From f0445efdcb39b75dcc48af92cfe49b2f9d831b9f Mon Sep 17 00:00:00 2001
From: Ivy Fan-Chiang
Date: Sun, 3 Dec 2023 12:22:13 -0500
Subject: [PATCH 1/3] update to latest nginx stable
---
ansible/nginx.yml | 19 ++++++++++++++++++-
deploy_bundle/nginx.yml | 19 ++++++++++++++++++-
2 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/ansible/nginx.yml b/ansible/nginx.yml
index b66daf5..02173fd 100644
--- a/ansible/nginx.yml
+++ b/ansible/nginx.yml
@@ -12,9 +12,26 @@ ansible.builtin.wait_for_connection: timeout: 300 tasks: + - name: Install nginx repository prerequisites + ansible.builtin.package: + name: + - curl + - gnupg2 + - ca-certificates + - lsb-release + - debian-archive-keyring + state: present + - name: Get NGINX keyring + ansible.builtin.shell: curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null + - name: Install NGINX repository + ansible.builtin.shell: echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list + - name: Setup Repository pinning + ansible.builtin.shell: echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx - name: Install nginx ansible.builtin.package: - name: nginx + name: + - nginx + - nginx-extras state: present notify: Restart nginx - name: Copy nginx config
diff --git a/deploy_bundle/nginx.yml b/deploy_bundle/nginx.yml
index b66daf5..02173fd 100644
--- a/deploy_bundle/nginx.yml
+++ b/deploy_bundle/nginx.yml
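Review bot: The 'Get NGINX keyring' task installs whatever the pipeline produces as the trust anchor for a repository it then pins at priority 900, without ever checking the key's fingerprint, and because the pipeline's exit status is tee's (curl has no `-f`, and /bin/sh has no pipefail) a failed or non-armored download still reports success and leaves an empty or malformed keyring whose failure only surfaces later as an apt signature error. nginx's own install instructions have you verify the downloaded key's fingerprint before installing it; fetching with `ansible.builtin.get_url`, comparing the fingerprint against the published value, and only then dearmoring into the keyrings directory makes the trust step explicit and idempotent (sketch below, fingerprint left as a placeholder to be filled from the nginx docs). Two further points in the same hunk: `state: present` on the 'Install nginx' task is already satisfied by a distro nginx that is installed, so on such hosts the new repository never takes effect despite the commit's intent and `state: latest` (or an explicit version) is needed for the switch; and `nginx-extras` is a Debian package the nginx.org repository does not publish, so with this pin it will presumably resolve from the distro archive and may conflict with the upstream `nginx` build — worth confirming on a clean host. The `sudo` inside the shell commands looks redundant if the play already escalates (the package tasks need root and use none); prefer `become: true` on the play or task. The deploy_bundle/nginx.yml hunk of this commit is a byte-for-byte copy and has the same issues.
```yaml
# … unchanged: Install nginx repository prerequisites …
- name: Get NGINX signing key
  ansible.builtin.get_url:
    url: https://nginx.org/keys/nginx_signing.key
    dest: /tmp/nginx_signing.key
    mode: "0644"
- name: Verify NGINX signing key fingerprint
  ansible.builtin.shell: >-
    gpg --dry-run --quiet --no-keyring --import --import-options import-show /tmp/nginx_signing.key
    | grep -q "<FINGERPRINT_FROM_NGINX_INSTALL_DOCS>"
  changed_when: false
- name: Install NGINX keyring
  ansible.builtin.shell: gpg --dearmor < /tmp/nginx_signing.key > /usr/share/keyrings/nginx-archive-keyring.gpg
  args:
    creates: /usr/share/keyrings/nginx-archive-keyring.gpg
# … unchanged: Install NGINX repository, Setup Repository pinning, Install nginx …
```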
@@ -12,9 +12,26 @@ ansible.builtin.wait_for_connection: timeout: 300 tasks: + - name: Install nginx repository prerequisites + ansible.builtin.package: + name: + - curl + - gnupg2 + - ca-certificates + - lsb-release + - debian-archive-keyring + state: present + - name: Get NGINX keyring + ansible.builtin.shell: curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null + - name: Install NGINX repository + ansible.builtin.shell: echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list + - name: Setup Repository pinning + ansible.builtin.shell: echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx - name: Install nginx ansible.builtin.package: - name: nginx + name: + - nginx + - nginx-extras state: present notify: Restart nginx - name: Copy nginx config
From 89e4ab892bcad9e49a0235751150ab0ec3a19baf Mon Sep 17 00:00:00 2001
From: Ivy Fan-Chiang
Date: Sun, 3 Dec 2023 12:22:27 -0500
Subject: [PATCH 2/3] hide nginx server tokens
---
ansible/nginx.conf | 1 +
deploy_bundle/nginx.conf | 1 +
2 files changed, 2 insertions(+)
diff --git a/ansible/nginx.conf b/ansible/nginx.conf
index e6f14d6..1b6a456 100644
--- a/ansible/nginx.conf
+++ b/ansible/nginx.conf
@@ -5,4 +5,5 @@ server { proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } + server_tokens off; }
diff --git a/deploy_bundle/nginx.conf b/deploy_bundle/nginx.conf
index e6f14d6..1b6a456 100644
--- a/deploy_bundle/nginx.conf
+++ b/deploy_bundle/nginx.conf
@@ -5,4 +5,5 @@ server { proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } + server_tokens off; }
From 6ccebbbd348b5f636802f430da4f70bc243974fa Mon Sep 17 00:00:00 2001
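Review bot: `server_tokens off;` is added inside a single `server {}` block, so it only affects responses from that virtual host; the version presumably still shows in the `Server:` header and built-in error pages of any other server on the same instance (including whichever one answers unmatched Host names), so the directive belongs in the `http {}` context of the main nginx.conf, where it covers every server. It also does not remove the header: open-source nginx still emits `Server: nginx`, and stripping it entirely needs a third-party module such as headers-more, so this is cosmetic hardening layered on the real fix, which is keeping the package current. Placing the directive at the top of the `server` block rather than after the `location` block's closing brace would match the usual nginx layout. The deploy_bundle/nginx.conf hunk is identical.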
From: Ivy Fan-Chiang
Date: Sun, 3 Dec 2023 12:34:22 -0500
Subject: [PATCH 3/3] escape ansible shell commands
---
ansible/nginx.yml | 9 ++++++---
deploy_bundle/nginx.yml | 9 ++++++---
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/ansible/nginx.yml b/ansible/nginx.yml
index 02173fd..21886d3 100644
--- a/ansible/nginx.yml
+++ b/ansible/nginx.yml
@@ -22,11 +22,14 @@ - debian-archive-keyring state: present - name: Get NGINX keyring - ansible.builtin.shell: curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null + ansible.builtin.shell: > + curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null - name: Install NGINX repository - ansible.builtin.shell: echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list + ansible.builtin.shell: > + echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list - name: Setup Repository pinning - ansible.builtin.shell: echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx + ansible.builtin.shell: > + echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx - name: Install nginx ansible.builtin.package: name:
diff --git a/deploy_bundle/nginx.yml b/deploy_bundle/nginx.yml
index 02173fd..21886d3 100644
--- a/deploy_bundle/nginx.yml
+++ b/deploy_bundle/nginx.yml
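Review bot: Moving the commands into `>` block scalars fixes the YAML parse problem (a plain scalar cannot contain `: `), but the 'Setup Repository pinning' command has a remaining correctness issue: unless `args: executable` is set, the shell module runs through /bin/sh, which on Debian is dash, whose echo does not accept `-e` and will write a literal `-e` into the first line of /etc/apt/preferences.d/99nginx, so apt may reject or ignore the pin stanza — confirm on a target host. Writing the file with `ansible.builtin.copy` and a `content: |` block (sketch below) avoids shell quoting altogether and is idempotent, which none of these shell tasks are (they report changed on every run and set no `creates:` or `changed_when`). The `>` header keeps a trailing newline; `>-` is the conventional choice for a single-line command. The 'Install NGINX repository' task could likewise become `ansible.builtin.apt_repository` with `repo: "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian {{ ansible_distribution_release }} nginx"`, dropping the backtick substitution and the `sudo`. The deploy_bundle/nginx.yml hunk is identical and needs the same changes.
```yaml
# … unchanged: Get NGINX keyring, Install NGINX repository …
- name: Setup Repository pinning
  ansible.builtin.copy:
    dest: /etc/apt/preferences.d/99nginx
    mode: "0644"
    content: |
      Package: *
      Pin: origin nginx.org
      Pin: release o=nginx
      Pin-Priority: 900
# … unchanged: Install nginx …
```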
@@ -22,11 +22,14 @@ - debian-archive-keyring state: present - name: Get NGINX keyring - ansible.builtin.shell: curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null + ansible.builtin.shell: > + curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null - name: Install NGINX repository - ansible.builtin.shell: echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list + ansible.builtin.shell: > + echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] http://nginx.org/packages/debian `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list - name: Setup Repository pinning - ansible.builtin.shell: echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx + ansible.builtin.shell: > + echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | sudo tee /etc/apt/preferences.d/99nginx - name: Install nginx ansible.builtin.package: name: