From 8cf813ff033bbc98a7dd40db6ac11e2e35c7e997 Mon Sep 17 00:00:00 2001
From: mia
Date: Sat, 8 Jun 2024 22:56:05 -0700
Subject: initial commit
---
nginx/sync.py | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 nginx/sync.py
(limited to 'nginx/sync.py')
diff --git a/nginx/sync.py b/nginx/sync.py
new file mode 100644
index 0000000..b715d41
--- /dev/null
+++ b/nginx/sync.py
@@ -0,0 +1,59 @@
+import re
+
+from commia.prelude import *
+from commia.ssh import scp, ssh_args, ssh_prewarm
+from commia.util import with_written
+
+spacing_pattern = re.compile(r"([;,{}])$")
+
+handoff = Path("nginx/handoff.html").read_text().splitlines()
+handoff = map(lambda line: line.lstrip("\t"), handoff)
+handoff = map(lambda line: spacing_pattern.sub(r"\1 ", line), handoff)
+handoff = "".join(handoff).replace('"', '\\"').replace("$", "${dollar}")
+
+auth_check = """if ($cookie___proxy_token = "") {
+ return 303 https://$host/.nginx/handoff.html;
+ }
+ auth_request /.nginx/auth;"""
+
+auth_locations = (
+ '''location /.nginx/auth {
+ internal;
+ js_content nginx.validate;
+ }
+
+ location /.nginx/scopes {
+ internal;
+ proxy_pass http://[::1]:8001/scopes/$arg_token;
+ }
+
+ location /.nginx/handoff.html {
+ return 200 "'''
+ + handoff
+ + """";
+ }
+
+ location /.nginx/cookie {
+ add_header Set-Cookie "__proxy_token=${arg_token}; max-age=${arg_max_age}; path=/; samesite=strict; httponly; secure";
+ return 200;
+ }"""
+)
+
+nginx_conf = (
+ Path("nginx/nginx.conf")
+ .read_text()
+ .replace("%AUTH_CHECK%", auth_check)
+ .replace("%AUTH_LOCATIONS%", auth_locations)
+)
+
+ssh_prewarm("asylum", "secrets@bearer")
+with_written(
+ nginx_conf,
+ lambda path: scp(path, "asylum:/etc/nginx/nginx.conf"),
+)
+
+for name in ["nginx.js", "mime.types", "fastcgi.conf"]:
+ scp(f"nginx/{name}", f"asylum:/etc/nginx/{name}")
+
+if run(p([*ssh_args(), "nginx", "-t"])).returncode == 0:
+ run_check(p([*ssh_args(), "systemctl", "restart", "nginx"]))
--
cgit 1.4.1
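Review bot: The `/.nginx/cookie` location in `auth_locations` copies `$arg_token` and `$arg_max_age` straight from the query string into the `Set-Cookie` header, and unlike `/.nginx/auth` and `/.nginx/scopes` it is not marked `internal`, so as far as this file shows any request can choose the proxy token a browser ends up holding. nginx does not decode or filter `$arg_*` values, so a value containing `;` would also add or override cookie attributes. I would reject anything outside the expected formats before the `add_header`, for example `if ($arg_token !~ "^[A-Za-z0-9_-]+$") { return 400; }` (with whatever alphabet the tokens really use) and `if ($arg_max_age !~ "^[0-9]+$") { return 400; }`, and consider having the auth service issue the cookie itself rather than accepting it from a URL. Separately, the `nginx -t` check at the end runs after `/etc/nginx/nginx.conf` has already been overwritten and a failure exits silently, so a bad config stays on disk; raising on a non-zero return code would at least surface that.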