feat: ssl optional + ths fixes

group_vars/all.yaml

@@ -9,6 +9,9 @@ RSYSLOG_SERVER: internal.monitoring.atlantishq.de
 influxdb_telegraf_password: HISTORY_PURGED_SECRET
 code_server_password: HISTORY_PURGED_SECRET
 
+nextcloud_ssl_enabled: false
+nextcloud_cert_name: nextcloud.atlantishq.de
+
 tor_bridge_name: HISTORY_PURGED_SECRET
 tor_bridge_email: nobody@HISTORY_PURGED_SECRET.com
 

group_vars/nextcloud.yaml

@@ -0,0 +1 @@
+nextcloud_nginx_ssl_enabled: true

group_vars/ths.yaml

@@ -1,3 +1,4 @@
 ---
+nextcloud_nginx_ssl_enabled: false
 checks :
     - { user : sheppy, name : irc, cmd : ""}

roles/nextcloud/templates/nginx-nextcloud.conf

@@ -1,8 +1,10 @@
 server {
     listen 80;
     listen [::]:80;
+    {% if nextcloud_nginx_ssl_enabled %}
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
+    {% endif %}
 
     add_header X-Frame-Options "SAMEORIGIN";
     add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
@@ -13,8 +15,14 @@ server {
     add_header X-Permitted-Cross-Domain-Policies none;
     add_header Referrer-Policy no-referrer;
 
-    ssl_certificate         /etc/letsencrypt/live/nextcloud.atlantishq.de/fullchain.pem;
+    set_real_ip_from  192.168.122.1;
-    ssl_certificate_key     /etc/letsencrypt/live/nextcloud.atlantishq.de/privkey.pem;
+    real_ip_header    X-Forwarded-For;
+    real_ip_recursive on;
+
+    {% if nextcloud_nginx_ssl_enabled %}
+    ssl_certificate         /etc/letsencrypt/live/{{ nextcloud_cert_name }}/fullchain.pem;
+    ssl_certificate_key     /etc/letsencrypt/live/{{ nextcloud_cert_name }}/privkey.pem;
+    {% endif %}
 
     # Remove X-Powered-By, which is an information leak
     fastcgi_hide_header X-Powered-By;