Nextcloud: use dedicated user and PHP FPM pool.

There is a real security gain in not using the 'www-data' user: nginx
workers can't read Nextcloud config files and data directory, so should
our nginx configuration be insecure a leak is much less likely.

1 files changed, 33 insertions, 17 deletions

diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 86b505b..8878987 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -12,52 +12,59 @@
     - php-curl
     - php-intl
     - php-ldap
     - php-mysql
     - php-zip
     - php-json
     - php-gmp
 
 - name: Configure PHP 7.3 Zend opcache
   lineinfile: dest=/etc/php/7.3/fpm/php.ini
               regexp='^;?{{ item.var }}\\s*='
               line="{{ item.var }} = {{ item.value }}"
               owner=root group=root
               mode=0644
   with_items:
     - { var: opcache.memory_consumption,      value: 512 }
     - { var: opcache.revalidate_freq,         value: 180 }
   notify:
     - Restart php7.3-fpm
 
-- name: Configure PHP 7.3 pool environment
-  lineinfile: dest=/etc/php/7.3/fpm/pool.d/www.conf
-              regexp='^;?env\[{{ item.var }}\]\\s*='
-              line="env[{{ item.var }}] = {{ item.value }}"
-              owner=root group=root
-              mode=0644
-  with_items:
-    - { var: HOSTNAME, value: "$HOSTNAME"     }
-    - { var: PATH,     value: "/usr/bin:/bin" }
-    - { var: TMP,      value: "/tmp"          }
-    - { var: TMPDIR,   value: "/tmp"          }
-    - { var: TEMP,     value: "/tmp"          }
+- name: Create '_nextcloud' user
+  user: name=_nextcloud system=yes
+        group=nogroup
+        createhome=no
+        home=/nonexistent
+        shell=/usr/sbin/nologin
+        password=!
+        state=present
+
+- name: Delete PHP 7.3 FPM's www pool
+  file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent
+  notify:
+    - Restart php7.3-fpm
+
+- name: Configure PHP 7.3 FPM's nextcloud pool
+  copy: src=etc/php/fpm/pool.d/nextcloud.conf
+        dest=/etc/php/7.3/fpm/pool.d/nextcloud.conf
+        owner=root group=root
+        mode=0644
   notify:
     - Restart php7.3-fpm
 
 - name: Start php7.3-fpm
   service: name=php7.3-fpm state=started
 
 - name: Copy /etc/cron.d/nextcloud
   copy: src=etc/cron.d/nextcloud
         dest=/etc/cron.d/nextcloud
         owner=root group=root
         mode=0644
 
 - name: Copy /etc/nginx/sites-available/nextcloud
   copy: src=etc/nginx/sites-available/nextcloud
         dest=/etc/nginx/sites-available/nextcloud
         owner=root group=root
         mode=0644
   register: r1
   notify:
     - Restart Nginx
@@ -85,82 +92,91 @@
 - name: Start Nginx
   service: name=nginx state=started
   when: not (r1.changed or r2.changed or r3.changed)
 
 - meta: flush_handlers
 
 - name: Fetch Nginx's X.509 certificate
   # Ensure we don't fetch private data
   become: False
   fetch_cmd: cmd="openssl x509 -noout -pubkey"
              stdin=/etc/nginx/ssl/cloud.fripost.org.pem
              dest=certs/public/cloud.fripost.org.pub
   tags:
     - genkey
 
 - import_tasks: ldap.yml
   when: "'LDAP-provider' not in group_names"
   tags:
     - ldap
 
+# Note: intentionally don't set an owner/group as we don't want to set
+# ownership unless the path is a mountpoint.  The service will fail
+# unless the data directory is mounted and accessible, and that's what
+# we want.
+- name: Create directory /mnt/nextcloud-data
+  file: path=/mnt/nextcloud-data
+        state=directory
+        mode=0700
+
 - name: Create directory /var/www/nextcloud
   file: path=/var/www/nextcloud
         state=directory
         owner=root group=root
         mode=0755
 
 # Note: Nextcloud doesn't like symlinked apps
 # * https://github.com/nextcloud/server/issues/10437
 # * https://github.com/nextcloud/server/issues/13556
 - name: Create directory /var/www/nextcloud/apps
   file: path=/var/www/nextcloud/apps
         state=directory
-        owner=www-data group=www-data
+        owner=_nextcloud group=nogroup
         mode=0755
 
 - name: Create directory /var/log/nextcloud
   file: path=/var/log/nextcloud
         state=directory
-        owner=www-data group=adm
+        owner=_nextcloud group=adm
         mode=0750
 
 - name: Create directory /var/cache/nextcloud
   file: path=/var/cache/nextcloud
         state=directory
-        owner=www-data group=www-data
+        owner=_nextcloud group=nogroup
         mode=0700
 
 - name: Copy Nextcloud logrotate snippet
   copy: src=etc/logrotate.d/nextcloud
         dest=/etc/logrotate.d/nextcloud
         owner=root group=root
         mode=0644
   tags:
     - logrotate
 
 - name: Install redis-server
   apt: pkg={{ packages }}
   vars:
     packages:
     - php-redis
     - redis-server
 
 - name: Configure Redis
   lineinfile: dest=/etc/redis/redis.conf
               regexp='^#?{{ item.var }}\\s+'
               line="{{ item.var }} {{ item.value }}"
               owner=redis group=redis
               mode=0640
   with_items:
     - { var: port,           value: 0 }
     - { var: unixsocket,     value: /run/redis/redis-server.sock }
     - { var: unixsocketperm, value: 770 }
   notify:
     - Restart Redis
 
 - name: Start redis-server
   service: name=redis-server state=started
 
-- name: Add 'www-data' to the group 'redis'
-  user: name=www-data groups=redis append=yes
+- name: Add '_nextcloud' user to 'redis' group
+  user: name=_nextcloud groups=redis append=yes
   notify:
     - Restart php7.3-fpm