add nextcloud cron job, fix spacing and forward XFF

2025-01-30 09:07:25 +01:00 · 2025-01-30 09:07:25 +01:00 · 486b48acb8
commit 486b48acb8
parent ca1c3d8347
7 changed files with 172 additions and 137 deletions
--- a/main.tf
+++ b/main.tf
@ -96,13 +96,13 @@ module "caddy_config" {
 }
 module "nextcloud_config" {
-  source              = "./modules/nextcloud"
+  source                   = "./modules/nextcloud"
-  ssh_authorized_keys = var.ssh_authorized_keys
+  ssh_authorized_keys      = var.ssh_authorized_keys
-  nextcloud_domain    = "nextcloud.broken-by-design.fr"
+  nextcloud_domain         = "nextcloud.broken-by-design.fr"
  reverse_proxy_ip_address = "10.109.0.14"
  nextcloud_trusted_domains = [
    "nextcloud.broken-by-design.fr",
  ]
  luks_passphrase = var.nextcloud_luks_passphrase
-  luks_use_tpm2 = false
+  luks_use_tpm2   = false
 }
--- a/modules/nextcloud/files/Caddyfile.tftpl
+++ b/modules/nextcloud/files/Caddyfile.tftpl
@ -1,102 +1,103 @@
 http://${nextcloud_domain}:80 {
-	redir https://${nextcloud_domain}{uri} permanent
+  redir https://${nextcloud_domain}{uri} permanent
 }
 ${nextcloud_domain}:443 {
-	root * /var/www/html
+  root * /var/www/html
-	encode gzip zstd
+  encode gzip zstd
-    rewrite /ocm-provider/ /index.php
+  rewrite /ocm-provider/ /index.php
-    rewrite /ocs-provider/ /ocs-provider/index.php
+  rewrite /ocs-provider/ /ocs-provider/index.php
-    rewrite /remote /remote.php
+  rewrite /remote /remote.php
-    rewrite /remote/* /remote.php?{query}
+  rewrite /remote/* /remote.php?{query}
-    redir /.well-known/caldav /remote.php/dav 301
+  redir /.well-known/caldav /remote.php/dav 301
-    redir /.well-known/carddav /remote.php/dav 301
+  redir /.well-known/carddav /remote.php/dav 301
-    redir /.well-known/webfinger /index.php/.well-known/webfinger 301
+  redir /.well-known/webfinger /index.php/.well-known/webfinger 301
-    redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
+  redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
-	# .htaccess / data / config / ... shouldn't be accessible from outside
+  # .htaccess / data / config / ... shouldn't be accessible from outside
-	@forbidden {
+  @forbidden {
-        path /.htaccess
+    path /.htaccess
-        path /.xml
+    path /.xml
-        path /console.php
+    path /console.php
-        path /cron.php
+    path /cron.php
-        path /3rdparty/*
+    path /3rdparty/*
-        path /README
+    path /README
-        path /autotest/*
+    path /autotest/*
-        path /build/*
+    path /build/*
-        path /config/*
+    path /config/*
-        path /console/*
+    path /console/*
-        path /data/*
+    path /data/*
-        path /db_*/*
+    path /db_*/*
-        path /db_structure
+    path /db_structure
-        path /indie/*
+    path /indie/*
-        path /issue/*
+    path /issue/*
-        path /lib/*
+    path /lib/*
-        path /occ
+    path /occ
-        path /occ/*
+    path /occ/*
-        path /templates/*
+    path /templates/*
-        path /tests/*
+    path /tests/*
  }
  respond @forbidden 404
  @static {
    method GET HEAD
    not path /index.php*
    not path /apps/theming/composer/*
    not path /apps/theming/lib/*
    not path /apps/theming/templates/*
    not path /apps/theming/theme/*
    not path /js/core/merged-template-prepend.js
    path *.css
    path *.css.map
    path *.gif
    path *.ico
    path *.jpg
    path *.js
    path *.js.map
    path *.json
    path *.mjs
    path *.otf
    path *.png
    path *.svg
    path *.tflite
    path *.wasm
    path *.webp
    path *.woff2
  }
  handle @static {
    header Cache-Control "max-age=604800"
    file_server
  }
  handle * {
    @index_files file {
      try_files {path} {path}/index.php /index.php{path}
      split_path .php
    }
-	respond @forbidden 404
+    rewrite @index_files {file_match.relative}
-
+    php_fastcgi nextcloud:9000 {
-    @static {
+      env PATH /bin
-        method GET HEAD
+      env modHeadersAvailable true
-        not path /index.php*
+      env front_controller_active true
-        not path /apps/theming/composer/*
+      dial_timeout 60s
-        not path /apps/theming/lib/*
+      read_timeout 3600s
-        not path /apps/theming/templates/*
+      write_timeout 300s
-        not path /apps/theming/theme/*
+      header_up X-Forwarded-For {header.X-Forwarded-For} # Keep header from previous "general" reverse proxy
-        not path /js/core/merged-template-prepend.js
+      header_up X-Real-IP {remote_host}
        path *.css
        path *.css.map
        path *.gif
        path *.ico
        path *.jpg
        path *.js
        path *.js.map
        path *.json
        path *.mjs
        path *.otf
        path *.png
        path *.svg
        path *.tflite
        path *.wasm
        path *.webp
        path *.woff2
    }
-	handle @static {
+  header Strict-Transport-Security "max-age=15768000;"
-		header Cache-Control "max-age=604800"
+  header X-Content-Type-Options "nosniff"
-		file_server
+  header X-XSS-Protection "1; mode=block"
-	}
+  header X-Robots-Tag "noindex, nofollow"
  header X-Download-Options "noopen"
  header X-Permitted-Cross-Domain-Policies "none"
  header Referrer-Policy "no-referrer"
  header X-Frame-Options "SAMEORIGIN"
-	handle * {
+  log
-		@index_files file {
+  tls internal
 				try_files {path} {path}/index.php /index.php{path}
 				split_path .php
 		}
 		rewrite @index_files {file_match.relative}
 		php_fastcgi nextcloud:9000 {
 			env PATH /bin
 			env modHeadersAvailable true
 			env front_controller_active true
 			dial_timeout 60s
 			read_timeout 3600s
 			write_timeout 300s
 		}
 	}
 	header Strict-Transport-Security "max-age=15768000;"
    header X-Content-Type-Options "nosniff"
 	header X-XSS-Protection "1; mode=block"
 	header X-Robots-Tag "noindex, nofollow"
 	header X-Download-Options "noopen"
 	header X-Permitted-Cross-Domain-Policies "none"
 	header Referrer-Policy "no-referrer"
 	header X-Frame-Options "SAMEORIGIN"
 	log
 	tls internal
 }
--- a/modules/nextcloud/files/nextcloud-cronjob.service.tftpl
+++ b/modules/nextcloud/files/nextcloud-cronjob.service.tftpl
@ -0,0 +1,7 @@
 [Unit]
 Description=Nextcloud cron.php job
 [Service]
 ExecCondition=/usr/bin/podman exec -ti -u www-data ${nextcloud_container_name} /usr/local/bin/php -f /var/www/html/occ status -ev
 ExecStart=/usr/bin/podman exec -ti -u www-data ${nextcloud_container_name} /usr/local/bin/php -f /var/www/html/cron.php
 KillMode=process
--- a/modules/nextcloud/files/nextcloud-cronjob.timer
+++ b/modules/nextcloud/files/nextcloud-cronjob.timer
@ -0,0 +1,9 @@
 [Unit]
 Description=Run Nextcloud cron.php every 5 minutes
 [Timer]
 OnBootSec=5min
 OnUnitActiveSec=5min
 [Install]
 WantedBy=timers.target
--- a/modules/nextcloud/main.tf
+++ b/modules/nextcloud/main.tf
@ -10,8 +10,8 @@ locals {
  caddyfile_dir_path            = "/opt/caddy"
  caddyfile_file_path           = "${local.caddyfile_dir_path}/Caddyfile"
  postgres_password_secret_name = "postgres-passwd"
-  php_fpm_config_dir_path = "/opt/php"
+  php_fpm_config_dir_path       = "/opt/php"
-  php_fpm_config_file_path = "${local.php_fpm_config_dir_path}/www.conf"
+  php_fpm_config_file_path      = "${local.php_fpm_config_dir_path}/www.conf"
  caddy_data_volume_name     = "caddy-data"
  nextcloud_data_volume_name = "nextcloud-data"
@ -73,9 +73,9 @@ locals {
  caddy_data_luks = merge(
    {
-      name   = "encrypted-${local.caddy_data_volume_name}"
+      name       = "encrypted-${local.caddy_data_volume_name}"
-      device = "${local.data_device_path}1"
+      device     = "${local.data_device_path}1"
-      label  = "encrypted-${local.caddy_data_volume_name}"
+      label      = "encrypted-${local.caddy_data_volume_name}"
      wipeVolume = false
    },
    var.luks_passphrase == "" ? {} : {
@ -95,9 +95,9 @@ locals {
  nextcloud_data_luks = merge(
    {
-      name   = "encrypted-${local.nextcloud_data_volume_name}"
+      name       = "encrypted-${local.nextcloud_data_volume_name}"
-      device = "${local.data_device_path}2"
+      device     = "${local.data_device_path}2"
-      label  = "encrypted-${local.nextcloud_data_volume_name}"
+      label      = "encrypted-${local.nextcloud_data_volume_name}"
      wipeVolume = false
    },
    var.luks_passphrase == "" ? {} : {
@ -117,9 +117,9 @@ locals {
  postgres_data_luks = merge(
    {
-      name   = "encrypted-${local.postgres_data_volume_name}"
+      name       = "encrypted-${local.postgres_data_volume_name}"
-      device = "${local.data_device_path}3"
+      device     = "${local.data_device_path}3"
-      label  = "encrypted-${local.postgres_data_volume_name}"
+      label      = "encrypted-${local.postgres_data_volume_name}"
      wipeVolume = false
    },
    var.luks_passphrase == "" ? {} : {
@ -139,9 +139,9 @@ locals {
  valkey_data_luks = merge(
    {
-      name   = "encrypted-${local.valkey_data_volume_name}"
+      name       = "encrypted-${local.valkey_data_volume_name}"
-      device = "${local.data_device_path}4"
+      device     = "${local.data_device_path}4"
-      label  = "encrypted-${local.valkey_data_volume_name}"
+      label      = "encrypted-${local.valkey_data_volume_name}"
      wipeVolume = false
    },
    var.luks_passphrase == "" ? {} : {
@ -160,30 +160,30 @@ locals {
  )
  caddy_data_filesystem = {
-    device = "/dev/disk/by-id/dm-name-encrypted-${local.caddy_data_volume_name}"
+    device         = "/dev/disk/by-id/dm-name-encrypted-${local.caddy_data_volume_name}"
-    format = "ext4"
+    format         = "ext4"
-    label  = local.caddy_data_volume_name
+    label          = local.caddy_data_volume_name
    wipeFilesystem = false
  }
  nextcloud_data_filesystem = {
-    device = "/dev/disk/by-id/dm-name-encrypted-${local.nextcloud_data_volume_name}"
+    device         = "/dev/disk/by-id/dm-name-encrypted-${local.nextcloud_data_volume_name}"
-    format = "ext4"
+    format         = "ext4"
-    label  = local.nextcloud_data_volume_name
+    label          = local.nextcloud_data_volume_name
    wipeFilesystem = false
  }
  postgres_data_filesystem = {
-    device = "/dev/disk/by-id/dm-name-encrypted-${local.postgres_data_volume_name}"
+    device         = "/dev/disk/by-id/dm-name-encrypted-${local.postgres_data_volume_name}"
-    format = "ext4"
+    format         = "ext4"
-    label  = local.postgres_data_volume_name
+    label          = local.postgres_data_volume_name
    wipeFilesystem = false
  }
  valkey_data_filesystem = {
-    device = "/dev/disk/by-id/dm-name-encrypted-${local.valkey_data_volume_name}"
+    device         = "/dev/disk/by-id/dm-name-encrypted-${local.valkey_data_volume_name}"
-    format = "ext4"
+    format         = "ext4"
-    label  = local.valkey_data_volume_name
+    label          = local.valkey_data_volume_name
    wipeFilesystem = false
    options = [
      "-E", "root_owner=999:999",
@ -191,20 +191,20 @@ locals {
  }
  hostname_file = {
-    path = "/etc/hostname"
+    path  = "/etc/hostname"
-    user = {id = 0}
+    user  = { id = 0 }
-    group = {id = 0}
+    group = { id = 0 }
-    mode = 420 # 0644
+    mode  = 420 # 0644
    contents = {
      source = "data:text/plain,nextcloud"
    }
  }
  hosts_file = {
-    path = "/etc/hosts"
+    path  = "/etc/hosts"
-    user = {id = 0}
+    user  = { id = 0 }
-    group = {id = 0}
+    group = { id = 0 }
-    mode = 420 # 0644
+    mode  = 420 # 0644
    append = [
      {
        source = format(
@ -479,7 +479,7 @@ locals {
          templatefile(
            "${path.module}/files/Caddyfile.tftpl",
            {
-              nextcloud_domain = var.nextcloud_domain
+              nextcloud_domain         = var.nextcloud_domain
              nextcloud_container_name = local.nextcloud_container_name
            }
          )
@ -500,7 +500,7 @@ locals {
          templatefile(
            "${path.module}/files/postgres.env.tftpl",
            {
-              postgres_user_name = "nextcloud"
+              postgres_user_name     = "nextcloud"
              postgres_database_name = "nextcloud"
            }
          )
@ -517,10 +517,10 @@ locals {
  }
  php_fpm_config_file = {
-    path = "/opt/php/www.conf"
+    path  = "/opt/php/www.conf"
-    user = {id = 0}
+    user  = { id = 0 }
-    group = {id = 0}
+    group = { id = 0 }
-    mode = 420 # 0644
+    mode  = 420 # 0644
    contents = {
      source = format(
        "data:text/plain;base64,%s",
@ -542,6 +542,22 @@ locals {
    )
  }
  nextcloud_cronjob_service_unit = {
    name = "nextcloud-cronjob.service"
    contents = templatefile(
      "${path.module}/files/nextcloud-cronjob.service.tftpl",
      {
        nextcloud_container_name = local.nextcloud_container_name
      }
    )
  }
  nextcloud_cronjob_timer_unit = {
    name     = "nextcloud-cronjob.timer"
    enabled  = true
    contents = file("${path.module}/files/nextcloud-cronjob.timer")
  }
  ignition_config = {
    ignition = {
      version = "3.5.0"
@ -589,6 +605,8 @@ locals {
    systemd = {
      units = [
        local.generate_secrets_systemd_unit,
        local.nextcloud_cronjob_service_unit,
        local.nextcloud_cronjob_timer_unit,
      ]
    }
    passwd = {
--- a/modules/nextcloud/variables.tf
+++ b/modules/nextcloud/variables.tf
@ -14,7 +14,7 @@ variable "nextcloud_trusted_domains" {
 }
 variable "reverse_proxy_ip_address" {
-  type = string
+  type     = string
  nullable = false
 }
@ -25,6 +25,6 @@ variable "luks_passphrase" {
 }
 variable "luks_use_tpm2" {
-  type = bool
+  type     = bool
  nullable = false
 }
--- a/outputs.tf
+++ b/outputs.tf
@ -7,6 +7,6 @@ output "caddy_config" {
 }
 output "nextcloud_config" {
-  value = module.nextcloud_config.config
+  value     = module.nextcloud_config.config
  sensitive = true
 }