bundles/nginx: add a default security.txt to all vhosts

2021-06-03 18:56:28 +02:00 · 2021-06-03 18:56:28 +02:00 · 1fbc08f74b
commit 1fbc08f74b
parent 0a7e5bcdcd
5 changed files with 51 additions and 1 deletions
--- a/bundles/nginx/items.py
+++ b/bundles/nginx/items.py
@ -1,3 +1,5 @@
+from datetime import datetime, timedelta
+
 if node.has_bundle('pacman'):
    package = 'pkg_pacman:nginx'
    username = 'http'
@ -12,6 +14,9 @@ directories = {
            'svc_systemd:nginx:restart',
        },
    },
+    '/etc/nginx/security.txt.d': {
+        'purge': True,
+    },
    '/etc/nginx/ssl': {
        'purge': True,
        'triggers': {
@ -77,16 +82,39 @@ svc_systemd = {
    },
 }

+now = datetime.now()
+in_three_months = now + timedelta(days=90)
+default_security_expiry = in_three_months.strftime('%Y-%m-%d') + 'T00:00:00.000Z'
+
 for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
    if not 'domain' in config:
        config['domain'] = vhost

+    security_txt_enabled = False
+    if (
+        node.metadata.get('nginx/security.txt/enabled', True) and
+        config.get('security.txt', {}).get('enabled', True)
+    ):
+        security_txt_enabled = True
+
+        files[f'/etc/nginx/security.txt.d/{vhost}'] = {
+            'source': 'security.txt',
+            'content_type': 'mako',
+            'context': {
+                'domain': config['domain'],
+                'expiry': default_security_expiry,
+                'proto': 'https' if config.get('ssl', 'letsencrypt') else 'http',
+                'vhost': config.get('security.txt', node.metadata.get('nginx/security.txt', {})),
+            },
+        }
+
    files[f'/etc/nginx/sites/{vhost}'] = {
        'source': 'site_template',
        'content_type': 'mako',
        'context': {
-            'vhost': vhost,
            'php_version': node.metadata.get('php/version', ''),
+            'security_txt': security_txt_enabled,
+            'vhost': vhost,
            **config,
        },
        'needs': set(),