bundles/nginx: add a default security.txt to all vhosts
All checks were successful
bundlewrap/pipeline/head This commit looks good
All checks were successful
bundlewrap/pipeline/head This commit looks good
This commit is contained in:
parent
0a7e5bcdcd
commit
1fbc08f74b
5 changed files with 51 additions and 1 deletions
9
bundles/nginx/files/security.txt
Normal file
9
bundles/nginx/files/security.txt
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
Contact: ${vhost.get('contact', repo.libs.defaults.security_email)}
|
||||||
|
Expires: ${vhost.get('expires', expiry)}
|
||||||
|
Preferred-Languages: ${','.join(sorted(vhost.get('lang', repo.libs.defaults.security_lang)))}
|
||||||
|
Canonical: ${proto}://${domain}/.well-known/security.txt
|
||||||
|
% for key, value in sorted(vhost.items()):
|
||||||
|
% if key[0].isupper():
|
||||||
|
${key}: ${value}
|
||||||
|
% endif
|
||||||
|
% endfor
|
|
@ -72,6 +72,12 @@ server {
|
||||||
alias /var/lib/dehydrated/acme-challenges/;
|
alias /var/lib/dehydrated/acme-challenges/;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
% if security_txt:
|
||||||
|
location = /.well-known/security.txt {
|
||||||
|
alias /etc/nginx/security.txt.d/${vhost};
|
||||||
|
}
|
||||||
|
% endif
|
||||||
|
|
||||||
% if proxy:
|
% if proxy:
|
||||||
% for location, options in proxy.items():
|
% for location, options in proxy.items():
|
||||||
location ${location} {
|
location ${location} {
|
||||||
|
|
|
@ -1,3 +1,5 @@
|
||||||
|
from datetime import datetime, timedelta
|
||||||
|
|
||||||
if node.has_bundle('pacman'):
|
if node.has_bundle('pacman'):
|
||||||
package = 'pkg_pacman:nginx'
|
package = 'pkg_pacman:nginx'
|
||||||
username = 'http'
|
username = 'http'
|
||||||
|
@ -12,6 +14,9 @@ directories = {
|
||||||
'svc_systemd:nginx:restart',
|
'svc_systemd:nginx:restart',
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
'/etc/nginx/security.txt.d': {
|
||||||
|
'purge': True,
|
||||||
|
},
|
||||||
'/etc/nginx/ssl': {
|
'/etc/nginx/ssl': {
|
||||||
'purge': True,
|
'purge': True,
|
||||||
'triggers': {
|
'triggers': {
|
||||||
|
@ -77,16 +82,39 @@ svc_systemd = {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
now = datetime.now()
|
||||||
|
in_three_months = now + timedelta(days=90)
|
||||||
|
default_security_expiry = in_three_months.strftime('%Y-%m-%d') + 'T00:00:00.000Z'
|
||||||
|
|
||||||
for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
|
for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
|
||||||
if not 'domain' in config:
|
if not 'domain' in config:
|
||||||
config['domain'] = vhost
|
config['domain'] = vhost
|
||||||
|
|
||||||
|
security_txt_enabled = False
|
||||||
|
if (
|
||||||
|
node.metadata.get('nginx/security.txt/enabled', True) and
|
||||||
|
config.get('security.txt', {}).get('enabled', True)
|
||||||
|
):
|
||||||
|
security_txt_enabled = True
|
||||||
|
|
||||||
|
files[f'/etc/nginx/security.txt.d/{vhost}'] = {
|
||||||
|
'source': 'security.txt',
|
||||||
|
'content_type': 'mako',
|
||||||
|
'context': {
|
||||||
|
'domain': config['domain'],
|
||||||
|
'expiry': default_security_expiry,
|
||||||
|
'proto': 'https' if config.get('ssl', 'letsencrypt') else 'http',
|
||||||
|
'vhost': config.get('security.txt', node.metadata.get('nginx/security.txt', {})),
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
files[f'/etc/nginx/sites/{vhost}'] = {
|
files[f'/etc/nginx/sites/{vhost}'] = {
|
||||||
'source': 'site_template',
|
'source': 'site_template',
|
||||||
'content_type': 'mako',
|
'content_type': 'mako',
|
||||||
'context': {
|
'context': {
|
||||||
'vhost': vhost,
|
|
||||||
'php_version': node.metadata.get('php/version', ''),
|
'php_version': node.metadata.get('php/version', ''),
|
||||||
|
'security_txt': security_txt_enabled,
|
||||||
|
'vhost': vhost,
|
||||||
**config,
|
**config,
|
||||||
},
|
},
|
||||||
'needs': set(),
|
'needs': set(),
|
||||||
|
|
|
@ -4,3 +4,6 @@ influxdb_bucket = 'encrypt$gAAAAABgg9iMnq0nKpODMiMN4NtUw231iqpbyDXV-O8epOAGDSL4j
|
||||||
influxdb_org = 'encrypt$gAAAAABgg9hyjz4XtvG8NBw9uYxiumS3v7YKIrtc9tTTABg1f9R22gzn55q8ULP9X3wlsPMUQs_DH7CgGv9neYmvVAriRoyd8g=='
|
influxdb_org = 'encrypt$gAAAAABgg9hyjz4XtvG8NBw9uYxiumS3v7YKIrtc9tTTABg1f9R22gzn55q8ULP9X3wlsPMUQs_DH7CgGv9neYmvVAriRoyd8g=='
|
||||||
influxdb_token = 'encrypt$gAAAAABgg9Ag632Xyuc6SWXaR1uH2tLOChmVKAoBIikhjntSSD2qJFL_eouVQGXCLH2HEuSbSdEXcTPn2qmhOiA9jmFdoDSbVbQUsp0EID1wLsWYG_Um2KOxZSF-tn9eDZlgShQYySjzO3nQRmdlJpVLUnGHsiwv_sHD2FstXGpfzTPZq5_egUqEc0K2X-aN2J6BTYc2fZAN'
|
influxdb_token = 'encrypt$gAAAAABgg9Ag632Xyuc6SWXaR1uH2tLOChmVKAoBIikhjntSSD2qJFL_eouVQGXCLH2HEuSbSdEXcTPn2qmhOiA9jmFdoDSbVbQUsp0EID1wLsWYG_Um2KOxZSF-tn9eDZlgShQYySjzO3nQRmdlJpVLUnGHsiwv_sHD2FstXGpfzTPZq5_egUqEc0K2X-aN2J6BTYc2fZAN'
|
||||||
influxdb_url = 'https://influxdb.kunsmann.eu/'
|
influxdb_url = 'https://influxdb.kunsmann.eu/'
|
||||||
|
|
||||||
|
security_email = f'mailto:{hostmaster_email}'
|
||||||
|
security_lang = {'en', 'de'}
|
||||||
|
|
|
@ -254,6 +254,10 @@ nodes['htz.ex42-1048908'] = {
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
'nginx': {
|
'nginx': {
|
||||||
|
'security.txt': {
|
||||||
|
'contact': 'mailto:security@kunsmann.eu',
|
||||||
|
'Encryption': 'https://franzi.business/gpg_hi-kunsmann.eu.asc',
|
||||||
|
},
|
||||||
'vhosts': {
|
'vhosts': {
|
||||||
# TODO maybe some of this can be moved to a bundle?
|
# TODO maybe some of this can be moved to a bundle?
|
||||||
'dav.kunsmann.eu': {
|
'dav.kunsmann.eu': {
|
||||||
|
|
Loading…
Reference in a new issue