Merge remote-tracking branch 'refs/remotes/origin/master'

r/nextcloud: Fix a bunch of deployment warnings
The Nextcloud administration overview page listed a bunch of deployment configuration warnings that needed to be addressed: * Set the default phone region * Define a maintenance window starting at 0600 UTC * Increase the PHP memory limit to 1GiB * Increase the PHP OPCache interned strings buffer size * Increase the allowed PHP OPcache memory limit * Fix Apache rewrite rules for /.well-known paths
2025-08-23 22:43:00 -05:00 · 2025-08-23 22:39:44 -05:00 · 2025-08-23 22:29:28 -05:00 · 2025-08-23 22:21:54 -05:00 · 2025-08-23 20:44:41 -05:00 · 2025-08-16 08:55:28 -05:00
11 changed files with 80 additions and 48 deletions
--- a/group_vars/dch-proxy.yml
+++ b/group_vars/dch-proxy.yml
@ -54,7 +54,7 @@ dch_proxy_sites:
  matcher: dom
 - backend: kubernetes
  match: ntfy.pyrocufflink.net
- backend: kubernetes
+- backend: web
  match: darkchestofwonders.us
 - backend: kubernetes
  match: invoiceninja.pyrocufflink.net
@ -62,6 +62,9 @@ dch_proxy_sites:
  match: dynk8s-provisioner.pyrocufflink.net
 - backend: kubernetes
  match: metrics.pyrocufflink.blue
 - backend: kubernetes
  match: auth.pyrocufflink
  matcher: dom
 dch_proxy_backends:
  bitwarden:
@ -136,4 +139,4 @@ dch_proxy_backends:
    servers:
    - name: web0
      host: 'web0.pyrocufflink.blue:443'
-      options: check
+      options: check send-proxy
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@ -36,6 +36,15 @@
    group: apache
  tags:
  - config
 - name: ensure php is configured for nextcloud
  template:
    src: php.ini.j2
    dest: /etc/php.d/60-nextcloud.ini
    mode: '0644'
  notify:
  - restart php-fpm
  tags:
  - php-config
 - name: ensure php-fpm is configured for nextcloud
  template:
--- a/roles/nextcloud/templates/config.php.j2
+++ b/roles/nextcloud/templates/config.php.j2
@ -47,6 +47,8 @@ $CONFIG = array (
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'maintenance' => {{ nextcloud_maintenance|bool|string|lower }},
  'maintenance_window_start' => 6,
  'default_phone_region' => 'US',
  'theme' => '',
  'trashbin_retention_obligation' => 'auto, 30',
  'loglevel' => 2,
--- a/roles/nextcloud/templates/nextcloud.httpd.conf.j2
+++ b/roles/nextcloud/templates/nextcloud.httpd.conf.j2
@ -19,6 +19,10 @@ Dav off
 <IfModule mod_rewrite.c>
  Options -MultiViews
  RewriteRule ^\.well-known/carddav /remote.php/dav [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav [R=301,L]
  RewriteRule ^\.well-known/webfinger /index.php/.well-known/webfinger [R=301,L]
  RewriteRule ^\.well-known/nodeinfo /index.php/.well-known/nodeinfo [R=301,L]
  RewriteRule ^core/js/oc.js$ index.php [PT,E=PATH_INFO:$1]
  RewriteRule ^core/preview.png$ index.php [PT,E=PATH_INFO:$1]
  RewriteCond %{REQUEST_FILENAME} !\.(css|js|mjs|svg|gif|png|html|ttf|woff2?|ico|jpg|jpeg|map|webm|mp4)$
@ -56,7 +60,3 @@ Require all granted
 <Directory /var/lib/nextcloud/data/>
 Require all granted
 </Directory>
 Redirect 301 /.well-known/carddav /remote.php/carddav
 Redirect 301 /.well-known/caldav /remote.php/caldav
 Redirect 301 /.well-known/webdav /remote.php/webdav
--- a/roles/nextcloud/templates/php.ini.j2
+++ b/roles/nextcloud/templates/php.ini.j2
@ -0,0 +1,4 @@
 apc.enable_cli=1
 memory_limit=1024M
 opcache.interned_strings_buffer=100
 opcache.memory_consumption=256
--- a/roles/nextcloud/templates/www.php-fpm.conf.j2
+++ b/roles/nextcloud/templates/www.php-fpm.conf.j2
@ -423,7 +423,7 @@ slowlog = /var/log/php-fpm/www-slow.log
 ;php_flag[display_errors] = off
 php_admin_value[error_log] = /var/log/php-fpm/www-error.log
 php_admin_flag[log_errors] = on
-php_admin_value[memory_limit] = 512M
+;php_admin_value[memory_limit] = 512M
 ; Set the following data paths to directories owned by the FPM process user.
 ;
--- a/roles/websites/darkchestofwonders.us/meta/main.yml
+++ b/roles/websites/darkchestofwonders.us/meta/main.yml
@ -1,9 +0,0 @@
 dependencies:
 - role: cert
  vars:
    cert_src: websites/darkchestofwonders.us.cer
    cert_dest: /etc/pki/tls/certs/darkchestofwonders.us.cer
    cert_key_src: websites/darkchestofwonders.us.key
    cert_key_dest: /etc/pki/tls/private/darkchestofwonders.us.key
  tags:
  - websites/darkchestofwonders.us
--- a/roles/websites/darkchestofwonders.us/tasks/main.yml
+++ b/roles/websites/darkchestofwonders.us/tasks/main.yml
@ -1,3 +1,49 @@
 - name: ensure rsync is installed
  package:
    name: rsync
    state: present
  tags:
  - install
 - name: ensure app group exists
  group:
    name: webapp.dcow
    state: present
 - name: ensure app user exists
  user:
    name: webapp.dcow
    group: webapp.dcow
    home: /srv/www/darkchestofwonders.us
    createhome: true
    state: present
 - name: ensure app home directory permissions are set
  file:
    path: /srv/www/darkchestofwonders.us
    mode: u=rwx,go=rx
    state: directory
 - name: ensure app ssh home directory exists
  file:
    path: /srv/www/darkchestofwonders.us/.ssh
    mode: '0700'
    owner: webapp.dcow
    group: webapp.dcow
    setype: ssh_home_t
    state: directory
 - name: ensure publisher keys are trusted
  authorized_key:
    key: "{{ dcow_publisher_keys|join('\n') }}"
    user: webapp.dcow
    exclusive: true
 - name: ensure authorized_keys file permissions are correct
  file:
    path: /srv/www/darkchestofwonders.us/.ssh/authorized_keys
    mode: u=rw,go=
    owner: webapp.dcow
    group: webapp.dcow
    setype: ssh_home_t
 - name: ensure apache is configured to serve darkchestofwonders.us
  template:
    src=darkchestofwonders.us.httpd.conf.j2
--- a/roles/websites/darkchestofwonders.us/templates/darkchestofwonders.us.httpd.conf.j2
+++ b/roles/websites/darkchestofwonders.us/templates/darkchestofwonders.us.httpd.conf.j2
@ -1,9 +1,5 @@
-WSGIDaemonProcess dcow \
+# vim: set ft=apache :
-	user=webapp.dcow \
+MDomain darkchestofwonders.us
 	group=webapp.dcow \
 	python-home=/srv/www/darkchestofwonders.us/venv \
 	lang=en_US.UTF-8 \
 	display-name=%{GROUP}
 <VirtualHost _default_:80>
 ServerName darkchestofwonders.us
@ -16,34 +12,13 @@ RewriteRule (.*) https://%{SERVER_NAME}$1 [R=301,L]
 ServerName darkchestofwonders.us
 Include conf.d/ssl.include
 SSLCertificateKeyFile /etc/pki/tls/private/darkchestofwonders.us.key
 SSLCertificateFile /etc/pki/tls/certs/darkchestofwonders.us.cer
 <IfModule mod_headers.c>
 	Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
 </IfModule>
-ProxyRequests off
+DocumentRoot /srv/www/darkchestofwonders.us/htdocs
-
+<Directory /srv/www/darkchestofwonders.us/htdocs>
 ProxyPass / http://k8s-ingress.pyrocufflink.blue/
 ProxyPassReverse / http://k8s-ingress.pyrocufflink.blue/
 ProxyPreserveHost on
 <Location />
 	Require all granted
-</Location>
+</Directory>
 <Location /upload>
 <IfModule auth_gssapi_module>
 	AuthType GSSAPI
 	AuthName "{{ krb5_realm|lower }} Domain Authentication"
 	#KrbServiceName HTTP/{{ ansible_fqdn }}@{{ krb5_realm }}
 	GssapiCredStore keytab:/etc/httpd/httpd.keytab
 	GssapiBasicAuth On
 	Require valid-user
 </IfModule>
 <IfModule !auth_kerb_module>
 	Require all denied
 </IfModule>
 </Location>	
 </VirtualHost>
--- a/roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf
+++ b/roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf
@ -11,6 +11,8 @@ RewriteRule (.*) https://%{SERVER_NAME}$1 [R=301,L]
 <VirtualHost _default_:443>
 ServerName dustin.hatch.name
 RemoteIPProxyProtocol On
 Include conf.d/ssl.include
 <IfModule mod_headers.c>
--- a/websites.yml
+++ b/websites.yml
@ -6,8 +6,6 @@
  - role: mod_md
    tags:
    - mod_md
  - role: formsubmit
    tags: formsubmit
  - role: websites/pyrocufflink.net
    tags: websites/pyrocufflink.net
  - role: websites/dustin.hatch.name
@ -16,6 +14,8 @@
    tags: websites/ebonfire.com
  - role: websites/nratonpass.com
    tags: websites/nratonpass.com
  - role: websites/darkchestofwonders.us
    tags: websites/darkchestofwonders.us
  - role: websites/chmod777.sh
    tags: websites/chmod777.sh
  - role: websites/apps.du5t1n.xyz
Author	SHA1	Message	Date
Dustin	1a3f68e18b	Merge remote-tracking branch 'refs/remotes/origin/master'	2025-08-23 22:43:00 -05:00
Dustin	1c1bff3ec0	r/nextcloud: Fix a bunch of deployment warnings The Nextcloud administration overview page listed a bunch of deployment configuration warnings that needed to be addressed: * Set the default phone region * Define a maintenance window starting at 0600 UTC * Increase the PHP memory limit to 1GiB * Increase the PHP OPCache interned strings buffer size * Increase the allowed PHP OPcache memory limit * Fix Apache rewrite rules for /.well-known paths	2025-08-23 22:39:44 -05:00
Dustin	6cd576dd2b	dch-proxy: Proxy for Authelia Authelia is now exposed to the public Internet, under the name _auth.pyrocufflink.net_, which allows it to protect public websites as well.	2025-08-23 22:29:28 -05:00
Dustin	70909d1b13	websites: Enable PROXY protocol for HTTPS sites Since the reverse proxy does TLS pass-through instead of termination, the original source address is lost. Since the source address is important for logging, rate limiting, and access control, we need to use the HAProxy PROXY protocol to pass it along to the web server. Since the PROXY protocol works at the TCP layer, _all_ connections must use it. Fortunately, all of the sites hosted by the public web server are in fact public and only accessed through HAProxy. Similarly, enabling it for one named virtual host enables it for all virtual hosts on that port. Thus, we only have to explicitly set it for one site, and all the rest will use it as well.	2025-08-23 22:21:54 -05:00
Dustin	717a8f90c6	websites: Remove formsubmit Nothing is using _formsubmit_ right now, but it's been moved to Kubernetes anyway.	2025-08-23 20:44:41 -05:00
Dustin	f8d58ef0ed	websites/dcow: Transition to static site We don't really use this site for screenshot sharing any more. It's cool to keep to look at old screenshots, so I've saved a static snapshot of it that can be hosted by plain ol' Apache.	2025-08-16 08:55:28 -05:00