Updated configuration of permissions

ef192357 · nono · 23cf750f · ef192357 · ef192357 · ef192357
Commit ef192357 authored Mar 05, 2021 by nono 💻
--- a/files/etc/nginx/hedgedocs-nginx.conf.j2
+++ b/files/etc/nginx/hedgedocs-nginx.conf.j2
@@ -3,31 +3,37 @@ map $http_upgrade $connection_upgrade {
        ''      close;
 }
 server {
-        server_name {{ service_hedgedocs_domain | lower  }};
-
-        location / {
-                proxy_pass http://127.0.0.1:3000;
-                proxy_set_header Host $host;
-                proxy_set_header X-Real-IP $remote_addr;
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Proto $scheme;
-        }
-
-        location /socket.io/ {
-                proxy_pass http://127.0.0.1:3000;
-                proxy_set_header Host $host;
-                proxy_set_header X-Real-IP $remote_addr;
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Proto $scheme;
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection $connection_upgrade;
-        }
+
+    server_name {{ service_hedgedocs_domain }};
+
+    location / {
+            proxy_pass http://127.0.0.1:3000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /socket.io/ {
+            proxy_pass http://127.0.0.1:3000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+    }

    listen [::]:443 ssl http2;
    listen 443 ssl http2;

-    ssl_certificate /etc/letsencrypt/live/{{ service_hedgedocs_domain | lower  }}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/{{ service_hedgedocs_domain | lower  }}/privkey.pem;
+    # Errors
+    access_log /var/log/nginx/hedgedocs_access.log;
+    error_log /var/log/nginx/hedgedocs_error.log warn;
+
+    # SSL
+    ssl_certificate /etc/letsencrypt/live/{{ service_hedgedocs_domain }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ service_hedgedocs_domain }}/privkey.pem;

  	# Improve HTTPS performance with session resumption
  	ssl_session_cache shared:SSL:10m;

--- a/files/hedgedocs.service
+++ b/files/hedgedocs.service
@@ -13,8 +13,9 @@ RestartSec=2s
 User=hedgedocs
 Group=www-data
 # the location you cloned CodiMD to.
-WorkingDirectory=/home/hedgedocs/hedgedoc
-ExecStart=/usr/bin/npm start --production
+# This is relative to the home of the hedgedocs user : https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+WorkingDirectory=hedgedoc/
+ExecStart=npm start --production
 Restart=always
 PrivateTmp=true
 PrivateDevices=true

--- a/tasks/configuration.yml
+++ b/tasks/configuration.yml
@@ -28,7 +28,7 @@
    dest: /home/hedgedocs/hedgedoc/config.json
    owner: hedgedocs
    group: www-data
-    mode: 0644
+    mode: 0600

 - name: Configuration du fichier SystemD
  template:

--- a/tasks/install-service.yml
+++ b/tasks/install-service.yml
@@ -17,5 +17,5 @@
    dest: /home/hedgedocs/
    owner: hedgedocs
    group: www-data
-    mode: 0644
+    mode: 0740
    remote_src: yes