kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-02-22 20:39:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

In between re-draft for nextcloud

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-02-10 22:42:08 +01:00
parent 762c564c61
commit 74683bc1fc
17 changed files with 265 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
group_vars/all/11_iam.yml
View File

@ -35,5 +35,15 @@ oauth2_proxy_active: false
#############################################
### LDAP ###
#############################################
# Activate LDAP network for insecure communitation on localhot between different container instances. Set in vars/main.yml
# Activate local LDAP network for communitation on localhot between different docker containers
#
# Set in vars/main.yml via:
# ldap_network_enabled: "{{ldap.enabled}}"
#
# This leads to that the local ldap networks get enabled, if LDAP is enabled
ldap_network_enabled: false
ldap:
enabled: true # Enable or disable LDAP

2
roles/docker-funkwhale/vars/main.yml
View File

@ -2,7 +2,7 @@ application_id: "funkwhale"
nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size 512M;"
database_password: "{{funkwhale_database_password}}"
database_type: "postgres"
ldap_network_enabled: true # Activate LDAP network
ldap_network_enabled: "{{ldap.enabled}}"
media_root: "/srv/funkwhale/data/"
static_root: "{{media_root}}static"
celeryd_concurrency: 1

8
roles/docker-keycloak/vars/main.yml
View File

@ -1,4 +1,4 @@
application_id: "keycloak"
database_type: "postgres"
database_password: "{{keycloak_database_password}}"
ldap_network_enabled: true # Activate LDAP network
application_id: "keycloak"
database_type: "postgres"
database_password: "{{keycloak_database_password}}"
ldap_network_enabled: "{{ldap.enabled}}"

2
roles/docker-ldap/vars/main.yml
View File

@ -11,4 +11,4 @@ oauth2_proxy_active: true
enable_wildcard_certificate: false # Activate dedicated Certificate
ldap_network_enabled: true # Activate LDAP network
ldap_network_enabled: "{{ldap.enabled}}"

2
roles/docker-mybb/templates/default.conf
View File

@ -4,7 +4,7 @@ upstream mybb {
server {
listen 80;
error_log stderr debug;
error_log /proc/self/fd/2 {% if enable_debug | bool %}debug{% else %}warn{% endif %};
root /var/www/html;
index index.html index.php;

17
roles/docker-nextcloud/README.md
View File

@ -117,6 +117,17 @@ docker-compose exec -it nextcloud_database_1 mysql -u nextcloud -pPASSWORD123413
docker-compose exec -it -u www-data application /var/www/html/occ maintenance:mode --off
```
---
# Identity and Access Management (IAM)
## OpenID Connect (OIDC) Support 🔐
OIDC is supported in this role—for example, via **Keycloak**. OIDC-specific tasks are included when enabled, allowing integration of external authentication providers seamlessly.
## LDAP
---
## Architecture
@ -156,12 +167,6 @@ docker-compose logs web --tail 1000 | grep 504
- [Nextcloud Talk Plugin and Turnserver in Docker](https://forum.openmediavault.org/index.php?thread/31782-docker-nextcloud-talk-plugin-and-turnserver/)
- [Nextcloud Talk on Docker: Turn Server Issues](https://help.nextcloud.com/t/nextcloud-talk-im-docker/container/turn-server-auf-docker-host-kein-video/84133/10)
---
## OIDC (OpenID Connect) Support 🔐
OIDC is supported in this role—for example, via **Keycloak**. OIDC-specific tasks are included when enabled, allowing integration of external authentication providers seamlessly.
---
## Author

5
roles/docker-nextcloud/handlers/main.yml Normal file
View File

@ -0,0 +1,5 @@
---
- name: restart docker nginx service
command:
cmd: "docker exec {{nextcloud_nginx_container_name}} nginx -s reload"
listen: restart docker nginx service

3
roles/docker-nextcloud/tasks/ldap.yml Normal file
View File

@ -0,0 +1,3 @@
# @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html
# @See https://chatgpt.com/c/67aa2d21-cb4c-800f-b1be-8629b6bd3f55
#docker compose exec -u www-data application php occ app:enable user_ldap

18
roles/docker-nextcloud/tasks/main.yml
View File

@ -6,21 +6,25 @@
- name: "include task certbot-and-globals.yml"
include_tasks: certbot-and-globals.yml
- name: configure {{domain}}.conf
- name: create nextcloud nginx proxy configuration file
template:
src: "templates/nextcloud.conf.j2"
src: "proxy-nginx.conf.j2"
dest: "{{nginx.directories.http.servers}}{{domain}}.conf"
notify: restart nginx
- name: create nginx.conf
- name: create internal nextcloud nginx configuration
template:
src: "templates/nginx.conf.j2"
src: "internal-nginx.conf.j2"
dest: "{{docker_compose.directories.volumes}}nginx.conf"
notify: docker compose project setup
notify: restart docker nginx service
- name: "copy docker-compose.yml and env file"
include_tasks: copy-docker-compose-and-env.yml
- name: Include OIDC-specific tasks if OIDC client is active
include_tasks: oidc_tasks.yml
- name: Include OIDC-specific tasks
include_tasks: oidc.yml
when: oidc.enabled | bool
- name: Include LDAP specific tasks
include_tasks: ldap.yml
when: ldap.enabled | bool

0
roles/docker-nextcloud/tasks/oidc_tasks.yml → roles/docker-nextcloud/tasks/oidc.yml
View File

2
roles/docker-nextcloud/templates/docker-compose.yml.j2
View File

@ -15,7 +15,7 @@ services:
web:
image: nginx:alpine
container_name: nextcloud-web
container_name: {{nextcloud_nginx_container_name}}
logging:
driver: journald
restart: {{docker_restart_policy}}

5
roles/docker-nextcloud/templates/env.j2
View File

@ -1,4 +1,5 @@
# See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html
# @See https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html
# @See https://github.com/nextcloud/docker/blob/master/README.md
# Database Configuration
MYSQL_DATABASE= "{{database_name}}"
@ -17,5 +18,5 @@ SMTP_NAME= {{system_email.username}}
SMTP_PASSWORD= {{system_email.password}}
# Email from configuration
MAIL_FROM_ADDRESS= no-reply
MAIL_FROM_ADDRESS=no-reply
MAIL_DOMAIN= {{system_email.domain}}

194
roles/docker-nextcloud/templates/internal-new.conf.j2 Normal file
View File

@ -0,0 +1,194 @@
# Internal configuration file for nextcloud
worker_processes auto;
# @see https://chatgpt.com/share/67aa3ce9-eea0-800f-85e8-ac54a3810b13
error_log /proc/self/fd/2 warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
types {
application/javascript mjs;
}
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /proc/self/fd/1 main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
fastcgi_send_timeout 900s;
fastcgi_read_timeout 900s;
proxy_buffering off;
#gzip on;
upstream php-handler {
server application:9000;
}
# Set the `immutable` cache control options only for assets with a cache busting `v` argument
map $arg_v $asset_immutable {
"" "";
default ", immutable";
}
server {
listen 80;
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root /var/www/html;
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The rules in this block are an adaptation of the rules
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location = /.well-known/webfinger { return 301 /index.php/.well-known/webfinger; }
location = /.well-known/nodeinfo { return 301 /index.php/.well-known/nodeinfo; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
# Added due to this error: https://help.nextcloud.com/t/ldap-ad-authnetication-500-error-on-ajax-request/107168/3
#rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
#fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
# Serve static files
location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
try_files $uri /index.php$request_uri;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Cache-Control "public, max-age=15778463$asset_immutable";
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-XSS-Protection "1; mode=block" always;
access_log off; # Optional: Don't log access to assets
}
location ~ \.(otf|woff2?)$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}
}

17
roles/docker-nextcloud/templates/nginx.conf.j2 → roles/docker-nextcloud/templates/internal-nginx.conf.j2
View File

@ -1,6 +1,11 @@
# Internal configuration file for nextcloud
# Verify time by time, that this rules are valid:
# https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html
worker_processes auto;
error_log /var/log/nginx/error.log warn;
# @see https://chatgpt.com/share/67aa3ce9-eea0-800f-85e8-ac54a3810b13
error_log /proc/self/fd/2 {% if enable_debug | bool %}debug{% else %}warn{% endif %};
pid /var/run/nginx.pid;
@ -19,7 +24,7 @@ http {
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
access_log /proc/self/fd/1 main;
sendfile on;
#tcp_nopush on;
@ -132,6 +137,10 @@ http {
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
# Added due to this error: https://help.nextcloud.com/t/ldap-ad-authnetication-500-error-on-ajax-request/107168/3
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
@ -150,13 +159,13 @@ http {
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|svg|gif)$ {
location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location ~ \.woff2?$ {
location ~ \.(otf|woff2?)$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets

2
roles/docker-nextcloud/templates/nextcloud.conf.j2 → roles/docker-nextcloud/templates/proxy-nginx.conf.j2
View File

@ -1,3 +1,5 @@
# This is the nginx configuration file for the proxy server
server
{
server_name {{domain}};

4
roles/docker-nextcloud/vars/main.yml
View File

@ -2,4 +2,6 @@
application_id: "nextcloud"
database_password: "{{nextcloud_database_password}}"
database_type: "mariadb"
nextcloud_application_container_name: "nextcloud-application"
nextcloud_application_container_name: "nextcloud-application"
nextcloud_nginx_container_name: "nextcloud-web"
ldap_network_enabled: "{{ldap.enabled}}"

2
roles/docker-openproject/vars/main.yml
View File

@ -15,4 +15,4 @@ dummy_volume: "{{docker_compose.directories.volu
oauth2_proxy_upstream_application_and_port: "proxy:80"
oauth2_proxy_active: true
ldap_network_enabled: true # Activate LDAP network
ldap_network_enabled: "{{ldap.enabled}}"