From b68232cea42ef0ce60d0ce1fec662b1469c4379e Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Mon, 4 Jun 2018 14:00:55 +0200
Subject: [PATCH] hackmd: improve (csp, hsts, version bump) and start to use vault

---
 group_vars/{all => all/vars.yml}      | 1 +
 group_vars/all/vault.yml              | 7 +++++++
 roles/hackmd/defaults/main.yml        | 2 +-
 roles/hackmd/{meta_ => meta}/main.yml | 0
 roles/hackmd/templates/config.json.j2 | 8 +++++---
 5 files changed, 14 insertions(+), 4 deletions(-)
 rename group_vars/{all => all/vars.yml} (98%)
 create mode 100644 group_vars/all/vault.yml
 rename roles/hackmd/{meta_ => meta}/main.yml (100%)

diff --git a/group_vars/all b/group_vars/all/vars.yml
similarity index 98%
rename from group_vars/all
rename to group_vars/all/vars.yml
index 54abf5b..02a55ad 100644
--- a/group_vars/all
+++ b/group_vars/all/vars.yml
@@ -11,6 +11,7 @@ hackmd_domain: pad.binary-kitchen.de
 hackmd_dbname: hackmd
 hackmd_dbuser: hackmd
 hackmd_dbpass: oepaich3haob7AoY
+hackmd_secret: "{{ vault_hackmd_secret }}"
 
 ldap_ca: /etc/ldap/ssl/BKCA.crt
 ldap_uri: ldaps://ldap.binary.kitchen/
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
new file mode 100644
index 0000000..44f9b72
--- /dev/null
+++ b/group_vars/all/vault.yml
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+64323839393830353266323861653938663862323663616135396166393532333030313465393563
+6666313061303232383533343362383134663730383761660a666339353639613037663134393334
+65633566363961663138616564353761353931666363613336316335643535363533306461343662
+3339383263396438640a616433336333626632326465363931616461356539656535626432383738
+33356462366339356164373539333636386230376665303561303864366232636463616339653731
+3537623933633964383538633261633133323136366433376232
diff --git a/roles/hackmd/defaults/main.yml b/roles/hackmd/defaults/main.yml
index 417bf28..90665de 100644
--- a/roles/hackmd/defaults/main.yml
+++ b/roles/hackmd/defaults/main.yml
@@ -1,3 +1,3 @@
 ---
-hackmd_version: 1.1.0-ce
+hackmd_version: 1.1.1-ce
 
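Review bot: The plaintext `hackmd_dbpass` on the context line directly above the new `hackmd_secret` stays in the unencrypted `vars.yml` while only the session secret moves to the vault; since the commit already introduces `group_vars/all/vault.yml`, the database password belongs there as well, e.g. `hackmd_dbpass: "{{ vault_hackmd_dbpass }}"`. A value that has already been committed in cleartext should be treated as disclosed and rotated when it is moved, because the old value remains in the git history. Quoting the Jinja expression as done for `hackmd_secret` is right, since an unquoted leading `{{` would be parsed by YAML as a flow mapping before Ansible renders it.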
diff --git a/roles/hackmd/meta_/main.yml b/roles/hackmd/meta/main.yml
similarity index 100%
rename from roles/hackmd/meta_/main.yml
rename to roles/hackmd/meta/main.yml
diff --git a/roles/hackmd/templates/config.json.j2 b/roles/hackmd/templates/config.json.j2
index 6c72855..9c56580 100644
--- a/roles/hackmd/templates/config.json.j2
+++ b/roles/hackmd/templates/config.json.j2
@@ -2,14 +2,16 @@
     "production": {
         "domain": "{{ hackmd_domain }}",
         "protocolUseSSL": true,
-        "_hsts": {
+        "allowFreeURL": true,
+        "sessionSecret": "{{ hackmd_secret }}",
+        "hsts": {
             "enable": true,
-            "maxAgeSeconds": "31536000",
+            "maxAgeSeconds": "2592000",
             "includeSubdomains": true,
             "preload": true
         },
         "csp": {
-            "enable": false,
+            "enable": true,
             "directives": {
             },
             "upgradeInsecureRequests": "auto",
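Review bot: Lowering `"maxAgeSeconds"` to `"2592000"` while keeping `"preload": true` in the newly activated `hsts` block is inconsistent: the HSTS preload list requires a max-age of at least one year (31536000 seconds), so the emitted header would not qualify for preload; either keep `"maxAgeSeconds": "31536000"` or drop `"preload": true` until a one-year max-age is intended. Separately, `"sessionSecret": "{{ hackmd_secret }}"` interpolates the vaulted value into JSON without escaping, so a secret containing `"` or `\` produces an invalid config file; `"sessionSecret": {{ hackmd_secret | to_json }},` is the safer form, and the same applies to the existing `hackmd_domain` line. Enabling `csp` with an empty `directives` object presumably relies on the application's built-in policy; confirm that the defaults in the pinned release cover the scripts and styles the instance serves. The `production` object continues past the end of the hunk.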