Nextcloud, HAProxy, CertBot example part 1
group_vars/all/nextcloud.vault.yml 4.21 KiB
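---
# Nextcloud role variables.
#
# NOTE(review): despite the `.vault.yml` file name, every credential below is
# stored in clear text. Replace the values and encrypt the file with
# `ansible-vault encrypt` (or wrap each secret as a `!vault` scalar) before it
# is committed or shared; treat the values on this page as already exposed.
ansible_nextcloud_base_image: agowa338/nextcloud

# Docker networks the Nextcloud container joins. The key casing (`Name`) is
# what this role expects; the network itself is defined under docker_networks
# with the lower-case `name` key of the docker role.
ansible_nextcloud_docker_networks:
  - Name: HAProxy2Nextcloud

# Port the application container listens on; nothing is published on the
# host because HAProxy reaches the container over HAProxy2Nextcloud.
ansible_nextcloud_http_host_port: 80
ansible_nextcloud_expose_http: false
ansible_nextcloud_expose_https: false

# Credentials are quoted so a future value that happens to look like a
# number or boolean is never re-typed by the YAML parser.
ansible_nextcloud_admin_password: 'ic1soaxohtooChiemaahicaiyoh5irahfiX6Ai3o'
ansible_nextcloud_redis_password: 'Eiquaith2toot0QuaeNgei5Ahh8peob0raD0ahgh'
ansible_nextcloud_mariadb_root_password: 'sai5loove1IxeiNgaiph9equa5oophei7jee5Eix'
ansible_nextcloud_mariadb_user_username: 'uy9aiW9zei'
ansible_nextcloud_mariadb_user_password: 'phoh3fei0id3daGisheem0woo2johm1oola1Eep1'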
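# Docker daemon options (presumably rendered into daemon.json by the docker
# role). NOTE(review): 2001:db8::/32 is the RFC 3849 documentation prefix;
# replace every 2001:db8:9839:… value with a prefix actually routed to this
# host before deploying.
docker_daemon_options:
  # Quoted for consistency with the subnets below, so the address can never
  # be mis-typed by the parser.
  fixed-cidr-v6: '2001:db8:9839:ffff::/64'
  ipv6: true
  debug: false
  log-driver: journald

# User-defined networks. Only ipv6Network carries public-facing addresses;
# the two HAProxy2* networks are private point-to-point links between the
# proxy and one service each, so the services need no published ports.
docker_networks:
  - name: ipv6Network
    enable_ipv6: true
    ipam_config:
      - subnet: '10.254.0.0/16'
        iprange: '10.254.1.0/24'
      - subnet: '2001:db8:9839::/63'
        aux_addresses:
          haproxy001: '2001:db8:9839::2'
  - name: HAProxy2Nextcloud
    ipam_config:
      - subnet: '10.255.1.0/24'
  - name: HAProxy2Certbot
    ipam_config:
      - subnet: '10.255.5.0/24'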
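# HAProxy role variables.
ansible_haproxy_docker_networks:
  - name: ipv6Network
  - name: HAProxy2Nextcloud
  - name: HAProxy2Certbot
    # Static address on the certbot link; the certbot container is pinned to
    # .3 on the same network.
    ipv4_address: 10.255.5.2
ansible_haproxy_restart_policy: always

# Host-to-container port mappings. Quoted: an unquoted `a:b` is read as a
# sexagesimal integer by YAML 1.1 parsers such as PyYAML.
ansible_haproxy_published_ports:
  - '80:80'
  - '443:443'
ansible_haproxy_exposed_ports:
  - 80
  - 443

# ACME HTTP-01 challenges are answered by the certbot container.
# NOTE(review): the published copy of this file lost its indentation and
# showed `Port: 80` twice in a row. The second one is placed here at the
# frontend level (next to Bind_IP, mirroring Bind_Port in
# ansible_haproxy_frontent) rather than as a duplicate key inside the
# backend-server entry — confirm against the role's template.
ansible_haproxy_certbot:
  Enabled: true
  Backend_Servers:
    - Name: CertBot
      IP: 10.255.5.3
      Port: 80
  Port: 80
  Bind_IP:
    - 0.0.0.0
    - '::'

ansible_haproxy_all_redirect_https: true
ansible_haproxy_base_image: 'haproxy:alpine'

# Lines emitted verbatim into the `global` section.
ansible_haproxy_global_vars:
  - tune.ssl.default-dh-param 4096
  # NOTE(review): the TLS13-* names are not the cipher-suite names of the
  # OpenSSL 1.1.1 release (TLS_AES_256_GCM_SHA384 etc., which HAProxy takes
  # via ssl-default-bind-ciphersuites). OpenSSL drops cipher-list tokens it
  # does not recognise instead of failing, so verify the effective suite list
  # against the OpenSSL build shipped in the haproxy:alpine image.
  - >-
    ssl-default-bind-ciphers
    TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM
  - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

# Frontends (the key spelling "frontent" is the role's and must stay).
# NOTE(review): with the original indentation lost, Additional_Options is
# placed at frontend level here, which is where HAProxy accepts
# `http-response` directives; if the role instead expects it inside each
# Backend_Servers entry, move it back under `Domain`.
ansible_haproxy_frontent:
  - Name: HTTPS
    Bind_IP:
      - 0.0.0.0
      - '::'
    Bind_Port: 443
    # Canonical boolean; `yes` is the same value under YAML 1.1 but not under
    # 1.2 parsers. NOTE(review): if this switch enables TLS 1.3 0-RTT early
    # data, replayed early-data requests could hit non-idempotent Nextcloud
    # endpoints — confirm what the role does with it.
    Enable_0rdd: true
    Mode: http
    Protocol: https
    Backend_Servers:
      - Name: Nextcloud
        Domain: nextcloud.example.com
    Additional_Options:
      - >-
        http-response set-header Strict-Transport-Security
        "max-age=31536000;includeSubdomains;preload"
      - http-response set-header X-Content-Type-Options "nosniff"
      - http-response set-header X-XSS-Protection "1;mode=block"
      - >-
        http-response set-header Referrer-Policy
        "strict-origin-when-cross-origin"
      # NOTE(review): HPKP is deprecated and ignored by current mainstream
      # browsers; where it is still honoured, a pin set that no longer matches
      # the served key locks clients out for max-age (30 days). certbot renews
      # with a fresh key unless told to reuse it, so the pins below must be
      # kept in step with the renewal setup or the header dropped.
      - >-
        http-response set-header Public-Key-Pins
        "pin-sha256=\"Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=\";
        pin-sha256=\"YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=\";
        pin-sha256=\"5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU=\";
        pin-sha256=\"kb6xLprt35abNnSn74my4Dkfya9arbk5zN5a60YzuqE=\";
        max-age=2592000; includeSubdomains"
      # TODO: CSP connect-src self only for nextcloud required
      # NOTE(review): `set-header` replaces the Content-Security-Policy that
      # Nextcloud itself emits (per app, presumably with nonces); a static
      # policy at the proxy can break apps relying on the original header,
      # and `'unsafe-inline' 'unsafe-eval'` in script-src removes most of the
      # protection CSP is meant to give.
      - >-
        http-response set-header Content-Security-Policy "frame-ancestors
        'self';style-src 'self' 'unsafe-inline';script-src 'self'
        'unsafe-inline' 'unsafe-eval';font-src 'self' data:;img-src 'self'
        data:;form-action 'self';object-src 'none';default-src 'none';base-uri
        'none';connect-src 'self';frame-src 'self';manifest-src 'self'"
      - http-response set-header X-Frame-Options SAMEORIGIN
      # Redundant with the quoted X-Content-Type-Options line above;
      # set-header replaces, so the effective value is the same `nosniff`.
      - http-response set-header X-Content-Type-Options nosniff

# Backends. Additional_Options is placed at backend level for the same
# reason as in the frontend above (`option forwardfor` is a section-level
# directive) — confirm against the role's template.
ansible_haproxy_backend:
  - Name: Nextcloud
    Mode: http
    Backend_Servers:
      - Name: NextcloudContainer
        # Docker DNS name of the Nextcloud container on HAProxy2Nextcloud.
        Address: nextcloud_app_1
        Port: 80
    Additional_Options:
      - option forwardfor
      - 'http-request set-header X-Real-IP %[src]'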
# Certbot role variables.
ansible_certbot_project_directory: '/srv/certbot'
# The container is only reachable from HAProxy over HAProxy2Certbot; nothing
# is published on the host.
ansible_certbot_expose_port: false
ansible_certbot_docker_networks:
  - name: HAProxy2Certbot
    # Must match the CertBot backend-server IP in ansible_haproxy_certbot.
    ipv4_address: 10.255.5.3
ansible_certbot_contact_mail: 'letsencrypt@example.com'
ansible_certbot_domain_list:
  - nextcloud.example.com