Fix format

conf/_security.conf

@@ -1,9 +1,16 @@
 # Configure secure access with letsencrypt
 ssl_certificate              /etc/letsencrypt/live/netoik.io/fullchain.pem;
 ssl_certificate_key          /etc/letsencrypt/live/netoik.io/privkey.pem;
-include                   /etc/letsencrypt/options-ssl-nginx.conf;
 ssl_dhparam                  /etc/letsencrypt/ssl-dhparams.pem;
-ssl_session_cache         shared:SSL:1m;
+
+# Add some ssl settings from Mozilla
+# see: https://ssl-config.mozilla.org
+ssl_protocols                TLSv1.3;
+ssl_ecdh_curve               X25519:prime256v1:secp384r1;
+ssl_prefer_server_ciphers    off;
+ssl_stapling                 on;
+ssl_stapling_verify          on;
+resolver                     127.0.0.1;
 
 # Add some basic security headers from OWASP
 # see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
@@ -18,5 +25,3 @@ add_header                Cross-Origin-Resource-Policy   "same-site"
 add_header                   Permissions-Policy             "geolocation=(), camera=(), microphone=()"                           always;
 add_header                   Server                         "webserver"                                                          always;
 add_header                   X-Robots-Tag                   "noindex, nofollow"                                                  always;
-
-

netoik-rp.spec

@@ -10,7 +10,7 @@ URL:            https://git.netoik.io/samuel/netoik-rp
 Source0:        %{name}-%{version}.tar.gz
 Buildarch:      noarch
 BuildRequires:  make
-Requires:       nginx,python3,python-devel,augeas-devel,gcc
+Requires:       nginx python3 python-devel (augeas-devel or augeas-libs) gcc openssl
 
 %description
 Install the reverse proxy called nginx with a predefined configuration and with TLS certificates attached to netoik.io
@@ -29,13 +29,20 @@ if [ $1 == 1 ]; then
   %{_bindir}/env mv %{_sysconfdir}/certbot/.ovh.ini.swp %{_sysconfdir}/certbot/ovh.ini
   %{_bindir}/env chmod 600 %{_sysconfdir}/certbot/ovh.ini
 
-  # Create virutal env with certbot cli
+  # Create virutal env with certbot
   %{_bindir}/env python3 -m venv /opt/certbot
   /opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
   %{_bindir}/env ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
-  %{_bindir}/env certbot certonly --non-interactive --agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
+
+  # Create certificate with certbot
+  %{_bindir}/env certbot certonly --non-interactive --agree-tos --email "samuel.campos@netoik.io" --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
+
+  # Add crontab rule for automatic renew
   %{_bindir}/env printf "\nAutomatic certbot renew\n0 12 * * * root sleep $((RANDOM % 3600)) && certbot renew -q\n" >> %{_sysconfdir}/crontab
 
+  # Create ssl dh params
+  %{_bindir}/env openssl dhparam -out %{_sysconfdir}/letsencrypt/ssl-dhparams.pem 2048
+
   # Stop nginx to be sure changes are taken in account
   %{_bindir}/env systemctl stop nginx
 fi
@@ -57,6 +64,7 @@ fi
 %ghost %attr(755, root, root) %dir /opt/certbot
 %ghost %attr(755, root, root) %{_sbindir}/certbot
 %ghost %attr(755, root, root) %dir %{_sysconfdir}/letsencrypt
+%ghost %attr(755, root, root) %{_sysconfdir}/letsencrypt/ssl-dhparams.pem
 
 %changelog
 %autochangelog