sync roles with changes from OWS

roles/webserver/meta/main.yml

@@ -2,7 +2,7 @@
 dependencies:
   - role: rclone
   - role: nginx
-#  - role: nginx_exporter
+  - role: nginx_exporter
   - role: php
-#  - role: php_fpm_exporter
+  - role: php_fpm_exporter
   - role: redis

roles/webserver/tasks/main.yml

@@ -1,4 +1,5 @@
 ---
+
 - name: Mount Volume
   import_tasks: volume.yml
 

roles/webserver/tasks/nginx.yml

@@ -29,7 +29,7 @@
     state: directory
     mode: "0755"
 
-- name: Copy SSL certificates for {{ webserver_domain }}
+- name: "Copy SSL certificates for {{ webserver_domain }}"
   copy:
     remote_src: true
     # make sure that ssl certs are available

roles/webserver/tasks/volume.yml

@@ -9,8 +9,9 @@
 
 - name: Creates mount directory
   file:
-    path: "{{ hcloud_webserver_volume_path }}"
     state: directory
+    path: "{{ hcloud_webserver_volume_path }}"
+    mode: "0755"
     force: false
 
 - name: Mount hcloud volume

roles/webserver/templates/conf.d/cloud.conf.j2

@@ -22,7 +22,10 @@ server {
 server {
     listen 443 ssl;
     listen [::]:443 ssl;
-    http2 on;
+    # Enable QUIC and HTTP/3.
+    listen 443 quic;
+    listen [::]:443 quic;
+
     server_name {{ nextcloud_domain_name }} www.{{ nextcloud_domain_name }};
     include global/cert.conf;
 
@@ -35,7 +38,7 @@ server {
     # will add the domain to a hardcoded list that is shipped
     # in all major browsers and getting removed from this list
     # could take several months.
-    add_header Strict-Transport-Security "max-age=63072000" always;
+    add_header Strict-Transport-Security "max-age=15768000; preload" always;
 
     # set max upload size and increase upload timeout:
     client_max_body_size {{ nextcloud_max_upload_size }};
@@ -68,6 +71,10 @@ server {
     add_header X-Robots-Tag                      "noindex, nofollow" always;
     add_header X-XSS-Protection                  "1; mode=block"     always;
 
+    # Add Alt-Svc header to negotiate HTTP/3.
+    add_header Alt-Svc 'h2=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400' always;
+    add_header x-quic 'h3' always;
+
     # Remove X-Powered-By, which is an information leak
     fastcgi_hide_header X-Powered-By;
 

roles/webserver/templates/conf.d/twirling.conf.j2

@@ -9,9 +9,17 @@ server {
 }
 
 server {
-    # Enable HTTP/2
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    http2 on;
+    # Enable QUIC and HTTP/3.
+    listen 443 quic reuseport default_server;
+    listen [::]:443 quic reuseport default_server;
+    http3 on;
+    http3_hq on;
+    quic_retry on;
+    quic_gso on;
+
     server_name {{ webserver_domain }} www.{{ webserver_domain }};
     include global/cert.conf;
     include global/header.conf;

roles/webserver/templates/header.conf.j2

@@ -44,14 +44,17 @@ add_header X-XSS-Protection "1; mode=block" always;
 # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
 # directives for css and js(if you have inline css or js, you will need to keep it too).
 # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
-#add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src to 'none'; frame-ancestors 'self' https://*.twirling.de https://twirling.de";
+#add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline' font-src 'self'; frame-src ; object-src 'none'";
+add_header Content-Security-Policy "frame-ancestors 'self' https://*.{{ webserver_domain }} https://{{ webserver_domain }}";
 
 #add_header Referrer-Policy no-referrer;
 add_header Referrer-Policy "no-referrer" always;
 
-add_header Feature-Policy "accelerometer 'none'; autoplay 'self'; geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self' https://*.twirling.de; microphone 'self'; camera 'self'; magnetometer 'none'; gyroscope 'none'; speaker 'self'; vibrate 'self'; fullscreen 'self'; payment 'none'; usb 'none'";
-add_header Permissions-Policy "geolocation=(self);midi=();notifications=(self);push=(self);sync-xhr=(self 'https://*.twirling.de');microphone=(self);camera=(self);magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=()";
+add_header Feature-Policy "accelerometer 'none'; autoplay 'self'; geolocation 'self'; midi 'none'; notifications 'self'; push 'self'; sync-xhr 'self' https://*.{{ webserver_domain }}; microphone 'self'; camera 'self'; magnetometer 'none'; gyroscope 'none'; speaker 'self'; vibrate 'self'; fullscreen 'self'; payment 'none'; usb 'none'";
+add_header Permissions-Policy "geolocation=(self);midi=();notifications=(self);push=(self);sync-xhr=(self 'https://*.{{ webserver_domain }}');microphone=(self);camera=(self);magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=()";
+
+add_header X-Robots-Tag "noindex, noimageindex, nofollow, nosnippet, noarchive" always;
 
 # Add Alt-Svc header to negotiate HTTP/3.
-#add_header Alt-Svc 'quic=":443"'; # Advertise that QUIC is available
-#add_header QUIC-Status $quic;     # Sent when QUIC was used
+add_header Alt-Svc 'h2=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400' always;
+add_header x-quic 'h3' always;