From 809608c7ef4801f80adbd0ae07301e39c11e3951 Mon Sep 17 00:00:00 2001
From: mia
Date: Sun, 30 Jun 2024 18:29:59 -0700
Subject: initial commit
---
 .editorconfig | 2 ++
 .envrc | 2 ++
 misc/certs.py | 15 +++++++++++++++
 nginx/nginx.conf | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 nginx/server.conf | 19 +++++++++++++++++++
 nginx/sync.py | 23 +++++++++++++++++++++++
 notes.txt | 10 ++++++++++
 7 files changed, 118 insertions(+)
 create mode 100644 .editorconfig
 create mode 100644 .envrc
 create mode 100644 misc/certs.py
 create mode 100644 nginx/nginx.conf
 create mode 100644 nginx/server.conf
 create mode 100644 nginx/sync.py
 create mode 100644 notes.txt
diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..8708fe9
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,2 @@
+[*.conf]
+indent_style = tab
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..3446535
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,2 @@
+# shellcheck shell=sh
+export PYTHONPATH="$PYTHONPATH:$COMMIA"
diff --git a/misc/certs.py b/misc/certs.py
new file mode 100644
index 0000000..889ef33
--- /dev/null
+++ b/misc/certs.py
@@ -0,0 +1,15 @@
+import io
+from tarfile import TarFile
+
+from commia.bearer import get_key, keys
+from commia.prelude import *
+from commia.ssh import scp
+from commia.util import with_written
+
+buffer = get_key(keys.certificates.certs, decode=False)
+tar = TarFile(fileobj=io.BytesIO(buffer))
+for name in tar.getnames():
+ with_written(
+ tar.extractfile(name).read(),
+ lambda path: scp(path, f"callosum:/etc/tls/{name}"),
+ )
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000..336c8d2
--- /dev/null
+++ b/nginx/nginx.conf
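Review bot: `export PYTHONPATH="$PYTHONPATH:$COMMIA"` in .envrc produces a leading `:` whenever PYTHONPATH is unset, and an empty PYTHONPATH entry is interpreted by Python as the current working directory, so whatever happens to sit in the cwd gets imported ahead of installed modules. Only add the separator when there is something to separate: `export PYTHONPATH="${PYTHONPATH:+$PYTHONPATH:}$COMMIA"`. The same guard would cover an unset `$COMMIA`, which presumably direnv provides but which is not visible here.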
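Review bot: In misc/certs.py `tar.extractfile(name)` returns None for any member that is not a regular file (a directory entry in the archive, for instance), so the `.read()` on the following line raises AttributeError, and the member name is spliced unchanged into `callosum:/etc/tls/{name}`, so a name carrying a directory component or `..` would land somewhere other than /etc/tls on the host. Iterating `tar.getmembers()`, skipping non-files and refusing names with a path separator closes both; binding `name` as a lambda default also keeps the closure correct should `with_written` ever defer the call (it appears to call synchronously, which this commit cannot show). The `TarFile` is never closed; `with TarFile(fileobj=io.BytesIO(buffer)) as tar:` would handle that. The private keys pass through a temporary file inside `with_written` before scp; whether that file is created with a restrictive mode is not visible here and is worth confirming.
```python
with TarFile(fileobj=io.BytesIO(buffer)) as tar:
    for member in tar.getmembers():
        # extractfile() returns None for directories and links
        if not member.isfile():
            continue
        # the member name becomes the remote path; refuse anything that could leave /etc/tls
        if "/" in member.name or member.name in ("", ".", ".."):
            raise ValueError(f"refusing tar member {member.name!r}")
        with_written(
            tar.extractfile(member).read(),
            lambda path, name=member.name: scp(path, f"callosum:/etc/tls/{name}"),
        )
```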
@@ -0,0 +1,47 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log notice;
+pid /run/nginx.pid;
+include /usr/share/nginx/modules/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ aio threads;
+ tcp_nopush on;
+ server_tokens off;
+ http2 on;
+
+ gzip on;
+ gunzip on;
+ gzip_vary on;
+ gzip_types text/plain text/css application/json application/javascript text/javascript;
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=pcache:32m max_size=20g;
+ ssl_session_cache shared:SSL:10m;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_prefer_server_ciphers on;
+
+ resolver 127.0.0.53;
+
+ # dummy host
+ server {
+ listen 443 quic reuseport default_server;
+ listen 443 ssl reuseport default_server;
+ server_name _;
+ ssl_certificate /etc/tls/mia.jetzt.crt;
+ ssl_certificate_key /etc/tls/mia.jetzt.key;
+ }
+
+ %SERVERS%
+}
diff --git a/nginx/server.conf b/nginx/server.conf
new file mode 100644
index 0000000..d4f35f3
--- /dev/null
+++ b/nginx/server.conf
@@ -0,0 +1,19 @@
+server {
+ listen 443 quic;
+ listen 443 ssl;
+ server_name %HOST% *.%HOST%;
+ add_header alt-svc 'h3=":443"; ma=86400';
+ ssl_certificate /etc/tls/%HOST%.crt;
+ ssl_certificate_key /etc/tls/%HOST%.key;
+ location / {
+ proxy_pass http://[fd74:5ca2:5071::1]:80;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
diff --git a/nginx/sync.py b/nginx/sync.py
new file mode 100644
index 0000000..8387e99
--- /dev/null
+++ b/nginx/sync.py
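Review bot: `ssl_stapling_verify on;` has no `ssl_trusted_certificate` beside it, so unless the .crt files placed in /etc/tls already carry the full issuer chain nginx cannot validate the OCSP response and will log a warning and staple nothing; an explicit `ssl_trusted_certificate /etc/tls/<chain-file>;` next to the stapling directives (or dropping the verify) makes the intent clear. None of the TLS servers send `Strict-Transport-Security`, which is cheap to add since everything here is 443-only. `proxy_cache_path ... keys_zone=pcache` is declared but nothing in this commit references `proxy_cache pcache`, so either remove it or say what it is reserved for. The `%SERVERS%` placeholder deserves a comment so a reader of the deployed file knows it is generated, e.g. `# %SERVERS% is replaced by nginx/sync.py with one server.conf block per domain`.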
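Review bot: In nginx/server.conf `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for` appends `$remote_addr` to whatever the client sent, so the upstream at `[fd74:5ca2:5071::1]` must treat only the last element as trustworthy (or use `X-Real-IP`, which is set from `$remote_addr` alone); a one-line comment on that header in the template keeps the backend side from forgetting it. With `Upgrade`/`Connection` forwarded for WebSockets, nginx's default `proxy_read_timeout` of 60s still closes an idle socket, so a `proxy_read_timeout` sized for the application belongs in the `location`. The template should state at its top that `%HOST%` is substituted per domain by nginx/sync.py, e.g. `# template: %HOST% is replaced per domain by nginx/sync.py`; `*.%HOST%` in `server_name` also presumes `/etc/tls/%HOST%.crt` covers the wildcard, which this commit cannot show.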
@@ -0,0 +1,23 @@
+from commia.prelude import *
+from commia.bearer import get_key, keys
+from commia.ssh import scp, ssh_args, ssh_prewarm
+from commia.util import with_written
+
+ssh_prewarm("asylum", "secrets@bearer")
+
+domains = get_key(keys.domains).splitlines()
+
+servers = []
+server_template = Path("nginx/server.conf").read_text()
+for domain in domains:
+ servers.append(server_template.replace("%HOST%", domain))
+servers_indented = "\n".join(
+ map(lambda line: f"\t{line}", "\n".join(servers).splitlines())
+).strip()
+
+config = Path("nginx/nginx.conf").read_text().replace("%SERVERS%", servers_indented)
+
+with_written(config, lambda path: scp(path, "callosum:/etc/nginx/nginx.conf"))
+
+if run(p([*ssh_args(), "nginx", "-t"])).returncode == 0:
+ run_check(p([*ssh_args(), "systemctl", "restart", "nginx"]))
diff --git a/notes.txt b/notes.txt
new file mode 100644
index 0000000..b19535a
--- /dev/null
+++ b/notes.txt
@@ -0,0 +1,10 @@
+callosum is a hetzner CPX11 in us-west running fedora server edition
+
+setup steps:
+install packages: dnf install nginx wireguard-tools ufw
+switch to systemd-networkd: https://docs.hetzner.com/robot/dedicated-server/network/network-configuration-using-systemd-networkd/#ipv4-and-ipv6-1
+set up wireguard: https://kalnytskyi.com/posts/setup-wireguard-systemd-networkd/
+set up ufw:
+- ufw allow 443
+- ufw allow 51820/udp
+- ufw route allow in on wg0 out on wg0
-- 
cgit 1.4.1
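Review bot: The generated config is copied over the live /etc/nginx/nginx.conf before `nginx -t` runs, so a rejected config (the final `if` merely skips the restart) stays on the host and nginx will fail to start on its next restart or reboot. Stage the file beside the live one, test it with `nginx -t -c`, and only then move it into place; `systemctl reload nginx` also keeps existing connections open, where the `restart` used here drops them. Upstream of that, `get_key(keys.domains).splitlines()` keeps empty lines and stray whitespace, each of which becomes a `server_name  *.;` block that `nginx -t` rejects, so filter them with `domains = [d.strip() for d in get_key(keys.domains).splitlines() if d.strip()]`; domain values are spliced into the config verbatim, so a hostname-shaped sanity check is cheap insurance against a stray `;` or `}` in the key. `Path`, `run`, `run_check` and `p` presumably come from the `commia.prelude` star import, which is not visible here.
```python
# … unchanged: domain list, server block generation, config assembly …

# validate the candidate before it replaces the live file, so a bad domain
# list cannot leave callosum with an unloadable /etc/nginx/nginx.conf
staged = "/etc/nginx/nginx.conf.new"
with_written(config, lambda path: scp(path, f"callosum:{staged}"))
if run(p([*ssh_args(), "nginx", "-t", "-c", staged])).returncode != 0:
    raise SystemExit("nginx -t rejected the generated config; live config left untouched")
run_check(p([*ssh_args(), "mv", staged, "/etc/nginx/nginx.conf"]))
# reload keeps existing connections open; restart would drop them
run_check(p([*ssh_args(), "systemctl", "reload", "nginx"]))
```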