diff --git a/README.md b/README.md index 8b0ee33..c13b0f9 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ All services below are running under Docker, except NSD and Borg. - Clear view of what services + which versions we are running. This way, we can track security updates better. - Host tobb website? - Move from Ubuntu to Debian -- move to pim.kunis.nl +- move to Mastodon to pim.kunis.nl - security.txt - Podman - Replace watchtower with Podman features diff --git a/playbooks/all.yml b/playbooks/all.yml index 7667947..8add242 100644 --- a/playbooks/all.yml +++ b/playbooks/all.yml @@ -13,7 +13,7 @@ - {role: 'seafile', tags: 'seafile'} - {role: 'jitsi', tags: 'jitsi'} - {role: 'freshrss', tags: 'freshrss'} - - {role: 'blog', tags: 'blog'} + - {role: 'static', tags: 'static'} - {role: 'inbucket', tags: 'inbucket'} - {role: 'prometheus', tags: 'prometheus'} - name: Setup dataserver diff --git a/roles/blog/templates/nginx.conf.j2 b/roles/blog/templates/nginx.conf.j2 deleted file mode 100644 index 41469c8..0000000 --- a/roles/blog/templates/nginx.conf.j2 +++ /dev/null @@ -1,18 +0,0 @@ -server { - listen 80; - server_name {{ domain_name_pim }}; - index index.html index.htm; - root /var/www/blog; - - location / { - try_files $uri $uri/ /index.html; - } - - location ~* \.(?:ico|css|js|gif|jpe?g|png)$ { - expires 30d; - add_header Pragma public; - add_header Cache-Control "public"; - } - - error_page 404 /404.html; -} diff --git a/roles/blog/vars/main.yml b/roles/blog/vars/main.yml deleted file mode 100644 index aa1f151..0000000 --- a/roles/blog/vars/main.yml +++ /dev/null @@ -1,3 +0,0 @@ -service_name: blog -service_dir: "{{ base_service_dir }}/{{ service_name }}" -git_origin: https://git.pim.kunis.nl/pim/blog.git diff --git a/roles/nsd/files/zones/pim.kunis.nl b/roles/nsd/files/zones/pim.kunis.nl index 937ba4a..f68d70d 100644 --- a/roles/nsd/files/zones/pim.kunis.nl +++ b/roles/nsd/files/zones/pim.kunis.nl @@ -1,19 +1,16 @@ $ORIGIN pim.kunis.nl. $TTL 60 -pim.kunis.nl. IN SOA ns.pim.kunis.nl. pim.kunis.nl. 2023020701 1800 3600 1209600 3600 +pim.kunis.nl. IN SOA ns.pim.kunis.nl. pim.kunis.nl. 2023020800 1800 3600 1209600 3600 NS ns.pim.kunis.nl. A 84.245.14.149 - AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda TXT "v=spf1 ~all" _dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;" www IN A 84.245.14.149 - AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda ns IN A 84.245.14.149 - AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda social IN CNAME www.pim.kunis.nl. dav IN CNAME www.pim.kunis.nl. diff --git a/roles/nsd/files/zones/pizzapim.nl b/roles/nsd/files/zones/pizzapim.nl index a4a6e4c..3892920 100644 --- a/roles/nsd/files/zones/pizzapim.nl +++ b/roles/nsd/files/zones/pizzapim.nl @@ -1,25 +1,19 @@ $ORIGIN pizzapim.nl. $TTL 60 -pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2023020701 1800 3600 1209600 3600 +pizzapim.nl. IN SOA ns.pizzapim.nl. pim.kunis.nl. 2023020900 1800 3600 1209600 3600 NS ns.pizzapim.nl. NS ns0.transip.net. NS ns1.transip.nl. NS ns2.transip.eu. A 84.245.14.149 - AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda TXT "v=spf1 ~all" CAA 0 issue "letsencrypt.org" _dmarc IN TXT "v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;" -www IN A 84.245.14.149 +social IN A 84.245.14.149 AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda ns IN A 84.245.14.149 AAAA 2a02:58:19a:f730:b62e:99ff:fe77:1bda -social IN CNAME www.pizzapim.nl. -dav IN CNAME www.pizzapim.nl. -git IN CNAME www.pizzapim.nl. -meet IN CNAME www.pizzapim.nl. -rss IN CNAME www.pizzapim.nl. diff --git a/roles/static/files/security.txt b/roles/static/files/security.txt new file mode 100644 index 0000000..b1800e5 --- /dev/null +++ b/roles/static/files/security.txt @@ -0,0 +1 @@ +testje diff --git a/roles/blog/meta/main.yml b/roles/static/meta/main.yml similarity index 100% rename from roles/blog/meta/main.yml rename to roles/static/meta/main.yml diff --git a/roles/blog/tasks/main.yml b/roles/static/tasks/main.yml similarity index 88% rename from roles/blog/tasks/main.yml rename to roles/static/tasks/main.yml index 5684210..5f0cba5 100644 --- a/roles/blog/tasks/main.yml +++ b/roles/static/tasks/main.yml @@ -17,6 +17,10 @@ cmd: "docker run --rm --volume=\"{{ service_dir }}/git:/srv/jekyll:Z\" -it jekyll/minimal jekyll build" chdir: "{{ service_dir }}" when: repo.changed +- name: Copy security.txt + copy: + src: "{{ role_path }}/files/security.txt" + dest: "{{ service_dir }}/security.txt" - name: Copy docker compose file template: src: "{{ role_path }}/templates/docker-compose.yml.j2" diff --git a/roles/blog/templates/docker-compose.yml.j2 b/roles/static/templates/docker-compose.yml.j2 similarity index 77% rename from roles/blog/templates/docker-compose.yml.j2 rename to roles/static/templates/docker-compose.yml.j2 index 0b312f0..773d584 100644 --- a/roles/blog/templates/docker-compose.yml.j2 +++ b/roles/static/templates/docker-compose.yml.j2 @@ -9,12 +9,13 @@ services: - {{ service_dir }}/git/templates:/etc/nginx/templates - {{ service_dir }}/git/_site:/var/www/blog - {{ service_dir }}/nginx.conf:/etc/nginx/conf.d/default.conf + - {{ service_dir }}/security.txt:/var/www/blog/security.txt networks: - traefik labels: - traefik.enable=true - traefik.http.routers.blog.entrypoints=websecure - - traefik.http.routers.blog.rule=Host(`{{ domain_name_pim }}`) + - "traefik.http.routers.blog.rule=(Host(`{{ domain_name_pim }}`) || Path(`/security.txt`, `/.well-known/security.txt`))" - traefik.http.routers.blog.tls=true - traefik.http.routers.blog.tls.certresolver=letsencrypt - traefik.http.routers.blog.service=blog diff --git a/roles/static/templates/nginx.conf.j2 b/roles/static/templates/nginx.conf.j2 new file mode 100644 index 0000000..5267742 --- /dev/null +++ b/roles/static/templates/nginx.conf.j2 @@ -0,0 +1,48 @@ +server { + listen 80 default_server; + + location /security.txt { + return 301 https://$host/.well-known/security.txt; + } + + location /.well-known/security.txt { + add_header Content-Type 'text/plain'; + add_header Cache-Control 'no-cache, no-store, must-revalidate'; + add_header Pragma 'no-cache'; + add_header Expires '0'; + add_header Vary '*'; + return 200 "Contact: mailto:pim@kunis.nl\nExpires: 1970-01-01T00:00:00.000Z\nPreferred-Languages: en,nl\n"; + } +} + +server { + listen 80; + server_name {{ domain_name_pim }}; + index index.html index.htm; + root /var/www/blog; + + location /security.txt { + return 301 https://$host/.well-known/security.txt; + } + + location /.well-known/security.txt { + add_header Content-Type 'text/plain'; + add_header Cache-Control 'no-cache, no-store, must-revalidate'; + add_header Pragma 'no-cache'; + add_header Expires '0'; + add_header Vary '*'; + return 200 "Contact: mailto:pim@kunis.nl\nExpires: 1970-01-01T00:00:00.000Z\nPreferred-Languages: en,nl\n"; + } + + location / { + try_files $uri $uri/ /index.html; + } + + location ~* \.(?:ico|css|js|gif|jpe?g|png)$ { + expires 30d; + add_header Pragma public; + add_header Cache-Control "public"; + } + + error_page 404 /404.html; +} diff --git a/roles/static/vars/main.yml b/roles/static/vars/main.yml new file mode 100644 index 0000000..d0ee1bc --- /dev/null +++ b/roles/static/vars/main.yml @@ -0,0 +1,3 @@ +service_name: static +service_dir: "{{ base_service_dir }}/{{ service_name }}" +git_origin: https://git.pim.kunis.nl/pim/static.git