From f2f8d661a0f1a99604fd1c502c708d6824948376 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Mon, 14 Oct 2019 21:27:28 +0200
Subject: nextcloud deployment made easier
---
inventory/host_vars/sk-cloudia/nextcloud.yml | 23 +++++------
roles/nextcloud/tasks/main.yml | 42 ++++----------------
roles/nextcloud/templates/apache-site.conf.j2 | 10 +----
roles/nextcloud/templates/nginx-vhost.conf.j2 | 45 ----------------------
roles/nextcloud/templates/pod-with-mariadb.yml.j2 | 6 +--
.../generic-proxy-no-buffering-with-acme.conf.j2 | 3 ++
6 files changed, 25 insertions(+), 104 deletions(-)
delete mode 100644 roles/nextcloud/templates/nginx-vhost.conf.j2
diff --git a/inventory/host_vars/sk-cloudia/nextcloud.yml b/inventory/host_vars/sk-cloudia/nextcloud.yml
index fa03dab6..6077579b 100644
--- a/inventory/host_vars/sk-cloudia/nextcloud.yml
+++ b/inventory/host_vars/sk-cloudia/nextcloud.yml
@@ -16,14 +16,15 @@ nextcloud_instances:
 type: mariadb
 version: 10.4.8
 password: "{{ vault_nextcloud_database_passwords['wolke.elevate.at'] }}"
- # insomnia.skillz.biz:
- # new: yes
- # version: 16.0.5
- # port: 8101
- # hostnames:
- # - insomnia.skillz.biz
- # quota: 200G
- # database:
- # type: mariadb
- # version: 10.4.8
- # password: "{{ vault_nextcloud_database_passwords['insomnia.skillz.biz'] }}"
+ insomnia.skillz.biz:
+ new: yes
+ version: 16.0.5
+ port: 8101
+ hostnames:
+# - insomnia.skillz.biz
+ - wolke.elev8.at
+ quota: 200G
+ database:
+ type: mariadb
+ version: 10.4.8
+ password: "{{ vault_nextcloud_database_passwords['insomnia.skillz.biz'] }}"
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 0f9413b9..1b0602f5 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
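Review bot: In the re-enabled `insomnia.skillz.biz` instance the served hostname is now `wolke.elev8.at` while the instance key and the vault lookup `vault_nextcloud_database_passwords['insomnia.skillz.biz']` keep the old name, and the old hostname survives only as a commented-out list item inside `hostnames:`. Nothing on the page says why the names diverge, so a later reader cannot tell whether the commented line is a pending rename or a leftover. I would add a comment above the instance key, e.g. `# instance key and vault entry keep the original name; currently served as wolke.elev8.at`, or rename key, vault entry and hostname consistently. If the first `hostnames` entry is what the ACME vhost requests a certificate for (as the deleted nginx-vhost.conf.j2 did), the comment should also say that uncommenting the old line changes which certificate is issued.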
@@ -89,45 +89,14 @@ src: apache-site.conf.j2 dest: "{{ nextcloud_base_path }}/{{ item }}/config/apache-site.conf" -- name: configure apache to run on port 8443 only +- name: configure apache to run on port 8080 only loop: "{{ nextcloud_instances | list }}" copy: content: | - Listen 8443 + Listen 8080 dest: "{{ nextcloud_base_path }}/{{ item }}/config/ports.conf" -- name: create tls cert/key directory - loop: "{{ nextcloud_instances | list }}" - file: - path: "{{ nextcloud_base_path }}/{{ item }}/config/tls" - state: directory - -- name: generate tls private key for apache - loop: "{{ nextcloud_instances | list }}" - openssl_privatekey: - path: "{{ nextcloud_base_path }}/{{ item }}/config/tls/nextcloud.key" - mode: 0640 - owner: root - group: nc-app - -- name: generate csr for selfsigned certifacate - loop: "{{ nextcloud_instances | list }}" - openssl_csr: - path: "{{ nextcloud_base_path }}/{{ item }}/config/tls/nextcloud.csr" - privatekey_path: "{{ nextcloud_base_path }}/{{ item }}/config/tls/nextcloud.key" - common_name: "nextcloud-{{ item }}" - -## TODO: fix idempotence -- name: generate tls self-signed certificate for apache - loop: "{{ nextcloud_instances | list }}" - openssl_certificate: - path: "{{ nextcloud_base_path }}/{{ item }}/config/tls/nextcloud.crt" - privatekey_path: "{{ nextcloud_base_path }}/{{ item }}/config/tls/nextcloud.key" - csr_path: "{{ nextcloud_base_path }}/{{ item }}/config/tls/nextcloud.csr" - provider: selfsigned - - - name: generate pod manifests loop: "{{ nextcloud_instances | dict2items }}" loop_control: @@ -172,6 +141,11 @@ vars: nginx_vhost: name: "{{ item.key }}" - content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}" + template: generic-proxy-no-buffering-with-acme acme: true hostnames: "{{ item.value.hostnames }}" + client_max_body_size: "512M" + proxy_pass: "http://127.0.0.1:{{ item.value.port }}" + proxy_redirect: + redirect: "http://$host:8080/" + replacement: "https://$host/" 
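Review bot: Apache now serves plain HTTP on 8080 (`Listen 8080`), and the pod manifest hunk in roles/nextcloud/templates/pod-with-mariadb.yml.j2 publishes that port with `hostPort: {{ item.value.port }}` and no host address; unless the pod runtime binds hostPort to loopback by default, the unencrypted backend is reachable on every host interface and bypasses the nginx TLS termination, HSTS and ACME vhost the commit moves it behind. The removed self-signed setup at least kept the nginx→Apache hop encrypted and verified (`proxy_ssl_verify on` in the deleted nginx-vhost.conf.j2). I would pin the published port to the loopback interface in the manifest, `hostIP: 127.0.0.1` on the `containerPort: 8080` entry if the runtime honours it, or otherwise filter the port on the host, and record the assumption on the ports task: `# plain HTTP on purpose: the port must only be reachable via the local nginx proxy`. The task list continues outside the hunk.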
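Review bot: The new `proxy_redirect` pair only rewrites Location/Refresh headers that literally begin with `http://$host:8080/`; any other absolute http:// URL the backend emits, including ones in response bodies, passes through unchanged. The deleted nginx-vhost.conf.j2 forwarded X-Forwarded-Proto, X-Forwarded-Ssl and X-Forwarded-Port so the backend could learn the original scheme, and the hunk does not show whether `generic-proxy-no-buffering-with-acme` sets the same headers. I would note the intent on the new key, `# apache serves plain http on 8080; fix up the absolute redirects it emits`, and confirm the forwarded headers in the generic template so the application does not depend on this rewrite alone.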
diff --git a/roles/nextcloud/templates/apache-site.conf.j2 b/roles/nextcloud/templates/apache-site.conf.j2 index 457cdfd4..a52a7fc5 100644 --- a/roles/nextcloud/templates/apache-site.conf.j2 +++ b/roles/nextcloud/templates/apache-site.conf.j2 @@ -1,18 +1,10 @@ -Include mods-available/socache_shmcb.load -Include mods-available/ssl.load -Include mods-available/ssl.conf - - + ServerAdmin webmaster@localhost DocumentRoot /var/www/html UseCanonicalName Off UseCanonicalPhysicalPort Off - SSLEngine On - SSLCertificateFile /etc/apache2/tls/nextcloud.crt - SSLCertificateKeyFile /etc/apache2/tls/nextcloud.key - ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined diff --git a/roles/nextcloud/templates/nginx-vhost.conf.j2 b/roles/nextcloud/templates/nginx-vhost.conf.j2 deleted file mode 100644 index 717c0dea..00000000 --- a/roles/nextcloud/templates/nginx-vhost.conf.j2 +++ /dev/null 
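Review bot: With the `SSLEngine`/`SSLCertificate*` lines and the ssl/socache includes gone, nothing in the template records that TLS now ends at the host nginx, and the vhost has no directive telling Apache the client connection was HTTPS; the VirtualHost opening line itself appears to have been lost in this rendering, so the exact port binding is not visible here. A reader of this template alone cannot tell that it is only meant to be reached through the reverse proxy. I would add a header comment, `# TLS is terminated by the host nginx (roles/nginx/vhost); this vhost is plain HTTP and must only be reachable through that proxy`, and, if mod_remoteip is available in the image, `RemoteIPHeader X-Forwarded-For` with `RemoteIPInternalProxy 127.0.0.1` so access logs show the real client rather than the proxy.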
@@ -1,45 +0,0 @@ -server { - listen 80; - listen [::]:80; - server_name {{ item.value.hostnames | join(' ') }}; - - include snippets/acmetool.conf; - - location / { - return 301 https://$host$request_uri; - } -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name {{ item.value.hostnames | join(' ') }}; - - include snippets/acmetool.conf; - include snippets/ssl.conf; - ssl_certificate /var/lib/acme/live/{{ item.value.hostnames[0] }}/fullchain; - ssl_certificate_key /var/lib/acme/live/{{ item.value.hostnames[0] }}/privkey; - include snippets/hsts.conf; - - location / { - include snippets/proxy-nobuff.conf; - client_max_body_size 512M; - - proxy_set_header Host $host:443; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Ssl on; - proxy_set_header X-Forwarded-Port $server_port; - - # for websockets - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - - proxy_ssl_trusted_certificate /srv/storage/nextcloud/{{ item.key }}/config/tls/nextcloud.crt; - proxy_ssl_verify on; - proxy_ssl_name nextcloud-{{ item.key }}; - - proxy_pass https://127.0.0.1:{{ item.value.port }}; - } -} diff --git a/roles/nextcloud/templates/pod-with-mariadb.yml.j2 b/roles/nextcloud/templates/pod-with-mariadb.yml.j2 index 92347a44..cebcb2ef 100644 --- a/roles/nextcloud/templates/pod-with-mariadb.yml.j2 +++ b/roles/nextcloud/templates/pod-with-mariadb.yml.j2 @@ -38,12 +38,8 @@ spec: mountPath: /etc/apache2/ports.conf subPath: ports.conf readOnly: true - - name: config - mountPath: /etc/apache2/tls/ - subPath: tls - readOnly: true ports: - - containerPort: 8443 + - containerPort: 8080 hostPort: {{ item.value.port }} - name: database image: "mariadb:{{ item.value.database.version }}" 
diff --git a/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2 b/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2
index 55bd5ac6..0d3e1db2 100644
--- a/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2
+++ b/roles/nginx/vhost/templates/generic-proxy-no-buffering-with-acme.conf.j2
@@ -39,5 +39,8 @@ server {
 proxy_set_header Connection $connection_upgrade;
 proxy_pass {{ nginx_vhost.proxy_pass }};
+{% if 'proxy_redirect' in nginx_vhost %}
+ proxy_redirect {{ nginx_vhost.proxy_redirect.redirect }} {{ nginx_vhost.proxy_redirect.replacement }};
+{% endif %}
 }
 }
-- cgit v1.2.3
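Review bot: `nginx_vhost.proxy_redirect` is a new, undocumented part of the role's interface: the guard only checks that the key exists and then dereferences `.redirect` and `.replacement`, so the expected shape is discoverable only from the nextcloud role's call site. The template also supports a single pair, although nginx accepts several `proxy_redirect` lines as well as the `default` and `off` forms. I would add a Jinja comment before the `{% if %}`, `{# optional: nginx_vhost.proxy_redirect = {redirect: <url or regex>, replacement: <url>}; rewrites Location/Refresh headers from the upstream #}`, and consider accepting a list of pairs if more than one rewrite is ever needed. The enclosing `server {` block starts outside the hunk.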