From d80147564e3d45a051c4773052402880d895e843 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tomislav=20Kopi=C4=87?=
Date: Mon, 12 Feb 2024 22:15:56 +0100
Subject: [PATCH] Fix formating
---
 playbooks/nextcloud.yml | 69 +++++++++++++++------
 templates/nextcloud_nginx_vhost.j2 | 99 ++++++++++++++++++++++++++++++
 2 files changed, 150 insertions(+), 18 deletions(-)
 create mode 100644 templates/nextcloud_nginx_vhost.j2
diff --git a/playbooks/nextcloud.yml b/playbooks/nextcloud.yml
index 75869dc..82cd46e 100644
--- a/playbooks/nextcloud.yml
+++ b/playbooks/nextcloud.yml
@@ -8,31 +8,31 @@
 iosched_mmc: kyber
 iosched_hdd: bfq
 # PHP
- php_memory_limit: {{ ansible_facts['ansible_memtotal_mb'] // 2 }}
+ php_memory_limit: 512
 php_max_upload_size: 4096M
- php_opcache_memory:
- php_opcache_string_buffer:
+ php_opcache_memory: 256
+ php_opcache_string_buffer: 16
 php_opcache_revalidate: 900
 php_pm_mode: ondemand
- php_pm_max_children:
+ php_pm_max_children: 16
 # PostgreSQL
 postgres_db_name: nextclouddb
 postgres_db_user: nextclouduser
- postgres_db_password:
- postgres_shared_buffers:
- postgres_work_mem:
- postgres_temp_buffers:
+ postgres_db_password: testis
+ postgres_shared_buffers: 128
+ postgres_work_mem: 8
+ postgres_temp_buffers: 16
 # Redis
 redis_memory:
 redis_port: 0
 # NextCloud
- nextcloud_hostname:
- nextcloud_admin_user:
- nextcloud_admin_pass:
- nextcloud_preview_concurrency:
- nextcloud_preview_max_memory:
+ nextcloud_hostname: _
+ nextcloud_admin_user: admin
+ nextcloud_admin_pass: admin
+ nextcloud_preview_concurrency: 4
+ nextcloud_preview_max_memory: 256
 nextcloud_preview_jpeg_quality: 75
- nextcloud_preview_max_size: 1280
+ nextcloud_preview_max_resolution: 1280
 nextcloud_loglevel: 3
 tasks:
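Review bot: The new defaults commit live credentials in clear text — `postgres_db_password: testis`, `nextcloud_admin_user: admin` and `nextcloud_admin_pass: admin` — so anyone with read access to the repository, or to a host where the playbook is checked out, obtains the database and Nextcloud admin logins. Keep the keys but source them from an Ansible Vault variable, e.g. `postgres_db_password: "{{ vault_postgres_db_password }}"` (the `vault_…` name is a placeholder), and set `no_log: true` on the tasks that consume them so the values do not end up in playbook output. Separately, the rename of `nextcloud_preview_max_size` to `nextcloud_preview_max_resolution` needs whatever template or task reads that variable updated as well, which this patch does not show; if it still references the old name the variable will be undefined at run time.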
@@ -45,25 +45,58 @@
 - name: "Install system basics"
 apt:
- name: apt-transport-https lsb-release ca-certificates curl sudo wget zip hdparm
+ name:
+ - apt-transport-https
+ - lsb-release
+ - ca-certificates
+ - curl
+ - sudo
+ - wget
+ - zip
+ - hdparm
 status: latest
- - name: "Configure powesaving rules and io schedulers"
+ - name: "Configure io schedulers"
 ansible.builtin.template:
 src: ../templates/io-scheduler.j2
 dest: /etc/udev/rules.d/60-io-scheduler.rules
+
+ - name: "Configure powesaving rules"
 ansible.builtin.copy:
 src: ../templates/disk-power.rules
 dest: /etc/udev/rules.d/65-disk-power.rules
 - name: "Install Nginx"
 apt:
- name: nginx-full certbot python3-certbot-nginx
+ name:
+ - nginx-full
+ - certbot
+ - python3-certbot-nginx
 status: latest
 - name: "Install PHP"
 apt:
- name: php8.2 php8.2-fpm php8.2-gmp php8.2-bz2 php-bcmath php8.2-intl php8.2-mbstring php8.2-apcu php8.2-xml php8.2-redis php8.2-curl php8.2-zip php8.2-pgsql php8.2-gd php8.2-bcmath php8.2-imagick php8.2-common libmagickcore-6.q16-6-extra imagemagick ffmpeg
+ name:
+ - php8.2
+ - php8.2-fpm
+ - php8.2-gmp
+ - php8.2-bz2
+ - php-bcmath
+ - php8.2-intl
+ - php8.2-mbstring
+ - php8.2-apcu
+ - php8.2-xml
+ - php8.2-redis
+ - php8.2-curl
+ - php8.2-zip
+ - php8.2-pgsql
+ - php8.2-gd
+ - php8.2-bcmath
+ - php8.2-imagick
+ - php8.2-common
+ - libmagickcore-6.q16-6-extra
+ - imagemagick
+ - ffmpeg
 status: latest
 - name: "Install Redis"
diff --git a/templates/nextcloud_nginx_vhost.j2 b/templates/nextcloud_nginx_vhost.j2
new file mode 100644
index 0000000..d59fec3
--- /dev/null
+++ b/templates/nextcloud_nginx_vhost.j2
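Review bot: Each `apt:` task in this hunk still passes `status: latest` under the new package lists, but the apt module's parameter is `state`, so the module rejects the task with an unsupported-parameter error before anything is installed; change the line under every list to `state: latest`, or `state: present` if the intent is not to upgrade the packages on every run. The same line is presumably in the `Install Redis` task, whose body starts after the hunk. The PHP list also carries both `php-bcmath` and `php8.2-bcmath`; on a system where 8.2 is the default PHP one of them is redundant.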
@@ -0,0 +1,99 @@
+map $arg_v $asset_immutable {
+ "" "";
+ default "immutable";
+}
+
+server {
+
+ listen 80;
+ server_name {{ nextcloud_hostname }};
+
+ root /nextcloud/;
+ sendfile on;
+
+ client_max_body_size {{ php_max_upload_size }};
+ client_body_timeout 900s;
+
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Strict-Transport-Security "15552000" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "noindex, nofollow" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ fastcgi_hide_header X-Powered-By;
+
+ index index.php index.html /index.php$request_uri;
+
+ location = / {
+ if ( $http_user_agent ~ ^DavClnt ) {
+ return 302 /remote.php/webdav/$is_args$args;
+ }
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location ^~ /.well-known {
+
+ location = /.well-known/carddav { return 301 /remote.php/dav/; }
+ location = /.well-known/caldav { return 301 /remote.php/dav/; }
+
+ location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
+ location /.well-known/pki-validation { try_files $uri $uri/ =404; }
+
+ return 301 /index.php$request_uri;
+ }
+
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
+
+ location ~ \.php(?:$|/) {
+
+ rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ set $path_info $fastcgi_path_info;
+
+ try_files $fastcgi_script_name =404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $path_info;
+ fastcgi_param modHeadersAvailable true;
+ fastcgi_param front_controller_active true;
+ fastcgi_pass unix:///run/php/cloudMain.sock;
+ fastcgi_read_timeout 300s;
+ fastcgi_intercept_errors on;
+
+ }
+
+ location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+ access_log off; # Optional: Don't log access to assets
+
+ location ~ \.wasm$ {
+ default_type application/wasm;
+ }
+ }
+
+ location ~ \.woff2?$ {
+ try_files $uri /index.php$request_uri;
+ expires 7d;
+ access_log off;
+ }
+
+ location /remote {
+ return 301 /remote.php$request_uri;
+ }
+
+ location / {
+ try_files $uri $uri/ /index.php$request_uri;
+ }
+
+}
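Review bot: The `Strict-Transport-Security` value `"15552000"` is not a valid HSTS directive — browsers require the `max-age=<seconds>` form and ignore the header otherwise — so it should read `add_header Strict-Transport-Security "max-age=15552000" always;`; note too that HSTS is only honoured on an HTTPS response and this server block only has `listen 80;`, so the header has no effect until a TLS listener exists (presumably added by certbot, which the playbook installs). Because nginx does not inherit `add_header` into a location that declares its own, the asset location with `add_header Cache-Control …` returns none of the server-level security headers, so CSS/JS responses lose `X-Content-Type-Options: nosniff` and the rest; repeat the directives there or move them into an included snippet. The Cache-Control value `"public, max-age=15778463, $asset_immutable"` also ends in a dangling `, ` whenever `$asset_immutable` is empty; use `default ", immutable";` in the map and `"public, max-age=15778463$asset_immutable"` in the header.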