Updated configuration of permissions

files/etc/nginx/hedgedocs-nginx.conf.j2

@@ -3,31 +3,37 @@ map $http_upgrade $connection_upgrade {
         ''      close;
 }
 server {
-        server_name {{ service_hedgedocs_domain | lower  }};
-
-        location / {
-                proxy_pass http://127.0.0.1:3000;
-                proxy_set_header Host $host;
-                proxy_set_header X-Real-IP $remote_addr;
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Proto $scheme;
-        }
-
-        location /socket.io/ {
-                proxy_pass http://127.0.0.1:3000;
-                proxy_set_header Host $host;
-                proxy_set_header X-Real-IP $remote_addr;
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Proto $scheme;
-                proxy_set_header Upgrade $http_upgrade;
-                proxy_set_header Connection $connection_upgrade;
-        }
+
+    server_name {{ service_hedgedocs_domain }};
+
+    location / {
+            proxy_pass http://127.0.0.1:3000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /socket.io/ {
+            proxy_pass http://127.0.0.1:3000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+    }
 
     listen [::]:443 ssl http2;
     listen 443 ssl http2;
 
-    ssl_certificate /etc/letsencrypt/live/{{ service_hedgedocs_domain | lower  }}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/{{ service_hedgedocs_domain | lower  }}/privkey.pem;
+    # Errors
+    access_log /var/log/nginx/hedgedocs_access.log;
+    error_log /var/log/nginx/hedgedocs_error.log warn;
+
+    # SSL
+    ssl_certificate /etc/letsencrypt/live/{{ service_hedgedocs_domain }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ service_hedgedocs_domain }}/privkey.pem;
 
   	# Improve HTTPS performance with session resumption
   	ssl_session_cache shared:SSL:10m;

files/hedgedocs.service

@@ -13,8 +13,9 @@ RestartSec=2s
 User=hedgedocs
 Group=www-data
 # the location you cloned CodiMD to.
-WorkingDirectory=/home/hedgedocs/hedgedoc
-ExecStart=/usr/bin/npm start --production
+# This is relative to the home of the hedgedocs user : https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+WorkingDirectory=hedgedoc/
+ExecStart=npm start --production
 Restart=always
 PrivateTmp=true
 PrivateDevices=true

tasks/configuration.yml

@@ -28,7 +28,7 @@
     dest: /home/hedgedocs/hedgedoc/config.json
     owner: hedgedocs
     group: www-data
-    mode: 0644
+    mode: 0600
 
 - name: Configuration du fichier SystemD
   template:

tasks/install-service.yml

@@ -17,5 +17,5 @@
     dest: /home/hedgedocs/
     owner: hedgedocs
     group: www-data
-    mode: 0644
+    mode: 0740
     remote_src: yes