feat: add nextcloud fixes

roles/nextcloud/tasks/main.yaml

@@ -8,8 +8,11 @@
 
 - name: Template nginx base conf
   template:
-    src: nginx.conf
+    src: "{{ item }}"
-    dest: /etc/nginx/nginx.conf
+    dest: "/etc/nginx/{{ item }}"
+  with_items:
+    - nginx.conf
+    - mime.types
   notify:
     - reload nginx
 

roles/nextcloud/templates/mime.types

@@ -0,0 +1,97 @@
+types {
+    text/html                             html htm shtml;
+    text/css                              css;
+    text/xml                              xml;
+    image/gif                             gif;
+    image/jpeg                            jpeg jpg;
+    application/javascript                js;
+    application/javascript                mjs;
+    application/atom+xml                  atom;
+    application/rss+xml                   rss;
+
+    text/mathml                           mml;
+    text/plain                            txt;
+    text/vnd.sun.j2me.app-descriptor      jad;
+    text/vnd.wap.wml                      wml;
+    text/x-component                      htc;
+
+    image/avif                            avif;
+    image/png                             png;
+    image/svg+xml                         svg svgz;
+    image/tiff                            tif tiff;
+    image/vnd.wap.wbmp                    wbmp;
+    image/webp                            webp;
+    image/x-icon                          ico;
+    image/x-jng                           jng;
+    image/x-ms-bmp                        bmp;
+
+    font/woff                             woff;
+    font/woff2                            woff2;
+
+    application/java-archive              jar war ear;
+    application/json                      json;
+    application/mac-binhex40              hqx;
+    application/msword                    doc;
+    application/pdf                       pdf;
+    application/postscript                ps eps ai;
+    application/rtf                       rtf;
+    application/vnd.apple.mpegurl         m3u8;
+    application/vnd.google-earth.kml+xml  kml;
+    application/vnd.google-earth.kmz      kmz;
+    application/vnd.ms-excel              xls;
+    application/vnd.ms-fontobject         eot;
+    application/vnd.ms-powerpoint         ppt;
+    application/vnd.oasis.opendocument.graphics        odg;
+    application/vnd.oasis.opendocument.presentation    odp;
+    application/vnd.oasis.opendocument.spreadsheet     ods;
+    application/vnd.oasis.opendocument.text            odt;
+    application/vnd.openxmlformats-officedocument.presentationml.presentation    pptx;
+    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet    xlsx;
+    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
+    application/vnd.wap.wmlc              wmlc;
+    application/wasm                      wasm;
+    application/x-7z-compressed           7z;
+    application/x-cocoa                   cco;
+    application/x-java-archive-diff       jardiff;
+    application/x-java-jnlp-file          jnlp;
+    application/x-makeself                run;
+    application/x-perl                    pl pm;
+    application/x-pilot                   prc pdb;
+    application/x-rar-compressed          rar;
+    application/x-redhat-package-manager  rpm;
+    application/x-sea                     sea;
+    application/x-shockwave-flash         swf;
+    application/x-stuffit                 sit;
+    application/x-tcl                     tcl tk;
+    application/x-x509-ca-cert            der pem crt;
+    application/x-xpinstall               xpi;
+    application/xhtml+xml                 xhtml;
+    application/xspf+xml                  xspf;
+    application/zip                       zip;
+
+    application/octet-stream              bin exe dll;
+    application/octet-stream              deb;
+    application/octet-stream              dmg;
+    application/octet-stream              iso img;
+    application/octet-stream              msi msp msm;
+
+    audio/midi                            mid midi kar;
+    audio/mpeg                            mp3;
+    audio/ogg                             ogg;
+    audio/x-m4a                           m4a;
+    audio/x-realaudio                     ra;
+
+    video/3gpp                            3gpp 3gp;
+    video/mp2t                            ts;
+    video/mp4                             mp4;
+    video/mpeg                            mpeg mpg;
+    video/quicktime                       mov;
+    video/webm                            webm;
+    video/x-flv                           flv;
+    video/x-m4v                           m4v;
+    video/x-mng                           mng;
+    video/x-ms-asf                        asx asf;
+    video/x-ms-wmv                        wmv;
+    video/x-msvideo                       avi;
+}
+

roles/nextcloud/templates/nginx-nextcloud.conf

@@ -4,7 +4,8 @@ server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
 
-    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
     add_header X-Content-Type-Options nosniff;
     add_header X-XSS-Protection "1; mode=block";
     add_header X-Robots-Tag none;
@@ -101,6 +102,8 @@ server {
         add_header X-Download-Options noopen;
         add_header X-Permitted-Cross-Domain-Policies none;
         add_header Referrer-Policy no-referrer;
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
     }
 
     location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
@@ -110,7 +113,7 @@ server {
 
     # Adding the cache control header for js, css and map files
     # Make sure it is BELOW the PHP block
-    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
+    location ~ \.(?:css|mjs|js|woff2?|svg|gif|map)$ {
         try_files $uri /index.php$request_uri;
         add_header X-Content-Type-Options nosniff;
         add_header X-XSS-Protection "1; mode=block";
@@ -118,6 +121,7 @@ server {
         add_header X-Download-Options noopen;
         add_header X-Permitted-Cross-Domain-Policies none;
         add_header Referrer-Policy no-referrer;
+        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
 
         # Optional: Don't log access to assets
         access_log off;

roles/nextcloud/templates/php.ini

@@ -0,0 +1,262 @@
+[PHP]
+
+engine = On
+
+short_open_tag = Off
+
+precision = 14
+
+output_buffering = 4096
+
+zlib.output_compression = Off
+
+implicit_flush = Off
+
+unserialize_callback_func =
+
+serialize_precision = -1
+
+disable_functions = 
+
+disable_classes =
+
+zend.enable_gc = On
+
+zend.exception_ignore_args = On
+
+zend.exception_string_param_max_len = 0
+
+expose_php = Off
+
+max_execution_time = 30
+
+max_input_time = 60
+
+memory_limit = 2048M
+
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+
+display_errors = Off
+
+display_startup_errors = Off
+
+log_errors = On
+
+ignore_repeated_errors = Off
+
+ignore_repeated_source = Off
+
+report_memleaks = On
+
+variables_order = "GPCS"
+
+request_order = "GP"
+
+register_argc_argv = Off
+
+auto_globals_jit = On
+
+post_max_size = 8M
+
+auto_prepend_file =
+
+auto_append_file =
+
+default_mimetype = "text/html"
+
+default_charset = "UTF-8"
+
+doc_root =
+
+user_dir =
+
+enable_dl = Off
+
+file_uploads = On
+
+upload_max_filesize = 2M
+
+max_file_uploads = 20
+
+allow_url_fopen = On
+
+allow_url_include = Off
+
+default_socket_timeout = 60
+
+[CLI Server]
+cli_server.color = On
+
+[Date]
+
+[filter]
+
+[iconv]
+
+[imap]
+
+[intl]
+
+[sqlite3]
+
+[Pcre]
+
+[Pdo]
+
+[Pdo_mysql]
+pdo_mysql.default_socket=
+
+[Phar]
+
+[mail function]
+SMTP = localhost
+smtp_port = 25
+
+mail.add_x_header = Off
+
+mail.mixed_lf_and_crlf = Off
+
+[ODBC]
+
+odbc.allow_persistent = On
+
+odbc.check_persistent = On
+
+odbc.max_persistent = -1
+
+odbc.max_links = -1
+
+odbc.defaultlrl = 4096
+
+odbc.defaultbinmode = 1
+
+[MySQLi]
+
+mysqli.max_persistent = -1
+
+mysqli.allow_persistent = On
+
+mysqli.max_links = -1
+
+mysqli.default_port = 3306
+
+mysqli.default_socket =
+
+mysqli.default_host =
+
+mysqli.default_user =
+
+mysqli.default_pw =
+
+[mysqlnd]
+mysqlnd.collect_statistics = On
+
+mysqlnd.collect_memory_statistics = Off
+
+[OCI8]
+
+[PostgreSQL]
+pgsql.allow_persistent = On
+
+pgsql.auto_reset_persistent = Off
+
+pgsql.max_persistent = -1
+
+pgsql.max_links = -1
+
+pgsql.ignore_notice = 0
+
+pgsql.log_notice = 0
+
+[bcmath]
+bcmath.scale = 0
+
+[browscap]
+
+[Session]
+session.save_handler = files
+
+session.use_strict_mode = 0
+
+session.use_cookies = 1
+
+session.use_only_cookies = 1
+
+session.name = PHPSESSID
+
+session.auto_start = 0
+
+session.cookie_lifetime = 0
+
+session.cookie_path = /
+
+session.cookie_domain =
+
+session.cookie_httponly =
+
+session.cookie_samesite =
+
+session.serialize_handler = php
+
+session.gc_probability = 0
+
+session.gc_divisor = 1000
+
+session.gc_maxlifetime = 1440
+
+session.referer_check =
+
+session.cache_limiter = nocache
+
+session.cache_expire = 180
+
+session.use_trans_sid = 0
+
+session.sid_length = 26
+
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+
+session.sid_bits_per_character = 5
+
+[Assertion]
+zend.assertions = -1
+
+[COM]
+
+[mbstring]
+
+[gd]
+
+[exif]
+
+[Tidy]
+
+tidy.clean_output = Off
+
+[soap]
+soap.wsdl_cache_enabled=1
+
+soap.wsdl_cache_dir="/tmp"
+
+soap.wsdl_cache_ttl=86400
+
+soap.wsdl_cache_limit = 5
+
+[sysvshm]
+
+[ldap]
+ldap.max_links = -1
+
+[dba]
+
+[opcache]
+
+opcache.interned_strings_buffer=32
+
+[curl]
+
+[openssl]
+
+[ffi]
+
+

roles/nextcloud/templates/www.conf

@@ -0,0 +1,25 @@
+[www]
+
+user = www-data
+group = www-data
+
+listen = /run/php/php8.2-fpm.sock
+
+listen.owner = www-data
+listen.group = www-data
+
+pm = dynamic
+
+pm.max_children = 5
+
+pm.start_servers = 2
+
+pm.min_spare_servers = 1
+
+pm.max_spare_servers = 3
+
+env[HOSTNAME] = $HOSTNAME
+env[PATH] = /usr/local/bin:/usr/bin:/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp