#!/usr/bin/env ansible-playbook
#
# Ansible playbook for the pub.solar Nextcloud web host.
#
# Only the play targeting `nextcloud-web` is active; it applies the
# `prep_caddy` role and hands it the full Caddyfile via the `caddy_config`
# role variable (a YAML literal block, so Caddyfile indentation and `#`
# comments are passed through verbatim).  The postgres play and the
# redis/php/nextcloud roles are present but commented out.

#- name: 'postgres'
#  hosts: nextcloud-db
#
#  roles:
#    - prep_secrets
#    - prep_postgres
#
- name: 'redis, php, nextcloud, caddy'
  hosts: nextcloud-web

  roles:
    # - prep_redis
    # - prep_php
    # - prep_nextcloud
    - role: prep_caddy
      # Caddyfile rendered by the prep_caddy role (exact file path is not
      # visible here; see the role).  Everything below is Caddyfile syntax,
      # not YAML: `#` lines inside the block are Caddyfile comments.
      caddy_config: |
        # Global options: the `email` is the ACME account contact used for
        # Let's Encrypt certificate issuance.
        {
          # remove comment to use staging Let's Encrypt servers (for testing)
          #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory

          email admins@pub.solar
        }
        # snippets
        # security and privacy headers
        (headers) {
          header {
            # disable FLoC tracking
            Permissions-Policy interest-cohort=()

            # enable HSTS
            # max-age=63072000 is two years.  `includeSubDomains` and
            # `preload` are intentionally not set here; add them only if
            # every subdomain of the site is served over HTTPS.
            Strict-Transport-Security max-age=63072000;

            # keep referrer data off of HTTP connections
            # NOTE(review): Nextcloud's own responses appear to send
            # `Referrer-Policy: no-referrer`; a Caddy `header` directive
            # replaces an existing response header, so the weaker
            # `no-referrer-when-downgrade` below would win — confirm this
            # downgrade is intended (the nosniff / X-Frame-Options entries
            # further down are left to Nextcloud for the same reason).
            Referrer-Policy no-referrer-when-downgrade

            # disable clients from sniffing the media type
            # already set by nextcloud
            #X-Content-Type-Options nosniff

            # clickjacking protection
            # already set by nextcloud
            #X-Frame-Options SAMEORIGIN
          }
        }
        # Legacy hostname: every request is redirected to the canonical
        # host.  The headers snippet is imported so the redirect response
        # itself carries HSTS as well.
        cloud.miom.space {
          redir https://cloud.pub.solar{uri}

          # import security headers snippet
          import headers
        }
        cloud.pub.solar {
          root * /var/www/nextcloud
          file_server
          # PHP-FPM reached over a local unix socket (no TCP listener).
          php_fastcgi unix//run/php/php-fpm8.sock

          # CalDAV/CardDAV service discovery, as required by Nextcloud.
          redir /.well-known/carddav /remote.php/dav 301
          redir /.well-known/caldav /remote.php/dav 301

          # caddys default is no access logs at all
          # comment this block out for debugging
          # With logging disabled there is no request-level audit trail on
          # this host; enable the block below if access logs are needed for
          # incident investigation, and rotate/protect the log file.
          #log {
          #  output file /var/log/caddy-access.log
          #}

          # .htaccess / data / config / ... no access from outside
          # Named matcher for paths that must never be served directly
          # (user data, config, internals, CLI entry points).  Matching is
          # on the request path as Caddy sees it.
          @forbidden {
            path /.htaccess
            path /data/*
            path /config/*
            path /db_structure
            path /.xml
            path /README
            path /3rdparty/*
            path /lib/*
            path /templates/*
            path /occ
            path /console.php
          }

          # Answer 404 (not 403) for the matcher above.  Caddy's built-in
          # directive order runs `respond` before `php_fastcgi` and
          # `file_server`, so these paths never reach PHP or the file
          # server regardless of where the line sits in this block.
          respond @forbidden 404

          encode gzip

          # import security headers snippet
          import headers
        }