v28 (#57)

Reviewed-on: #57
Co-authored-by: Markus Bergholz <git@osuv.de>
Co-committed-by: Markus Bergholz <git@osuv.de>

CHANGELOG.rst

@@ -5,6 +5,23 @@ markuman nextcloud Release Notes
 .. contents:: Topics
 
 
+v28.0.0
+=======
+
+Release Summary
+---------------
+
+This is a major release of ``markuman.nextcloud`` in version 28. It installed nextcloud 28 now.
+
+Minor Changes
+-------------
+
+- bump nextcloud to 28.0.0
+- change sudoers configuration to ``/etc/sudoers.d/ubuntu_nextcloud_user`` to keep existing ``/etc/sudoers`` untouched
+- dump caddy to 2.7.6
+- install and configure redis is available now via ``install_redis`` variable. default is ``true``
+- use ``defaults/main.yml`` for ssh hardening defaults
+
 v27.0.0
 =======
 

changelogs/changelog.yaml

@@ -119,6 +119,21 @@ releases:
     fragments:
     - 27.yml
     release_date: '2023-12-04'
+  28.0.0:
+    changes:
+      minor_changes:
+      - bump nextcloud to 28.0.0
+      - change sudoers configuration to ``/etc/sudoers.d/ubuntu_nextcloud_user`` to
+        keep existing ``/etc/sudoers`` untouched
+      - dump caddy to 2.7.6
+      - install and configure redis is available now via ``install_redis`` variable.
+        default is ``true``
+      - use ``defaults/main.yml`` for ssh hardening defaults
+      release_summary: This is a major release of ``markuman.nextcloud`` in version
+        28. It installed nextcloud 28 now.
+    fragments:
+    - 28.0.0.yml
+    release_date: '2023-12-22'
   9.0.1-dev:
     changes:
       bugfixes:

galaxy.yml

@@ -1,7 +1,7 @@
 namespace: "markuman"
 description: bring up your nextcloud usage to the next level 🚀
 name: "nextcloud"
-version: "27.0.0"
+version: "28.0.0"
 readme: "README.md"
 authors:
     - "Markus Bergholz <markuman+spambelongstogoogle@gmail.com>"
@@ -16,5 +16,5 @@ tags:
 repository: "https://github.com/markuman/markuman.nextcloud"
 issues: "https://github.com/markuman/markuman.nextcloud/issues"
 dependencies:
-  devsec.hardening: '>=8.6.0'
-  community.mysql: '>=3.2.1'
+  devsec.hardening: '>=9.0.0,<10.0.0'
+  community.mysql: '>=3.8.0,<4.0.0'

roles/nextcloud/defaults/main.yml

@@ -1,5 +1,5 @@
-nextcloud_version: 27.1.4
-caddy_version: 2.7.5
+nextcloud_version: 28.0.1
+caddy_version: 2.7.6
 
 nextcloud_db_name: nextcloud
 nextcloud_db_user: nextcloud
@@ -7,6 +7,7 @@ nextcloud_db_user: nextcloud
 # nextcloud apps
 install_talk: true
 install_media: true
+install_redis: true
 
 # php-fpm
 php_fpm:
@@ -25,3 +26,26 @@ remove_unused_authtokens_after_days: 21
 
 # os hardening
 os_auditd_max_log_file_action: rotate
+
+# ssh hardening
+ssh_allow_users: "{{ ubuntu_nextcloud_user }}"
+ssh_max_auth_retries: 5
+# mozilla ssh_scan: Modern - with just ETM (encrypt-then-mac) macs
+# https://github.com/mozilla/ssh_scan/blob/master/config/policies/just_etm_macs.yaml
+ssh_kex:
+  - curve25519-sha256@libssh.org
+  - diffie-hellman-group-exchange-sha256
+  - ecdh-sha2-nistp521
+  - ecdh-sha2-nistp384
+  - ecdh-sha2-nistp256
+ssh_macs:
+  - hmac-sha2-512-etm@openssh.com
+  - hmac-sha2-256-etm@openssh.com
+  - umac-128-etm@openssh.com
+ssh_ciphers:
+  - chacha20-poly1305@openssh.com
+  - aes256-gcm@openssh.com
+  - aes128-gcm@openssh.com
+  - aes256-ctr
+  - aes192-ctr
+  - aes128-ctr

roles/nextcloud/tasks/01-packages.yml

@@ -42,6 +42,15 @@
       - libmagickcore-6.q16-6-extra
       - fail2ban
 
+- name: install redis
+  when: install_redis
+  ansible.builtin.apt:
+    update_cache: true
+    state: latest
+    name:
+      - redis-server
+      - php8.1-redis
+
 - name: enable ipv6 for ufw
   ansible.builtin.lineinfile:
     name: /etc/default/ufw

roles/nextcloud/tasks/02-user.yml

@@ -15,36 +15,16 @@
     manage_dir: true
     key: "{{ ubuntu_nextcloud_user_ssh_key_location }}"
 
-- name: Allow 'sudo' group to have passwordless sudo
-  ansible.builtin.lineinfile:
-    dest: /etc/sudoers
-    state: present
-    regexp: '^%sudo ALL=(ALL:ALL) ALL'
-    line: '%sudo ALL=(ALL:ALL) NOPASSWD: ALL'
+- name: Allow ubuntu_nextcloud_user to use sudo without password
+  ansible.builtin.copy:
+    dest: /etc/sudoers.d/ubuntu_nextcloud_user
     validate: visudo -cf %s
+    owner: root
+    group: root
+    mode: 0644
+    content: |
+      {{ ubuntu_nextcloud_user }} ALL=(ALL) NOPASSWD:ALL
 
 - name: ssh hardening
   ansible.builtin.include_role:
     name: devsec.hardening.ssh_hardening
-  vars:
-    ssh_allow_users: "{{ ubuntu_nextcloud_user }}"
-    ssh_max_auth_retries: 5
-    # mozilla ssh_scan: Modern - with just ETM (encrypt-then-mac) macs
-    # https://github.com/mozilla/ssh_scan/blob/master/config/policies/just_etm_macs.yaml
-    ssh_kex:
-      - curve25519-sha256@libssh.org
-      - diffie-hellman-group-exchange-sha256
-      - ecdh-sha2-nistp521
-      - ecdh-sha2-nistp384
-      - ecdh-sha2-nistp256
-    ssh_macs:
-      - hmac-sha2-512-etm@openssh.com
-      - hmac-sha2-256-etm@openssh.com
-      - umac-128-etm@openssh.com
-    ssh_ciphers:
-      - chacha20-poly1305@openssh.com
-      - aes256-gcm@openssh.com
-      - aes128-gcm@openssh.com
-      - aes256-ctr
-      - aes192-ctr
-      - aes128-ctr

roles/nextcloud/tasks/06-nextcloud.yml

@@ -79,6 +79,17 @@
     - overwriteprotocol --value="https"
     - htaccess.IgnoreFrontController --value=true
 
+- name: nextcloud system settings for redis
+  args:
+    chdir: /var/www/nextcloud/
+  ansible.builtin.command: "sudo -u www-data php occ config:system:set {{ item }}"
+  when: install_redis
+  with_items:
+    - memcache.locking --value='\OC\Memcache\Redis'
+    - redis host --value=localhost
+    - redis port --value 6379
+    - redis timeout --value=0.0
+
 - name: systemd timer service
   ansible.builtin.copy:
     mode: '0755'

tests/integration/targets/localhost.yml

@@ -7,7 +7,7 @@
     - name: start nextcloud container
       community.docker.docker_container:
         name: nextcloudintergrationtest
-        image: "nextcloud:{{ nextcloud_version | default('27-apache') }}"
+        image: "nextcloud:{{ nextcloud_version | default('28-apache') }}"
         state: started
         auto_remove: true
         recreate: true