diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 03:10:33 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2016-07-12 03:10:33 +0200 |
commit | ef430522256013665205cdda05636846cc622251 (patch) | |
tree | 0912b6175af9e97fa76aaf47613bd1926893dc67 /roles/git/tasks/cgit.yml | |
parent | 4e347178a85468cb2a6451a3a57c3379f832ca97 (diff) |
nginx: Don't hard-code the HPKP headers.
Instead, lookup the pubkeys and compute the digests on the fly. But
never modify the actual header snippet to avoid locking our users out.
Diffstat (limited to 'roles/git/tasks/cgit.yml')
-rw-r--r-- | roles/git/tasks/cgit.yml | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml index 5f4e0e9..1dd2cd6 100644 --- a/roles/git/tasks/cgit.yml +++ b/roles/git/tasks/cgit.yml @@ -79,34 +79,45 @@ - name: Copy /etc/nginx/sites-available/git copy: src=etc/nginx/sites-available/git dest=/etc/nginx/sites-available/git owner=root group=root mode=0644 register: r1 notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/git file: src=../sites-available/git dest=/etc/nginx/sites-enabled/git owner=root group=root state=link force=yes register: r2 notify: - Restart Nginx +- name: Copy HPKP header snippet + # never modify the pined pubkeys as we don't want to lock out our users + template: src=etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2 + dest=/etc/nginx/snippets/git.fripost.org.hpkp-hdr + validate=/bin/false + owner=root group=root + mode=0644 + register: r3 + notify: + - Restart Nginx + - name: Start Nginx service: name=nginx state=started - when: not (r1.changed or r2.changed) + when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data become: False fetch_cmd: cmd="openssl x509 -noout -pubkey" stdin=/etc/nginx/ssl/git.fripost.org.pem dest=certs/public/git.fripost.org.pub tags: - genkey |