bundles/nginx: add a default security.txt to all vhosts

2021-06-03 18:56:28 +02:00 · 2021-06-03 18:56:28 +02:00 · 1fbc08f74b
parent 0a7e5bcdcd
commit 1fbc08f74b
5 changed files with 51 additions and 1 deletions
--- a/bundles/nginx/files/security.txt
+++ b/bundles/nginx/files/security.txt
@ -0,0 +1,9 @@
+Contact: ${vhost.get('contact', repo.libs.defaults.security_email)}
+Expires: ${vhost.get('expires', expiry)}
+Preferred-Languages: ${','.join(sorted(vhost.get('lang', repo.libs.defaults.security_lang)))}
+Canonical: ${proto}://${domain}/.well-known/security.txt
+% for key, value in sorted(vhost.items()):
+%  if key[0].isupper():
+${key}: ${value}
+%  endif
+% endfor
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@ -72,6 +72,12 @@ server {
        alias /var/lib/dehydrated/acme-challenges/;
    }

+% if security_txt:
+    location = /.well-known/security.txt {
+        alias /etc/nginx/security.txt.d/${vhost};
+    }
+% endif
+
 % if proxy:
 %     for location, options in proxy.items():
    location ${location} {
--- a/bundles/nginx/items.py
+++ b/bundles/nginx/items.py
@ -1,3 +1,5 @@
+from datetime import datetime, timedelta
+
 if node.has_bundle('pacman'):
    package = 'pkg_pacman:nginx'
    username = 'http'
@ -12,6 +14,9 @@ directories = {
            'svc_systemd:nginx:restart',
        },
    },
+    '/etc/nginx/security.txt.d': {
+        'purge': True,
+    },
    '/etc/nginx/ssl': {
        'purge': True,
        'triggers': {
@ -77,16 +82,39 @@ svc_systemd = {
    },
 }

+now = datetime.now()
+in_three_months = now + timedelta(days=90)
+default_security_expiry = in_three_months.strftime('%Y-%m-%d') + 'T00:00:00.000Z'
+
 for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
    if not 'domain' in config:
        config['domain'] = vhost

+    security_txt_enabled = False
+    if (
+        node.metadata.get('nginx/security.txt/enabled', True) and
+        config.get('security.txt', {}).get('enabled', True)
+    ):
+        security_txt_enabled = True
+
+        files[f'/etc/nginx/security.txt.d/{vhost}'] = {
+            'source': 'security.txt',
+            'content_type': 'mako',
+            'context': {
+                'domain': config['domain'],
+                'expiry': default_security_expiry,
+                'proto': 'https' if config.get('ssl', 'letsencrypt') else 'http',
+                'vhost': config.get('security.txt', node.metadata.get('nginx/security.txt', {})),
+            },
+        }
+
    files[f'/etc/nginx/sites/{vhost}'] = {
        'source': 'site_template',
        'content_type': 'mako',
        'context': {
-            'vhost': vhost,
            'php_version': node.metadata.get('php/version', ''),
+            'security_txt': security_txt_enabled,
+            'vhost': vhost,
            **config,
        },
        'needs': set(),
--- a/libs/defaults.py
+++ b/libs/defaults.py
@ -4,3 +4,6 @@ influxdb_bucket = 'encrypt$gAAAAABgg9iMnq0nKpODMiMN4NtUw231iqpbyDXV-O8epOAGDSL4j
 influxdb_org = 'encrypt$gAAAAABgg9hyjz4XtvG8NBw9uYxiumS3v7YKIrtc9tTTABg1f9R22gzn55q8ULP9X3wlsPMUQs_DH7CgGv9neYmvVAriRoyd8g=='
 influxdb_token = 'encrypt$gAAAAABgg9Ag632Xyuc6SWXaR1uH2tLOChmVKAoBIikhjntSSD2qJFL_eouVQGXCLH2HEuSbSdEXcTPn2qmhOiA9jmFdoDSbVbQUsp0EID1wLsWYG_Um2KOxZSF-tn9eDZlgShQYySjzO3nQRmdlJpVLUnGHsiwv_sHD2FstXGpfzTPZq5_egUqEc0K2X-aN2J6BTYc2fZAN'
 influxdb_url = 'https://influxdb.kunsmann.eu/'
+
+security_email = f'mailto:{hostmaster_email}'
+security_lang = {'en', 'de'}
--- a/nodes/htz/ex42-1048908.py
+++ b/nodes/htz/ex42-1048908.py
@ -254,6 +254,10 @@ nodes['htz.ex42-1048908'] = {
            },
        },
        'nginx': {
+            'security.txt': {
+                'contact': 'mailto:security@kunsmann.eu',
+                'Encryption': 'https://franzi.business/gpg_hi-kunsmann.eu.asc',
+            },
            'vhosts': {
                # TODO maybe some of this can be moved to a bundle?
                'dav.kunsmann.eu': {