From f8e97439c54a67ffa84c7af02d2c6c982001f114 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Sun, 13 Feb 2022 22:00:06 +0100
Subject: [PATCH] Update to 2022-02-13 22:00
---
 roles/nginx/defaults/main.yml | 3 +++
 roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2 | 4 +++-
 roles/nginx/templates/nginx.conf.j2 | 6 +++---
 roles/squid/files/acl/software_various.domains | 1 +
 4 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 663596c..75d1502 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -27,6 +27,9 @@ nginx_key_path: /etc/nginx/ssl/key.pem
 #
 # nginx_letsencrypt_cert:
+# Default nginx vhost
+# You can override it if you want to use a custom _ vhost
+nginx_default_vhost_name: _
 nginx_vhosts: []
 nginx_default_vhost_base:
 aliases: []
diff --git a/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2 b/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2
index 6962d12..482a895 100644
--- a/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2
+++ b/roles/nginx/templates/ansible_conf.d/30-vhosts.conf.j2
@@ -135,8 +135,10 @@ server {
 {% endif %}
 {% endfor %}
-{% if vhost.csp %}
+{% if vhost.csp is string and vhost.csp != '' %}
 add_header Content-Security-Policy "{{ vhost.csp + (vhost.csp is search('connect-src') and vhost.proxy.websocket) | ternary('', '; connect-src \'self\' wss://' + vhost.name) }}";
+{% elif vhost.csp is mapping %}
+ add_header Content-Security-Policy "{% for csp in vhost.csp.keys() | list %}{{ csp }} {{ vhost.csp[csp] }}{% if not loop.last %}; {% endif %}{% endfor %}";
 {% endif %}
 {% if vhost.auth == 'llng' or vhost.auth == 'llng_basic' %}
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2
index 746d729..676d9ee 100644
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
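Review bot: The comment added above `nginx_default_vhost_name` in roles/nginx/defaults/main.yml does not say what overriding the value changes, and "a custom _ vhost" is easy to misread. In the nginx.conf.j2 hunk of this same commit, any value other than `_` also removes `default_server` from both `listen` directives of the built-in server block, so the fallback for requests with an unmatched Host header then has to be provided elsewhere. I would word the comment as `# Name of the built-in fallback vhost. Set it to something other than _ only if you provide your own _ (default_server) vhost; the built-in one then stops being the default`.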
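Review bot: In the new `{% elif vhost.csp is mapping %}` branch of 30-vhosts.conf.j2, each value is rendered as-is with `{{ vhost.csp[csp] }}`, so a directive written as a YAML list comes out as a Python list repr and the browser receives a policy that does not match the inventory. Joining non-string values avoids that: `{{ vhost.csp[csp] if vhost.csp[csp] is string else (vhost.csp[csp] | join(' ')) }}`. The mapping branch also skips the `connect-src ... wss://` handling that the string branch applies around `vhost.proxy.websocket`. With no `{% else %}`, a `vhost.csp` that is neither a non-empty string nor a mapping now renders no Content-Security-Policy header and raises no error, which is a silent fail-open worth an explicit failure or at least a comment. The enclosing `server` block starts and ends outside the hunk.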
@@ -78,10 +78,10 @@ http {
 {% if '_' not in nginx_vhosts | map(attribute='name') | list %}
 server {
- listen 80 default_server;
- listen 443 default_server ssl http2;
+ listen 80{% if nginx_default_vhost_name == '_' %} default_server{% endif %};
+ listen 443{% if nginx_default_vhost_name == '_' %} default_server{% endif %} ssl http2;
- server_name _;
+ server_name {{ nginx_default_vhost_name }};
 root /usr/share/nginx/html;
 # Load location fragments in the default vhost
diff --git a/roles/squid/files/acl/software_various.domains b/roles/squid/files/acl/software_various.domains
index b3ee30b..c6d6721 100644
--- a/roles/squid/files/acl/software_various.domains
+++ b/roles/squid/files/acl/software_various.domains
@@ -159,6 +159,7 @@ download.java.net
 forumarchivebuilder.googlecode.com
 maven.java.net
 redshift-maven-repository.s3-website-us-east-1.amazonaws.com
+maven.repository.redhat.com
 # Unifi
 www.ubnt.com
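Review bot: The guard on the context line of the nginx.conf.j2 hunk, `{% if '_' not in nginx_vhosts | map(attribute='name') | list %}`, still tests the literal `_` while the block it wraps now renders `server_name {{ nginx_default_vhost_name }}`. With the name overridden and no `_` entry in `nginx_vhosts`, neither `listen` directive in this block carries `default_server`; unless another template sets it (not visible in this hunk), nginx falls back to the first server block defined for each address:port, so requests with an unmatched Host header are answered by whichever vhost loads first rather than by this static root. With a `_` entry present the whole block is skipped, so the override has no effect in that case. If the intent is for a custom `_` vhost to coexist with the renamed built-in one, the guard would have to become `{% if nginx_default_vhost_name not in nginx_vhosts | map(attribute='name') | list %}`. The `http` and `server` blocks continue outside the hunk.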