Ensure compatibility with Debian 13

Author: clementbiron

playbooks/templates/nginx.conf.j2

@@ -6,7 +6,9 @@
 # vulnerabilities or exploits that are present in specific versions.
 # Disabling server_tokens can help to mitigate this risk by removing the NGINX
 # version number from the response headers.
+{% if not nginx_conf_has_server_tokens | default(false) %}
 server_tokens off;
+{% endif %}
 
 # Configure the rate limiting module to prevent DDoS attacks.
 limit_req_zone $binary_remote_addr zone=limited:10m rate=10r/s;

roles/nginx/configure/tasks/main.yml

@@ -7,6 +7,16 @@
         state: absent
         path: /etc/nginx/sites-enabled/default
 
+    - name: Check if server_tokens is already configured
+      ansible.builtin.command: grep -E "^\s*server_tokens" /etc/nginx/nginx.conf
+      register: nginx_server_tokens_directive
+      failed_when: false
+      changed_when: false
+
+    - name: Share server_tokens configuration state
+      ansible.builtin.set_fact:
+        nginx_conf_has_server_tokens: "{{ nginx_server_tokens_directive.rc == 0 }}"
+
     - name: Setup NGINX conf
       ansible.builtin.template:
         src: "{{ ota_nginx_config_template }}"