From 1667c2eb3b7946484d13f3b7f81cb88231b7dc01 Mon Sep 17 00:00:00 2001
From: VC <veretcle+framagit@mateu.be>
Date: Fri, 5 Jul 2024 11:53:16 +0200
Subject: [PATCH] feat: install new nextcloud nginx config, erase specific
 php-fpm-co config

---
 .../templates/vhosts/o.libertus.eu.conf.j2    | 193 ++++++++++++------
 roles/webapps/tasks/main.yml                  |   3 -
 roles/webapps/tasks/nextcloud.yml             |   8 -
 roles/webapps/templates/oc.conf.j2            |  12 --
 4 files changed, 132 insertions(+), 84 deletions(-)
 delete mode 100644 roles/webapps/tasks/nextcloud.yml
 delete mode 100644 roles/webapps/templates/oc.conf.j2

diff --git a/roles/nginx/templates/vhosts/o.libertus.eu.conf.j2 b/roles/nginx/templates/vhosts/o.libertus.eu.conf.j2
index 9e81189..53cec72 100644
--- a/roles/nginx/templates/vhosts/o.libertus.eu.conf.j2
+++ b/roles/nginx/templates/vhosts/o.libertus.eu.conf.j2
@@ -1,84 +1,155 @@
+upstream php-handler {
+	server unix:/var/run/php/php{{ php_version }}-fpm.sock;
+}
+
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+map $arg_v $asset_immutable {
+	"" "";
+	default "immutable";
+}
+
 server {
 {% include './templates/header.conf.j2' %}
-	
-	add_header Strict-Transport-Security "max-age=15768000" always;
-	add_header X-Content-Type-Options nosniff;
-	add_header X-XSS-Protection "1; mode=block";
-	add_header X-Robots-Tag none;
-	add_header X-Download-Options noopen;
-	add_header X-Permitted-Cross-Domain-Policies none;
-	
+	# Path to the root of your installation
+	root /srv/http/o.libertus.eu;
+	# Prevent nginx HTTP Server Detection
+	server_tokens off;
+
+	# HSTS settings
+	# WARNING: Only add the preload option once you read about
+	# the consequences in https://hstspreload.org/. This option
+	# will add the domain to a hardcoded list that is shipped
+	# in all major browsers and getting removed from this list
+	# could take several months.
+	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+
+	# set max upload size and increase upload timeout:
+	client_max_body_size 1000M;
+	client_body_timeout 300s;
+	fastcgi_buffers 64 4K;
+
+	# Enable gzip but do not remove ETag headers
+	gzip on;
+	gzip_vary on;
+	gzip_comp_level 4;
+	gzip_min_length 256;
+	gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+	gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+	# Pagespeed is not supported by Nextcloud, so if your server is built
+	# with the `ngx_pagespeed` module, uncomment this line to disable it.
+	#pagespeed off;
+
+	# HTTP response headers borrowed from Nextcloud `.htaccess`
+	add_header Referrer-Policy					  "no-referrer"   always;
+	add_header X-Content-Type-Options			   "nosniff"	   always;
+	add_header X-Download-Options				   "noopen"		always;
+	add_header X-Frame-Options					  "SAMEORIGIN"	always;
+	add_header X-Permitted-Cross-Domain-Policies	"none"		  always;
+	add_header X-Robots-Tag						 "none"		  always;
+	add_header X-XSS-Protection					 "1; mode=block" always;
+
+	# Remove X-Powered-By, which is an information leak
 	fastcgi_hide_header X-Powered-By;
-	
-	root /srv/http/o.libertus.eu/;
+
+	# Specify how to handle directories -- specifying `/index.php$request_uri`
+	# here as the fallback means that Nginx always exhibits the desired behaviour
+	# when a client requests a path that corresponds to a directory that exists
+	# on the server. In particular, if that directory contains an index.php file,
+	# that file is correctly served; if it doesn't, then the request is passed to
+	# the front-end controller. This consistent behaviour means that we don't need
+	# to specify custom rules for certain paths (e.g. images and other assets,
+	# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+	# `try_files $uri $uri/ /index.php$request_uri`
+	# always provides the desired behaviour.
+	index index.php index.html /index.php$request_uri;
+
+	# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+	location = / {
+		if ( $http_user_agent ~ ^DavClnt ) {
+			return 302 /remote.php/webdav/$is_args$args;
+		}
+	}
 
 	location = /robots.txt {
 		allow all;
 		log_not_found off;
 		access_log off;
 	}
-	
-	location = /.well-known/carddav {
-		return 301 $scheme://$host/remote.php/dav;
-	}
-	
-	location /.well-known/caldav {
-		return 301 $scheme://$host/remote.php/dav;
-	}
-	
-	client_max_body_size 1000M;
-	fastcgi_buffers 64 4k;
-	
-	# Avoid E-Tag error on text file
-	gzip on;
-	gzip_vary on;
-	gzip_comp_level 4;
-	gzip_min_length 256;
-	gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-	gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
-	location / {
-		rewrite ^ /index.php;
-	}
-	
-	location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
-		deny all;
+	# Make a regex exception for `/.well-known` so that clients can still
+	# access it despite the existence of the regex rule
+	# `location ~ /(\.|autotest|...)` which would otherwise handle requests
+	# for `/.well-known`.
+	location ^~ /.well-known {
+		# The rules in this block are an adaptation of the rules
+		# in `.htaccess` that concern `/.well-known`.
+
+		location = /.well-known/carddav { return 301 /remote.php/dav/; }
+		location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+		location /.well-known/acme-challenge	{ try_files $uri $uri/ =404; }
+		location /.well-known/pki-validation	{ try_files $uri $uri/ =404; }
+
+		# Let Nextcloud's API for `/.well-known` URIs handle all other
+		# requests by passing them to the front-end controller.
+		return 301 /index.php$request_uri;
 	}
 
-	location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
-		deny all;
-	}
-	
-	location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+	# Rules borrowed from `.htaccess` to hide certain paths from clients
+	location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+	location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)				{ return 404; }
+
+	# Ensure this block, which passes PHP files to the PHP process, is above the blocks
+	# which handle static assets (as seen below). If this block is not declared first,
+	# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+	# to the URI, resulting in a HTTP 500 error response.
+	location ~ \.php(?:$|/) {
+		# Required for legacy support
+		rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
 		fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+		set $path_info $fastcgi_path_info;
+
 		try_files $fastcgi_script_name =404;
-		fastcgi_param modHeadersAvailable true;
-		fastcgi_param front_controller_active true;
+
+		include fastcgi_params;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		fastcgi_param PATH_INFO $path_info;
+		fastcgi_param HTTPS on;
+
+		fastcgi_param modHeadersAvailable true;		 # Avoid sending the security headers twice
+		fastcgi_param front_controller_active true;	 # Enable pretty urls
+		fastcgi_pass php-handler;
+
 		fastcgi_intercept_errors on;
 		fastcgi_request_buffering off;
-		fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm-oc.sock;
-		include fastcgi_params;
+
+		fastcgi_max_temp_file_size 0;
 	}
 
-	location ~ ^/(?:updater|ocs-provider)(?:$|/) {
-		try_files $uri/ =404;
-		index index.php;
-	}
-	
-	location ~* \.(?:css|js|woff|svg|gif)$ {
+	location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
 		try_files $uri /index.php$request_uri;
-		add_header Cache-Control "public, max-age=15778463";
-		add_header X-Content-Type-Options nosniff;
-		add_header X-XSS-Protection "1; mode=block";
-		add_header X-Robots-Tag none;
-		add_header X-Download-Options noopen;
-		add_header X-Permitted-Cross-Domain-Policies none;
-		access_log off;
+		add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+		access_log off;	 # Optional: Don't log access to assets
+
+		location ~ \.wasm$ {
+			default_type application/wasm;
+		}
 	}
-	
-	location ~* \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+
+	location ~ \.woff2?$ {
 		try_files $uri /index.php$request_uri;
-		access_log off;
+		expires 7d;		 # Cache-Control policy borrowed from `.htaccess`
+		access_log off;	 # Optional: Don't log access to assets
+	}
+
+	# Rule borrowed from `.htaccess`
+	location /remote {
+		return 301 /remote.php$request_uri;
+	}
+
+	location / {
+		try_files $uri $uri/ /index.php$request_uri;
 	}
 }
-
diff --git a/roles/webapps/tasks/main.yml b/roles/webapps/tasks/main.yml
index eea565c..08e2bfe 100644
--- a/roles/webapps/tasks/main.yml
+++ b/roles/webapps/tasks/main.yml
@@ -3,9 +3,6 @@
 - name: include ttrss for web1
   include_tasks: ttrss.yml
   when: inventory_hostname == 'web1.dmz.mateu.be'
-- name: include php flag for NextCloud
-  include_tasks: nextcloud.yml
-  when: inventory_hostname == 'web1.dmz.mateu.be'
 - name: include z-push
   include_tasks: z-push.yml
   when: inventory_hostname == 'web1.dmz.mateu.be'
diff --git a/roles/webapps/tasks/nextcloud.yml b/roles/webapps/tasks/nextcloud.yml
deleted file mode 100644
index 18c3858..0000000
--- a/roles/webapps/tasks/nextcloud.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-
-- name: php-fpm nextcloud specific configuration
-  template:
-    src: oc.conf.j2
-    dest: "/etc/php/{{ php_version }}/fpm/pool.d/oc.conf"
-  notify:
-    - restart php-fpm
diff --git a/roles/webapps/templates/oc.conf.j2 b/roles/webapps/templates/oc.conf.j2
deleted file mode 100644
index bdc6322..0000000
--- a/roles/webapps/templates/oc.conf.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-[oc]
-user = www-data
-group = www-data
-listen = /run/php/php{{ php_version }}-fpm-oc.sock
-listen.owner = www-data
-listen.group = www-data
-pm = dynamic
-pm.max_children = 50
-pm.start_servers = 5
-pm.min_spare_servers = 5
-pm.max_spare_servers = 15
-php_flag[zlib.output_compression] = Off