MichaIng · MichaIng · Apr 21, 2021 · Feb 28, 2021 · Mar 2, 2021 · Mar 2, 2021
diff --git a/.conf/dps_114/nginx.nextcloud.conf b/.conf/dps_114/nginx.nextcloud.conf
@@ -1,4 +1,4 @@
-# Based on: https://github.com/nextcloud/documentation/blob/master/admin_manual/installation/nginx.rst#nextcloud-in-a-subdir-of-the-nginx-webroot
+# Based on: https://github.com/nextcloud/documentation/blob/master/admin_manual/installation/nginx-subdir.conf.sample
 
 # Redirect webfinger and nodeinfo requests to Nextcloud endpoint
 location ~ ^/\.well-known/(?:webfinger|nodeinfo) {
@@ -24,7 +24,7 @@ location ^~ /nextcloud {
 	#pagespeed off;
 
 	# HTTP response headers borrowed from Nextcloud `.htaccess`
-	#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;
+	#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
 	add_header Referrer-Policy "no-referrer" always;
 	add_header X-Content-Type-Options "nosniff" always;
 	add_header X-Download-Options "noopen" always;
@@ -64,7 +64,7 @@ location ^~ /nextcloud {
 	# then Nginx will encounter an infinite rewriting loop when it prepends
 	# `/nextcloud/index.php` to the URI, resulting in a HTTP 500 error response.
 	location ~ \.php(?:$|/) {
-		fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
+		fastcgi_split_path_info ^(.+?\.php)(/.*|)$;
 		set $path_info $fastcgi_path_info;
 		try_files $fastcgi_script_name =404;
 		include fastcgi_params;
@@ -90,6 +90,11 @@ location ^~ /nextcloud {
 		access_log off; # Optional: Don't log access to assets
 	}
 
+	# Rule borrowed from `.htaccess`
+	location /nextcloud/remote {
+		return 301 /nextcloud/remote.php$request_uri;
+	}
+
 	location /nextcloud {
 		try_files $uri $uri/ /nextcloud/index.php$request_uri;
 	}

diff --git a/.conf/dps_182/unbound.conf b/.conf/dps_182/unbound.conf
@@ -49,7 +49,7 @@ server:
 	do-ip6: yes
 	prefer-ip6: no
 
-	# DNS root server information file. Update regularly via: "curl -# https://www.internic.net/domain/named.root > /var/lib/unbound/root.hints"
+	# DNS root server information file. Updated monthly via cronjob
 	root-hints: "/var/lib/unbound/root.hints"
 
 	# Maximum number of queries per second

diff --git a/.conf/dps_187/cupsd.conf b/.conf/dps_187/cupsd.conf
@@ -0,0 +1,190 @@
+#
+# Configuration file for the CUPS scheduler.  See "man cupsd.conf" for a
+# complete description of this file.
+#
+
+# Log general information in error_log - change "warn" to "debug"
+# for troubleshooting...
+LogLevel warn
+PageLogFormat
+
+# Deactivate CUPS' internal logrotating, as we provide a better one, especially
+# LogLevel debug2 gets usable now
+MaxLogSize 0
+
+# Listen for connections
+Listen 0.0.0.0:631
+Listen /run/cups/cups.sock
+
+# Show shared printers on the local network.
+Browsing On
+BrowseLocalProtocols dnssd
+
+# Default authentication type, when authentication is required...
+DefaultAuthType Basic
+
+# Web interface setting...
+WebInterface Yes
+
+# Restrict access to the server...
+<Location />
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+
+# Restrict access to the admin pages...
+<Location /admin>
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+
+# Restrict access to configuration files...
+<Location /admin/conf>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+
+# Restrict access to log files...
+<Location /admin/log>
+  AuthType Default
+  Require user @SYSTEM
+  Order allow,deny
+  Allow @LOCAL
+</Location>
+
+# Set the default printer/job policies...
+<Policy default>
+  # Job/subscription privacy...
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+
+  # Job-related operations must be done by the owner or an administrator...
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    Order deny,allow
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All administration operations require an administrator to authenticate...
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All printer operations require a printer operator to authenticate...
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # Only the owner or an administrator can cancel or authenticate a job...
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+
+# Set the authenticated printer/job policies...
+<Policy authenticated>
+  # Job/subscription privacy...
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+
+  # Job-related operations must be done by the owner or an administrator...
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    AuthType Default
+    Order deny,allow
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All administration operations require an administrator to authenticate...
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All printer operations require a printer operator to authenticate...
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # Only the owner or an administrator can cancel or authenticate a job...
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Default
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
+
+# Set the kerberized printer/job policies...
+<Policy kerberos>
+  # Job/subscription privacy...
+  JobPrivateAccess default
+  JobPrivateValues default
+  SubscriptionPrivateAccess default
+  SubscriptionPrivateValues default
+
+  # Job-related operations must be done by the owner or an administrator...
+  <Limit Create-Job Print-Job Print-URI Validate-Job>
+    AuthType Negotiate
+    Order deny,allow
+  </Limit>
+
+  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
+    AuthType Negotiate
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All administration operations require an administrator to authenticate...
+  <Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # All printer operations require a printer operator to authenticate...
+  <Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
+    AuthType Default
+    Require user @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  # Only the owner or an administrator can cancel or authenticate a job...
+  <Limit Cancel-Job CUPS-Authenticate-Job>
+    AuthType Negotiate
+    Require user @OWNER @SYSTEM
+    Order deny,allow
+  </Limit>
+
+  <Limit All>
+    Order deny,allow
+  </Limit>
+</Policy>
diff --git a/.conf/dps_47/nginx.owncloud.conf b/.conf/dps_47/nginx.owncloud.conf
@@ -1,16 +1,16 @@
-# Based on: https://doc.owncloud.org/server/latest/admin_manual/installation/nginx_configuration.html
+# Based on: https://github.com/owncloud/docs/blob/deda107004c35ccfc4927e4aab32a337bc2bb380/modules/admin_manual/examples/installation/nginx/subdirectory-configuration.conf
 
 location ^~ /owncloud {
 
 	# Add headers to serve security related headers
-	#add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
-	add_header X-Content-Type-Options nosniff;
-	add_header X-Frame-Options "SAMEORIGIN";
-	add_header X-XSS-Protection "1; mode=block";
-	add_header X-Robots-Tag none;
-	add_header X-Download-Options noopen;
-	add_header X-Permitted-Cross-Domain-Policies none;
-	add_header Referrer-Policy no-referrer;
+	#add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+	add_header X-Content-Type-Options nosniff always;
+	add_header X-Frame-Options "SAMEORIGIN" always;
+	add_header X-XSS-Protection "1; mode=block" always;
+	add_header X-Robots-Tag none always;
+	add_header X-Download-Options noopen always;
+	add_header X-Permitted-Cross-Domain-Policies none always;
+	add_header Referrer-Policy no-referrer always;
 
 	# Set max upload size
 	client_max_body_size 1048576M;
@@ -63,7 +63,7 @@ location ^~ /owncloud {
 		fastcgi_request_buffering off;
 	}
 
-	location ~ ^/owncloud/(?:updater|ocs-provider)(?:$|/) {
+	location ~ ^/owncloud/(?:updater|ocs-provider|ocm-provider)(?:$|/) {
 		try_files $uri $uri/ =404;
 		index index.php;
 	}
@@ -72,23 +72,23 @@ location ^~ /owncloud {
 	# Make sure it is BELOW the PHP block
 	location ~ /owncloud/.*\.(?:css|js) {
 		try_files $uri /owncloud/index.php$uri$is_args$args;
-		add_header Cache-Control "max-age=15778463";
+		add_header Cache-Control "max-age=15778463" always;
 		# Add headers to serve security related headers  (It is intended to have those duplicated to the ones above)
-		#add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
-		add_header X-Content-Type-Options nosniff;
-		add_header X-Frame-Options "SAMEORIGIN";
-		add_header X-XSS-Protection "1; mode=block";
-		add_header X-Robots-Tag none;
-		add_header X-Download-Options noopen;
-		add_header X-Permitted-Cross-Domain-Policies none;
-		add_header Referrer-Policy no-referrer;
+		#add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+		add_header X-Content-Type-Options nosniff always;
+		add_header X-Frame-Options "SAMEORIGIN" always;
+		add_header X-XSS-Protection "1; mode=block" always;
+		add_header X-Robots-Tag none always;
+		add_header X-Download-Options noopen always;
+		add_header X-Permitted-Cross-Domain-Policies none always;
+		add_header Referrer-Policy no-referrer always;
 		# Optional: Don't log access to assets
 		access_log off;
 	}
 
 	location ~ /owncloud/.*\.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg|map|json) {
 		try_files $uri /owncloud/index.php$uri$is_args$args;
-		add_header Cache-Control "public, max-age=7200";
+		add_header Cache-Control "public, max-age=7200" always;
 		# Optional: Don't log access to other assets
 		access_log off;
 	}