bundles/nginx: add a default security.txt to all vhosts
All checks were successful
bundlewrap/pipeline/head This commit looks good

This commit is contained in:
Franzi 2021-06-03 18:56:28 +02:00
parent 0a7e5bcdcd
commit 1fbc08f74b
Signed by: kunsi
GPG key ID: 12E3D2136B818350
5 changed files with 51 additions and 1 deletions

View file

@ -0,0 +1,9 @@
Contact: ${vhost.get('contact', repo.libs.defaults.security_email)}
Expires: ${vhost.get('expires', expiry)}
Preferred-Languages: ${','.join(sorted(vhost.get('lang', repo.libs.defaults.security_lang)))}
Canonical: ${proto}://${domain}/.well-known/security.txt
% for key, value in sorted(vhost.items()):
% if key[0].isupper():
${key}: ${value}
% endif
% endfor

View file

@ -72,6 +72,12 @@ server {
alias /var/lib/dehydrated/acme-challenges/;
}
% if security_txt:
location = /.well-known/security.txt {
alias /etc/nginx/security.txt.d/${vhost};
}
% endif
% if proxy:
% for location, options in proxy.items():
location ${location} {

View file

@ -1,3 +1,5 @@
from datetime import datetime, timedelta
if node.has_bundle('pacman'):
package = 'pkg_pacman:nginx'
username = 'http'
@ -12,6 +14,9 @@ directories = {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/security.txt.d': {
'purge': True,
},
'/etc/nginx/ssl': {
'purge': True,
'triggers': {
@ -77,16 +82,39 @@ svc_systemd = {
},
}
now = datetime.now()
in_three_months = now + timedelta(days=90)
default_security_expiry = in_three_months.strftime('%Y-%m-%d') + 'T00:00:00.000Z'
for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
if not 'domain' in config:
config['domain'] = vhost
security_txt_enabled = False
if (
node.metadata.get('nginx/security.txt/enabled', True) and
config.get('security.txt', {}).get('enabled', True)
):
security_txt_enabled = True
files[f'/etc/nginx/security.txt.d/{vhost}'] = {
'source': 'security.txt',
'content_type': 'mako',
'context': {
'domain': config['domain'],
'expiry': default_security_expiry,
'proto': 'https' if config.get('ssl', 'letsencrypt') else 'http',
'vhost': config.get('security.txt', node.metadata.get('nginx/security.txt', {})),
},
}
files[f'/etc/nginx/sites/{vhost}'] = {
'source': 'site_template',
'content_type': 'mako',
'context': {
'vhost': vhost,
'php_version': node.metadata.get('php/version', ''),
'security_txt': security_txt_enabled,
'vhost': vhost,
**config,
},
'needs': set(),

View file

@ -4,3 +4,6 @@ influxdb_bucket = 'encrypt$gAAAAABgg9iMnq0nKpODMiMN4NtUw231iqpbyDXV-O8epOAGDSL4j
influxdb_org = 'encrypt$gAAAAABgg9hyjz4XtvG8NBw9uYxiumS3v7YKIrtc9tTTABg1f9R22gzn55q8ULP9X3wlsPMUQs_DH7CgGv9neYmvVAriRoyd8g=='
influxdb_token = 'encrypt$gAAAAABgg9Ag632Xyuc6SWXaR1uH2tLOChmVKAoBIikhjntSSD2qJFL_eouVQGXCLH2HEuSbSdEXcTPn2qmhOiA9jmFdoDSbVbQUsp0EID1wLsWYG_Um2KOxZSF-tn9eDZlgShQYySjzO3nQRmdlJpVLUnGHsiwv_sHD2FstXGpfzTPZq5_egUqEc0K2X-aN2J6BTYc2fZAN'
influxdb_url = 'https://influxdb.kunsmann.eu/'
security_email = f'mailto:{hostmaster_email}'
security_lang = {'en', 'de'}

View file

@ -254,6 +254,10 @@ nodes['htz.ex42-1048908'] = {
},
},
'nginx': {
'security.txt': {
'contact': 'mailto:security@kunsmann.eu',
'Encryption': 'https://franzi.business/gpg_hi-kunsmann.eu.asc',
},
'vhosts': {
# TODO maybe some of this can be moved to a bundle?
'dav.kunsmann.eu': {