From 809608c7ef4801f80adbd0ae07301e39c11e3951 Mon Sep 17 00:00:00 2001
From: mia
Date: Sun, 30 Jun 2024 18:29:59 -0700
Subject: initial commit

---
 nginx/nginx.conf | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 nginx/server.conf | 19 +++++++++++++++++++
 nginx/sync.py | 23 +++++++++++++++++++++++
 3 files changed, 89 insertions(+)
 create mode 100644 nginx/nginx.conf
 create mode 100644 nginx/server.conf
 create mode 100644 nginx/sync.py
(limited to 'nginx')

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000..336c8d2
--- /dev/null
+++ b/nginx/nginx.conf
@@ -0,0 +1,47 @@
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log notice;
+pid /run/nginx.pid;
+include /usr/share/nginx/modules/*.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ aio threads;
+ tcp_nopush on;
+ server_tokens off;
+ http2 on;
+
+ gzip on;
+ gunzip on;
+ gzip_vary on;
+ gzip_types text/plain text/css application/json application/javascript text/javascript;
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=pcache:32m max_size=20g;
+ ssl_session_cache shared:SSL:10m;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_prefer_server_ciphers on;
+
+ resolver 127.0.0.53;
+
+ # dummy host
+ server {
+ listen 443 quic reuseport default_server;
+ listen 443 ssl reuseport default_server;
+ server_name _;
+ ssl_certificate /etc/tls/mia.jetzt.crt;
+ ssl_certificate_key /etc/tls/mia.jetzt.key;
+ }
+
+ %SERVERS%
+}
diff --git a/nginx/server.conf b/nginx/server.conf
new file mode 100644
index 0000000..d4f35f3
--- /dev/null
+++ b/nginx/server.conf
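Review bot: The catch-all `server { listen 443 ... default_server; server_name _; ... }` near the end of the hunk has nothing beyond the certificate lines, so a TLS connection whose SNI matches none of the generated hosts is still answered from nginx's default document root (the stock index page or a 404) rather than dropped; adding `return 444;` inside it closes such connections without a response. No `ssl_ciphers` is set either, so the TLS 1.2 suite list is nginx's built-in default (`HIGH:!aNULL:!MD5`), which still admits static-RSA key exchange and CBC suites; an explicit ECDHE/AEAD-only list such as `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;` next to `ssl_protocols` would pin that down. Finally, `ssl_stapling_verify on` only verifies anything when the issuer and root certificates are supplied through `ssl_trusted_certificate`, which this file does not set, so as written the OCSP responses are not actually validated.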
@@ -0,0 +1,19 @@
+server {
+ listen 443 quic;
+ listen 443 ssl;
+ server_name %HOST% *.%HOST%;
+ add_header alt-svc 'h3=":443"; ma=86400';
+ ssl_certificate /etc/tls/%HOST%.crt;
+ ssl_certificate_key /etc/tls/%HOST%.key;
+ location / {
+ proxy_pass http://[fd74:5ca2:5071::1]:80;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+}
diff --git a/nginx/sync.py b/nginx/sync.py
new file mode 100644
index 0000000..8387e99
--- /dev/null
+++ b/nginx/sync.py
@@ -0,0 +1,23 @@
+from commia.prelude import *
+from commia.bearer import get_key, keys
+from commia.ssh import scp, ssh_args, ssh_prewarm
+from commia.util import with_written
+
+ssh_prewarm("asylum", "secrets@bearer")
+
+domains = get_key(keys.domains).splitlines()
+
+servers = []
+server_template = Path("nginx/server.conf").read_text()
+for domain in domains:
+ servers.append(server_template.replace("%HOST%", domain))
+servers_indented = "\n".join(
+ map(lambda line: f"\t{line}", "\n".join(servers).splitlines())
+).strip()
+
+config = Path("nginx/nginx.conf").read_text().replace("%SERVERS%", servers_indented)
+
+with_written(config, lambda path: scp(path, "callosum:/etc/nginx/nginx.conf"))
+
+if run(p([*ssh_args(), "nginx", "-t"])).returncode == 0:
+ run_check(p([*ssh_args(), "systemctl", "restart", "nginx"]))
-- 
cgit 1.4.1
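Review bot: The generated vhost sends `alt-svc` but no `Strict-Transport-Security`, so nothing tells a browser to keep `%HOST%` and its subdomains on HTTPS after the first visit (this file has no port-80 listener, but the client-side downgrade path is still open); add `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;` beside the alt-svc line, with `always` so it is also emitted on error responses — the max-age is a conventional value, adjust to taste. Note that `$proxy_add_x_forwarded_for` appends `$remote_addr` to whatever `X-Forwarded-For` the client already sent, so the upstream at `[fd74:5ca2:5071::1]` must take the client address from the last entry (or from `X-Real-IP`), never the first, or a client can spoof its origin.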
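Review bot: `with_written(config, lambda path: scp(path, "callosum:/etc/nginx/nginx.conf"))` overwrites the live config before `nginx -t` has run, so a rendered config that fails the test leaves a broken /etc/nginx/nginx.conf on disk (the running nginx keeps serving, but the next restart or reboot fails), and the `if ... == 0` guard then exits 0 without reporting anything. Stage the file under a scratch path, test that path with `nginx -t -c`, and only move it into place and restart once the test passes; a failed test should end the script with a non-zero status. Separately, every line from `get_key(keys.domains)` is spliced into `server_name`, `ssl_certificate` and `ssl_certificate_key` by plain `str.replace`, so a blank or malformed line yields a config that either fails `-t` or means something other than intended; validating each value against a hostname pattern (e.g. `re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", domain)`) before substitution catches that at render time rather than on the host. The staging path below is a constructed example; keep it on the same filesystem as /etc/nginx so the `mv` is atomic.

```python
# … unchanged: template rendering into `config` …

# Stage the rendered config and validate it before it can replace the live file,
# so a rejected config never reaches /etc/nginx/nginx.conf on disk.
staged = "/etc/nginx/nginx.conf.staged"  # constructed example path
with_written(config, lambda path: scp(path, f"callosum:{staged}"))

if run(p([*ssh_args(), "nginx", "-t", "-c", staged])).returncode != 0:
    raise SystemExit("nginx -t rejected the generated config; live config left unchanged")

run_check(p([*ssh_args(), "mv", staged, "/etc/nginx/nginx.conf"]))
run_check(p([*ssh_args(), "systemctl", "restart", "nginx"]))
```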