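#!/usr/bin/env ansible-playbook
---
# Nextcloud deployment, one play per host group.
# The database play is kept (commented out) so the whole topology stays
# visible in one file; only the web-tier play is active.

#- name: 'postgres'
#  hosts: nextcloud-db
#
#  roles:
#    - prep_secrets
#    - prep_postgres

- name: 'redis, php, nextcloud, caddy'
  hosts: nextcloud-web

  roles:
    # redis / php / nextcloud roles are disabled; this play currently only
    # (re)deploys the Caddy reverse proxy.
    #- prep_redis
    #- prep_php
    #- prep_nextcloud
    - role: prep_caddy
      # Literal block scalar: presumably written out as the Caddyfile by
      # prep_caddy (verify against the role). Caddyfile comments below are
      # part of the rendered file, not YAML comments.
      caddy_config: |
        {
          # remove comment to use staging Let's Encrypt servers (for testing)
          #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
          email admins@pub.solar
        }

        # snippets

        # security and privacy headers
        (headers) {
          header {
            # disable FLoC tracking
            Permissions-Policy interest-cohort=()

            # enable HSTS
            # NOTE(review): no includeSubDomains / preload, so only this exact
            # host is pinned; confirm that is intentional for the zone.
            Strict-Transport-Security max-age=63072000;

            # keep referrer data off of HTTP connections
            # NOTE(review): Nextcloud sends its own Referrer-Policy (no-referrer,
            # which is stricter); check the effective header on a real response
            # so this value neither duplicates nor weakens it.
            Referrer-Policy no-referrer-when-downgrade

            # disable clients from sniffing the media type
            # already set by nextcloud
            #X-Content-Type-Options nosniff

            # clickjacking protection
            # already set by nextcloud
            #X-Frame-Options SAMEORIGIN
          }
        }

        # legacy hostname: permanent redirect to the canonical site, path kept
        cloud.miom.space {
          redir https://cloud.pub.solar{uri}

          # import security headers snippet
          import headers
        }

        cloud.pub.solar {
          root * /var/www/nextcloud
          file_server
          php_fastcgi unix//run/php/php-fpm8.sock

          # DAV autodiscovery for CalDAV/CardDAV clients
          redir /.well-known/carddav /remote.php/dav 301
          redir /.well-known/caldav /remote.php/dav 301

          # caddys default is no access logs at all
          # comment this block out for debugging
          # NOTE(review): without access logs there is no request trail for
          # incident response; consider enabling with log rotation.
          #log {
          #  output file /var/log/caddy-access.log
          #}

          # .htaccess / data / config / ... no access from outside
          # Caddy orders `respond` before php_fastcgi/file_server, so these
          # paths are answered 404 without ever reaching PHP or the filesystem.
          # NOTE(review): only /.htaccess and /.xml are covered among dotfiles;
          # check whether other dotfiles in the webroot (e.g. .user.ini) should
          # be listed here too.
          @forbidden {
            path /.htaccess
            path /data/*
            path /config/*
            path /db_structure
            path /.xml
            path /README
            path /3rdparty/*
            path /lib/*
            path /templates/*
            path /occ
            path /console.php
          }
          respond @forbidden 404

          encode gzip

          # import security headers snippet
          import headers
        }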