Owncloud service setup

proxy_resources/etc/wireguard/wg0.conf

@@ -67,6 +67,12 @@ PublicKey = {{ penpot_service_pubkey }}
 AllowedIPs = 10.0.0.11/32
 PersistentKeepalive = 25
 
+# Owncloud Service
+[Peer]
+PublicKey = {{ owncloud_service_pubkey }}
+AllowedIPs = 10.0.0.12/32
+PersistentKeepalive = 25
+
 # Connection to backend server for nagios
 [Peer]
 PublicKey = {{ nagios_backend_pubkey }}

serversecrets.example

@@ -29,6 +29,7 @@ git_service_privkey: temp
 invidious_service_privkey: temp 
 searxng_service_privkey: temp 
 nextcloud_service_privkey: temp 
+owncloud_service_privkey: temp
 matrix_service_privkey: temp 
 minecraft_service_privkey: temp 
 kimai_service_privkey: temp
@@ -43,6 +44,7 @@ git_service_pubkey: temp
 invidious_service_pubkey: temp
 searxng_service_pubkey: temp
 nextcloud_service_pubkey: temp
+owncloud_service_pubkey: temp
 matrix_service_pubkey: temp
 minecraft_service_pubkey: temp
 kimai_service_pubkey: temp

services/service_owncloud/ansible.cfg

@@ -0,0 +1,6 @@
+[defaults]
+inventory = ../../hosts
+
+[privilege_escalation]
+become_method=doas
+become_ask_pass=True

services/service_owncloud/deploy-service.yml

@@ -0,0 +1,27 @@
+- hosts: localhost
+  become: 'yes'
+  vars:
+    ansible_become_method: doas
+  tasks:
+    - name: Create necessary directories
+      ansible.builtin.file:
+        path: "{{ item }}" 
+        owner: service_owncloud
+        group: service_owncloud
+        state: directory
+      loop:
+        - "{{ services_directory }}/service_nextcloud/ocis-data"
+        - "{{ services_directory }}/service_nextcloud/ocis-config"
+        - "{{ services_directory }}/service_nextcloud/ocis-thumbnails"
+    - name: Copy docker compose config and other nextcloud files
+      ansible.builtin.template:
+        src: "{{ item }}" 
+        dest: "{{ services_directory }}/service_owncloud/{{ item }}"
+        owner: 1000
+        group: 1000
+      loop:
+        - docker-compose.yml 
+
+    - name: Debug Finish message
+      debug:
+        msg: Ansible playbook has finished!

services/service_owncloud/docker-compose.yml

@@ -0,0 +1,69 @@
+services:
+
+  # Gluetun is used to connect container to VPN
+  ocis-gluetun:
+    image: qmcgaw/gluetun
+    cap_add:
+      - NET_ADMIN
+    environment:
+      - VPN_SERVICE_PROVIDER=custom
+      - VPN_TYPE=wireguard
+      - VPN_ENDPOINT_IP={{ proxy_server_ip }}
+      - VPN_ENDPOINT_PORT={{ proxy_server_vpn_port }}
+      - WIREGUARD_PUBLIC_KEY={{ vpn_server_pubkey }}
+      - WIREGUARD_PRIVATE_KEY={{ owncloud_service_privkey }}
+      - WIREGUARD_ADDRESSES=10.0.0.12/32
+      - FIREWALL_VPN_INPUT_PORTS=9200
+      - FIREWALL_INPUT_PORTS=9200
+    ports:
+      - "9200:9200"
+    deploy:
+      resources:
+        limits:
+          cpus: '0.10'
+          memory: 512M
+
+  ocis:
+    network_mode: "service:ocis-gluetun"
+    image: owncloud/ocis:latest
+    user: 1000:1000
+    entrypoint:
+      - /bin/sh
+    # run ocis init to initialize a configuration file with random secrets
+    # it will fail on subsequent runs, because the config file already exists
+    # therefore we ignore the error and then start the ocis server
+    command: ["-c", "ocis init || true; ocis server"]
+    environment:
+      OCIS_URL: "https://owncloud.{{ domain_name }}"
+      OCIS_LOG_LEVEL: error # make oCIS less verbose
+      PROXY_TLS: false # do not use SSL between reverse proxy and oCIS
+      OCIS_INSECURE: true
+      # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
+      PROXY_ENABLE_BASIC_AUTH: false
+      # admin user password
+      IDM_ADMIN_PASSWORD: "{{ service_owncloud_admin_pass }}" # this overrides the admin password from the configuration file
+      # make settings service available to oCIS Hello
+      SETTINGS_GRPC_ADDR: 0.0.0.0:9191
+      GATEWAY_GRPC_ADDR: 0.0.0.0:9142 # make the REVA gateway accessible to the app drivers
+      # email server (if configured)
+      # NOTIFICATIONS_SMTP_HOST: "xxxxxx"
+      # NOTIFICATIONS_SMTP_PORT: "xxxx"
+      # NOTIFICATIONS_SMTP_SENDER: "xxxxx"
+      # NOTIFICATIONS_SMTP_USERNAME: "xxxxxxxx"
+      # NOTIFICATIONS_SMTP_INSECURE: "xxxxxxx"
+      # PROXY_TLS is set to "false", the download url has no https
+      STORAGE_USERS_DATA_GATEWAY_URL: http://ocis:9200/data
+      # separate directory for thumbnails
+      THUMBNAILS_FILESYSTEMSTORAGE_ROOT: /var/lib/ocis-thumbnails
+    volumes:
+      - ./ocis-config:/etc/ocis
+      - ./ocis-data:/var/lib/ocis
+      - ./ocis-thumbnails:/var/lib/ocis-thumbnails
+    logging:
+      driver: "local"
+    restart: always
+    deploy:
+      resources:
+        limits:
+          cpus: '0.25'
+          memory: 512M

services/service_owncloud/prox-deploy-service.yml

@@ -0,0 +1,22 @@
+- hosts: 
+    - "{{ proxy_server_hostname }}"
+      #    - "{{ proxy_server_hostname }}"-defaultport
+  become: 'yes'
+  vars:
+    ansible_become_method: doas
+  tasks:
+    # Ensure NGinx site reverse proxy configuration is updated
+    - name: Ensure all NGinx site configurations are updated
+      template:
+        src: proxy_resources/etc/nginx/sites-available/owncloud.domain
+        dest: "/etc/nginx/sites-available/owncloud.{{ domain_name }}"
+    - name: Ensure NGinx site reverse proxy configuration is enabled      
+      ansible.builtin.file:
+        src: "/etc/nginx/sites-available/owncloud.{{ domain_name }}"
+        dest: "/etc/nginx/sites-enabled/owncloud.{{ domain_name }}"
+        state: link
+
+    - name: Debug Finish message
+      debug:
+        msg: Ansible playbook has finished!
+

services/service_owncloud/proxy_resources/etc/nginx/sites-available/owncloud.domain

@@ -0,0 +1,51 @@
+# {{ ansible_managed }}
+
+server {
+
+	server_name owncloud.{{ domain_name }} www.owncloud.{{ domain_name }};
+
+	client_max_body_size 0;
+    	underscores_in_headers on;
+
+	location / {
+		proxy_pass http://10.0.0.12:9200;
+		proxy_set_header Host $host;
+        	proxy_set_header X-Real-IP $remote_addr;
+        	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        	proxy_set_header X-Forwarded-Proto $scheme;
+        	add_header Front-End-Https on;
+		add_header Strict-Transport-Security "max-age=15552000; includeSubDomains"; 
+
+        	proxy_headers_hash_max_size 512;
+        	proxy_headers_hash_bucket_size 64;
+
+        	proxy_buffering off;
+        	proxy_redirect off;
+        	proxy_max_temp_file_size 0;
+	}
+
+    	listen [::]:443 ssl; # managed by Certbot
+    	listen 443 ssl; # managed by Certbot
+    	ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem; # managed by Certbot
+    	ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem; # managed by Certbot
+    	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+    if ($host = www.owncloud.{{ domain_name }}) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    if ($host = owncloud.{{ domain_name }}) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+        listen 80;
+        listen [::]:80;
+
+        server_name owncloud.{{ domain_name }} www.owncloud.{{ domain_name }};
+    return 404; # managed by Certbot
+}

services/service_owncloud/servicesecrets.example

@@ -0,0 +1,2 @@
+# Example service secrets for owncloud docker service, to be encrypted with ansible vault and called servicesecrets.enc
+service_owncloud_admin_pass: ***