owncloud: rename to nextcloud

group_vars/all/vars.yml

@@ -68,10 +68,10 @@ nslcd_base_group: ou=groups,dc=binary-kitchen,dc=de
 nslcd_base_shadow: ou=people,dc=binary-kitchen,dc=de
 nslcd_base_passwd: ou=people,dc=binary-kitchen,dc=de
 
-owncloud_domain: oc.binary-kitchen.de
-owncloud_dbname: owncloud
-owncloud_dbuser: owncloud
-owncloud_dbpass: "{{ vault_owncloud_dbpass }}"
+nextcloud_domain: oc.binary-kitchen.de
+nextcloud_dbname: owncloud
+nextcloud_dbuser: owncloud
+nextcloud_dbpass: "{{ vault_owncloud_dbpass }}"
 
 prosody_admin: moepman@jabber.binary-kitchen.de
 prosody_domain: jabber.binary-kitchen.de

roles/owncloud/tasks/main.yml

@@ -3,16 +3,17 @@
 - name: Install packages
   apt: name={{ item }}
   with_items:
-  - php7.0-apcu
-  - php7.0-curl
-  - php7.0-fpm
-  - php7.0-gd
-  - php7.0-ldap
-  - php7.0-mbstring
-  - php7.0-pgsql
-  - php7.0-xml
-  - php7.0-zip
-  - php-redis
+# FIXME currently PHP handled out of ansible
+# - php7.0-apcu
+# - php7.0-curl
+# - php7.0-fpm
+# - php7.0-gd
+# - php7.0-ldap
+# - php7.0-mbstring
+# - php7.0-pgsql
+# - php7.0-xml
+# - php7.0-zip
+# - php-redis
   - postgresql
   - python-psycopg2
 
@@ -27,34 +28,37 @@
   become_user: postgres
 
 - name: Ensure certificates are available
-  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ owncloud_domain }}.key -out /etc/nginx/ssl/{{ owncloud_domain }}.crt -days 730 -subj "/CN={{ owncloud_domain }}" creates=/etc/nginx/ssl/{{ owncloud_domain }}.crt
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ nextcloud_domain }}.key -out /etc/nginx/ssl/{{ nextcloud_domain }}.crt -days 730 -subj "/CN={{ nextcloud_domain }}" creates=/etc/nginx/ssl/{{ nextcloud_domain }}.crt
   notify: Restart nginx
 
-- name: Configure certificate manager for owncloud
-  template: src=certs.j2 dest=/etc/acertmgr/{{ owncloud_domain }}.conf
+- name: Configure certificate manager for nextcloud
+  template: src=certs.j2 dest=/etc/acertmgr/{{ nextcloud_domain }}.conf
   notify: Run acertmgr
 
 - name: Create vhost directory
-  file: path=/var/www/owncloud state=directory owner=www-data group=www-data
+  file: path=/var/www/nextcloud state=directory owner=www-data group=www-data
 
 - name: Configure vhost
-  template: src=vhost.j2 dest=/etc/nginx/sites-available/owncloud
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/nextcloud
   notify: Restart nginx
 
-- name: Configure php7.0-fpm
-  copy: src=www.conf dest=/etc/php/7.0/fpm/pool.d/www.conf
-  notify: Restart php7.0-fpm
+# FIXME currently PHP handled out of ansible
+#- name: Configure php7.0-fpm
+#  copy: src=www.conf dest=/etc/php/7.0/fpm/pool.d/www.conf
+#  notify: Restart php7.0-fpm
 
-- name: Configure php7.0 opcache
-  copy: src=opcache.ini dest=/etc/php/7.0/mods-available/opcache.ini
-  notify: Restart php7.0-fpm
+# FIXME currently PHP handled out of ansible
+#- name: Configure php7.0 opcache
+#  copy: src=opcache.ini dest=/etc/php/7.0/mods-available/opcache.ini
+#  notify: Restart php7.0-fpm
 
 - name: Enable vhost
-  file: src=/etc/nginx/sites-available/owncloud dest=/etc/nginx/sites-enabled/owncloud state=link
+  file: src=/etc/nginx/sites-available/nextcloud dest=/etc/nginx/sites-enabled/nextcloud state=link
   notify: Restart nginx
 
-- name: Start php7.0-fpm
-  service: name=php7.0-fpm state=started enabled=yes
+# FIXME currently PHP handled out of ansible
+#- name: Start php7.0-fpm
+#  service: name=php7.0-fpm state=started enabled=yes
 
 - name: Start PostgreSQL
   service: name=postgresql state=started enabled=yes

roles/owncloud/templates/certs.j2

@@ -1,13 +1,13 @@
 ---
 
-{{ owncloud_domain }}:
-- path: /etc/nginx/ssl/{{ owncloud_domain }}.key
+{{ nextcloud_domain }}:
+- path: /etc/nginx/ssl/{{ nextcloud_domain }}.key
   user: root
   group: root
   perm: '400'
   format: key
   action: '/usr/sbin/service nginx restart'
-- path: /etc/nginx/ssl/{{ owncloud_domain }}.crt
+- path: /etc/nginx/ssl/{{ nextcloud_domain }}.crt
   user: root
   group: root
   perm: '400'

roles/owncloud/templates/vhost.j2

@@ -2,7 +2,7 @@ server {
 	listen 80;
 	listen [::]:80;
 
-	server_name {{ owncloud_domain }};
+	server_name {{ nextcloud_domain }};
 
 	location /.well-known/acme-challenge {
 		default_type "text/plain";
@@ -10,7 +10,7 @@ server {
 	}
 
 	location / {
-		return 301 https://{{ owncloud_domain }}$request_uri;
+		return 301 https://{{ nextcloud_domain }}$request_uri;
 	}
 }
 
@@ -18,71 +18,139 @@ server {
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
 
-	server_name {{ owncloud_domain }};
+	server_name {{ nextcloud_domain }};
 
-	ssl_certificate_key /etc/nginx/ssl/{{ owncloud_domain }}.key;
-	ssl_certificate /etc/nginx/ssl/{{ owncloud_domain }}.crt;
+	ssl_certificate_key /etc/nginx/ssl/{{ nextcloud_domain }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ nextcloud_domain }}.crt;
 
 	# Add headers to serve security related headers
 	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
 	add_header X-Content-Type-Options nosniff;
-	add_header X-Frame-Options "SAMEORIGIN";
+	#add_header X-Frame-Options "SAMEORIGIN";
 	add_header X-XSS-Protection "1; mode=block";
 	add_header X-Robots-Tag none;
 	add_header X-Download-Options noopen;
 	add_header X-Permitted-Cross-Domain-Policies none;
+	add_header 'Referrer-Policy' 'no-referrer';
 
-	root /var/www/owncloud/;
+	# Remove X-Powered-By, which is an information leak
+	fastcgi_hide_header X-Powered-By;
+
+	root /var/www/nextcloud/;
 
 	# set max upload size
 	client_max_body_size 1G;
 	fastcgi_buffers 64 4K;
 
-	# Disable gzip to avoid the removal of the ETag header
-	gzip off;
-
 	index index.php;
 	error_page 403 /core/templates/403.php;
 	error_page 404 /core/templates/404.php;
 
-	rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
-	rewrite ^/.well-known/caldav /remote.php/dav/ permanent;
-
 	location = /robots.txt {
 		allow all;
 		log_not_found off;
 		access_log off;
 	}
 
-	location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
-		deny all;
+	location = /.well-known/carddav {
+		return 301 $scheme://$host/remote.php/dav;
+	}
+	location = /.well-known/caldav {
+		return 301 $scheme://$host/remote.php/dav;
 	}
 
-	location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
-		deny all;
-	}
 
 	location / {
-		rewrite ^/remote/(.*) /remote.php last;
-		rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
-		try_files $uri $uri/ =404;
+		rewrite ^ /index.php$request_uri;
 	}
 
-	location ~ \.php(?:$|/) {
-		fastcgi_split_path_info ^(.+\.php)(/.+)$;
+	location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
+		deny all;
+	}
+
+	location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
+		deny all;
+	}
+
+	location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|ocm-provider\/.+)\.php(?:$|\/) {
+		fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
 		include fastcgi_params;
 		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 		fastcgi_param PATH_INFO $fastcgi_path_info;
+		fastcgi_pass unix:/run/php/php-fpm.sock;
 		fastcgi_param HTTPS on;
-		fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
-		fastcgi_pass unix:/var/run/php-fpm.sock;
+		#Avoid sending the security headers twice
+		fastcgi_param modHeadersAvailable true;
+		fastcgi_param front_controller_active true;
 		fastcgi_intercept_errors on;
+		fastcgi_request_buffering off;
+	}
+
+	location ~ ^\/(?:updater|ocs-provider|ocm-provider)(?:$|\/) {
+		try_files $uri/ =404;
+		index index.php;
 	}
 
 	# Adding the cache control header for js and css files
-	location ~* \.(?:css|js)$ {
-		add_header Cache-Control "public, max-age=7200";
-		# Don't log access to assets
+	# Make sure it is BELOW the PHP block
+	location ~ \.(?:css|js|woff2?|svg|gif)$ {
+		try_files $uri /index.php$request_uri;
+		add_header Cache-Control "public, max-age=15778463";
+		# Add headers to serve security related headers (It is intended to
+		# have those duplicated to the ones above)
+		# Before enabling Strict-Transport-Security headers please read into
+		# this topic first.
+		# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+		#
+		# WARNING: Only add the preload option once you read about
+		# the consequences in https://hstspreload.org/. This option
+		# will add the domain to a hardcoded list that is shipped
+		# in all major browsers and getting removed from this list
+		# could take several months.
+		add_header X-Content-Type-Options nosniff;
+		add_header X-XSS-Protection "1; mode=block";
+		add_header X-Robots-Tag none;
+		add_header X-Download-Options noopen;
+		add_header X-Permitted-Cross-Domain-Policies none;
+		add_header Referrer-Policy no-referrer;
+		# Optional: Don't log access to assets
 		access_log off;
 	}
+
+	location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+		try_files $uri /index.php$request_uri;
+		# Optional: Don't log access to other assets
+		access_log off;
+	}
+
+	# collabora static files
+		location ^~ /loleaflet {
+		proxy_pass http://localhost:9980;
+		proxy_set_header Host $http_host;
+	}
+
+	# collabora WOPI discovery URL
+	location ^~ /hosting/discovery {
+		proxy_pass http://localhost:9980;
+		proxy_set_header Host $http_host;
+	}
+
+	# collabora websockets, download, presentation and image upload
+	location ^~ /lool {
+		proxy_pass http://localhost:9980;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "upgrade";
+		proxy_set_header Host $http_host;
+	}
+
+	# collabora static files
+	location /drawio {
+		access_log off;
+		alias /var/www/drawio/src/main/webapp;
+		index index.html;
+		location ~ ^/drawio/(.*\.(html|xml|js|css|gif|jpg|png))$ {
+		alias /var/www/drawio/src/main/webapp/$1;
+		}
+	}
+
 }