author | Christian Pointner <equinox@spreadspace.org> | 2019-10-13 03:19:34 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2019-10-13 03:19:34 +0200 |
commit | eb98ae2bb7f5441c6c2bdc85158df0d40f633539 (patch) | |
tree | 39fc1f66300b8cfaee47739a41b2e876f66c919c | |
parent | kubernetes standalone cni variants (diff) |
nextcloud role almost done - some stuff still missing
-rw-r--r-- | dan/sk-cloudia.yml | 1 | ||||
-rw-r--r-- | inventory/host_vars/sk-cloudia/nextcloud.yml | 20 | ||||
-rw-r--r-- | inventory/host_vars/sk-cloudia/vars.yml | 3 | ||||
-rw-r--r-- | roles/nextcloud/tasks/main.yml | 37 | ||||
-rw-r--r-- | roles/nextcloud/templates/pod-with-mariadb.yml.j2 | 45 | ||||
-rw-r--r-- | roles/nginx/templates/generic-proxy-no-buffering-with-acme.conf.j2 | 5 |
6 files changed, 91 insertions, 20 deletions
diff --git a/dan/sk-cloudia.yml b/dan/sk-cloudia.yml
index 6e2f0f88..cd87c77e 100644
--- a/dan/sk-cloudia.yml
+++ b/dan/sk-cloudia.yml
@@ -12,3 +12,4 @@
 - role: kubernetes/standalone
 - role: acmetool/base
 - role: nginx
+ - role: nextcloud
diff --git a/inventory/host_vars/sk-cloudia/nextcloud.yml b/inventory/host_vars/sk-cloudia/nextcloud.yml
index a39c21dd..9b14e709 100644
--- a/inventory/host_vars/sk-cloudia/nextcloud.yml
+++ b/inventory/host_vars/sk-cloudia/nextcloud.yml
@@ -15,13 +15,13 @@ nextcloud_instances:
 type: mariadb
 version: 10.4.8
 password: "{{ vault_nextcloud_database_passwords['wolke.elevate.at'] }}"
- insomnia.skillz.biz:
- version: 16.0.5
- port: 8101
- hostnames:
- - insomnia.skillz.biz
- quota: 200G
- database:
- type: mariadb
- version: 10.4.8
- password: "{{ vault_nextcloud_database_passwords['insomnia.skillz.biz'] }}"
+ # insomnia.skillz.biz:
+ # version: 16.0.5
+ # port: 8101
+ # hostnames:
+ # - insomnia.skillz.biz
+ # quota: 200G
+ # database:
+ # type: mariadb
+ # version: 10.4.8
+ # password: "{{ vault_nextcloud_database_passwords['insomnia.skillz.biz'] }}"
diff --git a/inventory/host_vars/sk-cloudia/vars.yml b/inventory/host_vars/sk-cloudia/vars.yml
index e4d1ddf3..cb5b47a8 100644
--- a/inventory/host_vars/sk-cloudia/vars.yml
+++ b/inventory/host_vars/sk-cloudia/vars.yml
@@ -38,9 +38,11 @@ kubernetes_standalone_cni_variant: with-localonly-portmap
 acmetool_directory_server: "{{ acmetool_directory_server_le_live }}"
+### TODO: should this be done via the nextcloud role?
 nginx_vhosts:
 wolke.elevate.at:
 template: generic-proxy-no-buffering-with-acme
+ client_max_body_size: 0
 acme: true
 hostnames:
 - wolke.elev8.at
@@ -48,6 +50,7 @@ nginx_vhosts:
 proxy_pass: "http://127.0.0.1:8100"
 # insomnia.skillz.biz:
 # template: generic-proxy-no-buffering-with-acme
+ # client_max_body_size: 0
 # acme: true
 # hostnames:
 # - insomnia.skillz.biz
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 8453ce65..fe65d62b 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -79,6 +79,43 @@
 state: directory
+- name: create image config dir
+ loop: "{{ nextcloud_instances | list }}"
+ loop_control:
+ label: "{{ item }}"
+ file:
+ path: "{{ nextcloud_base_path }}/{{ item }}/config"
+ state: directory
+
+- name: create apache vhost config
+ loop: "{{ nextcloud_instances | list }}"
+ loop_control:
+ label: "{{ item }}"
+ copy:
+ content: |
+ <VirtualHost *:8080>
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # SetEnv HTTPS on
+ # SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+ </VirtualHost>
+ dest: "{{ nextcloud_base_path }}/{{ item }}/config/apache-site.conf"
+
+- name: configure apache to run on port 8080 only
+ loop: "{{ nextcloud_instances | list }}"
+ loop_control:
+ label: "{{ item }}"
+ copy:
+ content: |
+ Listen 8080
+ dest: "{{ nextcloud_base_path }}/{{ item }}/config/ports.conf"
+
+
+
 - name: generate pod manifests
 loop: "{{ nextcloud_instances | dict2items }}"
 loop_control:
diff --git a/roles/nextcloud/templates/pod-with-mariadb.yml.j2 b/roles/nextcloud/templates/pod-with-mariadb.yml.j2
index 4e2f6baa..7fa40cd4 100644
--- a/roles/nextcloud/templates/pod-with-mariadb.yml.j2
+++ b/roles/nextcloud/templates/pod-with-mariadb.yml.j2
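Review bot: The vhost written by `create apache vhost config` leaves both `SetEnv HTTPS on` and `SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on` commented out, so PHP inside the container will see a plain-HTTP request even though the nginx template in this same commit now forwards X-Forwarded-Proto and X-Forwarded-Ssl. Whether that matters depends on whether this Nextcloud version already honours X-Forwarded-Proto on its own; if it does not, generated URLs and the login cookie's secure flag will reflect http, so either uncomment `SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on` or state in a comment why the proxy header is deliberately ignored. The two `copy` tasks also set no `owner`/`mode`, which presumably leaves root-owned files at the default mode in a directory the container mounts read-only; that works, but a short comment `# read-only from the pod, defaults are fine` would record the intent. The task list continues outside the hunk.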
@@ -7,17 +7,35 @@ spec:
 allowPrivilegeEscalation: false
 containers:
 - name: nextcloud
- image: debian:buster
- command:
- - /bin/bash
- - -c
- - "sleep 7200"
- # securityContext:
- # runAsUser: {{ nextcloud_app_uid }}
- # runAsGroup: {{ nextcloud_app_gid }}
+ image: "nextcloud:{{ item.value.version }}"
+ securityContext:
+ runAsUser: {{ nextcloud_app_uid }}
+ runAsGroup: {{ nextcloud_app_gid }}
+ resources:
+ limits:
+ memory: "4Gi"
+ env:
+ - name: NEXTCLOUD_TRUSTED_DOMAINS
+ value: "{{ item.value.hostnames | join(' ') }}"
+ - name: MYSQL_HOST
+ value: 127.0.0.1
+ - name: MYSQL_DATABASE
+ value: nextcloud
+ - name: MYSQL_USER
+ value: nextcloud
+ - name: MYSQL_PASSWORD
+ value: "{{ item.value.database.password }}"
 volumeMounts:
 - name: nextcloud
 mountPath: /var/www/html
+ - name: config
+ mountPath: /etc/apache2/sites-available/000-default.conf
+ subPath: apache-site.conf
+ readOnly: true
+ - name: config
+ mountPath: /etc/apache2/ports.conf
+ subPath: ports.conf
+ readOnly: true
 ports:
 - containerPort: 8080
 hostPort: {{ item.value.port }}
@@ -29,19 +47,26 @@ spec:
 securityContext:
 runAsUser: {{ nextcloud_db_uid }}
 runAsGroup: {{ nextcloud_db_gid }}
+ resources:
+ limits:
+ memory: "2Gi"
 env:
 - name: MYSQL_RANDOM_ROOT_PASSWORD
 value: "true"
- - name: MYSQL_PASSWORD
- value: "{{ item.value.database.password }}"
 - name: MYSQL_DATABASE
 value: nextcloud
 - name: MYSQL_USER
 value: nextcloud
+ - name: MYSQL_PASSWORD
+ value: "{{ item.value.database.password }}"
 volumeMounts:
 - name: database
 mountPath: /var/lib/mysql
 volumes:
+ - name: config
+ hostPath:
+ path: "{{ nextcloud_base_path }}/{{ item.key }}/config/"
+ type: Directory
 - name: nextcloud
 hostPath:
 path: "{{ nextcloud_base_path }}/{{ item.key }}/nextcloud"
diff --git a/roles/nginx/templates/generic-proxy-no-buffering-with-acme.conf.j2 b/roles/nginx/templates/generic-proxy-no-buffering-with-acme.conf.j2
index 8cad2994..9f165726 100644
--- a/roles/nginx/templates/generic-proxy-no-buffering-with-acme.conf.j2
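Review bot: The nextcloud container's new `env` block sets NEXTCLOUD_TRUSTED_DOMAINS but no trusted-proxy setting, while the nginx template in this commit forwards the client address in X-Forwarded-For; Nextcloud only accepts forwarded-for headers from hosts listed in trusted_proxies, so every request will presumably be attributed to 127.0.0.1, and the per-address brute-force throttle and the access logs then treat all clients as one. Adding `- name: TRUSTED_PROXIES` / `value: 127.0.0.1` beside NEXTCLOUD_TRUSTED_DOMAINS covers that if the image version in use supports the variable; otherwise the value belongs in config.php. Separately, `MYSQL_PASSWORD` is now a plaintext env value in both containers of the rendered manifest, so the manifest file written by `generate pod manifests` (outside this hunk) and any pod-inspection path expose the database password; with a standalone kubelet there is no Secret object to reference, so the manifest's file mode is the only guard and deserves a comment at the point where it is written. The template's `spec:` block starts outside the hunk.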
+++ b/roles/nginx/templates/generic-proxy-no-buffering-with-acme.conf.j2
@@ -23,11 +23,16 @@ server {
 location / {
 include snippets/proxy-nobuff.conf;
+{% if 'client_max_body_size' in item.value %}
+ client_max_body_size {{ item.value.client_max_body_size }};
+{% endif %}
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-Port $server_port;
 # for websockets
 proxy_set_header Upgrade $http_upgrade;
|
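Review bot: `proxy_set_header X-Forwarded-Ssl on;` is hard-coded while the neighbouring X-Forwarded-Proto line derives its value from `$scheme`, so if this `location /` is ever rendered inside a plain-HTTP server block (the template name suggests it also handles ACME) the upstream is told the connection is TLS when it is not. `proxy_set_header X-Forwarded-Ssl $https;` keeps the two headers consistent, since nginx omits a header whose value is empty. The `client_max_body_size` override applies only within `location /`; any other locations in this template keep the server default, which is fine if intentional but worth a one-line comment such as `# upload limit applies to the proxied app only`. The enclosing `server {` block starts and ends outside the hunk.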