add nextcloud cron job, fix spacing and forward XFF

2025-01-30 09:07:25 +01:00 · 2025-01-30 09:07:25 +01:00 · 486b48acb8
commit 486b48acb8
parent ca1c3d8347
7 changed files with 172 additions and 137 deletions
--- a/main.tf
+++ b/main.tf
@ -96,13 +96,13 @@ module "caddy_config" {
 }

 module "nextcloud_config" {
-  source              = "./modules/nextcloud"
-  ssh_authorized_keys = var.ssh_authorized_keys
-  nextcloud_domain    = "nextcloud.broken-by-design.fr"
+  source                   = "./modules/nextcloud"
+  ssh_authorized_keys      = var.ssh_authorized_keys
+  nextcloud_domain         = "nextcloud.broken-by-design.fr"
  reverse_proxy_ip_address = "10.109.0.14"
  nextcloud_trusted_domains = [
    "nextcloud.broken-by-design.fr",
  ]
  luks_passphrase = var.nextcloud_luks_passphrase
-  luks_use_tpm2 = false
+  luks_use_tpm2   = false
 }
--- a/modules/nextcloud/files/Caddyfile.tftpl
+++ b/modules/nextcloud/files/Caddyfile.tftpl
@ -1,102 +1,103 @@
 http://${nextcloud_domain}:80 {
-	redir https://${nextcloud_domain}{uri} permanent
+  redir https://${nextcloud_domain}{uri} permanent
 }

 ${nextcloud_domain}:443 {
-	root * /var/www/html
-	encode gzip zstd
+  root * /var/www/html
+  encode gzip zstd

-    rewrite /ocm-provider/ /index.php
-    rewrite /ocs-provider/ /ocs-provider/index.php
-    rewrite /remote /remote.php
-    rewrite /remote/* /remote.php?{query}
+  rewrite /ocm-provider/ /index.php
+  rewrite /ocs-provider/ /ocs-provider/index.php
+  rewrite /remote /remote.php
+  rewrite /remote/* /remote.php?{query}

-    redir /.well-known/caldav /remote.php/dav 301
-    redir /.well-known/carddav /remote.php/dav 301
-    redir /.well-known/webfinger /index.php/.well-known/webfinger 301
-    redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
+  redir /.well-known/caldav /remote.php/dav 301
+  redir /.well-known/carddav /remote.php/dav 301
+  redir /.well-known/webfinger /index.php/.well-known/webfinger 301
+  redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301

-	# .htaccess / data / config / ... shouldn't be accessible from outside
-	@forbidden {
-        path /.htaccess
-        path /.xml
-        path /console.php
-        path /cron.php
-        path /3rdparty/*
-        path /README
-        path /autotest/*
-        path /build/*
-        path /config/*
-        path /console/*
-        path /data/*
-        path /db_*/*
-        path /db_structure
-        path /indie/*
-        path /issue/*
-        path /lib/*
-        path /occ
-        path /occ/*
-        path /templates/*
-        path /tests/*
+  # .htaccess / data / config / ... shouldn't be accessible from outside
+  @forbidden {
+    path /.htaccess
+    path /.xml
+    path /console.php
+    path /cron.php
+    path /3rdparty/*
+    path /README
+    path /autotest/*
+    path /build/*
+    path /config/*
+    path /console/*
+    path /data/*
+    path /db_*/*
+    path /db_structure
+    path /indie/*
+    path /issue/*
+    path /lib/*
+    path /occ
+    path /occ/*
+    path /templates/*
+    path /tests/*
+  }
+  respond @forbidden 404
+
+  @static {
+    method GET HEAD
+    not path /index.php*
+    not path /apps/theming/composer/*
+    not path /apps/theming/lib/*
+    not path /apps/theming/templates/*
+    not path /apps/theming/theme/*
+    not path /js/core/merged-template-prepend.js
+    path *.css
+    path *.css.map
+    path *.gif
+    path *.ico
+    path *.jpg
+    path *.js
+    path *.js.map
+    path *.json
+    path *.mjs
+    path *.otf
+    path *.png
+    path *.svg
+    path *.tflite
+    path *.wasm
+    path *.webp
+    path *.woff2
+  }
+
+  handle @static {
+    header Cache-Control "max-age=604800"
+    file_server
+  }
+
+  handle * {
+    @index_files file {
+      try_files {path} {path}/index.php /index.php{path}
+      split_path .php
    }
-	respond @forbidden 404
-
-    @static {
-        method GET HEAD
-        not path /index.php*
-        not path /apps/theming/composer/*
-        not path /apps/theming/lib/*
-        not path /apps/theming/templates/*
-        not path /apps/theming/theme/*
-        not path /js/core/merged-template-prepend.js
-        path *.css
-        path *.css.map
-        path *.gif
-        path *.ico
-        path *.jpg
-        path *.js
-        path *.js.map
-        path *.json
-        path *.mjs
-        path *.otf
-        path *.png
-        path *.svg
-        path *.tflite
-        path *.wasm
-        path *.webp
-        path *.woff2
+    rewrite @index_files {file_match.relative}
+    php_fastcgi nextcloud:9000 {
+      env PATH /bin
+      env modHeadersAvailable true
+      env front_controller_active true
+      dial_timeout 60s
+      read_timeout 3600s
+      write_timeout 300s
+      header_up X-Forwarded-For {header.X-Forwarded-For} # Keep header from previous "general" reverse proxy
+      header_up X-Real-IP {remote_host}
    }

-	handle @static {
-		header Cache-Control "max-age=604800"
-		file_server
-	}
+  header Strict-Transport-Security "max-age=15768000;"
+  header X-Content-Type-Options "nosniff"
+  header X-XSS-Protection "1; mode=block"
+  header X-Robots-Tag "noindex, nofollow"
+  header X-Download-Options "noopen"
+  header X-Permitted-Cross-Domain-Policies "none"
+  header Referrer-Policy "no-referrer"
+  header X-Frame-Options "SAMEORIGIN"

-	handle * {
-		@index_files file {
-				try_files {path} {path}/index.php /index.php{path}
-				split_path .php
-		}
-		rewrite @index_files {file_match.relative}
-		php_fastcgi nextcloud:9000 {
-			env PATH /bin
-			env modHeadersAvailable true
-			env front_controller_active true
-			dial_timeout 60s
-			read_timeout 3600s
-			write_timeout 300s
-		}
-	}
-
-	header Strict-Transport-Security "max-age=15768000;"
-    header X-Content-Type-Options "nosniff"
-	header X-XSS-Protection "1; mode=block"
-	header X-Robots-Tag "noindex, nofollow"
-	header X-Download-Options "noopen"
-	header X-Permitted-Cross-Domain-Policies "none"
-	header Referrer-Policy "no-referrer"
-	header X-Frame-Options "SAMEORIGIN"
-
-	log
-	tls internal
+  log
+  tls internal
 }
--- a/modules/nextcloud/files/nextcloud-cronjob.service.tftpl
+++ b/modules/nextcloud/files/nextcloud-cronjob.service.tftpl
@ -0,0 +1,7 @@
+[Unit]
+Description=Nextcloud cron.php job
+
+[Service]
+ExecCondition=/usr/bin/podman exec -ti -u www-data ${nextcloud_container_name} /usr/local/bin/php -f /var/www/html/occ status -ev
+ExecStart=/usr/bin/podman exec -ti -u www-data ${nextcloud_container_name} /usr/local/bin/php -f /var/www/html/cron.php
+KillMode=process
--- a/modules/nextcloud/files/nextcloud-cronjob.timer
+++ b/modules/nextcloud/files/nextcloud-cronjob.timer
@ -0,0 +1,9 @@
+[Unit]
+Description=Run Nextcloud cron.php every 5 minutes
+
+[Timer]
+OnBootSec=5min
+OnUnitActiveSec=5min
+
+[Install]
+WantedBy=timers.target
--- a/modules/nextcloud/main.tf
+++ b/modules/nextcloud/main.tf
@ -10,8 +10,8 @@ locals {
  caddyfile_dir_path            = "/opt/caddy"
  caddyfile_file_path           = "${local.caddyfile_dir_path}/Caddyfile"
  postgres_password_secret_name = "postgres-passwd"
-  php_fpm_config_dir_path = "/opt/php"
-  php_fpm_config_file_path = "${local.php_fpm_config_dir_path}/www.conf"
+  php_fpm_config_dir_path       = "/opt/php"
+  php_fpm_config_file_path      = "${local.php_fpm_config_dir_path}/www.conf"

  caddy_data_volume_name     = "caddy-data"
  nextcloud_data_volume_name = "nextcloud-data"
@ -73,9 +73,9 @@ locals {

  caddy_data_luks = merge(
    {
-      name   = "encrypted-${local.caddy_data_volume_name}"
-      device = "${local.data_device_path}1"
-      label  = "encrypted-${local.caddy_data_volume_name}"
+      name       = "encrypted-${local.caddy_data_volume_name}"
+      device     = "${local.data_device_path}1"
+      label      = "encrypted-${local.caddy_data_volume_name}"
      wipeVolume = false
    },
    var.luks_passphrase == "" ? {} : {
@ -95,9 +95,9 @@ locals {

  nextcloud_data_luks = merge(
    {
-      name   = "encrypted-${local.nextcloud_data_volume_name}"
-      device = "${local.data_device_path}2"
-      label  = "encrypted-${local.nextcloud_data_volume_name}"
+      name       = "encrypted-${local.nextcloud_data_volume_name}"
+      device     = "${local.data_device_path}2"
+      label      = "encrypted-${local.nextcloud_data_volume_name}"
      wipeVolume = false
    },
    var.luks_passphrase == "" ? {} : {
@ -117,9 +117,9 @@ locals {

  postgres_data_luks = merge(
    {
-      name   = "encrypted-${local.postgres_data_volume_name}"
-      device = "${local.data_device_path}3"
-      label  = "encrypted-${local.postgres_data_volume_name}"
+      name       = "encrypted-${local.postgres_data_volume_name}"
+      device     = "${local.data_device_path}3"
+      label      = "encrypted-${local.postgres_data_volume_name}"
      wipeVolume = false
    },
    var.luks_passphrase == "" ? {} : {
@ -139,9 +139,9 @@ locals {

  valkey_data_luks = merge(
    {
-      name   = "encrypted-${local.valkey_data_volume_name}"
-      device = "${local.data_device_path}4"
-      label  = "encrypted-${local.valkey_data_volume_name}"
+      name       = "encrypted-${local.valkey_data_volume_name}"
+      device     = "${local.data_device_path}4"
+      label      = "encrypted-${local.valkey_data_volume_name}"
      wipeVolume = false
    },
    var.luks_passphrase == "" ? {} : {
@ -160,30 +160,30 @@ locals {
  )

  caddy_data_filesystem = {
-    device = "/dev/disk/by-id/dm-name-encrypted-${local.caddy_data_volume_name}"
-    format = "ext4"
-    label  = local.caddy_data_volume_name
+    device         = "/dev/disk/by-id/dm-name-encrypted-${local.caddy_data_volume_name}"
+    format         = "ext4"
+    label          = local.caddy_data_volume_name
    wipeFilesystem = false
  }

  nextcloud_data_filesystem = {
-    device = "/dev/disk/by-id/dm-name-encrypted-${local.nextcloud_data_volume_name}"
-    format = "ext4"
-    label  = local.nextcloud_data_volume_name
+    device         = "/dev/disk/by-id/dm-name-encrypted-${local.nextcloud_data_volume_name}"
+    format         = "ext4"
+    label          = local.nextcloud_data_volume_name
    wipeFilesystem = false
  }

  postgres_data_filesystem = {
-    device = "/dev/disk/by-id/dm-name-encrypted-${local.postgres_data_volume_name}"
-    format = "ext4"
-    label  = local.postgres_data_volume_name
+    device         = "/dev/disk/by-id/dm-name-encrypted-${local.postgres_data_volume_name}"
+    format         = "ext4"
+    label          = local.postgres_data_volume_name
    wipeFilesystem = false
  }

  valkey_data_filesystem = {
-    device = "/dev/disk/by-id/dm-name-encrypted-${local.valkey_data_volume_name}"
-    format = "ext4"
-    label  = local.valkey_data_volume_name
+    device         = "/dev/disk/by-id/dm-name-encrypted-${local.valkey_data_volume_name}"
+    format         = "ext4"
+    label          = local.valkey_data_volume_name
    wipeFilesystem = false
    options = [
      "-E", "root_owner=999:999",
@ -191,20 +191,20 @@ locals {
  }

  hostname_file = {
-    path = "/etc/hostname"
-    user = {id = 0}
-    group = {id = 0}
-    mode = 420 # 0644
+    path  = "/etc/hostname"
+    user  = { id = 0 }
+    group = { id = 0 }
+    mode  = 420 # 0644
    contents = {
      source = "data:text/plain,nextcloud"
    }
  }

  hosts_file = {
-    path = "/etc/hosts"
-    user = {id = 0}
-    group = {id = 0}
-    mode = 420 # 0644
+    path  = "/etc/hosts"
+    user  = { id = 0 }
+    group = { id = 0 }
+    mode  = 420 # 0644
    append = [
      {
        source = format(
@ -479,7 +479,7 @@ locals {
          templatefile(
            "${path.module}/files/Caddyfile.tftpl",
            {
-              nextcloud_domain = var.nextcloud_domain
+              nextcloud_domain         = var.nextcloud_domain
              nextcloud_container_name = local.nextcloud_container_name
            }
          )
@ -500,7 +500,7 @@ locals {
          templatefile(
            "${path.module}/files/postgres.env.tftpl",
            {
-              postgres_user_name = "nextcloud"
+              postgres_user_name     = "nextcloud"
              postgres_database_name = "nextcloud"
            }
          )
@ -517,10 +517,10 @@ locals {
  }

  php_fpm_config_file = {
-    path = "/opt/php/www.conf"
-    user = {id = 0}
-    group = {id = 0}
-    mode = 420 # 0644
+    path  = "/opt/php/www.conf"
+    user  = { id = 0 }
+    group = { id = 0 }
+    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
@ -542,6 +542,22 @@ locals {
    )
  }

+  nextcloud_cronjob_service_unit = {
+    name = "nextcloud-cronjob.service"
+    contents = templatefile(
+      "${path.module}/files/nextcloud-cronjob.service.tftpl",
+      {
+        nextcloud_container_name = local.nextcloud_container_name
+      }
+    )
+  }
+
+  nextcloud_cronjob_timer_unit = {
+    name     = "nextcloud-cronjob.timer"
+    enabled  = true
+    contents = file("${path.module}/files/nextcloud-cronjob.timer")
+  }
+
  ignition_config = {
    ignition = {
      version = "3.5.0"
@ -589,6 +605,8 @@ locals {
    systemd = {
      units = [
        local.generate_secrets_systemd_unit,
+        local.nextcloud_cronjob_service_unit,
+        local.nextcloud_cronjob_timer_unit,
      ]
    }
    passwd = {
--- a/modules/nextcloud/variables.tf
+++ b/modules/nextcloud/variables.tf
@ -14,7 +14,7 @@ variable "nextcloud_trusted_domains" {
 }

 variable "reverse_proxy_ip_address" {
-  type = string
+  type     = string
  nullable = false
 }

@ -25,6 +25,6 @@ variable "luks_passphrase" {
 }

 variable "luks_use_tpm2" {
-  type = bool
+  type     = bool
  nullable = false
 }
--- a/outputs.tf
+++ b/outputs.tf
@ -7,6 +7,6 @@ output "caddy_config" {
 }

 output "nextcloud_config" {
-  value = module.nextcloud_config.config
+  value     = module.nextcloud_config.config
  sensitive = true
 }