commit 74549a46d3b5278a9b85dbd72c36456bf3525485 Author: thiuda Date: Fri Jan 27 12:27:13 2023 +0100 init diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..2aea330 --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,3 @@ +--- +skip_list: + - fqcn-builtins diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..eaa78e2 --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,8 @@ +--- +collabora_prefix: doc +collabora_image: collabora/code +collabora_version: 22.05.9.3.1 +collabora_container_hostname: collabora +collabora_port: 9980 +collabora_admin: testuser +collabora_secret: test123 diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..a10696b --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,13 @@ +--- +galaxy_info: + author: thiuda + description: role to deploy collabora behind nginx reverse proxy + company: progressivwerk + license: MIT + min_ansible_version: 2.1 + galaxy_tags: [] + platforms: + - name: Debian + versions: + - 10 +dependencies: [] diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..7c158b6 --- /dev/null +++ b/tasks/main.yml 
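Review bot: `collabora_admin: testuser` and `collabora_secret: test123` in defaults/main.yml ship working admin-console credentials with the role, and role defaults are the lowest-precedence variable layer, so any play that forgets to override them deploys a guessable password on an admin websocket that the nginx template in this same commit exposes publicly (`/cool/adminws`). Drop the values from defaults and make them required, e.g. `collabora_admin: "{{ undef(hint='set the Collabora admin user') }}"` and `collabora_secret: "{{ undef(hint='set the Collabora admin password, ideally via ansible-vault') }}"`, or add an `assert` task that fails when they are unset. `undef()` needs a reasonably recent ansible-core (2.12+, I believe), which meta/main.yml's `min_ansible_version: 2.1` would then need to reflect.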
@@ -0,0 +1,43 @@ +--- + +- name: Create collabora dirs + file: + path: "{{ item }}" + state: directory + mode: 0744 + recurse: true + owner: "{{ ansible_ssh_user }}" + group: "{{ ansible_ssh_user }}" + with_items: + - "{{ compose_dir }}/collabora/" + become: true + +- name: Upload docker-compose collabora + template: + src: "templates/docker-compose.yml" + dest: "{{ compose_dir }}/collabora/docker-compose.yml" + owner: "{{ ansible_ssh_user }}" + group: "{{ ansible_ssh_user }}" + mode: 0644 + +- name: Update and start services + become: true + docker_compose: + project_src: "{{ compose_dir }}/collabora" + pull: true + state: present + remove_orphans: true + register: output + +- name: Check services are running + assert: + that: + - "output.ansible_facts.collabora.collabora.state.running": true + +- name: Place reverse proxy conf + become: true + template: + src: "templates/collabora.conf" + dest: "/etc/nginx/conf.d/collabora.conf" + mode: "0600" + notify: "Check and Reload nginx" diff --git a/templates/collabora.conf.j2 b/templates/collabora.conf.j2 new file mode 100644 index 0000000..008f7f0 --- /dev/null +++ b/templates/collabora.conf.j2 
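Review bot: The "Upload docker-compose collabora" task renders a file that carries the admin password from `collabora_secret` and writes it with `mode: 0644`, so every local account on the host can read it; the nginx conf a few lines later gets `0600`, and the compose file deserves at least the same — `mode: "0600"` (quoted, since an unquoted octal is an integer to YAML and ansible-lint flags it). The `src:` values `templates/docker-compose.yml` and `templates/collabora.conf` do not match the files this commit adds (`templates/docker-compose.yml.j2`, `templates/collabora.conf.j2`), so both template tasks will fail unless the un-suffixed files exist outside this diff; `src: docker-compose.yml.j2` and `src: collabora.conf.j2` is the usual form (the `templates/` prefix is implied). The `assert` `that:` entry is a YAML mapping (`"…running": true`) rather than a test expression, which is not what the module expects; write it as `- output.ansible_facts.collabora.collabora.state.running`. The `mode: 0744` on the directory also removes the traverse bit for group/other while `recurse: true` pushes it onto everything below, so `"0750"` with the same owner/group is the more conventional choice.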
@@ -0,0 +1,116 @@ +# {{ ansible_managed }} +# commit: {{ lookup('pipe', 'git rev-parse --short HEAD') }} + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name {{ collabora_prefix }}.{{domain}}; + + ## + # SSL + ## + ssl_session_cache builtin:1000 shared:SSL:10m; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_prefer_server_ciphers on; + ssl_dhparam {{ ssl_dir }}/dhparams.pem; + ssl_ecdh_curve secp384r1; + ssl_certificate {{ certs_dir }}/{{ domain }}/cert.pem; + ssl_certificate_key {{ certs_dir }}/{{ domain }}/key.pem; + + ## + # OCSP Stapling + ## + ssl_stapling on; + ssl_stapling_verify on; + resolver {{ dns_resolvers }} valid=300s; + ssl_trusted_certificate {{ certs_dir }}/{{ domain }}/cert.pem; + + ## + # HSTS + ## + add_header Strict-Transport-Security "max-age=15552000 includeSubDomains" always; + set $upstream_collabora http://127.0.0.1:{{ collabora_port }}; + + location / { + proxy_set_header Host $http_host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Server $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-XSS-Protection "1; mode=block"; + proxy_set_header 'Referrer-Policy' 'origin'; + proxy_set_header X-Content-Type-Options nosniff; + + proxy_pass $upstream_collabora; + + client_max_body_size 500M; + } + + error_page 404 /404.html; + location = /40x.html { + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + } + + # static files + location ^~ /browser { + proxy_pass $upstream_collabora; + proxy_set_header Host $http_host; + } + + # WOPI discovery URL + location ^~ /hosting/discovery { + proxy_pass $upstream_collabora; + proxy_set_header Host $http_host; + } + + # Capabilities + location ^~ /hosting/capabilities { + proxy_pass 
$upstream_collabora; + proxy_set_header Host $http_host; + } + + # main websocket + location ~ ^/cool/(.*)/ws$ { + proxy_pass $upstream_collabora; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $http_host; + proxy_read_timeout 36000s; + } + + # download, presentation and image upload + location ~ ^/(c|l)ool { + proxy_pass $upstream_collabora; + proxy_set_header Host $http_host; + } + + # Admin Console websocket + location ^~ /cool/adminws { + proxy_pass $upstream_collabora; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $http_host; + proxy_read_timeout 36000s; + } +} + +server { + if ($host = {{ collabora_prefix }}.{{ domain }}) { + return 301 https://$host$request_uri; + } + + listen 80; + listen [::]:80; + server_name {{ collabora_prefix }}.{{ domain }}; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/templates/docker-compose.yml.j2 b/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..0e4db04 --- /dev/null +++ b/templates/docker-compose.yml.j2 @@ -0,0 +1,19 @@ +# {{ ansible_managed }} +# commit: {{ lookup('pipe', 'git rev-parse --short HEAD') }} + +version: "3.4" + +services: + collabora: + image: "{{ collabora_image }}:{{ collabora_version }}" + container_name: {{ collabora_container }} + hostname: {{ collabora_container_hostname }} + restart: unless-stopped + ports: "127.0.0.1:{{ collabora_port }}:9980" + volumes: + - /etc/localtime:/etc/localtime:ro + environment: + - "extra_params=--o:ssl.enable=false --o:ssl.termination=true" + - username={{ collabora_admin }} + - password={{ collabora_secret }} + - server_name={{ collabora_prefix }}.{{ domain }}
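Review bot: In `location /`, `X-XSS-Protection`, `Referrer-Policy` and `X-Content-Type-Options` are set with `proxy_set_header`, which only adds them to the request forwarded to the Collabora upstream, so browsers never receive these response headers; they should be `add_header X-Content-Type-Options nosniff always;` and `add_header Referrer-Policy origin always;`, placed at server scope next to the existing HSTS `add_header` (X-XSS-Protection is deprecated and can be dropped), because nginx discards inherited `add_header`s in any location that declares its own. `ssl_trusted_certificate` points at the same `cert.pem` as `ssl_certificate`, but `ssl_stapling_verify on` needs the issuing chain there; unless `cert.pem` already contains the intermediates this makes nginx log a warning and not staple, so a `chain.pem`/`fullchain.pem` is the usual target. The admin websocket at `/cool/adminws` (and the admin UI served under `/browser/`) is reachable from any source address with only the username/password from the compose environment standing in the way; an `allow`/`deny` block limiting that location to management addresses is a cheap extra layer. Minor: `error_page 404 /404.html` names a page that the `location = /40x.html` block does not serve.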
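Review bot: `ports: "127.0.0.1:{{ collabora_port }}:9980"` is a scalar, but as far as I know the compose v3 schema requires `ports` to be a list, so `docker_compose` will reject the rendered file; it should be `ports:` followed by `  - "127.0.0.1:{{ collabora_port }}:9980"` (keeping the quotes and the loopback binding, which is the right call with nginx terminating TLS in front). `container_name: {{ collabora_container }}` references a variable that `defaults/main.yml` in this commit does not define (only `collabora_container_hostname` is), so the template renders only if a caller sets it; either default it alongside the others or reuse `collabora_container_hostname`. The admin `password=` is passed as a plain environment variable, which ends up both in the compose file on disk and in `docker inspect` output for anyone in the `docker` group, so the credential is effectively host-readable; at minimum the rendered file should not be world-readable, and a tightly-permissioned `env_file` keeps it out of the compose file itself. No `aliasgroup1`/`domain` WOPI-host allow-list is set, so which hosts may open documents is whatever the image's default is — worth pinning explicitly to the Nextcloud/WOPI host FQDN.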