Allow nextcloud to be reached over internal SSL

This removes the need for a custom config, and means traefik is proxying HTTP2, which is nice

ansible/roles/intersect-docker/files/nextcloud/default.conf

@@ -1,89 +0,0 @@
-upstream php-handler {
-    server 127.0.0.1:9000;
-}
-#server {
-#    listen 80;
-#    listen [::]:80;
-#    server_name _;
-#    return 301 https://$host$request_uri;
-#}
-server {
-    #listen 443 ssl http2;
-    #listen [::]:443 ssl http2;
-    listen 80;
-    server_name _;
-    #ssl_certificate /config/keys/cert.crt;
-    #ssl_certificate_key /config/keys/cert.key;
-    add_header X-Content-Type-Options nosniff;
-    add_header X-XSS-Protection "1; mode=block";
-    add_header X-Robots-Tag none;
-    add_header X-Download-Options noopen;
-    add_header X-Frame-Options "SAMEORIGIN";
-    add_header X-Permitted-Cross-Domain-Policies none;
-    add_header Referrer-Policy no-referrer;
-    add_header Strict-Transport-Security "max-age=15768000;";
-    fastcgi_hide_header X-Powered-By;
-    root /config/www/nextcloud/;
-    location = /robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-    location = /.well-known/carddav {
-      return 301 https://$host/remote.php/dav;
-    }
-    location = /.well-known/caldav {
-      return 301 https://$host/remote.php/dav;
-    }
-    client_max_body_size 10G;
-    fastcgi_buffers 64 4K;
-    gzip on;
-    gzip_vary on;
-    gzip_comp_level 4;
-    gzip_min_length 256;
-    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-    location / {
-        rewrite ^ /index.php;
-    }
-    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
-        deny all;
-    }
-    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
-        deny all;
-    }
-    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|ocm-provider\/.+)\.php(?:$|\/) {
-        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
-        try_files $fastcgi_script_name =404;
-        include /etc/nginx/fastcgi_params;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_param PATH_INFO $fastcgi_path_info;
-        fastcgi_param HTTPS on;
-        fastcgi_param modHeadersAvailable true;
-        fastcgi_param front_controller_active true;
-        fastcgi_pass php-handler;
-        fastcgi_intercept_errors on;
-        fastcgi_request_buffering off;
-    }
-
-    location ~ ^\/(?:updater|ocs-provider|ocm-provider)(?:$|\/) {
-        try_files $uri/ =404;
-        index index.php;
-    }
-    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
-        try_files $uri /index.php$request_uri;
-        add_header Cache-Control "public, max-age=15778463";
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header X-Robots-Tag none;
-        add_header X-Download-Options noopen;
-        add_header X-Frame-Options "SAMEORIGIN";
-        add_header X-Permitted-Cross-Domain-Policies none;
-        add_header Referrer-Policy no-referrer;
-        access_log off;
-    }
-    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
-        try_files $uri /index.php$request_uri;
-        access_log off;
-    }
-}

ansible/roles/intersect-docker/files/nextcloud/docker-compose.yml

@@ -11,7 +11,6 @@ services:
     volumes:
       - ./nextcloud/config:/config/www/nextcloud/config
       - ./nextcloud/apps:/config/www/nextcloud/apps
-      - ./nextcloud/nginx-default.conf:/config/nginx/site-confs/default
       - /srv/nextcloud-data/data:/data
       - /opt/gitea/repos:/repos:ro
       - /mnt/media:/content:ro
@@ -22,6 +21,8 @@ services:
       - "traefik.enable=true"
       - "traefik.http.routers.nextcloud.rule=Host(`intersect.jakehoward.tech`)"
       - "traefik.http.routers.nextcloud.tls.certresolver=le"
+      - "traefik.http.services.nextcloud-nextcloud.loadbalancer.server.port=443"
+      - "traefik.http.services.nextcloud-nextcloud.loadbalancer.server.scheme=https"
 
   db:
     image: postgres:12-alpine

ansible/roles/intersect-docker/tasks/nextcloud.yml

@@ -35,15 +35,6 @@
   register: config_file
   become: true
 
-- name: Install nextcloud custom nginx config
-  template:
-    src: files/nextcloud/default.conf
-    dest: /opt/nextcloud/nextcloud/nginx-default.conf
-    mode: "{{ docker_compose_file_mask }}"
-    owner: "{{ docker_user.name }}"
-  register: nginx_config
-  become: true
-
 - name: Cycle nextcloud container
   docker_compose:
     project_src: /opt/nextcloud
@@ -51,7 +42,7 @@
     remove_orphans: true
     remove_volumes: true
     state: "{{ item }}"
-  when: compose_file.changed or config_file.changed or nginx_config.changed
+  when: compose_file.changed or config_file.changed
   loop:
     - absent
     - present

ansible/roles/traefik/files/docker-compose.yml

@@ -4,7 +4,6 @@ services:
   traefik:
     container_name: traefik
     image: traefik:v2.2.1
-    # command: "--log.level=DEBUG"
     network_mode: host
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro

ansible/roles/traefik/files/traefik.yml

@@ -36,3 +36,6 @@ certificatesResolvers:
       storage: /etc/traefik/acme.json
       httpChallenge:
         entryPoint: web
+
+serversTransport:
+  insecureSkipVerify: true