From c00c75d310e2afea3b521e8a4b90e800ab4f9ff2 Mon Sep 17 00:00:00 2001
From: heqnx
Date: Thu, 2 Oct 2025 13:08:58 +0300
Subject: initial commit
---
 templates/cockpit.conf.j2 | 9 +++++
 templates/nginx.conf.j2 | 83 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 92 insertions(+)
 create mode 100644 templates/cockpit.conf.j2
 create mode 100644 templates/nginx.conf.j2
(limited to 'templates')
diff --git a/templates/cockpit.conf.j2 b/templates/cockpit.conf.j2
new file mode 100644
index 0000000..e1cf026
--- /dev/null
+++ b/templates/cockpit.conf.j2
@@ -0,0 +1,9 @@
+[WebService]
+Origins = https://{{ansible_host}}
+ProtocolHeader = X-Forwarded-Proto
+ForwardedForHeader = X-Forwarded-For
+
+[Session]
+IdleTimeout = 15
+LoginTo = false
+AllowMultiHost = false
diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2
new file mode 100644
index 0000000..60c8cd4
--- /dev/null
+++ b/templates/nginx.conf.j2
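Review bot: `ProtocolHeader` and `ForwardedForHeader` make cockpit-ws believe whatever `X-Forwarded-Proto`/`X-Forwarded-For` values it receives, and nothing in this commit restricts cockpit-ws to loopback, so if port 9090 remains reachable on the host's public interfaces a direct client can claim an HTTPS connection and an arbitrary source address (cockpit.conf(5) says both options should only be used when incoming requests cannot set those headers). Either add a cockpit.socket drop-in with `ListenStream=127.0.0.1:9090` (or an equivalent firewall rule) to the role, or state the precondition in the template, e.g. `# cockpit-ws must be reachable only through the local nginx proxy: these two headers are trusted unconditionally`. Also, `Origins` correctly lists only the https origin, but the nginx template in this same commit serves the UI on plain port 80 as well, where the browser's WebSocket Origin will be http://… and be rejected — a second reason to redirect port 80 rather than proxy it.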
@@ -0,0 +1,83 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 1024;
+ multi_accept on;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log warn;
+
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_min_length 256;
+ gzip_types
+ text/plain
+ text/css
+ application/json
+ application/javascript
+ text/xml
+ application/xml
+ application/xml+rss
+ text/javascript
+ image/svg+xml;
+
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name {{ansible_host}};
+
+ ssl_certificate /etc/cockpit/ws-certs.d/0-self-signed.cert;
+ ssl_certificate_key /etc/cockpit/ws-certs.d/0-self-signed.key;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers off;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+
+ location / {
+ proxy_pass http://127.0.0.1:9090/;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+
+ gzip off;
+ }
+
+ access_log /var/log/nginx/cockpit-access.log;
+ error_log /var/log/nginx/cockpit-error.log warn;
+ }
+}
-- cgit v1.2.3
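Review bot: `listen 80;` shares the proxying server block with `listen 443 ssl;`, so a client arriving on port 80 is served the Cockpit login page and posts its credentials in plaintext to the proxy; the HSTS header only protects repeat HTTPS visitors and nothing here redirects to HTTPS. Move port 80 into a separate server that only returns a 301 to `https://$host$request_uri`, as sketched below. Two smaller points in the same block: `ssl_ciphers HIGH:!aNULL:!MD5` still admits RSA-key-exchange and CBC suites without forward secrecy on TLS 1.2, so an explicit ECDHE/AEAD list is preferable, and `X-Forwarded-For $proxy_add_x_forwarded_for` appends to any client-supplied header rather than replacing it, so unless a trusted upstream proxy is expected use `$remote_addr` there so that cockpit-ws (configured in this commit to trust that header) cannot be handed a spoofed address. `X-XSS-Protection "1; mode=block"` is a deprecated header that current browsers ignore and that has been abused for cross-site leaks; set it to `0` or drop it.
```nginx
    # … unchanged: gzip settings …

    # Plain HTTP only redirects; nothing is proxied to cockpit-ws without TLS.
    server {
        listen 80;
        server_name {{ansible_host}};
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name {{ansible_host}};
        # … unchanged: ssl_certificate / ssl_certificate_key / ssl_protocols …
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        # … unchanged: session settings and add_header lines, minus X-XSS-Protection …

        location / {
            proxy_pass http://127.0.0.1:9090/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # Replace, do not append: cockpit-ws trusts this header verbatim.
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            # … unchanged: websocket upgrade, buffering, gzip off …
        }
        # … unchanged: per-server logs …
    }
```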