Configure Nginx

host_vars/website.fedihub.com.yml

@@ -34,3 +34,9 @@ common__iptables__v4_filter: |
   -A OUTPUT -p tcp -m multiport --sport 80,443 -j REJECT
 
 common__iptables__v6_filter: '{{ common__iptables__v4_filter }}'
+
+fedihub__website__host: 'fedihub.com'
+fedihub__website__port: 8000
+fedihub__website__public_dir: '/opt/fedihub/website/public'
+fedihub__website__nginx__ssl_cert: '/etc/letsencrypt/live/website.fedihub.com/fullchain.pem'
+fedihub__website__nginx__ssl_key:  '/etc/letsencrypt/live/website.fedihub.com/privkey.pem'

playbooks/deploy/website.yml

@@ -8,3 +8,4 @@
   roles:
     - name: kotovalexarian.common
       tags: common
+    - ../../roles/website

roles/website/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+fedihub__website__host: 'example.com'
+fedihub__website__port: 8000
+fedihub__website__public_dir: '/opt/fedihub/website/public'
+fedihub__website__nginx__ssl_cert: '/etc/letsencrypt/live/website.example.com/fullchain.pem'
+fedihub__website__nginx__ssl_key:  '/etc/letsencrypt/live/website.example.com/privkey.pem'

roles/website/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart Nginx
+  systemd:
+    name: nginx
+    state: restarted

roles/website/tasks/main.yml

@@ -0,0 +1,3 @@
+---
+- include_tasks: nginx.yml
+- meta: flush_handlers

roles/website/tasks/nginx.yml

@@ -0,0 +1,18 @@
+---
+- name: Create Nginx server configuration
+  template:
+    src: '../templates/nginx/website.conf'
+    dest: '/etc/nginx/sites-available/website.conf'
+    mode: 'u=rw,g=rw,o=r'
+    owner: root
+    group: root
+  notify: Restart Nginx
+
+- name: Enable Nginx server configuration
+  file:
+    state: link
+    src: '/etc/nginx/sites-available/website.conf'
+    dest: '/etc/nginx/sites-enabled/website.conf'
+    owner: root
+    group: root
+  notify: Restart Nginx

roles/website/templates/nginx/website.conf

@@ -0,0 +1,62 @@
+server {
+  listen 80;
+  listen [::]:80;
+
+  server_name {{ fedihub__website__host }} www.{{ fedihub__website__host }};
+
+  set $CSP "";
+  set $CSP "${CSP}object-src 'none';";
+  set $CSP "${CSP}frame-src 'none';";
+  set $CSP "${CSP}connect-src 'none';";
+  set $CSP "${CSP}form-action 'none';";
+
+  add_header Content-Security-Policy $CSP always;
+  add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  add_header X-Content-Type-Options "nosniff" always;
+  add_header X-Frame-Options "SAMEORIGIN" always;
+
+  return 301 https://$host$request_uri;
+}
+
+server {
+  listen 443      ssl;
+  listen [::]:443 ssl;
+
+  server_name {{ fedihub__website__host }} www.{{ fedihub__website__host }}};
+
+  ssl_certificate     {{ fedihub__website__nginx__ssl_cert }};
+  ssl_certificate_key {{ fedihub__website__nginx__ssl_key }};
+
+  set $CSP "";
+  set $CSP "${CSP}object-src 'none';";
+  set $CSP "${CSP}frame-src 'none';";
+  set $CSP "${CSP}connect-src 'self';";
+  set $CSP "${CSP}form-action 'none';";
+
+  add_header Content-Security-Policy $CSP always;
+  add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  add_header X-Content-Type-Options "nosniff" always;
+  add_header X-Frame-Options "SAMEORIGIN" always;
+
+  add_header Last-Modified $date_gmt;
+  add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+
+  client_max_body_size 100M;
+
+  if_modified_since off;
+  expires off;
+  etag off;
+  sendfile off;
+
+  root {{ fedihub__website__public_dir }};
+  index index.html;
+
+  location / {
+    proxy_read_timeout 60s;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_pass http://localhost:{{ fedihub__website__port }};
+  }
+}