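---
# Single-host play that provisions a Nextcloud instance and its standalone
# signaling server behind nginx. Everything under `vars:` is consumed by the
# roles listed in `roles:`; the two nginx server definitions are handed to the
# nginx role through `web_sites`, the database definition through `db_configs`.
- hosts: local
  connection: local

  roles:
    - basis
    - backup
    - docker
    - postgres
    - php
    - signaling
    - nginx
    - nextcloud
    - checkmk

  vars:
    # No host-local users; `users_admin` is presumably supplied by the file
    # listed under `vars_files` (verify against group_vars/environment.yml).
    users_local: []
    users: "{{ users_local + users_admin }}"

    fail2ban_activate_modules:
      - sshd
      - nginx

    # Block device mounted at the Nextcloud data directory.
    # NOTE(review): the device name is fixed; confirm it matches the target
    # host before a run, since a wrong device here mounts the wrong disk.
    mount_points:
      - path: "{{ ncloud_data_location }}"
        dev: /dev/sdb

    # NextCloud
    # NOTE(review): the database, admin and signaling credentials below are
    # placeholders stored in plain text in the play. For a real deployment keep
    # them in ansible-vault or a vars file outside version control. They are
    # quoted so tooling never re-types them.
    ncloud_db:
      type: pgsql
      name: nextcloud
      user: nextclouduser
      pass: "FancyNextcloudDbPasswordVeryLong"
    ncloud_admin_user: nextcloudadmin
    ncloud_admin_pass: "FancyInitialAdminPasswordVeryLong!"
    ncloud_data_location: "{{ cloud_storage }}/nextcloud-data"
    # Local port of the push daemon that is proxied under /push/ below.
    ncloud_npush_port: 7867

    ncloud_website:
      domain: "{{ ncloud_domain }}"
      letsencrypt: true
      filetag: "cloud.{{ domain_external }}"
      state: present
      owner: ncloud
      port: 80
      # Leading space is intentional: the value is appended to the listen line.
      port_options: " ipv6only=on"
      root: "{{ cloud_apps }}/nextcloud/"
      root_setup: false
      index:
        - index.php
        - index.html
        - /index.php$request_uri
      options:
        access_log: "/var/log/nginx/cloud.{{ domain_external }}-access.log"
        error_log: "/var/log/nginx/cloud.{{ domain_external }}-error.log"
        client_max_body_size: 512M
        client_body_timeout: 300s
        fastcgi_buffers: 64 4K
        # `!unsafe` keeps "on" a literal string (a bare `on` would be read as
        # YAML boolean true) and exempts it from Jinja templating.
        gzip: !unsafe on
        gzip_vary: !unsafe on
        gzip_min_length: 256
        gzip_proxied: expired no-cache no-store private no_last_modified no_etag auth
        # Fixed: the first MIME type was truncated to "pplication/atom+xml",
        # which nginx would have treated as an unknown type.
        gzip_types: >-
          application/atom+xml application/javascript application/json
          application/ld+json application/manifest+json application/rss+xml
          application/vnd.geo+json application/vnd.ms-fontobject
          application/wasm application/x-font-ttf
          application/x-web-app-manifest+json application/xhtml+xml
          application/xml font/opentype image/bmp image/svg+xml image/x-icon
          text/cache-manifest text/css text/plain text/vcard
          text/vnd.rim.location.xloc text/vtt text/x-component
          text/x-cross-domain-policy
        fastcgi_hide_header: X-Powered-By
        # Security headers, emitted by nginx for every response code (`always`).
        # The `modHeadersAvailable` fastcgi_param in the PHP location tells
        # Nextcloud not to send these itself. Entries that merely repeated an
        # `always` entry with the same value were removed, as they produced the
        # same header twice on 2xx/3xx responses.
        # NOTE(review): X-XSS-Protection is deprecated and ignored by current
        # browsers; it is kept for older clients only and is no substitute for
        # a Content-Security-Policy.
        add_header:
          - Referrer-Policy "no-referrer" always
          - X-Content-Type-Options "nosniff" always
          - X-Download-Options "noopen" always
          - X-Frame-Options "SAMEORIGIN" always
          - X-Permitted-Cross-Domain-Policies "none" always
          - X-Robots-Tag "none" always
          - X-XSS-Protection "1; mode=block" always
          - Strict-Transport-Security "max-age=15552000; includeSubDomains" always
          # NOTE(review): a second X-Robots-Tag with a different value is sent
          # on 2xx/3xx responses in addition to "none" above; decide on one.
          - X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"
      locations:
        # WebDAV clients identify themselves as DavClnt and go to the DAV root.
        - location: '= /'
          options: |
            if ( $http_user_agent ~ ^DavClnt ) {
              return 302 /remote.php/webdav/$is_args$args;
            }
        - location: '= /robots.txt'
          options: |
            allow all;
            log_not_found off;
            access_log off;
        # CalDAV/CardDAV discovery redirects into the DAV endpoint; ACME and
        # PKI validation files are served straight from disk so certificate
        # issuance works without going through index.php.
        - location: '^~ /.well-known'
          options: |
            location = /.well-known/carddav { return 301 /remote.php/dav/; }
            location = /.well-known/caldav { return 301 /remote.php/dav/; }

            location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
            location /.well-known/pki-validation { try_files $uri $uri/ =404; }

            return 301 /index.php$request_uri;
        # Internal Nextcloud directories must never be served over HTTP.
        - location: '~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)'
          options: return 404;
        # Dotfiles, the occ CLI, test and database helpers are not web content.
        - location: '~ ^/(?:\.|autotest|occ|issue|indie|db_|console)'
          options: return 404;
        - location: '~ \.php(?:$|/)'
          options: |
            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;

            # Reject requests whose script file does not exist on disk before
            # anything is handed to php-fpm.
            try_files $fastcgi_script_name =404;

            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            # NOTE(review): HTTPS is hard-coded for PHP; this assumes the nginx
            # role terminates TLS for this site (letsencrypt: true) — confirm.
            fastcgi_param HTTPS on;

            fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
            fastcgi_param front_controller_active true; # Enable pretty urls
            fastcgi_pass php;

            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;

            fastcgi_max_temp_file_size 0;
        - location: '~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite)$'
          options: |
            try_files $uri /index.php$request_uri;
            expires 6M; # Cache-Control policy borrowed from `.htaccess`
            access_log off; # Optional: Don't log access to assets

            location ~ \.wasm$ {
              default_type application/wasm;
            }
        - location: '~ \.woff2?$'
          options: |
            try_files $uri /index.php$request_uri;
            expires 7d; # Cache-Control policy borrowed from `.htaccess`
            access_log off; # Optional: Don't log access to assets
        - location: '/remote'
          options: return 301 /remote.php$request_uri;
        # WebSocket proxy to the push daemon listening on loopback.
        - location: '^~ /push/'
          options: |
            proxy_pass http://127.0.0.1:{{ ncloud_npush_port }}/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        - location: '/'
          options: try_files $uri $uri/ /index.php$request_uri;

    # Signaling Nextcloud
    # The signaling server listens on loopback only; nginx is the sole public
    # entry point via the `signaling` upstream defined in `pre_options`.
    signaling_listen_host: 127.0.0.1
    signaling_listen_port: 8080

    # NOTE(review): placeholder secrets, see the note on ncloud_db above.
    signaling_janus_api_key: "LookUpDocumentationForSettingUpKey"
    signaling_hash_key: "LookUpDocumentationForSettingUpHashKey"
    signaling_block_key: "LookUpDocumentationForSettingUpBlockKey"
    signaling_ncloud_secret_key: "LookUpDocumentationForSettingUpSecretKey"
    signaling_backend_name: examplecloud

    signaling_website:
      domain: "signaling.{{ domain_external }}"
      letsencrypt: true
      filetag: "signaling.{{ domain_external }}"
      state: present
      owner: signaling
      port: 80
      # Pure reverse proxy: no document root and no index file.
      root: noroot
      root_setup: false
      index: noindex
      pre_options: |
        upstream signaling {
          server {{ signaling_listen_host }}:{{ signaling_listen_port }};
        }
      options:
        access_log: "/var/log/nginx/signaling.{{ domain_external }}-access.log"
        error_log: "/var/log/nginx/signaling.{{ domain_external }}-error.log"
      locations:
        - location: '/standalone-signaling/'
          options: |
            proxy_pass http://signaling/;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket endpoint; needs the Upgrade/Connection headers passed on.
        - location: '/standalone-signaling/spreed'
          options: |
            proxy_pass http://signaling/spreed;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Databases
    db_configs:
      - "{{ ncloud_db }}"

    # Websites
    web_sites:
      - "{{ ncloud_website }}"
      - "{{ signaling_website }}"

    # Nginx
    # php-fpm upstream shared by the PHP location above; `php_version` is
    # expected from the php role or the vars file.
    nginx_conf_http_local:
      - |
        upstream php {
          server unix:/run/php/php{{ php_version }}-fpm.sock;
        }
    nginx_conf_http: "{{ nginx_conf_http_local }}"

    # Backup
    # Only type and name are extracted per database so the backup role never
    # receives the credentials held in db_configs.
    # NOTE(review): `json_query` needs the jmespath library on the controller.
    backup_dbs:
      - "{{ db_configs | json_query('[*].{type: type, name: name}') }}"
    backup_targets:
      db: "{{ backup_dbs | flatten }}"
      file:
        - "{{ ncloud_data_location }}"
        - "/etc/letsencrypt"

  vars_files:
    - "group_vars/environment.yml"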
|