--- - hosts: local connection: local roles: - basis - backup - docker - postgres - php - signaling - nginx - nextcloud - checkmk vars: users_local: [] users: "{{ users_local + users_admin }}" fail2ban_activate_modules: - sshd - nginx mount_points: - path: "{{ ncloud_data_location }}" dev: /dev/sdb # NextCloud ncloud_db: type: pgsql name: nextcloud user: nextclouduser pass: FancyNextcloudDbPasswordVeryLong ncloud_admin_user: nextcloudadmin ncloud_admin_pass: FancyInitialAdminPasswordVeryLong! ncloud_data_location: "{{ cloud_storage }}/nextcloud-data" ncloud_npush_port: 7867 ncloud_website: domain: "{{ ncloud_domain }}" letsencrypt: true filetag: "cloud.{{ domain_external }}" state: present owner: ncloud port: 80 port_options: " ipv6only=on" root: "{{ cloud_apps }}/nextcloud/" root_setup: false index: - index.php - index.html - /index.php$request_uri options: access_log: "/var/log/nginx/cloud.{{ domain_external }}-access.log" error_log: "/var/log/nginx/cloud.{{ domain_external }}-error.log" client_max_body_size: 512M client_body_timeout: 300s fastcgi_buffers: 64 4K gzip: !unsafe on gzip_vary: !unsafe on gzip_min_length: 256 gzip_proxied: expired no-cache no-store private no_last_modified no_etag auth gzip_types: pplication/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy fastcgi_hide_header: X-Powered-By add_header: - Referrer-Policy "no-referrer" always - X-Content-Type-Options "nosniff" always - X-Download-Options "noopen" always - X-Frame-Options "SAMEORIGIN" always - X-Permitted-Cross-Domain-Policies "none" always - X-Robots-Tag "none" always - X-XSS-Protection "1; mode=block" always - Strict-Transport-Security "max-age=15552000; includeSubDomains" always - X-Content-Type-Options "nosniff" - X-XSS-Protection "1; mode=block" - X-Robots-Tag "noindex, nofollow, nosnippet, noarchive" - X-Frame-Options "SAMEORIGIN" - Referrer-Policy "no-referrer" locations: - location: '= /' options: | if ( $http_user_agent ~ ^DavClnt ) { return 302 /remote.php/webdav/$is_args$args; } - location: '= /robots.txt' options: | allow all; log_not_found off; access_log off; - location: '^~ /.well-known' options: | location = /.well-known/carddav { return 301 /remote.php/dav/; } location = /.well-known/caldav { return 301 /remote.php/dav/; } location /.well-known/acme-challenge { try_files $uri $uri/ =404; } location /.well-known/pki-validation { try_files $uri $uri/ =404; } return 301 /index.php$request_uri; - location: '~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)' options: return 404; - location: '~ ^/(?:\.|autotest|occ|issue|indie|db_|console)' options: return 404; - location: '~ \.php(?:$|/)' options: | rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; fastcgi_split_path_info ^(.+?\.php)(/.*)$; set $path_info $fastcgi_path_info; try_files $fastcgi_script_name =404; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $path_info; fastcgi_param HTTPS on; fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice fastcgi_param front_controller_active true; # Enable pretty urls fastcgi_pass php; fastcgi_intercept_errors on; fastcgi_request_buffering off; fastcgi_max_temp_file_size 0; - location: '~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite)$' options: | try_files $uri /index.php$request_uri; expires 6M; # Cache-Control policy borrowed from `.htaccess` access_log off; # Optional: Don't log access to assets location ~ \.wasm$ { default_type application/wasm; } - location: '~ \.woff2?$' options: | try_files $uri /index.php$request_uri; expires 7d; # Cache-Control policy borrowed from `.htaccess` access_log off; # Optional: Don't log access to assets - location: '/remote' options: return 301 /remote.php$request_uri; - location: '^~ /push/' options: | proxy_pass http://127.0.0.1:{{ ncloud_npush_port }}/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - location: '/' options: try_files $uri $uri/ /index.php$request_uri; # Signaling Nextcloud signaling_listen_host: 127.0.0.1 signaling_listen_port: 8080 signaling_janus_api_key: LookUpDocumentationForSettingUpKey signaling_hash_key: LookUpDocumentationForSettingUpHashKey signaling_block_key: LookUpDocumentationForSettingUpBlockKey signaling_ncloud_secret_key: LookUpDocumentationForSettingUpSecretKey signaling_backend_name: examplecloud signaling_website: domain: "signaling.{{ domain_external }}" letsencrypt: true filetag: "signaling.{{ domain_external }}" state: present owner: signaling port: 80 root: noroot root_setup: false index: noindex pre_options: | upstream signaling { server {{ signaling_listen_host }}:{{ signaling_listen_port }}; } options: access_log: "/var/log/nginx/signaling.{{ domain_external }}-access.log" error_log: "/var/log/nginx/signaling.{{ domain_external }}-error.log" locations: - location: '/standalone-signaling/' options: | proxy_pass http://signaling/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - location: '/standalone-signaling/spreed' options: | proxy_pass http://signaling/spreed; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Databases db_configs: - "{{ ncloud_db }}" # Websites web_sites: - "{{ ncloud_website }}" - "{{ signaling_website }}" # Nginx nginx_conf_http_local: - | upstream php { server unix:/run/php/php{{ php_version }}-fpm.sock; } nginx_conf_http: "{{ nginx_conf_http_local }}" # Backup backup_dbs: - "{{ db_configs | json_query('[*].{type: type, name: name}') }}" backup_targets: db: "{{ backup_dbs | flatten }}" file: - "{{ ncloud_data_location }}" - "/etc/letsencrypt" vars_files: - "group_vars/environment.yml"