From e43ef0c7b9490ece68af38f8a658ad8a710e4e37 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sat, 16 May 2020 00:52:10 +0200
Subject: Nextcloud: use dedicated user and PHP FPM pool.

There is a real security gain in not using the 'www-data' user: nginx
workers can't read Nextcloud config files and data directory, so should
our nginx configuration be insecure a leak is much less likely.
---
 roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf

(limited to 'roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf')

diff --git a/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf b/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf
new file mode 100644
index 0000000..dfbb8bf
--- /dev/null
+++ b/roles/nextcloud/files/etc/php/fpm/pool.d/nextcloud.conf
@@ -0,0 +1,17 @@
+[nextcloud]
+user = _nextcloud
+group = nogroup
+listen = /run/php/php7.3-fpm@nextcloud.sock
+listen.owner = www-data
+listen.group = www-data
+listen.mode = 0600
+pm = dynamic
+pm.max_children = 5
+pm.start_servers = 2
+pm.min_spare_servers = 1
+pm.max_spare_servers = 3
+env[HOSTNAME] = $HOSTNAME
+env[PATH] = /usr/bin:/bin
+env[TMP] = /tmp
+env[TMPDIR] = /tmp
+env[TEMP] = /tmp
-- 
cgit v1.2.3