joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bfd6f22f0e2f81d0e027ea55161053eb9db3d403
rick-infra/roles/nextcloud/templates/nextcloud.caddy.j2
Joakim 846ab74f87 Fix Nextcloud DNS resolution and implement systemd cron for background jobs 
- Enable IP forwarding in security playbook (net.ipv4.ip_forward = 1)
- Add podman network firewall rules to fix container DNS/HTTPS access
- Implement systemd timer for reliable Nextcloud background job execution
- Add database optimization tasks (indices, bigint conversion, mimetypes)
- Configure maintenance window (04:00 UTC) and phone region (NO)
- Add security headers (X-Robots-Tag, X-Permitted-Cross-Domain-Policies)
- Create Nextcloud removal playbook for clean uninstall
- Fix nftables interface matching (podman0 vs podman+)

Root cause: nftables FORWARD chain blocked container egress traffic
Solution: Explicit firewall rules for podman0 bridge interface
2025-12-20 19:51:26 +01:00

76 lines
2.7 KiB
Django/Jinja
Raw Blame History

# Nextcloud Cloud Storage Service
# Caddy reverse proxy to FPM container with FastCGI transport
# Based on official Caddy php_fastcgi Docker example and Nextcloud NGINX config
{{ nextcloud_domain }} {
# Caddy root - host path where static files exist for serving
# This allows Caddy to find files to serve directly (CSS, JS, images)
root * {{ nextcloud_html_dir }}
# .well-known redirects for CalDAV/CardDAV (must be before php_fastcgi)
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
# Handle .well-known requests that aren't explicitly redirected above
# Let Nextcloud's API handle all other /.well-known/* URIs
redir /.well-known/* /index.php{uri} 301
# Block access to sensitive directories (adapted from NGINX config)
# Match both the directory itself and anything under it
@forbidden {
path /build /build/*
path /tests /tests/*
path /config /config/*
path /lib /lib/*
path /3rdparty /3rdparty/*
path /templates /templates/*
path /data /data/*
path /.* /autotest* /occ* /issue* /indie* /db_* /console*
}
respond @forbidden 404
# PHP-FPM with container root for SCRIPT_FILENAME
# The nested 'root' directive tells FPM where files are in the container
# Per official Caddy docs: https://caddyserver.com/docs/caddyfile/directives/php_fastcgi
php_fastcgi 127.0.0.1:{{ nextcloud_fpm_port }} {
root /var/www/html
env front_controller_active true
env modHeadersAvailable true
}
# Serve static files directly (CSS, JS, images, fonts, etc.)
# Disable index serving to let php_fastcgi handle / and /index.php
# This prevents index.html from being served instead of routing to index.php
file_server {
index off
}
# Security headers (adapted from Nextcloud NGINX config)
header {
# HSTS with preload
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Prevent embedding in frames from other origins
X-Frame-Options "SAMEORIGIN"
# Prevent MIME type sniffing
X-Content-Type-Options "nosniff"
# XSS protection
X-XSS-Protection "1; mode=block"
# Referrer policy
Referrer-Policy "no-referrer"
# Disable FLoC tracking
Permissions-Policy "interest-cohort=()"
# Robot indexing policy
X-Robots-Tag "noindex, nofollow"
# Cross-domain policy
X-Permitted-Cross-Domain-Policies "none"
# Remove server header
-Server
}
# Logging
log {
output file {{ caddy_log_dir }}/nextcloud.log
level INFO
format json
}
}
Reference in New Issue View Git Blame Copy Permalink