From 233e2c655cc64627a021c6baabe25e0ab7a4e134 Mon Sep 17 00:00:00 2001
From: mia
Date: Sat, 23 Nov 2024 18:52:51 -0800
Subject: terminate tls on asylum for secure local connections
---
 nginx/sync.py | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
(limited to 'nginx/sync.py')
diff --git a/nginx/sync.py b/nginx/sync.py
index 9d81a39..2b36c2c 100644
--- a/nginx/sync.py
+++ b/nginx/sync.py
@@ -1,9 +1,11 @@
 import re
+from commia.bearer import get_key, keys
 from commia.prelude import *
 from commia.ssh import scp, ssh_args, ssh_prewarm
 from commia.util import with_written
+ssh_prewarm("asylum", "secrets@bearer")
 spacing_pattern = re.compile(r"([;,{}])$")
 handoff = Path("nginx/handoff.html").read_text().splitlines()
@@ -39,14 +41,32 @@ auth_locations = (
 }"""
 )
+proxy = (
+ """proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;"""
+)
+
+domains = get_key(keys.domains).splitlines()
+terminate_tmpl = Path("nginx/terminate.conf").read_text()
+terminate = []
+for domain in domains:
+ terminate.append(terminate_tmpl.replace("%HOST%", domain))
+terminate_indented = "\n".join(
+ map(lambda line: f"\t{line}", "\n".join(terminate).splitlines())
+).strip()
+
 nginx_conf = (
 Path("nginx/nginx.conf")
 .read_text()
 .replace("%AUTH_CHECK%", auth_check)
 .replace("%AUTH_LOCATIONS%", auth_locations)
+ .replace("%PROXY%", proxy)
+ .replace("%TERMINATE%", terminate_indented)
 )
-ssh_prewarm("asylum", "secrets@bearer")
 with_written(
 nginx_conf,
 lambda path: scp(path, "asylum:/etc/nginx/nginx.conf"),
--
cgit 1.4.1
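Review bot: The `ssh_prewarm("asylum", "secrets@bearer")` call in the first hunk now sits among the imports with no comment explaining why it moved. Presumably it has to run before `get_key(keys.domains)` in the second hunk, since that call looks like it reads from the bearer host. A one-line comment such as `# must run before get_key(): the domain list is fetched over the prewarmed connection` (wording to be confirmed against `commia.bearer`) would stop a later tidy-up from moving it back below the template code. It also means that importing this module opens SSH connections as a side effect, which is worth stating at the top of the file.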
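Review bot: In the second hunk every line of `get_key(keys.domains)` is substituted into the nginx template by `terminate_tmpl.replace("%HOST%", domain)` without any check, so a blank line, stray whitespace or a value containing `;`, `{` or `}` becomes configuration text in the file copied to `asylum:/etc/nginx/nginx.conf`. Stripping the entries, dropping empty ones and rejecting anything that is not a hostname before the loop keeps a malformed or tampered key from altering the server config; the sketch below raises instead of silently skipping. Separately, `proxy_set_header Host $http_host;` forwards the client-supplied Host header unchanged, so its safety depends on how `nginx/terminate.conf` sets `server_name`, which is not visible here. `$connection_upgrade` likewise needs a matching `map` in `nginx/nginx.conf`. The `nginx_conf` expression and the `with_written(...)` call continue outside the hunk.

```python
# constructed pattern: plain DNS names only; extend it if the list holds wildcard names
hostname_pattern = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*"
)
domains = [line.strip() for line in get_key(keys.domains).splitlines() if line.strip()]
for domain in domains:
    if not hostname_pattern.fullmatch(domain):
        raise ValueError(f"invalid domain in keys.domains: {domain!r}")
terminate_tmpl = Path("nginx/terminate.conf").read_text()
# … unchanged: terminate list and terminate_indented …
```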