feat(securitytxt): initial role

roles/securitytxt/README.md

@@ -0,0 +1,22 @@
+# `famedly.base.securitytxt`
+
+Template a security.txt file (see [RFC 9116](https://www.rfc-editor.org/rfc/rfc9116)) and serves it using nginx.
+
+## Role variables
+
+- `securitytxt_expires`: mandatory, containing a timestamp, formatted as `%Y-%m-%d %H:%M:%S` when the file expires. Is treated as UTC.
+- `securitytxt_contacts`: mandatory, list of at least one string that contains URIs for how to contact the organisation
+- `securitytxt_preferred_languages`: optional, list of language tags
+- `securitytxt_acknowledgements`: optional, url where acknowledgements are published
+- `securitytxt_canonical`: optional, list of url where this file is expected to be served
+- `securitytxt_encryption`: optional, url where a PGP key can be obtained
+- `securitytxt_hiring`: optional, url where open security positions are published
+- `securitytxt_policy`: optional, url where the security policy is published
+
+## License
+
+AGPL-3.0-only
+
+## Author Information
+
+- Jan Christian Grünhage <jan.christian@gruenhage.xyz>

roles/securitytxt/defaults/main.yml

@@ -0,0 +1,21 @@
+---
+securitytxt_container_name: "securitytxt"
+
+securitytxt_container_image_reference: >-
+  {{
+    securitytxt_container_image_repository
+    + ':'
+    + securitytxt_container_image_tag | default('1-alpine')
+  }}
+securitytxt_container_image_repository: >-
+  {{
+    (
+      container_registries[securitytxt_container_image_registry]
+      | default(securitytxt_container_image_registry)
+    )
+    + '/'
+    + securitytxt_container_image_namespace | default('')
+    + securitytxt_container_image_name
+  }}
+securitytxt_container_image_registry: "docker.io"
+securitytxt_container_image_name: "nginx"

roles/securitytxt/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: "Deploy nginx for serving security.txt"
+  community.docker.docker_container:
+    name: "{{ securitytxt_container_name }}"
+    image: "{{ securitytxt_container_image_reference }}"
+    volumes:
+      - "/opt/securitytxt/security.txt:/usr/share/nginx/html/.well-known/security.txt:ro"
+    labels: "{{ securitytxt_container_labels }}"
+    recreate: true
+  listen: "recreate-securitytxt-webserver"

roles/securitytxt/meta/main.yml

@@ -0,0 +1,13 @@
+---
+galaxy_info:
+  author: Jan Christian Grünhage <jan.christian@gruenhage.xyz>
+  description: Templates a security.txt file and serves it using an nginx container
+  company: Famedly GmbH
+  license: AGPL-3.0-only
+  min_ansible_version: "2.13"
+  platforms:
+    - name: Debian
+      versions:
+        - bullseye
+  galaxy_tags: []
+dependencies: []

roles/securitytxt/tasks/main.yml

@@ -0,0 +1,37 @@
+---
+- name: Check that role variables are configured correctly
+  ansible.builtin.assert:
+    that:
+      - securitytxt_contacts | length >= 1
+      - (securitytxt_expires | to_datetime) > now()
+
+- name: "Create securitytxt webroot"
+  ansible.builtin.file:
+    state: "directory"
+    path: "/opt/securitytxt"
+    mode: "0755"
+  tags: ["prepare", "prepare-securitytxt"]
+
+- name: "Template security.txt"
+  ansible.builtin.template:
+    src: "security.txt.j2"
+    dest: "/opt/securitytxt/security.txt"
+    mode: "0644"
+  notify: "recreate-securitytxt-webserver"
+  tags: ["deploy", "deploy-securitytxt"]
+
+- name: "Ensure nginx container image is present"
+  community.docker.docker_image:
+    name: "{{ securitytxt_container_image_reference }}"
+    source: "pull"
+    state: "present"
+  tags: ["prepare", "prepare-securitytxt"]
+
+- name: "Deploy nginx for serving security.txt"
+  community.docker.docker_container:
+    name: "{{ securitytxt_container_name }}"
+    image: "{{ securitytxt_container_image_reference }}"
+    volumes:
+      - "/opt/securitytxt/security.txt:/usr/share/nginx/html/.well-known/security.txt:ro"
+    labels: "{{ securitytxt_container_labels }}"
+  tags: ["deploy", "deploy-securitytxt"]

roles/securitytxt/templates/security.txt.j2

@@ -0,0 +1,37 @@
+Expires: {{ '%Y-%m-%dT%H:%M:%Sz' | strftime((securitytxt_expires | to_datetime).timestamp()) }}
+
+{% for contact in securitytxt_contacts %}
+Contact: {{ contact }}
+{% endfor %}
+
+{%- if securitytxt_preferred_languages is defined %}
+
+Preferred-Languages: {{ securitytxt_preferred_languages | join(', ') }}
+{% endif %}
+
+{%- if securitytxt_acknowledgments is defined %}
+
+Acknowledgments: {{ securitytxt_acknowledgments }}
+{% endif %}
+
+{%-  if securitytxt_canonical is defined %}
+
+{% for canonical in securitytxt_canonical %}
+Canonical: {{ canonical }}
+{% endfor %}
+{% endif %}
+
+{%- if securitytxt_encryption is defined %}
+
+Encryption: {{ securitytxt_encryption }}
+{% endif %}
+
+{%- if securitytxt_hiring is defined %}
+
+Hiring: {{ securitytxt_hiring }}
+{% endif %}
+
+{%-  if securitytxt_policy is defined %}
+
+Policy: {{ securitytxt_policy }}
+{% endif %}