From 486b48acb86d0fa89c23b3de6e1641e674dcff7b Mon Sep 17 00:00:00 2001 From: Florian Date: Thu, 30 Jan 2025 09:07:25 +0100 Subject: [PATCH] add nextcloud cron job, fix spacing and forward XFF --- main.tf | 8 +- modules/nextcloud/files/Caddyfile.tftpl | 181 +++++++++--------- .../files/nextcloud-cronjob.service.tftpl | 7 + .../nextcloud/files/nextcloud-cronjob.timer | 9 + modules/nextcloud/main.tf | 98 ++++++---- modules/nextcloud/variables.tf | 4 +- outputs.tf | 2 +- 7 files changed, 172 insertions(+), 137 deletions(-) create mode 100644 modules/nextcloud/files/nextcloud-cronjob.service.tftpl create mode 100644 modules/nextcloud/files/nextcloud-cronjob.timer diff --git a/main.tf b/main.tf index 60a802b..cde3cca 100644 --- a/main.tf +++ b/main.tf @@ -96,13 +96,13 @@ module "caddy_config" { } module "nextcloud_config" { - source = "./modules/nextcloud" - ssh_authorized_keys = var.ssh_authorized_keys - nextcloud_domain = "nextcloud.broken-by-design.fr" + source = "./modules/nextcloud" + ssh_authorized_keys = var.ssh_authorized_keys + nextcloud_domain = "nextcloud.broken-by-design.fr" reverse_proxy_ip_address = "10.109.0.14" nextcloud_trusted_domains = [ "nextcloud.broken-by-design.fr", ] luks_passphrase = var.nextcloud_luks_passphrase - luks_use_tpm2 = false + luks_use_tpm2 = false } \ No newline at end of file diff --git a/modules/nextcloud/files/Caddyfile.tftpl b/modules/nextcloud/files/Caddyfile.tftpl index 2dd7792..6f2e25a 100644 --- a/modules/nextcloud/files/Caddyfile.tftpl +++ b/modules/nextcloud/files/Caddyfile.tftpl 
@@ -1,102 +1,103 @@ http://${nextcloud_domain}:80 { - redir https://${nextcloud_domain}{uri} permanent + redir https://${nextcloud_domain}{uri} permanent } ${nextcloud_domain}:443 { - root * /var/www/html - encode gzip zstd + root * /var/www/html + encode gzip zstd - rewrite /ocm-provider/ /index.php - rewrite /ocs-provider/ /ocs-provider/index.php - rewrite /remote /remote.php - rewrite /remote/* /remote.php?{query} + rewrite /ocm-provider/ /index.php + rewrite /ocs-provider/ /ocs-provider/index.php + rewrite /remote /remote.php + rewrite /remote/* /remote.php?{query} - redir /.well-known/caldav /remote.php/dav 301 - redir /.well-known/carddav /remote.php/dav 301 - redir /.well-known/webfinger /index.php/.well-known/webfinger 301 - redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301 + redir /.well-known/caldav /remote.php/dav 301 + redir /.well-known/carddav /remote.php/dav 301 + redir /.well-known/webfinger /index.php/.well-known/webfinger 301 + redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301 - # .htaccess / data / config / ... shouldn't be accessible from outside - @forbidden { - path /.htaccess - path /.xml - path /console.php - path /cron.php - path /3rdparty/* - path /README - path /autotest/* - path /build/* - path /config/* - path /console/* - path /data/* - path /db_*/* - path /db_structure - path /indie/* - path /issue/* - path /lib/* - path /occ - path /occ/* - path /templates/* - path /tests/* + # .htaccess / data / config / ... 
shouldn't be accessible from outside + @forbidden { + path /.htaccess + path /.xml + path /console.php + path /cron.php + path /3rdparty/* + path /README + path /autotest/* + path /build/* + path /config/* + path /console/* + path /data/* + path /db_*/* + path /db_structure + path /indie/* + path /issue/* + path /lib/* + path /occ + path /occ/* + path /templates/* + path /tests/* + } + respond @forbidden 404 + + @static { + method GET HEAD + not path /index.php* + not path /apps/theming/composer/* + not path /apps/theming/lib/* + not path /apps/theming/templates/* + not path /apps/theming/theme/* + not path /js/core/merged-template-prepend.js + path *.css + path *.css.map + path *.gif + path *.ico + path *.jpg + path *.js + path *.js.map + path *.json + path *.mjs + path *.otf + path *.png + path *.svg + path *.tflite + path *.wasm + path *.webp + path *.woff2 + } + + handle @static { + header Cache-Control "max-age=604800" + file_server + } + + handle * { + @index_files file { + try_files {path} {path}/index.php /index.php{path} + split_path .php } - respond @forbidden 404 - - @static { - method GET HEAD - not path /index.php* - not path /apps/theming/composer/* - not path /apps/theming/lib/* - not path /apps/theming/templates/* - not path /apps/theming/theme/* - not path /js/core/merged-template-prepend.js - path *.css - path *.css.map - path *.gif - path *.ico - path *.jpg - path *.js - path *.js.map - path *.json - path *.mjs - path *.otf - path *.png - path *.svg - path *.tflite - path *.wasm - path *.webp - path *.woff2 + rewrite @index_files {file_match.relative} + php_fastcgi nextcloud:9000 { + env PATH /bin + env modHeadersAvailable true + env front_controller_active true + dial_timeout 60s + read_timeout 3600s + write_timeout 300s + header_up X-Forwarded-For {header.X-Forwarded-For} # Keep header from previous "general" reverse proxy + header_up X-Real-IP {remote_host} } - handle @static { - header Cache-Control "max-age=604800" - file_server - } + header 
Strict-Transport-Security "max-age=15768000;" + header X-Content-Type-Options "nosniff" + header X-XSS-Protection "1; mode=block" + header X-Robots-Tag "noindex, nofollow" + header X-Download-Options "noopen" + header X-Permitted-Cross-Domain-Policies "none" + header Referrer-Policy "no-referrer" + header X-Frame-Options "SAMEORIGIN" - handle * { - @index_files file { - try_files {path} {path}/index.php /index.php{path} - split_path .php - } - rewrite @index_files {file_match.relative} - php_fastcgi nextcloud:9000 { - env PATH /bin - env modHeadersAvailable true - env front_controller_active true - dial_timeout 60s - read_timeout 3600s - write_timeout 300s - } - } - - header Strict-Transport-Security "max-age=15768000;" - header X-Content-Type-Options "nosniff" - header X-XSS-Protection "1; mode=block" - header X-Robots-Tag "noindex, nofollow" - header X-Download-Options "noopen" - header X-Permitted-Cross-Domain-Policies "none" - header Referrer-Policy "no-referrer" - header X-Frame-Options "SAMEORIGIN" - - log - tls internal + log + tls internal } diff --git a/modules/nextcloud/files/nextcloud-cronjob.service.tftpl b/modules/nextcloud/files/nextcloud-cronjob.service.tftpl new file mode 100644 index 0000000..2c9a33b --- /dev/null +++ b/modules/nextcloud/files/nextcloud-cronjob.service.tftpl @@ -0,0 +1,7 @@ +[Unit] +Description=Nextcloud cron.php job + +[Service] +ExecCondition=/usr/bin/podman exec -ti -u www-data ${nextcloud_container_name} /usr/local/bin/php -f /var/www/html/occ status -ev +ExecStart=/usr/bin/podman exec -ti -u www-data ${nextcloud_container_name} /usr/local/bin/php -f /var/www/html/cron.php +KillMode=process diff --git a/modules/nextcloud/files/nextcloud-cronjob.timer b/modules/nextcloud/files/nextcloud-cronjob.timer new file mode 100644 index 0000000..6f01507 --- /dev/null +++ b/modules/nextcloud/files/nextcloud-cronjob.timer 
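Review bot: The new `header_up X-Forwarded-For {header.X-Forwarded-For}` inside the php_fastcgi block forwards whatever X-Forwarded-For the incoming request already carries, so a client that can reach this Caddy instance without passing through the upstream "general" reverse proxy can present a forged client address to Nextcloud, which (once Caddy is listed in its trusted proxies) uses that header for brute-force protection and logging, as far as I know. The usual fix is to trust the header only from the upstream proxy: drop the override and add `trusted_proxies ${reverse_proxy_ip_address}` to the php_fastcgi block (or the global `servers { trusted_proxies static ${reverse_proxy_ip_address} }` option, depending on the Caddy version deployed), after which Caddy preserves the upstream X-Forwarded-For only for connections from that address and replaces it otherwise. That needs `reverse_proxy_ip_address = var.reverse_proxy_ip_address` added to the Caddyfile templatefile() call in the modules/nextcloud/main.tf hunk at -479, where only nextcloud_domain and nextcloud_container_name are passed today. Separately, `header_up X-Real-IP {remote_host}` will carry the upstream proxy's address rather than the end client's, because {remote_host} is the direct TCP peer; with trusted_proxies configured, `{client_ip}` (Caddy 2.7+, if I recall correctly) is the placeholder that yields the real client.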
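Review bot: Both `ExecCondition` and `ExecStart` in the new nextcloud-cronjob.service unit pass `-ti` to `podman exec`, but a unit started by a timer has no controlling terminal or interactive stdin, so the flags are at best pointless and, with some podman versions, may make the exec fail outright; `ExecStart=/usr/bin/podman exec -u www-data ${nextcloud_container_name} /usr/local/bin/php -f /var/www/html/cron.php` (and the same change on ExecCondition) is the intended form. The unit also sets no `Type=`, so it runs as Type=simple and is considered "active" as soon as podman forks; `Type=oneshot` under `[Service]` is the conventional choice for a timer-driven job and, as I understand it, makes the timer's `OnUnitActiveSec` count from the end of a completed run rather than from the fork. `KillMode=process` means the process started by `podman exec` can outlive a stop request, which may be intentional here but deserves a one-line comment in the unit saying so.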
@@ -0,0 +1,9 @@ +[Unit] +Description=Run Nextcloud cron.php every 5 minutes + +[Timer] +OnBootSec=5min +OnUnitActiveSec=5min + +[Install] +WantedBy=timers.target diff --git a/modules/nextcloud/main.tf b/modules/nextcloud/main.tf index a83b561..947e305 100644 --- a/modules/nextcloud/main.tf +++ b/modules/nextcloud/main.tf @@ -10,8 +10,8 @@ locals { caddyfile_dir_path = "/opt/caddy" caddyfile_file_path = "${local.caddyfile_dir_path}/Caddyfile" postgres_password_secret_name = "postgres-passwd" - php_fpm_config_dir_path = "/opt/php" - php_fpm_config_file_path = "${local.php_fpm_config_dir_path}/www.conf" + php_fpm_config_dir_path = "/opt/php" + php_fpm_config_file_path = "${local.php_fpm_config_dir_path}/www.conf" caddy_data_volume_name = "caddy-data" nextcloud_data_volume_name = "nextcloud-data" @@ -73,9 +73,9 @@ locals { caddy_data_luks = merge( { - name = "encrypted-${local.caddy_data_volume_name}" - device = "${local.data_device_path}1" - label = "encrypted-${local.caddy_data_volume_name}" + name = "encrypted-${local.caddy_data_volume_name}" + device = "${local.data_device_path}1" + label = "encrypted-${local.caddy_data_volume_name}" wipeVolume = false }, var.luks_passphrase == "" ? {} : { @@ -95,9 +95,9 @@ locals { nextcloud_data_luks = merge( { - name = "encrypted-${local.nextcloud_data_volume_name}" - device = "${local.data_device_path}2" - label = "encrypted-${local.nextcloud_data_volume_name}" + name = "encrypted-${local.nextcloud_data_volume_name}" + device = "${local.data_device_path}2" + label = "encrypted-${local.nextcloud_data_volume_name}" wipeVolume = false }, var.luks_passphrase == "" ? {} : { 
@@ -117,9 +117,9 @@ locals { postgres_data_luks = merge( { - name = "encrypted-${local.postgres_data_volume_name}" - device = "${local.data_device_path}3" - label = "encrypted-${local.postgres_data_volume_name}" + name = "encrypted-${local.postgres_data_volume_name}" + device = "${local.data_device_path}3" + label = "encrypted-${local.postgres_data_volume_name}" wipeVolume = false }, var.luks_passphrase == "" ? {} : { @@ -139,9 +139,9 @@ locals { valkey_data_luks = merge( { - name = "encrypted-${local.valkey_data_volume_name}" - device = "${local.data_device_path}4" - label = "encrypted-${local.valkey_data_volume_name}" + name = "encrypted-${local.valkey_data_volume_name}" + device = "${local.data_device_path}4" + label = "encrypted-${local.valkey_data_volume_name}" wipeVolume = false }, var.luks_passphrase == "" ? {} : { 
@@ -160,30 +160,30 @@ locals { ) caddy_data_filesystem = { - device = "/dev/disk/by-id/dm-name-encrypted-${local.caddy_data_volume_name}" - format = "ext4" - label = local.caddy_data_volume_name + device = "/dev/disk/by-id/dm-name-encrypted-${local.caddy_data_volume_name}" + format = "ext4" + label = local.caddy_data_volume_name wipeFilesystem = false } nextcloud_data_filesystem = { - device = "/dev/disk/by-id/dm-name-encrypted-${local.nextcloud_data_volume_name}" - format = "ext4" - label = local.nextcloud_data_volume_name + device = "/dev/disk/by-id/dm-name-encrypted-${local.nextcloud_data_volume_name}" + format = "ext4" + label = local.nextcloud_data_volume_name wipeFilesystem = false } postgres_data_filesystem = { - device = "/dev/disk/by-id/dm-name-encrypted-${local.postgres_data_volume_name}" - format = "ext4" - label = local.postgres_data_volume_name + device = "/dev/disk/by-id/dm-name-encrypted-${local.postgres_data_volume_name}" + format = "ext4" + label = local.postgres_data_volume_name wipeFilesystem = false } valkey_data_filesystem = { - device = "/dev/disk/by-id/dm-name-encrypted-${local.valkey_data_volume_name}" - format = "ext4" - label = local.valkey_data_volume_name + device = "/dev/disk/by-id/dm-name-encrypted-${local.valkey_data_volume_name}" + format = "ext4" + label = local.valkey_data_volume_name wipeFilesystem = false options = [ "-E", "root_owner=999:999", @@ -191,20 +191,20 @@ locals { } hostname_file = { - path = "/etc/hostname" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 + path = "/etc/hostname" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 contents = { source = "data:text/plain,nextcloud" } } hosts_file = { - path = "/etc/hosts" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 + path = "/etc/hosts" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 append = [ { source = format( 
@@ -479,7 +479,7 @@ locals { templatefile( "${path.module}/files/Caddyfile.tftpl", { - nextcloud_domain = var.nextcloud_domain + nextcloud_domain = var.nextcloud_domain nextcloud_container_name = local.nextcloud_container_name } ) @@ -500,7 +500,7 @@ locals { templatefile( "${path.module}/files/postgres.env.tftpl", { - postgres_user_name = "nextcloud" + postgres_user_name = "nextcloud" postgres_database_name = "nextcloud" } ) @@ -517,10 +517,10 @@ locals { } php_fpm_config_file = { - path = "/opt/php/www.conf" - user = {id = 0} - group = {id = 0} - mode = 420 # 0644 + path = "/opt/php/www.conf" + user = { id = 0 } + group = { id = 0 } + mode = 420 # 0644 contents = { source = format( "data:text/plain;base64,%s", @@ -542,6 +542,22 @@ locals { ) } + nextcloud_cronjob_service_unit = { + name = "nextcloud-cronjob.service" + contents = templatefile( + "${path.module}/files/nextcloud-cronjob.service.tftpl", + { + nextcloud_container_name = local.nextcloud_container_name + } + ) + } + + nextcloud_cronjob_timer_unit = { + name = "nextcloud-cronjob.timer" + enabled = true + contents = file("${path.module}/files/nextcloud-cronjob.timer") + } + ignition_config = { ignition = { version = "3.5.0" @@ -589,6 +605,8 @@ locals { systemd = { units = [ local.generate_secrets_systemd_unit, + local.nextcloud_cronjob_service_unit, + local.nextcloud_cronjob_timer_unit, ] } passwd = { diff --git a/modules/nextcloud/variables.tf b/modules/nextcloud/variables.tf index 6b54de2..739e053 100644 --- a/modules/nextcloud/variables.tf +++ b/modules/nextcloud/variables.tf @@ -14,7 +14,7 @@ variable "nextcloud_trusted_domains" { } variable "reverse_proxy_ip_address" { - type = string + type = string nullable = false } @@ -25,6 +25,6 @@ variable "luks_passphrase" { } variable "luks_use_tpm2" { - type = bool + type = bool nullable = false } diff --git a/outputs.tf b/outputs.tf index e6fe28d..67ea32b 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -7,6 +7,6 @@ output "caddy_config" { } output "nextcloud_config" { - value = module.nextcloud_config.config + value = module.nextcloud_config.config sensitive = true }