5 files changed, 93 insertions, 18 deletions
diff --git a/inventory/host_vars/sk-cloudio/nextcloud.yml b/inventory/host_vars/sk-cloudio/nextcloud.yml
index df947c89..3c5e5ae0 100644
--- a/inventory/host_vars/sk-cloudio/nextcloud.yml
+++ b/inventory/host_vars/sk-cloudio/nextcloud.yml
@@ -96,8 +96,6 @@ nextcloud_instances:
 # new: true
 version: 29.0.3
 port: 8105
- hostnames:
- - wolke.elev8.at
 storage:
 type: zfs
 parent: "{{ _nextcloud_zfs_base_ }}"
@@ -110,3 +108,9 @@ nextcloud_instances:
 type: mariadb
 version: 10.11.5
 password: "{{ vault_nextcloud_database_passwords['wolke.elev8.at'] }}"
+ publish:
+ zone: "{{ apps_publish_zone__sk_cloudio }}"
+ hostnames:
+ - wolke.elev8.at
+ tls:
+ certificate_provider: acmetool
diff --git a/roles/apps/nextcloud/defaults/main.yml b/roles/apps/nextcloud/defaults/main.yml
index ac87de94..158da180 100644
--- a/roles/apps/nextcloud/defaults/main.yml
+++ b/roles/apps/nextcloud/defaults/main.yml
@@ -13,9 +13,6 @@ nextcloud_redis_gid: "952"
 # new: yes
 # version: 17.0.0
 # port: 8100
-# hostnames:
-# - wolke.example.com
-# - cloud.example.com
 # storage:
 # type: ...
 # database:
@@ -26,3 +23,10 @@ nextcloud_redis_gid: "952"
 # from: foo/bar:1.0 # optional
 # dockerfile: |
 # RUN apt-get install ...
+# publish:
+# zone: "{{ apps_publish_zone__foo }}"
+# hostnames:
+# - wolke.example.com
+# - cloud.example.com
+# tls:
+# certificate_provider: ...
diff --git a/roles/apps/nextcloud/instance/tasks/main.yml b/roles/apps/nextcloud/instance/tasks/main.yml
index 373aa0a8..3c8928b2 100644
--- a/roles/apps/nextcloud/instance/tasks/main.yml
+++ b/roles/apps/nextcloud/instance/tasks/main.yml
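Review bot: The new `publish:` example in defaults documents `zone` only as an opaque variable reference, but the instance tasks in this same commit read `zone.name`, `zone.publisher`, `zone.certificate_provider` and `zone.certificate_ca_config` from it, and the nginx task treats `publish.tls` as optional (`{% if 'tls' in … %}`) while `publish.zone` and `publish.hostnames` are required. Spell that contract out in the commented example so an operator filling in host_vars knows what to provide, e.g. `#       zone: "{{ apps_publish_zone__foo }}"  # dict: name, publisher, certificate_provider, certificate_ca_config` and `#       tls:  # optional, passed through to the nginx vhost on the publisher`. As far as these hunks show, nothing in the instance role gates on `publish` being present, so an instance without it now fails at template time; if that is intended, say so here as well.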
@@ -47,6 +47,43 @@ dest: "{{ nextcloud_instance_basepath }}/config/ports.conf"
+- name: create tls directory
+ file:
+ path: "{{ nextcloud_instance_basepath }}/tls"
+ owner: "{{ nextcloud_app_uid }}"
+ group: "{{ nextcloud_app_gid }}"
+ mode: 0500
+ state: directory
+
+- name: generate/install TLS certificates for publishment
+ vars:
+ x509_certificate_name: "nextcloud-{{ nextcloud_instance }}_publish"
+ x509_certificate_hostnames: []
+ x509_certificate_config:
+ ca: "{{ nextcloud_instances[nextcloud_instance].publish.zone.certificate_ca_config }}"
+ cert:
+ common_name: "nextcloud-{{ nextcloud_instance }}.{{ inventory_hostname }}"
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
+ create_subject_key_identifier: yes
+ not_after: +100w
+ x509_certificate_renewal:
+ install:
+ - dest: "{{ nextcloud_instance_basepath }}/tls/cert.pem"
+ src:
+ - cert
+ owner: "{{ nextcloud_app_uid }}"
+ mode: "0400"
+ - dest: "{{ nextcloud_instance_basepath }}/tls/key.pem"
+ src:
+ - key
+ owner: "{{ nextcloud_app_uid }}"
+ mode: "0400"
+ include_role:
+ name: "x509/{{ nextcloud_instances[nextcloud_instance].publish.zone.certificate_provider }}/cert"
+
+
 - name: build custom image
 # when: "'custom_image' in nextcloud_instances[nextcloud_instance]"
 include_tasks: custom-image.yml
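Review bot: The internal leaf certificate is requested with `x509_certificate_hostnames: []`, so the only identity it carries is the CN `nextcloud-<instance>.<inventory_hostname>`, while the nginx vhost later in this file verifies exactly that name (`proxy_ssl` with `verify: "on"` and `name:`). OpenSSL only falls back to matching the CN when the certificate has no SAN extension at all, and that fallback has been dropped by most other TLS stacks, so the hop works by an accident of the issuing profile rather than by design; put the name in the SAN list as well, `x509_certificate_hostnames: ["nextcloud-{{ nextcloud_instance }}.{{ inventory_hostname }}"]`, assuming the x509 role maps that list to dNSName entries (the name suggests it — confirm). Minor: the directory task writes the unquoted octal `mode: 0500` while the two install entries use `"0400"`; `mode: "0500"` keeps the task consistent and immune to YAML integer parsing. The install entries set `owner` but no group for `key.pem`, so whatever the x509 role defaults to applies; mode 0400 makes that moot, but a one-line comment saying the key is only read by the instance's Apache would make the intent explicit.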
@@ -84,29 +121,44 @@ enabled: yes
-- name: configure nginx vhost
+- name: configure nginx vhost for publishment
 vars:
- nginx_vhost:
- name: "nextcloud-{{ nextcloud_instance }}"
+ nginx_vhost__yaml: |
+ name: "nextcloud-{{ nextcloud_instance }}.{{ inventory_hostname }}"
 template: generic
+ {% if 'tls' in nextcloud_instances[nextcloud_instance].publish %}
 tls:
- certificate_provider: "{{ acme_client }}"
- hostnames: "{{ nextcloud_instances[nextcloud_instance].hostnames }}"
+ {{ nextcloud_instances[nextcloud_instance].publish.tls | to_nice_yaml(indent=2) | indent(2) }}
+ {% endif %}
+ hostnames:
+ {% for hostname in nextcloud_instances[nextcloud_instance].publish.hostnames %}
+ - {{ hostname }}
+ {% endfor %}
 locations:
 '/':
- proxy_pass: "http://127.0.0.1:{{ nextcloud_instances[nextcloud_instance].port }}"
+ {% if nextcloud_instances[nextcloud_instance].publish.zone.publisher == inventory_hostname %}
+ proxy_pass: "https://127.0.0.1:{{ nextcloud_instances[nextcloud_instance].port }}"
+ {% else %}
+ proxy_pass: "https://{{ ansible_default_ipv4.address }}:{{ nextcloud_instances[nextcloud_instance].port }}"
+ {% endif %}
 proxy_redirect:
- - redirect: "http://$host/"
- replacement: "https://$host/"
- - redirect: "http://$host:8080/"
+ - redirect: "https://$host:8080/"
 replacement: "https://$host/"
+ proxy_ssl:
+ trusted_certificate: "/etc/ssl/apps-publish-{{ nextcloud_instances[nextcloud_instance].publish.zone.name }}/apps-publish-{{ nextcloud_instances[nextcloud_instance].publish.zone.name }}-ca-crt.pem"
+ verify: "on"
+ name: "nextcloud-{{ nextcloud_instance }}.{{ inventory_hostname }}"
+ protocols: "TLSv1.3"
 extra_directives: |-
 client_max_body_size 0;
 types {
 text/javascript js mjs;
 }
+ nginx_vhost: "{{ nginx_vhost__yaml | from_yaml }}"
 include_role:
 name: nginx/vhost
+ apply:
+ delegate_to: "{{ nextcloud_instances[nextcloud_instance].publish.zone.publisher }}"
 # TODO:
@@ -118,7 +170,7 @@ prompt: | ************* {{ nextcloud_instance }} is a new instance **
- ** Go to https://{{ nextcloud_instances[nextcloud_instance].hostnames[0] }} and finalize the
+ ** Go to https://{{ nextcloud_instances[nextcloud_instance].publish.hostnames[0] }} and finalize the
 ** installation. After that run the following commands:
 **
 ** $ nextcloud-occ {{ nextcloud_instance }} config:system:set default_phone_region --value='at'
diff --git a/roles/apps/nextcloud/instance/templates/apache-site.conf.j2 b/roles/apps/nextcloud/instance/templates/apache-site.conf.j2
index a52a7fc5..8df06113 100644
--- a/roles/apps/nextcloud/instance/templates/apache-site.conf.j2
+++ b/roles/apps/nextcloud/instance/templates/apache-site.conf.j2
@@ -1,3 +1,7 @@
+IncludeOptional mods-available/socache_shmcb.load
+IncludeOptional mods-available/ssl.load
+IncludeOptional mods-available/ssl.conf
+
 <VirtualHost *:8080>
 ServerAdmin webmaster@localhost
 DocumentRoot /var/www/html
@@ -5,6 +9,12 @@ UseCanonicalName Off
 UseCanonicalPhysicalPort Off
+ ServerName nextcloud-{{ nextcloud_instance }}.{{ inventory_hostname }}
+ SSLEngine on
+ SSLCertificateFile "/etc/ssl/publish/cert.pem"
+ SSLCertificateKeyFile "/etc/ssl/publish/key.pem"
+ SSLProtocol TLSv1.3
+
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
 </VirtualHost>
diff --git a/roles/apps/nextcloud/instance/templates/pod-spec-with-mariadb.yml.j2 b/roles/apps/nextcloud/instance/templates/pod-spec-with-mariadb.yml.j2
index 42d76757..c1a4f2ea 100644
--- a/roles/apps/nextcloud/instance/templates/pod-spec-with-mariadb.yml.j2
+++ b/roles/apps/nextcloud/instance/templates/pod-spec-with-mariadb.yml.j2
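Review bot: The vhost now terminates TLS on `*:8080` but authenticates nobody — there is no `SSLVerifyClient` — and the nginx task in this commit proxies to `https://{{ ansible_default_ipv4.address }}:<port>` whenever the publisher is another host, so the backend is deliberately reachable over the network and any peer that can open the port gets an encrypted but otherwise unrestricted path to Nextcloud, bypassing whatever the publisher's nginx enforces. Both ends already trust the zone CA (nginx's `proxy_ssl` `trusted_certificate`, and the zone's `certificate_ca_config` issues this very server certificate), so mutual TLS is the natural fix: add `SSLCACertificateFile "/etc/ssl/publish/ca.pem"` and `SSLVerifyClient require` here, have the x509 task also install the CA certificate into the `tls/` directory, and give the publisher a client certificate via `proxy_ssl_certificate`/`proxy_ssl_certificate_key` in the nginx vhost; short of that, firewall the hostPort to the publisher's address. Only `cert.pem` and `key.pem` are written into the mounted directory in this diff, so the CA file would have to be added to the install list as well. `SSLProtocol TLSv1.3` is fine on its own and needs no cipher directives, but a one-line comment such as `# internal nginx->apache hop only; not a public endpoint` above `SSLEngine on` would help the next reader.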
@@ -13,9 +13,7 @@ containers:
 {% if 'new' in nextcloud_instances[nextcloud_instance] and nextcloud_instances[nextcloud_instance].new %}
 env:
 - name: NEXTCLOUD_TRUSTED_DOMAINS
- value: "{{ nextcloud_instances[nextcloud_instance].hostnames | join(' ') }}"
- - name: OVERWRITEPROTOCOL
- value: "https"
+ value: "{{ nextcloud_instances[nextcloud_instance].publish.hostnames | join(' ') }}"
 - name: MYSQL_HOST
 value: 127.0.0.1
 - name: MYSQL_DATABASE
@@ -36,6 +34,9 @@ containers:
 mountPath: /etc/apache2/ports.conf
 subPath: ports.conf
 readOnly: true
+ - name: tls
+ mountPath: /etc/ssl/publish
+ readOnly: true
 ports:
 - containerPort: 8080
 hostPort: {{ nextcloud_instances[nextcloud_instance].port }}
@@ -91,6 +92,10 @@ volumes:
 hostPath:
 path: "{{ nextcloud_instance_basepath }}/config/"
 type: Directory
+- name: tls
+ hostPath:
+ path: "{{ nextcloud_instance_basepath }}/tls/"
+ type: Directory
 - name: nextcloud
 hostPath:
 path: "{{ nextcloud_instance_basepath }}/nextcloud" |
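Review bot: The new `tls` mount sits next to an unchanged `hostPort: {{ … port }}` with no `hostIP`, so the TLS listener that the publisher dials is bound on every interface of the host, even though the task file in this commit only ever connects to `127.0.0.1` (local publisher) or `ansible_default_ipv4.address` (remote publisher). Restrict the bind to the address actually used, provided the pod runtime honours `hostIP` for kube-style specs (podman's kube play does as far as I know — confirm on the target hosts). The `OVERWRITEPROTOCOL=https` removal only affects instances marked `new` (the surrounding `{% if 'new' … %}`), so existing installs keep whatever `overwriteprotocol` their config.php already has; a comment on the `env:` block noting that the scheme now comes from Apache's own TLS would stop someone re-adding it. I would also document the new volume: `# cert.pem/key.pem for the nginx->apache hop, installed by the x509 task; keep readOnly`.
```yaml
  - containerPort: 8080
    hostPort: {{ nextcloud_instances[nextcloud_instance].port }}
{% if nextcloud_instances[nextcloud_instance].publish.zone.publisher == inventory_hostname %}
    hostIP: 127.0.0.1
{% else %}
    hostIP: {{ ansible_default_ipv4.address }}
{% endif %}
```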