Nextcloud, HAProxy, CertBot example part 1

    Authored by Klaus Frank
    group_vars/all/nextcloud.vault.yml 4.21 KiB
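    ---
    # group_vars/all/nextcloud.vault.yml — Nextcloud behind HAProxy with CertBot
    # (example, part 1). Consumed by the ansible_nextcloud / ansible_haproxy /
    # ansible_certbot roles; key names (including `ansible_haproxy_frontent` and
    # `Enable_0rdd`) are kept exactly as those roles expect them.
    #
    # Although the file is named *.vault.yml it is stored here in plaintext.
    # Encrypt it with `ansible-vault encrypt` before committing real values; the
    # credentials below are example placeholders and must be replaced.

    ansible_nextcloud_base_image: agowa338/nextcloud
    ansible_nextcloud_docker_networks:
      - Name: HAProxy2Nextcloud
    ansible_nextcloud_http_host_port: 80
    # Nothing is published from the Nextcloud container directly; HAProxy fronts it.
    ansible_nextcloud_expose_http: false
    ansible_nextcloud_expose_https: false

    # Quoted so that editors/linters never retype or reformat the secrets.
    ansible_nextcloud_admin_password: 'ic1soaxohtooChiemaahicaiyoh5irahfiX6Ai3o'
    ansible_nextcloud_redis_password: 'Eiquaith2toot0QuaeNgei5Ahh8peob0raD0ahgh'
    ansible_nextcloud_mariadb_root_password: 'sai5loove1IxeiNgaiph9equa5oophei7jee5Eix'
    ansible_nextcloud_mariadb_user_username: 'uy9aiW9zei'
    ansible_nextcloud_mariadb_user_password: 'phoh3fei0id3daGisheem0woo2johm1oola1Eep1'

    docker_daemon_options:
      # 2001:db8::/32 is the documentation prefix; replace with a routed prefix.
      fixed-cidr-v6: '2001:db8:9839:ffff::/64'
      ipv6: true
      debug: false
      log-driver: journald

    # Three networks: one dual-stack edge network and two isolated internal
    # networks so that only HAProxy can reach Nextcloud and CertBot.
    docker_networks:
      - name: ipv6Network
        enable_ipv6: true
        ipam_config:
          - subnet: '10.254.0.0/16'
            iprange: '10.254.1.0/24'
          - subnet: '2001:db8:9839::/63'
            aux_addresses:
              haproxy001: '2001:db8:9839::2'
      - name: HAProxy2Nextcloud
        ipam_config:
          - subnet: '10.255.1.0/24'
      - name: HAProxy2Certbot
        ipam_config:
          - subnet: '10.255.5.0/24'

    ansible_haproxy_docker_networks:
      - name: ipv6Network
      - name: HAProxy2Nextcloud
      - name: HAProxy2Certbot
        ipv4_address: 10.255.5.2

    ansible_haproxy_restart_policy: always
    # Port mappings stay quoted: an unquoted 80:80 would parse as a sexagesimal int.
    ansible_haproxy_published_ports:
      - '80:80'
      - '443:443'
    ansible_haproxy_exposed_ports:
      - 80
      - 443
    # ACME HTTP-01 challenges on :80 are forwarded to the CertBot container.
    ansible_haproxy_certbot:
      Enabled: true
      Backend_Servers:
        - Name: CertBot
          IP: 10.255.5.3
          Port: 80
      Port: 80
      Bind_IP:
        - 0.0.0.0
        - '::'
    ansible_haproxy_all_redirect_https: true
    ansible_haproxy_base_image: 'haproxy:alpine'
    ansible_haproxy_global_vars:
      - tune.ssl.default-dh-param 4096
      - >-
        ssl-default-bind-ciphers
        TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM
      - ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ansible_haproxy_frontent:
      - Name: HTTPS
        Bind_IP:
          - 0.0.0.0
          - '::'
        Bind_Port: 443
        # Real boolean: `yes` is only a boolean under YAML 1.1 semantics.
        Enable_0rdd: true
        Mode: http
        Protocol: https
        Backend_Servers:
          - Name: Nextcloud
            Domain: nextcloud.example.com
        # `http-response set-header` replaces any header of the same name the
        # backend emitted, so these override whatever Nextcloud sets itself.
        Additional_Options:
          - >-
            http-response set-header Strict-Transport-Security
            "max-age=31536000;includeSubdomains;preload"
          - http-response set-header X-Content-Type-Options "nosniff"
          - http-response set-header X-XSS-Protection "1;mode=block"
          - >-
            http-response set-header Referrer-Policy
            "strict-origin-when-cross-origin"
          # Public-Key-Pins (HPKP) is deprecated and no longer honoured by current
          # browsers. If kept, a pin that does not match the served chain locks
          # clients out of this host and all subdomains for max-age (30 days);
          # the pins must be regenerated on every key rotation.
          - >-
            http-response set-header Public-Key-Pins
            "pin-sha256=\"Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=\";
            pin-sha256=\"YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=\";
            pin-sha256=\"5C8kvU039KouVrl52D0eZSGf4Onjo4Khs8tmyTlV3nU=\";
            pin-sha256=\"kb6xLprt35abNnSn74my4Dkfya9arbk5zN5a60YzuqE=\";
            max-age=2592000; includeSubdomains"
          # TODO: CSP connect-src self only for nextcloud required
          - >-
            http-response set-header Content-Security-Policy "frame-ancestors
            'self';style-src 'self' 'unsafe-inline';script-src 'self'
            'unsafe-inline' 'unsafe-eval';font-src 'self' data:;img-src 'self'
            data:;form-action 'self';object-src 'none';default-src 'none';base-uri
            'none';connect-src 'self';frame-src 'self';manifest-src 'self'"
          # Kept for clients that predate CSP frame-ancestors.
          - http-response set-header X-Frame-Options SAMEORIGIN
          # (A second X-Content-Type-Options entry was dropped: set-header
          # already writes "nosniff" above, so it only overwrote itself.)
    ansible_haproxy_backend:
      - Name: Nextcloud
        Mode: http
        Backend_Servers:
          - Name: NextcloudContainer
            Address: nextcloud_app_1
            Port: 80
        Additional_Options:
          - option forwardfor
          # Quoted: a plain scalar starting with %[src] would be read as a YAML directive.
          - 'http-request set-header X-Real-IP %[src]'

    ansible_certbot_project_directory: "/srv/certbot"
    ansible_certbot_expose_port: false
    ansible_certbot_docker_networks:
      - name: HAProxy2Certbot
        ipv4_address: 10.255.5.3
    ansible_certbot_contact_mail: "letsencrypt@example.com"
    ansible_certbot_domain_list:
      - nextcloud.example.com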