enhance security via nginx static hosting

.gitignore

@@ -1,4 +1,4 @@
-docs/build
+mkdocs/site
 traefik/log/*.log
 traefik/log/*.gz
 traefik/tls/*.json

compose.yml

@@ -1,4 +1,11 @@
 services:
+  mkdocs:
+    image: squidfunk/mkdocs-material
+    command:
+      - build
+    volumes:
+      - ./mkdocs:/docs
+
   traefik:
     image: traefik:latest
     command:
@@ -13,8 +20,8 @@ services:
       - ./traefik/log:/var/log/traefik
       - ./traefik/tls:/letsencrypt
 
-  mkdocs:
-    image: squidfunk/mkdocs-material
+  nginx:
+    image: nginx:latest
     labels:
       - traefik.enable=true
       - traefik.http.routers.rskio.entrypoints=websecure
@@ -22,7 +29,11 @@ services:
       - traefik.http.routers.rskio.tls=true
       - traefik.http.routers.rskio.tls.certresolver=rskio_certresolver
       - traefik.http.routers.rskio.service=rskio@docker
-      - traefik.http.services.rskio.loadbalancer.server.port=8000
+      - traefik.http.services.rskio.loadbalancer.server.port=80
     volumes:
-      - ./mkdocs:/docs
+      - ./mkdocs/site:/opt/share/mkdocs/html:ro
+      - ./nginx/etc/conf.d:/etc/nginx/conf.d:ro
+    depends_on:
+      mkdocs:
+        condition: service_completed_successfully
 

mkdocs/docs/index.md

@@ -2,14 +2,14 @@
 
 ## Rskio
 
-This site (a project of mine in and of itself) is meant to catalog my efforts. Through the years, I have "spun my wheels" in order to learn, get something working, or even try something interesting--only for it to be lost to time. You could boil this site down to my notes. However, I fully intend for it to be much more than that. This site exists for me and the possibilty that it might help you too.
+This site is meant to catalog my efforts. Through the years, I have "spun my wheels" in order to learn, get something working, or even try something interesting--only for it to be lost to time. You could boil this site down to my notes. However, I fully intend for it to be much more than that. This site exists for me and the possibilty something I did might help you too.
 
 
 ## About
 
 Its been what, now? Around 10 years since I started working in computing proffessionally (right after dropping out of a Computer Science program, oops). Oh and about 14 since I'd learned my first programming language. What?! I'm in my thirties?! Guess I can't go saying I'm just some random kid on the internet anymore. 
 
-Just like everyone else my age, I got into computing because my family didn't know how to get the wifi working when we finally got broadband internet. Somehow that got me into robotics and programming in middle school and it snowballed from there. After a multi-year stint with the challenges of the cyber security field, I found peace by letting other people deal with it. These days I'm a full-time computer engineer that designs and deploys network infrastructure for a Tier-1 cloud provider.  In my spare time, I work on projects, or dream of a financial freedom and getting able to work on whatever projects I want full-time, or both.
+Just like everyone else my age, I got into computing because my family didn't know how to get the wifi working when we finally got broadband internet. Somehow that got me into robotics and programming in middle school and it snowballed from there. After a multi-year stint with the challenges of the cyber security field, I found peace letting other people deal with it. These days I'm a full-time computer engineer that designs and deploys network infrastructure for a Tier-1 cloud provider.  In my spare time, I work on projects or dream of financial freedom that would allow me to work on whatever projects I want full-time.
 
 ## What does Rskio Mean?
 

nginx/etc/conf.d/default.conf

@@ -0,0 +1,34 @@
+server {
+    listen       80;
+    listen  [::]:80;
+    server_name rskio.com;
+
+    server_tokens off;
+
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+    add_header X-XSS-Protection "1; mode=block";
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+
+    # rskio logging is handled via traefik
+    #access_log  /var/log/nginx/host.access.log  main;
+
+    location / {
+        root   /opt/share/mkdocs/html;
+        index  index.html index.htm;
+        limit_except GET HEAD POST { deny all; }
+    }
+
+    # rskio auth is handled via traefik
+    #error_page  404              /404.html;
+
+    error_page   500 502 503 504  /50x.html;
+    location = /50x.html {
+        root   /usr/share/nginx/html;
+        limit_except GET HEAD POST { deny all; }
+    }
+}
+