Fix typo

files/certbot/ovh.ini

@@ -0,0 +1,9 @@
+# OVH API credentials used by Certbot
+# To generate a new token, go to: https://www.ovh.com/auth/api/createToken
+
+dns_ovh_endpoint = "$OVH_ENDPOINT"
+dns_ovh_application_name = "$OVH_APPLICATION_NAME"
+dns_ovh_application_description = "$OVH_APPLICATION_DESCRIPTION"
+dns_ovh_application_key = "$OVH_APPLICATION_KEY"
+dns_ovh_application_secret = "$OVH_APPLICATION_SECRET"
+dns_ovh_consumer_key = "$OVH_CONSUMER_KEY"

files/nginx/0_security.conf

@@ -0,0 +1,27 @@
+# Configure secure access with letsencrypt
+ssl_certificate              /etc/letsencrypt/live/netoik.io/fullchain.pem;
+ssl_certificate_key          /etc/letsencrypt/live/netoik.io/privkey.pem;
+ssl_dhparam                  /etc/letsencrypt/ssl-dhparams.pem;
+
+# Add some ssl settings from Mozilla
+# see: https://ssl-config.mozilla.org
+ssl_protocols                TLSv1.3;
+ssl_ecdh_curve               X25519:prime256v1:secp384r1;
+ssl_prefer_server_ciphers    off;
+ssl_stapling                 on;
+ssl_stapling_verify          on;
+resolver                     127.0.0.1;
+
+# Add some basic security headers from OWASP
+# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
+add_header                   Strict-Transport-Security      "max-age=63072000; includeSubDomains; preload;"                      always;
+add_header                   X-Frame-Options                "DENY"                                                               always;
+add_header                   X-XSS-Protection               "0"                                                                  always;
+add_header                   X-Content-Type-Options         "nosniff"                                                            always;
+add_header                   Referrer-Policy                "strict-origin-when-cross-origin"                                    always;
+add_header                   Content-Security-Policy        "default-src 'self'; frame-ancestors 'self'; form-action 'self';"    always;
+add_header                   Cross-Origin-Opener-Policy     "same-origin"                                                        always;
+add_header                   Cross-Origin-Resource-Policy   "same-site"                                                          always;
+add_header                   Permissions-Policy             "geolocation=(), camera=(), microphone=()"                           always;
+add_header                   Server                         "webserver"                                                          always;
+add_header                   X-Robots-Tag                   "noindex, nofollow"                                                  always;

files/nginx/default.conf

@@ -0,0 +1,13 @@
+server {
+	listen 443 default_server;
+	server_name _;
+
+	return 404;
+}
+
+server {
+	listen 80 default_server;
+	server_name _;
+
+	return 301 https://$host$request_uri;    
+}

files/sbin/certbot_renew

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+/usr/bin/env sleep $(($RANDOM % 3600));
+/opt/certbot/bin/pip install --upgrade certbot certbot-nginx certbot-dns-ovh
+/usr/bin/env certbot renew

files/systemd/certbot-renew.service

@@ -0,0 +1,5 @@
+[Unit]
+Description=Renew certbot certificates
+
+[Service]
+ExecStart=certbot_renew

files/systemd/certbot-renew.timer

@@ -0,0 +1,8 @@
+[Unit]
+Description=Daily renew certbot certificates
+
+[Timer]
+OnCalendar=Daily
+
+[Install]
+WantedBy=multi-user.target