Add vhost for community.cacert.org on webstatic

This VirtualHost definition will be proxied from email.cacert.org that
will terminate the TLS connection too. A git hook for publishing the
content of the https://git.cacert.org/cacert-community-website.git
repository will be added.

1 files changed, 29 insertions, 0 deletions

diff --git a/hieradata/nodes/webstatic.yaml b/hieradata/nodes/webstatic.yaml
index 21bf5fe..d37a582 100644
--- a/hieradata/nodes/webstatic.yaml
+++ b/hieradata/nodes/webstatic.yaml
@@ -143,6 +143,35 @@ profiles::static_websites::apache_vhosts:
       - 'set Pragma "no-cache"'
       - 'set Expires "-1"'
       - 'set X-Permitted-Cross-Domain-Policies "master-only"'
+  'community.cacert.org':
+    port: 80
+    access_log: true
+    access_log_format: "combined"
+    error_log: true
+    log_level: "warn"
+    docroot: "/var/www/community.cacert.org"
+    docroot_owner: "git"
+    docroot_mode: "0755"
+    directoryindex:
+      - "index.html"
+    directories:
+      -
+        path: "/var/www/community.cacert.org"
+        options:
+          - "-Includes"
+          - "-Indexes"
+          - "-FollowSymLinks"
+          - "-MultiViews"
+        require: "all granted"
+    headers:
+      - 'set X-Frame-Options "sameorigin"'
+      - 'set Strict-Transport-Security "max-age=31536000; includeSubDomains"'
+      - 'set X-XSS-Protection "1; mode=block"'
+      - 'set Cache-Control "no-cache, no-store, must-revalidate"'
+      - 'set Pragma "no-cache"'
+      - 'set Expires "-1"'
+      - 'set X-Permitted-Cross-Domain-Policies "master-only"'
+      - "set Content-Security-Policy \"default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'; connect-src 'self';\""
   'infradocs.cacert.org':
     port: 80
     access_log: true