From 8a8216d78e72e8a8bd49ca52245dcf6458a08f84 Mon Sep 17 00:00:00 2001
From: polyfloyd
Date: Tue, 11 Jun 2024 20:00:40 +0200
Subject: [PATCH] Add HSTS headers to all web services

---
 hosts.yaml | 2 +-
 roles/etherpad/templates/nginx-site.conf | 4 ++++
 roles/git-server/templates/nginx-site.conf | 3 +++
 roles/monitoring/templates/grafana.ini | 5 -----
 roles/monitoring/templates/nginx-site.conf | 3 +++
 roles/www/templates/nginx-site.conf | 1 -
 6 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/hosts.yaml b/hosts.yaml
index 14a3db2..6bae61a 100644
--- a/hosts.yaml
+++ b/hosts.yaml
@@ -31,7 +31,7 @@ all:
 mqtt.bitlair.nl:
 monitoring:
 hosts:
- monitoring.bitlair.nl:
+ dashboard.bitlair.nl:
 music:
 hosts:
 music.bitlair.nl:
diff --git a/roles/etherpad/templates/nginx-site.conf b/roles/etherpad/templates/nginx-site.conf
index b4c1fde..57a48b0 100644
--- a/roles/etherpad/templates/nginx-site.conf
+++ b/roles/etherpad/templates/nginx-site.conf
@@ -12,6 +12,10 @@ server {
 ssl_certificate_key "/var/lib/dehydrated/certs/{{ etherpad_domain }}/privkey.pem";
 {% endif %}
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+
 location / {
 proxy_pass http://127.0.0.1:9001/;
 include proxy_params;
diff --git a/roles/git-server/templates/nginx-site.conf b/roles/git-server/templates/nginx-site.conf
index d8c4f37..dd4c478 100644
--- a/roles/git-server/templates/nginx-site.conf
+++ b/roles/git-server/templates/nginx-site.conf
@@ -13,6 +13,9 @@ server {
 ssl_certificate_key "/var/lib/dehydrated/certs/{{ git_server_domain }}/privkey.pem";
 {% endif %}
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
 add_header X-Robots-Tag noindex;
 location / {
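Review bot: The three `add_header` directives added at `server` level in the etherpad template are emitted only on 2xx/3xx responses and are silently discarded in any `location` that declares its own `add_header`, since nginx inherits `add_header` only when the child level has none. The `location /` block in this hunk has no `add_header` of its own today, but its body continues past the hunk and any header added there later would wipe the whole server-level set without warning. I'd add the `always` flag to each line, e.g. `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;`, and check the rest of the template for other `location` blocks that declare headers. Also, `X-Frame-Options DENY` forbids embedding pads in iframes anywhere, including the site's own pages; if that is relied on, `SAMEORIGIN` or a `Content-Security-Policy: frame-ancestors` list is the narrower choice.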
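Review bot: The same three header lines are now pasted verbatim into four nginx templates (git-server here, plus etherpad, monitoring and www), so a future tweak such as adding `always` or a CSP has to be repeated by hand in each role and will drift. I'd factor them into one Ansible-managed snippet and replace the three added lines with `include snippets/security-headers.conf;` in each server block. Note also that `includeSubDomains; preload` on a per-service host like this one only covers hosts beneath it, and the `preload` token is only meaningful on the registrable domain (the www template, presumably), so the shared snippet would be a good place to document that the apex is where the preload commitment actually lives.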
diff --git a/roles/monitoring/templates/grafana.ini b/roles/monitoring/templates/grafana.ini
index 3b2bbd0..be8c995 100644
--- a/roles/monitoring/templates/grafana.ini
+++ b/roles/monitoring/templates/grafana.ini
@@ -58,11 +58,6 @@ versions_to_keep = 20
 enabled = true
 path = /var/lib/grafana/dashboards
-# Alerting
-[alerting]
-enabled = true
-execute_alerts = True
-
 # SMTP and email config
 # Logging
diff --git a/roles/monitoring/templates/nginx-site.conf b/roles/monitoring/templates/nginx-site.conf
index b2f21fc..ffe95db 100644
--- a/roles/monitoring/templates/nginx-site.conf
+++ b/roles/monitoring/templates/nginx-site.conf
@@ -10,6 +10,9 @@ server {
 ssl_certificate_key "/var/lib/dehydrated/certs/{{ monitoring_domain }}/privkey.pem";
 {% endif %}
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
 add_header X-Robots-Tag noindex;
 location / {
diff --git a/roles/www/templates/nginx-site.conf b/roles/www/templates/nginx-site.conf
index bb66399..f34edee 100644
--- a/roles/www/templates/nginx-site.conf
+++ b/roles/www/templates/nginx-site.conf
@@ -16,7 +16,6 @@ server {
 ssl_certificate_key "/var/lib/dehydrated/certs/{{ www_domain }}/privkey.pem";
 {% endif %}
- # SSL settings from https://cipherli.st/ - AK47 15 jan 2017
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
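Review bot: In the monitoring nginx template, the upstream Grafana can emit its own `X-Frame-Options` and `Strict-Transport-Security` headers (driven by `allow_embedding` and `strict_transport_security` in its `[security]` section), and nginx's `add_header` appends rather than replaces, so this hunk may yield duplicate headers with differing values; the `[security]` section of grafana.ini is not part of this diff, so I can't tell which applies. If Grafana does set them, either turn them off there or hide the upstream copies with `proxy_hide_header Strict-Transport-Security;` and `proxy_hide_header X-Frame-Options;` inside `location /` so the nginx values are the only ones clients see. `X-Frame-Options DENY` also blocks embedding dashboards or panels in other pages; if that is wanted, `SAMEORIGIN` or a `frame-ancestors` CSP is the narrower setting. The `location /` block opened on the hunk's last line continues outside it.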