
3 commits

Author SHA1 Message Date
3a10c57015
chore: install docker and dependencies in base role
the ansible_virtualization_type != "docker" part is used when testing in containers, since systemd is not available there
2025-11-07 11:53:37 +01:00
9e7b2b3b84
chore: upgrade reverseproxy role for use with vagrant and ssl 2025-11-07 11:52:41 +01:00
a4aa64777e
feat: add basic httpbin services
Used to test connectivity of proxies
2025-11-07 11:50:53 +01:00
9 changed files with 161 additions and 47 deletions

9
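--- a/.idea/digitalboard.core.iml
+++ b/.idea/digitalboard.core.iml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="PYTHON_MODULE" version="4">
+<component name="NewModuleRootManager">
+<content url="file://$MODULE_DIR$" />
+<orderEntry type="jdk" jdkName="Python 3.13" jdkType="Python SDK" />
+<orderEntry type="sourceFolder" forTests="false" />
+<orderEntry type="module" module-name="reference-ansible" />
+</component>
+</module>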


@ -0,0 +1,6 @@
<component name="InspectionProjectProfileManager">
<profile version="1.0">
<option name="myName" value="Project Default" />
<inspection_tool class="Eslint" enabled="true" level="WARNING" enabled_by_default="true" />
</profile>
</component>


@ -0,0 +1,6 @@
<component name="InspectionProjectProfileManager">
<settings>
<option name="USE_PROJECT_PROFILE" value="false" />
<version value="1.0" />
</settings>
</component>

12
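--- a/.idea/material_theme_project_new.xml
+++ b/.idea/material_theme_project_new.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+<component name="MaterialThemeProjectNewConfig">
+<option name="metadata">
+<MTProjectMetadataState>
+<option name="migrated" value="true" />
+<option name="pristineConfig" value="false" />
+<option name="userId" value="6727a2ce:1988652562a:-7ffe" />
+</MTProjectMetadataState>
+</option>
+</component>
+</project>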

7
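--- a/.idea/misc.xml
+++ b/.idea/misc.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+<component name="Black">
+<option name="sdkName" value="Python 3.13" />
+</component>
+<component name="ProjectRootManager" version="2" project-jdk-name="Python 3.13" project-jdk-type="Python SDK" />
+</project>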

9
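--- a/.idea/modules.xml
+++ b/.idea/modules.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+<component name="ProjectModuleManager">
+<modules>
+<module fileurl="file://$PROJECT_DIR$/.idea/digitalboard.core.iml" filepath="$PROJECT_DIR$/.idea/digitalboard.core.iml" />
+<module fileurl="file://$PROJECT_DIR$/../reference-ansible/.idea/reference-ansible.iml" filepath="$PROJECT_DIR$/../reference-ansible/.idea/reference-ansible.iml" />
+</modules>
+</component>
+</project>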

8
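--- a/.idea/vcs.xml
+++ b/.idea/vcs.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+<component name="VcsDirectoryMappings">
+<mapping directory="" vcs="Git" />
+<mapping directory="$PROJECT_DIR$" vcs="Git" />
+<mapping directory="$PROJECT_DIR$/../reference-ansible" vcs="Git" />
+</component>
+</project>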

93
notes-nextcloud Normal file

@ -0,0 +1,93 @@
version: "3.9"
# ⛵ Nextcloud + Collabora (CODE) behind Traefik (TLS at Traefik)
# Replace all occurrences of cloud.digitalboard.ch and office.example.com with your domains.
services:
db:
image: postgres:16-alpine
container_name: nextcloud-postgres
restart: always
environment:
POSTGRES_DB: nextcloud
POSTGRES_USER: nextcloud
POSTGRES_PASSWORD: PVgvn5w06yvN7K8QwKacLrGNtvQformw
volumes:
- /srv/data/nextcloud/postgresql/data:/var/lib/postgresql/data
networks:
- internal
redis:
image: redis:7-alpine
container_name: nextcloud-redis
restart: always
command: ["redis-server", "--appendonly", "yes"]
volumes:
- /srv/data/nextcloud/redis/data:/data
networks:
- internal
nextcloud:
image: nextcloud:apache
container_name: nextcloud
restart: always
depends_on:
- db
- redis
environment:
POSTGRES_HOST: db
POSTGRES_DB: nextcloud
POSTGRES_USER: nextcloud
POSTGRES_PASSWORD: PVgvn5w06yvN7K8QwKacLrGNtvQformw
NEXTCLOUD_ADMIN_USER: tinfoil
NEXTCLOUD_ADMIN_PASSWORD: Wkcox8ZD05po1rq60Y4h2cIenws7hF7F
REDIS_HOST: redis
# REDIS_HOST_PASSWORD: ""
PHP_MEMORY_LIMIT: 1024M
PHP_UPLOAD_LIMIT: 2048M
OVERWRITEPROTOCOL: https
OVERWRITEHOST: cloud.digitalboard.ch
TRUSTED_PROXIES: "172.18.0.0/16"
volumes:
- /srv/data/nextcloud/nextcloud/:/var/www/html
- ./servername.conf:/etc/apache2/conf-enabled/servername.conf
networks:
- internal
- proxy
labels:
- traefik.enable=true
- traefik.docker.network=proxy
- traefik.http.routers.nextcloud.rule=Host(`cloud.digitalboard.ch`)
- traefik.http.routers.nextcloud.entrypoints=web
- traefik.http.services.nextcloud.loadbalancer.server.port=80
# Ensure Nextcloud always sees HTTPS from the double proxy:
- traefik.http.middlewares.nc-https.headers.customrequestheaders.X-Forwarded-Proto=https
- traefik.http.routers.nextcloud.middlewares=nc-wellknown,nc-https
# Well-known DAV:
- traefik.http.middlewares.nc-wellknown.redirectregex.permanent=true
- traefik.http.middlewares.nc-wellknown.redirectregex.regex=^https?://([^/]+)/.well-known/(card|cal)dav
- traefik.http.middlewares.nc-wellknown.redirectregex.replacement=https://$${1}/remote.php/dav/
collabora:
image: collabora/code:latest
container_name: collabora
restart: always
environment:
domain: ^cloud\.example\.com$
extra_params: --o:ssl.enable=false --o:ssl.termination=true
username: admin
password: change_me
cap_add:
- MKNOD
networks:
- proxy
labels:
- traefik.enable=true
- traefik.http.routers.collabora.rule=Host(`office-intern.example.com`)
- traefik.http.routers.collabora.entrypoints=web
- traefik.http.services.collabora.loadbalancer.server.port=9980
networks:
internal:
proxy:
external: true
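Review bot: `POSTGRES_PASSWORD` (in both the `db` and `nextcloud` services) and `NEXTCLOUD_ADMIN_PASSWORD` are committed here as literal values, so they remain readable in the repository history even if this notes file is edited later. Treat both as exposed, rotate them, and supply them from outside the repository. The postgres and nextcloud images accept file-based variants such as `POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password` and `NEXTCLOUD_ADMIN_PASSWORD_FILE: /run/secrets/nextcloud_admin_password` (paths are examples), or the values can come from a vaulted Ansible variable. The `collabora` service also keeps `password: change_me` next to an unpinned `collabora/code:latest` image. Its `domain: ^cloud\.example\.com$` does not match the `cloud.digitalboard.ch` host used for Nextcloud, which the header comment asks to be replaced consistently.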


@ -1,47 +1,11 @@
{% if enable_dashboard %} http:
api: middlewares:
dashboard: true secure-headers:
insecure: true headers:
{% endif %} frameDeny: true
contentTypeNosniff: true
{% if enable_access_logs %} browserXssFilter: true
accessLog: forceSTSHeader: true
format: {{ access_log_format }} stsSeconds: 31536000
{% endif %} stsIncludeSubdomains: true
stsPreload: true
entryPoints:
web:
address: ":80"
{% if use_ssl %}
http:
redirections:
entryPoint:
to: websecure
scheme: https
{% endif %}
websecure:
address: ":443"
providers:
{% if use_static_services | default(false) %}
file:
filename: /etc/traefik/services.yml
watch: true
{% endif %}
{% if use_docker_provider | default(true) %}
docker:
endpoint: "unix:///var/run/docker.sock"
exposedByDefault: false
{% endif %}
certificatesResolvers:
letsencrypt:
acme:
email: admin@digitalboard.ch
storage: /letsencrypt/acme.json
httpChallenge:
entryPoint: web
global:
checkNewVersion: false
sendAnonymousUsage: false
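Review bot: The new `secure-headers` middleware hard-codes `forceSTSHeader: true`, `stsIncludeSubdomains: true` and `stsPreload: true` with `stsSeconds: 31536000`. Any browser that receives this over HTTPS is pinned to HTTPS for the whole domain tree for a year, which is an availability risk for subdomains that do not serve TLS (the commit title mentions Vagrant use, and the compose notes in this compare route on `entrypoints=web`). Browsers ignore HSTS received over plain HTTP, so `forceSTSHeader: true` adds little. Consider dropping it and `stsPreload: true`, or gating the STS keys on the role's existing `use_ssl` variable, until every subdomain is confirmed to terminate TLS. This section only defines the middleware; whether any router references `secure-headers` is not visible here, and an unreferenced middleware applies no headers. The file path for this section is not shown on the page, so it should be confirmed that the removed static settings (`entryPoints`, `providers`, `certificatesResolvers`) now live elsewhere.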