dienste:bytecluster0002:nextcloud [04.10.2020 20:42] – chaos | dienste:bytecluster0002:nextcloud [19.07.2023 19:17] (aktuell) – mape2k | ||
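--- a/dienste:bytecluster0002:nextcloud
+++ b/dienste:bytecluster0002:nextcloud
@@ -1 +1 @@
-====== Proxmox container '
+====== Proxmox container '
+===== Status =====
+* läuft, beta
+* https://
+* bisher noch ohne redis cache
 ===== Container setup =====
-* IP: 10.2.0.20
 * image: debian10 with users
+* 1. Netzwerkinterface
+* eth0
+* 10.2.0.20/
+* bridge: vmbr0
+* 2. Netzwerkinterface:
+* eth1,
+* 10.3.0.20/
+* bridge: vmbr1
 ===== Ansible setup =====
-* verbindet man sich als unpriviligierter user und müchte in commando
+* verbindet man sich als unpriviligierter user und möchte ein Command
 ===== Ansible Script =====
@@ -16 +27 @@
 tasks:
+- name: remove apache2
+apt:
+name: apache2
+state: absent
+
 - name: install packages
 apt:
@@ -31 +47 @@
 - php7.3-redis
 - php7.3-imagick
+- php7.3-fpm
 - ffmpeg
+- nginx
+
+- name: check if nextcloud is already installed
+stat:
+path: /
+register: nextcloud_exists
 - name: Download nextcloud and unpack
@@ -40 +63 @@
 group: www-data
 remote_src: yes
+when: not nextcloud_exists.stat.exists
 - name: Remove file packed file
@@ -49 +73 @@
 become_user:
 become: yes
-shell:
+shell:
-php occ maintenance:
+php occ maintenance:
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
 args:
 chdir: /
 creates: /
+
+- name: add domain to trusted domains
+become_user:
+become: yes
+lineinfile:
+path: /
+insertafter:
+line: "
+firstmatch: yes
 - name: copy nginx config
@@ -90 +114 @@
 daemon_reload:
 name: nginx
+
+
+</
+
+==== Notizen ====
+
+* Ansible script läd momentan das .zip nicht herunter. Fehler unbekannt.
+* Sonderzeichen in Passwörtern führen zu fehlern. Genaue Escape-Sequence noch unbekannt.
+
+===== Nginx Config =====
+<
+upstream php-handler {
+#server 127.0.0.1:
+server unix:/
+}
+
+server {
+listen 8087;
+listen [::]:8087;
+server_name cloud.technikkultur-erfurt.de;
+
+# Enforce HTTPS
+#return 301 https://
+#}
+
+#server {
+# listen 443 ssl http2;
+# listen [::]:443 ssl http2;
+# server_name cloud.technikkultur-erfurt.de;
+
+# Use Mozilla'
+# https://
+# ssl_certificate
+# ssl_certificate_key /
+
+# HSTS settings
+# WARNING: Only add the preload option once you read about
+# the consequences in https://
+# will add the domain to a hardcoded list that is shipped
+# in all major browsers and getting removed from this list
+# could take several months.
+#add_header Strict-Transport-Security "
+
+# set max upload size
+client_max_body_size 512M;
+fastcgi_buffers 64 4K;
+
+# Enable gzip but do not remove ETag headers
+gzip on;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 256;
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+gzip_types application/
+
+# Pagespeed is not supported by Nextcloud, so if your server is built
+# with the `ngx_pagespeed` module, uncomment this line to disable it.
+#pagespeed off;
+
+# HTTP response headers borrowed from Nextcloud `.htaccess`
+add_header Referrer-Policy
+add_header X-Content-Type-Options
+add_header X-Download-Options
+add_header X-Frame-Options
+add_header X-Permitted-Cross-Domain-Policies
+add_header X-Robots-Tag
+add_header X-XSS-Protection
+
+# Remove X-Powered-By,
+fastcgi_hide_header X-Powered-By;
+
+# Path to the root of your installation
+root /
+
+# Specify how to handle directories -- specifying `/
+# here as the fallback means that Nginx always exhibits the desired behaviour
+# when a client requests a path that corresponds to a directory that exists
+# on the server. In particular, if that directory contains an index.php file,
+# that file is correctly served; if it doesn'
+# the front-end controller. This consistent behaviour means that we don't need
+# to specify custom rules for certain paths (e.g. images and other assets,
+# `/updater`, `/
+# `try_files $uri $uri/ /
+# always provides the desired behaviour.
+index index.php index.html /
+
+# Default Cache-Control policy
+expires 1m;
+
+# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+location = / {
+if ( $http_user_agent ~ ^DavClnt ) {
+return 302 /
+}
+}
+
+location = /robots.txt {
+allow all;
+log_not_found off;
+access_log off;
+}
+
+# Make a regex exception for `/
+# access it despite the existence of the regex rule
+# `location ~ /
+# for `/
+location ^~ /
+# The following 6 rules are borrowed from `.htaccess`
+
+rewrite ^/
+rewrite ^/
+rewrite ^/
+rewrite ^/
+
+location = /
+location = /
+
+try_files $uri $uri/ =404;
+}
+
+# Rules borrowed from `.htaccess` to hide certain paths from clients
+location ~ ^/
+location ~ ^/
+
+# Ensure this block, which passes PHP files to the PHP process, is above the blocks
+# which handle static assets (as seen below). If this block is not declared first,
+# then Nginx will encounter an infinite rewriting loop when it prepends `/
+# to the URI, resulting in a HTTP 500 error response.
+location ~ \.php(?:
+fastcgi_split_path_info ^(.+?
+set $path_info $fastcgi_path_info;
+
+try_files $fastcgi_script_name =404;
+
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param PATH_INFO $path_info;
+fastcgi_param HTTPS on;
+
+fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
+fastcgi_param front_controller_active true; # Enable pretty urls
+fastcgi_pass php-handler;
+
+fastcgi_intercept_errors on;
+fastcgi_request_buffering off;
+}
+
+location ~ \.(?:
+try_files $uri /
+expires 6M; # Cache-Control policy borrowed from `.htaccess`
+access_log off; # Optional: Don't log access to assets
+}
+
+location ~ \.woff2?$ {
+try_files $uri /
+expires 7d; # Cache-Control policy borrowed from `.htaccess`
+access_log off; # Optional: Don't log access to assets
+}
+
+location / {
+try_files $uri $uri/ /
+}
+}
 </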
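Review bot: The occ install task in the `Zeile 49`/`Zeile 73` hunk (`shell:` followed by `php occ maintenance:`, whose arguments are lost in this extraction) appears to interpolate the database and admin passwords straight into a shell command line, which is exactly the failure the new Notizen entry "Sonderzeichen in Passwörtern führen zu fehlern" describes: a password containing `$`, `'`, `;` or a backtick is parsed by `/bin/sh` instead of being handed to occ, and the "unknown escape sequence" is the shell's, not occ's. Run each secret through the quote filter (`--admin-pass {{ nextcloud_admin_pass | quote }}`) or, better, switch the task to `command:` with an `argv:` list so no shell is involved, and add `no_log: true` to the task so the password does not end up in the Ansible output. Separately, the nginx server block listens on plain `8087` yet sends `fastcgi_param HTTPS on;` to PHP-FPM; that is only correct if TLS is terminated by a proxy in front, in which case Nextcloud's config.php should also carry `trusted_proxies` and `overwriteprotocol` so that forwarded client addresses are accepted only from that proxy and generated links are https. Whether such a proxy exists cannot be confirmed from this page (the Status section only shows a truncated https URL).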