feat: add basic nextcloud role

nextcloud with optional collabora base setup
2025-12-19 14:17:08 +01:00 · 2025-12-19 14:17:08 +01:00 · 6ab3505dc8
commit 6ab3505dc8
parent 19986e1205
11 changed files with 404 additions and 0 deletions
--- a/roles/nextcloud/templates/nginx.conf.j2
+++ b/roles/nextcloud/templates/nginx.conf.j2
@ -0,0 +1,86 @@
+upstream nextcloud_backend {
+{% for i in range(1, nextcloud_scale_factor + 1) %}
+  server nextcloud-nextcloud-{{ i }}:9000;
+{% endfor %}
+}
+
+server {
+  listen 80;
+  server_name _;
+
+  # Serve Nextcloud files
+  root /var/www/html;
+  index index.php index.html /index.php$request_uri;
+
+  include /etc/nginx/mime.types;
+  types { application/javascript mjs; }
+
+  client_max_body_size {{ nextcloud_upload_limit_mb }}M;
+  fastcgi_buffers 64 4k;
+
+  # Security headers
+  add_header X-Content-Type-Options nosniff;
+  add_header X-Frame-Options "SAMEORIGIN" always;
+  add_header X-XSS-Protection "1; mode=block";
+  add_header X-Robots-Tag "noindex, nofollow" always;
+  add_header X-Permitted-Cross-Domain-Policies "none" always;
+  add_header Referrer-Policy "no-referrer" always;
+
+
+  # DAV
+  location = /.well-known/carddav { return 308 https://$host/remote.php/dav; }
+  location = /.well-known/caldav  { return 308 https://$host/remote.php/dav; }
+
+  # Federated sharing / Webfinger / Nodeinfo / Host-meta
+  # Forward them to index.php so Nextcloud can handle them
+  location = /.well-known/webfinger  { return 308 https://$host/index.php$request_uri; }
+  location = /.well-known/nodeinfo   { return 308 https://$host/index.php$request_uri; }
+  location = /.well-known/host-meta  { return 308 https://$host/index.php$request_uri; }
+  location = /.well-known/host-meta.json { return 308 https://$host/index.php$request_uri; }
+  location = /robots.txt { allow all; log_not_found off; access_log off; }
+  # denies
+  location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { deny all; }
+  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; }
+
+  location / {
+    try_files $uri $uri/ /index.php$request_uri;
+  }
+
+  location ~ \.php(?:$|/) {
+    # Only allow the front controller
+    try_files $fastcgi_script_name =404;
+
+    include fastcgi_params;
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+
+    # Pass to PHP-FPM in the nextcloud container
+    fastcgi_pass nextcloud_backend;
+
+    # Tell Nextcloud it’s HTTPS (double proxy) and behind proxies
+    fastcgi_param HTTPS on;
+    fastcgi_param modHeadersAvailable true;
+    fastcgi_param front_controller_active true;
+
+    # Preserve original host/proto from outer proxies via Traefik
+    fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
+    fastcgi_param HTTP_X_FORWARDED_HOST  $http_host;
+    fastcgi_param HTTP_X_FORWARDED_FOR   $proxy_add_x_forwarded_for;
+    fastcgi_param HTTP_X_REAL_IP $remote_addr;
+    fastcgi_intercept_errors on;
+    fastcgi_request_buffering off;
+  }
+
+  # Caching for static assets
+  location ~ \.(?:css|js|mjs|woff2?|svg|gif|map)$ {
+    try_files $uri /index.php$request_uri;
+    expires 6M;
+    access_log off;
+  }
+  location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+    try_files $uri /index.php$request_uri;
+    expires 6M;
+    access_log off;
+  }
+}