feat: add basic nextcloud role

nextcloud with optional collabora base setup
2025-12-19 14:17:08 +01:00 · 2025-12-19 14:17:08 +01:00 · 6ab3505dc8
commit 6ab3505dc8
parent 19986e1205
11 changed files with 404 additions and 0 deletions
--- a/roles/nextcloud/templates/docker-compose.yml.j2
+++ b/roles/nextcloud/templates/docker-compose.yml.j2
@ -0,0 +1,137 @@
+services:
+  db:
+    image: {{ nextcloud_postgres_image }}
+    restart: always
+    environment:
+      POSTGRES_DB: {{ nextcloud_postgres_db }}
+      POSTGRES_USER: {{ nextcloud_postgres_user }}
+      POSTGRES_PASSWORD: {{ nextcloud_postgres_password }}
+    volumes:
+      - {{ nextcloud_docker_volume_dir }}/postgresql/:/var/lib/postgresql/
+      - ./init-db.sql:/docker-entrypoint-initdb.d/init-db.sql:ro
+    networks:
+      - {{ nextcloud_backend_network }}
+
+  redis:
+    image: {{ nextcloud_redis_image }}
+    restart: always
+    command: ["redis-server", "--appendonly", "yes"]
+    volumes:
+      - {{ nextcloud_docker_volume_dir }}/redis/data:/data
+    networks:
+      - {{ nextcloud_backend_network }}
+
+  nginx:
+    image: nginx:alpine
+    restart: always
+    depends_on:
+      - nextcloud
+    volumes:
+      - {{ nextcloud_docker_volume_dir }}/nextcloud/:/var/www/html:ro
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
+    networks:
+      - {{ nextcloud_backend_network }}
+      - {{ nextcloud_traefik_network }}
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network={{ nextcloud_traefik_network }}
+      - traefik.http.routers.{{ nextcloud_service_name }}.rule=Host(`{{ nextcloud_domain }}`)
+{% if nextcloud_use_ssl %}
+      - traefik.http.routers.{{ nextcloud_service_name }}.entrypoints=websecure
+      - traefik.http.routers.{{ nextcloud_service_name }}.tls=true
+{% else %}
+      - traefik.http.routers.{{ nextcloud_service_name }}.entrypoints=web
+{% endif %}
+
+  nextcloud-cron:
+    image: {{ nextcloud_image }}
+    restart: always
+    depends_on:
+      - nextcloud
+    entrypoint: /cron.sh
+    environment:
+      POSTGRES_HOST: db
+      POSTGRES_DB: {{ nextcloud_postgres_db }}
+      POSTGRES_USER: {{ nextcloud_postgres_user }}
+      POSTGRES_PASSWORD: {{ nextcloud_postgres_password }}
+      NEXTCLOUD_ADMIN_USER: {{ nextcloud_admin_user }}
+      NEXTCLOUD_ADMIN_PASSWORD: {{ nextcloud_admin_password }}
+      REDIS_HOST: redis
+      PHP_MEMORY_LIMIT: {{ nextcloud_memory_limit_mb }}M
+      PHP_UPLOAD_LIMIT: {{  nextcloud_upload_limit_mb }}M
+      OVERWRITEPROTOCOL: https
+      OVERWRITEHOST: {{ nextcloud_domain }}
+      TRUSTED_PROXIES: "172.18.0.0/16 172.16.9.88/16 172.16.17.0/24 172.16.9.88"
+    volumes:
+      - {{ nextcloud_docker_volume_dir }}/nextcloud/:/var/www/html
+    networks:
+      - {{ nextcloud_backend_network }}
+
+  nextcloud:
+    image: {{ nextcloud_image }}
+    scale: {{ nextcloud_scale_factor }}
+    restart: always
+    depends_on:
+      - db
+      - redis
+    environment:
+      POSTGRES_HOST: db
+      POSTGRES_DB: {{ nextcloud_postgres_db }}
+      POSTGRES_USER: {{ nextcloud_postgres_user }}
+      POSTGRES_PASSWORD: {{ nextcloud_postgres_password }}
+      NEXTCLOUD_ADMIN_USER: {{ nextcloud_admin_user }}          
+      NEXTCLOUD_ADMIN_PASSWORD: {{ nextcloud_admin_password }}  
+      REDIS_HOST: redis
+      PHP_MEMORY_LIMIT: {{ nextcloud_memory_limit_mb }}M
+      PHP_UPLOAD_LIMIT: {{  nextcloud_upload_limit_mb }}M
+      OVERWRITEPROTOCOL: https
+      OVERWRITEHOST: {{ nextcloud_domain }}
+      TRUSTED_PROXIES: "172.18.0.0/16 172.16.9.88/16 172.16.17.0/24 172.16.9.88"
+{% if nextcloud_use_s3_storage %}
+      OBJECTSTORE_S3_KEY: {{ nextcloud_s3_key }}
+      OBJECTSTORE_S3_SECRET: {{ nextcloud_s3_secret }}
+      OBJECTSTORE_S3_REGION: {{ nextcloud_s3_region }}
+      OBJECTSTORE_S3_BUCKET: {{ nextcloud_s3_bucket }}
+      OBJECTSTORE_S3_HOST: {{ nextcloud_s3_host }}
+      OBJECTSTORE_S3_PORT: {{ nextcloud_s3_port }}
+      OBJECTSTORE_S3_SSL: {{ nextcloud_s3_ssl }}
+      OBJECTSTORE_S3_USEPATH_STYLE: {{ nextcloud_s3_usepath_style }}
+      OBJECTSTORE_S3_AUTOCREATE: {{ nextcloud_s3_autocreate }}
+{% endif %}
+    volumes:
+      - {{ nextcloud_docker_volume_dir }}/nextcloud/:/var/www/html
+    networks:
+      - {{ nextcloud_backend_network }}
+
+{% if nextcloud_enable_collabora %}
+  collabora:
+    image: {{ nextcloud_collabora_image }}
+    restart: always
+    environment:
+      domain: ^{{ nextcloud_domain | replace('.', '\\.') }}$
+      extra_params: >-
+        --o:ssl.enable=false
+        --o:ssl.termination=true
+        --o:net.frame_ancestors=https://{{ nextcloud_domain }}
+    cap_add:
+      - MKNOD
+    networks:
+      - {{ nextcloud_traefik_network }}
+    labels:
+      - traefik.enable=true
+      - traefik.docker.network={{ nextcloud_traefik_network }}
+      - traefik.http.routers.{{ nextcloud_collabora_service_name }}.rule=Host(`{{ nextcloud_collabora_domain }}`)
+      - traefik.http.services.{{ nextcloud_collabora_service_name }}.loadbalancer.server.port=9980
+{% if nextcloud_use_ssl %}
+      - traefik.http.routers.{{ nextcloud_collabora_service_name }}.entrypoints=websecure
+      - traefik.http.routers.{{ nextcloud_collabora_service_name }}.tls=true
+{% else %}
+      - traefik.http.routers.{{ nextcloud_collabora_service_name }}.entrypoints=web
+{% endif %}
+
+{% endif %}
+
+networks:
+  {{ nextcloud_backend_network }}:
+  {{ nextcloud_traefik_network }}:
+    external: true
--- a/roles/nextcloud/templates/init-db.sql.j2
+++ b/roles/nextcloud/templates/init-db.sql.j2
@ -0,0 +1,10 @@
+-- Grant necessary permissions to the Nextcloud PostgreSQL user
+-- CREATEROLE allows creating roles for Nextcloud apps
+ALTER USER {{ nextcloud_postgres_user }} WITH CREATEROLE;
+
+-- Pre-create the Nextcloud database to prevent automatic user creation
+CREATE DATABASE {{ nextcloud_postgres_db }} OWNER {{ nextcloud_postgres_user }};
+
+-- Grant CREATE permission on public schema in the new database
+\c {{ nextcloud_postgres_db }}
+GRANT CREATE ON SCHEMA public TO {{ nextcloud_postgres_user }};
--- a/roles/nextcloud/templates/nginx.conf.j2
+++ b/roles/nextcloud/templates/nginx.conf.j2
@ -0,0 +1,86 @@
+upstream nextcloud_backend {
+{% for i in range(1, nextcloud_scale_factor + 1) %}
+  server nextcloud-nextcloud-{{ i }}:9000;
+{% endfor %}
+}
+
+server {
+  listen 80;
+  server_name _;
+
+  # Serve Nextcloud files
+  root /var/www/html;
+  index index.php index.html /index.php$request_uri;
+
+  include /etc/nginx/mime.types;
+  types { application/javascript mjs; }
+
+  client_max_body_size {{ nextcloud_upload_limit_mb }}M;
+  fastcgi_buffers 64 4k;
+
+  # Security headers
+  add_header X-Content-Type-Options nosniff;
+  add_header X-Frame-Options "SAMEORIGIN" always;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Robots-Tag "noindex, nofollow" always;
+  add_header X-Permitted-Cross-Domain-Policies "none" always;
+  add_header Referrer-Policy "no-referrer" always;
+
+
+  # DAV
+  location = /.well-known/carddav { return 308 https://$host/remote.php/dav; }
+  location = /.well-known/caldav  { return 308 https://$host/remote.php/dav; }
+
+  # Federated sharing / Webfinger / Nodeinfo / Host-meta
+  # Forward them to index.php so Nextcloud can handle them
+  location = /.well-known/webfinger  { return 308 https://$host/index.php$request_uri; }
+  location = /.well-known/nodeinfo   { return 308 https://$host/index.php$request_uri; }
+  location = /.well-known/host-meta  { return 308 https://$host/index.php$request_uri; }
+  location = /.well-known/host-meta.json { return 308 https://$host/index.php$request_uri; }
+  location = /robots.txt { allow all; log_not_found off; access_log off; }
+  # denies
+  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; }
+  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; }
+
+  location / {
+    try_files $uri $uri/ /index.php$request_uri;
+  }
+
+  location ~ \.php(?:$|/) {
+    # Only allow the front controller
+    try_files $fastcgi_script_name =404;
+
+    include fastcgi_params;
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+
+    # Pass to PHP-FPM in the nextcloud container
+    fastcgi_pass nextcloud_backend;
+
+    # Tell Nextcloud it’s HTTPS (double proxy) and behind proxies
+    fastcgi_param HTTPS on;
+    fastcgi_param modHeadersAvailable true;
+    fastcgi_param front_controller_active true;
+
+    # Preserve original host/proto from outer proxies via Traefik
+    fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
+    fastcgi_param HTTP_X_FORWARDED_HOST  $http_host;
+    fastcgi_param HTTP_X_FORWARDED_FOR   $proxy_add_x_forwarded_for;
+    fastcgi_param HTTP_X_REAL_IP $remote_addr;
+    fastcgi_intercept_errors on;
+    fastcgi_request_buffering off;
+  }
+
+  # Caching for static assets
+  location ~ \.(?:css|js|mjs|woff2?|svg|gif|map)$ {
+    try_files $uri /index.php$request_uri;
+    expires 6M;
+    access_log off;
+  }
+  location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+    try_files $uri /index.php$request_uri;
+    expires 6M;
+    access_log off;
+  }
+}