Added NextCloud, Fixed Authelia, Updated rtorrent config

pillars/roles/aurpkgs/cloud.sls

@@ -0,0 +1,3 @@
+aur:
+  pkgs:
+    onlyoffice-documentserver: []

pillars/roles/database/nextcloud.sls

@@ -0,0 +1,9 @@
+database:
+  users:
+    nextcloud:
+      host: cloud.actcur.com
+  databases:
+    nextcloud:
+      nextcloud:
+        host: cloud.actcur.com
+        grant: all privileges

pillars/roles/mount/nextcloud.sls

@@ -0,0 +1,7 @@
+mount:
+  sshfs:
+    /mnt/nextcloud:
+      name: nextcloud
+      host: host.actcur.com
+      directory: /mnt/butter/nextcloud
+      user: mount

pillars/roles/nginx/nextcloud.sls

@@ -0,0 +1,18 @@
+nginx:
+  cloud:
+    auth: none
+    https:
+      port: 8080
+      prot: http
+  office:
+    auth: none
+    https:
+      port: 8000
+      prot: http
+
+portal:
+  Misc:
+    cloud:
+      name: NextCloud
+      summary: NextCloud Server
+      public: true

pillars/servers/env/server/cloud.sls

@@ -0,0 +1 @@
+env: prod

pillars/servers/roles/server/cloud.sls

@@ -0,0 +1,8 @@
+grains:
+  roles:
+    - server
+    - ssh
+    - nrpe
+    - saltminion
+    - nextcloud
+    - nginx-proxy

states/roles/maintain/authelia/config.yml

@@ -46,6 +46,22 @@ ldap:
   user: uid=authelia_admin,cn=users,cn=accounts,dc=actcur,dc=com
   password: "{%- include 'secure/passwords/authelia_admin_password.txt' -%}"
 
+# Authentication methods
+#
+# Authentication methods can be defined per subdomain.
+# There are currently two available methods: "single_factor" and "two_factor"
+#
+# Note: by default a domain uses "two_factor" method.
+#
+# Note: 'per_subdomain_methods' is a dictionary where keys must be subdomains and
+# values must be one of the two possible methods.
+#
+# Note: 'per_subdomain_methods' is optional.
+#
+# Note: authentication_methods is optional. If it is not set all sub-domains
+# are protected by two factors.
+authentication_methods:
+  default_method: two_factor
 
 # Access Control
 #
@@ -104,8 +120,14 @@ access_control:
         policy: allow
       - domain: 'radarr.actcur.com'
         policy: allow
-      - domain: 'deluge.actcur.com'
+      - domain: 'rtorrent.actcur.com'
         policy: allow
+      - domain: 'jackett.actcur.com'
+        policy: allow
+  users:
+    none:
+      - domain: 'none'
+        policy: deny
 
 # Configuration of session cookies
 #
@@ -152,7 +174,8 @@ storage:
 
   # Settings to connect to mongo server
   mongo:
-    url: mongodb://127.0.0.1/authelia
+    url: mongodb://127.0.0.1/
+    database: authelia
 
 # Configuration of the notification system.
 #

states/roles/maintain/authelia/init.sls

@@ -1,3 +1,13 @@
+authelia_build_pkgs:
+  pkg.installed:
+    - pkgs:
+        - make
+        - gcc
+        
+authelia_nodejs:
+  pkg.installed:
+    - name: nodejs-lts-carbon
+
 authelia_npm:
   pkg.installed:
     - name: npm

states/roles/maintain/nextcloud/init.sls

@@ -0,0 +1,68 @@
+nextcloud-pkgs:
+  pkg.installed:
+    - pkgs:
+      - nextcloud
+      - php-gd
+      - php-intl
+      - nginx
+      - collabora-online-server-nodocker
+      - redis
+      - rabbitmq
+      - postgresql
+    
+/etc/pacman.d/hooks/nextcloud.hook:
+  file.managed:
+    - source: salt://roles/maintain/nextcloud/nextcloud.hook
+    - user: root
+    - group: root
+    - mode: 644
+    - makedirs: true
+    
+/etc/php/php.ini:
+  file.managed:
+    - source: salt://roles/maintain/nextcloud/php.ini
+    - user: root
+    - group: root
+    - mode: 644
+    
+rtorrent-php-fpm:
+  pkg.installed:
+    - name: php-fpm
+  service.running:
+    - name: php-fpm
+    - enable: true
+    - watch:
+      - file: /etc/php/php.ini
+      
+/etc/nginx/conf.d/nextcloud.conf:
+  file.managed:
+    - source: salt://roles/maintain/nextcloud/nginx-nextcloud.conf
+    - user: root
+    - group: root
+    - mode: 644
+      
+/etc/nginx/conf.d/collabora.conf:
+  file.managed:
+    - source: salt://roles/maintain/nextcloud/nginx-collabora.conf
+    - user: root
+    - group: root
+    - mode: 644
+    
+mount:
+  group.present:
+    - gid: 503
+    - addusers:
+      - http
+
+nginx-service:
+  service.running:
+    - name: nginx
+    - watch:
+      - file: /etc/nginx/conf.d/nextcloud.conf
+
+/usr/share/webapps/nextcloud/apps:
+  file.directory:
+    - user: http
+    - group: http
+    - dir_mode: 750
+    

states/roles/maintain/nextcloud/nextcloud.hook

@@ -0,0 +1,11 @@
+[Trigger]
+Operation = Install
+Operation = Upgrade
+Type = Package
+Target = nextcloud
+Target = nextcloud-app-*
+  
+[Action]
+Description = Update Nextcloud installation
+When = PostTransaction
+Exec = /usr/bin/runuser -u http -- /usr/bin/php /usr/share/webapps/nextcloud/occ upgrade

states/roles/maintain/nextcloud/nginx-collabora.conf

@@ -0,0 +1,45 @@
+upstream office.actcur.com {
+    server 127.0.0.1:9980;
+}
+
+server {
+    listen 8000;
+    server_name office.actcur.com;
+
+    # static files
+    location ^~ /loleaflet {
+        proxy_pass http://127.0.0.1:9980;
+        proxy_set_header Host $host;
+    }
+
+    # WOPI discovery URL
+    location ^~ /hosting/discovery {
+        proxy_pass http://127.0.0.1:9980;
+        proxy_set_header Host $host;
+    }
+
+    # Main websocket
+    location ~ /lool/(.*)/ws$ {
+        proxy_pass http://127.0.0.1:9980;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+        proxy_read_timeout 36000s;
+    }
+
+    # Admin Console websocket
+    location ^~ /lool/adminws {
+        proxy_buffering off;
+        proxy_pass http://127.0.0.1:9980;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Host $host;
+        proxy_read_timeout 36000s;
+    }
+
+    # download, presentation and image upload
+    location ~ /lool {
+        proxy_pass http://127.0.0.1:9980;
+        proxy_set_header Host $host;
+    }
+}

states/roles/maintain/nextcloud/nginx-nextcloud.conf

@@ -0,0 +1,116 @@
+upstream php-handler {
+    server unix:/run/php-fpm/php-fpm.sock;
+}
+
+server {
+   listen 8080;
+   server_name cloud.actcur.com;
+
+    # Add headers to serve security related headers
+    # Before enabling Strict-Transport-Security headers please read into this
+    # topic first.
+    # add_header Strict-Transport-Security "max-age=15768000;
+    # includeSubDomains; preload;";
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Robots-Tag none;
+    add_header X-Download-Options noopen;
+    add_header X-Permitted-Cross-Domain-Policies none;
+
+    # Path to the root of your installation
+    root /usr/share/webapps/nextcloud/;
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    # The following 2 rules are only needed for the user_webfinger app.
+    # Uncomment it if you're planning to use this app.
+    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
+    # last;
+
+    location = /.well-known/carddav {
+        return 301 $scheme://$host/remote.php/dav;
+    }
+    location = /.well-known/caldav {
+       return 301 $scheme://$host/remote.php/dav;
+    }
+
+    location ~ /.well-known/acme-challenge {
+      allow all;
+    }
+
+    # set max upload size
+    client_max_body_size 512M;
+    fastcgi_buffers 64 4K;
+
+    # Disable gzip to avoid the removal of the ETag header
+    gzip off;
+
+    # Uncomment if your server is build with the ngx_pagespeed module
+    # This module is currently not supported.
+    #pagespeed off;
+
+    error_page 403 /core/templates/403.php;
+    error_page 404 /core/templates/404.php;
+
+    location / {
+       rewrite ^ /index.php$uri;
+    }
+
+    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+       deny all;
+    }
+    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+       deny all;
+     }
+
+    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+        fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+        #Avoid sending the security headers twice
+        fastcgi_param modHeadersAvailable true;
+        fastcgi_param front_controller_active true;
+        fastcgi_pass php-handler;
+        fastcgi_intercept_errors on;
+        fastcgi_request_buffering off;
+    }
+
+    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+       try_files $uri/ =404;
+       index index.php;
+    }
+
+    # Adding the cache control header for js and css files
+    # Make sure it is BELOW the PHP block
+    location ~* \.(?:css|js)$ {
+        try_files $uri /index.php$uri$is_args$args;
+        add_header Cache-Control "public, max-age=7200";
+        # Add headers to serve security related headers (It is intended to
+        # have those duplicated to the ones above)
+        # Before enabling Strict-Transport-Security headers please read into
+        # this topic first.
+        # add_header Strict-Transport-Security "max-age=15768000;
+        # includeSubDomains; preload;";
+        add_header X-Content-Type-Options nosniff;
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header X-XSS-Protection "1; mode=block";
+        add_header X-Robots-Tag none;
+        add_header X-Download-Options noopen;
+        add_header X-Permitted-Cross-Domain-Policies none;
+        # Optional: Don't log access to assets
+        access_log off;
+   }
+
+   location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
+        try_files $uri /index.php$uri$is_args$args;
+        # Optional: Don't log access to other assets
+        access_log off;
+   }
+}

states/roles/maintain/nginx-proxy/init.sls

@@ -89,7 +89,7 @@ nginx:
 {%- else %}
 /etc/nginx/conf.d/default.conf:
   file.managed:
-    - mkdirs: true
+    - makedirs: true
     - source: salt://roles/maintain/nginx-proxy/default.conf
     - user: root
     - group: root

states/roles/maintain/rtorrent/rtorrent.rc

@@ -1,32 +1,32 @@
 # Maximum and minimum number of peers to connect to per torrent.
-min_peers = 40
-max_peers = 100
+throttle.min_peers.normal.set = 40
+throttle.max_peers.normal.set = 100
 
 # Same as above but for seeding completed torrents (-1 = same as downloading)
-min_peers_seed = 25
-max_peers_seed = 60
+throttle.min_peers.seed.set = 25
+throttle.max_peers.seed.set = 60
 
 # Maximum number of simultaneous uploads per torrent.
-max_uploads = 30
+throttle.max_uploads.set = 30
 
 # Global upload and download rate in KiB. "0" for unlimited.
-download_rate = 1024
-upload_rate = 50
+throttle.global_down.max_rate.set_kb = 1024
+throttle.global_up.max_rate.set_kb = 50
 
 # Default directory to save the downloaded torrents.
-directory = /mnt/video/rtorrent/downloads
+directory.default.set = /mnt/video/rtorrent/downloads
 
 # Default session directory. Make sure you don't run multiple instance
 # of rtorrent using the same session directory. Perhaps using a
 # relative path?
-session = /mnt/video/rtorrent/.session
+session.path.set = /mnt/video/rtorrent/.session
 
 # Watch a directory for new torrents, and stop those that have been
 # deleted.
-schedule = watch_directory,5,5,load_start=/home/downloads/~watch/*.torrent
+schedule2 = watch_directory,5,5,load.start=/home/downloads/~watch/*.torrent
 
 # Close torrents when diskspace is low.
-schedule = low_diskspace,5,60,close_low_diskspace=10240M
+schedule2 = low_diskspace,5,60,close_low_diskspace=10240M
 
 # The ip address reported to the tracker.
 #ip = 127.0.0.1
@@ -38,17 +38,17 @@ schedule = low_diskspace,5,60,close_low_diskspace=10240M
 #bind = rakshasa.no
 
 # Port range to use for listening.
-port_range = 55950-56000
+network.port_range.set = 55950-56000
 
 # Start opening ports at a random position within the port range.
-port_random = yes
+network.port_random.set = yes
 
 # Check hash for finished torrents. Might be usefull until the bug is
 # fixed that causes lack of diskspace not to be properly reported.
-check_hash = yes   
+pieces.hash.on_completion.set = yes   
 
 # Set whether the client should try to connect to UDP trackers.
-use_udp_trackers = yes
+trackers.use_udp.set = yes
 
 # Alternative calls to bind and ip that should handle dynamic ip's.
 #schedule = ip_tick,0,1800,ip=rakshasa
@@ -61,14 +61,14 @@ use_udp_trackers = yes
 # outgoing connections but retries with encryption if they fail, preferring
 # plaintext to RC4 encryption after the encrypted handshake
 # 
-encryption = allow_incoming,enable_retry,prefer_plaintext
+protocol.encryption.set = allow_incoming,enable_retry,prefer_plaintext
 
 # Enable DHT support for trackerless torrents or when all trackers are down.
 # May be set to "disable" (completely disable DHT), "off" (do not start DHT),
 # "auto" (start and stop DHT as needed), or "on" (start DHT immediately). 
 # The default is "off". For DHT to work, a session directory must be defined.
 # 
-dht = on
+dht.mode.set = on
 
 # UDP port to use for DHT.
 #
@@ -76,6 +76,6 @@ dht = on
 
 # Enable peer exchange (for torrents not marked private)
 # 
-peer_exchange = yes
+protocol.pex.set = yes
 
-scgi_port = 127.0.0.1:5050
+network.scgi.open_port = 127.0.0.1:5050