-rw-r--r--dan/sk-cloudia.yml1
-rw-r--r--inventory/host_vars/sk-cloudia/nextcloud.yml20
-rw-r--r--inventory/host_vars/sk-cloudia/vars.yml3
-rw-r--r--roles/nextcloud/tasks/main.yml37
-rw-r--r--roles/nextcloud/templates/pod-with-mariadb.yml.j245
-rw-r--r--roles/nginx/templates/generic-proxy-no-buffering-with-acme.conf.j25
6 files changed, 91 insertions, 20 deletions
diff --git a/dan/sk-cloudia.yml b/dan/sk-cloudia.yml
index 6e2f0f88..cd87c77e 100644
--- a/dan/sk-cloudia.yml
+++ b/dan/sk-cloudia.yml
@@ -12,3 +12,4 @@
- role: kubernetes/standalone
- role: acmetool/base
- role: nginx
+ - role: nextcloud
diff --git a/inventory/host_vars/sk-cloudia/nextcloud.yml b/inventory/host_vars/sk-cloudia/nextcloud.yml
index a39c21dd..9b14e709 100644
--- a/inventory/host_vars/sk-cloudia/nextcloud.yml
+++ b/inventory/host_vars/sk-cloudia/nextcloud.yml
@@ -15,13 +15,13 @@ nextcloud_instances:
type: mariadb
version: 10.4.8
password: "{{ vault_nextcloud_database_passwords['wolke.elevate.at'] }}"
- insomnia.skillz.biz:
- version: 16.0.5
- port: 8101
- hostnames:
- - insomnia.skillz.biz
- quota: 200G
- database:
- type: mariadb
- version: 10.4.8
- password: "{{ vault_nextcloud_database_passwords['insomnia.skillz.biz'] }}"
+ # insomnia.skillz.biz:
+ # version: 16.0.5
+ # port: 8101
+ # hostnames:
+ # - insomnia.skillz.biz
+ # quota: 200G
+ # database:
+ # type: mariadb
+ # version: 10.4.8
+ # password: "{{ vault_nextcloud_database_passwords['insomnia.skillz.biz'] }}"
diff --git a/inventory/host_vars/sk-cloudia/vars.yml b/inventory/host_vars/sk-cloudia/vars.yml
index e4d1ddf3..cb5b47a8 100644
--- a/inventory/host_vars/sk-cloudia/vars.yml
+++ b/inventory/host_vars/sk-cloudia/vars.yml
@@ -38,9 +38,11 @@ kubernetes_standalone_cni_variant: with-localonly-portmap
acmetool_directory_server: "{{ acmetool_directory_server_le_live }}"
+### TODO: should this be done via the nextcloud role?
nginx_vhosts:
wolke.elevate.at:
template: generic-proxy-no-buffering-with-acme
+ client_max_body_size: 0
acme: true
hostnames:
- wolke.elev8.at
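Review bot: `client_max_body_size: 0` on the wolke.elevate.at vhost turns the nginx request-body limit off entirely rather than raising it, and nothing in the hunk records that this is intentional. Combined with the no-buffering proxy snippet this means request bodies of any size are streamed straight through to the app container, so the only remaining cap is whatever Apache/PHP inside the pod enforce, which this commit does not show. A short comment on the line would save the next reader from "fixing" it, e.g. `client_max_body_size: 0  # unlimited on purpose (Nextcloud uploads); size limits are enforced by the app container`. The same value is added to the commented-out insomnia.skillz.biz block in the next hunk.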
@@ -48,6 +50,7 @@ nginx_vhosts:
proxy_pass: "http://127.0.0.1:8100"
# insomnia.skillz.biz:
# template: generic-proxy-no-buffering-with-acme
+ # client_max_body_size: 0
# acme: true
# hostnames:
# - insomnia.skillz.biz
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 8453ce65..fe65d62b 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -79,6 +79,43 @@
state: directory
+- name: create image config dir
+ loop: "{{ nextcloud_instances | list }}"
+ loop_control:
+ label: "{{ item }}"
+ file:
+ path: "{{ nextcloud_base_path }}/{{ item }}/config"
+ state: directory
+
+- name: create apache vhost config
+ loop: "{{ nextcloud_instances | list }}"
+ loop_control:
+ label: "{{ item }}"
+ copy:
+ content: |
+ <VirtualHost *:8080>
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # SetEnv HTTPS on
+ # SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+ </VirtualHost>
+ dest: "{{ nextcloud_base_path }}/{{ item }}/config/apache-site.conf"
+
+- name: configure apache to run on port 8080 only
+ loop: "{{ nextcloud_instances | list }}"
+ loop_control:
+ label: "{{ item }}"
+ copy:
+ content: |
+ Listen 8080
+ dest: "{{ nextcloud_base_path }}/{{ item }}/config/ports.conf"
+
+
+
- name: generate pod manifests
loop: "{{ nextcloud_instances | dict2items }}"
loop_control:
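Review bot: The Apache vhost written by "create apache vhost config" leaves both `SetEnv HTTPS on` and `SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on` commented out, so PHP inside the container never learns that TLS was terminated at nginx, even though the nginx template in this same commit sends `X-Forwarded-Proto $scheme` (and now `X-Forwarded-Ssl`). Nextcloud will then generate plain-http URLs and treat the session as non-TLS unless its own config.php overrides (trusted proxies / overwrite protocol) are set somewhere this role does not show; either uncomment `SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on` or add a comment naming where that proxy trust is configured. Worth noting in that comment that the header is only trustworthy if the pod's hostPort is reachable solely through the local nginx, which cannot be confirmed from this hunk. The two `copy:` tasks also set no `mode:`, so the generated apache-site.conf and ports.conf get the controller's default umask — fine for these non-secret files, but stating that intent keeps the tasks consistent with the directory task above. The "generate pod manifests" task at the end continues outside the hunk.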
diff --git a/roles/nextcloud/templates/pod-with-mariadb.yml.j2 b/roles/nextcloud/templates/pod-with-mariadb.yml.j2
index 4e2f6baa..7fa40cd4 100644
--- a/roles/nextcloud/templates/pod-with-mariadb.yml.j2
+++ b/roles/nextcloud/templates/pod-with-mariadb.yml.j2
@@ -7,17 +7,35 @@ spec:
allowPrivilegeEscalation: false
containers:
- name: nextcloud
- image: debian:buster
- command:
- - /bin/bash
- - -c
- - "sleep 7200"
- # securityContext:
- # runAsUser: {{ nextcloud_app_uid }}
- # runAsGroup: {{ nextcloud_app_gid }}
+ image: "nextcloud:{{ item.value.version }}"
+ securityContext:
+ runAsUser: {{ nextcloud_app_uid }}
+ runAsGroup: {{ nextcloud_app_gid }}
+ resources:
+ limits:
+ memory: "4Gi"
+ env:
+ - name: NEXTCLOUD_TRUSTED_DOMAINS
+ value: "{{ item.value.hostnames | join(' ') }}"
+ - name: MYSQL_HOST
+ value: 127.0.0.1
+ - name: MYSQL_DATABASE
+ value: nextcloud
+ - name: MYSQL_USER
+ value: nextcloud
+ - name: MYSQL_PASSWORD
+ value: "{{ item.value.database.password }}"
volumeMounts:
- name: nextcloud
mountPath: /var/www/html
+ - name: config
+ mountPath: /etc/apache2/sites-available/000-default.conf
+ subPath: apache-site.conf
+ readOnly: true
+ - name: config
+ mountPath: /etc/apache2/ports.conf
+ subPath: ports.conf
+ readOnly: true
ports:
- containerPort: 8080
hostPort: {{ item.value.port }}
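Review bot: `MYSQL_PASSWORD` is passed as a literal `value:` in the nextcloud container's env, so the vault-protected database password ends up in the rendered pod manifest on disk and in the container's process environment, readable by anything that can inspect the pod or `/proc`. The same pattern is added to the mariadb container in the second hunk of this file (`- name: MYSQL_PASSWORD` / `value: "{{ item.value.database.password }}"`). Prefer a Secret object referenced with `valueFrom: { secretKeyRef: ... }`, or — since both official images accept a file-based password via their `*_FILE` variant, to be confirmed for the pinned versions — mount the password as a read-only file the same way apache-site.conf is mounted here. Also `resources.limits.memory` is set without a matching `requests`, which on a standalone node is harmless but worth a comment so the asymmetry is understood as deliberate.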
@@ -29,19 +47,26 @@ spec:
securityContext:
runAsUser: {{ nextcloud_db_uid }}
runAsGroup: {{ nextcloud_db_gid }}
+ resources:
+ limits:
+ memory: "2Gi"
env:
- name: MYSQL_RANDOM_ROOT_PASSWORD
value: "true"
- - name: MYSQL_PASSWORD
- value: "{{ item.value.database.password }}"
- name: MYSQL_DATABASE
value: nextcloud
- name: MYSQL_USER
value: nextcloud
+ - name: MYSQL_PASSWORD
+ value: "{{ item.value.database.password }}"
volumeMounts:
- name: database
mountPath: /var/lib/mysql
volumes:
+ - name: config
+ hostPath:
+ path: "{{ nextcloud_base_path }}/{{ item.key }}/config/"
+ type: Directory
- name: nextcloud
hostPath:
path: "{{ nextcloud_base_path }}/{{ item.key }}/nextcloud"
diff --git a/roles/nginx/templates/generic-proxy-no-buffering-with-acme.conf.j2 b/roles/nginx/templates/generic-proxy-no-buffering-with-acme.conf.j2
index 8cad2994..9f165726 100644
--- a/roles/nginx/templates/generic-proxy-no-buffering-with-acme.conf.j2
+++ b/roles/nginx/templates/generic-proxy-no-buffering-with-acme.conf.j2
@@ -23,11 +23,16 @@ server {
location / {
include snippets/proxy-nobuff.conf;
+{% if 'client_max_body_size' in item.value %}
+ client_max_body_size {{ item.value.client_max_body_size }};
+{% endif %}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-Port $server_port;
# for websockets
proxy_set_header Upgrade $http_upgrade;
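Review bot: `proxy_set_header X-Forwarded-Ssl on;` is hard-coded while the line above it sends `X-Forwarded-Proto $scheme`, so the two headers disagree for any request that reaches this `location /` over plain HTTP; whether this server block also listens on port 80 is not visible in the hunk (the `server {` opening is outside it), but the ACME variant of the template suggests a non-TLS path may exist. Using nginx's built-in `$https` keeps the header truthful and is a one-line change: `proxy_set_header X-Forwarded-Ssl $https;` — it yields `on` on TLS connections and an empty value (header omitted) otherwise. The `client_max_body_size` conditional is fine, though a one-line `# 0 = unlimited; set per-vhost in nginx_vhosts` comment inside the `{% if %}` would tie it to the inventory value this commit introduces.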