feat: add csp data type

.gitea/workflows/cd.yaml

@@ -0,0 +1,20 @@
+name: Continuous Delivery
+
+on:
+  push:
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+"
+
+jobs:
+  build_n_upload:
+    runs-on: self-hosted
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+      - run: make tarball
+      - run: rpmbuild -ba "$(make name).spec"
+      - run: make upload
+        env:
+          PKG_TOKEN: ${{ secrets.PKG_TOKEN }}

.gitea/workflows/ci.yaml

@@ -6,8 +6,13 @@ on:
       - main
 
 jobs:
-  env:
-    runs-on: linux
+  lint_n_build:
+    runs-on: self-hosted
     steps:
-      - name: Show env
-        run: env | sort
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          fetch-tags: true
+      - run: shellcheck files/sbin/certbot_renew
+      - run: make tarball
+      - run: rpmbuild -ba "$(make name).spec"

.gitignore

@@ -1,2 +1,3 @@
 *.swp
 *.env
+/.idea

Makefile

@@ -1,12 +1,21 @@
-NAME = $(shell basename $(PWD))
-VERSION = $(shell git describe | sed 's/-/./g')
-BRANCH = $(shell git branch --show-current)
+NAME = netoik-rp
+VERSION = $(shell git describe --abbrev=0)
+RELEASE = $(shell git rev-parse --short HEAD)
+ARCH = noarch
+OWNER = samuel
+SUMMARY = "Netoïk Reverse Proxy"
+LICENSE = "MIT"
+URL = "https://git.netoik.io/$(OWNER)/$(NAME)"
+SOURCE0 = "$(NAME)-$(VERSION)-$(RELEASE).tar.gz"
 
+RPM_RPMDIR = $(shell rpm --eval '%{_rpmdir}')
 RPM_SBINDIR = $(shell rpm --eval '%{_sbindir}')
 RPM_SOURCEDIR = $(shell rpm --eval '%{_sourcedir}')
 RPM_SYSCONFDIR = $(shell rpm --eval '%{_sysconfdir}')
 RPM_UNITDIR = $(shell rpm --eval '%{_unitdir}')
-RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(NAME)-$(VERSION).tar.gz
+
+RPM_TARBALL_PATH = $(RPM_SOURCEDIR)/$(SOURCE0)
+RPM_BUILD_PATH = $(RPM_RPMDIR)/$(ARCH)/$(NAME)-$(VERSION)-$(RELEASE).$(ARCH).rpm
 
 .PHONY: name
 name:
@@ -16,20 +25,52 @@ name:
 version:
 	@echo "$(VERSION)"
 
+.PHONY: release
+release:
+	@echo "$(RELEASE)"
+
+.PHONY: arch
+arch:
+	@echo "$(ARCH)"
+
+.PHONY: owner
+owner:
+	@echo "$(OWNER)"
+
+.PHONY: summary
+summary:
+	@echo "$(SUMMARY)"
+
+.PHONY: license
+license:
+	@echo "$(LICENSE)"
+
+.PHONY: url
+url:
+	@echo "$(URL)"
+
+.PHONY: source0
+source0:
+	@echo "$(SOURCE0)"
+
+.PHONY: install
+install:
+	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SBINDIR)
+	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d files/nginx/0_security.conf files/nginx/z_default.conf
+	install --mode=600 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot files/certbot/ovh.ini
+	install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) files/systemd/certbot-renew.service files/systemd/certbot-renew.timer
+	install --mode=755 --target-directory=$(DESTDIR)$(RPM_SBINDIR) files/sbin/certbot_renew
+
 $(RPM_TARBALL_PATH): *
 	git archive --format=tar.gz \
 	            --output="$@" \
 	            --prefix="$(NAME)-$(VERSION)/" \
 	            --verbose \
-	            "$(BRANCH)"
+	            HEAD 
 
 .PHONY: tarball
 tarball: $(RPM_TARBALL_PATH)
 
-.PHONY: install
-install:
-	install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR) $(DESTDIR)$(RPM_SBINDIR)
-	install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d conf/nginx/0_security.conf conf/nginx/default.conf
-	install --mode=600 --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot conf/certbot/ovh.ini
-	install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) conf/systemd/certbot-renew.service conf/systemd/certbot-renew.timer
-	install --mode=755 --target-directory=$(DESTDIR)$(RPM_SBINDIR) conf/sbin/certbot_renew
+.PHONY: upload
+upload:
+	curl --fail-with-body --upload-file "$(RPM_BUILD_PATH)" --user "$(OWNER):$(PKG_TOKEN)" https://git.netoik.io/api/packages/$(OWNER)/rpm/upload

README.md

@@ -1,3 +1,88 @@
-# netoik-rp
+# Netoïk reverse proxy ![badge](https://git.netoik.io/samuel/netoik-rp/actions/workflows/ci.yaml/badge.svg)
 
-Netoïk reverse proxy
+Build an RPM package which will install several tools.
+
+- `Nginx` with:
+    - ssl settings
+    - security headers
+    - default site configuration
+
+
+- `Certbot` certificates with:
+    - ovh configuration to renew certs
+    - a command tool certbot_renew
+    - a systemctl certbot renew timer
+
+
+# Development
+
+A `Makefile` is integrated to let you run some basic commands.
+
+- To display some information about the project
+  ```shell
+  make name
+  make version
+  make release
+  make build_arch
+  ```
+
+- To build a tarball:
+  ```shell
+  make tarball 
+  ```
+  
+- To build a rpm package:
+  ```shell
+  rpmbuild -ba netoik-rp.spec
+  ```
+  
+- To upload rpm package to Gitea repository
+(env vars `GIT_PACKAGES_USERNAME` and `GIT_PACKAGES_TOKEN` needed):
+  ```shell
+  make upload
+  ```
+
+
+# CI / CD
+
+Two workflows are set up.
+
+- Continuous Integration:
+  - triggered by each push on branch `main`
+  - runs shellcheck on script `certbot_renew`
+  - builds tarball and rpm package to test everything is OK
+
+
+- Continuous Delivery:
+  - triggered by each tag pushed
+  - builds tarball
+  - builds and uploads rpm package to `Gitea` repository
+
+
+# Deployment
+
+Some commands to deploy the RPM package on server
+
+- To add Gitea repo to your repo list:
+  ```shell
+  dnf config-manager --add-repo https://git.netoik.io/api/packages/samuel/rpm.repo
+  dnf repolist | grep gitea-samuel
+  ```
+  
+- To show available versions:
+  ```shell
+  dnf --showduplicates netoik-rp
+  ```
+  
+- To install or upgrade:
+  ```shell
+  dnf --nogpgcheck install netoik-rp
+  dnf --nogpgcheck upgrade netoik-rp
+  ```
+
+
+# Security Notes
+
+For security reasons, act runners does not have sudo privileges and so there is:
+- **no** Continuous Deployment because act runners cannot use `dnf`
+- **no** GPG signing because act runners cannot use `gpg`

files/nginx/0_security.conf

@@ -14,12 +14,15 @@ resolver                     127.0.0.1;
 
 # Add some basic security headers from OWASP
 # see: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html
+# And Nextcloud doc
+# see: https://docs.nextcloud.com/server/31/admin_manual/installation/harden_server.html
 add_header                   Strict-Transport-Security            "max-age=63072000; includeSubDomains; preload;"                                      always;
-add_header                   X-Frame-Options                "DENY"                                                               always;
-add_header                   X-XSS-Protection               "0"                                                                  always;
+add_header                   X-Frame-Options                      "sameorigin"                                                                         always;
+add_header                   X-XSS-Protection                     "1;mode=block"                                                                       always;
 add_header                   X-Content-Type-Options               "nosniff"                                                                            always;
+add_header                   X-Permitted-Cross-Domain-Policies    "none"                                                                               always;
 add_header                   Referrer-Policy                      "strict-origin-when-cross-origin"                                                    always;
-add_header                   Content-Security-Policy        "default-src 'self'; frame-ancestors 'self'; form-action 'self';"    always;
+add_header                   Content-Security-Policy              "default-src 'self' 'unsafe-inline' data:; frame-ancestors 'self'; form-action 'self';"    always;
 add_header                   Cross-Origin-Opener-Policy           "same-origin"                                                                        always;
 add_header                   Cross-Origin-Resource-Policy         "same-site"                                                                          always;
 add_header                   Permissions-Policy                   "geolocation=(), camera=(), microphone=()"                                           always;

files/sbin/certbot_renew

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
 
-/usr/bin/env sleep $(($RANDOM % 3600));
+sleep $((RANDOM % 3600));
 /opt/certbot/bin/pip install --upgrade certbot certbot-nginx certbot-dns-ovh
-/usr/bin/env certbot renew
+certbot renew --cert-name netoik.io

netoik-rp.spec

@@ -2,13 +2,13 @@
 
 Name:           %(make name)
 Version:        %(make version)
-Release:        1%{?dist}
-Summary:        Netoik Reverse Proxy
-License:        MIT
-URL:            https://git.netoik.io/samuel/netoik-rp
+Release:        %(make release)
+Summary:        %(make summary)
+License:        %(make license)
+URL:            %(make url)
 
-Source0:        %{name}-%{version}.tar.gz
-Buildarch:      noarch
+Source0:        %(make source0)
+Buildarch:      %(make arch)
 BuildRequires:  make
 Requires:       nginx python3 python-devel (augeas-devel or augeas-libs) gcc openssl
 
@@ -23,46 +23,46 @@ Install the reverse proxy called nginx with a predefined configuration and with
 
 %post
 # Replace secrets in ovh.ini
-%{_bindir}/env envsubst < %{_sysconfdir}/certbot/ovh.ini > %{_sysconfdir}/certbot/.ovh.ini.new
-if %{_bindir}/env cmp --silent %{_sysconfdir}/certbot/.ovh.ini.new %{_sysconfdir}/certbot/ovh.ini; then
-	%{_bindir}/env rm %{_sysconfdir}/certbot/.ovh.ini.new
+envsubst < %{_sysconfdir}/certbot/ovh.ini > %{_sysconfdir}/certbot/.ovh.ini.new
+if cmp --silent %{_sysconfdir}/certbot/.ovh.ini.new %{_sysconfdir}/certbot/ovh.ini; then
+	rm %{_sysconfdir}/certbot/.ovh.ini.new
 else
-	%{_bindir}/env mv %{_sysconfdir}/certbot/.ovh.ini.new %{_sysconfdir}/certbot/ovh.ini
-	%{_bindir}/env chmod 600 %{_sysconfdir}/certbot/ovh.ini
+	mv %{_sysconfdir}/certbot/.ovh.ini.new %{_sysconfdir}/certbot/ovh.ini
+	chmod 600 %{_sysconfdir}/certbot/ovh.ini
 fi
 
 # Create virtualenv with certot
 if [ ! -d "/opt/certbot" ]; then
-	%{_bindir}/env python3 -m venv /opt/certbot
+	python3 -m venv /opt/certbot
 	/opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
-	%{_bindir}/env ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
+	ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
 fi
 
 # Create certbot certificates
-if [ ! -d "%{_sysconfdir}/letsencrypt/live/netoik.io" ] || [ ! -d "%{_sysconfdir}/letsencrypt/live/samuel-campos.fr" ]; then
-	%{_bindir}/env certbot certonly --non-interactive --agree-tos --email "samuel.campos@netoik.io" --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
+if ! certbot certificates --cert-name netoik.io | grep --quiet netoik.io; then
+	certbot certonly --cert-name netoik.io --non-interactive --agree-tos --email samuel.campos@netoik.io --dns-ovh --dns-ovh-credentials %{_sysconfdir}/certbot/ovh.ini -d *.netoik.io -d *.samuel-campos.fr
 fi
 
 # Create ssl dh params if not already exists
 if [ ! -f "%{_sysconfdir}/letsencrypt/ssl-dhparams.pem" ]; then
-	%{_bindir}/env openssl dhparam -out %{_sysconfdir}/letsencrypt/ssl-dhparams.pem 2048
+	openssl dhparam -out %{_sysconfdir}/letsencrypt/ssl-dhparams.pem 2048
 fi
 
 # Restart services
-%{_bindir}/env systemctl daemon-reload
-%{_bindir}/env systemctl reenable --now nginx.service certbot-renew.timer
+systemctl daemon-reload
+systemctl reenable --now nginx.service certbot-renew.timer
 
 %postun
 # Remove folders after uninstall
 if [ $1 == 0 ]; then
-  %{_bindir}/env rm --recursive --force /opt/certbot
-  %{_bindir}/env rm --recursive --force %{_sysconfdir}/certbot
-  %{_bindir}/env rm --recursive --force %{_sysconfdir}/letsencrypt
+  /opt/certbot/bin/certbot delete --cert-name netoik.io --non-interactive
+	rm --recursive --force /opt/certbot
+  rm --recursive --force %{_sysconfdir}/certbot
 fi
 
 %files
 %attr(644, root, root) %{_sysconfdir}/nginx/conf.d/0_security.conf
-%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/default.conf
+%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/z_default.conf
 
 %attr(755, root, root) %dir %{_sysconfdir}/certbot
 %attr(600, root, root) %{_sysconfdir}/certbot/ovh.ini
@@ -74,7 +74,6 @@ fi
 
 %ghost %attr(755, root, root) %dir /opt/certbot
 %ghost %attr(755, root, root) %{_sbindir}/certbot
-%ghost %attr(755, root, root) %dir %{_sysconfdir}/letsencrypt
 %ghost %attr(644, root, root) %{_sysconfdir}/letsencrypt/ssl-dhparams.pem
 
 %changelog