diff options
| -rw-r--r-- | certs/public-backup/fripost.org.pub | 14 | ||||
| -rw-r--r-- | certs/public-backup/git.fripost.org.pub | 14 | ||||
| -rw-r--r-- | certs/public-backup/lists.fripost.org.pub | 14 | ||||
| -rw-r--r-- | certs/public-backup/mail.fripost.org.pub | 14 | ||||
| -rw-r--r-- | roles/git/files/etc/nginx/sites-available/git | 9 | ||||
| -rw-r--r-- | roles/lists/files/etc/nginx/sites-available/sympa | 1 | ||||
| -rw-r--r-- | roles/webmail/files/etc/nginx/sites-available/roundcube | 1 | ||||
| -rw-r--r-- | roles/wiki/files/etc/nginx/sites-available/website | 9 | ||||
| -rw-r--r-- | roles/wiki/files/etc/nginx/sites-available/wiki | 9 |
9 files changed, 73 insertions, 12 deletions
diff --git a/certs/public-backup/fripost.org.pub b/certs/public-backup/fripost.org.pub new file mode 100644 index 0000000..bee948f --- /dev/null +++ b/certs/public-backup/fripost.org.pub @@ -0,0 +1,14 @@ +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAs06ycSgCZ35MHeoeV/Ck +gV5mYfZUOebnGse+vk0ATn7a+qnSgYkhAgRVg+jnN/I/oF9tNcwCex3rawzx51vw +Etzb9gZoEXTrULCW1IJNWki5JZdilCjSmWyiw9KVEu956EAKVGagSj3lhH6q8MDQ +tnyc0R49TC/LIIOypMQrow/HLw5Jz4FsCb7O4qaUu78RKzZkFMRB/8lEkmXxqNcX +aXcPhugNbuC109X1oWKVD2Kj8MEoorErUSEGnbvN0eDC8p1edqKV8W7PyWM11WIH +6WeBQOI9D6H39R/wTKrxuGFDNmVJfvMRzU5i8Pgw6J6lOW7ORv9UdQ2LvalKXUTD +n7nOvGhdD1xpEOpkInbjZXVxVBKmcen7/jtB/aVN15RiAsmQGHHaDMJtJgf/t1bv +wnSIn1cMJ9A1cI80zjE2VvnQk0rq+Vq2dURyaSfulRuxfLnV1uiyN28BHUFfTCUl +BTroch484M2G5K6/BExLoaAVmQIApQXqBtE/N/mXmowV+/5V6yxoqmNCP7cG139D +di+KzmFHZYlUWYd7RWgbsSbNkAYBAMqj4P1UtsOpfHFfq8kyGB7Smu7HhkjVlRwQ +FHr1oGoBx2k9wuEa3HNdqwMhSWFxqqPFNwGq3ECpTJlm1Meq3qbYoDV56ZXPIVXz +NElDYDwIvPwbTHjL6bsbBlMCAwEAAQ== +-----END PUBLIC KEY----- diff --git a/certs/public-backup/git.fripost.org.pub b/certs/public-backup/git.fripost.org.pub new file mode 100644 index 0000000..1620e78 --- /dev/null +++ b/certs/public-backup/git.fripost.org.pub @@ -0,0 +1,14 @@ +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0GPDkJ0LfiO2sVyJdA13 +OuYfXzRvP/G8rC5mC3V+0yU525J3ZYNhvY5fC41wFOQc0WRRk72hE2LbgHeSvch3 +jZjyb5n29k1eichbVwUD2G6D0hYSjcn685u0CAOoRJJcRnGhf/8bcUPedmx8zsZ2 +BYtnbY2M8vF+cBiSidSQBASzTNuBrMizF6RhXcR+aQ4N2SbJl9JPCywUFnfVtgP4 +vePqKLlKCHk5tWrLU6bppgzVYBEZUfgWEztGKFiQtrY6AeITxIZzD5XOssw2Jtrk +5b9E7qp3sSTb7xFusmgvD38/h73/mB7xJNFrpPvtNO6oQtGTkKciKG5qyUAXIpQ9 +yWh4PDntcmRj5WpDwhLZYOHJQl7rQs49up7O0oQsLI1KFmh1XGN+qo32akVJbP48 +HfDbxXcmMNbeoG16qjPZEdFY6IvZRO1sQ6CKILq3afz9NEljPLrp8yKPBmro85fa +VDs5C+UgbSmzIOVELf1oorKyJR9UM0HtJW0ZN7Az0/DtluFWBWHwW4R5Gp9rI65L +xob1jxfJmp5Nu2ufFRXazW6deSPOD35jKQy40XLAjscvVR5Ia16exWl1HBypJtDh ++6chLoY//fie73Cmk7u2X+qq9zw8ikY4gRKie3x7zm2qk7ChbO6VejN3KTlkbCui +U/riMb2cxaGQeFuIrL9eUuECAwEAAQ== +-----END PUBLIC KEY----- diff --git a/certs/public-backup/lists.fripost.org.pub b/certs/public-backup/lists.fripost.org.pub new file mode 100644 index 0000000..b86e615 --- /dev/null +++ b/certs/public-backup/lists.fripost.org.pub @@ -0,0 +1,14 @@ +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA+b1xBNsRiiL9QdoLOjjL +JC+4me/Hxa4FSk5tITC4J26Mo6ghf+cnQ0zF0l+Ac8ww2aFIjo+XaNXMaF0f3wUI +D+AYSuihfsseKnoJqyaLxxmZIcgt1OrTj6hYYmtPq4VYENdGDlwTxREbalg6qCKd +QoWcprgBVuzEOzBxkcdsD96RKOXs25uLTqsyvIuhSvR94aCkrPlJTNhYmvkvul/6 +N2ss0K3m1dy5bIHhVHSCKB85nQI8dr0mNUKwtAOEz38MIUYZjl0kLnvbgTLzr7uF +1C/Sa/KZ1uUSU3qNJFFzEt0SZhOqgLN9B4TUBip0CrlV4d+NWD8CYA5RnbGUCrqf +nH3wnuiuwrxjE74v2O6mQZLKuj00RuHWqLckraoSVAmDNd5MpBBH1PUtrif6+3xM +Ww5FQ6TtBvhmbCqHe1lkfD3Txuju2gIWpTU8V6OYmYItoQnNNFRNeR8nOMsfp47o +lNQgU70jpTcXzAXNNK/rgfzg/Qo4DBwb10buUixpfoW71jQLo+T/OUCxioVM5JUf +a8wo7YuaLZKkF/DVKAaAQ9gwTUWOy9sfmatmiK/VfO3H6WYdbxcmW8A192qc9e2A +G0QN2VdAiEVmcjFAZIraW7FSSwYwPueDmFXq5YJW+wsqdRJd/qaAR/FuyrdFqT0X +BU7dKsvPbqWqV4Z+slEJ+c0CAwEAAQ== +-----END PUBLIC KEY----- diff --git a/certs/public-backup/mail.fripost.org.pub b/certs/public-backup/mail.fripost.org.pub new file mode 100644 index 0000000..61ee180 --- /dev/null +++ b/certs/public-backup/mail.fripost.org.pub @@ -0,0 +1,14 @@ +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAu6SUrGStZtiWiWw25pTK +hC5PPwHnTouTbgPUSsRvjfhLvk4KcM6WI5QzHSdS/1bV5psWdsC1ceA7gSXir5K6 +maZkX+vYLqumHWd6iclsPA7XOkBf1XwXdUeLPbHMocVIeZrG6NtcRggkNwuTybqh +LQA9r7WoLRHewxc8CMCyRHQ68XiYAFXUPuKqbhd+vWmncksFAULG82U6AYso6KrF +8DxgvjmxQ6XQlH1vk37kLRe93FcPQFOcsEJ3OkDL124My7OWO+LlO3cWLwvHfhJf +gRM8+SkjBvFjFZDU5Da27UCG5uIwLBTEGHG397ayMTX8bJrK56WL7HFgg00ovMTL +T9fpgIqgxlbq2XTLG1nU/RMxvZUC20p7FKZQzpL6wLZk3zR5IYcoxIhlQemutUHQ +hNbnXbwQUc8PAkERTDhCJZOxCbkZQdlytdl1/EV/odbbC7npI3NgLAq8z6K4MSf8 +fQaYQHoT2Nkm32nSfgw66jyLVHl2jdqufEjxQ7uAT5MOShXX/TFj+fJ4k1AJNUcF +GY4wNYqT51O4NmTWB/m9ILGcH2JOjrf+Hg+hO24+afi0USrut4EkZTGAeKaitfmn +sWeSmvBYpAkUgx/AxRZofSE/+UzMSuZ9jApnA1ZoQ5jJxZJYwK5w0yLwz3Y6NZWO +zQOLM2zHti+3zNknF/kng78CAwEAAQ== +-----END PUBLIC KEY----- diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git index ca5555e..ca71e0d 100644 --- a/roles/git/files/etc/nginx/sites-available/git +++ b/roles/git/files/etc/nginx/sites-available/git @@ -4,49 +4,50 @@ server { server_name git.fripost.org; include snippets/acme-challenge.conf; access_log /var/log/nginx/git.access.log; error_log /var/log/nginx/git.error.log info; location / { return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name git.fripost.org; - include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/git.fripost.org.pem; - ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key; - access_log /var/log/nginx/git.access.log; error_log /var/log/nginx/git.error.log info; include snippets/headers.conf; + include snippets/ssl.conf; + ssl_certificate /etc/nginx/ssl/git.fripost.org.pem; + ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key; + add_header Public-Key-Pins 'pin-sha256="HOoiXgC7tolzZ31b65UzbAKhpCCA7I0iNdO7NEuL0lU="; pin-sha256="7F+6dSG3D3X3SSLXmb4GWWqUViztamLmmCBlYCi4a10="; max-age=15778800'; + location ^~ /static/ { alias /usr/share/cgit/; expires 30d; } # Bypass the CGI to return static files stored on disk. Try first repo with # a trailing '.git', then without. location ~* "^/((?U)[^/]+)(?:\.git)?/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$" { root /var/lib/gitolite/repositories; try_files /$1.git/objects/$2 /$1/objects/$2 =404; expires 30d; gzip off; # TODO honor git-daemon-export-ok } # disallow push over HTTP/HTTPS location ~* "^/[^/]+/git-receive-pack$" { return 403; } location ~* "^/[^/]+/(?:HEAD|info/refs|objects/info/[^/]+|git-upload-pack)$" { gzip off; diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa index 79df229..732f09f 100644 --- a/roles/lists/files/etc/nginx/sites-available/sympa +++ b/roles/lists/files/etc/nginx/sites-available/sympa @@ -14,40 +14,41 @@ server { } } server { listen 443; listen [::]:443; server_name lists.fripost.org; access_log /var/log/nginx/lists.access.log; error_log /var/log/nginx/lists.error.log info; include snippets/headers.conf; add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action 'self'; base-uri lists.fripost.org"; include snippets/ssl.conf; ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem; ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key; + add_header Public-Key-Pins 'pin-sha256="OLx1hOEqnCdS/7ZgzTzAl8Ig/Cwpz5MY9J9Fishg6/0="; pin-sha256="v/Ow0Ou2m08HO10wxci1IVrMC/pbihnoDNxvUwKBsMY="; max-age=15778800'; location = / { return 302 /sympa$args; } location ^~ /static-sympa/ { alias /var/lib/sympa/static_content/; expires 30d; } location ^~ /sympa { fastcgi_split_path_info ^(/sympa)(.*)$; include snippets/fastcgi.conf; fastcgi_pass unix:/run/wwsympa.socket; gzip off; } location ~* ^/([^/]+)/?$ { return 302 /$1/sympa$args; diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube index f4461ca..c66ec7a 100644 --- a/roles/webmail/files/etc/nginx/sites-available/roundcube +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -16,40 +16,41 @@ server { } } server { listen 443; listen [::]:443; server_name mail.fripost.org; server_name webmail.fripost.org; root /var/lib/roundcube; include snippets/headers.conf; add_header Content-Security-Policy "default-src 'none'; child-src 'self'; frame-src 'self'; connect-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action 'self'; base-uri mail.fripost.org webmail.fripost.org"; include snippets/ssl.conf; ssl_certificate /etc/nginx/ssl/mail.fripost.org.pem; ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key; + add_header Public-Key-Pins 'pin-sha256="SHfniMEapxeYo5YT/2jP+n+WstNaYghDMhZUadLlPDk="; pin-sha256="/Tt92H3ZkfEW1/AOCoGVm1TxZl7u4c+tIBnuvAc7d5w="; max-age=15778800'; location = /favicon.ico { root /usr/share/roundcube/skins/default/images; log_not_found off; access_log off; expires max; } location = /robots.txt { allow all; log_not_found off; access_log off; } # Deny all attempts to access hidden files, or files under hidden # directories. location ~ /\. { return 404; } access_log /var/log/nginx/roundcube.access.log; error_log /var/log/nginx/roundcube.error.log info; diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website index e372aa8..7886860 100644 --- a/roles/wiki/files/etc/nginx/sites-available/website +++ b/roles/wiki/files/etc/nginx/sites-available/website @@ -6,51 +6,52 @@ server { server_name www.fripost.org; include snippets/acme-challenge.conf; access_log /var/log/nginx/www.access.log; error_log /var/log/nginx/www.error.log info; location / { return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name fripost.org; server_name www.fripost.org; - include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/www.fripost.org.pem; - ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; - access_log /var/log/nginx/www.access.log; error_log /var/log/nginx/www.error.log info; include snippets/headers.conf; add_header Content-Security-Policy "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action 'none'; base-uri fripost.org www.fripost.org"; + include snippets/ssl.conf; + ssl_certificate /etc/nginx/ssl/www.fripost.org.pem; + ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; + add_header Public-Key-Pins 'pin-sha256="fQ+gau72iwOf6rmXvY7/QemB+kYhixPCY/A/EIr3ats="; pin-sha256="MYhOgCyUOp8NRGxa1LZc57g0wREA3kV8C+4SsrDajt8="; max-age=15778800'; + location / { try_files $uri $uri/ =404; index index.html; root /var/lib/ikiwiki/public_html/fripost-wiki/website; } location /static/ { alias /var/lib/ikiwiki/public_html/fripost-wiki/static/; expires 30d; } location /material/ { alias /var/www/fripost.org/material/; expires 30d; } location /minutes/ { alias /var/www/fripost.org/minutes/; expires 30d; } location /.well-known/autoconfig/ { alias /var/www/fripost.org/autoconfig/; } diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki index bc44270..ba217a1 100644 --- a/roles/wiki/files/etc/nginx/sites-available/wiki +++ b/roles/wiki/files/etc/nginx/sites-available/wiki @@ -5,47 +5,48 @@ server { server_name wiki.fripost.org; include snippets/acme-challenge.conf; access_log /var/log/nginx/wiki.access.log; error_log /var/log/nginx/wiki.error.log info; location / { location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; } return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name wiki.fripost.org; - include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/www.fripost.org.pem; - ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; - access_log /var/log/nginx/wiki.access.log; error_log /var/log/nginx/wiki.error.log info; include snippets/headers.conf; add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action 'self'; base-uri wiki.fripost.org"; + include snippets/ssl.conf; + ssl_certificate /etc/nginx/ssl/www.fripost.org.pem; + ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; + add_header Public-Key-Pins 'pin-sha256="fQ+gau72iwOf6rmXvY7/QemB+kYhixPCY/A/EIr3ats="; pin-sha256="MYhOgCyUOp8NRGxa1LZc57g0wREA3kV8C+4SsrDajt8="; max-age=15778800'; + location / { location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; } try_files $uri $uri/ =404; index index.html; root /var/lib/ikiwiki/public_html/fripost-wiki; } location = /ikiwiki.cgi { fastcgi_param DOCUMENT_ROOT /var/lib/ikiwiki/public_html/fripost-wiki; fastcgi_param SCRIPT_FILENAME /var/lib/ikiwiki/public_html/ikiwiki.cgi; fastcgi_index ikiwiki.cgi; include snippets/fastcgi.conf; fastcgi_pass unix:/var/run/fcgiwrap.socket; gzip off; } } |