diff --git a/.gitignore b/.gitignore
index 01be70a..77607d8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,9 +6,9 @@
# Production files
*.yml
-host_vars/**
+host_vars
# Testing env exceptions
!testing.yml
-!./host_vars/all.yml
+!all.yml
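Review bot: The new negation `!all.yml` will not re-include `host_vars/all.yml`, because git cannot re-include a file whose parent directory is excluded and the line above now ignores the `host_vars` directory itself; what the unanchored pattern does re-include is every `all.yml` anywhere in the tree, including the `group_vars/all.yml` this commit adds with database and admin credentials in it. If the intent is to keep only the testing vars tracked, ignore the directory contents rather than the directory and anchor the exception: `host_vars/*` and `!host_vars/all.yml`. Run `git check-ignore -v group_vars/all.yml host_vars/all.yml` after the change to confirm each path resolves to the rule you expect.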
diff --git a/group_vars/all.yml b/group_vars/all.yml
new file mode 100644
index 0000000..65cd2da
--- /dev/null
+++ b/group_vars/all.yml
@@ -0,0 +1,15 @@
+## Nextcloud Configuration ##
+nc_version: 16.0.3
+nc_sha256sum: a13f68ce47a1362318629ba5b118a59fa98358bb18f4afc371ea15104f2881f3
+
+nc_domain: www.example.com
+nc_docroot: /var/www/nextcloud
+nc_data: /var/www/nextcloud/data
+
+nc_db: nextcloud
+nc_db_user: nextcloud
+nc_db_pass: nc+password
+
+nc_admin: admin
+nc_admin_pass: ncadmin+password
+
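Review bot: `nc_db_pass` and `nc_admin_pass` are committed as plaintext in a file that the `.gitignore` change in this same commit un-ignores, so these values now live in history even if they are later rotated. Keep this file for non-secret defaults and move the two passwords into an `ansible-vault`-encrypted file (for example `group_vars/all/vault.yml`) or supply them at run time, leaving a comment here such as `# nc_db_pass / nc_admin_pass are defined in the vault file`. Pinning `nc_version` together with `nc_sha256sum` is good; a short comment noting that the checksum must be updated whenever the version changes would make that coupling explicit for the next editor.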
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 085fe68..ad2c1c0 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -109,6 +109,27 @@
notify:
- Reload Apache
+- name: Enable Apache Rewrite Module
+ apache2_module:
+ name: rewrite
+ state: present
+ notify:
+ - Reload Apache
+
+- name: Enable Apache SSL Module
+ apache2_module:
+ name: ssl
+ state: present
+ notify:
+ - Reload Apache
+
+- name: Enable Apache Headers Module
+ apache2_module:
+ name: headers
+ state: present
+ notify:
+ - Reload Apache
+
- name: Enable Site
file:
src: /etc/apache2/sites-available/{{ nc_domain }}.conf
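Review bot: The three new `apache2_module` tasks are identical apart from the module name and would read better as a single task with `loop` over the names, which also keeps the notify handler in one place. The template in this commit uses `Protocols h2 http/1.1`, which appears to need mod_http2 as well; if that is intended, `http2` belongs in the same list, otherwise that line in the template should go. The task list continues outside this hunk.

```yaml
- name: Enable Apache modules
  apache2_module:
    name: "{{ item }}"
    state: present
  loop:
    - rewrite
    - ssl
    - headers
  notify:
    - Reload Apache
```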
@@ -118,3 +139,4 @@
group: root
notify:
- Reload Apache
+
diff --git a/roles/nextcloud/templates/apacheconf.conf b/roles/nextcloud/templates/apacheconf.conf
index 39db7e8..add282c 100644
--- a/roles/nextcloud/templates/apacheconf.conf
+++ b/roles/nextcloud/templates/apacheconf.conf
@@ -16,6 +16,19 @@
ServerName {{ nc_domain }}
+ ServerAdmin {{ nc_admin }}
+
+ RewriteEngine On
+ RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+
+
+
+
+ ServerName {{ nc_domain }}
ServerAdmin {{ nc_admin }}
DocumentRoot {{ nc_docroot }}
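Review bot: The HTTP-to-HTTPS redirect at the `RewriteRule` line builds its target from `%{HTTP_HOST}`, the client-supplied Host header, so whatever host name a request arrives with is echoed into the 301 target; since the vhost already has a fixed `ServerName`, pin the redirect to it instead, e.g. replace the two rewrite lines with `Redirect permanent "/" "https://{{ nc_domain }}/"`, which also removes this vhost's dependency on mod_rewrite. `ServerAdmin {{ nc_admin }}` expands to the Nextcloud admin account name (`admin` in the new group_vars), whereas Apache expects an email address or URL here and may show it on error pages, so a separate variable seems intended. The five empty added lines between `CustomLog` and the second `ServerName` look like they lost their content in extraction (presumably the VirtualHost open/close tags), so the vhost boundaries cannot be checked from this view.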
@@ -23,8 +36,17 @@
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
+ SSLEngine on
+ SSLCertificateFile /etc/letsencrypt/live/{{ nc_domain }}/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/{{ nc_domain }}/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/{{ nc_domain }}/chain.pem
+
+ Protocols h2 http/1.1
+
+ Header always set Strict-Transport-Security "max-age=63072000"
+
Options Indexes FollowSymLinks
AllowOverride All
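Review bot: `SSLCertificateChainFile` has been deprecated since Apache 2.4.8; with certbot's layout the equivalent is to point `SSLCertificateFile` at `/etc/letsencrypt/live/{{ nc_domain }}/fullchain.pem` and drop the `SSLCertificateChainFile` line. `Protocols h2 http/1.1` will only negotiate HTTP/2 if mod_http2 is loaded, and the `php_value` directive further down suggests mod_php and therefore the prefork MPM, under which mod_http2 disables itself, so `h2` is likely a no-op here unless the stack is switched to php-fpm. The HSTS header is set only in this vhost, which is correct since the plain-HTTP vhost must not send it; consider whether `includeSubDomains` matches the domain plan before the max-age is cached by browsers. The enclosing VirtualHost starts and ends outside this hunk.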
@@ -33,4 +55,13 @@
php_value memory_limit 512M
+SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder off
+SSLSessionTickets off
+
+SSLUseStapling On
+SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
+
# vim: syntax=apache
+
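Review bot: Directive argument casing is inconsistent between this hunk and the vhost above: `SSLUseStapling On` here versus `SSLEngine on` earlier; Apache accepts both, but one spelling file-wide reads better, e.g. `SSLUseStapling on`. These lines sit at column 0 unlike the vhost body, which suggests they are meant to be server-wide; that is the right scope for `SSLStaplingCache`, which is not allowed inside a VirtualHost, but the closing tags are not visible here so please confirm the placement. A comment such as `# Mozilla intermediate TLS profile; SSLStaplingCache must stay at server scope` above `SSLProtocol` would document both decisions. The added blank line after the vim modeline is whitespace only.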