			29 Commits
			server-23.
			...
			7dc25f5821
	| Author | SHA1 | Date | |
|---|---|---|---|
| 7dc25f5821 | |||
| 5ed71fa11a | |||
| 95aff397b8 | |||
| a708450260 | |||
| 8b600a9830 | |||
| e4c4f0bac4 | |||
| 236a7236d4 | |||
| 6f22e87252 | |||
| 6504e0d7f8 | |||
| 68fac3624b | |||
| f8861c266f | |||
| d2e870389f | |||
| 0f671549d5 | |||
| c045b0586e | |||
| 4e2757f649 | |||
| 80ec87c7f4 | |||
| e079c5d48b | |||
| acbb6bfef7 | |||
| 0368d71410 | |||
| c7fd45b47f | |||
| 8ff2a5878e | |||
| b02037f743 | |||
| 63a291121a | |||
| 69d76f3342 | |||
| f465c5d792 | |||
| 29a145fe42 | |||
| f27abe9e42 | |||
| e76e4beac0 | |||
| b40bd1a383 | 
										11
								galaxy.yml
							| @@ -1,15 +1,14 @@ | |||||||
| namespace: finallycoffee | namespace: finallycoffee | ||||||
| name: nextcloud | name: nextcloud | ||||||
| version: 0.5.0 | version: 0.5.1 | ||||||
| readme: README.md | readme: README.md | ||||||
| authors: | authors: | ||||||
| - Johanna Dorothea Reichmann <transcaffeine@finallycoffee.eu> | - transcaffeine <transcaffeine@finally.coffee> | ||||||
| description: Installing and configuring nextcloud (and related apps/services) using docker | description: Installing and configuring nextcloud (and related apps/services) using docker | ||||||
| dependencies: | dependencies: | ||||||
|   "community.docker": "^1.10.0" |   "community.docker": "^1.10.0" | ||||||
| license: | license_file: LICENSE.md | ||||||
| - CNPLv7+ |  | ||||||
| build_ignore: | build_ignore: | ||||||
| - '*.tar.gz' | - '*.tar.gz' | ||||||
| repository: https://git.finallycoffee.eu/finallycoffee.eu/nextcloud | repository: https://git.finally.coffee/finallycoffee/nextcloud | ||||||
| issues: https://git.finallycoffee.eu/finallycoffee.eu/nextcloud/issues | issues: https://git.finally.coffee/finallycoffee/nextcloud/issues | ||||||
|   | |||||||
										3
								meta/runtime.yml
										Normal file
							| @@ -0,0 +1,3 @@ | |||||||
|  | --- | ||||||
|  |  | ||||||
|  | requires_ansible: ">=2.12" | ||||||
| @@ -1,7 +1,9 @@ | |||||||
| --- | --- | ||||||
|  |  | ||||||
| - name: restart-nextcloud | - name: restart-nextcloud | ||||||
|   docker_container: |   community.docker.docker_container: | ||||||
|     name: "{{ nextcloud_container_name }}" |     name: "{{ nextcloud_container_name }}" | ||||||
|     state: started |     state: started | ||||||
|     restart: yes |     restart: true | ||||||
|  |     comparisons: | ||||||
|  |       '*': ignore | ||||||
|   | |||||||
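Review bot: The added `comparisons: '*': ignore` on the restart-nextcloud handler needs a comment stating its intent, because it disables every spec comparison the module would otherwise do and nothing in the handler says why. Presumably it is there so that this partial spec (no image, volumes or env) can never be judged as differing from the running container and cause a recreate instead of a plain restart; if that is the reason, write it down, e.g. `# restart only: disable all comparisons so this partial spec never recreates the container` above the `comparisons:` key. If the real reason is different, the comment should say what it is.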
| @@ -1,7 +1,7 @@ | |||||||
| --- | --- | ||||||
|  |  | ||||||
| - name: Ensure nextcloud user is created | - name: Ensure nextcloud user is created | ||||||
|   user: |   ansible.builtin.user: | ||||||
|     name: "{{ nextcloud_run_user }}" |     name: "{{ nextcloud_run_user }}" | ||||||
|     state: present |     state: present | ||||||
|   register: nextcloud_user_res |   register: nextcloud_user_res | ||||||
|   | |||||||
| @@ -1,7 +1,7 @@ | |||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
| - name: Set default api parameters for HTTP | - name: Set default api parameters for HTTP | ||||||
|   meta: noop |   ansible.builtin.meta: noop | ||||||
|   vars: &api_defaults |   vars: &api_defaults | ||||||
|     http_agent: "{{ nc_ldap_meta_http_agent }}" |     http_agent: "{{ nc_ldap_meta_http_agent }}" | ||||||
|     headers: "{{ nc_ldap_api_headers }}" |     headers: "{{ nc_ldap_api_headers }}" | ||||||
| @@ -11,7 +11,7 @@ | |||||||
|     force: yes |     force: yes | ||||||
| 
 | 
 | ||||||
| - name: Check if configuration with given config ID already exists | - name: Check if configuration with given config ID already exists | ||||||
|   uri: |   ansible.builtin.uri: | ||||||
|     <<: *api_defaults |     <<: *api_defaults | ||||||
|     url: "{{ nc_ldap_api_path }}/{{ nc_ldap_config_id }}{{ query_params }}" |     url: "{{ nc_ldap_api_path }}/{{ nc_ldap_config_id }}{{ query_params }}" | ||||||
|     method: GET |     method: GET | ||||||
| @@ -21,19 +21,19 @@ | |||||||
| 
 | 
 | ||||||
| # TODO: Can we force an ID on POST? | # TODO: Can we force an ID on POST? | ||||||
| - name: Create ldap configuration with id={{ nc_ldap_config_id }} | - name: Create ldap configuration with id={{ nc_ldap_config_id }} | ||||||
|   uri: |   ansible.builtin.uri: | ||||||
|     <<: *api_defaults |     <<: *api_defaults | ||||||
|     url: "{{ nc_ldap_api_path }}" |     url: "{{ nc_ldap_api_path }}" | ||||||
|     method: POST |     method: POST | ||||||
|   when: nc_ldap_existing_config_api.status != 200 |   when: nc_ldap_existing_config_api.status != 200 | ||||||
| 
 | 
 | ||||||
| - name: Parse output of query command to dict | - name: Parse output of query command to dict | ||||||
|   set_fact: |   ansible.builtin.set_fact: | ||||||
|     nc_ldap_existing_config: "{{ nc_ldap_existing_config_api.stdout | from_json }}" |     nc_ldap_existing_config: "{{ nc_ldap_existing_config_api.stdout | from_json }}" | ||||||
|   changed_when: false |   changed_when: false | ||||||
| 
 | 
 | ||||||
| - name: Create changeset | - name: Create changeset | ||||||
|   set_fact: |   ansible.builtin.set_fact: | ||||||
|     nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | combine(changed_entry) }}" |     nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | combine(changed_entry) }}" | ||||||
|   vars: |   vars: | ||||||
|     changed_entry: "{{ { item : nc_ldap_config_keys[item] } }}" |     changed_entry: "{{ { item : nc_ldap_config_keys[item] } }}" | ||||||
| @@ -41,7 +41,7 @@ | |||||||
|   when: nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] and nc_ldap_config_keys[item] != nc_ldap_existing_config[nc_ldap_config_id][item] |   when: nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] and nc_ldap_config_keys[item] != nc_ldap_existing_config[nc_ldap_config_id][item] | ||||||
| 
 | 
 | ||||||
| - name: Ensure ldap configuration is in sync (http) | - name: Ensure ldap configuration is in sync (http) | ||||||
|   uri: |   ansible.builtin.uri: | ||||||
|     <<: *api_defaults |     <<: *api_defaults | ||||||
|     url: "{{ nc_lap_api_path }}/{{ nc_ldap_config_id }}" |     url: "{{ nc_lap_api_path }}/{{ nc_ldap_config_id }}" | ||||||
|     method: PUT |     method: PUT | ||||||
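Review bot: `url: "{{ nc_lap_api_path }}/{{ nc_ldap_config_id }}"` in the "Ensure ldap configuration is in sync (http)" task references `nc_lap_api_path`, while every other task in this file uses `nc_ldap_api_path`; this looks like a typo that makes the PUT fail on an undefined variable (or build a bogus URL where undefined variables are tolerated). Change it to `url: "{{ nc_ldap_api_path }}/{{ nc_ldap_config_id }}"`. The "Parse output of query command to dict" task also reads `nc_ldap_existing_config_api.stdout | from_json`, but a registered `uri` result carries the response in `json`/`content`, not `stdout`, so `nc_ldap_existing_config` may never be populated on the HTTP path — confirm against a run. Both tasks continue outside the hunk.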
| @@ -1,7 +1,7 @@ | |||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
| - name: Check if configuration with given config ID already exists | - name: Check if configuration with given config ID already exists | ||||||
|   docker_container_exec: |   community.docker.docker_container_exec: | ||||||
|     container: "{{ nc_ldap_container }}" |     container: "{{ nc_ldap_container }}" | ||||||
|     command: "{{ nc_ldap_occ_command }} ldap:show-config --output json {{ '--show-password' if nc_ldap_config_agent_password else '' }} {{ nc_ldap_config_id }}" |     command: "{{ nc_ldap_occ_command }} ldap:show-config --output json {{ '--show-password' if nc_ldap_config_agent_password else '' }} {{ nc_ldap_config_id }}" | ||||||
|     user: "{{ nc_ldap_occ_user }}" |     user: "{{ nc_ldap_occ_user }}" | ||||||
| @@ -11,7 +11,7 @@ | |||||||
|   register: nc_ldap_existing_config_occ |   register: nc_ldap_existing_config_occ | ||||||
| 
 | 
 | ||||||
| - name: Create ldap configuration with id={{ nc_ldap_config_id }} | - name: Create ldap configuration with id={{ nc_ldap_config_id }} | ||||||
|   docker_container_exec: |   community.docker.docker_container_exec: | ||||||
|     container: "{{ nc_ldap_container }}" |     container: "{{ nc_ldap_container }}" | ||||||
|     command: "{{ nc_ldap_occ_command }} ldap:create-empty-config --output json {{ nc_ldap_config_id }}" |     command: "{{ nc_ldap_occ_command }} ldap:create-empty-config --output json {{ nc_ldap_config_id }}" | ||||||
|     user: "{{ nc_ldap_occ_user }}" |     user: "{{ nc_ldap_occ_user }}" | ||||||
| @@ -19,12 +19,12 @@ | |||||||
|   when: nc_ldap_existing_config_occ.rc != 0 and nc_ldap_config_id not in (nc_ldap_existing_config_occ.stdout | from_json).keys() |   when: nc_ldap_existing_config_occ.rc != 0 and nc_ldap_config_id not in (nc_ldap_existing_config_occ.stdout | from_json).keys() | ||||||
| 
 | 
 | ||||||
| - name: Parse output of query command to dict | - name: Parse output of query command to dict | ||||||
|   set_fact: |   ansible.builtin.set_fact: | ||||||
|     nc_ldap_existing_config: "{{ nc_ldap_existing_config_occ.stdout | from_json }}" |     nc_ldap_existing_config: "{{ nc_ldap_existing_config_occ.stdout | from_json }}" | ||||||
|   changed_when: false |   changed_when: false | ||||||
| 
 | 
 | ||||||
| - name: Create changeset | - name: Create changeset | ||||||
|   set_fact: |   ansible.builtin.set_fact: | ||||||
|     nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | combine(changed_entry) }}" |     nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | combine(changed_entry) }}" | ||||||
|   vars: |   vars: | ||||||
|     changed_entry: "{{ { item : nc_ldap_config_keys[item] } }}" |     changed_entry: "{{ { item : nc_ldap_config_keys[item] } }}" | ||||||
| @@ -32,7 +32,7 @@ | |||||||
|   when: nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] and nc_ldap_config_keys[item] != nc_ldap_existing_config[nc_ldap_config_id][item] |   when: nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] and nc_ldap_config_keys[item] != nc_ldap_existing_config[nc_ldap_config_id][item] | ||||||
| 
 | 
 | ||||||
| - name: Ensure ldap configuration is in sync | - name: Ensure ldap configuration is in sync | ||||||
|   docker_container_exec: |   community.docker.docker_container_exec: | ||||||
|     container: "{{ nc_ldap_container }}" |     container: "{{ nc_ldap_container }}" | ||||||
|     command: "{{ nc_ldap_occ_command }} ldap:set-config \"{{ nc_ldap_config_id }}\" \"{{ item.key }}\" \"{{ item.value }}\"" |     command: "{{ nc_ldap_occ_command }} ldap:set-config \"{{ nc_ldap_config_id }}\" \"{{ item.key }}\" \"{{ item.value }}\"" | ||||||
|     user: "{{ nc_ldap_occ_user }}" |     user: "{{ nc_ldap_occ_user }}" | ||||||
| @@ -40,7 +40,7 @@ | |||||||
|   loop: "{{ nc_ldap_config_changeset | dict2items }}" |   loop: "{{ nc_ldap_config_changeset | dict2items }}" | ||||||
| 
 | 
 | ||||||
| - name: Ensure ldap configuration is working | - name: Ensure ldap configuration is working | ||||||
|   docker_container_exec: |   community.docker.docker_container_exec: | ||||||
|     container: "{{ nc_ldap_container }}" |     container: "{{ nc_ldap_container }}" | ||||||
|     command: "{{ nc_ldap_occ_command }} ldap:test-config {{ nc_ldap_config_id }}" |     command: "{{ nc_ldap_occ_command }} ldap:test-config {{ nc_ldap_config_id }}" | ||||||
|     user: "{{ nc_ldap_occ_user }}" |     user: "{{ nc_ldap_occ_user }}" | ||||||
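Review bot: The occ tasks in this file pass the LDAP bind password through Ansible's result stream without `no_log`: the first task runs `ldap:show-config --show-password` when `nc_ldap_config_agent_password` is set and registers the JSON into `nc_ldap_existing_config_occ`, and the "Ensure ldap configuration is in sync" loop puts `{{ item.value }}` on the command line, so the password (and every other changed setting) ends up in verbose output, callbacks and any log aggregation. Unless `no_log` is already set on lines outside these hunks, add `no_log: true` to those two tasks and to the `set_fact` that copies the parsed config. Separately, `command:` is split into arguments by the module, so a config value containing a double quote or backslash breaks the hand-written quoting in the set-config line; passing `{{ nc_ldap_occ_command }}`, `ldap:set-config`, `{{ nc_ldap_config_id }}`, `{{ item.key }}` and `{{ item.value }}` as an `argv:` list avoids that.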
| @@ -1,10 +1,10 @@ | |||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
| - name: Load config {{ nc_ldap_config_id }} (and create if not exists) when running mode is http | - name: Load config {{ nc_ldap_config_id }} (and create if not exists) when running mode is http | ||||||
|   include_tasks: load_config_http.yml |   ansible.builtin.include_tasks: load_config_http.yml | ||||||
|   when: nc_ldap_api_method == 'http' |   when: nc_ldap_api_method == 'http' | ||||||
| 
 | 
 | ||||||
| - name: Load config {{ nc_ldap_config_id }} (and create if not exists) when running mode is occ | - name: Load config {{ nc_ldap_config_id }} (and create if not exists) when running mode is occ | ||||||
|   include_tasks: load_config_occ.yml |   ansible.builtin.include_tasks: load_config_occ.yml | ||||||
|   when: nc_ldap_api_method == 'occ' |   when: nc_ldap_api_method == 'occ' | ||||||
| 
 | 
 | ||||||
| @@ -1,6 +1,6 @@ | |||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
| nextcloud_nginx_version: "1.21.3" | nextcloud_nginx_version: "1.25.3" | ||||||
| nextcloud_nginx_basepath: /opt/nextcloud-nginx | nextcloud_nginx_basepath: /opt/nextcloud-nginx | ||||||
| nextcloud_nginx_config: "{{ nextcloud_nginx_basepath }}/nextcloud.conf" | nextcloud_nginx_config: "{{ nextcloud_nginx_basepath }}/nextcloud.conf" | ||||||
| nextcloud_nginx_servernames: ~ | nextcloud_nginx_servernames: ~ | ||||||
| @@ -1,13 +1,13 @@ | |||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
| - name: Create directory for nginx config | - name: Create directory for nginx config | ||||||
|   file: |   ansible.builtin.file: | ||||||
|     path: "{{ nextcloud_nginx_basepath }}" |     path: "{{ nextcloud_nginx_basepath }}" | ||||||
|     state: directory |     state: directory | ||||||
|     mode: 0750 |     mode: 0750 | ||||||
| 
 | 
 | ||||||
| - name: Template nginx reverse proxy config for nextcloud | - name: Template nginx reverse proxy config for nextcloud | ||||||
|   template: |   ansible.builtin.template: | ||||||
|     src: nextcloud-nginx.conf.j2 |     src: nextcloud-nginx.conf.j2 | ||||||
|     dest: "{{ nextcloud_nginx_config }}" |     dest: "{{ nextcloud_nginx_config }}" | ||||||
|   vars: |   vars: | ||||||
| @@ -18,19 +18,20 @@ | |||||||
|   notify: restart-nextcloud-nginx |   notify: restart-nextcloud-nginx | ||||||
| 
 | 
 | ||||||
| - name: Ensure nginx docker image is pulled | - name: Ensure nginx docker image is pulled | ||||||
|   docker_image: |   community.general.docker_image: | ||||||
|     name: "{{ nextcloud_nginx_container_image_ref }}" |     name: "{{ nextcloud_nginx_container_image_ref }}" | ||||||
|     state: present |     state: present | ||||||
|     source: pull |     source: pull | ||||||
|     force_source: "{{ nextcloud_nginx_container_image_force_pull }}" |     force_source: "{{ nextcloud_nginx_container_image_force_pull }}" | ||||||
| 
 | 
 | ||||||
| - name: Ensure nginx is running for FPM and static file serving | - name: Ensure nginx is running for FPM and static file serving | ||||||
|   docker_container: |   community.docker.docker_container: | ||||||
|  |     env: "{{ nextcloud_nginx_container_env }}" | ||||||
|     name: "{{ nextcloud_nginx_container_name }}" |     name: "{{ nextcloud_nginx_container_name }}" | ||||||
|     image: "{{ nextcloud_nginx_container_image_ref }}" |     image: "{{ nextcloud_nginx_container_image_ref }}" | ||||||
|  |     ports: "{{ nextcloud_nginx_container_ports }}" | ||||||
|     volumes: "{{ nextcloud_nginx_container_volumes }}" |     volumes: "{{ nextcloud_nginx_container_volumes }}" | ||||||
|     labels: "{{ nextcloud_nginx_container_labels }}" |     labels: "{{ nextcloud_nginx_container_labels }}" | ||||||
|     env: "{{ nextcloud_nginx_container_env }}" |  | ||||||
|     networks: "{{ nextcloud_nginx_container_networks | default(omit) }}" |     networks: "{{ nextcloud_nginx_container_networks | default(omit) }}" | ||||||
|     restart_policy: "{{ nextcloud_nginx_container_restart_policy }}" |     restart_policy: "{{ nextcloud_nginx_container_restart_policy }}" | ||||||
|     state: started |     state: started | ||||||
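Review bot: `community.general.docker_image` in the "Ensure nginx docker image is pulled" task is inconsistent with the `community.docker.docker_container` task right below it and with galaxy.yml, which declares only `community.docker` as a dependency; the docker modules live in community.docker, and the community.general name only works where a redirect still exists. Change it to `community.docker.docker_image`. The new `ports: "{{ nextcloud_nginx_container_ports }}"` publishes host ports whose default is outside this view — make sure that default is empty or bound to a loopback/internal address, since this nginx listens on plain :80. Also `mode: 0750` in the first task is an unquoted octal while defaults/main.yml quotes every mode (`"0755"`); quote it as `mode: "0750"` for consistency.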
| @@ -1,6 +1,12 @@ | |||||||
| upstream php-handler { | upstream php-handler { | ||||||
| {% if fpm_socket %} | {% if fpm_socket %} | ||||||
|  | {% if fpm_socket is not string %} | ||||||
|  | {% for upstream in fpm_socket %} | ||||||
|  |     server unix:{{ upstream }}; | ||||||
|  | {% endfor %} | ||||||
|  | {% else %} | ||||||
|     server unix:{{ fpm_socket }}; |     server unix:{{ fpm_socket }}; | ||||||
|  | {% endif %} | ||||||
| {% else %} | {% else %} | ||||||
|     server {{ fpm_server }}:{{ fpm_server_port }}; |     server {{ fpm_server }}:{{ fpm_server_port }}; | ||||||
| {% endif %} | {% endif %} | ||||||
| @@ -11,29 +17,79 @@ server { | |||||||
|     listen [::]:80; |     listen [::]:80; | ||||||
|     server_name {{ domain | join(' ') }}; |     server_name {{ domain | join(' ') }}; | ||||||
| 
 | 
 | ||||||
|  |     # Path to the root of your installation | ||||||
|  |     root /var/www/nextcloud; | ||||||
|  | 
 | ||||||
|     # Add headers to serve security related headers |     # Add headers to serve security related headers | ||||||
|     # Before enabling Strict-Transport-Security headers please read into this |     # Before enabling Strict-Transport-Security headers please read into this | ||||||
|     # topic first. |     # topic first. | ||||||
|     add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; |     add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; | ||||||
|     # | 
 | ||||||
|     # WARNING: Only add the preload option once you read about |     # Prevent nginx HTTP Server Detection | ||||||
|     # the consequences in https://hstspreload.org/. This option |     server_tokens off; | ||||||
|     # will add the domain to a hardcoded list that is shipped | 
 | ||||||
|     # in all major browsers and getting removed from this list |     # set max upload size | ||||||
|     # could take several months. |     client_max_body_size {{ nextcloud_php_upload_limit }}; | ||||||
|  |     client_body_timeout 300s; | ||||||
|  |     fastcgi_buffers 128 4K; | ||||||
|  | 
 | ||||||
|  |     # Enable gzip but do not remove ETag headers | ||||||
|  |     gzip on; | ||||||
|  |     gzip_vary on; | ||||||
|  |     gzip_comp_level 4; | ||||||
|  |     gzip_min_length 256; | ||||||
|  |     gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; | ||||||
|  |     gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; | ||||||
|  | 
 | ||||||
|  |     # Uncomment if your server is build with the ngx_pagespeed module | ||||||
|  |     # This module is currently not supported. | ||||||
|  |     #pagespeed off; | ||||||
|  | 
 | ||||||
|  |     # The settings allows you to optimize the HTTP2 bandwidth. | ||||||
|  |     # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ | ||||||
|  |     # for tuning hints | ||||||
|  |     client_body_buffer_size 512k; | ||||||
|  | 
 | ||||||
|  |     # HTTP response headers borrowed from Nextcloud `.htaccess` | ||||||
|     add_header Referrer-Policy "no-referrer" always; |     add_header Referrer-Policy "no-referrer" always; | ||||||
|     add_header X-Content-Type-Options "nosniff" always; |     add_header X-Content-Type-Options "nosniff" always; | ||||||
|     add_header X-Download-Options "noopen" always; |  | ||||||
|     add_header X-Frame-Options "SAMEORIGIN" always; |     add_header X-Frame-Options "SAMEORIGIN" always; | ||||||
|     add_header X-Permitted-Cross-Domain-Policies "none" always; |     add_header X-Permitted-Cross-Domain-Policies "none" always; | ||||||
|     add_header X-Robots-Tag "none" always; |     add_header X-Robots-Tag "noindex, nofollow" always; | ||||||
|     add_header X-XSS-Protection "1; mode=block" always; |     add_header X-XSS-Protection "1; mode=block" always; | ||||||
| 
 | 
 | ||||||
|     # Remove X-Powered-By, which is an information leak |     # Remove X-Powered-By, which is an information leak | ||||||
|     fastcgi_hide_header X-Powered-By; |     fastcgi_hide_header X-Powered-By; | ||||||
| 
 | 
 | ||||||
|     # Path to the root of your installation |     # Set .mjs and .wasm MIME types | ||||||
|     root /var/www/nextcloud; |     # Either include it in the default mime.types list | ||||||
|  |     # and include that list explicitly or add the file extension | ||||||
|  |     # only for Nextcloud like below: | ||||||
|  |     include mime.types; | ||||||
|  |     types { | ||||||
|  |         text/javascript js; | ||||||
|  | 	application/javascript mjs; | ||||||
|  | 	application/wasm wasm; | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     # Specify how to handle directories -- specifying `/index.php$request_uri` | ||||||
|  |     # here as the fallback means that Nginx always exhibits the desired behaviour | ||||||
|  |     # when a client requests a path that corresponds to a directory that exists | ||||||
|  |     # on the server. In particular, if that directory contains an index.php file, | ||||||
|  |     # that file is correctly served; if it doesn't, then the request is passed to | ||||||
|  |     # the front-end controller. This consistent behaviour means that we don't need | ||||||
|  |     # to specify custom rules for certain paths (e.g. images and other assets, | ||||||
|  |     # `/updater`, `/ocs-provider`), and thus | ||||||
|  |     # `try_files $uri $uri/ /index.php$request_uri` | ||||||
|  |     # always provides the desired behaviour. | ||||||
|  |     index index.php index.html /index.php$request_uri; | ||||||
|  | 
 | ||||||
|  |     # Rule borrowed from `.htaccess` to handle Microsoft DAV clients | ||||||
|  |     location = / { | ||||||
|  |         if ( $http_user_agent ~ ^DavClnt ) { | ||||||
|  |             return 302 /remote.php/webdav/$is_args$args; | ||||||
|  |         } | ||||||
|  |     } | ||||||
| 
 | 
 | ||||||
|     location = /robots.txt { |     location = /robots.txt { | ||||||
|         allow all; |         allow all; | ||||||
| @@ -49,81 +105,55 @@ server { | |||||||
|         # The rules in this block are an adaptation of the rules |         # The rules in this block are an adaptation of the rules | ||||||
|         # in `.htaccess` that concern `/.well-known`. |         # in `.htaccess` that concern `/.well-known`. | ||||||
| 
 | 
 | ||||||
|         location = /.well-known/carddav { return 301 https://$host/remote.php/dav/; } |         location = /.well-known/carddav { return 301 https://$host/remote.php/dav; } | ||||||
|         location = /.well-known/caldav  { return 301 https://$host/remote.php/dav/; } |         location = /.well-known/caldav  { return 301 https://$host/remote.php/dav; } | ||||||
| 
 | 
 | ||||||
|         # The following rule is only needed for the Social app. |         location = /.well-known/webfinger  { return 301 https://$host/index.php/.well-known/webfinger; } | ||||||
|         # Uncomment it if you're planning to use this app. |         location = /.well-known/nodeinfo   { return 301 https://$host/index.php/.well-known/nodeinfo; } | ||||||
|         location = /.well-known/webfinger	{ return 301 https://$host/public.php?service=webfinger; } |  | ||||||
| 
 |  | ||||||
|         # The following 2 rules are only needed for the user_webfinger app. |  | ||||||
|         # Uncomment it if you're planning to use this app. |  | ||||||
|         location = /.well-known/host-meta	{ return 301 https://$host/public.php?service=host-meta; } |  | ||||||
|         location = /.well-known/host-meta.json	{ return 301 https://$host/public.php?service=host-meta-json; } |  | ||||||
| 
 | 
 | ||||||
|         location /.well-known/acme-challenge    { try_files $uri $uri/ =404; } |         location /.well-known/acme-challenge    { try_files $uri $uri/ =404; } | ||||||
|         location /.well-known/pki-validation    { try_files $uri $uri/ =404; } |         location /.well-known/pki-validation    { try_files $uri $uri/ =404; } | ||||||
| 
 | 
 | ||||||
|         # Let Nextcloud's API for `/.well-known` URIs handle all other |         # Let Nextcloud's API for `/.well-known` URIs handle all other | ||||||
|         # requests by passing them to the front-end controller. |         # requests by passing them to the front-end controller. | ||||||
|         return 301 https://$host/index.php$request_uri; |         return 301 /index.php$request_uri; | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|     # set max upload size |     # Rules borrowed from `.htaccess` to hide certain paths from clients | ||||||
|     client_max_body_size {{ nextcloud_php_upload_limit }}; |     location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; } | ||||||
|     fastcgi_buffers 128 4K; |     location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; } | ||||||
| 
 | 
 | ||||||
|     # Enable gzip but do not remove ETag headers |     # Ensure this block, which passes PHP files to the PHP process, is above the blocks | ||||||
|     gzip on; |     # which handle static assets (as seen below). If this block is not declared first, | ||||||
|     gzip_vary on; |     # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` | ||||||
|     gzip_comp_level 4; |     # to the URI, resulting in a HTTP 500 error response. | ||||||
|     gzip_min_length 256; |     location ~ \.php(?:$|/) { | ||||||
|     gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; |         # Required for legacy support | ||||||
|     gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; |         rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; | ||||||
| 
 | 
 | ||||||
|     # Uncomment if your server is build with the ngx_pagespeed module |         fastcgi_split_path_info ^(.+?\.php)(/.*)$; | ||||||
|     # This module is currently not supported. |  | ||||||
|     #pagespeed off; |  | ||||||
| 
 |  | ||||||
|     location / { |  | ||||||
|         rewrite ^ /index.php; |  | ||||||
|     } |  | ||||||
| 
 |  | ||||||
|     location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { |  | ||||||
|         deny all; |  | ||||||
|     } |  | ||||||
|     location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { |  | ||||||
|         deny all; |  | ||||||
|     } |  | ||||||
| 
 |  | ||||||
|     location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) { |  | ||||||
|         fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; |  | ||||||
|         set $path_info $fastcgi_path_info; |         set $path_info $fastcgi_path_info; | ||||||
|  | 
 | ||||||
|         try_files $fastcgi_script_name =404; |         try_files $fastcgi_script_name =404; | ||||||
|         fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; | 
 | ||||||
|         fastcgi_param SCRIPT_NAME $fastcgi_script_name; |  | ||||||
|         fastcgi_param PATH_INFO $path_info; |  | ||||||
|         fastcgi_param HTTPS $https; |  | ||||||
|         fastcgi_param HTTP_PROXY ""; |  | ||||||
|         fastcgi_param REMOTE_ADDR $remote_addr; |  | ||||||
|         # Avoid sending the security headers twice |  | ||||||
|         fastcgi_param modHeadersAvailable true; |  | ||||||
|         # Enable pretty urls |  | ||||||
|         fastcgi_param front_controller_active true; |  | ||||||
|         fastcgi_pass php-handler; |  | ||||||
|         include fastcgi_params; |         include fastcgi_params; | ||||||
|  |         fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; | ||||||
|  |         fastcgi_param PATH_INFO $path_info; | ||||||
|  |         fastcgi_param HTTPS on; | ||||||
|  | 
 | ||||||
|  |         fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice | ||||||
|  |         fastcgi_param front_controller_active true;     # Enable pretty urls | ||||||
|  |         fastcgi_pass php-handler; | ||||||
|  | 
 | ||||||
|         fastcgi_intercept_errors on; |         fastcgi_intercept_errors on; | ||||||
|         fastcgi_request_buffering off; |         fastcgi_request_buffering off; | ||||||
|     } |  | ||||||
| 
 | 
 | ||||||
|     location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { |         fastcgi_max_temp_file_size 0; | ||||||
|         try_files $uri/ =404; |  | ||||||
|         index index.php; |  | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|     # Adding the cache control header for js, css and map files |     # Adding the cache control header for js, css and map files | ||||||
|     # Make sure it is BELOW the PHP block |     # Make sure it is BELOW the PHP block | ||||||
|     location ~ \.(?:css|js|woff2?|svg|gif|map)$ { |     location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ { | ||||||
|         expires 1d; |         expires 1d; | ||||||
|         # How `sendfile`, `tcp_nopush` and `tcp_nodelay` interact |         # How `sendfile`, `tcp_nopush` and `tcp_nodelay` interact | ||||||
|         # https://thoughts.t37.net/nginx-optimization-understanding-sendfile-tcp-nodelay-and-tcp-nopush-c55cdd276765?gi=f11af534b564 |         # https://thoughts.t37.net/nginx-optimization-understanding-sendfile-tcp-nodelay-and-tcp-nopush-c55cdd276765?gi=f11af534b564 | ||||||
| @@ -159,16 +189,19 @@ server { | |||||||
|         access_log off; |         access_log off; | ||||||
|     } |     } | ||||||
| 
 | 
 | ||||||
|     location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ { | 
 | ||||||
|         expires 1d; |     location ~ \.woff2?$ { | ||||||
|         sendfile on; |  | ||||||
|         tcp_nopush on; |  | ||||||
|         tcp_nodelay on; |  | ||||||
|         open_file_cache max=10000; |  | ||||||
|         open_file_cache_valid 3600s; |  | ||||||
|         open_file_cache_errors off; |  | ||||||
|         try_files $uri /index.php$request_uri; |         try_files $uri /index.php$request_uri; | ||||||
|         # Optional: Don't log access to other assets |         expires 7d;         # Cache-Control policy borrowed from `.htaccess` | ||||||
|         access_log off; |         access_log off;     # Optional: Don't log access to assets | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     # Rule borrowed from `.htaccess` | ||||||
|  |     location /remote { | ||||||
|  |         return 301 /remote.php$request_uri; | ||||||
|  |     } | ||||||
|  | 
 | ||||||
|  |     location / { | ||||||
|  |         try_files $uri $uri/ /index.php$request_uri; | ||||||
|     } |     } | ||||||
| } | } | ||||||
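Review bot: The rewritten `location ~ \.php(?:$|/)` block drops `fastcgi_param HTTP_PROXY "";` without a replacement, so the httpoxy guard is gone: nginx forwards request headers as `HTTP_*` params, and a client-supplied `Proxy:` header becomes `HTTP_PROXY` for the FPM process. PHP's own fix may already neutralise that value, but the empty param is cheap defense in depth for anything else that reads the environment, so keep `fastcgi_param HTTP_PROXY "";` next to the new `fastcgi_param HTTPS on;` (which also replaces the old `$https` and now unconditionally tells Nextcloud it is behind TLS — fine for a TLS-terminating proxy in front of this :80 listener, but worth a one-line comment saying so). The HSTS header keeps `preload` while the hunk deletes the comment warning about it; either restore a short note at the `add_header Strict-Transport-Security` line or make `preload` opt-in via a variable, since a preload submission is hard to undo. The two entries inside `types { ... }` (`application/javascript mjs;`, `application/wasm wasm;`) are indented with tabs while the rest of the file uses spaces.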
| @@ -12,3 +12,10 @@ so the host file permissions remain comprehensible. | |||||||
| - `nextcloud_socket_path`: Setting this (to, for example, `{{ nextcloud_basepath }}/socket`), | - `nextcloud_socket_path`: Setting this (to, for example, `{{ nextcloud_basepath }}/socket`), | ||||||
|   will make FPM listen on `{{ nextcloud_socket_path }}/nextcloud.sock` on the host, enabling |   will make FPM listen on `{{ nextcloud_socket_path }}/nextcloud.sock` on the host, enabling | ||||||
|   you to use FPM to interface with nextcloud. |   you to use FPM to interface with nextcloud. | ||||||
|  |  | ||||||
|  | ### Redis over UNIX-Socket | ||||||
|  |  | ||||||
|  | Set `REDIS_HOST` to a path in the container where the socket is mapped using | ||||||
|  | `nextcloud_container_extra_environment`. Also set `REDIS_HOST_PORT` to 0 | ||||||
|  | explicitely, as `redis.config.php` will set it to `null` otherwise, resulting | ||||||
|  | in an exception. Set your redis password in `REDIS_HOST_PASSWORD`. | ||||||
|   | |||||||
| @@ -1,6 +1,6 @@ | |||||||
| --- | --- | ||||||
|  |  | ||||||
| nextcloud_version: 23.0.3 | nextcloud_version: 28.0.8 | ||||||
| nextcloud_user: nextcloud | nextcloud_user: nextcloud | ||||||
| nextcloud_basepath: /opt/nextcloud | nextcloud_basepath: /opt/nextcloud | ||||||
| nextcloud_config_path: "{{ nextcloud_basepath }}/config" | nextcloud_config_path: "{{ nextcloud_basepath }}/config" | ||||||
| @@ -46,19 +46,19 @@ nextcloud_container_purge_other_networks: true | |||||||
| nextcloud_paths: | nextcloud_paths: | ||||||
|   - path: "{{ nextcloud_config_path }}" |   - path: "{{ nextcloud_config_path }}" | ||||||
|     mode: "0755" |     mode: "0755" | ||||||
|     owner: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" |     owner: "{{ nextcloud_user_info.uid | default(nextcloud_user) }}" | ||||||
|     group: "root" |     group: root | ||||||
|   - path: "{{ nextcloud_data_path }}" |   - path: "{{ nextcloud_data_path }}" | ||||||
|     mode: "0755" |     mode: "0755" | ||||||
|     owner: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" |     owner: "{{ nextcloud_user_info.uid | default(nextcloud_user) }}" | ||||||
|     group: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" |     group: "{{ nextcloud_user_info.group | default(nextcloud_user) }}" | ||||||
|   - path: "{{ nextcloud_fpm_config_path }}" |   - path: "{{ nextcloud_fpm_config_path }}" | ||||||
|     mode: "0750" |     mode: "0750" | ||||||
|     owner: root |     owner: root | ||||||
|     group: root |     group: root | ||||||
|   - path: "{{ nextcloud_storage_path }}" |   - path: "{{ nextcloud_storage_path }}" | ||||||
|     mode: "0770" |     mode: "0770" | ||||||
|     owner: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" |     owner: "{{ nextcloud_user_info.uid | default(nextcloud_user) }}" | ||||||
|     group: "root" |     group: "root" | ||||||
|  |  | ||||||
| # PHP OpCache tuning | # PHP OpCache tuning | ||||||
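Review bot: `nextcloud_data_path` keeps `mode: "0755"` in this hunk, which leaves the data directory listable by every local account on the host; if I recall Nextcloud's setup checks correctly, its data-directory permission check flags a directory readable by others unless `check_data_directory_permissions` is disabled, and the neighbouring entries already use tighter modes (`0750` for the FPM config, `0770` for storage). I'd set `mode: "0770"` on the data path and `mode: "0750"` on `nextcloud_config_path`, since the latter holds `config.php` with the instance secret and database credentials. The change from `.uid` to `.group` for the data-path group looks correct given `ansible.builtin.user` registers a `group` field, though it still depends on the task that registers `nextcloud_user_info` having run before these defaults are evaluated.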
|   | |||||||
| @@ -1,14 +1,14 @@ | |||||||
| --- | --- | ||||||
|  |  | ||||||
| - name: Create nextcloud user | - name: Create nextcloud user | ||||||
|   user: |   ansible.builtin.user: | ||||||
|     name: "{{ nextcloud_user }}" |     name: "{{ nextcloud_user }}" | ||||||
|     state: present |     state: present | ||||||
|     system: yes |     system: yes | ||||||
|   register: nextcloud_user_info |   register: nextcloud_user_info | ||||||
|  |  | ||||||
| - name: Map nextcloud socket path if defined | - name: Map nextcloud socket path if defined | ||||||
|   set_fact: |   ansible.builtin.set_fact: | ||||||
|     nextcloud_paths: "{{ nextcloud_paths + [ socket_dir ] }}" |     nextcloud_paths: "{{ nextcloud_paths + [ socket_dir ] }}" | ||||||
|     nextcloud_container_base_volumes: "{{ nextcloud_container_base_volumes + [ socket_map ] }}" |     nextcloud_container_base_volumes: "{{ nextcloud_container_base_volumes + [ socket_map ] }}" | ||||||
|   vars: |   vars: | ||||||
| @@ -21,7 +21,7 @@ | |||||||
|   when: nextcloud_socket_path is defined and nextcloud_socket_path is string |   when: nextcloud_socket_path is defined and nextcloud_socket_path is string | ||||||
|  |  | ||||||
| - name: Ensure nextcloud directories exist and have correct permissions | - name: Ensure nextcloud directories exist and have correct permissions | ||||||
|   file: |   ansible.builtin.file: | ||||||
|     path: "{{ item.path }}" |     path: "{{ item.path }}" | ||||||
|     state: directory |     state: directory | ||||||
|     mode: "{{ item.mode }}" |     mode: "{{ item.mode }}" | ||||||
| @@ -30,14 +30,14 @@ | |||||||
|   loop: "{{ nextcloud_paths }}" |   loop: "{{ nextcloud_paths }}" | ||||||
|  |  | ||||||
| - name: Ensure docker container for nextcloud is pulled | - name: Ensure docker container for nextcloud is pulled | ||||||
|   docker_image: |   community.docker.docker_image: | ||||||
|     name: "{{ nextcloud_container_image_ref }}" |     name: "{{ nextcloud_container_image_ref }}" | ||||||
|     state: present |     state: present | ||||||
|     source: pull |     source: pull | ||||||
|     force_source: "{{ nextcloud_container_image_force_source }}" |     force_source: "{{ nextcloud_container_image_force_source }}" | ||||||
|  |  | ||||||
| - name: Template OpCache configuration | - name: Template OpCache configuration | ||||||
|   template: |   ansible.builtin.template: | ||||||
|     src: nextcloud-fpm-opcache.ini.j2 |     src: nextcloud-fpm-opcache.ini.j2 | ||||||
|     dest: "{{ nextcloud_fpm_config_path }}/opcache.ini" |     dest: "{{ nextcloud_fpm_config_path }}/opcache.ini" | ||||||
|     mode: "0640" |     mode: "0640" | ||||||
| @@ -47,7 +47,7 @@ | |||||||
|     - reload-nextcloud |     - reload-nextcloud | ||||||
|  |  | ||||||
| - name: Template PHP FPM configuration | - name: Template PHP FPM configuration | ||||||
|   template: |   ansible.builtin.template: | ||||||
|     src: nextcloud-fpm.ini.j2 |     src: nextcloud-fpm.ini.j2 | ||||||
|     dest: "{{ nextcloud_fpm_config_path }}/fpm.ini" |     dest: "{{ nextcloud_fpm_config_path }}/fpm.ini" | ||||||
|     mode: "0640" |     mode: "0640" | ||||||
| @@ -57,7 +57,7 @@ | |||||||
|     - reload-nextcloud |     - reload-nextcloud | ||||||
|  |  | ||||||
| - name: Template PHP FPM docker-specific configuration | - name: Template PHP FPM docker-specific configuration | ||||||
|   template: |   ansible.builtin.template: | ||||||
|     src: nextcloud-fpm-docker.ini.j2 |     src: nextcloud-fpm-docker.ini.j2 | ||||||
|     dest: "{{ nextcloud_fpm_config_path }}/fpm-docker.ini" |     dest: "{{ nextcloud_fpm_config_path }}/fpm-docker.ini" | ||||||
|     mode: "0640" |     mode: "0640" | ||||||
| @@ -67,7 +67,7 @@ | |||||||
|     - reload-nextcloud |     - reload-nextcloud | ||||||
|  |  | ||||||
| - name: Template modified /etc/passwd for nextcloud container | - name: Template modified /etc/passwd for nextcloud container | ||||||
|   template: |   ansible.builtin.template: | ||||||
|     src: nextcloud-passwd.j2 |     src: nextcloud-passwd.j2 | ||||||
|     dest: "{{ nextcloud_basepath }}/nextcloud-passwd" |     dest: "{{ nextcloud_basepath }}/nextcloud-passwd" | ||||||
|     mode: "0640" |     mode: "0640" | ||||||
| @@ -77,7 +77,7 @@ | |||||||
|     - reload-nextcloud |     - reload-nextcloud | ||||||
|  |  | ||||||
| - name: Template modified /etc/passwd for nextcloud container | - name: Template modified /etc/passwd for nextcloud container | ||||||
|   template: |   ansible.builtin.template: | ||||||
|     src: nextcloud-group.j2 |     src: nextcloud-group.j2 | ||||||
|     dest: "{{ nextcloud_basepath }}/nextcloud-group" |     dest: "{{ nextcloud_basepath }}/nextcloud-group" | ||||||
|     mode: "0640" |     mode: "0640" | ||||||
| @@ -87,7 +87,7 @@ | |||||||
|     - reload-nextcloud |     - reload-nextcloud | ||||||
|  |  | ||||||
| - name: Template systemd service for nextcloud's cron job | - name: Template systemd service for nextcloud's cron job | ||||||
|   template: |   ansible.builtin.template: | ||||||
|     src: systemd-nextcloud-cron.service.j2 |     src: systemd-nextcloud-cron.service.j2 | ||||||
|     dest: /etc/systemd/system/nextcloud-cron.service |     dest: /etc/systemd/system/nextcloud-cron.service | ||||||
|     mode: "0640" |     mode: "0640" | ||||||
| @@ -98,7 +98,7 @@ | |||||||
|     - reload-systemd |     - reload-systemd | ||||||
|  |  | ||||||
| - name: Template timer for nextcloud's cron job | - name: Template timer for nextcloud's cron job | ||||||
|   template: |   ansible.builtin.template: | ||||||
|     src: systemd-nextcloud-cron.timer.j2 |     src: systemd-nextcloud-cron.timer.j2 | ||||||
|     dest: /etc/systemd/system/nextcloud-cron.timer |     dest: /etc/systemd/system/nextcloud-cron.timer | ||||||
|     mode: "0640" |     mode: "0640" | ||||||
| @@ -109,10 +109,10 @@ | |||||||
|     - reload-systemd |     - reload-systemd | ||||||
|  |  | ||||||
| - name: Flush handlers now to ensure systemd can know about the timer before it's enabled | - name: Flush handlers now to ensure systemd can know about the timer before it's enabled | ||||||
|   meta: flush_handlers |   ansible.builtin.meta: flush_handlers | ||||||
|  |  | ||||||
| - name: Ensure docker container for nextcloud is running | - name: Ensure docker container for nextcloud is running | ||||||
|   docker_container: |   community.docker.docker_container: | ||||||
|     name: "{{ nextcloud_container_name }}" |     name: "{{ nextcloud_container_name }}" | ||||||
|     image: "{{ nextcloud_container_image_ref }}" |     image: "{{ nextcloud_container_image_ref }}" | ||||||
|     volumes: "{{ nextcloud_container_volumes }}" |     volumes: "{{ nextcloud_container_volumes }}" | ||||||
| @@ -124,19 +124,19 @@ | |||||||
|     state: started |     state: started | ||||||
|  |  | ||||||
| - name: Enable systemd timer for nextcloud cron | - name: Enable systemd timer for nextcloud cron | ||||||
|   systemd: |   ansible.builtin.systemd: | ||||||
|     name: "nextcloud-cron.timer" |     name: "nextcloud-cron.timer" | ||||||
|     enabled: yes |     enabled: yes | ||||||
|   when: nextcloud_background_job_mode == 'cron' |   when: nextcloud_background_job_mode == 'cron' | ||||||
|  |  | ||||||
| - name: Ensure systemd timer for nextcloud cron is started | - name: Ensure systemd timer for nextcloud cron is started | ||||||
|   systemd: |   ansible.builtin.systemd: | ||||||
|     name: "nextcloud-cron.timer" |     name: "nextcloud-cron.timer" | ||||||
|     state: started |     state: started | ||||||
|   when: nextcloud_background_job_mode == 'cron' |   when: nextcloud_background_job_mode == 'cron' | ||||||
|  |  | ||||||
| - name: Configure nextcloud | - name: Configure nextcloud | ||||||
|   include_tasks: |   ansible.builtin.include_tasks: | ||||||
|     file: configure-single-setting.yml |     file: configure-single-setting.yml | ||||||
|   vars: |   vars: | ||||||
|     key: "{{ item.key | replace('[', '.') | replace(']', '.') }}" |     key: "{{ item.key | replace('[', '.') | replace(']', '.') }}" | ||||||
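Review bot: The task in the `@@ -77,7 +77,7 @@` hunk is still named `Template modified /etc/passwd for nextcloud container` although it templates `nextcloud-group.j2` to `nextcloud-group`; the FQCN conversion touched the module line but left the copy-pasted name, so two tasks are indistinguishable in play output. I'd rename it `- name: Template modified /etc/group for nextcloud container`. While touching these tasks, the truthy scalars `system: yes` and `enabled: yes` are better written `true` (yamllint `truthy`). Separately, `community.docker.docker_image` pulls `nextcloud_container_image_ref` with `force_source`; if that ref is a mutable tag rather than an `@sha256:` digest (its definition is outside this view), the pull is not reproducible and a re-run can silently change the deployed image.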
|   | |||||||
| @@ -4,7 +4,7 @@ user = www-data | |||||||
| group = www-data | group = www-data | ||||||
|  |  | ||||||
| {% if nextcloud_socket_path is defined and nextcloud_socket_path is string %} | {% if nextcloud_socket_path is defined and nextcloud_socket_path is string %} | ||||||
| listen = {{ nextcloud_container_php_socket_path }}/nextcloud.sock | listen = {{ nextcloud_container_php_socket_path }}/{{ nextcloud_container_name }}.sock | ||||||
| listen.owner = www-data | listen.owner = www-data | ||||||
| listen.group = www-data | listen.group = www-data | ||||||
| listen.mode = 0666 | listen.mode = 0666 | ||||||
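Review bot: `listen.mode = 0666` on the renamed socket (`{{ nextcloud_container_name }}.sock`) is still world-writable, so any local account that can traverse `nextcloud_socket_path` on the host can speak FastCGI to PHP-FPM and, by supplying its own `SCRIPT_FILENAME`, run PHP as `www-data`; the rename does not change that. I'd restrict the socket to the web server's group, `listen.group = <web-server group>` and `listen.mode = 0660`, with that group mapped into the container (the `nextcloud-group` template is presumably where it would be declared). Whether the socket directory mode already limits this depends on the `socket_dir` entry, which is outside this hunk, as is the end of the `{% if %}` block.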
|   | |||||||