author | Patrick Spek <p.spek@tyil.nl> | 2022-04-18 08:53:56 +0200 |
---|---|---|
committer | Patrick Spek <p.spek@tyil.nl> | 2022-04-18 08:53:56 +0200 |
commit | f64cadd81fbaebeb8496f3cd9053764fec06a64e (patch) | |
tree | 33a2c3bb7fb6c37da2b0266f7b7084dec5c4bcf0 | |
parent | 342d8ef5e1d988877efbd1bc5d333640d7523570 (diff) |
Various fixes to make the webserver playbook work
69 files changed, 847 insertions, 794 deletions
diff --git a/playbooks.d/webserver/etc/defaults b/playbooks.d/webserver/etc/defaults
index 47ebc9a..9ecd4ae 100644
--- a/playbooks.d/webserver/etc/defaults
+++ b/playbooks.d/webserver/etc/defaults
@@ -1,2 +1,4 @@
+pkg.certbot=certbox
 pkg.nginx=nginx
+
 svc.nginx=nginx
diff --git a/playbooks.d/webserver/playbook.bash b/playbooks.d/webserver/playbook.bash
index 5c422f6..85c38be 100644
--- a/playbooks.d/webserver/playbook.bash
+++ b/playbooks.d/webserver/playbook.bash
@@ -3,7 +3,7 @@
 playbook_add()
 {
 	info "webserver/add" "Installing packages"
-	pkg install nginx
+	pkg install certbot nginx
 
 	info "webserver/add" "Create www user"
 	groupadd www
@@ -18,11 +18,19 @@ playbook_add()
 	rm -frv -- "$(config "fs.etcdir")/nginx"
 
 	info "webserver/add" "Creating desired directory structure"
-	mkdir -pv -- "$(config "fs.etcdir")/nginx"
-	mkdir -pv -- "$(config "fs.etcdir")/nginx/sites-available.d"
-	mkdir -pv -- "$(config "fs.etcdir")/nginx/sites-enabled.d"
-	mkdir -pv -- "$(config "fs.etcdir")/nginx/snippets.d"
-	mkdir -pv -- /var/www
+	mkdir -pv -- \
+		"$(config "fs.etcdir")/nginx" \
+		"$(config "fs.etcdir")/nginx/sites-available.d" \
+		"$(config "fs.etcdir")/nginx/sites-available.d/http" \
+		"$(config "fs.etcdir")/nginx/sites-available.d/https" \
+		"$(config "fs.etcdir")/nginx/sites-enabled.d" \
+		"$(config "fs.etcdir")/nginx/sites-enabled.d/http" \
+		"$(config "fs.etcdir")/nginx/sites-enabled.d/https" \
+		"$(config "fs.etcdir")/nginx/snippets.d" \
+		/var/www
+
+	info "webserver/add" "Generating dhparam.pem"
+	openssl dhparam -out "$(config "fs.etcdir")/nginx/dhparam.pem" 4096
 
 	info "webserver/add" "Running sync to get all configuration going"
 	playbook_sync
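Review bot: `pkg.certbot=certbox` in the added defaults line looks like a typo for `certbot`; the `pkg install certbot nginx` line in the same commit spells it correctly, so anything that resolves the package name through `config "pkg.certbot"` would ask for a package that does not exist. Change it to `pkg.certbot=certbot`. The playbook itself hard-codes both package names instead of reading `pkg.certbot`/`pkg.nginx`, so it is not visible from this diff whether the key is consumed at all; if it is not, dropping it is better than shipping a wrong default.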
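Review bot: `openssl dhparam ... 4096` runs unguarded on every `add`, straight after `rm -frv` has wiped the directory, and nothing checks its exit status before `playbook_sync` continues; 4096-bit parameter generation can take many minutes on a small host, and if it fails or is interrupted, an `ssl.conf` that (presumably, it is not in this diff) references `dhparam.pem` will make nginx refuse to start. Prefer shipping the RFC 7919 `ffdhe4096` group as a static snippet rather than generating parameters per host, or at minimum `openssl dhparam ... 4096 || die "dhparam generation failed"` so the failure is loud. Note too that `playbook_sync` later runs `chown -R www:www` over this directory, so the parameters end up owned by the worker user. `playbook_add` continues outside the hunk.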
@@ -60,17 +68,26 @@ playbook_sync()
 			> "$(config "fs.etcdir")/nginx/snippets.d/$snippet"
 	done
 
-	for path in "$BASHTARD_ETCDIR/playbooks.d/$BASHTARD_PLAYBOOK/share/sites.d"/*
+	for path_dir in "$BASHTARD_ETCDIR/playbooks.d/$BASHTARD_PLAYBOOK/share/sites.d"/*
 	do
-		site="$(basename "$path")"
+		dir="$(basename "$path_dir")"
 
-		notice "webserver/sync" "Updating site $site"
-		file_template "sites.d/$site" \
-			> "$(config "fs.etcdir")/nginx/sites-available.d/$site"
+		for path_site in "$path_dir"/*
+		do
+			site="$(basename "$path_site")"
+
+			notice "webserver/sync" "Updating site $dir/$site"
+			file_template "sites.d/$dir/$site" \
+				> "$(config "fs.etcdir")/nginx/sites-available.d/$dir/$site"
+		done
 	done
 
+	notice "webserver/sync" "Set nginx permissions to www user"
 	chown -R www:www "$(config "fs.etcdir")/nginx"
 
+	notice "webserver/sync" "Renewing Let's Encrypt certificates"
+	certbot renew --no-random-sleep-on-renew
+
 	[[ "$BASHTARD_COMMAND" == "add" ]] && return
 
 	svc reload nginx
diff --git a/playbooks.d/webserver/share/nginx.conf b/playbooks.d/webserver/share/nginx.conf
index c8e9be9..834f220 100644
--- a/playbooks.d/webserver/share/nginx.conf
+++ b/playbooks.d/webserver/share/nginx.conf
@@ -18,5 +18,6 @@ http {
 	tcp_nopush on;
 	types_hash_max_size 2048;
 
-	include ${etc}/nginx/sites-enabled.d/*;
+	include ${etc}/nginx/sites-enabled.d/http/*;
+	include ${etc}/nginx/sites-enabled.d/https/*;
 }
diff --git a/playbooks.d/webserver/share/sites.d/com.voidfire b/playbooks.d/webserver/share/sites.d/com.voidfire
deleted file mode 100644
index c54cc2c..0000000
--- a/playbooks.d/webserver/share/sites.d/com.voidfire
+++ /dev/null
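Review bot: `chown -R www:www "$(config "fs.etcdir")/nginx"` (kept as context, now with a notice announcing it) hands the entire nginx configuration tree — every vhost, every snippet and the `dhparam.pem` this commit adds — to the unprivileged worker user, while the nginx master that parses that tree runs as root; a compromised worker, or any other service running as `www`, can then edit a vhost or snippet and have root-level nginx load it on the next `svc reload nginx`. Workers never need to read the config, so `chown -R root:root` plus `chmod -R go-w` is the safe default, with `www` ownership limited to `/var/www` if something there requires it. A second point: `certbot renew` now also runs during `add`, before any certificate has been issued, and every https vhost in this commit points straight at `/etc/letsencrypt/live/<name>/`, so a fresh host will fail nginx's config check until certificates exist unless they are provisioned elsewhere — an explicit `certbot certonly` step, or at least a comment, belongs in `playbook_add`. `playbook_sync` begins outside the hunk.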
@@ -1,34 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - - server_name voidfire.com; - - ssl_certificate /etc/letsencrypt/live/voidfire.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/voidfire.com/privkey.pem; - - include /etc/nginx/conf.d/ssl.conf; - include /etc/nginx/conf.d/certbot.conf; - - root /var/www/com.voidfire; - - location / { - try_files $uri $uri/ =404; - } -} - -server { - listen 80; - listen [::]:80; - - server_name voidfire.com; - - location / { - return 301 https://$host$request_uri; - } - - location /.well-known/acme-challenge { - root /var/www/.acme; - try_files $uri $uri/ =404; - } -} diff --git a/playbooks.d/webserver/share/sites.d/_ b/playbooks.d/webserver/share/sites.d/http/_ index 0fea007..6207cb2 100644 --- a/playbooks.d/webserver/share/sites.d/_ +++ b/playbooks.d/webserver/share/sites.d/http/_ @@ -7,13 +7,4 @@ server { location / { return 404; } - - location /stub_status { - allow 127.0.0.1; - allow 10.57.0.0/16; - - deny all; - - stub_status; - } } diff --git a/playbooks.d/webserver/share/sites.d/http/church.scriptkitties b/playbooks.d/webserver/share/sites.d/http/church.scriptkitties new file mode 100644 index 0000000..0af0235 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/church.scriptkitties @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name scriptkitties.church; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/com.voidfire b/playbooks.d/webserver/share/sites.d/http/com.voidfire new file mode 100644 index 0000000..3fa9728 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/com.voidfire 
@@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name voidfire.com; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/net.tyil b/playbooks.d/webserver/share/sites.d/http/net.tyil new file mode 100644 index 0000000..31cca7e --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/net.tyil @@ -0,0 +1,12 @@ +server { + listen 80; + listen [::]:80; + + server_name tyil.net; + + include /etc/nginx/snippets.d/certbot.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.fglt b/playbooks.d/webserver/share/sites.d/http/nl.fglt new file mode 100644 index 0000000..4d80a62 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/nl.fglt @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name fglt.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil b/playbooks.d/webserver/share/sites.d/http/nl.tyil new file mode 100644 index 0000000..b2c93db --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/nl.tyil @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt b/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt new file mode 100644 index 0000000..ecdfbe8 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt 
@@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name alt.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.imgur b/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.imgur new file mode 100644 index 0000000..4ae2082 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.imgur @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name imgur.alt.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.reddit b/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.reddit new file mode 100644 index 0000000..b1ba239 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.reddit @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name reddit.alt.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.twitter b/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.twitter new file mode 100644 index 0000000..4d537c4 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.twitter @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name twitter.alt.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.cloud b/playbooks.d/webserver/share/sites.d/http/nl.tyil.cloud new file mode 100644 index 0000000..7c3e941 --- /dev/null 
+++ b/playbooks.d/webserver/share/sites.d/http/nl.tyil.cloud @@ -0,0 +1,12 @@ +server { + listen 80; + listen [::]:80; + + server_name cloud.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.dist b/playbooks.d/webserver/share/sites.d/http/nl.tyil.dist new file mode 100644 index 0000000..19bb5fc --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/nl.tyil.dist @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name dist.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.git b/playbooks.d/webserver/share/sites.d/http/nl.tyil.git new file mode 100644 index 0000000..92ce73e --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/nl.tyil.git @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name git.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.home b/playbooks.d/webserver/share/sites.d/http/nl.tyil.home new file mode 100644 index 0000000..70eeff7 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/nl.tyil.home @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name home.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.homebrew b/playbooks.d/webserver/share/sites.d/http/nl.tyil.homebrew new file mode 100644 index 0000000..5a87074 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/nl.tyil.homebrew 
@@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name homebrew.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.p b/playbooks.d/webserver/share/sites.d/http/nl.tyil.p new file mode 100644 index 0000000..8d71cf8 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/nl.tyil.p @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name p.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.radio b/playbooks.d/webserver/share/sites.d/http/nl.tyil.radio new file mode 100644 index 0000000..e7adfaf --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/nl.tyil.radio @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name radio.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.searx b/playbooks.d/webserver/share/sites.d/http/nl.tyil.searx new file mode 100644 index 0000000..3ee75d4 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/nl.tyil.searx @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name searx.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.tv b/playbooks.d/webserver/share/sites.d/http/nl.tyil.tv new file mode 100644 index 0000000..9179cc9 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/nl.tyil.tv 
@@ -0,0 +1,12 @@ +server { + listen 80; + listen [::]:80; + + server_name tv.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.www b/playbooks.d/webserver/share/sites.d/http/nl.tyil.www new file mode 100644 index 0000000..6370823 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/nl.tyil.www @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name www.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/pictures.memebooru b/playbooks.d/webserver/share/sites.d/http/pictures.memebooru new file mode 100644 index 0000000..0aae163 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/pictures.memebooru @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name memebooru.pictures; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/http/work.tyil b/playbooks.d/webserver/share/sites.d/http/work.tyil new file mode 100644 index 0000000..7b09142 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/http/work.tyil @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name tyil.work; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver/share/sites.d/church.scriptkitties b/playbooks.d/webserver/share/sites.d/https/church.scriptkitties index 7227844..de07ad6 100644 --- a/playbooks.d/webserver/share/sites.d/church.scriptkitties +++ b/playbooks.d/webserver/share/sites.d/https/church.scriptkitties 
@@ -1,15 +1,14 @@ server { - listen 443 ssl http2; # managed by Certbot - listen [::]:443 ssl http2; # managed by Certbot + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name scriptkitties.church; ssl_certificate /etc/letsencrypt/live/scriptkitties.church/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/scriptkitties.church/privkey.pem; - include /etc/nginx/conf.d/certbot.conf; - #include /etc/nginx/conf.d/headers.conf; - include /etc/nginx/conf.d/ssl.conf; + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/ssl.conf; include mime.types; root /var/www/church.scriptkitties; @@ -41,11 +40,11 @@ server { fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; - include fastcgi_params; + include /etc/nginx/snippets.d/fcgi.conf; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_buffers 16 16k; + fastcgi_buffers 16 16k; fastcgi_buffer_size 32k; } @@ -61,17 +60,3 @@ server { deny all; } } - -server { - listen 80; - listen [::]:80; - - server_name scriptkitties.church; - - include /etc/nginx/conf.d/certbot.conf; - include /etc/nginx/conf.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/https/com.voidfire b/playbooks.d/webserver/share/sites.d/https/com.voidfire new file mode 100644 index 0000000..4021ca0 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/https/com.voidfire @@ -0,0 +1,19 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name voidfire.com; + + ssl_certificate /etc/letsencrypt/live/voidfire.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/voidfire.com/privkey.pem; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + include /etc/nginx/snippets.d/ssl.conf; + + root /var/www/com.voidfire; + + location / { + try_files $uri $uri/ =404; + } +} 
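Review bot: the PHP location in the second hunk passes `SCRIPT_FILENAME $document_root$fastcgi_script_name` to php-fpm, but the location's opening line is outside the hunk, so it is not visible whether `try_files $uri =404;` precedes `fastcgi_pass`; without it, a request such as `/uploads/x.jpg/y.php` can execute an uploaded file as PHP when php-fpm has `cgi.fix_pathinfo` enabled. If the guard is absent, add `try_files $uri =404;` as the first line of that location. Separately, this https vhost is one of the few in the commit that does not `include /etc/nginx/snippets.d/headers.conf;` — the old commented-out include was removed rather than enabled — so if that is intentional it deserves a one-line comment saying why.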
diff --git a/playbooks.d/webserver/share/sites.d/https/net.tyil b/playbooks.d/webserver/share/sites.d/https/net.tyil
new file mode 100644
index 0000000..89fe78e
--- /dev/null
+++ b/playbooks.d/webserver/share/sites.d/https/net.tyil
@@ -0,0 +1,28 @@
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name tyil.net;
+
+	ssl_certificate /etc/letsencrypt/live/tyil.net/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/tyil.net/privkey.pem;
+
+	include /etc/nginx/snippets.d/certbot.conf;
+	include /etc/nginx/snippets.d/headers.conf;
+	include /etc/nginx/snippets.d/ssl.conf;
+
+	auth_basic "Bad hacker!";
+	auth_basic_user_file /var/www/net.tyil/htaccess;
+
+	location /grafana/ {
+		proxy_pass http://127.0.0.1:35300/;
+	}
+
+	location /plausible/ {
+		proxy_pass http://127.0.0.1:8796/;
+	}
+
+	location /prometheus/ {
+		proxy_pass http://127.0.0.1:9090/;
+	}
+}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.fglt b/playbooks.d/webserver/share/sites.d/https/nl.fglt
new file mode 100644
index 0000000..e52b6dc
--- /dev/null
+++ b/playbooks.d/webserver/share/sites.d/https/nl.fglt
@@ -0,0 +1,22 @@
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name fglt.nl;
+
+	ssl_certificate /etc/letsencrypt/live/fglt.nl/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/fglt.nl/privkey.pem;
+
+	include /etc/nginx/snippets.d/certbot.conf;
+	include /etc/nginx/snippets.d/headers.conf;
+	include /etc/nginx/snippets.d/ssl.conf;
+
+	access_log /var/log/nginx/nl.fglt-access.log;
+	error_log /var/log/nginx/nl.fglt-error.log;
+
+	root /var/www/nl.fglt;
+
+	location / {
+		try_files $uri $uri/ =404;
+	}
+}
diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil b/playbooks.d/webserver/share/sites.d/https/nl.tyil
index 891b02a..f80c4b6 100644
--- a/playbooks.d/webserver/share/sites.d/nl.tyil
+++ b/playbooks.d/webserver/share/sites.d/https/nl.tyil
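Review bot: `auth_basic_user_file /var/www/net.tyil/htaccess;` keeps the password hashes protecting Grafana, Plausible and Prometheus inside the `/var/www` content tree that the other vhosts serve from; one `root /var/www/...` with a permissive `try_files`, or a stray symlink, and the hash file becomes a downloadable artifact. Move it out of the web tree, e.g. `auth_basic_user_file /etc/nginx/htpasswd/net.tyil;` with mode 0640, root-owned and group-readable by the worker, and keep `/var/www` for content only. The three `proxy_pass` locations also set no `Host`, `X-Forwarded-For` or `X-Forwarded-Proto` headers, so the backends log every request as 127.0.0.1 over plain HTTP and cannot apply any client-IP based limits of their own.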
@@ -1,14 +1,15 @@ server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name tyil.nl; ssl_certificate /etc/letsencrypt/live/tyil.nl/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/tyil.nl/privkey.pem; - include /etc/nginx/conf.d/ssl.conf; - include /etc/nginx/conf.d/certbot.conf; + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + include /etc/nginx/snippets.d/ssl.conf; location ~ ^/.well-known/openpgpkey(.+)$ { add_header Access-Control-Allow-Origin *; @@ -21,16 +22,3 @@ server { return 301 https://www.tyil.nl$request_uri; } } - -server { - listen 80; - listen [::]:80; - - server_name tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt b/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt new file mode 100644 index 0000000..f3232c3 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt @@ -0,0 +1,17 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name alt.tyil.nl; + + ssl_certificate /etc/letsencrypt/live/alt.tyil.nl/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/alt.tyil.nl/privkey.pem; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + include /etc/nginx/snippets.d/ssl.conf; + + location = / { + return 301 https://www.tyil.nl/services; + } +} diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.imgur b/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.imgur new file mode 100644 index 0000000..c0435f4 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.imgur 
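Review bot: the newly added `include /etc/nginx/snippets.d/headers.conf;` will not take effect inside `location ~ ^/.well-known/openpgpkey(.+)$`, because that location's existing `add_header Access-Control-Allow-Origin *;` replaces, rather than extends, every inherited `add_header` — assuming `headers.conf` (not in this diff) is a list of `add_header` directives. Either re-`include /etc/nginx/snippets.d/headers.conf;` inside that location after the CORS header, or build the snippet around `add_header ... always;` lines that are included per location where needed. The server block continues past the hunk, so other locations with their own `add_header` may have the same gap.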
@@ -0,0 +1,20 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name imgur.alt.tyil.nl; + + ssl_certificate /etc/letsencrypt/live/imgur.alt.tyil.nl/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/imgur.alt.tyil.nl/privkey.pem; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + include /etc/nginx/snippets.d/ssl.conf; + + location / { + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + + proxy_pass http://127.0.0.1:40648; + } +} diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.reddit b/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.reddit new file mode 100644 index 0000000..a064c44 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.reddit @@ -0,0 +1,20 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name reddit.alt.tyil.nl; + + ssl_certificate /etc/letsencrypt/live/reddit.alt.tyil.nl/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/reddit.alt.tyil.nl/privkey.pem; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + include /etc/nginx/snippets.d/ssl.conf; + + location / { + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + + proxy_pass http://127.0.0.1:43559; + } +} diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.twitter b/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.twitter new file mode 100644 index 0000000..52ebf0f --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.twitter 
@@ -0,0 +1,20 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name twitter.alt.tyil.nl; + + ssl_certificate /etc/letsencrypt/live/twitter.alt.tyil.nl/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/twitter.alt.tyil.nl/privkey.pem; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + include /etc/nginx/snippets.d/ssl.conf; + + location / { + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + + proxy_pass http://127.0.0.1:25989; + } +} diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.cloud b/playbooks.d/webserver/share/sites.d/https/nl.tyil.cloud new file mode 100644 index 0000000..c4a86cb --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/https/nl.tyil.cloud 
@@ -0,0 +1,137 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name cloud.tyil.nl; + + error_log /var/log/nginx/cloud-error.log; + access_log /var/log/nginx/cloud-access.log; + + ssl_certificate /etc/letsencrypt/live/cloud.tyil.nl/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/cloud.tyil.nl/privkey.pem; + + include /etc/nginx/snippets.d/ssl.conf; + include /etc/nginx/snippets.d/certbot.conf; + + # Set timeouts + fastcgi_read_timeout 300; + proxy_read_timeout 300; + + # Set upload size + client_max_body_size 200M; + fastcgi_buffers 64 4K; + + # Add (security) headers + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + add_header Referrer-Policy "no-referrer"; + add_header X-Frame-Options "SAMEORIGIN"; + add_header Strict-Transport-Security "max-age=63072000" always; + + # Remove headers + fastcgi_hide_header X-Powered-By; + + # Enable gzip + gzip off; + gzip_vary on; + gzip_comp_level 4; + gzip_min_length 256; + gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; + gzip_types + application/atom+xml + application/javascript + application/json + application/ld+json + application/manifest+json + application/rss+xml + application/vnd.geo+json + application/vnd.ms-fontobject + application/x-font-ttf + application/x-web-app-manifest+json + application/xhtml+xml + application/xml + font/opentype + image/bmp + image/svg+xml + image/x-icon + text/cache-manifest + text/css + text/plain + text/vcard + text/vnd.rim.location.xloc + text/vtt + text/x-component + text/x-cross-domain-policy + ; + + root /var/www/nl.tyil.cloud; + + location / { + rewrite ^ /index.php?$request_uri; + } + + location = /robots.txt { + allow all; + log_not_found off; + access_log off; + } + + location ^~ /.well-known { + rewrite ^/\.well-known/host-meta.json 
/public.php?service=host-meta.json last; + rewrite ^/\.well-known/host-meta /public.php?service=host-meta last; + rewrite ^/\.well-known/webfinger /public.php?service=webfinger last; + rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last; + + location = /.well-known/carddav { return 301 /remote.php/dav/; } + location = /.well-known/caldav { return 301 /remote.php/dav/; } + + #location ^~ /.well-known { return 301 /index.php$uri; } + + try_files $uri $uri/ =404; + } + + location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { + deny all; + } + + location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { + deny all; + } + + location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) { + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + include snippets.d/fcgi.conf; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param HTTPS on; + fastcgi_param modHeadersAvailable true; + fastcgi_param front_controller_active true; + fastcgi_pass localhost:9000; + fastcgi_intercept_errors on; + fastcgi_request_buffering off; + } + + location ~ ^/(?:updater|ocs-provider)(?:$|/) { + try_files $uri/ =404; + index index.php; + } + + location ~ \.(?:css|js|woff|svg|gif)$ { + try_files $uri /index.php$request_uri; + add_header Cache-Control "public, max-age=15778463"; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Robots-Tag none; + add_header X-Download-Options noopen; + add_header X-Permitted-Cross-Domain-Policies none; + access_log off; + } + + location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { + try_files $uri /index.php$request_uri; + access_log off; + } +} diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.dist b/playbooks.d/webserver/share/sites.d/https/nl.tyil.dist new file mode 100644 index 0000000..79f8a3c --- /dev/null 
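Review bot: the `location ~ \.(?:css|js|woff|svg|gif)$` block re-issues five of the server-level `add_header` lines but omits `Strict-Transport-Security`, `Referrer-Policy` and `X-Frame-Options`, and because a location-level `add_header` replaces the inherited set, those three headers are silently dropped for every static asset; the `png|html|ttf|ico|jpg|jpeg` block keeps them only because it has no `add_header` of its own. Add `add_header Strict-Transport-Security "max-age=63072000" always;` plus the other two to the first block, or move the whole list into a snippet included both at server level and in that location. Two smaller points: `gzip off;` makes the dozen `gzip_*` lines below it dead configuration, and `fastcgi_pass localhost:9000;` reaches php-fpm over TCP, which any local process can connect to, where the church.scriptkitties vhost in the same commit uses a unix socket whose permissions can be restricted to the worker user.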
+++ b/playbooks.d/webserver/share/sites.d/https/nl.tyil.dist
@@ -0,0 +1,16 @@
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name dist.tyil.nl;
+
+	ssl_certificate /etc/letsencrypt/live/dist.tyil.nl/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/dist.tyil.nl/privkey.pem;
+
+	include /etc/nginx/snippets.d/certbot.conf;
+	include /etc/nginx/snippets.d/headers.conf;
+	include /etc/nginx/snippets.d/ssl.conf;
+
+	root /var/www/nl.tyil.dist;
+	autoindex on;
+}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.git b/playbooks.d/webserver/share/sites.d/https/nl.tyil.git
new file mode 100644
index 0000000..65d1bb9
--- /dev/null
+++ b/playbooks.d/webserver/share/sites.d/https/nl.tyil.git
@@ -0,0 +1,30 @@
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name git.tyil.nl;
+
+	ssl_certificate /etc/letsencrypt/live/git.tyil.nl/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/git.tyil.nl/privkey.pem;
+
+	include /etc/nginx/snippets.d/certbot.conf;
+	include /etc/nginx/snippets.d/headers.conf;
+	include /etc/nginx/snippets.d/ssl.conf;
+
+	root /usr/share/webapps/cgit/1.2.3-r100/htdocs;
+
+	location / {
+		try_files $uri @cgit;
+	}
+
+	location @cgit {
+		include snippets.d/uwsgi.conf;
+
+		gzip off;
+
+		uwsgi_modifier1 9;
+		#uwsgi_param PATH_INFO $fastcgi_path_info;
+
+		uwsgi_pass 127.0.0.1:1234;
+	}
+}
diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.home b/playbooks.d/webserver/share/sites.d/https/nl.tyil.home
index 55326a3..9683ccd 100644
--- a/playbooks.d/webserver/share/sites.d/nl.tyil.home
+++ b/playbooks.d/webserver/share/sites.d/https/nl.tyil.home
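Review bot: `autoindex on;` at server level under `root /var/www/nl.tyil.dist` publishes a listing of everything in that tree, including dotfiles and anything copied there by mistake, since nginx's autoindex does not hide them. If a browsable mirror is the intent, say so in a comment and add `location ~ /\. { return 404; }` so stray `.git`, `.env` or editor backup files are at least not served. The `nl.tyil.git` hunk on the same line uses `include snippets.d/uwsgi.conf;` (relative to the config prefix) while every other vhost hardcodes `/etc/nginx/snippets.d/` and `nginx.conf` uses `${etc}`; settling on the relative form everywhere would keep the site files working if `fs.etcdir` is ever not `/etc`.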
@@ -1,14 +1,15 @@ server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name home.tyil.nl; ssl_certificate /etc/letsencrypt/live/home.tyil.nl/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/home.tyil.nl/privkey.pem; - include /etc/nginx/conf.d/ssl.conf; - include /etc/nginx/conf.d/certbot.conf; + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + include /etc/nginx/snippets.d/ssl.conf; location / { return 301 https://www.tyil.nl$request_uri; @@ -49,16 +50,3 @@ server { autoindex on; } } - -server { - listen 80; - listen [::]:80; - - server_name home.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.homebrew b/playbooks.d/webserver/share/sites.d/https/nl.tyil.homebrew new file mode 100644 index 0000000..2b8de15 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/https/nl.tyil.homebrew @@ -0,0 +1,19 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name homebrew.tyil.nl; + + ssl_certificate /etc/letsencrypt/live/homebrew.tyil.nl/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/homebrew.tyil.nl/privkey.pem; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + include /etc/nginx/snippets.d/ssl.conf; + + root /var/www/nl.tyil.homebrew; + + location / { + try_files $uri $uri/ =404; + } +} diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.p b/playbooks.d/webserver/share/sites.d/https/nl.tyil.p index e627a0d..75c0e7a 100644 --- a/playbooks.d/webserver/share/sites.d/nl.tyil.p +++ b/playbooks.d/webserver/share/sites.d/https/nl.tyil.p 
@@ -1,15 +1,15 @@ server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot + listen 443 ssl http2; + listen [::]:443 ssl http2; server_name p.tyil.nl; ssl_certificate /etc/letsencrypt/live/p.tyil.nl/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/p.tyil.nl/privkey.pem; - include /etc/nginx/conf.d/certbot.conf; - include /etc/nginx/conf.d/headers.conf; - include /etc/nginx/conf.d/ssl.conf; + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + include /etc/nginx/snippets.d/ssl.conf; root /var/www/nl.tyil.p; @@ -25,17 +25,3 @@ server { alias "/var/www/nl.tyil.p/${slug}/index.txt"; } } - -server { - listen 80; - listen [::]:80; - - server_name p.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - include /etc/nginx/conf.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.radio b/playbooks.d/webserver/share/sites.d/https/nl.tyil.radio new file mode 100644 index 0000000..7098fc5 --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/https/nl.tyil.radio @@ -0,0 +1,17 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name radio.tyil.nl; + + ssl_certificate /etc/letsencrypt/live/radio.tyil.nl/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/radio.tyil.nl/privkey.pem; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + include /etc/nginx/snippets.d/ssl.conf; + + location / { + proxy_pass http://127.0.0.1:8092/mpd.opus; + } +} diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.searx b/playbooks.d/webserver/share/sites.d/https/nl.tyil.searx new file mode 100644 index 0000000..bf461cf --- /dev/null +++ b/playbooks.d/webserver/share/sites.d/https/nl.tyil.searx 
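Review bot: the context line `alias "/var/www/nl.tyil.p/${slug}/index.txt";` builds a filesystem path from a regex capture, and the `location` that defines `slug` is above the hunk and not visible here; `alias` with a capture is only safe if the pattern is anchored and cannot match `/` or `..`, e.g. `location ~ ^/(?<slug>[A-Za-z0-9_-]+)$`. Worth confirming that is the case and recording it in a comment on the location, because neither the moved includes nor the new `headers.conf` affect path handling. The server block continues outside the hunk.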
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name searx.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/searx.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/searx.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ root /var/docker-compose/searx;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Scheme $scheme;
+
+ proxy_pass http://127.0.0.1:60474;
+ }
+}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.tv b/playbooks.d/webserver/share/sites.d/https/nl.tyil.tv
new file mode 100644
index 0000000..093d938
--- /dev/null
+++ b/playbooks.d/webserver/share/sites.d/https/nl.tyil.tv
@@ -0,0 +1,19 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name tv.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/tv.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tv.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/ssl.conf;
+ include /etc/nginx/snippets.d/certbot.conf;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+
+ proxy_pass http://127.0.0.1:8096;
+ }
+}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.www b/playbooks.d/webserver/share/sites.d/https/nl.tyil.www
new file mode 100644
index 0000000..3304c8f
--- /dev/null
+++ b/playbooks.d/webserver/share/sites.d/https/nl.tyil.www
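Review bot: `root /var/docker-compose/searx;` in the searx vhost points the document root at what looks like the compose project directory rather than a static-content directory; today nothing serves from it because every request hits `proxy_pass`, but any later `try_files` or static `location` would expose whatever lives there, and compose directories commonly hold `.env` files and mounted configuration. Either drop the directive or point it at an empty, dedicated directory (a constructed example: `root /var/www/empty;`). Separately, `proxy_set_header Connection $http_connection;` forwards the client's Connection header verbatim; if it is meant to allow WebSocket upgrades it also needs `proxy_http_version 1.1;` and `proxy_set_header Upgrade $http_upgrade;`, otherwise it can simply be removed so the default proxy behaviour applies.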
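Review bot: The tv vhost is the only new https site that does not `include /etc/nginx/snippets.d/headers.conf;`, so whatever response headers that snippet adds for the other hosts (presumably the security headers; the snippet itself is not in this chunk) are absent for tv.tyil.nl. Add `include /etc/nginx/snippets.d/headers.conf;` next to the other two includes, or, if the upstream on 127.0.0.1:8096 is known to conflict with those headers, leave a comment saying so. `proxy_set_header X-Forwarded-For $remote_addr;` also differs from the `$proxy_add_x_forwarded_for` used in the searx and memebooru vhosts; overwriting rather than appending is the safer choice when the backend trusts the header, so a short comment that it is deliberate would keep it from being "harmonised" away.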
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name www.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/www.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/www.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ root /var/www/nl.tyil.www/public;
+
+ error_page 404 /http-404.html;
+
+ location /atom.xml {
+ return 301 https://www.tyil.nl/posts/index.xml;
+ }
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/playbooks.d/webserver/share/sites.d/https/pictures.memebooru b/playbooks.d/webserver/share/sites.d/https/pictures.memebooru
new file mode 100644
index 0000000..9d524ef
--- /dev/null
+++ b/playbooks.d/webserver/share/sites.d/https/pictures.memebooru
@@ -0,0 +1,28 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name memebooru.pictures;
+
+ ssl_certificate /etc/letsencrypt/live/memebooru.pictures/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/memebooru.pictures/privkey.pem;
+
+ include /etc/nginx/snippets.d/ssl.conf;
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ client_max_body_size 100M;
+ client_body_timeout 30s;
+
+ location / {
+ proxy_pass http://127.0.0.1:50405;
+ proxy_set_header Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Script-Name /szuru;
+ }
+}
diff --git a/playbooks.d/webserver/share/sites.d/https/work.tyil b/playbooks.d/webserver/share/sites.d/https/work.tyil
new file mode 100644
index 0000000..d5a5dd9
--- /dev/null
+++ b/playbooks.d/webserver/share/sites.d/https/work.tyil
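Review bot: In the memebooru vhost, `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection "upgrade";` are set without `proxy_http_version 1.1;`, so nginx still speaks HTTP/1.0 to 127.0.0.1:50405 and a WebSocket upgrade cannot complete; and `Connection "upgrade"` is sent on every request, including ordinary ones, which some upstreams reject. The usual shape is `proxy_http_version 1.1;` here, a `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` in the http context, and `proxy_set_header Connection $connection_upgrade;` in place of the literal. The include order (`ssl.conf` before `certbot.conf`/`headers.conf`) also differs from the other new vhosts; harmless, but worth aligning so the files diff cleanly against each other.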
@@ -0,0 +1,15 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name tyil.work;
+
+ ssl_certificate /etc/letsencrypt/live/tyil.work/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tyil.work/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ return 301 https://www.tyil.nl$request_uri;
+}
diff --git a/playbooks.d/webserver/share/sites.d/net.tyil b/playbooks.d/webserver/share/sites.d/net.tyil
deleted file mode 100644
index 571fb97..0000000
--- a/playbooks.d/webserver/share/sites.d/net.tyil
+++ /dev/null
@@ -1,32 +0,0 @@
-server {
- listen 443 ssl; # managed by Certbot
- listen [::]:443 ssl; # managed by Certbot
-
- server_name tyil.net;
-
- ssl_certificate /etc/letsencrypt/live/tyil.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/tyil.net/privkey.pem;
-
- include /etc/nginx/conf.d/ssl.conf;
- include /etc/nginx/conf.d/certbot.conf;
-
- location / {
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
-
- proxy_pass http://10.57.100.7;
- }
-}
-
-server {
- listen 80;
- listen [::]:80;
-
- server_name tyil.net;
-
- include /etc/nginx/conf.d/certbot.conf;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/nl.fglt b/playbooks.d/webserver/share/sites.d/nl.fglt
deleted file mode 100644
index 63e8d62..0000000
--- a/playbooks.d/webserver/share/sites.d/nl.fglt
+++ /dev/null
@@ -1,39 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - - server_name fglt.nl; - - ssl_certificate /etc/letsencrypt/live/fglt.nl/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/fglt.nl/privkey.pem; - - include /etc/nginx/conf.d/certbot.conf; - include /etc/nginx/conf.d/headers.conf; - include /etc/nginx/conf.d/ssl.conf; - - access_log /var/log/nginx/nl.fglt-access.log; - error_log /var/log/nginx/nl.fglt-error.log; - - root /var/www/nl.fglt; - - location / { - try_files $uri $uri/ =404; - } -} - -server { - listen 80; - listen [::]:80; - - server_name fglt.nl; - - include /etc/nginx/conf.d/certbot.conf; - include /etc/nginx/conf.d/headers.conf; - - access_log /var/log/nginx/nl.fglt-access.log; - error_log /var/log/nginx/nl.fglt-error.log; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.alt b/playbooks.d/webserver/share/sites.d/nl.tyil.alt deleted file mode 100644 index aae4826..0000000 --- a/playbooks.d/webserver/share/sites.d/nl.tyil.alt +++ /dev/null @@ -1,29 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - - server_name alt.tyil.nl; - - ssl_certificate /etc/letsencrypt/live/alt.tyil.nl/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/alt.tyil.nl/privkey.pem; - - include /etc/nginx/conf.d/ssl.conf; - include /etc/nginx/conf.d/certbot.conf; - - location = / { - return 301 https://www.tyil.nl/services; - } -} - -server { - listen 80; - listen [::]:80; - - server_name alt.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.alt.imgur b/playbooks.d/webserver/share/sites.d/nl.tyil.alt.imgur deleted file mode 100644 index 8e3c8a3..0000000 --- a/playbooks.d/webserver/share/sites.d/nl.tyil.alt.imgur +++ /dev/null 
@@ -1,32 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - - server_name imgur.alt.tyil.nl; - - ssl_certificate /etc/letsencrypt/live/imgur.alt.tyil.nl/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/imgur.alt.tyil.nl/privkey.pem; - - include /etc/nginx/conf.d/ssl.conf; - include /etc/nginx/conf.d/certbot.conf; - - location / { - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - - proxy_pass http://10.57.100.7; - } -} - -server { - listen 80; - listen [::]:80; - - server_name imgur.alt.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.alt.reddit b/playbooks.d/webserver/share/sites.d/nl.tyil.alt.reddit deleted file mode 100644 index ba62ade..0000000 --- a/playbooks.d/webserver/share/sites.d/nl.tyil.alt.reddit +++ /dev/null @@ -1,32 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - - server_name reddit.alt.tyil.nl; - - ssl_certificate /etc/letsencrypt/live/reddit.alt.tyil.nl/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/reddit.alt.tyil.nl/privkey.pem; - - include /etc/nginx/conf.d/ssl.conf; - include /etc/nginx/conf.d/certbot.conf; - - location / { - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - - proxy_pass http://10.57.100.7; - } -} - -server { - listen 80; - listen [::]:80; - - server_name reddit.alt.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.alt.twitter b/playbooks.d/webserver/share/sites.d/nl.tyil.alt.twitter deleted file mode 100644 index e40baba..0000000 --- a/playbooks.d/webserver/share/sites.d/nl.tyil.alt.twitter +++ /dev/null 
@@ -1,32 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - - server_name twitter.alt.tyil.nl; - - ssl_certificate /etc/letsencrypt/live/twitter.alt.tyil.nl/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/twitter.alt.tyil.nl/privkey.pem; - - include /etc/nginx/conf.d/ssl.conf; - include /etc/nginx/conf.d/certbot.conf; - - location / { - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - - proxy_pass http://10.57.100.7; - } -} - -server { - listen 80; - listen [::]:80; - - server_name twitter.alt.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.alt.youtube b/playbooks.d/webserver/share/sites.d/nl.tyil.alt.youtube deleted file mode 100644 index 17bb748..0000000 --- a/playbooks.d/webserver/share/sites.d/nl.tyil.alt.youtube +++ /dev/null @@ -1,32 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - - server_name youtube.alt.tyil.nl; - - ssl_certificate /etc/letsencrypt/live/youtube.alt.tyil.nl/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/youtube.alt.tyil.nl/privkey.pem; - - include /etc/nginx/conf.d/ssl.conf; - include /etc/nginx/conf.d/certbot.conf; - - location / { - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - - proxy_pass http://10.57.100.7; - } -} - -server { - listen 80; - listen [::]:80; - - server_name youtube.alt.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.cloud b/playbooks.d/webserver/share/sites.d/nl.tyil.cloud deleted file mode 100644 index 09fb324..0000000 --- a/playbooks.d/webserver/share/sites.d/nl.tyil.cloud +++ /dev/null 
@@ -1,37 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - - server_name cloud.tyil.nl; - - error_log /var/log/nginx/cloud-error.log; - access_log /var/log/nginx/cloud-access.log; - - ssl_certificate /etc/letsencrypt/live/cloud.tyil.nl/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/cloud.tyil.nl/privkey.pem; - - include /etc/nginx/conf.d/ssl.conf; - include /etc/nginx/conf.d/certbot.conf; - - client_max_body_size 200M; - - location / { - proxy_set_header Host "cloud.tyil.nl"; - proxy_set_header X-Forwarded-For $remote_addr; - - proxy_pass http://10.57.100.7; - } -} - -server { - listen 80; - listen [::]:80; - - server_name cloud.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.dist b/playbooks.d/webserver/share/sites.d/nl.tyil.dist deleted file mode 100644 index 66bf077..0000000 --- a/playbooks.d/webserver/share/sites.d/nl.tyil.dist +++ /dev/null @@ -1,34 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - - server_name dist.tyil.nl; - - ssl_certificate /etc/letsencrypt/live/dist.tyil.nl/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/dist.tyil.nl/privkey.pem; - - include /etc/nginx/conf.d/certbot.conf; - include /etc/nginx/conf.d/headers.conf; - include /etc/nginx/conf.d/ssl.conf; - - location / { - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - - proxy_pass http://10.57.100.7; - } -} - -server { - listen 80; - listen [::]:80; - - server_name dist.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - include /etc/nginx/conf.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.dnd-wiki b/playbooks.d/webserver/share/sites.d/nl.tyil.dnd-wiki deleted file mode 100644 index 40108c1..0000000 
--- a/playbooks.d/webserver/share/sites.d/nl.tyil.dnd-wiki +++ /dev/null @@ -1,53 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - server_name dnd-wiki.tyil.nl; - - ssl_certificate /etc/letsencrypt/live/dnd-wiki.tyil.nl/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/dnd-wiki.tyil.nl/privkey.pem; - - include /etc/nginx/conf.d/ssl.conf; - include /etc/nginx/conf.d/certbot.conf; - - root /var/www/nl.tyil.dnd-wiki; - - client_max_body_size 10M; - - location / { - index doku.php; - try_files $uri $uri/ @dokuwiki; - } - - location ~ ^/lib.*\.(gif|png|ico|jpg)$ { - expires 30d; - } - - location ^~ /conf/ { return 403; } - location ^~ /data/ { return 403; } - - location @dokuwiki { - rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last; - rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last; - rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last; - rewrite ^/(.*) /doku.php?id=$1 last; - } - - location ~ \.php$ { - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_pass localhost:9000; - } -} - -server { - listen 80; - listen [::]:80; - - server_name dnd-wiki.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.git b/playbooks.d/webserver/share/sites.d/nl.tyil.git deleted file mode 100644 index e7d04f0..0000000 --- a/playbooks.d/webserver/share/sites.d/nl.tyil.git +++ /dev/null 
@@ -1,34 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - - server_name git.tyil.nl; - - ssl_certificate /etc/letsencrypt/live/git.tyil.nl/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/git.tyil.nl/privkey.pem; - - include /etc/nginx/conf.d/certbot.conf; - include /etc/nginx/conf.d/headers.conf; - include /etc/nginx/conf.d/ssl.conf; - - location / { - proxy_set_header Host "git.tyil.nl"; - proxy_set_header X-Forwarded-For $remote_addr; - - proxy_pass http://10.57.100.7; - } -} - -server { - listen 80; - listen [::]:80; - - server_name git.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - include /etc/nginx/conf.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.headphones b/playbooks.d/webserver/share/sites.d/nl.tyil.headphones deleted file mode 100644 index 9f27f69..0000000 --- a/playbooks.d/webserver/share/sites.d/nl.tyil.headphones +++ /dev/null @@ -1,35 +0,0 @@ -#server { -# listen 443 ssl; # managed by Certbot -# listen [::]:443 ssl; # managed by Certbot -# -# server_name headphones.tyil.nl; -# -# ssl_certificate /etc/letsencrypt/live/headphones.tyil.nl/fullchain.pem; -# ssl_certificate_key /etc/letsencrypt/live/headphones.tyil.nl/privkey.pem; -# -# include /etc/nginx/conf.d/ssl.conf; -# include /etc/nginx/conf.d/certbot.conf; -# -# location / { -# proxy_pass http://127.0.0.1:8181; -# } -#} - -server { - listen 80; - listen [::]:80; - - server_name headphones.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - - access_log /var/log/nginx/nl.tyil.headphones-access.log; - error_log /var/log/nginx/nl.tyil.headphones-error.log; - -# location / { -# return 301 https://$host$request_uri; -# } - location / { - proxy_pass http://localhost:8181; - } -} 
diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.homebrew b/playbooks.d/webserver/share/sites.d/nl.tyil.homebrew deleted file mode 100644 index 26f8272..0000000 --- a/playbooks.d/webserver/share/sites.d/nl.tyil.homebrew +++ /dev/null @@ -1,33 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - - server_name homebrew.tyil.nl; - - ssl_certificate /etc/letsencrypt/live/homebrew.tyil.nl/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/homebrew.tyil.nl/privkey.pem; - - include /etc/nginx/conf.d/certbot.conf; - include /etc/nginx/conf.d/headers.conf; - include /etc/nginx/conf.d/ssl.conf; - - root /var/www/nl.tyil.homebrew; - - location / { - try_files $uri $uri/ =404; - } -} - -server { - listen 80; - listen [::]:80; - - server_name homebrew.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - include /etc/nginx/conf.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.radio b/playbooks.d/webserver/share/sites.d/nl.tyil.radio deleted file mode 100644 index e71f55d..0000000 --- a/playbooks.d/webserver/share/sites.d/nl.tyil.radio +++ /dev/null @@ -1,34 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - - server_name radio.tyil.nl; - - ssl_certificate /etc/letsencrypt/live/radio.tyil.nl/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/radio.tyil.nl/privkey.pem; - - include /etc/nginx/conf.d/certbot.conf; - include /etc/nginx/conf.d/headers.conf; - include /etc/nginx/conf.d/ssl.conf; - - location / { - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - - proxy_pass http://10.57.100.7; - } -} - -server { - listen 80; - listen [::]:80; - - server_name radio.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - include /etc/nginx/conf.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} 
diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.searx b/playbooks.d/webserver/share/sites.d/nl.tyil.searx deleted file mode 100644 index 643ec0b..0000000 --- a/playbooks.d/webserver/share/sites.d/nl.tyil.searx +++ /dev/null @@ -1,32 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - - server_name searx.tyil.nl; - - ssl_certificate /etc/letsencrypt/live/searx.tyil.nl/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/searx.tyil.nl/privkey.pem; - - include /etc/nginx/conf.d/ssl.conf; - include /etc/nginx/conf.d/certbot.conf; - - location / { - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - - proxy_pass http://10.57.100.7; - } -} - -server { - listen 80; - listen [::]:80; - - server_name searx.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.tv b/playbooks.d/webserver/share/sites.d/nl.tyil.tv deleted file mode 100644 index 569ef73..0000000 --- a/playbooks.d/webserver/share/sites.d/nl.tyil.tv +++ /dev/null @@ -1,32 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - - server_name tv.tyil.nl; - - ssl_certificate /etc/letsencrypt/live/tv.tyil.nl/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/tv.tyil.nl/privkey.pem; - - include /etc/nginx/conf.d/ssl.conf; - include /etc/nginx/conf.d/certbot.conf; - - location / { - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - - proxy_pass http://10.57.100.7; - } -} - -server { - listen 80; - listen [::]:80; - - server_name tv.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/nl.tyil.www b/playbooks.d/webserver/share/sites.d/nl.tyil.www deleted file mode 100644 index 5717b98..0000000 
--- a/playbooks.d/webserver/share/sites.d/nl.tyil.www +++ /dev/null @@ -1,39 +0,0 @@ -server { - listen 443 ssl http2; # managed by Certbot - listen [::]:443 ssl http2; # managed by Certbot - - server_name www.tyil.nl; - - ssl_certificate /etc/letsencrypt/live/www.tyil.nl/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/www.tyil.nl/privkey.pem; - - include /etc/nginx/conf.d/certbot.conf; - include /etc/nginx/conf.d/headers.conf; - include /etc/nginx/conf.d/ssl.conf; - - root /var/www/nl.tyil.www/public; - - error_page 404 /http-404.html; - - location /atom.xml { - return 301 https://www.tyil.nl/posts/index.xml; - } - - location / { - try_files $uri $uri/ =404; - } -} - -server { - listen 80; - listen [::]:80; - - server_name www.tyil.nl; - - include /etc/nginx/conf.d/certbot.conf; - include /etc/nginx/conf.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/onion.ak444pkh3dsgeruzq5nncg7yzdvqvhevxybwl2n35wht6uyaav6uh4ad b/playbooks.d/webserver/share/sites.d/onion.ak444pkh3dsgeruzq5nncg7yzdvqvhevxybwl2n35wht6uyaav6uh4ad deleted file mode 100644 index 77c4a75..0000000 --- a/playbooks.d/webserver/share/sites.d/onion.ak444pkh3dsgeruzq5nncg7yzdvqvhevxybwl2n35wht6uyaav6uh4ad +++ /dev/null @@ -1,12 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name ak444pkh3dsgeruzq5nncg7yzdvqvhevxybwl2n35wht6uyaav6uh4ad.onion; - - root /var/www/nl.tyil.www; - - location / { - try_files $uri $uri/ =404; - } -} diff --git a/playbooks.d/webserver/share/sites.d/pictures.memebooru b/playbooks.d/webserver/share/sites.d/pictures.memebooru deleted file mode 100644 index eca3b4e..0000000 --- a/playbooks.d/webserver/share/sites.d/pictures.memebooru +++ /dev/null 
@@ -1,35 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - - server_name memebooru.pictures; - - ssl_certificate /etc/letsencrypt/live/memebooru.pictures/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/memebooru.pictures/privkey.pem; - - include /etc/nginx/conf.d/ssl.conf; - include /etc/nginx/conf.d/certbot.conf; - - client_max_body_size 100M; - client_body_timeout 30s; - - location / { - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - - proxy_pass http://10.57.100.7; - } -} - -server { - listen 80; - listen [::]:80; - - server_name memebooru.pictures; - - include /etc/nginx/conf.d/certbot.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/work.tyil b/playbooks.d/webserver/share/sites.d/work.tyil deleted file mode 100644 index cdb957a..0000000 --- a/playbooks.d/webserver/share/sites.d/work.tyil +++ /dev/null @@ -1,27 +0,0 @@ -server { - listen 443 ssl; # managed by Certbot - listen [::]:443 ssl; # managed by Certbot - - server_name tyil.work; - - ssl_certificate /etc/letsencrypt/live/tyil.work/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/tyil.work/privkey.pem; - - include /etc/nginx/conf.d/ssl.conf; - include /etc/nginx/conf.d/certbot.conf; - - return 301 https://www.tyil.nl$request_uri; -} - -server { - listen 80; - listen [::]:80; - - server_name tyil.work; - - location / { - return 301 https://$host$request_uri; - } - - include /etc/nginx/conf.d/certbot.conf; -} diff --git a/playbooks.d/webserver/share/snippets.d/fcgi.conf b/playbooks.d/webserver/share/snippets.d/fcgi.conf new file mode 100644 index 0000000..bc235bf --- /dev/null +++ b/playbooks.d/webserver/share/snippets.d/fcgi.conf 
@@ -0,0 +1,27 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+
+# httpoxy mitigation (https://httpoxy.org/ https://www.nginx.com/blog/?p=41962)
+fastcgi_param HTTP_PROXY "";
diff --git a/playbooks.d/webserver/share/snippets.d/uwsgi.conf b/playbooks.d/webserver/share/snippets.d/uwsgi.conf
new file mode 100644
index 0000000..9d67d3d
--- /dev/null
+++ b/playbooks.d/webserver/share/snippets.d/uwsgi.conf
@@ -0,0 +1,20 @@
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
+
+# httpoxy mitigation (https://httpoxy.org/ https://www.nginx.com/blog/?p=41962)
+uwsgi_param HTTP_PROXY ""; |
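Review bot: fcgi.conf deliberately sets no `SCRIPT_FILENAME`, so every `location` that includes it must add `fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;` (and its own `fastcgi_pass`) or a PHP backend will answer every request with its "no input file" error; a header comment stating that contract would save the next site from that silent failure, e.g. `# Generic FastCGI environment. Including locations must set SCRIPT_FILENAME and fastcgi_pass themselves.`. Keeping the `HTTP_PROXY ""` mitigation last, with its comment, is the right place for it — it must not be shadowed by a later per-site `fastcgi_param`, which the comment could also say.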
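Review bot: uwsgi.conf begins with an empty added line (a bare `+` directly after the hunk header), the only snippet in this commit that does; drop it so the file starts at `uwsgi_param QUERY_STRING $query_string;`. A one-line header would also explain why this file is a subset of fcgi.conf (no SCRIPT_NAME, GATEWAY_INTERFACE, SERVER_SOFTWARE or SERVER_ADDR, and `PATH_INFO` carrying `$document_uri`), e.g. `# uwsgi environment: same parameters as fcgi.conf minus the CGI-only ones; PATH_INFO is the full document URI.`. As in fcgi.conf, the `HTTP_PROXY ""` line should stay last so no later include overrides it.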