added ansible script

2026-02-16 23:40:30 +01:00
parent e6e444fff7
commit 8925d9677e
86 changed files with 15476 additions and 1911 deletions
--- a/ansible/roles/caddy/templates/Caddyfile.j2
+++ b/ansible/roles/caddy/templates/Caddyfile.j2
@@ -0,0 +1,128 @@
+# Caddyfile - Generated by Ansible
+# Domain: {{ domain }}
+
+# Global options
+{
+    email {{ user_email }}
+}
+
+# ===== PUBLIC SERVICES =====
+
+# Nextcloud
+{{ subdomain_nextcloud }}.{{ domain }} {
+    reverse_proxy next:80
+    
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        X-Content-Type-Options nosniff
+        X-Frame-Options SAMEORIGIN
+        Referrer-Policy no-referrer
+        X-XSS-Protection "1; mode=block"
+        -Server
+    }
+    
+    redir /.well-known/carddav /remote.php/dav 301
+    redir /.well-known/caldav /remote.php/dav 301
+    redir /.well-known/webfinger /index.php/.well-known/webfinger 301
+    redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
+    
+    request_body {
+        max_size 10GB
+    }
+}
+
+# OnlyOffice Document Server
+{{ subdomain_office }}.{{ domain }} {
+    reverse_proxy onlyoffice:80
+    
+    request_body {
+        max_size 100MB
+    }
+    
+    header {
+        Strict-Transport-Security "max-age=31536000"
+        -Server
+    }
+}
+
+# Excalidraw
+{{ subdomain_draw }}.{{ domain }} {
+    reverse_proxy excalidraw:80
+    
+    header {
+        Strict-Transport-Security "max-age=31536000"
+        -Server
+    }
+}
+
+# Obsidian
+{{ subdomain_notes }}.{{ domain }} {
+    reverse_proxy obsidian:3000
+    
+    header {
+        Strict-Transport-Security "max-age=31536000"
+        -Server
+    }
+}
+
+# ===== TAILSCALE-ONLY SERVICES =====
+
+# Homarr Dashboard
+{{ subdomain_homarr }}.{{ domain }} {
+    @tailscale {
+        remote_ip 100.64.0.0/10
+    }
+    
+    handle @tailscale {
+        reverse_proxy homarr:7575
+    }
+    
+    handle {
+        respond "Access Denied - Tailscale Required" 403
+        abort
+    }
+}
+
+# Dockhand Container Manager
+{{ subdomain_dockhand }}.{{ domain }} {
+    @tailscale {
+        remote_ip 100.64.0.0/10
+    }
+    
+    handle @tailscale {
+        reverse_proxy dockhand:3000
+    }
+    
+    handle {
+        respond "Access Denied - Tailscale Required" 403
+        abort
+    }
+}
+
+# Uptime Kuma Monitoring
+{{ subdomain_uptime }}.{{ domain }} {
+    @tailscale {
+        remote_ip 100.64.0.0/10
+    }
+    
+    handle @tailscale {
+        reverse_proxy uptime-kuma:3001
+    }
+    
+    handle {
+        respond "Access Denied - Tailscale Required" 403
+        abort
+    }
+}
+
+{% if enable_public_status %}
+# Public Status Page
+status.{{ domain }} {
+    reverse_proxy uptime-kuma:3001/status
+    
+    header {
+        Strict-Transport-Security "max-age=31536000"
+        -Server
+    }
+}
+{% endif %}
--- a/ansible/roles/nextcloud_stack/templates/docker-compose.yml.j2
+++ b/ansible/roles/nextcloud_stack/templates/docker-compose.yml.j2
@@ -0,0 +1,229 @@
+services:
+  # ===== DATABASE LAYER =====
+  
+  next-db:
+    image: docker.io/postgres:18
+    container_name: next-db
+    restart: unless-stopped
+    environment:
+      - POSTGRES_DB={{ db_name }}
+      - POSTGRES_USER={{ db_user }}
+      - POSTGRES_PASSWORD={{ db_password }}
+      - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
+    volumes:
+      - pg_data:/var/lib/postgresql/data
+    networks:
+      - nextcloud_network
+    labels:
+      - "com.centurylinklabs.watchtower.enable=false"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U {{ db_user }}"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  next-redis:
+    image: docker.io/redis:7-alpine
+    container_name: next-redis
+    restart: unless-stopped
+    command: redis-server --requirepass {{ redis_password }} --maxmemory 256mb --maxmemory-policy allkeys-lru
+    volumes:
+      - redis_data:/data
+    networks:
+      - nextcloud_network
+    labels:
+      - "com.centurylinklabs.watchtower.enable=false"
+    healthcheck:
+      test: ["CMD", "redis-cli", "--raw", "incr", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  # ===== APPLICATION LAYER =====
+
+  next:
+    image: docker.io/nextcloud:latest
+    container_name: next
+    restart: unless-stopped
+    depends_on:
+      next-db:
+        condition: service_healthy
+      next-redis:
+        condition: service_healthy
+    mem_swappiness: -1
+    environment:
+      - POSTGRES_DB={{ db_name }}
+      - POSTGRES_USER={{ db_user }}
+      - POSTGRES_PASSWORD={{ db_password }}
+      - POSTGRES_HOST=next-db
+      - REDIS_HOST=next-redis
+      - REDIS_HOST_PASSWORD={{ redis_password }}
+      - NEXTCLOUD_TRUSTED_DOMAINS={{ subdomain_nextcloud }}.{{ domain }}
+      - NEXTCLOUD_ADMIN_USER={{ admin_user }}
+      - NEXTCLOUD_ADMIN_PASSWORD={{ admin_password }}
+      - OVERWRITEPROTOCOL=https
+      - OVERWRITEHOST={{ subdomain_nextcloud }}.{{ domain }}
+      - TRUSTED_PROXIES=caddy
+      - PHP_MEMORY_LIMIT=512M
+      - PHP_UPLOAD_LIMIT=10G
+    volumes:
+      - nextcloud_data:/var/www/html
+      - {{ deployment_dir }}/configs/nextcloud:/var/www/html/config:Z
+      - nextcloud_apps:/var/www/html/custom_apps
+    networks:
+      - nextcloud_network
+    labels:
+      - "com.centurylinklabs.watchtower.enable=false"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost/status.php"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  onlyoffice:
+    image: docker.io/onlyoffice/documentserver:latest
+    container_name: onlyoffice
+    restart: unless-stopped
+    environment:
+      - JWT_ENABLED=false
+      - JWT_HEADER=Authorization
+      - JWT_IN_BODY=true
+    volumes:
+      - onlyoffice_data:/var/www/onlyoffice/Data
+      - onlyoffice_logs:/var/log/onlyoffice
+    networks:
+      - nextcloud_network
+    labels:
+      - "com.centurylinklabs.watchtower.monitor-only=true"
+
+  excalidraw:
+    image: docker.io/excalidraw/excalidraw:latest
+    container_name: excalidraw
+    restart: unless-stopped
+    environment:
+      - NODE_ENV=production
+      - TZ={{ timezone }}
+    networks:
+      - nextcloud_network
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+
+  obsidian:
+    image: lscr.io/linuxserver/obsidian:latest
+    container_name: obsidian
+    restart: unless-stopped
+    security_opt:
+      - seccomp:unconfined
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ={{ timezone }}
+    volumes:
+      - {{ deployment_dir }}/data/obsidian/config:/config:z
+      - {{ deployment_dir }}/data/obsidian/vault:/vault:z
+    networks:
+      - nextcloud_network
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+    shm_size: "1gb"
+
+  # ===== INFRASTRUCTURE LAYER =====
+
+  caddy:
+    image: docker.io/caddy:latest
+    container_name: caddy
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+    volumes:
+      - {{ deployment_dir }}/configs/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
+      - caddy_data:/data
+      - caddy_config:/config
+    environment:
+      - DOMAIN={{ domain }}
+      - EMAIL={{ user_email }}
+    networks:
+      - nextcloud_network
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+
+  homarr:
+    image: ghcr.io/homarr-labs/homarr:latest
+    container_name: homarr
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - {{ deployment_dir }}/data/homarr:/appdata
+    environment:
+      - SECRET_ENCRYPTION_KEY={{ homarr_secret }}
+      - TZ={{ timezone }}
+    networks:
+      - nextcloud_network
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+
+  dockhand:
+    image: fnsys/dockhand:latest
+    container_name: dockhand
+    restart: unless-stopped
+    ports:
+      - "3003:3000"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - dockhand_data:/app/data
+    networks:
+      - nextcloud_network
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+
+  uptime-kuma:
+    image: louislam/uptime-kuma:latest
+    container_name: uptime-kuma
+    restart: unless-stopped
+    volumes:
+      - uptime_kuma_data:/app/data
+    environment:
+      - TZ={{ timezone }}
+    networks:
+      - nextcloud_network
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+
+  watchtower:
+    image: containrrr/watchtower:latest
+    container_name: watchtower
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - WATCHTOWER_CLEANUP=true
+      - WATCHTOWER_LABEL_ENABLE=true
+      - WATCHTOWER_POLL_INTERVAL=86400
+      - WATCHTOWER_ROLLING_RESTART=true
+      - WATCHTOWER_INCLUDE_RESTARTING=true
+      - TZ={{ timezone }}
+    networks:
+      - nextcloud_network
+
+# ===== PERSISTENT STORAGE =====
+
+volumes:
+  pg_data:
+  redis_data:
+  nextcloud_data:
+  nextcloud_apps:
+  onlyoffice_data:
+  onlyoffice_logs:
+  caddy_data:
+  caddy_config:
+  dockhand_data:
+  uptime_kuma_data:
+
+# ===== NETWORKING =====
+
+networks:
+  nextcloud_network:
+    name: nextcloud_network
+    driver: bridge
--- a/ansible/roles/nextcloud_stack/templates/env.j2
+++ b/ansible/roles/nextcloud_stack/templates/env.j2
@@ -0,0 +1,31 @@
+# Environment Variables for Nextcloud Stack
+# Generated by Ansible - DO NOT EDIT MANUALLY
+
+# Database Configuration
+DB_NAME={{ db_name }}
+DB_USER={{ db_user }}
+DB_PASSWORD={{ db_password }}
+DB_HOST=next-db
+
+# Redis Configuration
+REDIS_PASSWORD={{ redis_password }}
+
+# Nextcloud Admin
+NEXTCLOUD_ADMIN_USER={{ admin_user }}
+NEXTCLOUD_ADMIN_PASSWORD={{ admin_password }}
+
+# Application Secrets
+HOMARR_SECRET_KEY={{ homarr_secret }}
+
+# Domain Configuration
+DOMAIN={{ domain }}
+SUBDOMAIN_NEXTCLOUD={{ subdomain_nextcloud }}
+SUBDOMAIN_OFFICE={{ subdomain_office }}
+
+# User Configuration
+USER_EMAIL={{ user_email }}
+TIMEZONE={{ timezone }}
+
+# UIDs/GIDs
+PUID=1000
+PGID=1000