Ensure compatibility with Debian 13 (#57)

clementbiron · web-flow · commit e78fa7cb9465 · 2025-11-28T11:50:34.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,14 @@
 
 All changes that impact users of this module are documented in this file, in the [Common Changelog](https://common-changelog.org) format with some additional specifications defined in the CONTRIBUTING file. This codebase adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## Unreleased [patch]
+
+> Development of this release was supported by the [French Ministry for Foreign Affairs](https://www.diplomatie.gouv.fr/fr/politique-etrangere-de-la-france/diplomatie-numerique/) through its ministerial [State Startups incubator](https://beta.gouv.fr/startups/open-terms-archive.html) under the aegis of the Ambassador for Digital Affairs.
+
+### Fixed
+
+- Ensure compatibility with Debian 13
+
 ## 2.1.0 - 2025-06-10
 
 _Full changeset and discussions: [#56](https://github.com/OpenTermsArchive/deployment/pull/56)._
diff --git a/playbooks/templates/nginx.conf.j2 b/playbooks/templates/nginx.conf.j2
@@ -6,7 +6,9 @@
 # vulnerabilities or exploits that are present in specific versions.
 # Disabling server_tokens can help to mitigate this risk by removing the NGINX
 # version number from the response headers.
+{% if not nginx_conf_has_server_tokens | default(false) %}
 server_tokens off;
+{% endif %}
 
 # Configure the rate limiting module to prevent DDoS attacks.
 limit_req_zone $binary_remote_addr zone=limited:10m rate=10r/s;
diff --git a/roles/nginx/configure/tasks/main.yml b/roles/nginx/configure/tasks/main.yml
@@ -7,6 +7,16 @@
         state: absent
         path: /etc/nginx/sites-enabled/default
 
+    - name: Check if server_tokens is already configured
+      ansible.builtin.command: grep -E "^\s*server_tokens" /etc/nginx/nginx.conf
+      register: nginx_server_tokens_directive
+      failed_when: false
+      changed_when: false
+
+    - name: Share server_tokens configuration state
+      ansible.builtin.set_fact:
+        nginx_conf_has_server_tokens: "{{ nginx_server_tokens_directive.rc == 0 }}"
+
     - name: Setup NGINX conf
       ansible.builtin.template:
         src: "{{ ota_nginx_config_template }}"
