From d93be536ff345e7091d9d8ddd8550d53c6f69fcc Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Tue, 19 Oct 2021 15:07:42 -0700
Subject: [PATCH] proxies: add security.txt file
Per https://securitytxt.org/ and https://datatracker.ietf.org/doc/html/draft-foudil-securitytxt-12 This is a basic 2 liner, we can expand on it later.
Signed-off-by: Kevin Fenzi
---
 playbooks/include/proxies-miscellaneous.yml | 4 ++++
 roles/security.txt/files/security-txt.conf | 1 +
 roles/security.txt/files/security.txt | 2 ++
 roles/security.txt/tasks/main.yml | 13 +++++++++++++
 4 files changed, 20 insertions(+)
 create mode 100644 roles/security.txt/files/security-txt.conf
 create mode 100644 roles/security.txt/files/security.txt
 create mode 100644 roles/security.txt/tasks/main.yml
diff --git a/playbooks/include/proxies-miscellaneous.yml b/playbooks/include/proxies-miscellaneous.yml
index 682fac2cb5..8e00090979 100644
--- a/playbooks/include/proxies-miscellaneous.yml
+++ b/playbooks/include/proxies-miscellaneous.yml
@@ -59,3 +59,7 @@
 - role: pkgdb-proxy
 tags:
 - pkgdb2
+
+ - role: security.txt
+ tags:
+ - security.txt
diff --git a/roles/security.txt/files/security-txt.conf b/roles/security.txt/files/security-txt.conf
new file mode 100644
index 0000000000..11d85490ed
--- /dev/null
+++ b/roles/security.txt/files/security-txt.conf
@@ -0,0 +1 @@
+AliasMatch ^/.well-known/security.txt /srv/web/security.txt
diff --git a/roles/security.txt/files/security.txt b/roles/security.txt/files/security.txt
new file mode 100644
index 0000000000..5bf706e1c2
--- /dev/null
+++ b/roles/security.txt/files/security.txt
@@ -0,0 +1,2 @@
+Contact: mailto:infra-security@fedoraproject.org
+Expires: 2022-01-31T21:01:00.000Z
diff --git a/roles/security.txt/tasks/main.yml b/roles/security.txt/tasks/main.yml
new file mode 100644
index 0000000000..9ef4f1651d
--- /dev/null
+++ b/roles/security.txt/tasks/main.yml
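Review bot: In roles/security.txt/files/security-txt.conf the `AliasMatch` pattern has no end anchor and leaves its dots unescaped, so it matches every request path that merely begins with something shaped like `/.well-known/security.txt` rather than that one path. The target is a fixed file, so the exposure is small, but the loose match would also swallow sibling paths, for example a detached signature published later as `security.txt.sig`. Anchoring and escaping it, `AliasMatch ^/\.well-known/security\.txt$ /srv/web/security.txt`, or using a plain `Alias` since no capture group is needed, keeps the mapping exact. Whether `/srv/web` already has a `<Directory>` access grant is not visible in this patch and is worth confirming.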
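Review bot: In roles/security.txt/files/security.txt the `Expires` value is a fixed date roughly three months after this commit, and nothing in the patch refreshes it. Per the referenced draft the field marks the point after which the file's data is considered stale, so once it passes, researchers and scanners may disregard the contact address. A comment in the file such as `# Expires must be bumped before 2022-01-31; update roles/security.txt/files/security.txt`, backed by a recurring reminder or a monitoring check, would keep the file valid. The draft's optional `Canonical` and `Preferred-Languages` fields and signing could come with the later expansion the commit message mentions.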
@@ -0,0 +1,13 @@
+---
+# Install static security.txt file on proxies.
+- name: Copy static security.txt file into place
+ copy: src=security.txt dest=/srv/web/security.txt owner=root group=root mode=755
+ tags:
+ - security.txt
+
+- name: Copy httpd config
+ copy: src=security-txt.conf dest=/etc/httpd/conf.d/admin.fedoraproject.org/security-txt.conf owner=root group=root mode=755
+ notify:
+ - reload apache
+ tags:
+ - security.txt
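Review bot: Both `copy` tasks install plain data files with `mode=755`, which sets the execute bit on a text file and on an httpd config fragment that never need it. Using `mode=0644` on each keeps root as the only writer and drops the unneeded execute permission. The config fragment is placed only under `conf.d/admin.fedoraproject.org/`, so if the per-site directories work as the path suggests, the file would be served on that one site only. A comment such as `# served only on admin.fedoraproject.org for now` would record whether that is intended.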