change blog role to static

add security.txt

README.md

@@ -37,7 +37,7 @@ All services below are running under Docker, except NSD and Borg.
 - Clear view of what services + which versions we are running. This way, we can track security updates better.
 - Host tobb website?
 - Move from Ubuntu to Debian
-- move to pim.kunis.nl
+- move to Mastodon to pim.kunis.nl
 - security.txt
 - Podman
 - Replace watchtower with Podman features

playbooks/all.yml

@@ -13,7 +13,7 @@
     - {role: 'seafile', tags: 'seafile'}
     - {role: 'jitsi', tags: 'jitsi'}
     - {role: 'freshrss', tags: 'freshrss'}
-    - {role: 'blog', tags: 'blog'}
+    - {role: 'static', tags: 'static'}
     - {role: 'inbucket', tags: 'inbucket'}
     - {role: 'prometheus', tags: 'prometheus'}
 - name: Setup dataserver

roles/blog/templates/nginx.conf.j2

@@ -1,18 +0,0 @@
-server {
-	listen 80;
-	server_name {{ domain_name_pim }};
-	index index.html index.htm;
-	root /var/www/blog;
-
-	location / {
-	    try_files $uri $uri/ /index.html;
-	}
-
-	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
-	    expires 30d;
-	    add_header Pragma public;
-	    add_header Cache-Control "public";
-	}
-
-	error_page 404 /404.html;
-}

roles/blog/vars/main.yml

@@ -1,3 +0,0 @@
-service_name: blog
-service_dir: "{{ base_service_dir }}/{{ service_name }}"
-git_origin: https://git.pim.kunis.nl/pim/blog.git

roles/nsd/files/zones/pim.kunis.nl

@@ -1,19 +1,16 @@
 $ORIGIN pim.kunis.nl.
 $TTL 60
 
-pim.kunis.nl.	IN 	SOA	ns.pim.kunis.nl. pim.kunis.nl. 2023020701 1800 3600 1209600 3600
+pim.kunis.nl.	IN 	SOA	ns.pim.kunis.nl. pim.kunis.nl. 2023020800 1800 3600 1209600 3600
 
 			NS	ns.pim.kunis.nl.
 			A	84.245.14.149
-			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
 			TXT	"v=spf1 ~all"
 
 _dmarc		IN	TXT	"v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;"
 
 www		IN	A	84.245.14.149
-			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
 ns		IN	A	84.245.14.149
-			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
 
 social		IN	CNAME	www.pim.kunis.nl.
 dav		IN	CNAME	www.pim.kunis.nl.

roles/nsd/files/zones/pizzapim.nl

@@ -1,25 +1,19 @@
 $ORIGIN pizzapim.nl.
 $TTL 60
 
-pizzapim.nl.	IN 	SOA	ns.pizzapim.nl. pim.kunis.nl. 2023020701 1800 3600 1209600 3600
+pizzapim.nl.	IN 	SOA	ns.pizzapim.nl. pim.kunis.nl. 2023020900 1800 3600 1209600 3600
 
 			NS	ns.pizzapim.nl.
 			NS	ns0.transip.net.
 			NS	ns1.transip.nl.
 			NS	ns2.transip.eu.
 			A	84.245.14.149
-			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
 			TXT	"v=spf1 ~all"
 			CAA	0 issue "letsencrypt.org"
 
 _dmarc		IN	TXT	"v=DMARC1; p=reject; aspf=s; adkim=s; rua=mailto:wpux1bq8@ag.eu.dmarcian.com;"
 
-www		IN	A	84.245.14.149
+social		IN	A	84.245.14.149
 			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
 ns		IN	A	84.245.14.149
 			AAAA	2a02:58:19a:f730:b62e:99ff:fe77:1bda
-social		IN	CNAME	www.pizzapim.nl.
-dav		IN	CNAME	www.pizzapim.nl.
-git		IN	CNAME	www.pizzapim.nl.
-meet            IN      CNAME   www.pizzapim.nl.
-rss             IN      CNAME   www.pizzapim.nl.

roles/static/files/security.txt

@@ -0,0 +1 @@
+testje

roles/static/tasks/main.yml

@@ -17,6 +17,10 @@
     cmd: "docker run --rm --volume=\"{{ service_dir }}/git:/srv/jekyll:Z\" -it jekyll/minimal jekyll build"
     chdir: "{{ service_dir }}"
   when: repo.changed
+- name: Copy security.txt
+  copy:
+    src: "{{ role_path }}/files/security.txt"
+    dest: "{{ service_dir }}/security.txt"
 - name: Copy docker compose file
   template:
     src: "{{ role_path }}/templates/docker-compose.yml.j2"

roles/static/templates/docker-compose.yml.j2

@@ -9,12 +9,13 @@ services:
       - {{ service_dir }}/git/templates:/etc/nginx/templates
       - {{ service_dir }}/git/_site:/var/www/blog
       - {{ service_dir }}/nginx.conf:/etc/nginx/conf.d/default.conf
+      - {{ service_dir }}/security.txt:/var/www/blog/security.txt
     networks:
       - traefik
     labels:
       - traefik.enable=true
       - traefik.http.routers.blog.entrypoints=websecure
-      - traefik.http.routers.blog.rule=Host(`{{ domain_name_pim }}`)
+      - "traefik.http.routers.blog.rule=(Host(`{{ domain_name_pim }}`) || Path(`/security.txt`, `/.well-known/security.txt`))"
       - traefik.http.routers.blog.tls=true
       - traefik.http.routers.blog.tls.certresolver=letsencrypt
       - traefik.http.routers.blog.service=blog

roles/static/templates/nginx.conf.j2

@@ -0,0 +1,48 @@
+server {
+	listen 80 default_server;
+
+	location /security.txt {
+		return 301 https://$host/.well-known/security.txt;
+	}
+
+	location /.well-known/security.txt {
+		add_header Content-Type 'text/plain';
+		add_header Cache-Control 'no-cache, no-store, must-revalidate';
+		add_header Pragma 'no-cache';
+		add_header Expires '0';
+		add_header Vary '*';
+		return 200 "Contact: mailto:pim@kunis.nl\nExpires: 1970-01-01T00:00:00.000Z\nPreferred-Languages: en,nl\n";
+	}
+}
+
+server {
+	listen 80;
+	server_name {{ domain_name_pim }};
+	index index.html index.htm;
+	root /var/www/blog;
+
+	location /security.txt {
+		return 301 https://$host/.well-known/security.txt;
+	}
+
+	location /.well-known/security.txt {
+		add_header Content-Type 'text/plain';
+		add_header Cache-Control 'no-cache, no-store, must-revalidate';
+		add_header Pragma 'no-cache';
+		add_header Expires '0';
+		add_header Vary '*';
+		return 200 "Contact: mailto:pim@kunis.nl\nExpires: 1970-01-01T00:00:00.000Z\nPreferred-Languages: en,nl\n";
+	}
+
+	location / {
+	    try_files $uri $uri/ /index.html;
+	}
+
+	location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
+	    expires 30d;
+	    add_header Pragma public;
+	    add_header Cache-Control "public";
+	}
+
+	error_page 404 /404.html;
+}

roles/static/vars/main.yml

@@ -0,0 +1,3 @@
+service_name: static
+service_dir: "{{ base_service_dir }}/{{ service_name }}"
+git_origin: https://git.pim.kunis.nl/pim/static.git