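---
# Playbook for the "mdk" host: base setup, outbound mail through a vaulted
# SMTP relay, the mdk.fr nginx vhost (with redirects from the alias names),
# and a longer nginx log-retention policy.
- hosts: mdk
  vars:
    # Contact address handed to the certificate issuer by the roles below.
    letsencrypt_email: julien@palard.fr

  tasks:
    - name: Common setup
      include_role:
        name: common

    - name: Setup email
      include_role:
        name: exim
      vars:
        # Relay settings are read from an Ansible Vault; no credential is
        # stored in this file.
        smtp_host: "{{ vault_smtp_host }}"
        smtp_port: "{{ vault_smtp_port }}"
        smtp_username: "{{ vault_smtp_username }}"
        smtp_password: "{{ vault_smtp_password }}"

    - name: Setup mdk.fr
      include_role:
        name: nginx
      vars:
        nginx_domain: mdk.fr
        # All of these names get a certificate; every one except mdk.fr is
        # redirected to https://mdk.fr by the vhost config below.
        nginx_certificates:
          - mdk.fr
          - www.mdk.fr
          - julien.palard.fr
          - mandark.fr
          - www.mandark.fr
        nginx_owner: mdk_fr
        nginx_path: /var/www/mdk.fr/
        # Public half of the key used to push site content (literal block
        # keeps the trailing newline expected in an authorized_keys file).
        nginx_public_deploy_key: |
          ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/8I1ecV8EutLc+Qx6Q8b2RhzXMl9n23LznNlw+MQtM mdk.fr
        nginx_conf: |
          # Default response headers for every server in this file.
          # NOTE: script-src 'unsafe-inline' keeps inline scripts working but
          # gives up most of CSP's XSS protection; tightening it means moving
          # inline scripts into files (or using hashes/nonces).
          add_header Content-Security-Policy "default-src 'none'; font-src 'self'; script-src 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; img-src 'self'; frame-ancestors 'none'";
          add_header X-Frame-Options "DENY";
          add_header X-Content-Type-Options "nosniff";

          # Plain-HTTP listeners only redirect to the canonical HTTPS name.
          server {
              listen 80;
              server_name julien.palard.fr;
              return 301 https://mdk.fr;
          }

          server {
              listen 80;
              server_name mdk.fr www.mdk.fr mandark.fr www.mandark.fr;
              return 301 https://mdk.fr$request_uri;
          }

          # HTTPS alias names: terminate TLS, then redirect to mdk.fr.
          server {
              listen 443 ssl http2;
              server_name julien.palard.fr;
              include snippets/letsencrypt-mdk.fr.conf;
              return 301 https://mdk.fr;
          }

          server {
              listen 443 ssl http2;
              server_name www.mdk.fr mandark.fr www.mandark.fr;
              include snippets/letsencrypt-mdk.fr.conf;
              return 301 https://mdk.fr$request_uri;
          }

          # The site itself.
          # Strict-Transport-Security is not set anywhere in this file; worth
          # considering since every name here already serves TLS.
          server {
              listen 443 ssl http2;
              charset utf-8;
              server_name mdk.fr;
              include snippets/letsencrypt-mdk.fr.conf;
              gzip_static on;

              add_header Content-Security-Policy "default-src 'none'; font-src 'self'; script-src 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; img-src 'self'; frame-ancestors 'none'";
              add_header X-Frame-Options "DENY";
              add_header X-Content-Type-Options "nosniff";

              # nginx inherits add_header from the enclosing level only when
              # the current level declares none of its own, so every location
              # below that sets one header must restate all the headers it
              # still wants.

              location /noindex/ {
                  autoindex off;
              }

              location /index/ {
                  autoindex on;
              }

              location /talks/ {
                  autoindex on;
              }

              # Reachable only from the two listed source addresses;
              # everyone else gets 403.
              location /carte/ {
                  allow 82.64.237.93;
                  allow 2a01:e0a:15:ac20::/64;
                  deny all;
                  add_header Content-Security-Policy "frame-ancestors 'none'";
                  add_header X-Frame-Options "DENY";
                  add_header X-Content-Type-Options "nosniff";
              }

              # Relaxed CSP (framing still forbidden). nosniff was missing
              # here and, because this block declares its own add_header, it
              # was not inherited from the server level either.
              location /dicewars/ {
                  add_header Content-Security-Policy "frame-ancestors 'none'";
                  add_header X-Frame-Options "DENY";
                  add_header X-Content-Type-Options "nosniff";
              }

              # Same address restriction as /carte/.
              location /photos/ {
                  allow 82.64.237.93;
                  allow 2a01:e0a:15:ac20::/64;
                  deny all;
                  add_header Content-Security-Policy "default-src 'none'; font-src 'self'; script-src 'unsafe-inline' 'self'; style-src 'unsafe-inline' 'self'; img-src 'self'";
                  add_header X-Frame-Options "DENY";
                  add_header X-Content-Type-Options "nosniff";
              }

              location /x/ {
                  add_header Content-Security-Policy "frame-ancestors 'none'";
                  add_header X-Frame-Options "DENY";
                  add_header X-Content-Type-Options "nosniff";
              }

              # The course trees below keep only nosniff: declaring it here
              # drops the server-level CSP and X-Frame-Options for these
              # paths. Presumably intentional -- confirm before changing.
              location /python-avancé/ {
                  add_header X-Content-Type-Options "nosniff";
              }

              location /python-initiation/ {
                  add_header X-Content-Type-Options "nosniff";
              }

              location /django-initiation/ {
                  add_header X-Content-Type-Options "nosniff";
              }

              root /var/www/mdk.fr/;
              index index.html;
          }

    # Replaces the distribution logrotate policy: rotate at 10M, keep 99
    # generations; the pre/postrotate hooks are the Debian defaults.
    - name: Keep nginx logs longer
      copy:
        dest: /etc/logrotate.d/nginx
        content: |
          /var/log/nginx/*.log {
              size 10M
              missingok
              rotate 99
              compress
              delaycompress
              notifempty
              create 0640 www-data adm
              sharedscripts
              prerotate
                  if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
                      run-parts /etc/logrotate.d/httpd-prerotate; \
                  fi \
              endscript
              postrotate
                  invoke-rc.d nginx rotate >/dev/null 2>&1
              endscript
          }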