From 7589df21b38f3cb6e41a520e13aae8e91b2d898e Mon Sep 17 00:00:00 2001
From: Julien Palard
Date: Thu, 23 Mar 2023 11:15:33 +0100
Subject: [PATCH] salt-fr: Content-Security-Policy.
---
 afpy.org.yml | 3 +++
 roles/nginx/defaults/main.yml | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/afpy.org.yml b/afpy.org.yml
index e1dfe83..38df076 100644
--- a/afpy.org.yml
+++ b/afpy.org.yml
@@ -224,6 +224,9 @@
 nginx_domain: salt-fr.afpy.org
 nginx_certificates: [salt-fr.afpy.org]
 nginx_public_deploy_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVrME7+AYhM4n6opE5gVJbWsZHLETucV2wV+kDvnLk3"
+ nginx_extra: |
+ add_header Content-Security-Policy "default-src 'none'; font-src https://cdnjs.cloudflare.com; img-src 'self' https://www.gravatar.com; style-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; script-src 'self' https://cdnjs.cloudflare.com; frame-ancestors 'self'";
+ add_header X-Content-Type-Options "nosniff";
 - name: Setup nantes.afpy.org
 include_role: name=nginx
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 33278a6..08fbb92 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
 certbot_authenticator: gandi
-
+nginx_extra: ''
 nginx_conf: |
 server {
@@ -17,7 +17,7 @@ nginx_conf: |
 charset utf-8;
 server_name {{ nginx_domain }};
 include snippets/letsencrypt-{{ nginx_domain }}.conf;
-
 root {{ nginx_path }};
 index index.html;
+ {{ nginx_extra }}
 }
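Review bot: In the afpy.org.yml hunk, both added `add_header` lines omit the `always` parameter, so nginx attaches the CSP and `nosniff` only to its fixed set of success and redirect status codes and error pages are served without them; `add_header X-Content-Type-Options "nosniff" always;` and the same `always` on the CSP line would cover every response. The policy also leaves `base-uri` and `form-action` unset, and neither falls back to `default-src 'none'`; appending something like `base-uri 'none'; form-action 'self'` (adjusted to what the site really submits) would close that gap. Listing the whole `https://cdnjs.cloudflare.com` origin in `script-src` trusts every file that CDN serves rather than the few libraries the site loads, so narrowing it to the specific library paths is worth considering. The task these vars belong to starts above the hunk, so this is based on the visible lines only.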
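Review bot: The new default `nginx_extra: ''` in the first hunk of roles/nginx/defaults/main.yml is undocumented, although the second hunk of the same file pastes its value unescaped into the rendered server block. A comment above it such as `# nginx_extra: raw nginx directives inserted verbatim into the server block; set only from trusted playbook vars` would make clear to role users that the value is configuration, not data.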
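Review bot: In the second hunk of roles/nginx/defaults/main.yml, `{{ nginx_extra }}` sits at server level, and nginx does not pass server-level `add_header` directives down to a `location` block that declares an `add_header` of its own. No such block is visible here, and the server block begins above the hunk, so this may not matter today; a template comment next to the placeholder, e.g. `# headers added here are dropped by any location that sets add_header`, would prevent a silent loss of the CSP later. As a style point, a multi-line value keeps the template's indentation only on its first rendered line, so piping it through Jinja's `indent` filter with the block's width would keep the generated file readable.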