noticket - updates fore firewall, fulfillr, etc.

ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.https.conf.j2

@@ -0,0 +1,60 @@
+upstream assistant {
+  server 127.0.0.1:8123;
+}
+
+geo $local_access {
+  default 0;
+  192.168.1.1 1;
+}
+
+server {
+  modsecurity on;
+  modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name assistant.bdebyl.net;
+
+  ssl_certificate         /etc/letsencrypt/live/{{ assistant_server_name }}/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/{{ assistant_server_name }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ assistant_server_name }}/fullchain.pem;
+  ssl_dhparam             /etc/nginx/ssl/dhparam.pem;
+
+  ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+  ssl_protocols             TLSv1.2 TLSv1.3;
+  ssl_session_cache         shared:SSL:10m;
+  ssl_session_tickets       off;
+  ssl_session_timeout       1d;
+  ssl_stapling              on;
+  ssl_stapling_verify       on;
+
+  resolver 9.9.9.9 valid=60s ipv6=off;
+
+  location / {
+    if ($local_access = 1) {
+      access_log off;
+    }
+    add_header Allow                     "GET, POST, HEAD"                                                                                                                                                                        always;
+    add_header Referrer-Policy           "same-origin"                                                                                                                                                                            always;
+    add_header Strict-Transport-Security "max-age=630720000; includeSubDomains"                                                                                                                                                   always;
+    add_header X-Content-Type-Options    "nosniff"                                                                                                                                                                                always;
+
+    # Sent from upstream:
+    # add_header X-Frame-Options           "SAMEORIGIN";
+    # add_header X-XSS-Protection          "1; mode=block";
+
+    proxy_set_header Host              $http_host;
+    proxy_set_header X-Forwarded-For   $remote_addr;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header Upgrade           $http_upgrade;
+    proxy_set_header Connection        $connection_upgrade;
+
+    proxy_buffering    off;
+    proxy_http_version 1.1;
+    proxy_pass         http://assistant;
+    proxy_redirect     off;
+
+    chunked_transfer_encoding off;
+  }
+}