Add HSTS headers to all web services

2024-06-11 20:00:40 +02:00 · 2024-06-11 20:00:40 +02:00 · 8a8216d78e
commit 8a8216d78e
parent 5ae55c6c5b
6 changed files with 11 additions and 7 deletions
--- a/hosts.yaml
+++ b/hosts.yaml
@ -31,7 +31,7 @@ all:
            mqtt.bitlair.nl:
        monitoring:
          hosts:
-            monitoring.bitlair.nl:
+            dashboard.bitlair.nl:
        music:
          hosts:
            music.bitlair.nl:
--- a/roles/etherpad/templates/nginx-site.conf
+++ b/roles/etherpad/templates/nginx-site.conf
@ -12,6 +12,10 @@ server {
 	ssl_certificate_key "/var/lib/dehydrated/certs/{{ etherpad_domain }}/privkey.pem";
 	{% endif %}

+	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+	add_header X-Frame-Options DENY;
+	add_header X-Content-Type-Options nosniff;
+
 	location / {
 		proxy_pass http://127.0.0.1:9001/;
 		include proxy_params;
--- a/roles/git-server/templates/nginx-site.conf
+++ b/roles/git-server/templates/nginx-site.conf
@ -13,6 +13,9 @@ server {
 	ssl_certificate_key "/var/lib/dehydrated/certs/{{ git_server_domain }}/privkey.pem";
 	{% endif %}

+	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+	add_header X-Frame-Options DENY;
+	add_header X-Content-Type-Options nosniff;
 	add_header X-Robots-Tag noindex;

 	location / {
--- a/roles/monitoring/templates/grafana.ini
+++ b/roles/monitoring/templates/grafana.ini
@ -58,11 +58,6 @@ versions_to_keep = 20
 enabled = true
 path = /var/lib/grafana/dashboards

-# Alerting
-[alerting]
-enabled = true
-execute_alerts = True
-
 # SMTP and email config

 # Logging
--- a/roles/monitoring/templates/nginx-site.conf
+++ b/roles/monitoring/templates/nginx-site.conf
@ -10,6 +10,9 @@ server {
 	ssl_certificate_key "/var/lib/dehydrated/certs/{{ monitoring_domain }}/privkey.pem";
 	{% endif %}

+	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+	add_header X-Frame-Options DENY;
+	add_header X-Content-Type-Options nosniff;
 	add_header X-Robots-Tag noindex;

 	location / {
--- a/roles/www/templates/nginx-site.conf
+++ b/roles/www/templates/nginx-site.conf
@ -16,7 +16,6 @@ server {
    ssl_certificate_key "/var/lib/dehydrated/certs/{{ www_domain }}/privkey.pem";
    {% endif %}

-    # SSL settings from https://cipherli.st/ - AK47 15 jan 2017
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;