diff --git a/roles/nextcloud/tasks/main.yaml b/roles/nextcloud/tasks/main.yaml
index 8fe202b..9bc914e 100644
--- a/roles/nextcloud/tasks/main.yaml
+++ b/roles/nextcloud/tasks/main.yaml
@@ -8,8 +8,11 @@ - name: Template nginx base conf template: - src: nginx.conf - dest: /etc/nginx/nginx.conf + src: "{{ item }}" + dest: "/etc/nginx/{{ item }}" + with_items: + - nginx.conf + - mime.types notify: - reload nginx
diff --git a/roles/nextcloud/templates/mime.types b/roles/nextcloud/templates/mime.types
new file mode 100644
index 0000000..d8207ae
--- /dev/null
+++ b/roles/nextcloud/templates/mime.types
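Review bot: The `template` task now writes two files under `/etc/nginx/` but still pins neither owner nor mode, so the resulting permissions depend on the umask of the Ansible run rather than on the role; add `owner: root`, `group: root` and `mode: "0644"` to the task. Note that a `validate: nginx -t -c %s` cannot simply be added to this task either, because with the loop it would run once per item and `mime.types` is not a standalone nginx config, so config validation has to live in a separate task or in the `reload nginx` handler. Finally, `with_items` is the legacy form; `loop:` is the current idiom and behaves identically here.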
@@ -0,0 +1,97 @@
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js;
+ application/javascript mjs;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/avif avif;
+ image/png png;
+ image/svg+xml svg svgz;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/webp webp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+
+ font/woff woff;
+ font/woff2 woff2;
+
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.oasis.opendocument.graphics odg;
+ application/vnd.oasis.opendocument.presentation odp;
+ application/vnd.oasis.opendocument.spreadsheet ods;
+ application/vnd.oasis.opendocument.text odt;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
+ application/vnd.wap.wmlc wmlc;
+ application/wasm wasm;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der 
pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
+
diff --git a/roles/nextcloud/templates/nginx-nextcloud.conf b/roles/nextcloud/templates/nginx-nextcloud.conf
index 2f42ab0..bc43b97 100644
--- a/roles/nextcloud/templates/nginx-nextcloud.conf
+++ b/roles/nextcloud/templates/nginx-nextcloud.conf
@@ -4,7 +4,8 @@ server { listen 443 ssl http2; listen [::]:443 ssl http2; - add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Frame-Options "SAMEORIGIN"; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none;
@@ -101,6 +102,8 @@ server { add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy no-referrer; + add_header X-Frame-Options "SAMEORIGIN"; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains"; } location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
@@ -110,7 +113,7 @@ server { # Adding the cache control header for js, css and map files # Make sure it is BELOW the PHP block - location ~ \.(?:css|js|woff2?|svg|gif|map)$ { + location ~ \.(?:css|mjs|js|woff2?|svg|gif|map)$ { try_files $uri /index.php$request_uri; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; 
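Review bot: Dropping `always` from the X-Frame-Options line, and adding Strict-Transport-Security without it, is a regression: nginx's `add_header` only emits a header on 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses unless `always` is given, so every 4xx/5xx from this server block (error pages, rejected logins, maintenance responses) now goes out without HSTS and without clickjacking protection. Restore it on both new lines: `add_header X-Frame-Options "SAMEORIGIN" always;` and `add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;`. The neighbouring context headers (nosniff, X-XSS-Protection, X-Robots-Tag) already lacked `always` before this change and are worth fixing in the same pass. The same omission is repeated in the two location blocks further down, so the hardening should be applied consistently.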
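Review bot: The two `add_header` lines re-added here again omit `always`, so a PHP-generated error response from this location loses X-Frame-Options and HSTS exactly where those headers matter most; use `add_header X-Frame-Options "SAMEORIGIN" always;` and `add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;`. The duplication itself is necessary — any `add_header` inside a location discards every header inherited from the server block — but that rule is non-obvious and should be stated in a comment so the next edit keeps the lists in sync, e.g. `# add_header in a location replaces ALL inherited headers; mirror the server-level list here`. If Nextcloud's own PHP code also emits these headers (it sets several of them itself), the client will see them twice, which is harmless while the values agree but another reason to keep one authoritative list. The location block this hunk belongs to starts above the hunk, outside the visible lines.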
@@ -118,6 +121,7 @@ server { add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy no-referrer; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains"; # Optional: Don't log access to assets access_log off;
diff --git a/roles/nextcloud/templates/php.ini b/roles/nextcloud/templates/php.ini
new file mode 100644
index 0000000..59367ad
--- /dev/null
+++ b/roles/nextcloud/templates/php.ini
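Review bot: HSTS is re-added in this static-asset location, but X-Frame-Options is not, even though the PHP location in the previous hunk got both; because the `add_header` list here replaces the inherited server-level headers, css/js/mjs/svg/gif/map responses will carry HSTS but no frame restriction. Add `add_header X-Frame-Options "SAMEORIGIN" always;` next to it and give the new HSTS line `always` too, so it is also sent on non-2xx responses produced for this location. The enclosing `location ~ \.(?:css|mjs|js|woff2?|svg|gif|map)$` block starts outside the hunk.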
@@ -0,0 +1,262 @@
+[PHP]
+
+engine = On
+
+short_open_tag = Off
+
+precision = 14
+
+output_buffering = 4096
+
+zlib.output_compression = Off
+
+implicit_flush = Off
+
+unserialize_callback_func =
+
+serialize_precision = -1
+
+disable_functions =
+
+disable_classes =
+
+zend.enable_gc = On
+
+zend.exception_ignore_args = On
+
+zend.exception_string_param_max_len = 0
+
+expose_php = Off
+
+max_execution_time = 30
+
+max_input_time = 60
+
+memory_limit = 2048M
+
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+
+display_errors = Off
+
+display_startup_errors = Off
+
+log_errors = On
+
+ignore_repeated_errors = Off
+
+ignore_repeated_source = Off
+
+report_memleaks = On
+
+variables_order = "GPCS"
+
+request_order = "GP"
+
+register_argc_argv = Off
+
+auto_globals_jit = On
+
+post_max_size = 8M
+
+auto_prepend_file =
+
+auto_append_file =
+
+default_mimetype = "text/html"
+
+default_charset = "UTF-8"
+
+doc_root =
+
+user_dir =
+
+enable_dl = Off
+
+file_uploads = On
+
+upload_max_filesize = 2M
+
+max_file_uploads = 20
+
+allow_url_fopen = On
+
+allow_url_include = Off
+
+default_socket_timeout = 60
+
+[CLI Server]
+cli_server.color = On
+
+[Date]
+
+[filter]
+
+[iconv]
+
+[imap]
+
+[intl]
+
+[sqlite3]
+
+[Pcre]
+
+[Pdo]
+
+[Pdo_mysql]
+pdo_mysql.default_socket=
+
+[Phar]
+
+[mail function]
+SMTP = localhost
+smtp_port = 25
+
+mail.add_x_header = Off
+
+mail.mixed_lf_and_crlf = Off
+
+[ODBC]
+
+odbc.allow_persistent = On
+
+odbc.check_persistent = On
+
+odbc.max_persistent = -1
+
+odbc.max_links = -1
+
+odbc.defaultlrl = 4096
+
+odbc.defaultbinmode = 1
+
+[MySQLi]
+
+mysqli.max_persistent = -1
+
+mysqli.allow_persistent = On
+
+mysqli.max_links = -1
+
+mysqli.default_port = 3306
+
+mysqli.default_socket =
+
+mysqli.default_host =
+
+mysqli.default_user =
+
+mysqli.default_pw =
+
+[mysqlnd]
+mysqlnd.collect_statistics = On
+
+mysqlnd.collect_memory_statistics = Off
+
+[OCI8]
+
+[PostgreSQL]
+pgsql.allow_persistent = On
+
+pgsql.auto_reset_persistent = Off
+
+pgsql.max_persistent = -1
+
+pgsql.max_links = -1
+
+pgsql.ignore_notice = 0
+
+pgsql.log_notice = 0
+
+[bcmath]
+bcmath.scale = 0
+
+[browscap]
+
+[Session]
+session.save_handler = files
+
+session.use_strict_mode = 0
+
+session.use_cookies = 1
+
+session.use_only_cookies = 1
+
+session.name = PHPSESSID
+
+session.auto_start = 0
+
+session.cookie_lifetime = 0
+
+session.cookie_path = /
+
+session.cookie_domain =
+
+session.cookie_httponly =
+
+session.cookie_samesite =
+
+session.serialize_handler = php
+
+session.gc_probability = 0
+
+session.gc_divisor = 1000
+
+session.gc_maxlifetime = 1440
+
+session.referer_check =
+
+session.cache_limiter = nocache
+
+session.cache_expire = 180
+
+session.use_trans_sid = 0
+
+session.sid_length = 26
+
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+
+session.sid_bits_per_character = 5
+
+[Assertion]
+zend.assertions = -1
+
+[COM]
+
+[mbstring]
+
+[gd]
+
+[exif]
+
+[Tidy]
+
+tidy.clean_output = Off
+
+[soap]
+soap.wsdl_cache_enabled=1
+
+soap.wsdl_cache_dir="/tmp"
+
+soap.wsdl_cache_ttl=86400
+
+soap.wsdl_cache_limit = 5
+
+[sysvshm]
+
+[ldap]
+ldap.max_links = -1
+
+[dba]
+
+[opcache]
+
+opcache.interned_strings_buffer=32
+
+[curl]
+
+[openssl]
+
+[ffi]
+
+
diff --git a/roles/nextcloud/templates/www.conf b/roles/nextcloud/templates/www.conf
new file mode 100644
index 0000000..69ac137
--- /dev/null
+++ b/roles/nextcloud/templates/www.conf
@@ -0,0 +1,25 @@
+[www]
+
+user = www-data
+group = www-data
+
+listen = /run/php/php8.2-fpm.sock
+
+listen.owner = www-data
+listen.group = www-data
+
+pm = dynamic
+
+pm.max_children = 5
+
+pm.start_servers = 2
+
+pm.min_spare_servers = 1
+
+pm.max_spare_servers = 3
+
+env[HOSTNAME] = $HOSTNAME
+env[PATH] = /usr/local/bin:/usr/bin:/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
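Review bot: `session.use_strict_mode = 0` lets PHP adopt an uninitialised session ID supplied by the client, which is the precondition for session fixation; set `session.use_strict_mode = 1`. `session.cookie_httponly =` and `session.cookie_samesite =` are left empty, so neither flag is applied at the ini level — Nextcloud may set them itself at runtime, but `session.cookie_httponly = 1` (and `session.cookie_samesite = Lax`, once confirmed not to break federation/OAuth flows) is cheap defence in depth for anything else served by this pool. `session.gc_probability = 0` disables PHP's own session garbage collection, which is only safe if an external job sweeps expired session files; that should be confirmed for this host and recorded in a comment. `upload_max_filesize = 2M`, `post_max_size = 8M` and `memory_limit = 2048M` are unexplained — a comment stating whether the small upload limits are intentional and why 2 GB per worker is needed would spare the next maintainer a guess.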
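Review bot: `pm.max_children = 5` together with the `memory_limit = 2048M` set in the accompanying php.ini permits roughly 10 GB of PHP heap across the pool, and with no `pm.max_requests` a leaking worker is never recycled; either lower the limit or add `pm.max_requests = 500` and document the sizing in a comment. `listen.mode` is not set, so the socket falls back to php-fpm's default of 0660 for `www-data:www-data`, which is only correct if the nginx workers run as www-data — that is decided in nginx.conf, outside this diff, so it should be checked. The PHP version is hard-coded in `listen = /run/php/php8.2-fpm.sock`; since this file is a Jinja template, a role variable such as `{{ php_version }}` would keep it in step with the `fastcgi_pass` in the nginx config.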