initial commit

1 files changed, 59 insertions, 0 deletions

diff --git a/nginx/sync.py b/nginx/sync.py
new file mode 100644
index 0000000..b715d41
--- /dev/null
+++ b/nginx/sync.py
@@ -0,0 +1,59 @@
+import re
+
+from commia.prelude import *
+from commia.ssh import scp, ssh_args, ssh_prewarm
+from commia.util import with_written
+
+spacing_pattern = re.compile(r"([;,{}])$")
+
+handoff = Path("nginx/handoff.html").read_text().splitlines()
+handoff = map(lambda line: line.lstrip("\t"), handoff)
+handoff = map(lambda line: spacing_pattern.sub(r"\1 ", line), handoff)
+handoff = "".join(handoff).replace('"', '\\"').replace("$", "${dollar}")
+
+auth_check = """if ($cookie___proxy_token = "") {
+            return 303 https://$host/.nginx/handoff.html;
+        }
+        auth_request /.nginx/auth;"""
+
+auth_locations = (
+    '''location /.nginx/auth {
+                internal;
+                js_content nginx.validate;
+            }
+    
+            location /.nginx/scopes {
+                internal;
+                proxy_pass http://[::1]:8001/scopes/$arg_token;
+            }
+    
+            location /.nginx/handoff.html {
+                return 200 "'''
+    + handoff
+    + """";
+            }
+
+            location /.nginx/cookie {
+                add_header Set-Cookie "__proxy_token=${arg_token}; max-age=${arg_max_age}; path=/; samesite=strict; httponly; secure";
+                return 200;
+            }"""
+)
+
+nginx_conf = (
+    Path("nginx/nginx.conf")
+    .read_text()
+    .replace("%AUTH_CHECK%", auth_check)
+    .replace("%AUTH_LOCATIONS%", auth_locations)
+)
+
+ssh_prewarm("asylum", "secrets@bearer")
+with_written(
+    nginx_conf,
+    lambda path: scp(path, "asylum:/etc/nginx/nginx.conf"),
+)
+
+for name in ["nginx.js", "mime.types", "fastcgi.conf"]:
+    scp(f"nginx/{name}", f"asylum:/etc/nginx/{name}")
+
+if run(p([*ssh_args(), "nginx", "-t"])).returncode == 0:
+    run_check(p([*ssh_args(), "systemctl", "restart", "nginx"]))