moved nginx, graylog to podman

2022-05-01 03:31:16 -04:00
parent 8e373896a6
commit c5bc5a91ac
49 changed files with 2556 additions and 580 deletions
--- a/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
+++ b/ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
@@ -0,0 +1,59 @@
+upstream drone {
+  server 127.0.0.1:8080;
+}
+
+geo $local_access {
+  default 0;
+  192.168.1.1 1;
+}
+
+server {
+  modsecurity on;
+  modsecurity_rules_file /etc/nginx/modsec_includes.conf;
+
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name {{ ci_server_name }};
+
+  ssl_certificate         /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
+  ssl_dhparam             /etc/nginx/ssl/dhparam.pem;
+
+  ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+  ssl_protocols             TLSv1.2 TLSv1.3;
+  ssl_session_cache         shared:SSL:10m;
+  ssl_session_tickets       off;
+  ssl_session_timeout       1d;
+  ssl_stapling              on;
+  ssl_stapling_verify       on;
+
+  resolver 9.9.9.9 valid=60s ipv6=off;
+
+  location / {
+    if ($local_access = 1) {
+      access_log off;
+    }
+    add_header Allow                     "GET, POST, HEAD"                                                                                                                                                                        always;
+    add_header Content-Security-Policy   "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self' https://*.githubusercontent.com https://*.github.com; frame-ancestors 'self'; base-uri 'none',base-uri 'self'; form-action 'self'" always;
+    add_header Referrer-Policy           "same-origin"                                                                                                                                                                            always;
+    add_header Strict-Transport-Security "max-age=630720000; includeSubDomains"                                                                                                                                                   always;
+    add_header X-Content-Type-Options    "nosniff"                                                                                                                                                                                always;
+
+    # Sent from upstream:
+    # add_header X-Frame-Options           "SAMEORIGIN";
+    # add_header X-XSS-Protection          "1; mode=block";
+
+    proxy_set_header Host              $http_host;
+    proxy_set_header X-Forwarded-For   $remote_addr;
+    proxy_set_header X-Forwarded-Proto $scheme;
+
+    proxy_buffering    off;
+    proxy_http_version 1.1;
+    proxy_pass         http://drone;
+    proxy_redirect     off;
+
+    chunked_transfer_encoding off;
+  }
+}