conf.archlinux.org: add static subdomain for content

Add a new subdomain for the static content (videos,photos) of our Arch Linux Conference so it is independent of the the conf.archlinux.org url routing.

conf.archlinux.org: add static subdomain for content
Add a new subdomain for the static content (videos,photos) of our Arch Linux Conference so it is independent of the the conf.archlinux.org url routing.
95f9b7de · Jelle van der Waa · c05b177e · 95f9b7de · 95f9b7de · 95f9b7de
Commit 95f9b7de authored Nov 06, 2019 by Jelle van der Waa 🚧
--- a/roles/conf.archlinux.org/defaults/main.yml
+++ b/roles/conf.archlinux.org/defaults/main.yml
@@ -3,4 +3,6 @@
 conference_user: confweb
 conference_git: https://github.com/archlinux/conf.archlinux.org.git
 conference_domain: conf.archlinux.org
+static_conference_domain: static.conf.archlinux.org
 conference_dir: /srv/http/{{ conference_domain }}
+static_conference_dir: /srv/http/{{ static_conference_domain }}
--- a/roles/conf.archlinux.org/tasks/main.yml
+++ b/roles/conf.archlinux.org/tasks/main.yml
@@ -16,6 +16,9 @@
 - name: fix home permissions
  file: state=directory owner={{ conference_user }} group={{ conference_user }} path="{{ conference_dir }}"

+- name: create static conf.archlinux.org dir
+  file: state=directory owner={{ conference_user }} group={{ conference_user }} path="{{ static_conference_dir }}"
+
 - name: generate conf.archlinux.org site
  command: hugo
  become_user: "{{conference_user}}"
@@ -26,11 +29,23 @@
 - name: create ssl cert
  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{letsencrypt_validation_dir}} -d '{{ conference_domain }}' creates='/etc/letsencrypt/live/{{ conference_domain }}/fullchain.pem'

+- name: create ssl cert
+  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{letsencrypt_validation_dir}} -d '{{ static_conference_domain }}' creates='/etc/letsencrypt/live/{{ static_conference_domain }}/fullchain.pem'
+
 - name: make nginx log dir
  file: path=/var/log/nginx/{{ conference_domain }} state=directory owner=root group=root mode=0755

+- name: make nginx log dir
+  file: path=/var/log/nginx/{{ static_conference_domain }} state=directory owner=root group=root mode=0755
+
 - name: set up nginx
  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/conf.archlinux.org.conf owner=root group=root mode=0644
  notify:
    - reload nginx
  tags: ['nginx']
+
+- name: set up nginx
+  template: src=static.nginx.d.conf.j2 dest=/etc/nginx/nginx.d/static.conf.archlinux.org.conf owner=root group=root mode=0644
+  notify:
+    - reload nginx
+  tags: ['nginx']
--- a/roles/conf.archlinux.org/templates/static.nginx.d.conf.j2
+++ b/roles/conf.archlinux.org/templates/static.nginx.d.conf.j2
+server {
+    listen       80;
+    listen       [::]:80;
+    server_name  {{ static_conference_domain }};
+
+    access_log   /var/log/nginx/{{ static_conference_domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ static_conference_domain }}/error.log;
+
+    include snippets/letsencrypt.conf;
+
+    location / {
+        access_log off;
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+server {
+    listen       443 ssl http2;
+    listen       [::]:443 ssl http2;
+    server_name  {{ static_conference_domain }};
+
+    access_log   /var/log/nginx/{{ static_conference_domain }}/access.log reduced;
+    error_log    /var/log/nginx/{{ static_conference_domain }}/error.log;
+
+    ssl_certificate      /etc/letsencrypt/live/{{ static_conference_domain }}/fullchain.pem;
+    ssl_certificate_key  /etc/letsencrypt/live/{{ static_conference_domain }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ static_conference_domain }}/chain.pem;
+
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Xss-Protection "1; mode=block" always;
+    add_header Referrer-Policy "same-origin";
+    add_header Feature-Policy "geolocation 'none' ;midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; fullscreen 'none'; payment 'none';";
+    add_header Content-Security-Policy "default-src 'self';";
+    add_header X-Content-Type-Options "nosniff" always;
+
+    # Apply HSTS header again, since adding a header removes previous headers
+    add_header Strict-Transport-Security $hsts_header;
+
+    autoindex on;
+
+    location /2019 {
+        return 301 $scheme://$server_name;
+    }
+
+    root {{ static_conference_dir }}/;
+}