diff --git a/roles/etherpad/tasks/main.yaml b/roles/etherpad/tasks/main.yaml index 8da9d4b..a0bef42 100644 --- a/roles/etherpad/tasks/main.yaml +++ b/roles/etherpad/tasks/main.yaml @@ -1,9 +1,11 @@ --- - tags: etherpad block: + - import_tasks: ../../../snippets/common-nginx.yaml + - name: Install dependencies apt: - name: [ gpg, nginx, postgresql, python3-psycopg2, apt-transport-https ] + name: [ gpg, postgresql, python3-psycopg2, apt-transport-https ] - name: Import nodesource signing key shell: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /usr/share/keyrings/nodesource.gpg @@ -109,12 +111,6 @@ state: started enabled: yes - - name: Clear default nginx site - file: - state: absent - path: /etc/nginx/sites-enabled/default - notify: reload nginx - - name: Install nginx config template: src: nginx-site.conf diff --git a/roles/git-server/tasks/main.yaml b/roles/git-server/tasks/main.yaml index 73fb5c6..91ee37d 100644 --- a/roles/git-server/tasks/main.yaml +++ b/roles/git-server/tasks/main.yaml @@ -1,18 +1,13 @@ --- +- import_tasks: ../../../snippets/common-nginx.yaml + - name: Install dependencies apt: name: - git - - nginx - xq state: present -- name: Clear default nginx site - file: - state: absent - path: /etc/nginx/sites-enabled/default - notify: reload nginx - - name: Install nginx site template: src: nginx-site.conf diff --git a/roles/monitoring/tasks/main.yaml b/roles/monitoring/tasks/main.yaml index f629658..e03ad9c 100644 --- a/roles/monitoring/tasks/main.yaml +++ b/roles/monitoring/tasks/main.yaml @@ -2,16 +2,7 @@ - name: monitoring tags: monitoring block: - - name: Install dependencies - apt: - name: nginx - state: present - - - name: Clear default nginx site - file: - state: absent - path: /etc/nginx/sites-enabled/default - notify: reload nginx + - import_tasks: ../../../snippets/common-nginx.yaml - name: Install nginx site template: 
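Review bot: The added `- import_tasks: ../../../snippets/common-nginx.yaml` in the first etherpad hunk depends on two things not visible here: a three-level relative path, and a `reload nginx` handler in every importing role, since the snippet's tasks notify it. The same import is added in the git-server, monitoring, music and www/mediawiki hunks. The music hunk previously only installed nginx, so if that role defines no such handler the play would presumably fail the first time the snippet reports a change; this is worth confirming. A shared role pulled in with `import_role` and carrying its own handler would remove both dependencies. Failing that, a comment above each import such as `# shared nginx baseline: install, server_tokens off, drop default site` would tell readers what the line brings in.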
diff --git a/roles/music/tasks/main.yaml b/roles/music/tasks/main.yaml index e7021de..7d8e4c0 100644 --- a/roles/music/tasks/main.yaml +++ b/roles/music/tasks/main.yaml @@ -13,9 +13,7 @@ - tags: music block: - - name: Install nginx - apt: - name: nginx + - import_tasks: ../../../snippets/common-nginx.yaml - name: Install nginx config template: diff --git a/roles/www/tasks/mediawiki.yaml b/roles/www/tasks/mediawiki.yaml index a0db277..b6b542f 100644 --- a/roles/www/tasks/mediawiki.yaml +++ b/roles/www/tasks/mediawiki.yaml @@ -1,8 +1,18 @@ --- - name: Install dependencies apt: - name: - - php-fpm + name: php-fpm + state: present + +- import_tasks: ../../../snippets/common-nginx.yaml + +- name: Install security.txt + template: + src: security.txt + dest: /opt/security.txt + owner: root + group: root + mode: 0644 - name: Allow HTTP/HTTPS iptables: diff --git a/roles/www/templates/nginx-site.conf b/roles/www/templates/nginx-site.conf index 1076138..bb66399 100644 --- a/roles/www/templates/nginx-site.conf +++ b/roles/www/templates/nginx-site.conf @@ -127,5 +127,9 @@ server { alias /opt/matrix-delegation.json; } + location = /.well-known/security.txt { + alias /opt/security.txt; + } + include "snippets/acme.conf"; } diff --git a/roles/www/templates/security.txt b/roles/www/templates/security.txt new file mode 100644 index 0000000..9e2c774 --- /dev/null +++ b/roles/www/templates/security.txt @@ -0,0 +1,3 @@ +Contact: mailto:bestuur@bitlair.nl +Preferred-Languages: nl, en +Hiring: https://bitlair.nl/Deelnemer_Worden diff --git a/snippets/common-nginx.yaml b/snippets/common-nginx.yaml new file mode 100644 index 0000000..98aa02b --- /dev/null +++ b/snippets/common-nginx.yaml 
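Review bot: `mode: 0644` in the new "Install security.txt" task of roles/www/tasks/mediawiki.yaml is an unquoted octal. It yields the intended permissions only because the YAML 1.1 loader reads the leading zero as octal, and the same value written without the zero would silently become a different permission set. Quote it as `mode: "0644"` so Ansible receives a string and does the conversion itself. A one-line comment such as `# served at /.well-known/security.txt by nginx-site.conf` would also help, since the `/opt/security.txt` destination does not say where the file is published.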
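Review bot: The new roles/www/templates/security.txt has `Contact`, `Preferred-Languages` and `Hiring` but no `Expires` field, which RFC 9116 requires exactly once. Validators and researchers following the RFC will treat the file as invalid or stale without it. Add a line of the form `Expires: <ISO 8601 timestamp, less than a year ahead>` and decide who refreshes it, because a lapsed date has the same effect as a missing one. A `Canonical: <https URL of this file>` line is optional but lets readers confirm they fetched the file from the intended location.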
@@ -0,0 +1,18 @@ +--- +- name: Install nginx + apt: + name: nginx + state: present + +- name: Disable nginx server_tokens + lineinfile: + path: /etc/nginx/nginx.conf + line: "\tserver_tokens off;" + regexp: "server_tokens" + notify: reload nginx + +- name: Clear default nginx site + file: + state: absent + path: /etc/nginx/sites-enabled/default + notify: reload nginx
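Review bot: The "Disable nginx server_tokens" task uses the unanchored pattern `regexp: "server_tokens"` and gives no insertion point. Any line containing that word, including an unrelated comment, can be the one replaced. When nothing matches, `lineinfile` appends the directive at the end of /etc/nginx/nginx.conf, outside the `http { }` block, where nginx rejects it and the notified reload fails. Anchor the match and pin the fallback position with `regexp: '^\s*#?\s*server_tokens\b'` and `insertafter: '^http \{'`. This assumes the stock layout with a single top-level `http {` line, so check it against the hosts this runs on.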