summaryrefslogtreecommitdiffstats
path: root/roles/lists
diff options
context:
space:
mode:
Diffstat (limited to 'roles/lists')
-rw-r--r--roles/lists/files/etc/nginx/sites-available/sympa6
-rw-r--r--roles/lists/tasks/nginx.yml13
l---------roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j21
3 files changed, 16 insertions, 4 deletions
diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa
index 732f09f..fbb3421 100644
--- a/roles/lists/files/etc/nginx/sites-available/sympa
+++ b/roles/lists/files/etc/nginx/sites-available/sympa
@@ -12,43 +12,43 @@ server {
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443;
listen [::]:443;
server_name lists.fripost.org;
access_log /var/log/nginx/lists.access.log;
error_log /var/log/nginx/lists.error.log info;
include snippets/headers.conf;
add_header Content-Security-Policy
"default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; referrer no-referrer-when-downgrade; frame-ancestors 'none'; form-action 'self'; base-uri lists.fripost.org";
include snippets/ssl.conf;
- ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem;
- ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key;
- add_header Public-Key-Pins 'pin-sha256="OLx1hOEqnCdS/7ZgzTzAl8Ig/Cwpz5MY9J9Fishg6/0="; pin-sha256="v/Ow0Ou2m08HO10wxci1IVrMC/pbihnoDNxvUwKBsMY="; max-age=15778800';
+ ssl_certificate ssl/lists.fripost.org.pem;
+ ssl_certificate_key ssl/lists.fripost.org.key;
+ include snippets/lists.fripost.org.hpkp-hdr;
location = / {
return 302 /sympa$args;
}
location ^~ /static-sympa/ {
alias /var/lib/sympa/static_content/;
expires 30d;
}
location ^~ /sympa {
fastcgi_split_path_info ^(/sympa)(.*)$;
include snippets/fastcgi.conf;
fastcgi_pass unix:/run/wwsympa.socket;
gzip off;
}
location ~* ^/([^/]+)/?$ {
return 302 /$1/sympa$args;
diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml
index 20b3262..6bf4afc 100644
--- a/roles/lists/tasks/nginx.yml
+++ b/roles/lists/tasks/nginx.yml
@@ -2,34 +2,45 @@
apt: pkg=nginx
- name: Copy /etc/nginx/sites-available/sympa
copy: src=etc/nginx/sites-available/sympa
dest=/etc/nginx/sites-available/sympa
owner=root group=root
mode=0644
register: r1
notify:
- Restart Nginx
- name: Create /etc/nginx/sites-enabled/sympa
file: src=../sites-available/sympa
dest=/etc/nginx/sites-enabled/sympa
owner=root group=root
state=link
register: r2
notify:
- Restart Nginx
+- name: Copy HPKP header snippet
+ # never modify the pined pubkeys as we don't want to lock out our users
+ template: src=etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2
+ dest=/etc/nginx/snippets/lists.fripost.org.hpkp-hdr
+ validate=/bin/false
+ owner=root group=root
+ mode=0644
+ register: r3
+ notify:
+ - Restart Nginx
+
- name: Start nginx
service: name=nginx state=started
- when: not (r1.changed or r2.changed)
+ when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers
- name: Fetch Nginx's X.509 certificate
# Ensure we don't fetch private data
become: False
fetch_cmd: cmd="openssl x509 -noout -pubkey"
stdin=/etc/nginx/ssl/lists.fripost.org.pem
dest=certs/public/lists.fripost.org.pub
tags:
- genkey
diff --git a/roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2 b/roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2
new file mode 120000
index 0000000..a8ba598
--- /dev/null
+++ b/roles/lists/templates/etc/nginx/snippets/lists.fripost.org.hpkp-hdr.j2
@@ -0,0 +1 @@
+../../../../../../certs/hpkp-hdr.j2 \ No newline at end of file