Compare commits
	
		
			1 Commits
		
	
	
		
			server-28.
			...
			9d121236f1
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 9d121236f1 | 
							
								
								
									
										11
									
								
								README.md
									
									
									
									
									
								
							
							
						
						
									
										11
									
								
								README.md
									
									
									
									
									
								
							| @@ -7,17 +7,12 @@ and managing nextcloud installations | |||||||
|  |  | ||||||
| ## Roles | ## Roles | ||||||
|  |  | ||||||
| - [`roles/server`](roles/server/README.md): For deploying | - [`roles/nextcloud`](roles/nextcloud/README.md): For deploying | ||||||
|   and configuring a bare nextcloud instance in a docker container. |   and configuring a bare nextcloud instance in a docker container. | ||||||
|   Supports both the `-apache` (default) and `-fpm` variants. |   Supports both the `-apache` (default) and `-fpm` variants. | ||||||
| - [`roles/apps`](roles/apps/README.md): | - [`roles/nextcloud-apps`](roles/nextcloud-apps/README.md): | ||||||
|   For managing nextcloud apps in an already installed nextcloud |   For managing nextcloud apps in an already installed nextcloud | ||||||
|   server instance. Can install, remove, enable/disable and update apps. |   instance. Can install, remove, enable/disable and update apps. | ||||||
| - [`roles/ldap-user-backend`](roles/ldap-user-backend/README.md): |  | ||||||
|   Manages LDAP authentication sources in installed nextcloud instances. |  | ||||||
| - [`roles/nginx-fpm-proxy`](roles/nginx-fpm-proxy/README.md): |  | ||||||
|   Reverse proxy role which connects to nextcloud using FPM |  | ||||||
|   and serves static content. |  | ||||||
|  |  | ||||||
| ## License | ## License | ||||||
|  |  | ||||||
|   | |||||||
							
								
								
									
										13
									
								
								galaxy.yml
									
									
									
									
									
								
							
							
						
						
									
										13
									
								
								galaxy.yml
									
									
									
									
									
								
							| @@ -1,14 +1,13 @@ | |||||||
| namespace: finallycoffee | namespace: finallycoffee | ||||||
| name: nextcloud | name: nextcloud | ||||||
| version: 0.5.1 | version: 0.1.0 | ||||||
| readme: README.md | readme: README.md | ||||||
| authors: | authors: | ||||||
| - transcaffeine <transcaffeine@finally.coffee> | - Johanna Dorothea Reichmann <transcaffeine@finallycoffee.eu> | ||||||
| description: Installing and configuring nextcloud (and related apps/services) using docker | description: Installing and configuring nextcloud (and related apps/services) using docker | ||||||
| dependencies: | license: | ||||||
|   "community.docker": "^1.10.0" | - CNPLv7+ | ||||||
| license_file: LICENSE.md |  | ||||||
| build_ignore: | build_ignore: | ||||||
| - '*.tar.gz' | - '*.tar.gz' | ||||||
| repository: https://git.finally.coffee/finallycoffee/nextcloud | repository: https://git.finallycoffee.eu/finallycoffee.eu/nextcloud | ||||||
| issues: https://git.finally.coffee/finallycoffee/nextcloud/issues | issues: https://git.finallycoffee.eu/finallycoffee.eu/nextcloud/issues | ||||||
|   | |||||||
| @@ -1,3 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| requires_ansible: ">=2.12" |  | ||||||
| @@ -1,3 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| nc_apps_occ_command: "php occ" |  | ||||||
							
								
								
									
										19
									
								
								roles/ldap-user-backend/defaults/main.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										19
									
								
								roles/ldap-user-backend/defaults/main.yml
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,19 @@ | |||||||
|  | --- | ||||||
|  |  | ||||||
|  | nc_ldap_api_instance_url: http://localhost | ||||||
|  | nc_ldap_api_basic_auth_user: | ||||||
|  | nc_ldap_api_basic_auth_password: | ||||||
|  |  | ||||||
|  | nc_ldap_config_id: s01 | ||||||
|  | nc_ldap_config_host: 127.0.0.1 | ||||||
|  | nc_ldap_config_port: 389 | ||||||
|  | nc_ldap_config_backup_host: ~ | ||||||
|  | nc_ldap_config_backup_port: ~ | ||||||
|  |  | ||||||
|  | nc_ldap_config_base_dn: | ||||||
|  | nc_ldap_config_base_dn_users: | ||||||
|  | nc_ldap_config_base_dn_groups: | ||||||
|  | nc_ldap_config_agent_name: | ||||||
|  | nc_ldap_config_agent_password: | ||||||
|  |  | ||||||
|  | nc_ldap_meta_http_agent: "ansible-httpget/finallycoffee.nextcloud.ldap-user-backend" | ||||||
| @@ -1,6 +1,6 @@ | |||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
| - name: Set default api parameters for HTTP | - name: Default api config | ||||||
|   meta: noop |   meta: noop | ||||||
|   vars: &api_defaults |   vars: &api_defaults | ||||||
|     http_agent: "{{ nc_ldap_meta_http_agent }}" |     http_agent: "{{ nc_ldap_meta_http_agent }}" | ||||||
| @@ -16,8 +16,9 @@ | |||||||
|     url: "{{ nc_ldap_api_path }}/{{ nc_ldap_config_id }}{{ query_params }}" |     url: "{{ nc_ldap_api_path }}/{{ nc_ldap_config_id }}{{ query_params }}" | ||||||
|     method: GET |     method: GET | ||||||
|   vars: |   vars: | ||||||
|     query_params: "?showPassword={{ '1' if nc_ldap_config_agent_password else '0' }}&format={{nc_ldap_api_parameter_format }}" |     query_params: "?showPassword=1&format={{nc_ldap_api_parameter_format }}" | ||||||
|   register: nc_ldap_existing_config_api |      | ||||||
|  |   register: nc_ldap_existing_config | ||||||
| 
 | 
 | ||||||
| # TODO: Can we force an ID on POST? | # TODO: Can we force an ID on POST? | ||||||
| - name: Create ldap configuration with id={{ nc_ldap_config_id }} | - name: Create ldap configuration with id={{ nc_ldap_config_id }} | ||||||
| @@ -25,25 +26,20 @@ | |||||||
|     <<: *api_defaults |     <<: *api_defaults | ||||||
|     url: "{{ nc_ldap_api_path }}" |     url: "{{ nc_ldap_api_path }}" | ||||||
|     method: POST |     method: POST | ||||||
|   when: nc_ldap_existing_config_api.status != 200 |   when: nc_ldap_existing_config.status != 200 | ||||||
| 
 |  | ||||||
| - name: Parse output of query command to dict |  | ||||||
|   set_fact: |  | ||||||
|     nc_ldap_existing_config: "{{ nc_ldap_existing_config_api.stdout | from_json }}" |  | ||||||
|   changed_when: false |  | ||||||
| 
 | 
 | ||||||
| - name: Create changeset | - name: Create changeset | ||||||
|   set_fact: |   set_fact: | ||||||
|     nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | combine(changed_entry) }}" |     nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | combine(changed_entry) }}" | ||||||
|   vars: |   vars: | ||||||
|     changed_entry: "{{ { item : nc_ldap_config_keys[item] } }}" |     changed_entry: "{{ { item : nc_ldap_config_keys[item] } }}" | ||||||
|   loop: "{{ nc_ldap_config_keys.keys() }}" |   loops: "{{ nc_ldap_config_keys.keys() }}" | ||||||
|   when: nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] and nc_ldap_config_keys[item] != nc_ldap_existing_config[nc_ldap_config_id][item] |   when: "{{ nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] is not None }}" | ||||||
| 
 | 
 | ||||||
| - name: Ensure ldap configuration is in sync (http) | - name: Ensure ldap configuration is in sync | ||||||
|   uri: |   uri: | ||||||
|     <<: *api_defaults |     <<: *api_defaults | ||||||
|     url: "{{ nc_lap_api_path }}/{{ nc_ldap_config_id }}" |     url: | ||||||
|     method: PUT |     method: PUT | ||||||
|     body: "{{ { 'configData': nc_ldap_config_changeset } }}" |     body: | ||||||
|     body_format: "form-urlencoded" |     body_format: "form-urlencoded" | ||||||
| @@ -56,5 +56,3 @@ nc_ldap_config_keys: | |||||||
|   turnOnPasswordChange: "{{ nc_ldap_config_turn_on_password_change }}" |   turnOnPasswordChange: "{{ nc_ldap_config_turn_on_password_change }}" | ||||||
|   ldapDynamicGroupMemberURL: "{{ nc_ldap_config_dynamic_group_member_url }}" |   ldapDynamicGroupMemberURL: "{{ nc_ldap_config_dynamic_group_member_url }}" | ||||||
|   ldapDefaultPPolicyDN: "{{ nc_ldap_config_default_ppolicy_dn }}" |   ldapDefaultPPolicyDN: "{{ nc_ldap_config_default_ppolicy_dn }}" | ||||||
| 
 |  | ||||||
| nc_ldap_config_changeset: {} |  | ||||||
| @@ -1,37 +0,0 @@ | |||||||
| # `finallycoffee.nextcloud.ldap-user-backend` ansible role |  | ||||||
|  |  | ||||||
| Ansible role for managing LDAP authentication of nextcloud instances using ansible. |  | ||||||
|  |  | ||||||
| ## Prerequisites |  | ||||||
|  |  | ||||||
| This role assumes a nextcloud instance is up and running, and has the `user_ldap` |  | ||||||
| nextcloud app installed. For starting a nextcloud instance, see the |  | ||||||
| `finallycoffee.nextcloud.server` role, for managing nextcloud apps see the |  | ||||||
| `finallycoffee.nextcloud.apps` ansible role. |  | ||||||
|  |  | ||||||
| ## Configuration |  | ||||||
|  |  | ||||||
| - Set `nc_ldap_api_method` to either `occ` or `http` to control wether the |  | ||||||
|   configuration is set using `php occ` command line calls or the `http` API |  | ||||||
|   of the `user_ldap` nextcloud app. |  | ||||||
|  |  | ||||||
| - For `nc_ldap_api_method: occ`, ensure `nc_ldap_container` is set to the name |  | ||||||
|   of the docker container where nextcloud is running, and `nc_ldap_occ_user` is |  | ||||||
|   the user the container / nextcloud itself runs as. `nc_ldap_occ_command` |  | ||||||
|   _can_ also be tweaked if `php` is not in the path, but the default should |  | ||||||
|   be fine in most cases. |  | ||||||
|  |  | ||||||
| - For `nc_ldap_api_method: http`, ensure `nc_ldapi_api_instance_url` contains |  | ||||||
|   the URL to the nextcloud server, including protocol (and port, if |  | ||||||
|   non-standard), and `nc_ldap_api_basic_auth_[user|password]` contain the |  | ||||||
|   credentials of an admin user with the rights to edit the LDAP settings. |  | ||||||
|  |  | ||||||
| - Set `nc_ldap_test_configuration` to `true`/`false` to have the role issue a |  | ||||||
|   nextcloud-provided test of the configured LDAP configuration, this corresponds |  | ||||||
|   to a `occ ldap:test-config <id>`. |  | ||||||
|  |  | ||||||
| For most of the options, see the |  | ||||||
| [nextcloud manual on configuration keys](https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap_api.html#configuration-keys), |  | ||||||
| the config keys are mapped 1:1 with a prefix of `nc_ldap_config_` and |  | ||||||
| the so-called "snake-case" (`ldap_backup_host`), so `ldapUserFilterMode` becomes |  | ||||||
| `nc_ldap_config_ldap_user_filter_mode`. |  | ||||||
| @@ -1,67 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| nc_ldap_api_method: occ |  | ||||||
| nc_ldap_test_configuration: true |  | ||||||
|  |  | ||||||
| nc_ldap_api_instance_url: http://localhost |  | ||||||
| nc_ldap_api_basic_auth_user: |  | ||||||
| nc_ldap_api_basic_auth_password: |  | ||||||
|  |  | ||||||
| nc_ldap_occ_command: "php occ" |  | ||||||
| nc_ldap_occ_user: "nextcloud" |  | ||||||
| nc_ldap_container: nextcloud |  | ||||||
|  |  | ||||||
| nc_ldap_config_id: s01 |  | ||||||
| nc_ldap_config_host: 127.0.0.1 |  | ||||||
| nc_ldap_config_port: 389 |  | ||||||
| nc_ldap_config_backup_host: ~ |  | ||||||
| nc_ldap_config_backup_port: ~ |  | ||||||
|  |  | ||||||
| nc_ldap_config_base_dn: |  | ||||||
| nc_ldap_config_base_dn_users: |  | ||||||
| nc_ldap_config_base_dn_groups: |  | ||||||
| nc_ldap_config_agent_name: |  | ||||||
| nc_ldap_config_agent_password: |  | ||||||
|  |  | ||||||
| nc_ldap_config_override_main_server: ~ |  | ||||||
| nc_ldap_config_tls: ~ |  | ||||||
| nc_ldap_config_turn_off_cert_check: ~ |  | ||||||
| nc_ldap_config_user_displayname: ~ |  | ||||||
| nc_ldap_config_user_displayname2: ~ |  | ||||||
| nc_ldap_config_user_avatar_rule: ~ |  | ||||||
| nc_ldap_config_gid_number: ~ |  | ||||||
| nc_ldap_config_user_filter_objectclass: ~ |  | ||||||
| nc_ldap_config_user_filter_groups: ~ |  | ||||||
| nc_ldap_config_user_filter: ~ |  | ||||||
| nc_ldap_config_user_filter_mode: ~ |  | ||||||
| nc_ldap_config_attributes_for_user_search: ~ |  | ||||||
| nc_ldap_config_group_filter: ~ |  | ||||||
| nc_ldap_config_group_filter_mode: ~ |  | ||||||
| nc_ldap_config_group_filter_objectclass: ~ |  | ||||||
| nc_ldap_config_group_filter_groups: ~ |  | ||||||
| nc_ldap_config_group_member_assoc_attr: ~ |  | ||||||
| nc_ldap_config_group_displayname: ~ |  | ||||||
| nc_ldap_config_attributes_for_group_search: ~ |  | ||||||
| nc_ldap_config_login_filter: ~ |  | ||||||
| nc_ldap_config_login_filter_mode: ~ |  | ||||||
| nc_ldap_config_login_filter_email: ~ |  | ||||||
| nc_ldap_config_login_filter_username: ~ |  | ||||||
| nc_ldap_config_login_filter_attributes: ~ |  | ||||||
| nc_ldap_config_quota_attribute: ~ |  | ||||||
| nc_ldap_config_quota_default: ~ |  | ||||||
| nc_ldap_config_email_attribute: ~ |  | ||||||
| nc_ldap_config_cache_ttl: ~ |  | ||||||
| nc_ldap_config_configuration_active: ~ |  | ||||||
| nc_ldap_config_experienced_admin: ~ |  | ||||||
| nc_ldap_config_home_folder_naming_rule: ~ |  | ||||||
| nc_ldap_config_use_memberOf_to_detect_membership: ~ |  | ||||||
| nc_ldap_config_expert_username_attr: ~ |  | ||||||
| nc_ldap_config_expert_uuid_user_attr: ~ |  | ||||||
| nc_ldap_config_expert_uuid_group_attr: ~ |  | ||||||
| nc_ldap_config_nested_groups: ~ |  | ||||||
| nc_ldap_config_paging_size: ~ |  | ||||||
| nc_ldap_config_turn_on_password_change: ~ |  | ||||||
| nc_ldap_config_dynamic_group_member_url: ~ |  | ||||||
| nc_ldap_config_default_ppolicy_dn: ~ |  | ||||||
|  |  | ||||||
| nc_ldap_meta_http_agent: "ansible-httpget/finallycoffee.nextcloud.ldap-user-backend" |  | ||||||
| @@ -1,4 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| collections: |  | ||||||
|   - community.docker |  | ||||||
| @@ -1,49 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| - name: Check if configuration with given config ID already exists |  | ||||||
|   docker_container_exec: |  | ||||||
|     container: "{{ nc_ldap_container }}" |  | ||||||
|     command: "{{ nc_ldap_occ_command }} ldap:show-config --output json {{ '--show-password' if nc_ldap_config_agent_password else '' }} {{ nc_ldap_config_id }}" |  | ||||||
|     user: "{{ nc_ldap_occ_user }}" |  | ||||||
|     tty: yes |  | ||||||
|   changed_when: false |  | ||||||
|   check_mode: false |  | ||||||
|   register: nc_ldap_existing_config_occ |  | ||||||
|  |  | ||||||
| - name: Create ldap configuration with id={{ nc_ldap_config_id }} |  | ||||||
|   docker_container_exec: |  | ||||||
|     container: "{{ nc_ldap_container }}" |  | ||||||
|     command: "{{ nc_ldap_occ_command }} ldap:create-empty-config --output json {{ nc_ldap_config_id }}" |  | ||||||
|     user: "{{ nc_ldap_occ_user }}" |  | ||||||
|     tty: yes |  | ||||||
|   when: nc_ldap_existing_config_occ.rc != 0 and nc_ldap_config_id not in (nc_ldap_existing_config_occ.stdout | from_json).keys() |  | ||||||
|  |  | ||||||
| - name: Parse output of query command to dict |  | ||||||
|   set_fact: |  | ||||||
|     nc_ldap_existing_config: "{{ nc_ldap_existing_config_occ.stdout | from_json }}" |  | ||||||
|   changed_when: false |  | ||||||
|  |  | ||||||
| - name: Create changeset |  | ||||||
|   set_fact: |  | ||||||
|     nc_ldap_config_changeset: "{{ nc_ldap_config_changeset | combine(changed_entry) }}" |  | ||||||
|   vars: |  | ||||||
|     changed_entry: "{{ { item : nc_ldap_config_keys[item] } }}" |  | ||||||
|   loop: "{{ nc_ldap_config_keys.keys() }}" |  | ||||||
|   when: nc_ldap_config_keys[item] is defined and nc_ldap_config_keys[item] and nc_ldap_config_keys[item] != nc_ldap_existing_config[nc_ldap_config_id][item] |  | ||||||
|  |  | ||||||
| - name: Ensure ldap configuration is in sync |  | ||||||
|   docker_container_exec: |  | ||||||
|     container: "{{ nc_ldap_container }}" |  | ||||||
|     command: "{{ nc_ldap_occ_command }} ldap:set-config \"{{ nc_ldap_config_id }}\" \"{{ item.key }}\" \"{{ item.value }}\"" |  | ||||||
|     user: "{{ nc_ldap_occ_user }}" |  | ||||||
|     tty: yes |  | ||||||
|   loop: "{{ nc_ldap_config_changeset | dict2items }}" |  | ||||||
|  |  | ||||||
| - name: Ensure ldap configuration is working |  | ||||||
|   docker_container_exec: |  | ||||||
|     container: "{{ nc_ldap_container }}" |  | ||||||
|     command: "{{ nc_ldap_occ_command }} ldap:test-config {{ nc_ldap_config_id }}" |  | ||||||
|     user: "{{ nc_ldap_occ_user }}" |  | ||||||
|     tty: yes |  | ||||||
|   changed_when: false |  | ||||||
|   when: nc_ldap_test_configuration |  | ||||||
| @@ -1,10 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| - name: Load config {{ nc_ldap_config_id }} (and create if not exists) when running mode is http |  | ||||||
|   include_tasks: load_config_http.yml |  | ||||||
|   when: nc_ldap_api_method == 'http' |  | ||||||
|  |  | ||||||
| - name: Load config {{ nc_ldap_config_id }} (and create if not exists) when running mode is occ |  | ||||||
|   include_tasks: load_config_occ.yml |  | ||||||
|   when: nc_ldap_api_method == 'occ' |  | ||||||
|  |  | ||||||
| @@ -3,5 +3,3 @@ | |||||||
| nextcloud_container_name: nextcloud | nextcloud_container_name: nextcloud | ||||||
| nextcloud_apps: [] | nextcloud_apps: [] | ||||||
| nextcloud_run_user: nextcloud | nextcloud_run_user: nextcloud | ||||||
| 
 |  | ||||||
| nextcloud_apps_check_integrity: false |  | ||||||
| @@ -48,12 +48,3 @@ | |||||||
|   loop: "{{ nextcloud_apps }}" |   loop: "{{ nextcloud_apps }}" | ||||||
|   notify: |   notify: | ||||||
|     - restart-nextcloud |     - restart-nextcloud | ||||||
| 
 |  | ||||||
| - name: Ensure app integrity |  | ||||||
|   community.docker.docker_container_exec: |  | ||||||
|     container: "{{ nextcloud_container_name }}" |  | ||||||
|     command: "php occ integrity:check-app {{ item.name }}" |  | ||||||
|     user: "{{ nextcloud_run_user }}" |  | ||||||
|     tty: yes |  | ||||||
|   when: nextcloud_apps_check_integrity and item.state|default('present') in ['latest', 'present'] |  | ||||||
|   loop: "{{ nextcloud_apps }}" |  | ||||||
							
								
								
									
										8
									
								
								roles/nextcloud/README.md
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										8
									
								
								roles/nextcloud/README.md
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,8 @@ | |||||||
|  | # `finallycoffee.nextcloud.nextcloud` ansible role | ||||||
|  |  | ||||||
|  | This role can be used to deploy nextcloud in a docker container, | ||||||
|  | regardless of wether the `apache` or `fpm` docker image is used. | ||||||
|  |  | ||||||
|  | It provides various common (optimization) configuration options | ||||||
|  | and creates a user on the host which is mapped into the container, | ||||||
|  | so the host file permissions remain comprehensible. | ||||||
| @@ -1,6 +1,6 @@ | |||||||
| --- | --- | ||||||
| 
 | 
 | ||||||
| nextcloud_version: 28.0.2 | nextcloud_version: 22.2.0 | ||||||
| nextcloud_user: nextcloud | nextcloud_user: nextcloud | ||||||
| nextcloud_basepath: /opt/nextcloud | nextcloud_basepath: /opt/nextcloud | ||||||
| nextcloud_config_path: "{{ nextcloud_basepath }}/config" | nextcloud_config_path: "{{ nextcloud_basepath }}/config" | ||||||
| @@ -9,9 +9,6 @@ nextcloud_data_path: "{{ nextcloud_basepath }}/data" | |||||||
| # Where user data like media, documents etc are persisted | # Where user data like media, documents etc are persisted | ||||||
| nextcloud_storage_path: "{{ nextcloud_basepath }}/storage" | nextcloud_storage_path: "{{ nextcloud_basepath }}/storage" | ||||||
| nextcloud_fpm_config_path: "{{ nextcloud_basepath }}/fpm-config" | nextcloud_fpm_config_path: "{{ nextcloud_basepath }}/fpm-config" | ||||||
| #nextcloud_socket_path: "{{ nextcloud_basepath }}/socket" |  | ||||||
| 
 |  | ||||||
| nextcloud_background_job_mode: cron |  | ||||||
| 
 | 
 | ||||||
| nextcloud_database_type: sqlite | nextcloud_database_type: sqlite | ||||||
| nextcloud_database_name: nextcloud | nextcloud_database_name: nextcloud | ||||||
| @@ -33,7 +30,6 @@ nextcloud_container_base_volumes: | |||||||
|   - "{{ nextcloud_data_path }}:/var/www/html:z" |   - "{{ nextcloud_data_path }}:/var/www/html:z" | ||||||
|   - "{{ nextcloud_fpm_config_path }}/opcache.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini:z" |   - "{{ nextcloud_fpm_config_path }}/opcache.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini:z" | ||||||
|   - "{{ nextcloud_fpm_config_path }}/fpm.ini:/usr/local/etc/php-fpm.d/www.conf:z" |   - "{{ nextcloud_fpm_config_path }}/fpm.ini:/usr/local/etc/php-fpm.d/www.conf:z" | ||||||
|   - "{{ nextcloud_fpm_config_path }}/fpm-docker.ini:/usr/local/etc/php-fpm.d/zz-docker.conf:z" |  | ||||||
|   - "{{ nextcloud_basepath }}/nextcloud-passwd:/etc/passwd:z" |   - "{{ nextcloud_basepath }}/nextcloud-passwd:/etc/passwd:z" | ||||||
|   - "{{ nextcloud_basepath }}/nextcloud-group:/etc/group:z" |   - "{{ nextcloud_basepath }}/nextcloud-group:/etc/group:z" | ||||||
| nextcloud_container_extra_volumes: [] | nextcloud_container_extra_volumes: [] | ||||||
| @@ -46,36 +42,17 @@ nextcloud_container_purge_other_networks: true | |||||||
| nextcloud_paths: | nextcloud_paths: | ||||||
|   - path: "{{ nextcloud_config_path }}" |   - path: "{{ nextcloud_config_path }}" | ||||||
|     mode: "0755" |     mode: "0755" | ||||||
|     owner: "{{ nextcloud_user_info.uid | default(nextcloud_user) }}" |     owner: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" | ||||||
|     group: root |     group: "root" | ||||||
|   - path: "{{ nextcloud_data_path }}" |   - path: "{{ nextcloud_data_path }}" | ||||||
|     mode: "0755" |     mode: "0755" | ||||||
|     owner: "{{ nextcloud_user_info.uid | default(nextcloud_user) }}" |     owner: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" | ||||||
|     group: "{{ nextcloud_user_info.group | default(nextcloud_user) }}" |     group: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" | ||||||
|   - path: "{{ nextcloud_fpm_config_path }}" |   - path: "{{ nextcloud_fpm_config_path }}" | ||||||
|     mode: "0750" |     mode: "0750" | ||||||
|     owner: root |     owner: root | ||||||
|     group: root |     group: root | ||||||
|   - path: "{{ nextcloud_storage_path }}" |   - path: "{{ nextcloud_storage_path }}" | ||||||
|     mode: "0770" |     mode: "0770" | ||||||
|     owner: "{{ nextcloud_user_info.uid | default(nextcloud_user) }}" |     owner: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" | ||||||
|     group: "root" |     group: "root" | ||||||
| 
 |  | ||||||
| # PHP OpCache tuning |  | ||||||
| nextcloud_opcache_enable: 1 |  | ||||||
| nextcloud_opcache_interned_strings_buffer_mb: 32 |  | ||||||
| nextcloud_opcache_max_accelerated_files: 32531 |  | ||||||
| nextcloud_opcache_memory_consumption_mb: 256 |  | ||||||
| nextcloud_opcache_fast_shutdown: 1 |  | ||||||
| nextcloud_opcache_save_comments: 1 |  | ||||||
| nextcloud_opcache_revalidate_freq: 1 |  | ||||||
| nextcloud_opcache_validate_timestamps: 0 |  | ||||||
| 
 |  | ||||||
| # FPM config |  | ||||||
| nextcloud_fpm_max_children: 64 |  | ||||||
| nextcloud_fpm_start_servers: "{{ nextcloud_fpm_max_children / 2 | int }}" |  | ||||||
| nextcloud_fpm_min_spare_servers: "{{ nextcloud_fpm_max_children / 4 | int }}" |  | ||||||
| nextcloud_fpm_max_spare_servers: "{{ nextcloud_fpm_max_children * 3/4 | int }}" |  | ||||||
| 
 |  | ||||||
| nextcloud_php_memory_limit: 1024M |  | ||||||
| nextcloud_php_upload_limit: 1024M |  | ||||||
| @@ -7,19 +7,6 @@ | |||||||
|     system: yes |     system: yes | ||||||
|   register: nextcloud_user_info |   register: nextcloud_user_info | ||||||
| 
 | 
 | ||||||
| - name: Map nextcloud socket path if defined |  | ||||||
|   set_fact: |  | ||||||
|     nextcloud_paths: "{{ nextcloud_paths + [ socket_dir ] }}" |  | ||||||
|     nextcloud_container_base_volumes: "{{ nextcloud_container_base_volumes + [ socket_map ] }}" |  | ||||||
|   vars: |  | ||||||
|     socket_dir: |  | ||||||
|       path: "{{ nextcloud_socket_path }}" |  | ||||||
|       mode: "0755" |  | ||||||
|       owner: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" |  | ||||||
|       group: "{{ nextcloud_user_info.uid|default(nextcloud_user) }}" |  | ||||||
|     socket_map: "{{ nextcloud_socket_path }}:{{ nextcloud_container_php_socket_path }}:z" |  | ||||||
|   when: nextcloud_socket_path is defined and nextcloud_socket_path is string |  | ||||||
| 
 |  | ||||||
| - name: Ensure nextcloud directories exist and have correct permissions | - name: Ensure nextcloud directories exist and have correct permissions | ||||||
|   file: |   file: | ||||||
|     path: "{{ item.path }}" |     path: "{{ item.path }}" | ||||||
| @@ -56,16 +43,6 @@ | |||||||
|   notify: |   notify: | ||||||
|     - reload-nextcloud |     - reload-nextcloud | ||||||
| 
 | 
 | ||||||
| - name: Template PHP FPM docker-specific configuration |  | ||||||
|   template: |  | ||||||
|     src: nextcloud-fpm-docker.ini.j2 |  | ||||||
|     dest: "{{ nextcloud_fpm_config_path }}/fpm-docker.ini" |  | ||||||
|     mode: "0640" |  | ||||||
|     owner: "root" |  | ||||||
|     group: "root" |  | ||||||
|   notify: |  | ||||||
|     - reload-nextcloud |  | ||||||
| 
 |  | ||||||
| - name: Template modified /etc/passwd for nextcloud container | - name: Template modified /etc/passwd for nextcloud container | ||||||
|   template: |   template: | ||||||
|     src: nextcloud-passwd.j2 |     src: nextcloud-passwd.j2 | ||||||
| @@ -93,7 +70,6 @@ | |||||||
|     mode: "0640" |     mode: "0640" | ||||||
|     owner: root |     owner: root | ||||||
|     group: root |     group: root | ||||||
|   when: nextcloud_background_job_mode == 'cron' |  | ||||||
|   notify: |   notify: | ||||||
|     - reload-systemd |     - reload-systemd | ||||||
| 
 | 
 | ||||||
| @@ -104,12 +80,21 @@ | |||||||
|     mode: "0640" |     mode: "0640" | ||||||
|     owner: root |     owner: root | ||||||
|     group: root |     group: root | ||||||
|   when: nextcloud_background_job_mode == 'cron' |  | ||||||
|   notify: |   notify: | ||||||
|     - reload-systemd |     - reload-systemd | ||||||
| 
 | 
 | ||||||
| - name: Flush handlers now to ensure systemd can know about the timer before it's enabled | - meta: flush_handlers | ||||||
|   meta: flush_handlers | 
 | ||||||
|  | - name: Enable systemd timer for nextcloud cron | ||||||
|  |   systemd: | ||||||
|  |     name: "nextcloud-cron.timer" | ||||||
|  |     enabled: yes | ||||||
|  | 
 | ||||||
|  | - name: Ensure systemd timer for nextcloud cron is started | ||||||
|  |   systemd: | ||||||
|  |     name: "nextcloud-cron.timer" | ||||||
|  |     state: started | ||||||
|  | 
 | ||||||
| 
 | 
 | ||||||
| - name: Ensure docker container for nextcloud is running | - name: Ensure docker container for nextcloud is running | ||||||
|   docker_container: |   docker_container: | ||||||
| @@ -122,23 +107,3 @@ | |||||||
|     purge_networks: "{{ nextcloud_container_purge_other_networks }}" |     purge_networks: "{{ nextcloud_container_purge_other_networks }}" | ||||||
|     restart_policy: "{{ nextcloud_container_restart_policy }}" |     restart_policy: "{{ nextcloud_container_restart_policy }}" | ||||||
|     state: started |     state: started | ||||||
| 
 |  | ||||||
| - name: Enable systemd timer for nextcloud cron |  | ||||||
|   systemd: |  | ||||||
|     name: "nextcloud-cron.timer" |  | ||||||
|     enabled: yes |  | ||||||
|   when: nextcloud_background_job_mode == 'cron' |  | ||||||
| 
 |  | ||||||
| - name: Ensure systemd timer for nextcloud cron is started |  | ||||||
|   systemd: |  | ||||||
|     name: "nextcloud-cron.timer" |  | ||||||
|     state: started |  | ||||||
|   when: nextcloud_background_job_mode == 'cron' |  | ||||||
| 
 |  | ||||||
| - name: Configure nextcloud |  | ||||||
|   include_tasks: |  | ||||||
|     file: configure-single-setting.yml |  | ||||||
|   vars: |  | ||||||
|     key: "{{ item.key | replace('[', '.') | replace(']', '.') }}" |  | ||||||
|     value: "{{ item.value }}" |  | ||||||
|   loop: "{{ lookup('ansible.utils.to_paths', nextcloud_config ) | dict2items }}" |  | ||||||
							
								
								
									
										14
									
								
								roles/nextcloud/templates/nextcloud-fpm-opcache.ini.j2
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										14
									
								
								roles/nextcloud/templates/nextcloud-fpm-opcache.ini.j2
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,14 @@ | |||||||
|  | opcache.enable=1 | ||||||
|  | opcache.interned_strings_buffer=32 | ||||||
|  | ; next prime in the set which is suitable for large installations | ||||||
|  | ; default for this setting is 10000 which picks the prime 7963, | ||||||
|  | ; but default installation of nextcloud has already ~9k php files | ||||||
|  | ; see https://www.php.net/manual/en/opcache.configuration.php#ini.opcache.max-accelerated-files | ||||||
|  | opcache.max_accelerated_files=32531 | ||||||
|  | opcache.memory_consumption=256 | ||||||
|  | ; deconstructor optimizations | ||||||
|  | opcache.fast_shutdown=1 | ||||||
|  | ;opcache.save_comments=1 | ||||||
|  | ; not used if validate_timestamps=0 | ||||||
|  | ;opcache.revalidate_freq=1 | ||||||
|  | opcache.validate_timestamps=0 | ||||||
							
								
								
									
										14
									
								
								roles/nextcloud/templates/nextcloud-fpm.ini.j2
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										14
									
								
								roles/nextcloud/templates/nextcloud-fpm.ini.j2
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,14 @@ | |||||||
|  | [www] | ||||||
|  |  | ||||||
|  | user = www-data | ||||||
|  | group = www-data | ||||||
|  |  | ||||||
|  | listen = 127.0.0.1:9000 | ||||||
|  |  | ||||||
|  | pm = dynamic | ||||||
|  | pm.max_children = 64 | ||||||
|  | pm.start_servers = 32 | ||||||
|  | pm.min_spare_servers = 24 | ||||||
|  | pm.max_spare_servers = 48 | ||||||
|  |  | ||||||
|  | ;pm.max_requests=500 | ||||||
| @@ -22,27 +22,3 @@ nextcloud_container_base_environment_yaml: |+2 | |||||||
|   {% elif nextcloud_database_type == 'sqlite' %} |   {% elif nextcloud_database_type == 'sqlite' %} | ||||||
|   SQLITE_DATABASE: "{{ nextcloud_database_name }}" |   SQLITE_DATABASE: "{{ nextcloud_database_name }}" | ||||||
|   {% endif %} |   {% endif %} | ||||||
|   PHP_MEMORY_LIMIT: "{{ nextcloud_php_memory_limit }}" |  | ||||||
|   PHP_UPLOAD_LIMIT: "{{ nextcloud_php_upload_limit }}" |  | ||||||
| 
 |  | ||||||
| nextcloud_config: "{{ nextcloud_base_config | from_yaml | combine(nextcloud_extra_config|default({}), recursive=True, list_merge='append') }}" |  | ||||||
| nextcloud_base_config: |+2 |  | ||||||
|   {% if nextcloud_database_type != 'sqlite' %} |  | ||||||
|   system: |  | ||||||
|     dbhost: "{{ nextcloud_database_host }}" |  | ||||||
|     dbuser: "{{ nextcloud_database_user }}" |  | ||||||
|     dbpassword: "{{ nextcloud_database_pass }}" |  | ||||||
|     dbname: "{{ nextcloud_database_name }}" |  | ||||||
|     dbtype: "{{ nextcloud_database_types[nextcloud_database_type] }}" |  | ||||||
|   {% endif %} |  | ||||||
|   app: |  | ||||||
|     core: |  | ||||||
|       backgroundjobs_mode: "{{ nextcloud_background_job_mode }}" |  | ||||||
| 
 |  | ||||||
| nextcloud_occ_command: "php occ" |  | ||||||
| nextcloud_container_php_socket_path: /var/run/php |  | ||||||
| nextcloud_database_types: |  | ||||||
|   postgres: pgsql |  | ||||||
|   mysql: mysql |  | ||||||
|   mariadb: mysql |  | ||||||
|   sqlite: sqlite3 |  | ||||||
| @@ -1,22 +0,0 @@ | |||||||
| # `finallycoffee.nextcloud.nginx-fpm-proxy` ansible role |  | ||||||
|  |  | ||||||
| Ansible role for serving nextcloud static content and connecting to dynamic content via PHP-FPM. |  | ||||||
|  |  | ||||||
| ## Prerequisites |  | ||||||
|  |  | ||||||
| A running nextcloud instance with FPM available either via IP+port or a unix socket. |  | ||||||
|  |  | ||||||
| ## Configuration |  | ||||||
|  |  | ||||||
| - Set `nextcloud_nginx_data_path` to the data directory of the nextcloud instance, |  | ||||||
|   from where static content etc is served from. |  | ||||||
|  |  | ||||||
| - `nextcloud_nginx_storage_path` needs to be set to the storage path of the nextcloud |  | ||||||
|   instance, where user data is stored. Usually this is `{{ nextcloud_nginx_data_path }}/data`. |  | ||||||
|  |  | ||||||
| - Set `nextcloud_nginx_fpm_socket_dir` to the directory containing the FPM socket, |  | ||||||
|   called `nextcloud.sock` by default. This can be overridden in `nextcloud_nginx_fpm_socket_path`. |  | ||||||
|  |  | ||||||
| - If FPM is not used via a unix socket, set `nextcloud_nginx_fpm_server_ip` and |  | ||||||
|   `nextcloud_nginx_fpm_server_port` accordingly. Note that the IP must be reachable |  | ||||||
|   from inside the nginx container. |  | ||||||
| @@ -1,23 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| nextcloud_nginx_version: "1.23.3" |  | ||||||
| nextcloud_nginx_basepath: /opt/nextcloud-nginx |  | ||||||
| nextcloud_nginx_config: "{{ nextcloud_nginx_basepath }}/nextcloud.conf" |  | ||||||
| nextcloud_nginx_servernames: ~ |  | ||||||
|  |  | ||||||
| nextcloud_nginx_container_name: nextcloud_nginx |  | ||||||
| nextcloud_nginx_container_image: "docker.io/library/nginx" |  | ||||||
| nextcloud_nginx_container_image_flavor: "alpine" |  | ||||||
| nextcloud_nginx_container_image_ref: "{{ nextcloud_nginx_container_image }}:{{ nextcloud_nginx_version }}{{ '-' + nextcloud_nginx_container_image_flavor if nextcloud_nginx_container_image_flavor else ''}}" |  | ||||||
| nextcloud_nginx_container_image_force_pull: false |  | ||||||
| nextcloud_nginx_container_extra_volumes: [] |  | ||||||
| nextcloud_nginx_container_extra_labels: {} |  | ||||||
| nextcloud_nginx_container_extra_env: {} |  | ||||||
| nextcloud_nginx_container_restart_policy: unless-stopped |  | ||||||
|  |  | ||||||
| nextcloud_nginx_fpm_server_ip: ~ |  | ||||||
| nextcloud_nginx_fpm_server_port: 9000 |  | ||||||
| nextcloud_nginx_fpm_socket_dir: ~ |  | ||||||
| nextcloud_nginx_fpm_socket_path: "{{ nextcloud_nginx_fpm_socket_dir }}/nextcloud.sock" |  | ||||||
| nextcloud_nginx_data_path: ~ |  | ||||||
| nextcloud_nginx_storage_path: ~ |  | ||||||
| @@ -1,8 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| - name: Restart nextcloud nginx fpm proxy container |  | ||||||
|   listen: restart-nextcloud-nginx |  | ||||||
|   docker_container: |  | ||||||
|     name: "{{ nextcloud_nginx_container_name }}" |  | ||||||
|     state: started |  | ||||||
|     restart: yes |  | ||||||
| @@ -1,36 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| - name: Create directory for nginx config |  | ||||||
|   file: |  | ||||||
|     path: "{{ nextcloud_nginx_basepath }}" |  | ||||||
|     state: directory |  | ||||||
|     mode: 0750 |  | ||||||
|  |  | ||||||
| - name: Template nginx reverse proxy config for nextcloud |  | ||||||
|   template: |  | ||||||
|     src: nextcloud-nginx.conf.j2 |  | ||||||
|     dest: "{{ nextcloud_nginx_config }}" |  | ||||||
|   vars: |  | ||||||
|     fpm_server: "{{ nextcloud_nginx_fpm_server_ip }}" |  | ||||||
|     fpm_server_port: "{{ nextcloud_nginx_fpm_server_port }}" |  | ||||||
|     fpm_socket: "{{ nextcloud_nginx_fpm_socket_path }}" |  | ||||||
|     domain: "{{ nextcloud_nginx_servernames }}" |  | ||||||
|   notify: restart-nextcloud-nginx |  | ||||||
|  |  | ||||||
| - name: Ensure nginx docker image is pulled |  | ||||||
|   docker_image: |  | ||||||
|     name: "{{ nextcloud_nginx_container_image_ref }}" |  | ||||||
|     state: present |  | ||||||
|     source: pull |  | ||||||
|     force_source: "{{ nextcloud_nginx_container_image_force_pull }}" |  | ||||||
|  |  | ||||||
| - name: Ensure nginx is running for FPM and static file serving |  | ||||||
|   docker_container: |  | ||||||
|     name: "{{ nextcloud_nginx_container_name }}" |  | ||||||
|     image: "{{ nextcloud_nginx_container_image_ref }}" |  | ||||||
|     volumes: "{{ nextcloud_nginx_container_volumes }}" |  | ||||||
|     labels: "{{ nextcloud_nginx_container_labels }}" |  | ||||||
|     env: "{{ nextcloud_nginx_container_env }}" |  | ||||||
|     networks: "{{ nextcloud_nginx_container_networks | default(omit) }}" |  | ||||||
|     restart_policy: "{{ nextcloud_nginx_container_restart_policy }}" |  | ||||||
|     state: started |  | ||||||
| @@ -1,180 +0,0 @@ | |||||||
| upstream php-handler { |  | ||||||
| {% if fpm_socket %} |  | ||||||
| {% if fpm_socket is not string %} |  | ||||||
| {% for upstream in fpm_socket %} |  | ||||||
|     server unix:{{ upstream }}; |  | ||||||
| {% endfor %} |  | ||||||
| {% else %} |  | ||||||
|     server unix:{{ fpm_socket }}; |  | ||||||
| {% endif %} |  | ||||||
| {% else %} |  | ||||||
|     server {{ fpm_server }}:{{ fpm_server_port }}; |  | ||||||
| {% endif %} |  | ||||||
| } |  | ||||||
|  |  | ||||||
| server { |  | ||||||
|     listen 80; |  | ||||||
|     listen [::]:80; |  | ||||||
|     server_name {{ domain | join(' ') }}; |  | ||||||
|  |  | ||||||
|     # Add headers to serve security related headers |  | ||||||
|     # Before enabling Strict-Transport-Security headers please read into this |  | ||||||
|     # topic first. |  | ||||||
|     add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; |  | ||||||
|     # |  | ||||||
|     # WARNING: Only add the preload option once you read about |  | ||||||
|     # the consequences in https://hstspreload.org/. This option |  | ||||||
|     # will add the domain to a hardcoded list that is shipped |  | ||||||
|     # in all major browsers and getting removed from this list |  | ||||||
|     # could take several months. |  | ||||||
|     add_header Referrer-Policy "no-referrer" always; |  | ||||||
|     add_header X-Content-Type-Options "nosniff" always; |  | ||||||
|     add_header X-Download-Options "noopen" always; |  | ||||||
|     add_header X-Frame-Options "SAMEORIGIN" always; |  | ||||||
|     add_header X-Permitted-Cross-Domain-Policies "none" always; |  | ||||||
|     add_header X-Robots-Tag "none" always; |  | ||||||
|     add_header X-XSS-Protection "1; mode=block" always; |  | ||||||
|  |  | ||||||
|     # Remove X-Powered-By, which is an information leak |  | ||||||
|     fastcgi_hide_header X-Powered-By; |  | ||||||
|  |  | ||||||
|     # Path to the root of your installation |  | ||||||
|     root /var/www/nextcloud; |  | ||||||
|  |  | ||||||
|     location = /robots.txt { |  | ||||||
|         allow all; |  | ||||||
|         log_not_found off; |  | ||||||
|         access_log off; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     # Make a regex exception for `/.well-known` so that clients can still |  | ||||||
|     # access it despite the existence of the regex rule |  | ||||||
|     # `location ~ /(\.|autotest|...)` which would otherwise handle requests |  | ||||||
|     # for `/.well-known`. |  | ||||||
|     location ^~ /.well-known { |  | ||||||
|         # The rules in this block are an adaptation of the rules |  | ||||||
|         # in `.htaccess` that concern `/.well-known`. |  | ||||||
|  |  | ||||||
|         location = /.well-known/carddav { return 301 https://$host/remote.php/dav/; } |  | ||||||
|         location = /.well-known/caldav  { return 301 https://$host/remote.php/dav/; } |  | ||||||
|  |  | ||||||
|         # The following rule is only needed for the Social app. |  | ||||||
|         # Uncomment it if you're planning to use this app. |  | ||||||
|         location = /.well-known/webfinger	{ return 301 https://$host/public.php?service=webfinger; } |  | ||||||
|  |  | ||||||
|         # The following 2 rules are only needed for the user_webfinger app. |  | ||||||
|         # Uncomment it if you're planning to use this app. |  | ||||||
|         location = /.well-known/host-meta	{ return 301 https://$host/public.php?service=host-meta; } |  | ||||||
|         location = /.well-known/host-meta.json	{ return 301 https://$host/public.php?service=host-meta-json; } |  | ||||||
|  |  | ||||||
|         location /.well-known/acme-challenge    { try_files $uri $uri/ =404; } |  | ||||||
|         location /.well-known/pki-validation    { try_files $uri $uri/ =404; } |  | ||||||
|  |  | ||||||
|         # Let Nextcloud's API for `/.well-known` URIs handle all other |  | ||||||
|         # requests by passing them to the front-end controller. |  | ||||||
|         return 301 https://$host/index.php$request_uri; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     # set max upload size |  | ||||||
|     client_max_body_size {{ nextcloud_php_upload_limit }}; |  | ||||||
|     fastcgi_buffers 128 4K; |  | ||||||
|  |  | ||||||
|     # Enable gzip but do not remove ETag headers |  | ||||||
|     gzip on; |  | ||||||
|     gzip_vary on; |  | ||||||
|     gzip_comp_level 4; |  | ||||||
|     gzip_min_length 256; |  | ||||||
|     gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; |  | ||||||
|     gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; |  | ||||||
|  |  | ||||||
|     # Uncomment if your server is build with the ngx_pagespeed module |  | ||||||
|     # This module is currently not supported. |  | ||||||
|     #pagespeed off; |  | ||||||
|  |  | ||||||
|     location / { |  | ||||||
|         rewrite ^ /index.php; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ { |  | ||||||
|         deny all; |  | ||||||
|     } |  | ||||||
|     location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) { |  | ||||||
|         deny all; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy)\.php(?:$|\/) { |  | ||||||
|         fastcgi_split_path_info ^(.+?\.php)(\/.*|)$; |  | ||||||
|         set $path_info $fastcgi_path_info; |  | ||||||
|         try_files $fastcgi_script_name =404; |  | ||||||
|         fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; |  | ||||||
|         fastcgi_param SCRIPT_NAME $fastcgi_script_name; |  | ||||||
|         fastcgi_param PATH_INFO $path_info; |  | ||||||
|         fastcgi_param HTTPS $https; |  | ||||||
|         fastcgi_param HTTP_PROXY ""; |  | ||||||
|         fastcgi_param REMOTE_ADDR $remote_addr; |  | ||||||
|         # Avoid sending the security headers twice |  | ||||||
|         fastcgi_param modHeadersAvailable true; |  | ||||||
|         # Enable pretty urls |  | ||||||
|         fastcgi_param front_controller_active true; |  | ||||||
|         fastcgi_pass php-handler; |  | ||||||
|         include fastcgi_params; |  | ||||||
|         fastcgi_intercept_errors on; |  | ||||||
|         fastcgi_request_buffering off; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) { |  | ||||||
|         try_files $uri/ =404; |  | ||||||
|         index index.php; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     # Adding the cache control header for js, css and map files |  | ||||||
|     # Make sure it is BELOW the PHP block |  | ||||||
|     location ~ \.(?:css|js|woff2?|svg|gif|map)$ { |  | ||||||
|         expires 1d; |  | ||||||
|         # How `sendfile`, `tcp_nopush` and `tcp_nodelay` interact |  | ||||||
|         # https://thoughts.t37.net/nginx-optimization-understanding-sendfile-tcp-nodelay-and-tcp-nopush-c55cdd276765?gi=f11af534b564 |  | ||||||
|         sendfile on; # use `sendfile` syscall, which is a DMA (zero-copy) call |  | ||||||
|         tcp_nopush on; # wait until the file is fully "read" |  | ||||||
|         tcp_nodelay on; # always immediately flush, never wait for a full packet worth of data (default wait interval = 200ms) |  | ||||||
|         aio on; #async IO for files |  | ||||||
|         open_file_cache max=10000; # cache metadata for up to 10000 files |  | ||||||
|         open_file_cache_valid 3600s; # previous cache is valid for 1h |  | ||||||
|         open_file_cache_errors off; # except if there was an error, that is not cached |  | ||||||
|         try_files $uri /index.php$request_uri; |  | ||||||
|         add_header Cache-Control "public, max-age=15778463"; |  | ||||||
|         # Add headers to serve security related headers (It is intended to |  | ||||||
|         # have those duplicated to the ones above) |  | ||||||
|         # Before enabling Strict-Transport-Security headers please read into |  | ||||||
|         # this topic first. |  | ||||||
|         #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always; |  | ||||||
|         # |  | ||||||
|         # WARNING: Only add the preload option once you read about |  | ||||||
|         # the consequences in https://hstspreload.org/. This option |  | ||||||
|         # will add the domain to a hardcoded list that is shipped |  | ||||||
|         # in all major browsers and getting removed from this list |  | ||||||
|         # could take several months. |  | ||||||
|         add_header Referrer-Policy "no-referrer" always; |  | ||||||
|         add_header X-Content-Type-Options "nosniff" always; |  | ||||||
|         add_header X-Download-Options "noopen" always; |  | ||||||
|         add_header X-Frame-Options "SAMEORIGIN" always; |  | ||||||
|         add_header X-Permitted-Cross-Domain-Policies "none" always; |  | ||||||
|         add_header X-Robots-Tag "none" always; |  | ||||||
|         add_header X-XSS-Protection "1; mode=block" always; |  | ||||||
|  |  | ||||||
|         # Optional: Don't log access to assets |  | ||||||
|         access_log off; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ { |  | ||||||
|         expires 1d; |  | ||||||
|         sendfile on; |  | ||||||
|         tcp_nopush on; |  | ||||||
|         tcp_nodelay on; |  | ||||||
|         open_file_cache max=10000; |  | ||||||
|         open_file_cache_valid 3600s; |  | ||||||
|         open_file_cache_errors off; |  | ||||||
|         try_files $uri /index.php$request_uri; |  | ||||||
|         # Optional: Don't log access to other assets |  | ||||||
|         access_log off; |  | ||||||
|     } |  | ||||||
| } |  | ||||||
| @@ -1,18 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| nextcloud_nginx_container_volumes_base: >-2 |  | ||||||
|   {{ |  | ||||||
|     [ |  | ||||||
|       nextcloud_nginx_config + ':/etc/nginx/conf.d/nextcloud.conf:ro', |  | ||||||
|       nextcloud_nginx_data_path + ':/var/www/nextcloud:ro', |  | ||||||
|       nextcloud_nginx_storage_path + ':/var/www/nextcloud/data:rw' |  | ||||||
|     ] |  | ||||||
|     + ([nextcloud_nginx_fpm_socket_dir + ':' + nextcloud_nginx_fpm_socket_dir + ':rw'] if nextcloud_nginx_fpm_socket_dir else []) |  | ||||||
|   }} |  | ||||||
| nextcloud_nginx_container_labels_base: |  | ||||||
|   version: "{{ nextcloud_nginx_version }}" |  | ||||||
| nextcloud_nginx_container_env_base: {} |  | ||||||
|  |  | ||||||
| nextcloud_nginx_container_volumes: "{{ nextcloud_nginx_container_volumes_base + nextcloud_nginx_container_extra_volumes }}" |  | ||||||
| nextcloud_nginx_container_labels: "{{ nextcloud_nginx_container_labels_base | combine(nextcloud_nginx_container_extra_labels) }}" |  | ||||||
| nextcloud_nginx_container_env: "{{ nextcloud_nginx_container_env_base | combine(nextcloud_nginx_container_extra_env) }}" |  | ||||||
| @@ -1,21 +0,0 @@ | |||||||
| # `finallycoffee.nextcloud.nextcloud` ansible role |  | ||||||
|  |  | ||||||
| This role can be used to deploy nextcloud in a docker container, |  | ||||||
| regardless of wether the `apache` or `fpm` docker image is used. |  | ||||||
|  |  | ||||||
| It provides various common (optimization) configuration options |  | ||||||
| and creates a user on the host which is mapped into the container, |  | ||||||
| so the host file permissions remain comprehensible. |  | ||||||
|  |  | ||||||
| ## Configuration |  | ||||||
|  |  | ||||||
| - `nextcloud_socket_path`: Setting this (to, for example, `{{ nextcloud_basepath }}/socket`), |  | ||||||
|   will make FPM listen on `{{ nextcloud_socket_path }}/nextcloud.sock` on the host, enabling |  | ||||||
|   you to use FPM to interface with nextcloud. |  | ||||||
|  |  | ||||||
| ### Redis over UNIX-Socket |  | ||||||
|  |  | ||||||
| Set `REDIS_HOST` to a path in the container where the socket is mapped using |  | ||||||
| `nextcloud_container_extra_environment`. Also set `REDIS_HOST_PORT` to 0 |  | ||||||
| explicitely, as `redis.config.php` will set it to `null` otherwise, resulting |  | ||||||
| in an exception. Set your redis password in `REDIS_HOST_PASSWORD`. |  | ||||||
| @@ -1,41 +0,0 @@ | |||||||
| --- |  | ||||||
|  |  | ||||||
| - name: Ensure {{ key }} is set to {{ '***' if ['pass', 'secret', 'key']|select('in', key) else value }} |  | ||||||
|   block: |  | ||||||
|     - name: Check value of {{ key }} |  | ||||||
|       community.docker.docker_container_exec: |  | ||||||
|         container: "{{ nextcloud_container_name }}" |  | ||||||
|         command: "{{ nextcloud_occ_command }} config:{{ type }}:get {{ scope }} {{ entry }}" |  | ||||||
|         user: "{{ nextcloud_user_info.uid }}" |  | ||||||
|         tty: yes |  | ||||||
|       register: nextcloud_current_config_entry |  | ||||||
|       check_mode: false |  | ||||||
|       changed_when: false |  | ||||||
|  |  | ||||||
|     - name: Set {{ key }} to {{ '***' if (['pass', 'secret', 'key']|select('in', key)) else value }} |  | ||||||
|       community.docker.docker_container_exec: |  | ||||||
|         container: "{{ nextcloud_container_name }}" |  | ||||||
|         command: "{{ nextcloud_occ_command }} config:{{ type }}:set {{ scope }} {{ entry }} --type={{ value_type }} --value={{ value }} -n" |  | ||||||
|         user: "{{ nextcloud_user_info.uid }}" |  | ||||||
|         tty: yes |  | ||||||
|       when: nextcloud_current_config_entry.stdout != value |  | ||||||
|       notify: restart-nextcloud |  | ||||||
|   vars: |  | ||||||
|     entry_path: "{{ key.split('.') }}" |  | ||||||
|     value_type: >- |  | ||||||
|       {% if value is boolean %} |  | ||||||
|       boolean |  | ||||||
|       {% elsif value is integer %} |  | ||||||
|       integer |  | ||||||
|       {% elsif value is float %} |  | ||||||
|       float |  | ||||||
|       {% else %} |  | ||||||
|       string |  | ||||||
|       {% endif %} |  | ||||||
|     type: "{{ entry_path | first }}" |  | ||||||
|     scope: "{{ entry_path[1] if entry_path | length > 2 else '' }}" |  | ||||||
|     entry: >- |  | ||||||
|       {{ |  | ||||||
|          entry_path[1] if entry_path|length == 2 else  |  | ||||||
|          (entry_path[2:] | join(" ")) |  | ||||||
|       }} |  | ||||||
| @@ -1,2 +0,0 @@ | |||||||
| [global] |  | ||||||
| daemonize = no |  | ||||||
| @@ -1,14 +0,0 @@ | |||||||
| opcache.enable={{ nextcloud_opcache_enable }} |  | ||||||
| opcache.interned_strings_buffer={{ nextcloud_opcache_interned_strings_buffer_mb }} |  | ||||||
| ; next prime in the set which is suitable for large installations |  | ||||||
| ; default for this setting is 10000 which picks the prime 7963, |  | ||||||
| ; but default installation of nextcloud has already ~9k php files |  | ||||||
| ; see https://www.php.net/manual/en/opcache.configuration.php#ini.opcache.max-accelerated-files |  | ||||||
| opcache.max_accelerated_files={{ nextcloud_opcache_max_accelerated_files }} |  | ||||||
| opcache.memory_consumption={{ nextcloud_opcache_memory_consumption_mb }} |  | ||||||
| ; deconstructor optimizations |  | ||||||
| opcache.fast_shutdown={{ nextcloud_opcache_fast_shutdown }} |  | ||||||
| opcache.save_comments={{ nextcloud_opcache_save_comments }} |  | ||||||
| ; not used if validate_timestamps=0 |  | ||||||
| opcache.revalidate_freq={{ nextcloud_opcache_revalidate_freq }} |  | ||||||
| opcache.validate_timestamps={{ nextcloud_opcache_validate_timestamps }} |  | ||||||
| @@ -1,21 +0,0 @@ | |||||||
| [www] |  | ||||||
|  |  | ||||||
| user = www-data |  | ||||||
| group = www-data |  | ||||||
|  |  | ||||||
| {% if nextcloud_socket_path is defined and nextcloud_socket_path is string %} |  | ||||||
| listen = {{ nextcloud_container_php_socket_path }}/{{ nextcloud_container_name }}.sock |  | ||||||
| listen.owner = www-data |  | ||||||
| listen.group = www-data |  | ||||||
| listen.mode = 0666 |  | ||||||
| {% else %} |  | ||||||
| ;listen = 0.0.0.0:9000 |  | ||||||
| {% endif %} |  | ||||||
|  |  | ||||||
| pm = dynamic |  | ||||||
| pm.max_children = {{ nextcloud_fpm_max_children }} |  | ||||||
| pm.start_servers = {{ nextcloud_fpm_start_servers }} |  | ||||||
| pm.min_spare_servers = {{ nextcloud_fpm_min_spare_servers }} |  | ||||||
| pm.max_spare_servers = {{ nextcloud_fpm_max_spare_servers }} |  | ||||||
|  |  | ||||||
| ;pm.max_requests=500 |  | ||||||
		Reference in New Issue
	
	Block a user