Initial commit

playbooks/templates/nginx/sites-available/00-default-deny.conf.j2

@@ -0,0 +1,15 @@
+# ANSIBLE MAINTAINED FILE - DO NOT EDIT MANUALLY
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+
+    server_name _;
+
+    # Self-signed or snakeoil cert just to complete the TLS handshake
+    ssl_certificate /etc/letsencrypt/live/{{ item.key }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ item.key }}/privkey.pem;
+
+    return 444;
+}

playbooks/templates/nginx/sites-available/default-reverse.j2

@@ -0,0 +1,41 @@
+# ANSIBLE MAINTAINED FILE - DO NOT EDIT MANUALLY
+upstream {{ item.key }} {
+        server {{ item.value.upstream }};
+}
+
+server {
+    server_name {{ item.key }};
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    include /etc/nginx/snippets/security-hardening.conf;
+    ssl_certificate /etc/letsencrypt/live/{{ item.key }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ item.key }}/privkey.pem;
+
+    location / {
+            include /etc/nginx/snippets/security-headers.conf;
+            proxy_pass http://{{ item.key }};
+            proxy_set_header    Connection $http_connection;
+            proxy_set_header    Upgrade $http_upgrade;
+            proxy_set_header    Host            $host;
+            proxy_set_header    X-Real-IP $remote_addr;
+            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Proto $scheme;
+
+            proxy_connect_timeout 15;
+            proxy_send_timeout 15;
+            limit_except GET POST {
+                deny all;
+            }
+    }
+
+}
+
+server {
+    server_name {{ item.key }};
+    listen 80;
+    listen [::]:80;
+
+    return 301 https://$host$request_uri;
+    }
+

playbooks/templates/nginx/snippets/security-hardening.conf.j2

@@ -0,0 +1,13 @@
+# ANSIBLE MAINTAINED FILE - DO NOT EDIT MANUALLY
+ssl_protocols TLSv1.3;
+ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;
+ssl_prefer_server_ciphers off;
+ssl_dhparam /etc/nginx/dhparam.pem;
+
+client_max_body_size 512m;
+client_body_buffer_size 16k;
+large_client_header_buffers 4 16k;
+client_body_timeout 30s;
+client_header_timeout 30s;
+send_timeout 30s;
+keepalive_timeout 65s;

playbooks/templates/nginx/snippets/security-headers.conf.j2

@@ -0,0 +1,7 @@
+# ANSIBLE MAINTAINED FILE - DO NOT EDIT MANUALLY
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header Content-Security-Policy "default-src 'none'; script-src 'self' 'nonce-{RANDOM}' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'; img-src 'self' data:; font-src 'self'; connect-src 'self'; upgrade-insecure-requests" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()" always;