diff --git a/ansible/group_vars/all/all.yml b/ansible/group_vars/all/all.yml
index e0f7ef38..998c6d28 100644
--- a/ansible/group_vars/all/all.yml
+++ b/ansible/group_vars/all/all.yml
@@ -12,6 +12,8 @@ node_exporter_ca_filename: "ca.crt"
 node_exporter_cert_filename: "{{ inventory_hostname }}-fullchain.crt"
 node_exporter_key_filename: "{{ inventory_hostname }}.key"
+nginx_local_path_ca_certificate: "{{ ca_certificates_local_path_ca_certificate }}"
+
 kubernetes_localhost_kubeconfig_path: "{{ lookup('env', 'HOME') }}/.kube/homelab"
 kubernetes_vip_url: "kubernetes.unicornafk.fr"
 kubernetes_homelab_ca_config_map: "homelab-ca"
diff --git a/ansible/group_vars/dns/all.yml b/ansible/group_vars/dns/all.yml
index bc1c16fb..36c2fc7a 100644
--- a/ansible/group_vars/dns/all.yml
+++ b/ansible/group_vars/dns/all.yml
@@ -246,6 +246,7 @@ powerdns_authoritative_records:
 nginx_configuration:
 - server_name: "{{ hostvars[inventory_hostname].hostname[:-1] }}"
+ ssl_verify_client: optional
 additional_server_name:
 - "{{ ansible_default_ipv4.address }}"
 - "{{ ansible_default_ipv6.address }}"
@@ -254,10 +255,13 @@ nginx_configuration:
 proxy_pass: http://127.0.0.1:8081/api
 - location: /auth/metrics
 proxy_pass: http://127.0.0.1:8081/metrics
+ ssl_client_verify: true
 - location: /rec/metrics
 proxy_pass: http://127.0.0.1:8082/metrics
+ ssl_client_verify: true
 - location: /dnsdist/metrics
 proxy_pass: http://127.0.0.1:8083/metrics
+ ssl_client_verify: true
 enable_content_security: true
 http_redirection: false
 ssl_port: 9443
diff --git a/ansible/roles/nginx/defaults/main.yml b/ansible/roles/nginx/defaults/main.yml
index 4918ff7b..bff2ecee 100644
--- a/ansible/roles/nginx/defaults/main.yml
+++ b/ansible/roles/nginx/defaults/main.yml
@@ -3,6 +3,7 @@ nginx_package_state: latest
 # nginx_cryptography_version:
 nginx_cryptography_package_state: latest
+nginx_local_path_ca_certificate: /tmp/nginx
 nginx_venv: "/tmp/venv_nginx"
 nginx_acme_local_folder: ""
 nginx_configuration: []
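Review bot: The default `nginx_local_path_ca_certificate: /tmp/nginx` is consumed as a single-file `src:` by the new `Add CA cert` task in `ansible/roles/nginx/tasks/main.yml` (copied to `/etc/nginx/ssl/ca.crt`), but the value reads like a directory, mirroring `nginx_venv`, and it points at a world-writable scratch location on the controller for what becomes the server's client-certificate trust anchor. A run that keeps this default either fails or, if that path happens to be a directory, appears to copy its contents into the trust-store location rather than stop. Prefer an empty default in the style of `nginx_acme_local_folder`, `nginx_local_path_ca_certificate: ""`, and guard the copy task with `when: nginx_local_path_ca_certificate | length > 0` or an `ansible.builtin.assert`, so the CA file is an explicit input of the role. Quoting the path would also match the neighbouring values.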
@@ -12,9 +13,11 @@ nginx_auth_basic: {}
 # nginx_configuration:
 # - server_name: "{{ inventory_hostname }}"
 # # optional
+# ssl_verify_client: optional
 # additional_server_name:
 # - "192.168.0.1"
 # - location: /
+# ssl_client_verify: true
 # proxy_pass: "http://127.0.0.1:8080"
 # proxy_headers:
 # X-Server-URL: https://$server_name/
diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml
index c63e8b81..47fb6729 100644
--- a/ansible/roles/nginx/tasks/main.yml
+++ b/ansible/roles/nginx/tasks/main.yml
@@ -64,6 +64,15 @@
 - /var/www/html
 notify: Restart nginx
+- name: Add CA cert
+ ansible.builtin.copy:
+ src: "{{ nginx_local_path_ca_certificate }}"
+ dest: "/etc/nginx/ssl/ca.crt"
+ owner: nginx
+ group: nginx
+ mode: "0640"
+ notify: Restart nginx
+
 - name: Configure default nginx configuration
 ansible.builtin.copy:
 src: nginx.conf
diff --git a/ansible/roles/nginx/templates/site.conf.j2 b/ansible/roles/nginx/templates/site.conf.j2
index 261ce490..a053c14b 100644
--- a/ansible/roles/nginx/templates/site.conf.j2
+++ b/ansible/roles/nginx/templates/site.conf.j2
@@ -5,14 +5,20 @@ server {
 server_name {{ item.server_name }}{% if item.additional_server_name is defined %}, {% for additional_server_name in item.additional_server_name %}{{ additional_server_name }}{% if not loop.last %}, {% endif %}{% endfor %}{% endif %};
+ ssl_client_certificate /etc/nginx/ssl/ca.crt;
 ssl_certificate /etc/nginx/ssl/{{ item.server_name }}-fullchain.crt;
 ssl_certificate_key /etc/nginx/ssl/{{ item.server_name }}.key;
+ {% if item.ssl_verify_client %}
+ ssl_verify_client {{ item.ssl_verify_client }};
+ {% endif %}
 add_header X-Frame-Options "SAMEORIGIN" always;
 add_header X-XSS-Protection "1; mode=block" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- {% if item.enable_content_security %}add_header Content-Security-Policy "default-src 'self'" always;{% endif %}
+ {% if item.enable_content_security %}
+ add_header Content-Security-Policy "default-src 'self'" always;
+ {% endif %}
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), sync-script=(), trust-token-redemption=(), window-placement=(), vertical-scroll=()";
 add_header X-Permitted-Cross-Domain-Policies "none" always;
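Review bot: `{% if item.ssl_verify_client %}` tests the key without `is defined`, unlike the location-level guard in the next hunk (`location.ssl_client_verify is defined and ...`); for any `nginx_configuration` entry that omits `ssl_verify_client` — the defaults example marks it `# optional` — Ansible's default strict handling of undefined variables should fail the template render instead of skipping the block. Change it to `{% if item.ssl_verify_client is defined %}`. Note also that `ssl_client_certificate /etc/nginx/ssl/ca.crt;` is now emitted for every server block, so every site rendered by this role depends on the CA file installed by the new `Add CA cert` task even when it never verifies clients; if that is intended, a Jinja comment saying so would help, e.g. `{# client-cert trust anchor; only consulted when ssl_verify_client is set #}`. The enclosing `server {` block starts and ends outside the hunk.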
@@ -21,12 +27,14 @@ server {
 add_header Cross-Origin-Resource-Policy "same-origin" always;
 add_header Set-Cookie "Path=/; HttpOnly; Secure";
- access_log /var/log/nginx/{{ item.server_name }}.access.log;
 error_log /var/log/nginx/{{ item.server_name }}.error.log warn;
 {% for location in item.locations %}
 location {{ location.location }} {
+ {% if location.ssl_client_verify is defined and location.ssl_client_verify %}
+ if ($ssl_client_verify != "SUCCESS") { return 403; }
+ {% endif %}
 {% if location.proxy_pass is defined %}
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
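Review bot: The new `if ($ssl_client_verify != "SUCCESS") { return 403; }` guard only enforces client authentication when the enclosing server block also sets `ssl_verify_client` (`optional` or `on`); without it nginx never requests a client certificate, `$ssl_client_verify` is always `NONE`, and every request to a location with `ssl_client_verify: true` is rejected with 403, which presents as an outage rather than a misconfiguration. Consider documenting the coupling next to the block — `{# requires item.ssl_verify_client (optional|on) on the server; otherwise $ssl_client_verify is always NONE #}` — or failing the render when `location.ssl_client_verify` is set but `item.ssl_verify_client` is not defined. Separately, the hunk drops the per-site `access_log` while adding a check that produces 403s; unless the global nginx.conf configures one (not visible here), those rejections and the metrics-scrape traffic are no longer logged anywhere. The `server {` block and the `{% for location %}` loop continue past the hunk.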