samuel/netoik-rp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: samuel:v0.1.33
Branches Tags
samuel:main
samuel:v0.1.46 samuel:v0.1.45 samuel:v0.1.44 samuel:v0.1.43 samuel:v0.1.42 samuel:v0.1.41 samuel:v0.1.40 samuel:v0.1.39 samuel:v0.1.38 samuel:v0.1.9 samuel:v0.1.8 samuel:v0.1.7 samuel:v0.1.6 samuel:v0.1.5 samuel:v0.1.4 samuel:v0.1.37 samuel:v0.1.36 samuel:v0.1.35 samuel:v0.1.34 samuel:v0.1.33 samuel:v0.1.32 samuel:v0.1.31 samuel:v0.1.30 samuel:v0.1.3 samuel:v0.1.29 samuel:v0.1.28 samuel:v0.1.27 samuel:v0.1.26 samuel:v0.1.25 samuel:v0.1.24 samuel:v0.1.23 samuel:v0.1.22 samuel:v0.1.21 samuel:v0.1.20 samuel:v0.1.2 samuel:v0.1.19 samuel:v0.1.18 samuel:v0.1.17 samuel:v0.1.16 samuel:v0.1.15 samuel:v0.1.14 samuel:v0.1.13 samuel:v0.1.12 samuel:v0.1.11 samuel:v0.1.10 samuel:v0.1.1 samuel:v0.1.0
..
compare: samuel:v0.1.34
Branches Tags
samuel:main
samuel:v0.1.46 samuel:v0.1.45 samuel:v0.1.44 samuel:v0.1.43 samuel:v0.1.42 samuel:v0.1.41 samuel:v0.1.40 samuel:v0.1.39 samuel:v0.1.38 samuel:v0.1.9 samuel:v0.1.8 samuel:v0.1.7 samuel:v0.1.6 samuel:v0.1.5 samuel:v0.1.4 samuel:v0.1.37 samuel:v0.1.36 samuel:v0.1.35 samuel:v0.1.34 samuel:v0.1.33 samuel:v0.1.32 samuel:v0.1.31 samuel:v0.1.30 samuel:v0.1.3 samuel:v0.1.29 samuel:v0.1.28 samuel:v0.1.27 samuel:v0.1.26 samuel:v0.1.25 samuel:v0.1.24 samuel:v0.1.23 samuel:v0.1.22 samuel:v0.1.21 samuel:v0.1.20 samuel:v0.1.2 samuel:v0.1.19 samuel:v0.1.18 samuel:v0.1.17 samuel:v0.1.16 samuel:v0.1.15 samuel:v0.1.14 samuel:v0.1.13 samuel:v0.1.12 samuel:v0.1.11 samuel:v0.1.10 samuel:v0.1.1 samuel:v0.1.0

1 Commits
v0.1.33 ... v0.1.34

Author SHA1 Message Date
samuel
9f16b7e8db Use certbot to create cert only 2026-01-01 20:36:46 +01:00
2 changed files with 34 additions and 19 deletions
Expand all files Collapse all files

39
conf/_security.conf
View File

@@ -1,22 +1,29 @@
# Configure secure access with letsencrypt
ssl_certificate /etc/letsencrypt/live/netoik.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/netoik.io/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_session_cache shared:SSL:1m;
ssl_certificate /etc/letsencrypt/live/netoik.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/netoik.io/privkey.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# Add some ssl settings from Mozilla
# see: https://ssl-config.mozilla.org
ssl_protocols TLSv1.3;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_prefer_server_ciphers off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1;
# Add some basic security headers from OWASP
# see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "0" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self';" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-site" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
add_header Server "webserver" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "0" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self'; form-action 'self';" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-site" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
add_header Server "webserver" always;
add_header X-Robots-Tag "noindex, nofollow" always;

14
netoik-rp.spec
View File

@@ -10,7 +10,7 @@ URL: https://git.netoik.io/samuel/netoik-rp
Source0: %{name}-%{version}.tar.gz
Buildarch: noarch
BuildRequires: make
Requires: nginx,python3,python-devel,augeas-devel,gcc
Requires: nginx python3 python-devel augeas-devel gcc openssl
%description
Install the reverse proxy called nginx with a predefined configuration and with TLS certificates attached to netoik.io
@@ -29,13 +29,20 @@ if [ $1 == 1 ]; then
%{_bindir}/env mv %{_sysconfdir}/certbot/.ovh.ini.swp %{_sysconfdir}/certbot/ovh.ini
%{_bindir}/env chmod 600 %{_sysconfdir}/certbot/ovh.ini
# Create virutal env with certbot cli
# Create virutal env with certbot
%{_bindir}/env python3 -m venv /opt/certbot
/opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
%{_bindir}/env ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
%{_bindir}/env certbot certonly --non-interactive --agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
# Create certificate with certbot
%{_bindir}/env certbot certonly --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
# Add crontab rule for automatic renew
%{_bindir}/env printf "\nAutomatic certbot renew\n0 12 * * * root sleep $((RANDOM % 3600)) && certbot renew -q\n" >> %{_sysconfdir}/crontab
# Create ssl dh params
%{_bindir}/env openssl dhparam -out %{_sysconfdir}/letsencrypt/ssl-dhparams.pem
# Stop nginx to be sure changes are taken in account
%{_bindir}/env systemctl stop nginx
fi
@@ -57,6 +64,7 @@ fi
%ghost %attr(755, root, root) %dir /opt/certbot
%ghost %attr(755, root, root) %{_sbindir}/certbot
%ghost %attr(755, root, root) %dir %{_sysconfdir}/letsencrypt
%ghost %attr(755, root, root) %{_sysconfdir}/letsencrypt/ssl-dhparams.pem
%changelog
%autochangelog