From 5dfa64e6ff52eb3c25d717ad8fe7441dd3586a16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Biron?=
Date: Fri, 28 Nov 2025 11:44:07 +0100
Subject: [PATCH 1/2] Ensure compatibility with Debian 13
---
 playbooks/templates/nginx.conf.j2 | 2 ++
 roles/nginx/configure/tasks/main.yml | 10 ++++++++++
 2 files changed, 12 insertions(+)
diff --git a/playbooks/templates/nginx.conf.j2 b/playbooks/templates/nginx.conf.j2
index f866df4..38b6c85 100644
--- a/playbooks/templates/nginx.conf.j2
+++ b/playbooks/templates/nginx.conf.j2
@@ -6,7 +6,9 @@
 # vulnerabilities or exploits that are present in specific versions.
 # Disabling server_tokens can help to mitigate this risk by removing the NGINX
 # version number from the response headers.
+{% if not nginx_conf_has_server_tokens | default(false) %}
 server_tokens off;
+{% endif %}
 # Configure the rate limiting module to prevent DDoS attacks.
 limit_req_zone $binary_remote_addr zone=limited:10m rate=10r/s;
diff --git a/roles/nginx/configure/tasks/main.yml b/roles/nginx/configure/tasks/main.yml
index c7a0363..0873a47 100644
--- a/roles/nginx/configure/tasks/main.yml
+++ b/roles/nginx/configure/tasks/main.yml
@@ -7,6 +7,16 @@
 state: absent
 path: /etc/nginx/sites-enabled/default
+ - name: Check if server_tokens is already configured
+ ansible.builtin.command: grep -E "^\s*server_tokens" /etc/nginx/nginx.conf
+ register: nginx_server_tokens_directive
+ failed_when: false
+ changed_when: false
+
+ - name: Share server_tokens configuration state
+ ansible.builtin.set_fact:
+ nginx_conf_has_server_tokens: "{{ nginx_server_tokens_directive.rc == 0 }}"
+
 - name: Setup NGINX conf
 ansible.builtin.template:
 src: "{{ ota_nginx_config_template }}"
From ee8b6f7a0c44eab17551addd22f2cc518dc34713 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Biron?=
Date: Fri, 28 Nov 2025 11:47:22 +0100
Subject: [PATCH 2/2] Add changelog entry
---
 CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)
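Review bot: The grep in the `Check if server_tokens is already configured` task matches a `server_tokens` directive with any value, so when /etc/nginx/nginx.conf sets it to something other than `off`, the template hunk in playbooks/templates/nginx.conf.j2 omits `server_tokens off;` and the version-hiding hardening described in the template comment is silently lost. The skip presumably exists to avoid a duplicate-directive error, but a safer approach is to enforce the value in the file that already declares it, as in the task below, placed before the check. The hunk does not show how this role reloads NGINX, so a handler notification may be needed. Separately, `failed_when: false` also hides grep's error exit status; `failed_when: nginx_server_tokens_directive.rc > 1` would keep a non-match benign while surfacing a missing or unreadable file.

```yaml
- name: Enforce server_tokens off where nginx.conf already declares it
  ansible.builtin.replace:
    path: /etc/nginx/nginx.conf
    regexp: '^(\s*)server_tokens\s+[^;]*;'
    replace: '\1server_tokens off;'
# … unchanged: "Check if server_tokens is already configured" and set_fact tasks …
```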
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d4a39e8..3148265 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,14 @@
 All changes that impact users of this module are documented in this file, in the [Common Changelog](https://common-changelog.org) format with some additional specifications defined in the CONTRIBUTING file. This codebase adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## Unreleased [patch]
+
+> Development of this release was supported by the [French Ministry for Foreign Affairs](https://www.diplomatie.gouv.fr/fr/politique-etrangere-de-la-france/diplomatie-numerique/) through its ministerial [State Startups incubator](https://beta.gouv.fr/startups/open-terms-archive.html) under the aegis of the Ambassador for Digital Affairs.
+
+### Fixed
+
+- Ensure compatibility with Debian 13
+
 ## 2.1.0 - 2025-06-10
 _Full changeset and discussions: [#56](https://github.com/OpenTermsArchive/deployment/pull/56)._