infra-vintage/nextcloud/ansible/nextcloud.yml

#!/usr/bin/env ansible-playbook

#- name: 'postgres'
#  hosts: nextcloud-db
#
#  roles:
#    - prep_secrets
#    - prep_postgres
#
- name: 'redis, php, nextcloud, caddy'
  hosts: nextcloud-web

  roles:
#    - prep_redis
#    - prep_php
#    - prep_nextcloud
    - role: prep_caddy
      caddy_config: |
        {
          # remove comment to use staging Let's Encrypt servers (for testing)
          #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory

          email admins@pub.solar
        }
        # snippets
        # security and privacy headers
        (headers) {
          header {
            # disable FLoC tracking
            Permissions-Policy interest-cohort=()

            # enable HSTS
            Strict-Transport-Security max-age=63072000;

            # keep referrer data off of HTTP connections
            Referrer-Policy no-referrer-when-downgrade

            # disable clients from sniffing the media type
            # already set by nextcloud
            #X-Content-Type-Options nosniff

            # clickjacking protection
            # already set by nextcloud
            #X-Frame-Options SAMEORIGIN
          }
        }
        cloud.miom.space {
          redir https://cloud.pub.solar{uri}

          # import security headers snippet
          import headers
        }
        cloud.pub.solar {
          root * /var/www/nextcloud
          file_server
          php_fastcgi unix//run/php/php-fpm8.sock

          redir /.well-known/carddav /remote.php/dav 301
          redir /.well-known/caldav /remote.php/dav 301

          # caddys default is no access logs at all
          # comment this block out for debugging
          #log {
          #        output file /var/log/caddy-access.log
          #}

          # .htaccess / data / config / ... no access from outside
          @forbidden {
                  path    /.htaccess
                  path    /data/*
                  path    /config/*
                  path    /db_structure
                  path    /.xml
                  path    /README
                  path    /3rdparty/*
                  path    /lib/*
                  path    /templates/*
                  path    /occ
                  path    /console.php
          }

          respond @forbidden 404

          encode gzip

          # import security headers snippet
          import headers
        }
Init cloud.pub.solar on Alpine Linux 2022-06-04 14:39:34 +00:00			`#!/usr/bin/env ansible-playbook`

			`#- name: 'postgres'`
			`# hosts: nextcloud-db`
			`#`
			`# roles:`
			`# - prep_secrets`
			`# - prep_postgres`
			`#`
			`- name: 'redis, php, nextcloud, caddy'`
			`hosts: nextcloud-web`

			`roles:`
			`# - prep_redis`
			`# - prep_php`
			`# - prep_nextcloud`
			`- role: prep_caddy`
			`caddy_config: \|`
			`{`
			`# remove comment to use staging Let's Encrypt servers (for testing)`
			`#acme_ca https://acme-staging-v02.api.letsencrypt.org/directory`

			`email admins@pub.solar`
			`}`
			`# snippets`
			`# security and privacy headers`
			`(headers) {`
			`header {`
			`# disable FLoC tracking`
			`Permissions-Policy interest-cohort=()`

			`# enable HSTS`
			`Strict-Transport-Security max-age=63072000;`

			`# keep referrer data off of HTTP connections`
			`Referrer-Policy no-referrer-when-downgrade`

			`# disable clients from sniffing the media type`
			`# already set by nextcloud`
			`#X-Content-Type-Options nosniff`

			`# clickjacking protection`
			`# already set by nextcloud`
			`#X-Frame-Options SAMEORIGIN`
			`}`
			`}`
			`cloud.miom.space {`
			`redir https://cloud.pub.solar{uri}`

			`# import security headers snippet`
			`import headers`
			`}`
			`cloud.pub.solar {`
			`root * /var/www/nextcloud`
			`file_server`
			`php_fastcgi unix//run/php/php-fpm8.sock`

			`redir /.well-known/carddav /remote.php/dav 301`
			`redir /.well-known/caldav /remote.php/dav 301`

			`# caddys default is no access logs at all`
			`# comment this block out for debugging`
			`#log {`
			`# output file /var/log/caddy-access.log`
			`#}`

			`# .htaccess / data / config / ... no access from outside`
			`@forbidden {`
			`path /.htaccess`
			`path /data/*`
			`path /config/*`
			`path /db_structure`
			`path /.xml`
			`path /README`
			`path /3rdparty/*`
			`path /lib/*`
			`path /templates/*`
			`path /occ`
			`path /console.php`
			`}`

			`respond @forbidden 404`

			`encode gzip`

			`# import security headers snippet`
			`import headers`
			`}`