diff options
Diffstat (limited to 'roles/git')
-rw-r--r-- | roles/git/files/etc/nginx/sites-available/git | 6 | ||||
-rw-r--r-- | roles/git/tasks/cgit.yml | 13 | ||||
l--------- | roles/git/templates/etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2 | 1 |
3 files changed, 16 insertions, 4 deletions
diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git index ca71e0d..0ec65e2 100644 --- a/roles/git/files/etc/nginx/sites-available/git +++ b/roles/git/files/etc/nginx/sites-available/git @@ -27,9 +27,9 @@ server { include snippets/headers.conf; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/git.fripost.org.pem; - ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key; - add_header Public-Key-Pins 'pin-sha256="HOoiXgC7tolzZ31b65UzbAKhpCCA7I0iNdO7NEuL0lU="; pin-sha256="7F+6dSG3D3X3SSLXmb4GWWqUViztamLmmCBlYCi4a10="; max-age=15778800'; + ssl_certificate ssl/git.fripost.org.pem; + ssl_certificate_key ssl/git.fripost.org.key; + include snippets/git.fripost.org.hpkp-hdr; location ^~ /static/ { alias /usr/share/cgit/; diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml index 5f4e0e9..1dd2cd6 100644 --- a/roles/git/tasks/cgit.yml +++ b/roles/git/tasks/cgit.yml @@ -96,9 +96,20 @@ notify: - Restart Nginx +- name: Copy HPKP header snippet + # never modify the pined pubkeys as we don't want to lock out our users + template: src=etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2 + dest=/etc/nginx/snippets/git.fripost.org.hpkp-hdr + validate=/bin/false + owner=root group=root + mode=0644 + register: r3 + notify: + - Restart Nginx + - name: Start Nginx service: name=nginx state=started - when: not (r1.changed or r2.changed) + when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers diff --git a/roles/git/templates/etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2 b/roles/git/templates/etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2 new file mode 120000 index 0000000..a8ba598 --- /dev/null +++ b/roles/git/templates/etc/nginx/snippets/git.fripost.org.hpkp-hdr.j2 @@ -0,0 +1 @@ +../../../../../../certs/hpkp-hdr.j2
\ No newline at end of file |