authorGuilhem Moulin <guilhem@fripost.org>2020-05-16 00:52:10 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-16 01:30:44 +0200
commite43ef0c7b9490ece68af38f8a658ad8a710e4e37 (patch)
treef9dedcfa6dee7cfe280aedf10695e73f9ce69962 /roles/nextcloud/files/etc
parent38c697083d50764d833adc039b10b203d36c8f56 (diff)
Nextcloud: use dedicated user and PHP FPM pool.
There is a real security gain in not using the 'www-data' user: nginx workers can no longer read the Nextcloud config files or the data directory, so if our nginx configuration is ever misconfigured, a leak is much less likely.
Diffstat (limited to 'roles/nextcloud/files/etc')
-rw-r--r--roles/nextcloud/files/etc/cron.d/nextcloud2
-rw-r--r--roles/nextcloud/files/etc/nginx/sites-available/nextcloud1
-rw-r--r--roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf17
3 files changed, 19 insertions, 1 deletions
diff --git a/roles/nextcloud/files/etc/cron.d/nextcloud b/roles/nextcloud/files/etc/cron.d/nextcloud
index 681cd43..3c4aac0 100644
--- a/roles/nextcloud/files/etc/cron.d/nextcloud
+++ b/roles/nextcloud/files/etc/cron.d/nextcloud
@@ -1,2 +1,2 @@
MAILTO=root
-*/5 * * * * www-data php -f /usr/local/share/nextcloud/cron.php
+*/5 * * * * _nextcloud php -f /usr/local/share/nextcloud/cron.php
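Review bot: The `open_basedir` confinement for Nextcloud is pushed from nginx via `fastcgi_param PHP_ADMIN_VALUE` (see the nginx hunk), so it only applies to FPM requests; the `php -f` CLI run on the added line executes under the CLI php.ini with no such restriction. If the dedicated user is meant to be confined consistently, pass the same list on the command line, e.g. `php -d open_basedir=<same list as the nginx config, with $document_root spelled out> -f /usr/local/share/nextcloud/cron.php`. Whether `_nextcloud` can read `/etc/nextcloud` and write `/mnt/nextcloud-data` is not visible in this diff; the change assumes ownership is adjusted elsewhere in the role.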
diff --git a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud
index d748dc9..f1f4b66 100644
--- a/roles/nextcloud/files/etc/nginx/sites-available/nextcloud
+++ b/roles/nextcloud/files/etc/nginx/sites-available/nextcloud
@@ -76,6 +76,7 @@ server {
post_max_size=512M
memory_limit=512M";
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root:/var/www/nextcloud:/mnt/nextcloud-data:/etc/nextcloud:/var/cache/nextcloud:/var/log/nextcloud:/usr/share/php:/tmp:/dev";
+ fastcgi_pass unix:/run/php/php7.3-fpm@nextcloud.sock;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
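Review bot: The `open_basedir` restriction on the line above the new `fastcgi_pass` still depends on nginx sending `PHP_ADMIN_VALUE` correctly, which is exactly the component the commit message says it does not want to trust. With a dedicated pool the restriction can be pinned on the PHP side, `php_admin_value[open_basedir] = /usr/local/share/nextcloud:/var/www/nextcloud:/mnt/nextcloud-data:/etc/nextcloud:/var/cache/nextcloud:/var/log/nextcloud:/usr/share/php:/tmp:/dev` in `/etc/php/fpm/pool.d/nextcloud.conf`, where a misrouted or stray nginx location cannot drop it; nginx may keep sending the same value on top. Note that the pool's `listen.mode = 0600` with `listen.owner = www-data` requires nginx workers to run as `www-data`, which this site config appears to assume. The enclosing `location` block starts outside the hunk.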
diff --git a/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf b/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf
new file mode 100644
index 0000000..dfbb8bf
--- /dev/null
+++ b/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf
@@ -0,0 +1,17 @@
+[nextcloud]
+user = _nextcloud
+group = nogroup
+listen = /run/php/php7.3-fpm@nextcloud.sock
+listen.owner = www-data
+listen.group = www-data
+listen.mode = 0600
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+env[HOSTNAME] = $HOSTNAME
+env[PATH] = /usr/bin:/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
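Review bot: `group = nogroup` on the `group =` line weakens the isolation the dedicated `_nextcloud` user is meant to provide: `nogroup` is shared with other unprivileged daemons, so any group-readable Nextcloud config or data file becomes readable by them too. A dedicated group, `group = _nextcloud`, keeps the pool's files private to the service; creating that user/group is outside this diff. The `listen.owner`/`listen.mode = 0600` pair correctly limits socket access to the nginx user, but consider also setting `php_admin_value[open_basedir]` here so the confinement is enforced by the pool itself rather than only by what nginx chooses to send.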