
NextCloud for WMCH
Open, High, Public

Description

Wikimedia CH requested a new NextCloud to share documents with the community without using proprietary software.

This is in line with the Tech Strategy - stub here:

https://meta.wikimedia.org/wiki/Wikimedia_CH/Information_Technology_Strategy


Node:

  • members2 (proposed by Ilario)

How:

  • classic PHP-FPM

  • request 200GB additional storage
    • create ext4 partition with fsck
    • add entry in /etc/fstab
  • create database utf8mb4_general_ci and user credentials
  • set up DNS record
  • set up virtualhost
  • set up PHP-FPM
  • install needed operating system packages (php8.2-mysql php8.2-dom php8.2-xml php8.2-curl php8.2-gd php8.2-zip php8.2-mbstring)
  • set up web environment
  • set up Let's Encrypt certificates with certbot
  • first web configuration
  • communicate first credentials
  • HTTP headers hardening
  • tests
  • release

Event Timeline

I'm particularly OK with these:

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
Header always set X-Frame-Options           "SAMEORIGIN"
Header always set X-Content-Type-Options    "nosniff"
Header always set Referrer-Policy           "strict-origin-when-cross-origin"

But I'm not bold enough to enable Content-Security-Policy or Permissions-Policy. Tips welcome.
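
A check for the "tests" step, as an added example that is not part of the original task or comment: it audits a response head against the four header values listed above. The sample response is constructed, and the function names are hypothetical.

```python
import re
# Expected values, copied from the "Header always set" lines in the comment above.
EXPECTED = {
    "strict-transport-security": "max-age=15552000; includeSubDomains",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}
MIN_HSTS_AGE = 15552000  # seconds, the max-age used above

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # [1:] skips the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def hsts_ok(value):
    """True if max-age >= MIN_HSTS_AGE and includeSubDomains is present."""
    directives = [d.strip().lower() for d in value.split(";")]
    matches = [re.fullmatch(r'max-age="?(\d+)"?', d) for d in directives]
    ages = [int(m.group(1)) for m in matches if m]
    return len(ages) == 1 and ages[0] >= MIN_HSTS_AGE and "includesubdomains" in directives

def audit(raw):
    """Return {header: problem} for each header that is missing, repeated or wrong."""
    got, problems = parse_headers(raw), {}
    for name, want in EXPECTED.items():
        values = got.get(name, [])
        if not values:
            problems[name] = "missing"
        elif len(values) > 1:
            problems[name] = "sent more than once"
        elif name == "strict-transport-security":
            if not hsts_ok(values[0]):
                problems[name] = "weak: " + values[0]
        elif values[0].lower() != want.lower():
            problems[name] = "unexpected: " + values[0]
    return problems

# Constructed sample: an error response whose headers drifted (not from the real host).
BAD = ("HTTP/1.1 500 Internal Server Error\r\n"
       "Strict-Transport-Security: max-age=300\r\n"
       "X-Frame-Options: SAMEORIGIN\r\nX-Frame-Options: SAMEORIGIN\r\n"
       "Referrer-Policy: no-referrer-when-downgrade\r\n\r\n")
if __name__ == "__main__":
    print(audit(BAD))
```

Feed it the output of `curl -sI` for the new virtualhost, including an error page, since `always` is what makes Apache add the headers to non-2xx responses.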