Get basic nextcloud up and running with SSL

This commit is contained in:
Erik Stambaugh 2022-01-02 13:01:20 -08:00
parent 20517cdc04
commit 53a369fba5
4 changed files with 346 additions and 9 deletions


@ -58,6 +58,8 @@ resource "aws_instance" "nextcloud" {
# associate_public_ip_address = false
vpc_security_group_ids = [ module.nextcloud_sg.security_group_id ]
user_data = <<EOF
#!/bin/bash
sudo snap install amazon-ssm-agent --classic
@ -80,10 +82,18 @@ module "nextcloud_sg" {
description = "Nextcloud SG"
vpc_id = module.vpc.vpc_id
egress_rules = [ "all-all" ]
ingress_with_cidr_blocks = [
{
rule = "http-80-tcp"
cidr_blocks = "${chomp(data.http.myip.body)}/32"
cidr_blocks = "0.0.0.0/0"
# cidr_blocks = "${chomp(data.http.myip.body)}/32"
},
{
rule = "https-443-tcp"
cidr_blocks = "0.0.0.0/0"
# cidr_blocks = "${chomp(data.http.myip.body)}/32"
},
]
}
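Review bot: The http-80-tcp rule at `cidr_blocks = "0.0.0.0/0"` silently replaces the my-IP restriction, and nothing in the hunk records why the wider exposure is needed; the nginx.conf added in the same commit only serves `/.well-known/acme-challenge/` on port 80 and 301s everything else to https, so the reason should sit next to the rule, e.g. `# world-open: needed for the Let's Encrypt HTTP-01 challenge; nginx redirects all other paths to 443`. The commented-out `cidr_blocks` lines left under both rules are dead and should be removed rather than kept as a hint. The first hunk's `user_data` heredoc starts here but continues outside the hunk, so its contents were not reviewed.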


@ -10,21 +10,20 @@ services:
db:
container_name: nextcloud_db
image: mariadb
restart: always
restart: unless-stopped
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
volumes:
- db:/var/lib/mysql
environment:
- MARIADB_ALLOW_EMPTY_ROOT_PASSWORD=true
- MYSQL_ROOT_PASSWORD=
- MYSQL_PASSWORD=
- MYSQL_ROOT_PASSWORD=s00p3rs3krit
- MYSQL_PASSWORD=s00p3rs3krit
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
app:
container_name: nextcloud
image: nextcloud
restart: always
restart: unless-stopped
ports:
- 8080:80
links:
@ -32,7 +31,37 @@ services:
volumes:
- nextcloud:/var/www/html
environment:
- MYSQL_PASSWORD=
- MYSQL_PASSWORD=s00p3rs3krit
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_HOST=db
web:
container_name: nginx
image: nginx
restart: unless-stopped
ports:
- "80:80"
- "443:443"
links:
- app
volumes:
- /srv/nextcloud/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
- /srv/nextcloud/nginx/conf.d:/etc/nginx/conf.d:ro
# - /srv/nextcloud/nginx/www:/usr/share/nginx/html:ro
- /srv/nextcloud/letsencrypt/etc:/etc/letsencrypt
- /srv/nextcloud/letsencrypt/www:/var/www/certbot
volumes_from:
- app
command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
certbot:
container_name: certbot
image: certbot/certbot:arm64v8-latest
restart: unless-stopped
volumes:
- /srv/nextcloud/letsencrypt/etc:/etc/letsencrypt
- /srv/nextcloud/letsencrypt/www:/var/www/certbot
- /srv/nextcloud/letsencrypt/var:/var/lib/letsencrypt
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew --webroot --webroot-path=/var/www/certbot; sleep 12h & wait $${!}; done;'"
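Review bot: The database password is now the literal `s00p3rs3krit` in three places (`MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` on `db`, `MYSQL_PASSWORD` on `app`) in a file the playbook copies to the host from this repository, so the secret is in VCS history from this commit on and should be rotated. Feed both services from an `env_file` rendered from an Ansible vault variable, or use `${MYSQL_PASSWORD}` substitution from a root-owned `.env` on the host, instead of committing the value. `MARIADB_ALLOW_EMPTY_ROOT_PASSWORD=true` is kept although a root password is now set; the two contradict each other and the former should go. The `web` service mounts `/srv/nextcloud/letsencrypt/etc` read-write although nginx only reads the certificate and key from it; `- /srv/nextcloud/letsencrypt/etc:/etc/letsencrypt:ro` would match the `:ro` already used for the config mounts.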


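--- /dev/null
+++ b/files/nginx.conf
@@ -0,0 +1,239 @@
+# Run as a less privileged user for security reasons.
+user nginx;
+# #worker_threads to run;
+# "auto" sets it to the #CPU_cores available in the system, and
+# offers the best performance.
+worker_processes auto;
+events { worker_connections 1024; }
+http {
+upstream backend {
+server app;
+}
+server {
+listen 80;
+server_name cloud.stoopid.club;
+server_tokens off;
+location /.well-known/acme-challenge/ {
+root /var/www/certbot;
+}
+location / {
+return 301 https://$host$request_uri;
+}
+}
+server {
+# Hide nginx version information.
+server_tokens off;
+listen 443 ssl default_server;
+server_name cloud.stoopid.club;
+root /usr/share/nginx/html;
+include /etc/nginx/mime.types;
+ssl_certificate /etc/letsencrypt/live/cloud.stoopid.club/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/cloud.stoopid.club/privkey.pem;
+include /etc/letsencrypt/options-ssl-nginx.conf;
+ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+# location / {
+# try_files $uri $uri/ /index.html;
+# }
+gzip on;
+gzip_vary on;
+gzip_http_version 1.0;
+gzip_comp_level 5;
+gzip_types
+application/atom+xml
+application/javascript
+application/json
+application/rss+xml
+application/vnd.ms-fontobject
+application/x-font-ttf
+application/x-web-app-manifest+json
+application/xhtml+xml
+application/xml
+font/opentype
+image/svg+xml
+image/x-icon
+text/css
+text/plain
+text/x-component;
+gzip_proxied no-cache no-store private expired auth;
+gzip_min_length 256;
+gunzip on;
+location @nextcloud {
+proxy_pass http://backend;
+}
+location / {
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+client_max_body_size 0; # default is 1M
+proxy_connect_timeout 10m;
+proxy_send_timeout 10m;
+proxy_read_timeout 10m;
+send_timeout 10m;
+try_files /dev/null @nextcloud;
+}
+}
+# server {
+# server_name cloud.stoopid.club;
+# # Hide nginx version information.
+# server_tokens off;
+#
+# listen 443 ssl http2;
+# listen [::]:443 ssl http2;
+# ssl_session_timeout 1d;
+# ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+# ssl_session_tickets off;
+#
+#
+# ssl_trusted_certificate /etc/letsencrypt/live/cloud.stoopid.club/chain.pem;
+# ssl_certificate /etc/letsencrypt/live/cloud.stoopid.club/fullchain.pem;
+# ssl_certificate_key /etc/letsencrypt/live/cloud.stoopid.club/privkey.pem;
+## include /etc/letsencrypt/options-ssl-nginx.conf;
+# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+#
+## ssl_protocols TLSv1.2 TLSv1.3;
+## ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+## ssl_prefer_server_ciphers off;
+## # In case of an old server with an OpenSSL version of 1.0.2 or below,
+## # leave only prime256v1 or comment out the following line.
+## ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
+## ssl_stapling on;
+## ssl_stapling_verify on;
+#
+# gzip_vary on;
+# gzip_proxied any;
+# gzip_comp_level 6;
+# gzip_buffers 16 8k;
+# gzip_http_version 1.1;
+# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;
+#
+# proxy_http_version 1.1;
+# proxy_set_header Upgrade $http_upgrade;
+# proxy_set_header Connection "upgrade";
+# proxy_set_header Host $http_host;
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#
+# location @nextcloud {
+# proxy_pass http://backend;
+# }
+#
+# location / {
+# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+# proxy_set_header Host $host;
+# proxy_set_header X-Real-IP $remote_addr;
+#
+# client_max_body_size 0; # default is 1M
+#
+# proxy_connect_timeout 10m;
+# proxy_send_timeout 10m;
+# proxy_read_timeout 10m;
+# send_timeout 10m;
+#
+# try_files /dev/null @nextcloud;
+# }
+#
+#
+## location ~ ^/(media|proxy) {
+## proxy_cache pleroma_media_cache;
+## slice 1m;
+## proxy_cache_key $host$uri$is_args$args$slice_range;
+## proxy_set_header Range $slice_range;
+## proxy_cache_valid 200 206 301 304 1h;
+## proxy_cache_lock on;
+## proxy_ignore_client_abort on;
+## proxy_buffering on;
+## chunked_transfer_encoding on;
+## proxy_pass http://pleroma:4000/;
+## }
+#
+#
+#
+#
+## root /usr/share/nginx/html;
+## include /etc/nginx/mime.types;
+##
+##
+## location / {
+## proxy_http_version 1.1;
+## proxy_set_header Upgrade $http_upgrade;
+## proxy_set_header Connection "upgrade";
+## proxy_read_timeout 300; # Some requests take more than 30 seconds.
+## proxy_connect_timeout 300; # Some requests take more than 30 seconds.
+## proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+## proxy_set_header X-Forwarded-Proto $scheme;
+## proxy_set_header Host $http_host;
+## proxy_redirect off;
+## proxy_pass http://pleroma:4000/;
+## }
+##
+### map $remote_addr $proxy_forwarded_elem {
+### # IPv4 addresses can be sent as-is
+### ~^[0-9.]+$ "for=$remote_addr";
+###
+### # IPv6 addresses need to be bracketed and quoted
+### ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
+###
+### # Unix domain socket names cannot be represented in RFC 7239 syntax
+### default "for=unknown";
+### }
+###
+### map $http_forwarded $proxy_add_forwarded {
+### # If the incoming Forwarded header is syntactically valid, append to it
+### "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+###
+### # Otherwise, replace it
+### default "$proxy_forwarded_elem";
+### }
+##
+### proxy_set_header Forwarded $proxy_add_forwarded;
+### proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+##
+## gzip on;
+## gzip_vary on;
+## gzip_http_version 1.0;
+## gzip_comp_level 5;
+## gzip_types
+## application/atom+xml
+## application/javascript
+## application/json
+## application/rss+xml
+## application/vnd.ms-fontobject
+## application/x-font-ttf
+## application/x-web-app-manifest+json
+## application/xhtml+xml
+## application/xml
+## font/opentype
+## image/svg+xml
+## image/x-icon
+## text/css
+## text/plain
+## text/x-component;
+## gzip_proxied no-cache no-store private expired auth;
+## gzip_min_length 256;
+## gunzip on;
+# }
+include /etc/nginx/conf.d/*.conf;
+}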
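Review bot: The `location /` block of the 443 server forwards `X-Forwarded-For`, `Host` and `X-Real-IP` but not the scheme, so Nextcloud behind this TLS-terminating proxy sees plain HTTP and is likely to generate http:// links unless `overwriteprotocol` is set in its config; add `proxy_set_header X-Forwarded-Proto $scheme;` next to the other headers (the disabled block further down already carries it). The HTTPS server also sets no HSTS header, which Nextcloud's own setup check flags; `add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;` in that server block covers it. The roughly 140 commented-out lines after the live server block, including pleroma `proxy_cache` leftovers, are dead configuration that makes the shipped file hard to audit and should be deleted rather than committed.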


@ -4,9 +4,11 @@
file:
path: /srv/nextcloud/{item}
state: directory
recurse: true
with_items:
- db
- data
- nginx/conf.d
- name: install docker
apt:
@ -16,6 +18,7 @@
packages:
- docker.io
- docker-compose
- openssl
- name: Add users to docker group
user:
@ -25,6 +28,56 @@
with_items:
- ubuntu
# --
- name: check for existing cert
stat:
path: /srv/nextcloud/letsencrypt/etc/live/cloud.stoopid.club
register: certpath
- name: seed initial cert data
command: |
docker run -it --rm --name certbot \
-v "/srv/nextcloud/letsencrypt/etc:/etc/letsencrypt" \
-v "/srv/nextcloud/letsencrypt/var:/var/lib/letsencrypt" \
-p 80:80 \
certbot/certbot:arm64v8-latest certonly \
-m erik@erikstambaugh.com \
--agree-tos \
-n \
--standalone \
-d cloud.stoopid.club
when: certpath.stat.isdir is not defined
#docker run -it --rm --name certbot \
# -v "/etc/letsencrypt:/etc/letsencrypt" \
# -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
# certbot/certbot:arm32v6-latest certonly \
# -m erik@erikstambaugh.com \
# --agree-tos \
# --standalone \
# --dry-run \
# -p 80:80 \
# -d cloud.stoopid.club
## certbot/certbot:arm32v6-latest certonly --help
- name: pick up latest nginx ssl config
get_url:
url: https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
dest: /srv/nextcloud/letsencrypt/etc/options-ssl-nginx.conf
register: certbotnginx
- name: check for dhparams
stat:
path: /srv/nextcloud/letsencrypt/etc/ssl-dhparams.pem
register: dhparams
- name: "create dhparams (this could take up to an hour)"
command: openssl dhparam -out ssl-dhparams.pem 4096
args:
chdir: /srv/nextcloud/letsencrypt/etc
when: dhparams.stat.exists == False
# ---
- name: nextcloud docker-compose
@ -33,16 +86,22 @@
dest: /srv/nextcloud/docker-compose.yaml
register: dockercompose
- name: nextcloud nginx.conf
copy:
src: files/nginx.conf
dest: /srv/nextcloud/nginx/nginx.conf
register: nginxconf
- name: install nextcloud
command: docker-compose up -d
args:
chdir: /srv/nextcloud
- name: install nextcloud
- name: restart nextcloud
command: docker-compose restart
args:
chdir: /srv/nextcloud
when: dockercompose.changed
when: nginxconf.changed or certbotnginx.changed
# ---
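Review bot: The `pick up latest nginx ssl config` task fetches `options-ssl-nginx.conf` from the mutable `master` branch with no `checksum:`, and that file is `include`d into the TLS server block and triggers a nextcloud restart whenever it changes, so every playbook run pulls unreviewed upstream content straight into the TLS configuration. Pin the URL to a release tag or commit and add the module's `checksum: sha256:<PLACEHOLDER-DIGEST>` so a changed or tampered download fails the task instead of being deployed. The `seed initial cert data` command runs `docker run -it`, but the command module provides no TTY, so `-t` will most likely make docker abort with "the input device is not a TTY"; drop `-it` there. `when: dhparams.stat.exists == False` reads better as `when: not dhparams.stat.exists`.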