summaryrefslogtreecommitdiff
path: root/playbooks.d/webserver-nginx/share
diff options
context:
space:
mode:
authorPatrick Spek <p.spek@tyil.nl>2022-04-25 13:45:34 +0200
committerPatrick Spek <p.spek@tyil.nl>2022-04-25 13:45:34 +0200
commit908718a622fe229d17da7303b117eee0fe7f8d9d (patch)
tree2fa0a4a6e6f953327a463165e6cfed7caea86cd1 /playbooks.d/webserver-nginx/share
parentd5f5413825e75268abaa10d208beac48dd75d159 (diff)
Rename playbooks
Diffstat (limited to 'playbooks.d/webserver-nginx/share')
-rwxr-xr-xplaybooks.d/webserver-nginx/share/cert.sh11
-rw-r--r--playbooks.d/webserver-nginx/share/mime.types88
-rw-r--r--playbooks.d/webserver-nginx/share/nginx.conf23
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/_10
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/church.scriptkitties13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/com.voidfire13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/net.tyil12
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/nl.fglt13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.imgur13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.reddit13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.twitter13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.cloud12
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.dist13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.git13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.home13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.homebrew13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.p13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.radio13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.searx13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.tv12
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.www13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/pictures.memebooru13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/http/work.tyil13
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/church.scriptkitties62
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/com.voidfire19
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/net.tyil28
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/nl.fglt22
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil24
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt17
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.imgur20
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.reddit20
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.twitter20
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.cloud137
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.dist16
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.git30
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.home52
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.homebrew19
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.p27
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.radio17
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.searx25
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.tv19
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.www25
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/pictures.memebooru28
-rw-r--r--playbooks.d/webserver-nginx/share/sites.d/https/work.tyil15
-rw-r--r--playbooks.d/webserver-nginx/share/snippets.d/certbot.conf5
-rw-r--r--playbooks.d/webserver-nginx/share/snippets.d/fcgi.conf27
-rw-r--r--playbooks.d/webserver-nginx/share/snippets.d/headers.conf4
-rw-r--r--playbooks.d/webserver-nginx/share/snippets.d/ssl.conf16
-rw-r--r--playbooks.d/webserver-nginx/share/snippets.d/uwsgi.conf20
51 files changed, 1116 insertions, 0 deletions
diff --git a/playbooks.d/webserver-nginx/share/cert.sh b/playbooks.d/webserver-nginx/share/cert.sh
new file mode 100755
index 0000000..d290710
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/cert.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+main()
+{
+ certbot certonly \
+ --rsa-key-size 4096 \
+ --webroot -w /var/www/.acme \
+ -d "$1"
+}
+
+main "$@"
diff --git a/playbooks.d/webserver-nginx/share/mime.types b/playbooks.d/webserver-nginx/share/mime.types
new file mode 100644
index 0000000..cd3d700
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/mime.types
@@ -0,0 +1,88 @@
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+ image/svg+xml svg svgz;
+ image/webp webp;
+
+ application/font-woff woff;
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.wap.wmlc wmlc;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
diff --git a/playbooks.d/webserver-nginx/share/nginx.conf b/playbooks.d/webserver-nginx/share/nginx.conf
new file mode 100644
index 0000000..834f220
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/nginx.conf
@@ -0,0 +1,23 @@
+user www;
+worker_processes auto;
+pid /run/nginx.pid;
+
+events {
+ worker_connections 768;
+}
+
+http {
+ include ${etc}/nginx/mime.types;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ default_type application/octet-stream;
+ gzip on;
+ sendfile on;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+
+ include ${etc}/nginx/sites-enabled.d/http/*;
+ include ${etc}/nginx/sites-enabled.d/https/*;
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/_ b/playbooks.d/webserver-nginx/share/sites.d/http/_
new file mode 100644
index 0000000..6207cb2
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/_
@@ -0,0 +1,10 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ server_name _;
+
+ location / {
+ return 404;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/church.scriptkitties b/playbooks.d/webserver-nginx/share/sites.d/http/church.scriptkitties
new file mode 100644
index 0000000..0af0235
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/church.scriptkitties
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name scriptkitties.church;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/com.voidfire b/playbooks.d/webserver-nginx/share/sites.d/http/com.voidfire
new file mode 100644
index 0000000..3fa9728
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/com.voidfire
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name voidfire.com;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/net.tyil b/playbooks.d/webserver-nginx/share/sites.d/http/net.tyil
new file mode 100644
index 0000000..31cca7e
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/net.tyil
@@ -0,0 +1,12 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name tyil.net;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.fglt b/playbooks.d/webserver-nginx/share/sites.d/http/nl.fglt
new file mode 100644
index 0000000..4d80a62
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.fglt
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name fglt.nl;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil
new file mode 100644
index 0000000..b2c93db
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name tyil.nl;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt
new file mode 100644
index 0000000..ecdfbe8
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name alt.tyil.nl;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.imgur b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.imgur
new file mode 100644
index 0000000..4ae2082
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.imgur
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name imgur.alt.tyil.nl;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.reddit b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.reddit
new file mode 100644
index 0000000..b1ba239
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.reddit
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name reddit.alt.tyil.nl;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.twitter b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.twitter
new file mode 100644
index 0000000..4d537c4
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.twitter
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name twitter.alt.tyil.nl;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.cloud b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.cloud
new file mode 100644
index 0000000..7c3e941
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.cloud
@@ -0,0 +1,12 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name cloud.tyil.nl;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.dist b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.dist
new file mode 100644
index 0000000..19bb5fc
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.dist
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name dist.tyil.nl;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.git b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.git
new file mode 100644
index 0000000..92ce73e
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.git
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name git.tyil.nl;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.home b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.home
new file mode 100644
index 0000000..70eeff7
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.home
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name home.tyil.nl;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.homebrew b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.homebrew
new file mode 100644
index 0000000..5a87074
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.homebrew
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name homebrew.tyil.nl;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.p b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.p
new file mode 100644
index 0000000..8d71cf8
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.p
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name p.tyil.nl;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.radio b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.radio
new file mode 100644
index 0000000..e7adfaf
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.radio
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name radio.tyil.nl;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.searx b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.searx
new file mode 100644
index 0000000..3ee75d4
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.searx
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name searx.tyil.nl;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.tv b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.tv
new file mode 100644
index 0000000..9179cc9
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.tv
@@ -0,0 +1,12 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name tv.tyil.nl;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.www b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.www
new file mode 100644
index 0000000..6370823
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.www
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name www.tyil.nl;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/pictures.memebooru b/playbooks.d/webserver-nginx/share/sites.d/http/pictures.memebooru
new file mode 100644
index 0000000..0aae163
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/pictures.memebooru
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name memebooru.pictures;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/work.tyil b/playbooks.d/webserver-nginx/share/sites.d/http/work.tyil
new file mode 100644
index 0000000..7b09142
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/http/work.tyil
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name tyil.work;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/church.scriptkitties b/playbooks.d/webserver-nginx/share/sites.d/https/church.scriptkitties
new file mode 100644
index 0000000..de07ad6
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/church.scriptkitties
@@ -0,0 +1,62 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name scriptkitties.church;
+
+ ssl_certificate /etc/letsencrypt/live/scriptkitties.church/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/scriptkitties.church/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+ include mime.types;
+
+ root /var/www/church.scriptkitties;
+ index index.php;
+
+ autoindex off;
+ fastcgi_param HTTPS on;
+ client_max_body_size 10m;
+ client_body_buffer_size 128k;
+
+ location / {
+ try_files $uri /index.php?pagename=$uri&$args;
+ }
+
+ location ^~ /.well-known/ {
+ allow all;
+ rewrite ^ /index.php?pagename=$uri;
+ }
+
+ location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {
+ expires 30d;
+ try_files $uri /index.php?pagename=$uri&$args;
+ }
+
+ location ~* \.php$ {
+ try_files $uri =404;
+
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+ fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
+
+ include /etc/nginx/snippets.d/fcgi.conf;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+
+ fastcgi_buffers 16 16k;
+ fastcgi_buffer_size 32k;
+ }
+
+ location ~* \.(tpl|md|tgz|log|out)$ {
+ deny all;
+ }
+
+ location ~ /\. {
+ deny all;
+ }
+
+ location ^~ /bin {
+ deny all;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/com.voidfire b/playbooks.d/webserver-nginx/share/sites.d/https/com.voidfire
new file mode 100644
index 0000000..4021ca0
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/com.voidfire
@@ -0,0 +1,19 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name voidfire.com;
+
+ ssl_certificate /etc/letsencrypt/live/voidfire.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voidfire.com/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ root /var/www/com.voidfire;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/net.tyil b/playbooks.d/webserver-nginx/share/sites.d/https/net.tyil
new file mode 100644
index 0000000..89fe78e
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/net.tyil
@@ -0,0 +1,28 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name tyil.net;
+
+ ssl_certificate /etc/letsencrypt/live/tyil.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tyil.net/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ auth_basic "Bad hacker!";
+ auth_basic_user_file /var/www/net.tyil/htaccess;
+
+ location /grafana/ {
+ proxy_pass http://127.0.0.1:35300/;
+ }
+
+ location /plausible/ {
+ proxy_pass http://127.0.0.1:8796/;
+ }
+
+ location /prometheus/ {
+ proxy_pass http://127.0.0.1:9090/;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.fglt b/playbooks.d/webserver-nginx/share/sites.d/https/nl.fglt
new file mode 100644
index 0000000..e52b6dc
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.fglt
@@ -0,0 +1,22 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name fglt.nl;
+
+ ssl_certificate /etc/letsencrypt/live/fglt.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/fglt.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ access_log /var/log/nginx/nl.fglt-access.log;
+ error_log /var/log/nginx/nl.fglt-error.log;
+
+ root /var/www/nl.fglt;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil
new file mode 100644
index 0000000..f80c4b6
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil
@@ -0,0 +1,24 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ location ~ ^/.well-known/openpgpkey(.+)$ {
+ add_header Access-Control-Allow-Origin *;
+
+ root /var/wkd/nl.tyil;
+ try_files $1 =404;
+ }
+
+ location / {
+ return 301 https://www.tyil.nl$request_uri;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt
new file mode 100644
index 0000000..f3232c3
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt
@@ -0,0 +1,17 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name alt.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/alt.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/alt.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ location = / {
+ return 301 https://www.tyil.nl/services;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.imgur b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.imgur
new file mode 100644
index 0000000..c0435f4
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.imgur
@@ -0,0 +1,20 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name imgur.alt.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/imgur.alt.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/imgur.alt.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+
+ proxy_pass http://127.0.0.1:40648;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.reddit b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.reddit
new file mode 100644
index 0000000..a064c44
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.reddit
@@ -0,0 +1,20 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name reddit.alt.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/reddit.alt.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/reddit.alt.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+
+ proxy_pass http://127.0.0.1:43559;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.twitter b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.twitter
new file mode 100644
index 0000000..52ebf0f
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.twitter
@@ -0,0 +1,20 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name twitter.alt.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/twitter.alt.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/twitter.alt.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+
+ proxy_pass http://127.0.0.1:25989;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.cloud b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.cloud
new file mode 100644
index 0000000..c4a86cb
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.cloud
@@ -0,0 +1,137 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name cloud.tyil.nl;
+
+ error_log /var/log/nginx/cloud-error.log;
+ access_log /var/log/nginx/cloud-access.log;
+
+ ssl_certificate /etc/letsencrypt/live/cloud.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/cloud.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/ssl.conf;
+ include /etc/nginx/snippets.d/certbot.conf;
+
+ # Set timeouts
+ fastcgi_read_timeout 300;
+ proxy_read_timeout 300;
+
+ # Set upload size
+ client_max_body_size 200M;
+ fastcgi_buffers 64 4K;
+
+ # Add (security) headers
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy "no-referrer";
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # Remove headers
+ fastcgi_hide_header X-Powered-By;
+
+ # Enable gzip
+ gzip off;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/ld+json
+ application/manifest+json
+ application/rss+xml
+ application/vnd.geo+json
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-web-app-manifest+json
+ application/xhtml+xml
+ application/xml
+ font/opentype
+ image/bmp
+ image/svg+xml
+ image/x-icon
+ text/cache-manifest
+ text/css
+ text/plain
+ text/vcard
+ text/vnd.rim.location.xloc
+ text/vtt
+ text/x-component
+ text/x-cross-domain-policy
+ ;
+
+ root /var/www/nl.tyil.cloud;
+
+ location / {
+ rewrite ^ /index.php?$request_uri;
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location ^~ /.well-known {
+ rewrite ^/\.well-known/host-meta.json /public.php?service=host-meta.json last;
+ rewrite ^/\.well-known/host-meta /public.php?service=host-meta last;
+ rewrite ^/\.well-known/webfinger /public.php?service=webfinger last;
+ rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last;
+
+ location = /.well-known/carddav { return 301 /remote.php/dav/; }
+ location = /.well-known/caldav { return 301 /remote.php/dav/; }
+
+ #location ^~ /.well-known { return 301 /index.php$uri; }
+
+ try_files $uri $uri/ =404;
+ }
+
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+ deny all;
+ }
+
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
+ }
+
+ location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ include snippets.d/fcgi.conf;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTPS on;
+ fastcgi_param modHeadersAvailable true;
+ fastcgi_param front_controller_active true;
+ fastcgi_pass localhost:9000;
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ }
+
+ location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+ try_files $uri/ =404;
+ index index.php;
+ }
+
+ location ~ \.(?:css|js|woff|svg|gif)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ access_log off;
+ }
+
+ location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+ try_files $uri /index.php$request_uri;
+ access_log off;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.dist b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.dist
new file mode 100644
index 0000000..79f8a3c
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.dist
@@ -0,0 +1,16 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name dist.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/dist.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/dist.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ root /var/www/nl.tyil.dist;
+ autoindex on;
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.git b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.git
new file mode 100644
index 0000000..65d1bb9
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.git
@@ -0,0 +1,30 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name git.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/git.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/git.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ root /usr/share/webapps/cgit/1.2.3-r100/htdocs;
+
+ location / {
+ try_files $uri @cgit;
+ }
+
+ location @cgit {
+ include snippets.d/uwsgi.conf;
+
+ gzip off;
+
+ uwsgi_modifier1 9;
+ #uwsgi_param PATH_INFO $fastcgi_path_info;
+
+ uwsgi_pass 127.0.0.1:1234;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.home b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.home
new file mode 100644
index 0000000..9683ccd
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.home
@@ -0,0 +1,52 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name home.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/home.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/home.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ location / {
+ return 301 https://www.tyil.nl$request_uri;
+ }
+
+ location ~ ^/~(.+?)(/.*)?$ {
+ alias /home/$1/www$2;
+ autoindex on;
+ }
+
+ location /git {
+ rewrite ^/git/(.*)$ https://git.tyil.nl/$1 redirect;
+ }
+
+ location /media {
+ alias /var/media;
+
+ satisfy any;
+
+ allow 127.0.0.1;
+ allow 10.57.0.0/16;
+ allow 192.168.178.0/24;
+ deny all;
+
+ auth_basic "pls no hack";
+ auth_basic_user_file "/var/media/.htpasswd";
+
+ autoindex on;
+ }
+
+ location /media/backups { deny all; }
+ location /media/nextcloud { deny all; }
+ location /media/pictures { deny all; }
+ location /media/recordings { deny all; }
+
+ location /packages {
+ alias /var/portage/packages;
+ autoindex on;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.homebrew b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.homebrew
new file mode 100644
index 0000000..2b8de15
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.homebrew
@@ -0,0 +1,19 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name homebrew.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/homebrew.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/homebrew.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ root /var/www/nl.tyil.homebrew;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.p b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.p
new file mode 100644
index 0000000..75c0e7a
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.p
@@ -0,0 +1,27 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name p.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/p.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/p.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ root /var/www/nl.tyil.p;
+
+ location = / {
+ return 301 https://www.tyil.nl/services/fiche/;
+ }
+
+ location ~ ^/(?<slug>.+)$ {
+ # Disassociate all filetypes and their Content-Type, and
+ # default everything to text/plain.
+ types { } default_type text/plain;
+
+ alias "/var/www/nl.tyil.p/${slug}/index.txt";
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.radio b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.radio
new file mode 100644
index 0000000..7098fc5
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.radio
@@ -0,0 +1,17 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name radio.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/radio.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/radio.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ location / {
+ proxy_pass http://127.0.0.1:8092/mpd.opus;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.searx b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.searx
new file mode 100644
index 0000000..bf461cf
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.searx
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name searx.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/searx.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/searx.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ root /var/docker-compose/searx;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Scheme $scheme;
+
+ proxy_pass http://127.0.0.1:60474;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.tv b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.tv
new file mode 100644
index 0000000..093d938
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.tv
@@ -0,0 +1,19 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name tv.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/tv.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tv.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/ssl.conf;
+ include /etc/nginx/snippets.d/certbot.conf;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+
+ proxy_pass http://127.0.0.1:8096;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.www b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.www
new file mode 100644
index 0000000..3304c8f
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.www
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name www.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/www.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/www.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ root /var/www/nl.tyil.www/public;
+
+ error_page 404 /http-404.html;
+
+ location /atom.xml {
+ return 301 https://www.tyil.nl/posts/index.xml;
+ }
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/pictures.memebooru b/playbooks.d/webserver-nginx/share/sites.d/https/pictures.memebooru
new file mode 100644
index 0000000..9d524ef
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/pictures.memebooru
@@ -0,0 +1,28 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name memebooru.pictures;
+
+ ssl_certificate /etc/letsencrypt/live/memebooru.pictures/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/memebooru.pictures/privkey.pem;
+
+ include /etc/nginx/snippets.d/ssl.conf;
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ client_max_body_size 100M;
+ client_body_timeout 30s;
+
+ location / {
+ proxy_pass http://127.0.0.1:50405;
+ proxy_set_header Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Script-Name /szuru;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/work.tyil b/playbooks.d/webserver-nginx/share/sites.d/https/work.tyil
new file mode 100644
index 0000000..d5a5dd9
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/work.tyil
@@ -0,0 +1,15 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name tyil.work;
+
+ ssl_certificate /etc/letsencrypt/live/tyil.work/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tyil.work/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ return 301 https://www.tyil.nl$request_uri;
+}
diff --git a/playbooks.d/webserver-nginx/share/snippets.d/certbot.conf b/playbooks.d/webserver-nginx/share/snippets.d/certbot.conf
new file mode 100644
index 0000000..64c9195
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/snippets.d/certbot.conf
@@ -0,0 +1,5 @@
+# Certbot endpoint
+location /.well-known/acme-challenge {
+ root /var/www/.acme;
+ try_files $uri $uri/ =404;
+}
diff --git a/playbooks.d/webserver-nginx/share/snippets.d/fcgi.conf b/playbooks.d/webserver-nginx/share/snippets.d/fcgi.conf
new file mode 100644
index 0000000..bc235bf
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/snippets.d/fcgi.conf
@@ -0,0 +1,27 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+
+# httpoxy mitigation (https://httpoxy.org/ https://www.nginx.com/blog/?p=41962)
+fastcgi_param HTTP_PROXY "";
diff --git a/playbooks.d/webserver-nginx/share/snippets.d/headers.conf b/playbooks.d/webserver-nginx/share/snippets.d/headers.conf
new file mode 100644
index 0000000..c277e3d
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/snippets.d/headers.conf
@@ -0,0 +1,4 @@
+add_header Content-Security-Policy "default-src 'self'" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
diff --git a/playbooks.d/webserver-nginx/share/snippets.d/ssl.conf b/playbooks.d/webserver-nginx/share/snippets.d/ssl.conf
new file mode 100644
index 0000000..68bcdf0
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/snippets.d/ssl.conf
@@ -0,0 +1,16 @@
+# SSL settings
+ssl_protocols TLSv1.3 TLSv1.2;
+
+ssl_buffer_size 4K;
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_ecdh_curve secp521r1:secp384r1;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:le_nginx_SSL:2m;
+ssl_session_tickets off;
+ssl_session_timeout 1440m;
+
+# Ciphers
+ssl_ciphers 'EECDH+AESGCM:EECDH+AES256:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA';
+
+# Additional headers
+add_header Strict-Transport-Security "max-age=63072000" always;
diff --git a/playbooks.d/webserver-nginx/share/snippets.d/uwsgi.conf b/playbooks.d/webserver-nginx/share/snippets.d/uwsgi.conf
new file mode 100644
index 0000000..9d67d3d
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/snippets.d/uwsgi.conf
@@ -0,0 +1,20 @@
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
+
+# httpoxy mitigation (https://httpoxy.org/ https://www.nginx.com/blog/?p=41962)
+uwsgi_param HTTP_PROXY "";