646530303863393838316339616232396239393931343431
-30393534306463306531613965623135663637306462396431616239663830326632633236633131
+33366163313966373061323961383738663662373936373561363034663263353135326237653964
-66313530646437313539386365366164303538303839343231323333366337366364633136616666
+65373233626633313161323761333063616339636163336164353132323731326265323162363633
-30643863666362643530386633366639333739396434616333383830613138376463613663363261
+36623235306263386431353932626432613231366163373433393530343335396464393862636436
-39316635303734353239313938616532366535336432353363313030646166396361363338323232
+66613666356337373965636262666566653764353861643565613830393761333062326233643636
-33323463636264373832306233646338653762356531636465303762623832323936353566623536
+32643033313530346263323034376561373863316133396534396132613861623738336161306435
-30383730393932656530643030656434313832396265663366646235626564363065666536386336
+34373631326464323332343832336337656139616231386263653532326538616530626434663564
-30653165383063623738393465373834396438336539643832373836303437303539646632343763
+37633332366438326132373331353337333865366639333338306565326239646331666232616431
-39623332633033623932376566306433363265643037616265336636363636626232666638633963
+36323864653862386461386631306535303861336230356536393135383766636339626366316632
-63373339663666323761383039393835333239393039656237386666343937373431306239663365
+63643638663962373063373361363062306339373030653661666166313234353539373466613665
-61303661326434383436373635353566306634646635646461346462393730633835363464333866
+34646666613361643237306566393661383736386165613738646532386535336437313461373663
-63333466666538663566646565393539376161623836663532646335636438313538303235386137
+34333530616535316333396665633864663864373762326430666138346534646430323662353663
-37653162633934653034656436613930653563646634346565643333396534326465386133303235
+30636363613037313763646262376564663935663265653533313761393832393834643337633837
-62316262373733663737623861316639386632613465616332353339343935363631623231373834
+33633937333439666431333563323364313664666237623764303737363963393665373237313132
-62653365646561653134653433633364333664616131663236313161393632346130653263353365
+33316664323162643566323261326638643164653639333438623064643262373761383463313565
-34376138616439313438666235353734383130333930316631623736346239316236373565373737
+66636433313432636366333664306161646131303831383463656132333563363134333564356363
-39323233313235313938663663613631373033373039393134323966663866383437623563313764
+37613235353139353539316332646439613338623232343435323436336230303630393536663436
-33363233313664613465346466303462363935633834653362346431323764643262376266306164
+34313764373439323737333761346436636266313363356533343264663831376537386138396338
-30623365653861636435626464383765346637336239313733303161393162666536373239613638
+64663730313764626634343064333965346464366236326561353365353664366463353637393531
-62333333373430616661653062326561663465646562343832393262333265623061653438623036
+61363532393038626631646434653933343532373430646165646135636166353066373765323235
-38373935313632626631353765323330643330626461393331346261363865643339306330363166
+31323634653439316433616435623665376139613736643962323730666666316335323161666239
-31386466386137326335363239653434633065353764653033383234303862643636636637353533
+30613739643737303835343563636236363565633031363737633636633433323661333032626633
-64333336306636643061643534303366666362373666366437323333666531626635353733376235
+32333338323561613163393532313764323566363931653732333261653061333263313832343539
-36643764623134643537373766633137383566333761343733353534326535383666396166396466
+39663438323730393061636561373935366635613531336264393261663461336532616333653762
-32623764646339323932383064303836656531313938656238326366363635383438333563313032
+32306163333264336665303766633963666666313230363639363063336166396334613938643466
-39333737626363663832326334303130633961313263663036643837366365633863373133396539
+62353530663032363932396165303861333461306231613430376561663536316537623366626665
-62646665373063616164343139643434386565616537646264363130653034333266363564323438
+35306533373166306464623334366163386164393666663461333635613031396337386666323666
-34393335306465663962376464626565363536646462323463396631623839616437346563363165
+30666435323632363238623837356139623031323765626331613139373237396161633865303739
-37393465393966393835396164633239643364303434633764373661366563613536386661666263
+35653361323261613065396463663938653062376438666462666635373162336139323233303764
-36303735343361346335613066326237633134653736316665343832626466393462366564663436
+38396136343365346562653933373139633030336638316535643738393036303536623231306233
-65303236393737356234383563343833333934666663323266363535333039326131666633366239
+34663931366164376234376331633737613532313964633733363334306634326566626266313164
-61616163386638376339633563323931653435643363303531346163323732386563643237613363
+31373133363832346462323134306634373066666266646639623832643235633432323164643934
-37316437393537373363383061356131363536343231633632323132383462306662613763663462
+34353137396462313338656437653335623132623633613961656261316164303861306134653764
-33373135383136346666393731373639656136623931616232646166643364666635656332373561
+61613333646539316633383166383464303830383933663765656339663836616164376135636462
-37623835613163363734333361393932333135343762373532666136633966663638353839366232
+37396466616336636437383866313930633162363732623532393033366236653531396363656439
-66363435343161376537653935656336363933663065383935383237313936353134653064363165
+30333433353839353861616239656537363633626333393330346666303766653962396630353238
-63386639363138306164373035306266303061313037626364663036336132323063643739616436
+32373639383639333763643239393036343037383065666661643835336363333865376565663566
-32306362343938333435383630306163303637303664306164316238343662636262326364626339
+30386236626362343036356136383565613837383665636463363934376134316438643561353536
-36376335333065656333303631316233633966663535343731653034393162303034346637653634
+37366461393635383933633638663333666330623634363534306465363065643064333939383931
-35313435323630373663626139343331323431633434633339393732373731346637346637643237
+32303366356130383135626130626335613131663966353065333464303832653535646363636566
-65613035323930366437393334366263306532323430363136346439623366323138643130383234
+34386438383565663733366662373931353732393932343565646235333038313736303939616230
-31303638333138316235666537666637393033313161666663336131373161383735653539353937
+34653239353832326161303531336362343765373431383032366239623135623165653637393339
-66643635613335366330643962623637316436323333333134383931386634653037653939613937
+39623164633532613436353362626664356465386531643339326430623833353531
-64353035653939313839373636626332363663623365353562643366636439363132623633313566
-31663436393437343036376364666531316230393633383631356636386336343630616532613439
-39343236333132626636373739616136623061383763313966343837386261313732393135316638
-33383464653438323461353637643432396433343035336431613639306132333236

deployer/roles/build/tasks/main.yml

@@ -1,13 +1,4 @@
 ---
-
-- name: Build Wordpress sites
-  include_tasks: wordpress.yml  
-  loop: "{{ sites }}"
-  loop_control:
-    loop_var: site
-  when: site.type == "wordpress"
-  tags: wordpress
-
 - name: Build Drupal sites
   include_tasks: drupal.yml  
   loop: "{{ sites }}"
@@ -24,6 +15,14 @@
   when: site.type == "gitea"
   tags: gitea
 
+- name: Build NextCloud sites
+  include_tasks: nextcloud.yml  
+  loop: "{{ sites }}"
+  loop_control:
+    loop_var: site
+  when: site.type == "nextcloud"
+  tags: nextcloud
+
 - name: Build Synapse sites
   include_tasks: synapse.yml  
   loop: "{{ sites }}"
@@ -31,3 +30,12 @@
     loop_var: site
   when: site.type == "synapse"
   tags: synapse
+
+- name: Build Wordpress sites
+  include_tasks: wordpress.yml  
+  loop: "{{ sites }}"
+  loop_control:
+    loop_var: site
+  when: site.type == "wordpress"
+  tags: wordpress
+

deployer/roles/build/tasks/nextcloud.yml

@@ -0,0 +1,106 @@
+---
+
+- block: # Used for tagging all tasks with "nextcloud"
+
+    - name: "Set site_data_path to {{ www_path }}/{{ site.slug }}"
+      set_fact: site_data_path="{{ www_path }}/{{ site.slug }}"
+      tags: always
+
+
+    ###############################
+    # Create wp-content if needed #
+    ###############################
+
+    - name: Is it a new install?
+      stat:
+        path: "{{ site_data_path }}/index.php"
+      register: content
+      tags: bootstrap
+
+    - name: Populate data folder
+      block:
+        # - name: "Clear folder {{ site_data_path }}"
+        #   file:
+        #     path: "{{ site_data_path }}"
+        #     state: absent
+        - name: "Download NextCloud {{ nextcloud.version }} archive"
+          get_url:
+            url: "https://download.nextcloud.com/server/releases/nextcloud-{{ nextcloud.version }}.tar.bz2"
+            dest: "/tmp/nextcloud.tbz2"
+            checksum: "{{ nextcloud.checksum }}"
+        - name: "Extract NextCloud {{ nextcloud.version }} archive"
+          unarchive: 
+            src: "/tmp/nextcloud.tbz2"
+            dest: /tmp
+            remote_src: yes
+        - name: "Copy NextCloud folder to destination"
+          copy:
+            src: /tmp/nextcloud
+            dest: "{{ site_data_path }}"
+            remote_src: yes
+            # group: www-data
+            # mode: '0660'
+            # directory_mode: '0770'
+        - name: "Set proper access rights to {{ site_data_path }}"
+          file: 
+            path: "{{ site_data_path }}"
+            state: directory 
+            recurse: yes
+            group: www-data
+            mode: "u=rwX,g=rwX,o="
+
+        - name: "Remove downloaded content"
+          file:
+            path: "{{ toremove }}"
+            state: absent
+          loop:
+            - /tmp/nextcloud.tgz 
+          loop_control:
+            loop_var: toremove
+
+      when: content.stat.exists is not defined or content.stat.exists == False
+      tags: bootstrap
+
+
+    ####################
+    # Render templates #
+    ####################
+
+    - name: "Render templates"
+      import_tasks: render.yml
+      tags: render
+
+
+    #######################
+    # MySQL configuration #
+    #######################
+
+    - name: "Setup MySQL"
+      import_tasks: mysql.yml
+      tags: mysql
+
+
+    #################
+    # Setup backups #
+    #################
+
+    # Backups would need to exclude the '/data' folder.
+    # Otherwise they can heavily grow in size depending on usage.
+    # So forget about it for now.
+    # - name: "Setup backups"
+    #   import_tasks: backup.yml
+    #   tags: backup
+
+
+    ###################
+    # SSL certificate #
+    ###################
+
+    # - name: Create Let's Encrypt certificate
+    # This seems hard, see:
+    # https://docs.ansible.com/ansible/latest/modules/acme_certificate_module.html#acme-certificate-module
+    # https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-ansible-on-ubuntu-18-04
+    # Maybe using shell directly? e.g.
+    # certbot certonly --webroot -w /var/www/letsencrypt -d <url>
+
+  tags: nextcloud # / block

deployer/roles/build/tasks/wordpress.yml

@@ -23,12 +23,12 @@
           file:
             path: "{{ site_data_path }}"
             state: absent
-        - name: "Download Wordpress v{{ wordpress.version }} archive"
+        - name: "Download Wordpress {{ wordpress.version }} archive"
           get_url:
             url: "https://wordpress.org/wordpress-{{ wordpress.version }}.tar.gz"
             dest: "/tmp/wordpress.tgz"
             checksum: "{{ wordpress.checksum }}"
-        - name: "Extract Wordpress v{{ wordpress.version }} archive"
+        - name: "Extract Wordpress {{ wordpress.version }} archive"
           unarchive: 
             src: "/tmp/wordpress.tgz"
             dest: /tmp 

deployer/roles/build/templates/nextcloud/docker-compose.yml.j2

@@ -3,11 +3,11 @@ version: '3'
 # Generated by ansible for site {{ site.url }} 
 # On network {{ site.subnet_cidr_address }}:
 # - web server (nginx) at {{ site.subnet_nginx_ip }}
-# - php-fpm (wordpress) at {{ site.subnet_site_ip }}
+# - php-fpm (nextcloud) at {{ site.subnet_site_ip }}
 
 services:
   site:
-    image: nextcloud:latest-apache
+    image: nextcloud:{{ nextcloud.version }}-fpm
     restart: always
     environment:
       MYSQL_HOST: "{{ site.subnet_gateway_ip }}"
@@ -15,8 +15,11 @@ services:
       MYSQL_PASSWORD: "{{ site.mysql_password }}"
       MYSQL_DATABASE: "{{ site.mysql_database }}"
     volumes: 
-      - "html_data:/var/www/html"
+      - "{{ site_data_path }}:/var/www/html"
-      - "{{ site_data_path }}:/var/www/html/wp-content"
+      # These can be populated with existing content
+      # So make it another volume
+      - "{{ site_data_path }}/config:/var/www/html/config"
+      - "{{ site_data_path }}/data:/var/www/html/data"
     networks:
       net:
         ipv4_address: "{{ site.subnet_site_ip }}"
@@ -26,19 +29,15 @@ services:
     restart: always
     depends_on:
       - site
-    volumes_from:
+    volumes:
-      - site
+      - "{{ site_data_path }}:/var/www/html"
     networks:
       net:
         ipv4_address: "{{ site.subnet_nginx_ip }}"
 
-
 networks:
   net:
     ipam:
       driver: default
       config:
         - subnet: "{{ site.subnet_cidr_address }}"
-
-volumes:
-  html_data:

deployer/roles/build/templates/nextcloud/nginx.host.j2

@@ -0,0 +1,56 @@
+# Generated by ansible for site {{ site.url }} 
+# At {{ site.subnet_site_ip }} on {{ site.subnet_cidr_address }}
+
+server {
+  listen 80;
+  listen [::]:80;
+  server_name {{ site.url }} www.{{ site.url }};
+
+  # Let's Encrypt
+  include snippets/letsencrypt.conf;
+
+  location / {
+{% if site.redirect_to_www %}
+    return 301 https://www.{{ site.url }}$request_uri;
+{% else %}
+    return 301 https://{{ site.url }}$request_uri;
+{% endif %}
+  }
+}
+
+server {
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  server_name {{ site.url }} www.{{ site.url }};
+
+  access_log  /var/log/nginx/{{ site.slug }}-access.log;
+  error_log   /var/log/nginx/error.log;
+
+{% if site.redirect_to_www %}
+  # Redirect non-www to www
+  if ($host = {{ site.url }}) {
+    rewrite ^ https://www.{{ site.url }}$request_uri permanent;
+  }
+{% else %}
+  # Redirect www to non-www
+  if ($host = www.{{ site.url }}) {
+    rewrite ^ https://{{ site.url }}$request_uri permanent;
+  }
+{% endif %}
+
+  # Let's Encrypt
+  include snippets/letsencrypt.conf;
+
+  include snippets/ssl-params.conf;
+  ssl_certificate /etc/letsencrypt/live/{{ site.url }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ site.url }}/privkey.pem;
+  
+  include snippets/header-params_server.conf;
+  location / {
+    include snippets/header-params_location.conf;
+  
+    proxy_pass http://{{ site.subnet_nginx_ip }}:80;
+  }
+}
+
+

deployer/roles/build/templates/nextcloud/nginx/Dockerfile.j2

@@ -0,0 +1,5 @@
+FROM nginx:latest
+COPY nginx.conf /etc/nginx/nginx.conf
+
+# Should be UID & GID=33
+# USER www-data:www-data 

deployer/roles/build/templates/nextcloud/nginx/nginx.conf.j2

@@ -0,0 +1,175 @@
+# This config is adapted from NextCloud's github repository:
+# https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/insecure/mariadb/fpm/web/nginx.conf
+
+user  www-data www-data;
+worker_processes  1;
+
+error_log /var/log/nginx/error.log warn;
+pid       /var/run/nginx.pid;
+
+
+events {
+  worker_connections  1024;
+}
+
+
+http {
+  charset utf-8;
+
+  include     /etc/nginx/mime.types;
+  default_type  application/octet-stream;
+
+  set_real_ip_from {{ site.subnet_gateway_ip }};
+  log_format  main  '$http_x_real_ip - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+  access_log  /var/log/nginx/access.log  main;
+
+  sendfile    on;
+  #tcp_nopush   on;
+
+  keepalive_timeout  65;
+
+  #gzip  on;
+
+  upstream php-handler {
+    server site:9000;
+  }
+
+  server {
+    listen 80;
+
+    # Add headers to serve security related headers
+    # Before enabling Strict-Transport-Security headers please read into this
+    # topic first.
+    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+    #
+    # WARNING: Only add the preload option once you read about
+    # the consequences in https://hstspreload.org/. This option
+    # will add the domain to a hardcoded list that is shipped
+    # in all major browsers and getting removed from this list
+    # could take several months.
+    add_header Referrer-Policy "no-referrer" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Download-Options "noopen" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Permitted-Cross-Domain-Policies "none" always;
+    add_header X-Robots-Tag "none" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    # Remove X-Powered-By, which is an information leak
+    fastcgi_hide_header X-Powered-By;
+
+    # Path to the root of your installation
+    root /var/www/html;
+
+    location = /robots.txt {
+      allow all;
+      log_not_found off;
+      access_log off;
+    }
+
+    # The following 2 rules are only needed for the user_webfinger app.
+    # Uncomment it if you're planning to use this app.
+    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
+
+    # The following rule is only needed for the Social app.
+    # Uncomment it if you're planning to use this app.
+    rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
+
+    location = /.well-known/carddav {
+      return 301 $scheme://$host:$server_port/remote.php/dav;
+    }
+
+    location = /.well-known/caldav {
+      return 301 $scheme://$host:$server_port/remote.php/dav;
+    }
+
+    # set max upload size
+    client_max_body_size 10G;
+    fastcgi_buffers 64 4K;
+
+    # Enable gzip but do not remove ETag headers
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+    # Uncomment if your server is build with the ngx_pagespeed module
+    # This module is currently not supported.
+    #pagespeed off;
+
+    location / {
+      rewrite ^ /index.php;
+    }
+
+    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
+      deny all;
+    }
+    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
+      deny all;
+    }
+
+    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
+      fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+      set $path_info $fastcgi_path_info;
+      try_files $fastcgi_script_name =404;
+      include fastcgi_params;
+      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+      fastcgi_param PATH_INFO $path_info;
+      # fastcgi_param HTTPS on;
+
+      # Avoid sending the security headers twice
+      fastcgi_param modHeadersAvailable true;
+
+      # Enable pretty urls
+      fastcgi_param front_controller_active true;
+      fastcgi_pass php-handler;
+      fastcgi_intercept_errors on;
+      fastcgi_request_buffering off;
+    }
+
+    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
+      try_files $uri/ =404;
+      index index.php;
+    }
+
+    # Adding the cache control header for js, css and map files
+    # Make sure it is BELOW the PHP block
+    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+      try_files $uri /index.php$request_uri;
+      add_header Cache-Control "public, max-age=15778463";
+      # Add headers to serve security related headers (It is intended to
+      # have those duplicated to the ones above)
+      # Before enabling Strict-Transport-Security headers please read into
+      # this topic first.
+      #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+      #
+      # WARNING: Only add the preload option once you read about
+      # the consequences in https://hstspreload.org/. This option
+      # will add the domain to a hardcoded list that is shipped
+      # in all major browsers and getting removed from this list
+      # could take several months.
+      add_header Referrer-Policy "no-referrer" always;
+      add_header X-Content-Type-Options "nosniff" always;
+      add_header X-Download-Options "noopen" always;
+      add_header X-Frame-Options "SAMEORIGIN" always;
+      add_header X-Permitted-Cross-Domain-Policies "none" always;
+      add_header X-Robots-Tag "none" always;
+      add_header X-XSS-Protection "1; mode=block" always;
+
+      # Optional: Don't log access to assets
+      access_log off;
+    }
+
+    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
+      try_files $uri /index.php$request_uri;
+      # Optional: Don't log access to other assets
+      access_log off;
+    }
+  }
+}

deployer/roles/build/templates/wordpress/nginx.host.j2

@@ -24,7 +24,7 @@ server {
   server_name {{ site.url }} www.{{ site.url }};
 
   access_log  /var/log/nginx/{{ site.slug }}-access.log;
-  error_log   /var/log/nginx/{{ site.slug }}-error.log;
+  error_log   /var/log/nginx/error.log;
 
 {% if site.redirect_to_www %}
   # Redirect non-www to www

deployer/roles/deploy/tasks/main.yml

@@ -1,12 +1,5 @@
 ---
 
-- name: Deploy Wordpress sites
-  include_tasks: wordpress.yml
-  loop: "{{ sites }}"
-  loop_control:
-    loop_var: site
-  when: site.type == "wordpress"
-  tags: wordpress
 
 - name: Deploy Drupal sites
   include_tasks: drupal.yml
@@ -24,6 +17,13 @@
   when: site.type == "gitea"
   tags: gitea
 
+- name: Deploy NextCloud sites
+  include_tasks: nextcloud.yml
+  loop: "{{ sites }}"
+  loop_control:
+    loop_var: site
+  when: site.type == "nextcloud"
+  tags: nextcloud
 
 - name: Deploy Synapse sites
   include_tasks: synapse.yml
@@ -31,4 +31,12 @@
   loop_control:
     loop_var: site
   when: site.type == "synapse"
-  tags: synapse
+  tags: synapse
+
+- name: Deploy Wordpress sites
+  include_tasks: wordpress.yml
+  loop: "{{ sites }}"
+  loop_control:
+    loop_var: site
+  when: site.type == "wordpress"
+  tags: wordpress

deployer/roles/deploy/tasks/nextcloud.yml

@@ -0,0 +1,15 @@
+---
+# Needs variables:
+#   - site: dict describing the site install (cf group_vars/all/vars.yml)
+
+- block: # Used for tagging all tasks with "nextcloud"
+
+    - name: Include nginx tasks
+      import_tasks: nginx.yml 
+      tags: nginx
+
+    - name: Include docker tasks
+      import_tasks: docker.yml
+      tags: docker 
+
+  tags: nextcloud