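---
# Provisioning playbook for the host group "mdk": base setup, outbound mail
# via exim, the mdk.fr static site behind nginx, and longer nginx log
# retention. Module arguments are written as block YAML rather than
# key=value strings so they are parsed by YAML, not by Ansible's free-form
# argument splitter.
- hosts: mdk
  vars:
    # Contact address handed to Let's Encrypt for the certificates below.
    letsencrypt_email: julien@palard.fr
  tasks:
    - name: Common setup
      include_role:
        name: common

    - name: Setup email
      include_role:
        name: exim
      vars:
        # The vault_* values are not defined in this file; presumably they
        # come from an encrypted vars file loaded elsewhere — confirm.
        smtp_host: "{{ vault_smtp_host }}"
        smtp_port: "{{ vault_smtp_port }}"
        smtp_username: "{{ vault_smtp_username }}"
        smtp_password: "{{ vault_smtp_password }}"

    - name: Setup mdk.fr
      include_role:
        name: nginx
      vars:
        nginx_domain: mdk.fr
        # Hostnames covered by the certificate; every server block below
        # that serves TLS includes snippets/letsencrypt-mdk.fr.conf.
        nginx_certificates:
          - mdk.fr
          - www.mdk.fr
          - julien.palard.fr
          - mandark.fr
          - www.mandark.fr
        nginx_owner: mdk_fr
        nginx_path: /var/www/mdk.fr/
        # SSH public key (ssh-ed25519 line) used for deployments; only the
        # public half belongs here.
        nginx_public_deploy_key: |
          ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/8I1ecV8EutLc+Qx6Q8b2RhzXMl9n23LznNlw+MQtM mdk.fr
        # Site configuration rendered by the nginx role. Kept as a literal
        # block so newlines survive into the generated file.
        nginx_conf: |
          # Security headers for every server below. nginx inherits add_header
          # only into levels that define no add_header of their own, so each
          # location that sets any header must restate every header it still
          # wants; that is why the headers are repeated per location.
          # 'unsafe-inline' in script-src/style-src weakens the CSP against
          # injected inline code; kept as configured.
          add_header Content-Security-Policy "default-src 'none'; font-src 'self'; script-src 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; img-src 'self'; frame-ancestors 'none'";
          add_header X-Frame-Options "DENY";
          add_header X-Content-Type-Options "nosniff";

          # Plain HTTP: everything is redirected to HTTPS on the canonical host.
          server {
            listen 80;
            server_name julien.palard.fr;
            return 301 https://mdk.fr;
          }
          server {
            listen 80;
            server_name mdk.fr www.mdk.fr mandark.fr www.mandark.fr;
            return 301 https://mdk.fr$request_uri;
          }

          # HTTPS on the alternate names: also redirected to mdk.fr.
          server {
            listen 443 ssl http2;
            server_name julien.palard.fr;
            include snippets/letsencrypt-mdk.fr.conf;
            return 301 https://mdk.fr;
          }
          server {
            listen 443 ssl http2;
            server_name www.mdk.fr mandark.fr www.mandark.fr;
            include snippets/letsencrypt-mdk.fr.conf;
            return 301 https://mdk.fr$request_uri;
          }

          # The site itself, served from /var/www/mdk.fr/.
          server {
            listen 443 ssl http2;
            charset utf-8;
            server_name mdk.fr;
            include snippets/letsencrypt-mdk.fr.conf;
            gzip_static on;
            add_header Content-Security-Policy "default-src 'none'; font-src 'self'; script-src 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; img-src 'self'; frame-ancestors 'none'";
            add_header X-Frame-Options "DENY";
            add_header X-Content-Type-Options "nosniff";

            location /noindex/ {
              autoindex off;
            }
            location /index/ {
              autoindex on;
            }
            location /talks/ {
              autoindex on;
            }

            # Reachable only from the two listed source addresses; all other
            # clients are refused by "deny all".
            location /carte/ {
              allow 82.64.237.93;
              allow 2a01:e0a:15:ac20::/64;
              deny all;
              add_header Content-Security-Policy "frame-ancestors 'none'";
              add_header X-Frame-Options "DENY";
              add_header X-Content-Type-Options "nosniff";
            }

            # Relaxed CSP (no default-src). Because add_header is redefined
            # here, X-Content-Type-Options is NOT sent for this path — confirm
            # that omission is intended.
            location /dicewars/ {
              add_header Content-Security-Policy "frame-ancestors 'none'";
              add_header X-Frame-Options "DENY";
            }

            # Same source-address restriction as /carte/; the CSP here omits
            # frame-ancestors, so framing is only blocked by X-Frame-Options.
            location /photos/ {
              allow 82.64.237.93;
              allow 2a01:e0a:15:ac20::/64;
              deny all;
              add_header Content-Security-Policy "default-src 'none'; font-src 'self'; script-src 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; img-src 'self'";
              add_header X-Frame-Options "DENY";
              add_header X-Content-Type-Options "nosniff";
            }

            location /x/ {
              add_header Content-Security-Policy "frame-ancestors 'none'";
              add_header X-Frame-Options "DENY";
              add_header X-Content-Type-Options "nosniff";
            }

            # The course pages redefine add_header with nosniff only, so the
            # server-level CSP and X-Frame-Options are not sent for them —
            # confirm that is intended.
            location /python-avancé/ {
              add_header X-Content-Type-Options "nosniff";
            }
            location /python-initiation/ {
              add_header X-Content-Type-Options "nosniff";
            }
            location /django-initiation/ {
              add_header X-Content-Type-Options "nosniff";
            }

            root /var/www/mdk.fr/;
            index index.html;
          }

    # Replaces the logrotate configuration at /etc/logrotate.d/nginx: rotate
    # each nginx log once it reaches 10M and keep 99 compressed generations.
    - name: Keep nginx logs longer
      copy:
        dest: /etc/logrotate.d/nginx
        content: |
          /var/log/nginx/*.log {
            size 10M
            missingok
            rotate 99
            compress
            delaycompress
            notifempty
            create 0640 www-data adm
            sharedscripts
            prerotate
              if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
                run-parts /etc/logrotate.d/httpd-prerotate; \
              fi \
            endscript
            postrotate
              invoke-rc.d nginx rotate >/dev/null 2>&1
            endscript
          }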