author | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 03:10:33 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 03:10:33 +0200 |
commit | ef430522256013665205cdda05636846cc622251 (patch) | |
tree | 0912b6175af9e97fa76aaf47613bd1926893dc67 /certs | |
parent | 4e347178a85468cb2a6451a3a57c3379f832ca97 (diff) |
nginx: Don't hard-code the HPKP headers.
Instead, look up the pubkeys and compute the digests on the fly. But
never modify the actual header snippet to avoid locking our users out.
Diffstat (limited to 'certs')
-rw-r--r-- | certs/hpkp-hdr.j2 | 16 | ||||
-rw-r--r-- | certs/public/fripost.org.pub.back (renamed from certs/public-backup/fripost.org.pub) | 0 | ||||
-rw-r--r-- | certs/public/git.fripost.org.pub.back (renamed from certs/public-backup/git.fripost.org.pub) | 0 | ||||
-rw-r--r-- | certs/public/lists.fripost.org.pub.back (renamed from certs/public-backup/lists.fripost.org.pub) | 0 | ||||
-rw-r--r-- | certs/public/mail.fripost.org.pub.back (renamed from certs/public-backup/mail.fripost.org.pub) | 0 |
5 files changed, 16 insertions, 0 deletions
diff --git a/certs/hpkp-hdr.j2 b/certs/hpkp-hdr.j2
new file mode 100644
index 0000000..0226b5c
--- /dev/null
+++ b/certs/hpkp-hdr.j2
@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+{% set tmpl = template_path | basename %}
+{% set pubkey = "certs/public/" + tmpl.rstrip("hpkp-hdr.j2") + ".pub" %}
+
+{%- set pins = [] %}
+{% for pk in [pubkey] + lookup('pipe', 'ls -1 '+pubkey+'.back*').splitlines() -%}
+ {%- set sha256 = lookup('pipe', 'openssl pkey -pubin -outform DER <'+pk+' | openssl dgst -sha256 -binary | base64') -%}
+ {%- set _ = pins.append('pin-sha256="' + sha256 + '"') -%}
+{%- endfor %}
+
+{%- if pins | length > 0 %}
+{% set directives = pins + ['max-age=3600'] %}
+add_header Public-Key-Pins '{{ directives | join('; ') }}';
+{% endif %}
diff --git a/certs/public-backup/fripost.org.pub b/certs/public/fripost.org.pub.back
index bee948f..bee948f 100644
--- a/certs/public-backup/fripost.org.pub
+++ b/certs/public/fripost.org.pub.back
diff --git a/certs/public-backup/git.fripost.org.pub b/certs/public/git.fripost.org.pub.back
index 1620e78..1620e78 100644
--- a/certs/public-backup/git.fripost.org.pub
+++ b/certs/public/git.fripost.org.pub.back
diff --git a/certs/public-backup/lists.fripost.org.pub b/certs/public/lists.fripost.org.pub.back
index b86e615..b86e615 100644
--- a/certs/public-backup/lists.fripost.org.pub
+++ b/certs/public/lists.fripost.org.pub.back
diff --git a/certs/public-backup/mail.fripost.org.pub b/certs/public/mail.fripost.org.pub.back
index 61ee180..61ee180 100644
--- a/certs/public-backup/mail.fripost.org.pub
+++ b/certs/public/mail.fripost.org.pub.back |
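Review bot: `tmpl.rstrip("hpkp-hdr.j2")` on the `set pubkey` line strips a trailing run of characters drawn from the set {h, p, k, -, d, r, ., j, 2}, not the literal suffix, so a host name ending in one of those characters (a `.ch`, `.jp` or `.dk` zone, for instance) would lose part of its name and the template would then hash a `.pub` file that does not exist; the four `*.org` names in this commit only survive because `g` is not in the set. Assuming the templates are named `<host>.hpkp-hdr.j2`, an anchored suffix removal is what is meant: `{% set pubkey = "certs/public/" + (tmpl | regex_replace('\\.hpkp-hdr\\.j2$', '')) + ".pub" %}`. The `ls -1 … .back*` pipe lookup on the `for` line presumably aborts the whole render for a host that has no backup key yet, since pipe lookups fail on a non-zero exit; given that HPKP requires a backup pin, failing loudly there is reasonable, but it deserves a comment such as `{# a missing <host>.pub.back aborts rendering on purpose: never emit a single-pin header #}` so the failure is not mistaken for a bug.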