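#!/usr/bin/env ansible-playbook
---
# Nextcloud web host playbook.
#
# As written, only the prep_caddy role is applied: the postgres play below
# and the redis/php/nextcloud roles are commented out (presumably handled
# elsewhere or applied once by hand — not visible from this file).
#
# - name: 'postgres'
#   hosts: nextcloud-db
#
#   roles:
#     - prep_secrets
#     - prep_postgres
#
- name: 'redis, php, nextcloud, caddy'
  hosts: nextcloud-web
  roles:
    # - prep_redis
    # - prep_php
    # - prep_nextcloud
    - role: prep_caddy
      # caddy_config is passed to the prep_caddy role as a role parameter and
      # holds the complete Caddyfile as a literal block scalar (newlines kept).
      #
      # Review notes on the served policy (no behaviour changed here):
      # - HSTS sets max-age only; includeSubDomains/preload are deliberately
      #   or accidentally absent — confirm which before adding, as preload is
      #   hard to undo.
      # - Referrer-Policy no-referrer-when-downgrade is the browser default;
      #   strict-origin-when-cross-origin is the usual stricter choice if the
      #   application tolerates it.
      # - Access logging is off (log block commented out), so no per-request
      #   trail exists on this host for incident review unless it is enabled.
      # - The cloud.miom.space redir carries no explicit status code, so Caddy
      #   uses its default temporary redirect; add 301 if it is permanent.
      caddy_config: |
        {
          # remove comment to use staging Let's Encrypt servers (for testing)
          #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
          email admins@pub.solar
        }

        # snippets
        # security and privacy headers
        (headers) {
          header {
            # disable FLoC tracking
            Permissions-Policy interest-cohort=()
            # enable HSTS
            Strict-Transport-Security max-age=63072000;
            # keep referrer data off of HTTP connections
            Referrer-Policy no-referrer-when-downgrade
            # disable clients from sniffing the media type
            # already set by nextcloud
            #X-Content-Type-Options nosniff
            # clickjacking protection
            # already set by nextcloud
            #X-Frame-Options SAMEORIGIN
          }
        }

        cloud.miom.space {
          redir https://cloud.pub.solar{uri}
          # import security headers snippet
          import headers
        }

        cloud.pub.solar {
          root * /var/www/nextcloud
          file_server
          php_fastcgi unix//run/php/php-fpm8.sock

          redir /.well-known/carddav /remote.php/dav 301
          redir /.well-known/caldav /remote.php/dav 301

          # caddys default is no access logs at all
          # comment this block out for debugging
          #log {
          #  output file /var/log/caddy-access.log
          #}

          # .htaccess / data / config / ... no access from outside
          @forbidden {
            path /.htaccess
            path /data/*
            path /config/*
            path /db_structure
            path /.xml
            path /README
            path /3rdparty/*
            path /lib/*
            path /templates/*
            path /occ
            path /console.php
          }
          respond @forbidden 404

          encode gzip

          # import security headers snippet
          import headers
        }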