From ccf6b10a0e9a3b2ac17fc3f2b0420dece04f868c Mon Sep 17 00:00:00 2001
From: Kris Lamoureux
Date: Wed, 26 Mar 2025 22:07:06 -0400
Subject: [PATCH] Add GPG key and reorganize dockerbox configuration

- Add new primary GPG key in dev config for compose repos
- Slight reorganization of the dockerbox production playbook
- Remove group management in the docker role
- Move HSTS inside the location block
- Add git ignore entry for .ansible files
- Add X-Forwarded-Proto proxy header
---
 .gitignore | 3 ++-
 dev/host_vars/dockerbox.yml | 4 ++++
 playbooks/dockerbox.yml | 6 +++---
 roles/proxy/templates/server-nginx.conf.j2 | 7 ++++---
 4 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/.gitignore b/.gitignore
index 554695e..5d88310 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
+.ansible*
+/environments/
 .playbook
 .vagrant*
 .vscode
-/environments/
\ No newline at end of file
diff --git a/dev/host_vars/dockerbox.yml b/dev/host_vars/dockerbox.yml
index 210a7b7..e09db03 100644
--- a/dev/host_vars/dockerbox.yml
+++ b/dev/host_vars/dockerbox.yml
@@ -4,8 +4,12 @@ manage_network: false
 
 # Import my GPG key for git signature verification
 root_gpgkeys:
+ - name: kris@lamoureux.io
+ id: 42A3A92C5DA0F3E5F71A3710105B748C1362EB96
+ # Older key, but still in use
 - name: kris@lamoureux.io
 id: FBF673CEEC030F8AECA814E73EDA9C3441EDA925
+ server: keyserver.ubuntu.com
 
 # proxy
 proxy:
diff --git a/playbooks/dockerbox.yml b/playbooks/dockerbox.yml
index 15fc95c..fc17097 100644
--- a/playbooks/dockerbox.yml
+++ b/playbooks/dockerbox.yml
@@ -3,9 +3,9 @@
 become: true
 roles:
 - base
+ - jenkins
 - docker
+ - mariadb
 - traefik
 - nextcloud
- - jenkins
- - prometheus
- - nginx
+ - proxy
diff --git a/roles/proxy/templates/server-nginx.conf.j2 b/roles/proxy/templates/server-nginx.conf.j2
index ca33a6d..e89bd3f 100644
--- a/roles/proxy/templates/server-nginx.conf.j2
+++ b/roles/proxy/templates/server-nginx.conf.j2
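Review bot: In the dev/host_vars/dockerbox.yml hunk the new key entry has no `server:` while the older entry below it gains `server: keyserver.ubuntu.com`, so the two keys would be fetched from different places, the new one from whatever the role defaults to, which is not visible in this patch. If that is deliberate, a comment on the new entry saying where it is retrieved from would settle it; otherwise add `server: keyserver.ubuntu.com` to the new entry as well. Both entries share `name: kris@lamoureux.io`, which may collide if the role uses name as a unique key, so that is worth confirming against the role. Pinning the full 40-hex fingerprint in `id` is the right choice, since a lookup by short id can return a different key with the same suffix.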
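Review bot: The playbooks/dockerbox.yml hunk moves `jenkins` ahead of `docker` and drops `prometheus` entirely, neither of which the commit message explains beyond "slight reorganization"; if the jenkins role relies on the docker daemon or group (the message mentions removing group management in the docker role, but no hunk for that role is in this patch), the new order could break a fresh run. A comment on the role list such as `# jenkins before docker: <reason>` and a line in the description about the prometheus removal would record the intent. `nginx` is replaced by `proxy` here while only `roles/proxy/templates/...` is touched, so the role directory rename presumably already exists in the tree; worth confirming.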
@@ -28,13 +28,13 @@ server {
 ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
 ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
 {% endif %}
-{% if item.hsts is defined %}
- add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
-{% endif %}
 {% if item.client_max_body_size is defined %}
 client_max_body_size {{ item.client_max_body_size }};
 {% endif %}
 location / {
+{% if item.hsts is defined %}
+ add_header Strict-Transport-Security "max-age={{ item.hsts }}" always;
+{% endif %}
 {% if item.allowedips is defined %}
 {% for ip in item.allowedips %}
 allow {{ ip }};
@@ -49,6 +49,7 @@ server {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
 proxy_pass {{ item.proxy_pass }};
 {% if item.proxy_ssl_verify is defined and item.proxy_ssl_verify is false %}
 proxy_ssl_verify off;
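Review bot: Moving the Strict-Transport-Security `add_header` into `location /` means responses that never enter that location (any other `location` this server defines, or server-level redirects and error handling) lose the header, since nginx applies `add_header` only from the innermost level that sets one. The commit message does not say why the header was moved; if the intent is to keep it off a plain-HTTP listener, gating it on the TLS condition at server level would keep the whole server covered. If the per-location scope is intentional, a comment above the moved block, `# HSTS set per-location on purpose: other locations must repeat it`, would stop the next editor from pulling it back out. The enclosing `server {` block starts before and continues after the hunk, so I cannot see whether other locations exist.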
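Review bot: `proxy_set_header X-Forwarded-Proto $scheme;` is the right value for a TLS-terminating proxy, but many upstreams honor this header for URL generation and secure-cookie decisions, so it is only trustworthy if the service behind `{{ item.proxy_pass }}` is reachable solely through this proxy, which the template cannot enforce on its own. A short comment on the new line, `# upstream must only accept this header from the proxy`, records that assumption for whoever wires up the next service. The surrounding location block begins and ends outside the hunk.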