Diffstat (limited to 'nginx')
-rw-r--r--nginx/nginx.conf47
-rw-r--r--nginx/server.conf19
-rw-r--r--nginx/sync.py23
3 files changed, 89 insertions, 0 deletions
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000..336c8d2
--- /dev/null
+++ b/nginx/nginx.conf
@@ -0,0 +1,47 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log notice;
+pid /run/nginx.pid;
+include /usr/share/nginx/modules/*.conf;
+
+events {
+	worker_connections 1024;
+}
+
+http {
+	aio threads;
+	tcp_nopush on;
+	server_tokens off;
+	http2 on;
+
+	gzip on;
+	gunzip on;
+	gzip_vary on;
+	gzip_types text/plain text/css application/json application/javascript text/javascript;
+
+	map $http_upgrade $connection_upgrade {
+		default upgrade;
+		'' close;
+	}
+
+	proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=pcache:32m max_size=20g;
+	ssl_session_cache shared:SSL:10m;
+
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_stapling on;
+	ssl_stapling_verify on;
+	ssl_prefer_server_ciphers on;
+
+	resolver 127.0.0.53;
+
+	# dummy host
+	server {
+		listen 443 quic reuseport default_server;
+		listen 443 ssl reuseport default_server;
+		server_name _;
+		ssl_certificate /etc/tls/mia.jetzt.crt;
+		ssl_certificate_key /etc/tls/mia.jetzt.key;
+	}
+
+	%SERVERS%
+}
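Review bot: `ssl_stapling_verify on` is enabled without an `ssl_trusted_certificate` directive, so nginx has no issuer chain to verify the stapled OCSP response against unless the chain happens to be in the certificate file; add `ssl_trusted_certificate /etc/tls/<ISSUER_CHAIN_PLACEHOLDER>.pem;` next to it or stapling will be silently skipped with a warning in error.log. The "dummy host" `default_server` block hands out the mia.jetzt certificate to every client whose SNI matches no real server; since the file already relies on a recent nginx (`http2 on`), `ssl_reject_handshake on;` in that block would refuse such handshakes without presenting any certificate, and the two `ssl_certificate*` lines there could then go. `proxy_cache_path ... keys_zone=pcache:32m` is declared but no `proxy_cache pcache;` appears in this file or in server.conf, so the 20g cache is currently dead configuration — either wire it up in the location or drop the directive. `ssl_prefer_server_ciphers on` has no accompanying `ssl_ciphers`, so it only reorders nginx's default suite list; that is probably intended but worth a comment.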
diff --git a/nginx/server.conf b/nginx/server.conf
new file mode 100644
index 0000000..d4f35f3
--- /dev/null
+++ b/nginx/server.conf
@@ -0,0 +1,19 @@
+server {
+	listen 443 quic;
+	listen 443 ssl;
+	server_name %HOST% *.%HOST%;
+	add_header alt-svc 'h3=":443"; ma=86400';
+	ssl_certificate /etc/tls/%HOST%.crt;
+	ssl_certificate_key /etc/tls/%HOST%.key;
+	location / {
+		proxy_pass http://[fd74:5ca2:5071::1]:80;
+		proxy_http_version 1.1;
+		proxy_redirect off;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto https;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection $connection_upgrade;
+	}
+}
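Review bot: The block tells the upstream it is behind HTTPS (`proxy_set_header X-Forwarded-Proto https`) but never sends HSTS, so a first-visit downgrade is not prevented; `add_header Strict-Transport-Security "max-age=63072000" always;` beside the `alt-svc` header would close that, and `always` matters because `add_header` otherwise only applies to 2xx/3xx responses. `server_name %HOST% *.%HOST%` paired with a single `/etc/tls/%HOST%.crt` assumes each certificate also covers the wildcard — if any of them is a single-name cert, subdomain clients will see a name mismatch, so this is worth stating in a comment above the `ssl_certificate` line. `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` the client sent, so the upstream at `[fd74:5ca2:5071::1]` must trust only the right-most entry (or `X-Real-IP`) when it needs the client address.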
diff --git a/nginx/sync.py b/nginx/sync.py
new file mode 100644
index 0000000..8387e99
--- /dev/null
+++ b/nginx/sync.py
@@ -0,0 +1,23 @@
+from commia.prelude import *
+from commia.bearer import get_key, keys
+from commia.ssh import scp, ssh_args, ssh_prewarm
+from commia.util import with_written
+
+ssh_prewarm("asylum", "secrets@bearer")
+
+domains = get_key(keys.domains).splitlines()
+
+servers = []
+server_template = Path("nginx/server.conf").read_text()
+for domain in domains:
+    servers.append(server_template.replace("%HOST%", domain))
+servers_indented = "\n".join(
+    map(lambda line: f"\t{line}", "\n".join(servers).splitlines())
+).strip()
+
+config = Path("nginx/nginx.conf").read_text().replace("%SERVERS%", servers_indented)
+
+with_written(config, lambda path: scp(path, "callosum:/etc/nginx/nginx.conf"))
+
+if run(p([*ssh_args(), "nginx", "-t"])).returncode == 0:
+    run_check(p([*ssh_args(), "systemctl", "restart", "nginx"]))
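Review bot: When `nginx -t` fails, the final `if` simply falls through and the script exits 0, yet the broken config has already been copied over `callosum:/etc/nginx/nginx.conf` — the running instance keeps its old config in memory, but the next restart or reboot will fail; the failure should be reported with a non-zero exit, and ideally the file should be staged and tested with `nginx -t -c <staging path>` before being moved into place. `domains` is taken from `get_key(keys.domains).splitlines()` and substituted verbatim into `server_name` and the certificate paths, so a blank line yields `server_name  *.;` and a value containing `;`, `}` or whitespace changes the config structure rather than just failing — filter empty lines and reject anything that is not a plain hostname before templating. `systemctl restart nginx` drops in-flight connections; `systemctl reload nginx` applies a tested config without downtime and is the usual choice after a successful `nginx -t`. `from commia.prelude import *` hides where `Path`, `run`, `p` and `run_check` come from; explicit imports would make the script easier to audit. The `for`/`append` loop over `domains` is a one-line comprehension.
```python
domains = [d.strip() for d in get_key(keys.domains).splitlines() if d.strip()]
# refuse anything that is not a plain hostname: a stray ';' or '}' would alter the config structure
bad = [d for d in domains if not all(c.isalnum() or c in ".-" for c in d)]
if bad:
    raise SystemExit(f"refusing to template invalid hostnames: {bad}")

servers = [server_template.replace("%HOST%", domain) for domain in domains]
# … unchanged: indentation, config assembly, with_written/scp …

if run(p([*ssh_args(), "nginx", "-t"])).returncode != 0:
    # the copied file is already in place; make the failure visible instead of exiting 0
    raise SystemExit("nginx -t failed on callosum; /etc/nginx/nginx.conf was not activated")
run_check(p([*ssh_args(), "systemctl", "reload", "nginx"]))
```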