Playing with CSP report-to/report-uri.

afpy.org.yml

@@ -64,6 +64,11 @@
               root /var/www/afpy.org/;
               include snippets/letsencrypt-afpy.org.conf;
               index index.html;
+
+              add_header Report-To '{"group": "xmpp", "max_age": 10886400, "endpoints": [{ "url": "https://http-to-xmpp.afpy.org" }] }';
+              add_header Content-Security-Policy-Report-Only "default-src 'none'; img-src 'self'; style-src 'self'; script-src 'self'; frame-ancestors 'self'; frame-src https://www.helloasso.com https://web.libera.chat report-uri https://http-to-xmpp.afpy.org; report-to xmpp";
+              add_header X-Content-Type-Options "nosniff";
+
               location /discord
               {
                   return 301 https://discord.gg/qaxq8tVcjx;

http-to-xmpp.yml

@@ -0,0 +1,99 @@
+---
+
+- hosts: http_to_xmpp
+  vars:
+    user: http-to-xmpp
+    home: /home/http-to-xmpp/
+    xmpp_jid: 'afpy@chapril.org'
+    xmpp_dest_jid: 'mdk@chapril.org'
+    xmpp_password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          31393038346161613063653031313232633461373937656433363364656131376330316461666664
+          3363636533376632646239393364623762653535343563310a353434666166626232363339313235
+          39303566363935613138663536343236643964663838343839616562393732633034393938383430
+          6361613237666235390a653332373339636262663633363833666237653538646439363766383536
+          3738
+  tasks:
+    - name: A user for the HTTP to XMPP gate
+      user:
+        name: "{{ user }}"
+        system: true
+
+    - name: A venv for the HTTP to XMPP gate
+      become: true
+      become_user: "{{ user }}"
+      command: python3 -m venv --upgrade-deps {{ home }}/venv
+      changed_when: False
+
+    - name: Install http-to-xmpp
+      become: true
+      become_user: "{{ user }}"
+      pip:
+        name: [http-to-xmpp, pytz]
+        virtualenv_command: /usr/bin/python3 -m venv
+        virtualenv: "{{ home }}/venv/"
+
+    - name: Setup http-to-xmpp.afpy.org
+      include_role: name=nginx
+      vars:
+        nginx_owner: "{{ user }}"
+        nginx_domain: http-to-xmpp.afpy.org
+        nginx_certificates: [http-to-xmpp.afpy.org]
+        nginx_conf: |
+          server
+          {
+              listen [::]:80; listen 80;
+              server_name http-to-xmpp.afpy.org;
+              return 301 https://$host$request_uri;
+          }
+
+          server
+          {
+              listen [::]:443 ssl http2; listen 443 ssl http2;
+              server_name http-to-xmpp.afpy.org;
+              include snippets/letsencrypt-http-to-xmpp.afpy.org.conf;
+              index index.html;
+
+              location /
+              {
+                  include proxy_params;
+                  proxy_pass http://localhost:1985;
+              }
+          }
+
+    - name: Service for http-to-xmpp
+      notify: restart gate
+      copy:
+        dest: /etc/systemd/system/http-to-xmpp.service
+        mode: 0600
+        content: |
+          [Unit]
+          Description=HTTP to XMPP gateway
+          After=network.target
+
+          [Service]
+          Type=simple
+          Environment="XMPP_JID={{ xmpp_jid }}"
+          Environment="XMPP_PASSWORD={{ xmpp_password }}"
+          Environment="XMPP_DEST_JID={{ xmpp_dest_jid }}"
+          ExecStart={{ home }}/venv/bin/http-to-xmpp
+
+          User={{ user }}
+          WorkingDirectory={{ home }}
+          Restart=on-failure
+
+          [Install]
+          WantedBy=multi-user.target
+
+    - service:
+        name: http-to-xmpp
+        enabled: yes
+        state: started
+        daemon_reload: yes
+
+  handlers:
+    - name: restart gate
+      systemd:
+        daemon_reload: true
+        state: restarted
+        name: http-to-xmpp

inventory

@@ -37,6 +37,9 @@ backup1.afpy.org
 [alains]
 deb2.afpy.org
 
+[http_to_xmpp]
+deb2.afpy.org
+
 [ponyconfs]
 deb2.afpy.org