Add GPG key and reorganize dockerbox configuration

- Add new primary GPG key in dev config for compose repos
- Slight reorganization of the dockerbox production playbook
- Remove group management in the docker role
- Move HSTS inside the location block
- Add git ignore entry for .ansible files
- Add X-Forwarded-Proto proxy header
This commit is contained in:
Kris Lamoureux 2025-03-26 22:07:06 -04:00
parent bd8eca0466
commit ccf6b10a0e
Signed by: kris
GPG Key ID: 105B748C1362EB96
4 changed files with 13 additions and 7 deletions

3
.gitignore vendored
View File

@ -1,4 +1,5 @@
.ansible*
/environments/
.playbook
.vagrant*
.vscode
/environments/

View File

@ -4,8 +4,12 @@ manage_network: false
# Import my GPG key for git signature verification
root_gpgkeys:
- name: kris@lamoureux.io
id: 42A3A92C5DA0F3E5F71A3710105B748C1362EB96
# Older key, but still in use
- name: kris@lamoureux.io
id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
server: keyserver.ubuntu.com
# proxy
proxy:

View File

@ -3,9 +3,9 @@
become: true
roles:
- base
- jenkins
- docker
- mariadb
- traefik
- nextcloud
- jenkins
- prometheus
- nginx
- proxy

View File

@ -28,13 +28,13 @@ server {
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
{% endif %}
{% if item.hsts is defined %}
add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
{% endif %}
{% if item.client_max_body_size is defined %}
client_max_body_size {{ item.client_max_body_size }};
{% endif %}
location / {
{% if item.hsts is defined %}
add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
{% endif %}
{% if item.allowedips is defined %}
{% for ip in item.allowedips %}
allow {{ ip }};
@ -49,6 +49,7 @@ server {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass {{ item.proxy_pass }};
{% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
proxy_ssl_verify off;