webapps/nextcloud : Small enhancement on the vhost template to lock out data dir

CHANGELOG.md

@@ -18,7 +18,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 * Use systemd module instead of command
 * Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0.
-* webapp/nextcloud : Change default data directory to be outside web root
+* webapps/nextcloud : Change default data directory to be outside web root
+* webapps/nextcloud : Small enhancement on the vhost template to lock out data dir
 
 ### Fixed
 

webapps/nextcloud/templates/apache-vhost.conf.j2

@@ -5,9 +5,11 @@
   ServerAlias {{  domain_alias }}
   {% endfor %}
 
+  # SSL
   # SSLEngine on
   # SSLCertificateFile    /etc/letsencrypt/live/{{ nextcloud_instance_name }}/fullchain.pem
   # SSLCertificateKeyFile /etc/letsencrypt/live/{{ nextcloud_instance_name }}/privkey.pem
+  # Header always set Strict-Transport-Security "max-age=15552000"
 
   DocumentRoot {{ nextcloud_webroot }}/
 
@@ -21,6 +23,15 @@
     </IfModule>
   </Directory>
 
+  <Directory {{ nextcloud_data }}/>
+    Require all denied
+    AllowOverride None
+
+    <IfModule mod_dav.c>
+      Dav off
+    </IfModule>
+  </Directory>
+
   # SSL Redirect
   # RewriteEngine On
   # RewriteCond %{HTTPS} !=on