Faalkaart fixes

https://basisbeveiliging.nl/report/NL/cyber_non_profit/1720

roles/etherpad/tasks/main.yaml

@@ -1,9 +1,11 @@
 ---
 - tags: etherpad
   block:
+    - import_tasks: ../../../snippets/common-nginx.yaml
+
     - name: Install dependencies
       apt:
-        name: [ gpg, nginx, postgresql, python3-psycopg2, apt-transport-https ]
+        name: [ gpg, postgresql, python3-psycopg2, apt-transport-https ]
 
     - name: Import nodesource signing key
       shell: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /usr/share/keyrings/nodesource.gpg
@@ -109,12 +111,6 @@
         state: started
         enabled: yes
 
-    - name: Clear default nginx site
-      file:
-        state: absent
-        path: /etc/nginx/sites-enabled/default
-      notify: reload nginx
-
     - name: Install nginx config
       template:
         src: nginx-site.conf

roles/git-server/tasks/main.yaml

@@ -1,18 +1,13 @@
 ---
+- import_tasks: ../../../snippets/common-nginx.yaml
+
 - name: Install dependencies
   apt:
     name:
       - git
-      - nginx
       - xq
     state: present
 
-- name: Clear default nginx site
-  file:
-    state: absent
-    path: /etc/nginx/sites-enabled/default
-  notify: reload nginx
-
 - name: Install nginx site
   template:
     src: nginx-site.conf

roles/monitoring/tasks/main.yaml

@@ -2,16 +2,7 @@
 - name: monitoring
   tags: monitoring
   block:
-    - name: Install dependencies
-      apt:
-        name: nginx
-        state: present
-
-    - name: Clear default nginx site
-      file:
-        state: absent
-        path: /etc/nginx/sites-enabled/default
-      notify: reload nginx
+    - import_tasks: ../../../snippets/common-nginx.yaml
 
     - name: Install nginx site
       template:

roles/music/tasks/main.yaml

@@ -13,9 +13,7 @@
 
 - tags: music
   block:
-    - name: Install nginx
-      apt:
-        name: nginx
+    - import_tasks: ../../../snippets/common-nginx.yaml
 
     - name: Install nginx config
       template:

roles/www/tasks/mediawiki.yaml

@@ -1,8 +1,18 @@
 ---
 - name: Install dependencies
   apt:
-    name:
-      - php-fpm
+    name: php-fpm
+    state: present
+
+- import_tasks: ../../../snippets/common-nginx.yaml
+
+- name: Install security.txt
+  template:
+    src: security.txt
+    dest: /opt/security.txt
+    owner: root
+    group: root
+    mode: 0644
 
 - name: Allow HTTP/HTTPS
   iptables:

roles/www/templates/nginx-site.conf

@@ -127,5 +127,9 @@ server {
         alias /opt/matrix-delegation.json;
     }
 
+    location = /.well-known/security.txt {
+        alias /opt/security.txt;
+    }
+
     include "snippets/acme.conf";
 }

roles/www/templates/security.txt

@@ -0,0 +1,3 @@
+Contact: mailto:bestuur@bitlair.nl
+Preferred-Languages: nl, en
+Hiring: https://bitlair.nl/Deelnemer_Worden

snippets/common-nginx.yaml

@@ -0,0 +1,18 @@
+---
+- name: Install nginx
+  apt:
+    name: nginx
+    state: present
+
+- name: Disable nginx server_tokens
+  lineinfile:
+    path: /etc/nginx/nginx.conf
+    line: "\tserver_tokens off;"
+    regexp: "server_tokens"
+  notify: reload nginx
+
+- name: Clear default nginx site
+  file:
+    state: absent
+    path: /etc/nginx/sites-enabled/default
+  notify: reload nginx