v28 (#57)
Reviewed-on: #57 Co-authored-by: Markus Bergholz <git@osuv.de> Co-committed-by: Markus Bergholz <git@osuv.de>
This commit is contained in:
parent
d2d3adb8e5
commit
41565754eb
|
@ -5,6 +5,23 @@ markuman nextcloud Release Notes
|
|||
.. contents:: Topics
|
||||
|
||||
|
||||
v28.0.0
|
||||
=======
|
||||
|
||||
Release Summary
|
||||
---------------
|
||||
|
||||
This is a major release of ``markuman.nextcloud`` in version 28. It installed nextcloud 28 now.
|
||||
|
||||
Minor Changes
|
||||
-------------
|
||||
|
||||
- bump nextcloud to 28.0.0
|
||||
- change sudoers configuration to ``/etc/sudoers.d/ubuntu_nextcloud_user`` to keep existing ``/etc/sudoers`` untouched
|
||||
- dump caddy to 2.7.6
|
||||
- install and configure redis is available now via ``install_redis`` variable. default is ``true``
|
||||
- use ``defaults/main.yml`` for ssh hardening defaults
|
||||
|
||||
v27.0.0
|
||||
=======
|
||||
|
||||
|
|
|
@ -119,6 +119,21 @@ releases:
|
|||
fragments:
|
||||
- 27.yml
|
||||
release_date: '2023-12-04'
|
||||
28.0.0:
|
||||
changes:
|
||||
minor_changes:
|
||||
- bump nextcloud to 28.0.0
|
||||
- change sudoers configuration to ``/etc/sudoers.d/ubuntu_nextcloud_user`` to
|
||||
keep existing ``/etc/sudoers`` untouched
|
||||
- dump caddy to 2.7.6
|
||||
- install and configure redis is available now via ``install_redis`` variable.
|
||||
default is ``true``
|
||||
- use ``defaults/main.yml`` for ssh hardening defaults
|
||||
release_summary: This is a major release of ``markuman.nextcloud`` in version
|
||||
28. It installed nextcloud 28 now.
|
||||
fragments:
|
||||
- 28.0.0.yml
|
||||
release_date: '2023-12-22'
|
||||
9.0.1-dev:
|
||||
changes:
|
||||
bugfixes:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
namespace: "markuman"
|
||||
description: bring up your nextcloud usage to the next level 🚀
|
||||
name: "nextcloud"
|
||||
version: "27.0.0"
|
||||
version: "28.0.0"
|
||||
readme: "README.md"
|
||||
authors:
|
||||
- "Markus Bergholz <markuman+spambelongstogoogle@gmail.com>"
|
||||
|
@ -16,5 +16,5 @@ tags:
|
|||
repository: "https://github.com/markuman/markuman.nextcloud"
|
||||
issues: "https://github.com/markuman/markuman.nextcloud/issues"
|
||||
dependencies:
|
||||
devsec.hardening: '>=8.6.0'
|
||||
community.mysql: '>=3.2.1'
|
||||
devsec.hardening: '>=9.0.0,<10.0.0'
|
||||
community.mysql: '>=3.8.0,<4.0.0'
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
nextcloud_version: 27.1.4
|
||||
caddy_version: 2.7.5
|
||||
nextcloud_version: 28.0.1
|
||||
caddy_version: 2.7.6
|
||||
|
||||
nextcloud_db_name: nextcloud
|
||||
nextcloud_db_user: nextcloud
|
||||
|
@ -7,6 +7,7 @@ nextcloud_db_user: nextcloud
|
|||
# nextcloud apps
|
||||
install_talk: true
|
||||
install_media: true
|
||||
install_redis: true
|
||||
|
||||
# php-fpm
|
||||
php_fpm:
|
||||
|
@ -25,3 +26,26 @@ remove_unused_authtokens_after_days: 21
|
|||
|
||||
# os hardening
|
||||
os_auditd_max_log_file_action: rotate
|
||||
|
||||
# ssh hardening
|
||||
ssh_allow_users: "{{ ubuntu_nextcloud_user }}"
|
||||
ssh_max_auth_retries: 5
|
||||
# mozilla ssh_scan: Modern - with just ETM (encrypt-then-mac) macs
|
||||
# https://github.com/mozilla/ssh_scan/blob/master/config/policies/just_etm_macs.yaml
|
||||
ssh_kex:
|
||||
- curve25519-sha256@libssh.org
|
||||
- diffie-hellman-group-exchange-sha256
|
||||
- ecdh-sha2-nistp521
|
||||
- ecdh-sha2-nistp384
|
||||
- ecdh-sha2-nistp256
|
||||
ssh_macs:
|
||||
- hmac-sha2-512-etm@openssh.com
|
||||
- hmac-sha2-256-etm@openssh.com
|
||||
- umac-128-etm@openssh.com
|
||||
ssh_ciphers:
|
||||
- chacha20-poly1305@openssh.com
|
||||
- aes256-gcm@openssh.com
|
||||
- aes128-gcm@openssh.com
|
||||
- aes256-ctr
|
||||
- aes192-ctr
|
||||
- aes128-ctr
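Review bot: Moving `ssh_allow_users`, `ssh_max_auth_retries`, `ssh_kex`, `ssh_macs` and `ssh_ciphers` into this role's `defaults/main.yml` may not reach `devsec.hardening.ssh_hardening` at all, because that role ships its own defaults for the same names and, as far as I recall Ansible's role-default resolution for an included role, the included role's own defaults win over the calling role's defaults. The `vars:` block that used to pass these values on the `include_role` task is removed in the later hunk of this commit (`@ -15,36 +15,16 @@`), so nothing above role-default precedence carries them any more. If that is the case, AllowUsers and the Mozilla "modern" KEX/MAC/cipher lists silently fall back to devsec's defaults on every host while the changelog says the hardening is unchanged. Worth verifying on a test host against the rendered `sshd_config`; if it does regress, keep these values in `vars/main.yml` instead, or pass them again as `vars:` on the `include_role` task.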
|
|
@ -42,6 +42,15 @@
|
|||
- libmagickcore-6.q16-6-extra
|
||||
- fail2ban
|
||||
|
||||
- name: install redis
|
||||
when: install_redis
|
||||
ansible.builtin.apt:
|
||||
update_cache: true
|
||||
state: latest
|
||||
name:
|
||||
- redis-server
|
||||
- php8.1-redis
|
||||
|
||||
- name: enable ipv6 for ufw
|
||||
ansible.builtin.lineinfile:
|
||||
name: /etc/default/ufw
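Review bot: `state: latest` on the new "install redis" task upgrades `redis-server` and `php8.1-redis` on every run instead of converging on an installed state, so the task can report changed and pull in a new Redis major version without any change to the role; `state: present` is the reproducible choice. `php8.1-redis` also hard-codes the PHP release, so the install fails on a host whose php-fpm version differs — if the preceding package task (it starts outside this hunk) derives the PHP version from a variable, reuse it here. Nothing in the role configures Redis after installing it, so the localhost connection the occ settings assume relies entirely on the Debian/Ubuntu package defaults (bind 127.0.0.1, protected-mode yes); a comment such as `# relies on the distro default of binding to 127.0.0.1 with protected-mode on` would make that assumption explicit for whoever later exposes Redis.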
|
||||
|
|
|
@ -15,36 +15,16 @@
|
|||
manage_dir: true
|
||||
key: "{{ ubuntu_nextcloud_user_ssh_key_location }}"
|
||||
|
||||
- name: Allow 'sudo' group to have passwordless sudo
|
||||
ansible.builtin.lineinfile:
|
||||
dest: /etc/sudoers
|
||||
state: present
|
||||
regexp: '^%sudo ALL=(ALL:ALL) ALL'
|
||||
line: '%sudo ALL=(ALL:ALL) NOPASSWD: ALL'
|
||||
- name: Allow ubuntu_nextcloud_user to use sudo without password
|
||||
ansible.builtin.copy:
|
||||
dest: /etc/sudoers.d/ubuntu_nextcloud_user
|
||||
validate: visudo -cf %s
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
content: |
|
||||
{{ ubuntu_nextcloud_user }} ALL=(ALL) NOPASSWD:ALL
|
||||
|
||||
- name: ssh hardening
|
||||
ansible.builtin.include_role:
|
||||
name: devsec.hardening.ssh_hardening
|
||||
vars:
|
||||
ssh_allow_users: "{{ ubuntu_nextcloud_user }}"
|
||||
ssh_max_auth_retries: 5
|
||||
# mozilla ssh_scan: Modern - with just ETM (encrypt-then-mac) macs
|
||||
# https://github.com/mozilla/ssh_scan/blob/master/config/policies/just_etm_macs.yaml
|
||||
ssh_kex:
|
||||
- curve25519-sha256@libssh.org
|
||||
- diffie-hellman-group-exchange-sha256
|
||||
- ecdh-sha2-nistp521
|
||||
- ecdh-sha2-nistp384
|
||||
- ecdh-sha2-nistp256
|
||||
ssh_macs:
|
||||
- hmac-sha2-512-etm@openssh.com
|
||||
- hmac-sha2-256-etm@openssh.com
|
||||
- umac-128-etm@openssh.com
|
||||
ssh_ciphers:
|
||||
- chacha20-poly1305@openssh.com
|
||||
- aes256-gcm@openssh.com
|
||||
- aes128-gcm@openssh.com
|
||||
- aes256-ctr
|
||||
- aes192-ctr
|
||||
- aes128-ctr
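Review bot: Replacing the `/etc/sudoers` `lineinfile` task with the `/etc/sudoers.d/ubuntu_nextcloud_user` fragment leaves `%sudo ALL=(ALL:ALL) NOPASSWD: ALL` in place on every host that an earlier release already provisioned, so those hosts keep passwordless root for the whole `sudo` group even though the new fragment only needs it for `{{ ubuntu_nextcloud_user }}`; the changelog's "keep existing /etc/sudoers untouched" only holds for fresh hosts. A guarded revert task (below, with `backrefs: true` so a sudoers file that never had the line stays untouched) closes that gap without editing `/etc/sudoers` on new installs. The fragment's `mode: 0644` is an unquoted octal that ansible-lint's risky-octal rule flags and is inconsistent with `mode: '0755'` elsewhere in this commit; `mode: '0440'` is sudo's conventional mode for sudoers files and keeps the NOPASSWD rule from being world-readable.
```yaml
- name: Revert passwordless sudo for the whole 'sudo' group set by earlier releases
  ansible.builtin.lineinfile:
    dest: /etc/sudoers
    regexp: '^%sudo\s+ALL=\(ALL:ALL\)\s+NOPASSWD:\s*ALL'
    line: '%sudo ALL=(ALL:ALL) ALL'
    backrefs: true
    validate: visudo -cf %s

# … unchanged: Allow ubuntu_nextcloud_user to use sudo without password (with mode: '0440') …
```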
|
||||
|
|
|
@ -79,6 +79,17 @@
|
|||
- overwriteprotocol --value="https"
|
||||
- htaccess.IgnoreFrontController --value=true
|
||||
|
||||
- name: nextcloud system settings for redis
|
||||
args:
|
||||
chdir: /var/www/nextcloud/
|
||||
ansible.builtin.command: "sudo -u www-data php occ config:system:set {{ item }}"
|
||||
when: install_redis
|
||||
with_items:
|
||||
- memcache.locking --value='\OC\Memcache\Redis'
|
||||
- redis host --value=localhost
|
||||
- redis port --value 6379
|
||||
- redis timeout --value=0.0
|
||||
|
||||
- name: systemd timer service
|
||||
ansible.builtin.copy:
|
||||
mode: '0755'
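Review bot: `- redis port --value 6379` drops the `=` that every other item in this loop uses (`--value=...`); the option parser accepts both spellings, but it reads like a typo, and none of the three redis items pass `--type`, so `port` and `timeout` land in config.php as the strings "6379" and "0.0" rather than an integer and a double. `- redis port --value=6379 --type=integer` and `- redis timeout --value=0.0 --type=double` store the types Nextcloud expects for these keys. The `sudo -u www-data php occ` invocation and `with_items` mirror the existing settings task above it, so they are consistent, though like that sibling the task is not idempotent and reports changed on every run. The "systemd timer service" task continues outside the hunk.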
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
- name: start nextcloud container
|
||||
community.docker.docker_container:
|
||||
name: nextcloudintergrationtest
|
||||
image: "nextcloud:{{ nextcloud_version | default('27-apache') }}"
|
||||
image: "nextcloud:{{ nextcloud_version | default('28-apache') }}"
|
||||
state: started
|
||||
auto_remove: true
|
||||
recreate: true
|
||||
|
|