From c27551939d65f118f851bc2c59b995fed2706b66 Mon Sep 17 00:00:00 2001
From: Ludovic Poujol <lpoujol@evolix.fr>
Date: Fri, 13 Jan 2023 11:05:55 +0100
Subject: [PATCH] webapps/nextcloud : Small enhancement on the vhost template
 to lock out data dir

---
 CHANGELOG.md                                     |  3 ++-
 webapps/nextcloud/templates/apache-vhost.conf.j2 | 11 +++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6da60c0c..b9d77908 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,7 +18,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 * Use systemd module instead of command
 * Removed all "warn: False" args in command, shell and other modules as it's been deprecated and will give a hard fail in ansible-core 2.14.0.
-* webapp/nextcloud : Change default data directory to be outside web root
+* webapps/nextcloud : Change default data directory to be outside web root
+* webapps/nextcloud : Small enhancement on the vhost template to lock out data dir
 
 ### Fixed
 
diff --git a/webapps/nextcloud/templates/apache-vhost.conf.j2 b/webapps/nextcloud/templates/apache-vhost.conf.j2
index ff9f621c..556fa4cb 100644
--- a/webapps/nextcloud/templates/apache-vhost.conf.j2
+++ b/webapps/nextcloud/templates/apache-vhost.conf.j2
@@ -5,9 +5,11 @@
   ServerAlias {{  domain_alias }}
   {% endfor %}
 
+  # SSL
   # SSLEngine on
   # SSLCertificateFile    /etc/letsencrypt/live/{{ nextcloud_instance_name }}/fullchain.pem
   # SSLCertificateKeyFile /etc/letsencrypt/live/{{ nextcloud_instance_name }}/privkey.pem
+  # Header always set Strict-Transport-Security "max-age=15552000"
 
   DocumentRoot {{ nextcloud_webroot }}/
 
@@ -21,6 +23,15 @@
     </IfModule>
   </Directory>
 
+  <Directory {{ nextcloud_data }}/>
+    Require all denied
+    AllowOverride None
+
+    <IfModule mod_dav.c>
+      Dav off
+    </IfModule>
+  </Directory>
+
   # SSL Redirect
   # RewriteEngine On
   # RewriteCond %{HTTPS} !=on