From 908718a622fe229d17da7303b117eee0fe7f8d9d Mon Sep 17 00:00:00 2001 
From: Patrick Spek Date: Mon, 25 Apr 2022 13:45:34 +0200 Subject: Rename playbooks --- playbooks.d/vpn-tinc/description.txt | 1 + playbooks.d/vpn-tinc/etc/defaults | 6 + .../vpn-tinc/etc/os.d/linux-debian_gnu_linux | 1 + playbooks.d/vpn-tinc/playbook.bash | 123 ++++++++++++++++++ playbooks.d/vpn-tinc/share/host | 2 + playbooks.d/vpn-tinc/share/hosts/anoia_tyil_net | 16 +++ playbooks.d/vpn-tinc/share/hosts/caeghi_tyil_net | 16 +++ playbooks.d/vpn-tinc/share/hosts/edephas_tyil_net | 16 +++ playbooks.d/vpn-tinc/share/hosts/gaeru_tyil_net | 16 +++ playbooks.d/vpn-tinc/share/tinc-down-ifconfig | 3 + playbooks.d/vpn-tinc/share/tinc-down-ip | 3 + playbooks.d/vpn-tinc/share/tinc-up-ifconfig | 3 + playbooks.d/vpn-tinc/share/tinc-up-ip | 5 + playbooks.d/vpn-tinc/share/tinc.conf | 4 + playbooks.d/vpn/description.txt | 1 - playbooks.d/vpn/etc/defaults | 6 - playbooks.d/vpn/etc/os.d/linux-debian_gnu_linux | 1 - playbooks.d/vpn/playbook.bash | 123 ------------------ playbooks.d/vpn/share/host | 2 - playbooks.d/vpn/share/hosts/anoia_tyil_net | 16 --- playbooks.d/vpn/share/hosts/caeghi_tyil_net | 16 --- playbooks.d/vpn/share/hosts/edephas_tyil_net | 16 --- playbooks.d/vpn/share/hosts/gaeru_tyil_net | 16 --- playbooks.d/vpn/share/tinc-down-ifconfig | 3 - playbooks.d/vpn/share/tinc-down-ip | 3 - playbooks.d/vpn/share/tinc-up-ifconfig | 3 - playbooks.d/vpn/share/tinc-up-ip | 5 - playbooks.d/vpn/share/tinc.conf | 4 - playbooks.d/webserver-nginx/description.txt | 1 + playbooks.d/webserver-nginx/etc/defaults | 4 + playbooks.d/webserver-nginx/playbook.bash | 107 ++++++++++++++++ playbooks.d/webserver-nginx/share/cert.sh | 11 ++ playbooks.d/webserver-nginx/share/mime.types | 88 +++++++++++++ playbooks.d/webserver-nginx/share/nginx.conf | 23 ++++ playbooks.d/webserver-nginx/share/sites.d/http/_ | 10 ++ .../share/sites.d/http/church.scriptkitties | 13 ++ .../share/sites.d/http/com.voidfire | 13 ++ .../webserver-nginx/share/sites.d/http/net.tyil | 12 ++ 
.../webserver-nginx/share/sites.d/http/nl.fglt | 13 ++ .../webserver-nginx/share/sites.d/http/nl.tyil | 13 ++ .../webserver-nginx/share/sites.d/http/nl.tyil.alt | 13 ++ .../share/sites.d/http/nl.tyil.alt.imgur | 13 ++ .../share/sites.d/http/nl.tyil.alt.reddit | 13 ++ .../share/sites.d/http/nl.tyil.alt.twitter | 13 ++ .../share/sites.d/http/nl.tyil.cloud | 12 ++ .../share/sites.d/http/nl.tyil.dist | 13 ++ .../webserver-nginx/share/sites.d/http/nl.tyil.git | 13 ++ .../share/sites.d/http/nl.tyil.home | 13 ++ .../share/sites.d/http/nl.tyil.homebrew | 13 ++ .../webserver-nginx/share/sites.d/http/nl.tyil.p | 13 ++ .../share/sites.d/http/nl.tyil.radio | 13 ++ .../share/sites.d/http/nl.tyil.searx | 13 ++ .../webserver-nginx/share/sites.d/http/nl.tyil.tv | 12 ++ .../webserver-nginx/share/sites.d/http/nl.tyil.www | 13 ++ .../share/sites.d/http/pictures.memebooru | 13 ++ .../webserver-nginx/share/sites.d/http/work.tyil | 13 ++ .../share/sites.d/https/church.scriptkitties | 62 ++++++++++ .../share/sites.d/https/com.voidfire | 19 +++ .../webserver-nginx/share/sites.d/https/net.tyil | 28 +++++ .../webserver-nginx/share/sites.d/https/nl.fglt | 22 ++++ .../webserver-nginx/share/sites.d/https/nl.tyil | 24 ++++ .../share/sites.d/https/nl.tyil.alt | 17 +++ .../share/sites.d/https/nl.tyil.alt.imgur | 20 +++ .../share/sites.d/https/nl.tyil.alt.reddit | 20 +++ .../share/sites.d/https/nl.tyil.alt.twitter | 20 +++ .../share/sites.d/https/nl.tyil.cloud | 137 +++++++++++++++++++++ .../share/sites.d/https/nl.tyil.dist | 16 +++ .../share/sites.d/https/nl.tyil.git | 30 +++++ .../share/sites.d/https/nl.tyil.home | 52 ++++++++ .../share/sites.d/https/nl.tyil.homebrew | 19 +++ .../webserver-nginx/share/sites.d/https/nl.tyil.p | 27 ++++ .../share/sites.d/https/nl.tyil.radio | 17 +++ .../share/sites.d/https/nl.tyil.searx | 25 ++++ .../webserver-nginx/share/sites.d/https/nl.tyil.tv | 19 +++ .../share/sites.d/https/nl.tyil.www | 25 ++++ .../share/sites.d/https/pictures.memebooru | 28 +++++ 
.../webserver-nginx/share/sites.d/https/work.tyil | 15 +++ .../webserver-nginx/share/snippets.d/certbot.conf | 5 + .../webserver-nginx/share/snippets.d/fcgi.conf | 27 ++++ .../webserver-nginx/share/snippets.d/headers.conf | 4 + .../webserver-nginx/share/snippets.d/ssl.conf | 16 +++ .../webserver-nginx/share/snippets.d/uwsgi.conf | 20 +++ playbooks.d/webserver/description.txt | 1 - playbooks.d/webserver/etc/defaults | 4 - playbooks.d/webserver/playbook.bash | 107 ---------------- playbooks.d/webserver/share/cert.sh | 11 -- playbooks.d/webserver/share/mime.types | 88 ------------- playbooks.d/webserver/share/nginx.conf | 23 ---- playbooks.d/webserver/share/sites.d/http/_ | 10 -- .../share/sites.d/http/church.scriptkitties | 13 -- .../webserver/share/sites.d/http/com.voidfire | 13 -- playbooks.d/webserver/share/sites.d/http/net.tyil | 12 -- playbooks.d/webserver/share/sites.d/http/nl.fglt | 13 -- playbooks.d/webserver/share/sites.d/http/nl.tyil | 13 -- .../webserver/share/sites.d/http/nl.tyil.alt | 13 -- .../webserver/share/sites.d/http/nl.tyil.alt.imgur | 13 -- .../share/sites.d/http/nl.tyil.alt.reddit | 13 -- .../share/sites.d/http/nl.tyil.alt.twitter | 13 -- .../webserver/share/sites.d/http/nl.tyil.cloud | 12 -- .../webserver/share/sites.d/http/nl.tyil.dist | 13 -- .../webserver/share/sites.d/http/nl.tyil.git | 13 -- .../webserver/share/sites.d/http/nl.tyil.home | 13 -- .../webserver/share/sites.d/http/nl.tyil.homebrew | 13 -- playbooks.d/webserver/share/sites.d/http/nl.tyil.p | 13 -- .../webserver/share/sites.d/http/nl.tyil.radio | 13 -- .../webserver/share/sites.d/http/nl.tyil.searx | 13 -- .../webserver/share/sites.d/http/nl.tyil.tv | 12 -- .../webserver/share/sites.d/http/nl.tyil.www | 13 -- .../share/sites.d/http/pictures.memebooru | 13 -- playbooks.d/webserver/share/sites.d/http/work.tyil | 13 -- .../share/sites.d/https/church.scriptkitties | 62 ---------- .../webserver/share/sites.d/https/com.voidfire | 19 --- 
playbooks.d/webserver/share/sites.d/https/net.tyil | 28 ----- playbooks.d/webserver/share/sites.d/https/nl.fglt | 22 ---- playbooks.d/webserver/share/sites.d/https/nl.tyil | 24 ---- .../webserver/share/sites.d/https/nl.tyil.alt | 17 --- .../share/sites.d/https/nl.tyil.alt.imgur | 20 --- .../share/sites.d/https/nl.tyil.alt.reddit | 20 --- .../share/sites.d/https/nl.tyil.alt.twitter | 20 --- .../webserver/share/sites.d/https/nl.tyil.cloud | 137 --------------------- .../webserver/share/sites.d/https/nl.tyil.dist | 16 --- .../webserver/share/sites.d/https/nl.tyil.git | 30 ----- .../webserver/share/sites.d/https/nl.tyil.home | 52 -------- .../webserver/share/sites.d/https/nl.tyil.homebrew | 19 --- .../webserver/share/sites.d/https/nl.tyil.p | 27 ---- .../webserver/share/sites.d/https/nl.tyil.radio | 17 --- .../webserver/share/sites.d/https/nl.tyil.searx | 25 ---- .../webserver/share/sites.d/https/nl.tyil.tv | 19 --- .../webserver/share/sites.d/https/nl.tyil.www | 25 ---- .../share/sites.d/https/pictures.memebooru | 28 ----- .../webserver/share/sites.d/https/work.tyil | 15 --- .../webserver/share/snippets.d/certbot.conf | 5 - playbooks.d/webserver/share/snippets.d/fcgi.conf | 27 ---- .../webserver/share/snippets.d/headers.conf | 4 - playbooks.d/webserver/share/snippets.d/ssl.conf | 16 --- playbooks.d/webserver/share/snippets.d/uwsgi.conf | 20 --- registry.d/anoia.tyil.net | 2 +- registry.d/caeghi.tyil.net | 2 +- registry.d/edephas.tyil.net | 4 +- registry.d/gaeru.tyil.net | 2 +- 140 files changed, 1448 insertions(+), 1448 deletions(-) create mode 100644 playbooks.d/vpn-tinc/description.txt create mode 100644 playbooks.d/vpn-tinc/etc/defaults create mode 100644 playbooks.d/vpn-tinc/etc/os.d/linux-debian_gnu_linux create mode 100644 playbooks.d/vpn-tinc/playbook.bash create mode 100644 playbooks.d/vpn-tinc/share/host create mode 100644 playbooks.d/vpn-tinc/share/hosts/anoia_tyil_net create mode 100644 playbooks.d/vpn-tinc/share/hosts/caeghi_tyil_net create mode 100644 
playbooks.d/vpn-tinc/share/hosts/edephas_tyil_net create mode 100644 playbooks.d/vpn-tinc/share/hosts/gaeru_tyil_net create mode 100644 playbooks.d/vpn-tinc/share/tinc-down-ifconfig create mode 100644 playbooks.d/vpn-tinc/share/tinc-down-ip create mode 100644 playbooks.d/vpn-tinc/share/tinc-up-ifconfig create mode 100644 playbooks.d/vpn-tinc/share/tinc-up-ip create mode 100644 playbooks.d/vpn-tinc/share/tinc.conf delete mode 100644 playbooks.d/vpn/description.txt delete mode 100644 playbooks.d/vpn/etc/defaults delete mode 100644 playbooks.d/vpn/etc/os.d/linux-debian_gnu_linux delete mode 100644 playbooks.d/vpn/playbook.bash delete mode 100644 playbooks.d/vpn/share/host delete mode 100644 playbooks.d/vpn/share/hosts/anoia_tyil_net delete mode 100644 playbooks.d/vpn/share/hosts/caeghi_tyil_net delete mode 100644 playbooks.d/vpn/share/hosts/edephas_tyil_net delete mode 100644 playbooks.d/vpn/share/hosts/gaeru_tyil_net delete mode 100644 playbooks.d/vpn/share/tinc-down-ifconfig delete mode 100644 playbooks.d/vpn/share/tinc-down-ip delete mode 100644 playbooks.d/vpn/share/tinc-up-ifconfig delete mode 100644 playbooks.d/vpn/share/tinc-up-ip delete mode 100644 playbooks.d/vpn/share/tinc.conf create mode 100644 playbooks.d/webserver-nginx/description.txt create mode 100644 playbooks.d/webserver-nginx/etc/defaults create mode 100644 playbooks.d/webserver-nginx/playbook.bash create mode 100755 playbooks.d/webserver-nginx/share/cert.sh create mode 100644 playbooks.d/webserver-nginx/share/mime.types create mode 100644 playbooks.d/webserver-nginx/share/nginx.conf create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/_ create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/church.scriptkitties create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/com.voidfire create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/net.tyil create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/nl.fglt create mode 100644 
playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.imgur create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.reddit create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.twitter create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.cloud create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.dist create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.git create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.home create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.homebrew create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.p create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.radio create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.searx create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.tv create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.www create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/pictures.memebooru create mode 100644 playbooks.d/webserver-nginx/share/sites.d/http/work.tyil create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/church.scriptkitties create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/com.voidfire create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/net.tyil create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/nl.fglt create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.imgur create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.reddit create mode 
100644 playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.twitter create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.cloud create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.dist create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.git create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.home create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.homebrew create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.p create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.radio create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.searx create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.tv create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.www create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/pictures.memebooru create mode 100644 playbooks.d/webserver-nginx/share/sites.d/https/work.tyil create mode 100644 playbooks.d/webserver-nginx/share/snippets.d/certbot.conf create mode 100644 playbooks.d/webserver-nginx/share/snippets.d/fcgi.conf create mode 100644 playbooks.d/webserver-nginx/share/snippets.d/headers.conf create mode 100644 playbooks.d/webserver-nginx/share/snippets.d/ssl.conf create mode 100644 playbooks.d/webserver-nginx/share/snippets.d/uwsgi.conf delete mode 100644 playbooks.d/webserver/description.txt delete mode 100644 playbooks.d/webserver/etc/defaults delete mode 100644 playbooks.d/webserver/playbook.bash delete mode 100755 playbooks.d/webserver/share/cert.sh delete mode 100644 playbooks.d/webserver/share/mime.types delete mode 100644 playbooks.d/webserver/share/nginx.conf delete mode 100644 playbooks.d/webserver/share/sites.d/http/_ delete mode 100644 playbooks.d/webserver/share/sites.d/http/church.scriptkitties delete mode 100644 playbooks.d/webserver/share/sites.d/http/com.voidfire delete mode 100644 
playbooks.d/webserver/share/sites.d/http/net.tyil delete mode 100644 playbooks.d/webserver/share/sites.d/http/nl.fglt delete mode 100644 playbooks.d/webserver/share/sites.d/http/nl.tyil delete mode 100644 playbooks.d/webserver/share/sites.d/http/nl.tyil.alt delete mode 100644 playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.imgur delete mode 100644 playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.reddit delete mode 100644 playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.twitter delete mode 100644 playbooks.d/webserver/share/sites.d/http/nl.tyil.cloud delete mode 100644 playbooks.d/webserver/share/sites.d/http/nl.tyil.dist delete mode 100644 playbooks.d/webserver/share/sites.d/http/nl.tyil.git delete mode 100644 playbooks.d/webserver/share/sites.d/http/nl.tyil.home delete mode 100644 playbooks.d/webserver/share/sites.d/http/nl.tyil.homebrew delete mode 100644 playbooks.d/webserver/share/sites.d/http/nl.tyil.p delete mode 100644 playbooks.d/webserver/share/sites.d/http/nl.tyil.radio delete mode 100644 playbooks.d/webserver/share/sites.d/http/nl.tyil.searx delete mode 100644 playbooks.d/webserver/share/sites.d/http/nl.tyil.tv delete mode 100644 playbooks.d/webserver/share/sites.d/http/nl.tyil.www delete mode 100644 playbooks.d/webserver/share/sites.d/http/pictures.memebooru delete mode 100644 playbooks.d/webserver/share/sites.d/http/work.tyil delete mode 100644 playbooks.d/webserver/share/sites.d/https/church.scriptkitties delete mode 100644 playbooks.d/webserver/share/sites.d/https/com.voidfire delete mode 100644 playbooks.d/webserver/share/sites.d/https/net.tyil delete mode 100644 playbooks.d/webserver/share/sites.d/https/nl.fglt delete mode 100644 playbooks.d/webserver/share/sites.d/https/nl.tyil delete mode 100644 playbooks.d/webserver/share/sites.d/https/nl.tyil.alt delete mode 100644 playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.imgur delete mode 100644 playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.reddit delete mode 100644 
playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.twitter delete mode 100644 playbooks.d/webserver/share/sites.d/https/nl.tyil.cloud delete mode 100644 playbooks.d/webserver/share/sites.d/https/nl.tyil.dist delete mode 100644 playbooks.d/webserver/share/sites.d/https/nl.tyil.git delete mode 100644 playbooks.d/webserver/share/sites.d/https/nl.tyil.home delete mode 100644 playbooks.d/webserver/share/sites.d/https/nl.tyil.homebrew delete mode 100644 playbooks.d/webserver/share/sites.d/https/nl.tyil.p delete mode 100644 playbooks.d/webserver/share/sites.d/https/nl.tyil.radio delete mode 100644 playbooks.d/webserver/share/sites.d/https/nl.tyil.searx delete mode 100644 playbooks.d/webserver/share/sites.d/https/nl.tyil.tv delete mode 100644 playbooks.d/webserver/share/sites.d/https/nl.tyil.www delete mode 100644 playbooks.d/webserver/share/sites.d/https/pictures.memebooru delete mode 100644 playbooks.d/webserver/share/sites.d/https/work.tyil delete mode 100644 playbooks.d/webserver/share/snippets.d/certbot.conf delete mode 100644 playbooks.d/webserver/share/snippets.d/fcgi.conf delete mode 100644 playbooks.d/webserver/share/snippets.d/headers.conf delete mode 100644 playbooks.d/webserver/share/snippets.d/ssl.conf delete mode 100644 playbooks.d/webserver/share/snippets.d/uwsgi.conf
diff --git a/playbooks.d/vpn-tinc/description.txt b/playbooks.d/vpn-tinc/description.txt
new file mode 100644
index 0000000..0bad766
--- /dev/null
+++ b/playbooks.d/vpn-tinc/description.txt
@@ -0,0 +1 @@
+VPN through tinc
diff --git a/playbooks.d/vpn-tinc/etc/defaults b/playbooks.d/vpn-tinc/etc/defaults
new file mode 100644
index 0000000..3186527
--- /dev/null
+++ b/playbooks.d/vpn-tinc/etc/defaults
@@ -0,0 +1,6 @@
+app.tinc=tinc
+app.tincd=tincd
+
+pkg.tinc=tinc
+
+svc.tinc=tincd
diff --git a/playbooks.d/vpn-tinc/etc/os.d/linux-debian_gnu_linux b/playbooks.d/vpn-tinc/etc/os.d/linux-debian_gnu_linux
new file mode 100644
index 0000000..9a5da58
--- /dev/null
+++ b/playbooks.d/vpn-tinc/etc/os.d/linux-debian_gnu_linux
@@ -0,0 +1 @@
+svc.tinc=tinc@tyilnet
diff --git a/playbooks.d/vpn-tinc/playbook.bash b/playbooks.d/vpn-tinc/playbook.bash
new file mode 100644
index 0000000..f9c8dd5
--- /dev/null
+++ b/playbooks.d/vpn-tinc/playbook.bash
@@ -0,0 +1,123 @@
+#!/usr/bin/env bash
+
+playbook_add()
+{
+ local tinc="$(config "app.tinc")"
+ local tincd="$(config "app.tincd")"
+ local dir="$(config "fs.etcdir")/tinc/tyilnet"
+ local name="$(tr "." "_" <<< "${BASHTARD_PLATFORM[fqdn]}")"
+ local ipv4="$(config "vpn.ipv4")"
+
+ if [[ -z "$ipv4" ]]
+ then
+ emerg "$BASHTARD_PLAYBOOK" "No IPv4 address set for ${BASHTARD_PLATFORM[fqdn]}"
+ return 2
+ fi
+
+ case "${BASHTARD_PLATFORM[key]}" in
+ freebsd) iptool=ifconfig ;;
+ *) iptool=ip
+ esac
+
+ info "$BASHTARD_PLAYBOOK" "Installing tinc"
+ pkg install "tinc"
+
+ info "$BASHTARD_PLAYBOOK" "Creating tinc configuration at $dir"
+ mkdir -pv -- \
+ "$dir" \
+ "$dir/hosts"
+
+ file_template tinc.conf \
+ "name=$name" \
+ > "$dir/tinc.conf"
+
+ file_template "tinc-up-$iptool" \
+ "ip4=$(config "vpn.ipv4")" \
+ > "$dir/tinc-up"
+
+ file_template "tinc-down-$iptool" \
+ "ip4=$(config "vpn.ipv4")" \
+ > "$dir/tinc-down"
+
+ file_template "host" \
+ "ip4=$(config "vpn.ipv4")" \
+ > "$dir/hosts/$name"
+
+ chmod +x \
+ "$dir/tinc-up" \
+ "$dir/tinc-down"
+
+ info "$BASHTARD_PLAYBOOK" "Generating private keys"
+
+ case "$($tincd --version | awk '{ print $3 }' | head -n1)" in
+ 1.0*)
+ $tincd -n tyilnet -K4096
+ ;;
+ 1.1*|*)
+ $tinc -n tyilnet generate-rsa-keys 4096
+ $tinc -n tyilnet generate-ed25519-keys
+ ;;
+ esac
+
+ info "$BASHTARD_PLAYBOOK" "Adding new host to Bashtard configs"
+
+ cp -v -- \
+ "$dir/hosts/$name" \
+ "$BASHTARD_ETCDIR/playbooks.d/$BASHTARD_PLAYBOOK/share/hosts/$name"
+
+ playbook_sync
+
+ info "$BASHTARD_PLAYBOOK" "Enabling VPN service"
+
+ case "${BASHTARD_PLATFORM[key]}" in
+ freebsd)
+ if ! grep -Fq 'tincd_cfg="tyilnet"' "/etc/rc.conf.d/tincd"
+ then
+ printf 'tincd_cfg="%s"\n' "tyilnet" >> "/etc/rc.conf.d/tincd"
+ fi
+ ;;
+ linux-gentoo)
+ if ! grep -Fq "NETWORK: tyilnet" /etc/conf.d/tinc.networks
+ then
+ printf "NETWORK: %s\n" "tyilnet" >> /etc/conf.d/tinc.networks
+ fi
+ ;;
+ esac
+
+ svc enable "tinc"
+ svc start "tinc"
+}
+
+playbook_sync()
+{
+ local dir="$(config "fs.etcdir")/tinc/tyilnet"
+ local name="$(tr "." "_" <<< "${BASHTARD_PLATFORM[fqdn]}")"
+ local host
+
+ info "$BASHTARD_PLAYBOOK" "Regenerating tinc hosts"
+ rm -fr -- "$dir/hosts"
+ mkdir -p -- "$dir/hosts"
+
+ for path in "$BASHTARD_ETCDIR/playbooks.d/$BASHTARD_PLAYBOOK/share/hosts"/*
+ do
+ host="$(basename "$path")"
+
+ notice "$BASHTARD_PLAYBOOK" "Updating host $host"
+ file_template "hosts/$host" \
+ > "$dir/hosts/$host"
+ done
+
+ [[ "$BASHTARD_COMMAND" == "add" ]] && return
+
+ svc reload "tinc"
+}
+
+playbook_del()
+{
+ svc stop "tinc"
+ svc disable "tinc"
+
+ pkg uninstall "tinc"
+
+ rm -frv -- "$(config "fs.etcdir")/tinc/tyilnet"
+}
diff --git a/playbooks.d/vpn-tinc/share/host b/playbooks.d/vpn-tinc/share/host
new file mode 100644
index 0000000..c24d4ad
--- /dev/null
+++ b/playbooks.d/vpn-tinc/share/host
@@ -0,0 +1,2 @@
+Subnet = ${ip4}/32
+
diff --git a/playbooks.d/vpn-tinc/share/hosts/anoia_tyil_net b/playbooks.d/vpn-tinc/share/hosts/anoia_tyil_net
new file mode 100644
index 0000000..4856c95
--- /dev/null
+++ b/playbooks.d/vpn-tinc/share/hosts/anoia_tyil_net
@@ -0,0 +1,16 @@
+Subnet = 10.57.100.3/32
+
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEAvcW/20fxgdGdNelD/eMwEpLChI03rvDbPHAp9en3cwlYaND40udO
+VxjRXj0rE9IA4N0f+o8oJdmG+mzl5Dd3rKXVnBnRymKzpNJ2w+cILPm1sQa6IO85
+F+7Q5v7lb5yFuy3JVi+tg4nqL+xHSZL6w/oPX667bR90oBJEd7C+U7p7r8DXvyHq
+cg9U1maDmZ0IzZtl6BxsjyfUr0o6xBtw+pCSIvOXW5xd4mfBPgvp+3nIcux6nek3
+VR6SJ85aXlYZxER23N13Vi3dGUJSIaBPN5MuS3IHBbAP/Feeyo8p4SCzl0AMfo/K
++ZGcheL/NX7EVGg4XcZNgFaTBpusScOfxiRlzAeImomiQwKIywXp1otCn6dKIDj0
+jj146Dodf2nHRbTQj7H/2zyiRDjY/tpis/xTVA5AJu+p5aaXBA/eSb4H1OKL5qYs
+38/bUiUJTSbpWvC9WiHq/xi5GSs+3ehDara89yXXhunWLsqvSZOZacqeZQw8k+ip
+pNcnXbbtS0zqNQie3OEKY9qqOGKzjUiYu8yWJ4eo370XzlQ9sUgGfKmwCcc2c2jX
+Rrhjck+4DGeRA10oJpoxKArPaWrGWezIHJ49Jrc+xiTJ5EMVqOpuGvL5lrKn7g6y
+qYk1u6x0We1nCkMNN2LxrmL6j3p6PKRbWg7bczqPO4uEyT/575Ih2ssCAwEAAQ==
+-----END RSA PUBLIC KEY-----
+Ed25519PublicKey = 7jy41lK2S4BzhUVSAmULDSiZ9NQM4eQ0Geg2+F9pTpG
diff --git a/playbooks.d/vpn-tinc/share/hosts/caeghi_tyil_net b/playbooks.d/vpn-tinc/share/hosts/caeghi_tyil_net
new file mode 100644
index 0000000..c5d5b05
--- /dev/null
+++ b/playbooks.d/vpn-tinc/share/hosts/caeghi_tyil_net
@@ -0,0 +1,16 @@
+Address = 116.202.102.33
+Subnet = 10.57.20.2/32
+
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEA2abFKFB1Dr1YMcAIWcy/2+jJn+suPyiQjz6vgt476P9a/I7SUCta
+P5QUPxvS9pZxFVTFKzpmdKxG1pbCAkhArtNg2R1VFEiYCxS+iey+F11pMPEZFVpC
+EIXeVDQeBm9UXjrOpcTRIwEO7Q2J2lzRrhGm6Rpb6XbdmtQ3S8XgVsXYwWoV7muf
+TE/d5fgtz8Hghti8w86FP9q61iH6AHCREwbHEUyat5hwznmbiNJHyjx+otI63sQo
+FS37EazhqCEvt9jyvVSmB7kVTOLnIVATWDaUlPCLLvps09eRsz6aAa7RHCGd3x/W
+mRHxDCbeKL4ilpo/FPZhANdQImLmFovOtwZ6xawRWKPcRXhkaL24qQC0MLH9wmnY
+oM6EMioWUa0F11iFM99DTK+NF2Pk8vHNzm0Ep5g0SHzqnAIDDzeNTC9ogwsETqL5
+t7VY1GXuKWgta9L2q03X7FMEgjIc3lPgVLc0Ccx11MTgVzcIaLxFQ58oo+xFuc9I
+rBqjZgJwg5MTdZiyZesLJuV+YP+yRat3LifAwIZhloSBVPU6YKx/y30BHjDM8FP1
+OM2IzJLrafZDy034XyD4s62YsKrHMcQ3CeoQ80QjvSyWvSlvn2vEqrbWIZADi0d/
+8vgl44gF9g9yN++G6S7BsTJ5PNgv0jrRFu/RpEN1hVOuo+nBqFsvxW8CAwEAAQ==
+-----END RSA PUBLIC KEY-----
diff --git a/playbooks.d/vpn-tinc/share/hosts/edephas_tyil_net b/playbooks.d/vpn-tinc/share/hosts/edephas_tyil_net
new file mode 100644
index 0000000..6e095bb
--- /dev/null
+++ b/playbooks.d/vpn-tinc/share/hosts/edephas_tyil_net
@@ -0,0 +1,16 @@
+Subnet = 10.57.100.7/32
+
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEApxmzAXv4Mch5FP5AxHmpvHjkJGxcegbFzdFzHjhdLDJ9MQQZdM1p
+PomhyYXB9Gsq4oJIOcjqJJdbp4dchYGJ++eS3V1wwstLMTl/+kWZ4ojI9sb/J5rl
+a3gknTjipdUuoOpdkAkXKCbq9AXyFsvLr4Q6WaFpeTuIjNb2QgPOLUmcD1eNCdnn
+KcHQAGR3zRh3uu8zMkaJZwQDZAdRLV6b77OLe7PXCsYgQ68qw3uti3JENv8VC80T
+UxUmv8He7xgAqRCJbD3FH3WT2O63mK9jpnFj/BKDTm5k4hUDtZRY1O92JUqQAruw
+gq3I8mhSqFMkvt+S67u950hRzN4/ZGs7lzxRkDqDqLy+ZISN2cDpbX1i4WmZFfex
+zj7ZbmfsVzwSF/+K31AOQrODt79bGGFwjZgAVn9Cny/bysBxrOJy39D2Awioynpc
+mjICtRP7utpo959YmSNsEcjfamIHVfUOTsEoIYhYASmWRjrSF6v7j2bbC+aFOWsf
+yIRZc0EtH803/Ks++ieIDWFmhB0ydtkqFm8HK2eyqOqnlHTepmrDflkxfao3JTXP
+CbldDpUGKBcLZ5FNaJ5hlQHnJGzU+wbnc133cdYtg9vvhFVgameme8ElcOjZZxMJ
+fPWXMAWc2Szx3Hs/jlaTSIH2GoX1Rr2HdrrNg0qOG/qhLPNrtmrxH/sCAwEAAQ==
+-----END RSA PUBLIC KEY-----
+Ed25519PublicKey = 4ABczlbBBLs5WMztIzafWw1ozwKZVkj4/of3Jc6awiO
diff --git a/playbooks.d/vpn-tinc/share/hosts/gaeru_tyil_net b/playbooks.d/vpn-tinc/share/hosts/gaeru_tyil_net
new file mode 100644
index 0000000..eba305b
--- /dev/null
+++ b/playbooks.d/vpn-tinc/share/hosts/gaeru_tyil_net
@@ -0,0 +1,16 @@
+Address = 37.48.120.26
+Subnet = 10.57.20.6/32
+
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEA9NUrWO0L8lqrfs4BgZsLdfJZPfKx+Fi8P4k79CIBuVfkQ4OzJmoV
+ahupoOo5edjYLJK09epa9zFRc1DuaotYC7Wm9DdIF82WNZXN9x/Mvuq06WaKXBdj
+iTJKbYfVN/yv8Xfjzfp4DH3txwsq+9AuICHJkHOmb0lsDinpfbmP8C8ozBnutrLM
+XGaIzXzkV2NbunyjaiR7dho5+4P6wedck+IV63KRzepbX36OW9xImmEEpBPeMPzd
+VOgWs35FIgnE5uumXXfIax9CA9wFahvMYUlQbxA6kCg9PTteM3C44udFx8DxzGcR
+giKEbfxjcZ4pK9JG+LTxNZC2BK1gsUNw8sX6mEEY496cs0T10RWzRZM/HvMIpj1W
+5i72yh6kc8ieSr9hGIkm/oM/gwrFeC11PZQKis1P/0O5j7Lv6S7u6Edrpy/+WziV
+Yk10eZXzHcFuVAh9+wQUeD3v4bMQA/mE8RPI9JX4Xkpbu1LOhtglEwFU1CWlG179
+B990cfr3cjJkTqS7qEfWuNh2lQd4iwpgqyPZB7Dd7tHT5EKEZSZ+4+w9Xo8xfy0v
+7pdfImVHZ1PGVEsRk6AZZqcVcCRrjbKfqqL0m9JmB8vV5L3oZL/mXhFkh52aRMeZ
+tzODNlBH0LW2TVVrBw3DJxFyRCRYjk4At8jagVe9fYM4ERkTQxqCFi0CAwEAAQ==
+-----END RSA PUBLIC KEY-----
diff --git a/playbooks.d/vpn-tinc/share/tinc-down-ifconfig b/playbooks.d/vpn-tinc/share/tinc-down-ifconfig
new file mode 100644
index 0000000..6563f07
--- /dev/null
+++ b/playbooks.d/vpn-tinc/share/tinc-down-ifconfig
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+ifconfig "$INTERFACE" down
diff --git a/playbooks.d/vpn-tinc/share/tinc-down-ip b/playbooks.d/vpn-tinc/share/tinc-down-ip
new file mode 100644
index 0000000..800ebb3
--- /dev/null
+++ b/playbooks.d/vpn-tinc/share/tinc-down-ip
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+ip link set "$INTERFACE" down
diff --git a/playbooks.d/vpn-tinc/share/tinc-up-ifconfig b/playbooks.d/vpn-tinc/share/tinc-up-ifconfig
new file mode 100644
index 0000000..66c897e
--- /dev/null
+++ b/playbooks.d/vpn-tinc/share/tinc-up-ifconfig
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+ifconfig "$INTERFACE" inet ${ip4} netmask 255.255.0.0
diff --git a/playbooks.d/vpn-tinc/share/tinc-up-ip b/playbooks.d/vpn-tinc/share/tinc-up-ip
new file mode 100644
index 0000000..191d310
--- /dev/null
+++ b/playbooks.d/vpn-tinc/share/tinc-up-ip
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+ip -4 addr add "${ip4}/16" dev "$INTERFACE"
+
+ip link set "$INTERFACE" up
diff --git a/playbooks.d/vpn-tinc/share/tinc.conf b/playbooks.d/vpn-tinc/share/tinc.conf
new file mode 100644
index 0000000..618a271
--- /dev/null
+++ b/playbooks.d/vpn-tinc/share/tinc.conf
@@ -0,0 +1,4 @@
+Name = ${name}
+
+ConnectTo = caeghi_tyil_net
+ConnectTo = gaeru_tyil_net
diff --git a/playbooks.d/vpn/description.txt b/playbooks.d/vpn/description.txt
deleted file mode 100644
index 0bad766..0000000
--- a/playbooks.d/vpn/description.txt
+++ /dev/null
@@ -1 +0,0 @@
-VPN through tinc
diff --git a/playbooks.d/vpn/etc/defaults b/playbooks.d/vpn/etc/defaults
deleted file mode 100644
index 3186527..0000000
--- a/playbooks.d/vpn/etc/defaults
+++ /dev/null
@@ -1,6 +0,0 @@
-app.tinc=tinc
-app.tincd=tincd
-
-pkg.tinc=tinc
-
-svc.tinc=tincd
diff --git a/playbooks.d/vpn/etc/os.d/linux-debian_gnu_linux b/playbooks.d/vpn/etc/os.d/linux-debian_gnu_linux
deleted file mode 100644
index 9a5da58..0000000
--- a/playbooks.d/vpn/etc/os.d/linux-debian_gnu_linux
+++ /dev/null
@@ -1 +0,0 @@
-svc.tinc=tinc@tyilnet
diff --git a/playbooks.d/vpn/playbook.bash b/playbooks.d/vpn/playbook.bash
deleted file mode 100644
index f9c8dd5..0000000
--- a/playbooks.d/vpn/playbook.bash
+++ /dev/null
@@ -1,123 +0,0 @@
-#!/usr/bin/env bash
-
-playbook_add()
-{
- local tinc="$(config "app.tinc")"
- local tincd="$(config "app.tincd")"
- local dir="$(config "fs.etcdir")/tinc/tyilnet"
- local name="$(tr "." "_" <<< "${BASHTARD_PLATFORM[fqdn]}")"
- local ipv4="$(config "vpn.ipv4")"
-
- if [[ -z "$ipv4" ]]
- then
- emerg "$BASHTARD_PLAYBOOK" "No IPv4 address set for ${BASHTARD_PLATFORM[fqdn]}"
- return 2
- fi
-
- case "${BASHTARD_PLATFORM[key]}" in
- freebsd) iptool=ifconfig ;;
- *) iptool=ip
- esac
-
- info "$BASHTARD_PLAYBOOK" "Installing tinc"
- pkg install "tinc"
-
- info "$BASHTARD_PLAYBOOK" "Creating tinc configuration at $dir"
- mkdir -pv -- \
- "$dir" \
- "$dir/hosts"
-
- file_template tinc.conf \
- "name=$name" \
- > "$dir/tinc.conf"
-
- file_template "tinc-up-$iptool" \
- "ip4=$(config "vpn.ipv4")" \
- > "$dir/tinc-up"
-
- file_template "tinc-down-$iptool" \
- "ip4=$(config "vpn.ipv4")" \
- > "$dir/tinc-down"
-
- file_template "host" \
- "ip4=$(config "vpn.ipv4")" \
- > "$dir/hosts/$name"
-
- chmod +x \
- "$dir/tinc-up" \
- "$dir/tinc-down"
-
- info "$BASHTARD_PLAYBOOK" "Generating private keys"
-
- case "$($tincd --version | awk '{ print $3 }' | head -n1)" in
- 1.0*)
- $tincd -n tyilnet -K4096
- ;;
- 1.1*|*)
- $tinc -n tyilnet generate-rsa-keys 4096
- $tinc -n tyilnet generate-ed25519-keys
- ;;
- esac
-
- info "$BASHTARD_PLAYBOOK" "Adding new host to Bashtard configs"
-
- cp -v -- \
- "$dir/hosts/$name" \
- "$BASHTARD_ETCDIR/playbooks.d/$BASHTARD_PLAYBOOK/share/hosts/$name"
-
- playbook_sync
-
- info "$BASHTARD_PLAYBOOK" "Enabling VPN service"
-
- case "${BASHTARD_PLATFORM[key]}" in
- freebsd)
- if ! grep -Fq 'tincd_cfg="tyilnet"' "/etc/rc.conf.d/tincd"
- then
- printf 'tincd_cfg="%s"\n' "tyilnet" >> "/etc/rc.conf.d/tincd"
- fi
- ;;
- linux-gentoo)
- if ! grep -Fq "NETWORK: tyilnet" /etc/conf.d/tinc.networks
- then
- printf "NETWORK: %s\n" "tyilnet" >> /etc/conf.d/tinc.networks
- fi
- ;;
- esac
-
- svc enable "tinc"
- svc start "tinc"
-}
-
-playbook_sync()
-{
- local dir="$(config "fs.etcdir")/tinc/tyilnet"
- local name="$(tr "." "_" <<< "${BASHTARD_PLATFORM[fqdn]}")"
- local host
-
- info "$BASHTARD_PLAYBOOK" "Regenerating tinc hosts"
- rm -fr -- "$dir/hosts"
- mkdir -p -- "$dir/hosts"
-
- for path in "$BASHTARD_ETCDIR/playbooks.d/$BASHTARD_PLAYBOOK/share/hosts"/*
- do
- host="$(basename "$path")"
-
- notice "$BASHTARD_PLAYBOOK" "Updating host $host"
- file_template "hosts/$host" \
- > "$dir/hosts/$host"
- done
-
- [[ "$BASHTARD_COMMAND" == "add" ]] && return
-
- svc reload "tinc"
-}
-
-playbook_del()
-{
- svc stop "tinc"
- svc disable "tinc"
-
- pkg uninstall "tinc"
-
- rm -frv -- "$(config "fs.etcdir")/tinc/tyilnet"
-}
diff --git a/playbooks.d/vpn/share/host b/playbooks.d/vpn/share/host
deleted file mode 100644
index c24d4ad..0000000
--- a/playbooks.d/vpn/share/host
+++ /dev/null
@@ -1,2 +0,0 @@
-Subnet = ${ip4}/32
-
diff --git a/playbooks.d/vpn/share/hosts/anoia_tyil_net b/playbooks.d/vpn/share/hosts/anoia_tyil_net
deleted file mode 100644
index 4856c95..0000000
--- a/playbooks.d/vpn/share/hosts/anoia_tyil_net
+++ /dev/null
@@ -1,16 +0,0 @@ -Subnet = 10.57.100.3/32 - ------BEGIN RSA PUBLIC KEY----- -MIICCgKCAgEAvcW/20fxgdGdNelD/eMwEpLChI03rvDbPHAp9en3cwlYaND40udO -VxjRXj0rE9IA4N0f+o8oJdmG+mzl5Dd3rKXVnBnRymKzpNJ2w+cILPm1sQa6IO85 -F+7Q5v7lb5yFuy3JVi+tg4nqL+xHSZL6w/oPX667bR90oBJEd7C+U7p7r8DXvyHq -cg9U1maDmZ0IzZtl6BxsjyfUr0o6xBtw+pCSIvOXW5xd4mfBPgvp+3nIcux6nek3 -VR6SJ85aXlYZxER23N13Vi3dGUJSIaBPN5MuS3IHBbAP/Feeyo8p4SCzl0AMfo/K -+ZGcheL/NX7EVGg4XcZNgFaTBpusScOfxiRlzAeImomiQwKIywXp1otCn6dKIDj0 -jj146Dodf2nHRbTQj7H/2zyiRDjY/tpis/xTVA5AJu+p5aaXBA/eSb4H1OKL5qYs -38/bUiUJTSbpWvC9WiHq/xi5GSs+3ehDara89yXXhunWLsqvSZOZacqeZQw8k+ip -pNcnXbbtS0zqNQie3OEKY9qqOGKzjUiYu8yWJ4eo370XzlQ9sUgGfKmwCcc2c2jX -Rrhjck+4DGeRA10oJpoxKArPaWrGWezIHJ49Jrc+xiTJ5EMVqOpuGvL5lrKn7g6y -qYk1u6x0We1nCkMNN2LxrmL6j3p6PKRbWg7bczqPO4uEyT/575Ih2ssCAwEAAQ== ------END RSA PUBLIC KEY----- -Ed25519PublicKey = 7jy41lK2S4BzhUVSAmULDSiZ9NQM4eQ0Geg2+F9pTpG diff --git a/playbooks.d/vpn/share/hosts/caeghi_tyil_net b/playbooks.d/vpn/share/hosts/caeghi_tyil_net deleted file mode 100644 index c5d5b05..0000000 --- a/playbooks.d/vpn/share/hosts/caeghi_tyil_net +++ /dev/null @@ -1,16 +0,0 @@ -Address = 116.202.102.33 -Subnet = 10.57.20.2/32 - ------BEGIN RSA PUBLIC KEY----- -MIICCgKCAgEA2abFKFB1Dr1YMcAIWcy/2+jJn+suPyiQjz6vgt476P9a/I7SUCta -P5QUPxvS9pZxFVTFKzpmdKxG1pbCAkhArtNg2R1VFEiYCxS+iey+F11pMPEZFVpC -EIXeVDQeBm9UXjrOpcTRIwEO7Q2J2lzRrhGm6Rpb6XbdmtQ3S8XgVsXYwWoV7muf -TE/d5fgtz8Hghti8w86FP9q61iH6AHCREwbHEUyat5hwznmbiNJHyjx+otI63sQo -FS37EazhqCEvt9jyvVSmB7kVTOLnIVATWDaUlPCLLvps09eRsz6aAa7RHCGd3x/W -mRHxDCbeKL4ilpo/FPZhANdQImLmFovOtwZ6xawRWKPcRXhkaL24qQC0MLH9wmnY -oM6EMioWUa0F11iFM99DTK+NF2Pk8vHNzm0Ep5g0SHzqnAIDDzeNTC9ogwsETqL5 -t7VY1GXuKWgta9L2q03X7FMEgjIc3lPgVLc0Ccx11MTgVzcIaLxFQ58oo+xFuc9I -rBqjZgJwg5MTdZiyZesLJuV+YP+yRat3LifAwIZhloSBVPU6YKx/y30BHjDM8FP1 -OM2IzJLrafZDy034XyD4s62YsKrHMcQ3CeoQ80QjvSyWvSlvn2vEqrbWIZADi0d/ -8vgl44gF9g9yN++G6S7BsTJ5PNgv0jrRFu/RpEN1hVOuo+nBqFsvxW8CAwEAAQ== ------END RSA PUBLIC KEY----- 
diff --git a/playbooks.d/vpn/share/hosts/edephas_tyil_net b/playbooks.d/vpn/share/hosts/edephas_tyil_net deleted file mode 100644 index 6e095bb..0000000 --- a/playbooks.d/vpn/share/hosts/edephas_tyil_net +++ /dev/null @@ -1,16 +0,0 @@ -Subnet = 10.57.100.7/32 - ------BEGIN RSA PUBLIC KEY----- -MIICCgKCAgEApxmzAXv4Mch5FP5AxHmpvHjkJGxcegbFzdFzHjhdLDJ9MQQZdM1p -PomhyYXB9Gsq4oJIOcjqJJdbp4dchYGJ++eS3V1wwstLMTl/+kWZ4ojI9sb/J5rl -a3gknTjipdUuoOpdkAkXKCbq9AXyFsvLr4Q6WaFpeTuIjNb2QgPOLUmcD1eNCdnn -KcHQAGR3zRh3uu8zMkaJZwQDZAdRLV6b77OLe7PXCsYgQ68qw3uti3JENv8VC80T -UxUmv8He7xgAqRCJbD3FH3WT2O63mK9jpnFj/BKDTm5k4hUDtZRY1O92JUqQAruw -gq3I8mhSqFMkvt+S67u950hRzN4/ZGs7lzxRkDqDqLy+ZISN2cDpbX1i4WmZFfex -zj7ZbmfsVzwSF/+K31AOQrODt79bGGFwjZgAVn9Cny/bysBxrOJy39D2Awioynpc -mjICtRP7utpo959YmSNsEcjfamIHVfUOTsEoIYhYASmWRjrSF6v7j2bbC+aFOWsf -yIRZc0EtH803/Ks++ieIDWFmhB0ydtkqFm8HK2eyqOqnlHTepmrDflkxfao3JTXP -CbldDpUGKBcLZ5FNaJ5hlQHnJGzU+wbnc133cdYtg9vvhFVgameme8ElcOjZZxMJ -fPWXMAWc2Szx3Hs/jlaTSIH2GoX1Rr2HdrrNg0qOG/qhLPNrtmrxH/sCAwEAAQ== ------END RSA PUBLIC KEY----- -Ed25519PublicKey = 4ABczlbBBLs5WMztIzafWw1ozwKZVkj4/of3Jc6awiO diff --git a/playbooks.d/vpn/share/hosts/gaeru_tyil_net b/playbooks.d/vpn/share/hosts/gaeru_tyil_net deleted file mode 100644 index eba305b..0000000 --- a/playbooks.d/vpn/share/hosts/gaeru_tyil_net +++ /dev/null 
@@ -1,16 +0,0 @@ -Address = 37.48.120.26 -Subnet = 10.57.20.6/32 - ------BEGIN RSA PUBLIC KEY----- -MIICCgKCAgEA9NUrWO0L8lqrfs4BgZsLdfJZPfKx+Fi8P4k79CIBuVfkQ4OzJmoV -ahupoOo5edjYLJK09epa9zFRc1DuaotYC7Wm9DdIF82WNZXN9x/Mvuq06WaKXBdj -iTJKbYfVN/yv8Xfjzfp4DH3txwsq+9AuICHJkHOmb0lsDinpfbmP8C8ozBnutrLM -XGaIzXzkV2NbunyjaiR7dho5+4P6wedck+IV63KRzepbX36OW9xImmEEpBPeMPzd -VOgWs35FIgnE5uumXXfIax9CA9wFahvMYUlQbxA6kCg9PTteM3C44udFx8DxzGcR -giKEbfxjcZ4pK9JG+LTxNZC2BK1gsUNw8sX6mEEY496cs0T10RWzRZM/HvMIpj1W -5i72yh6kc8ieSr9hGIkm/oM/gwrFeC11PZQKis1P/0O5j7Lv6S7u6Edrpy/+WziV -Yk10eZXzHcFuVAh9+wQUeD3v4bMQA/mE8RPI9JX4Xkpbu1LOhtglEwFU1CWlG179 -B990cfr3cjJkTqS7qEfWuNh2lQd4iwpgqyPZB7Dd7tHT5EKEZSZ+4+w9Xo8xfy0v -7pdfImVHZ1PGVEsRk6AZZqcVcCRrjbKfqqL0m9JmB8vV5L3oZL/mXhFkh52aRMeZ -tzODNlBH0LW2TVVrBw3DJxFyRCRYjk4At8jagVe9fYM4ERkTQxqCFi0CAwEAAQ== ------END RSA PUBLIC KEY----- diff --git a/playbooks.d/vpn/share/tinc-down-ifconfig b/playbooks.d/vpn/share/tinc-down-ifconfig deleted file mode 100644 index 6563f07..0000000 --- a/playbooks.d/vpn/share/tinc-down-ifconfig +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -ifconfig "$INTERFACE" down diff --git a/playbooks.d/vpn/share/tinc-down-ip b/playbooks.d/vpn/share/tinc-down-ip deleted file mode 100644 index 800ebb3..0000000 --- a/playbooks.d/vpn/share/tinc-down-ip +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -ip link set "$INTERFACE" down diff --git a/playbooks.d/vpn/share/tinc-up-ifconfig b/playbooks.d/vpn/share/tinc-up-ifconfig deleted file mode 100644 index 66c897e..0000000 --- a/playbooks.d/vpn/share/tinc-up-ifconfig +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -ifconfig "$INTERFACE" inet ${ip4} netmask 255.255.0.0 diff --git a/playbooks.d/vpn/share/tinc-up-ip b/playbooks.d/vpn/share/tinc-up-ip deleted file mode 100644 index 191d310..0000000 --- a/playbooks.d/vpn/share/tinc-up-ip +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/sh - -ip -4 addr add "${ip4}/16" dev "$INTERFACE" - -ip link set "$INTERFACE" up 
diff --git a/playbooks.d/vpn/share/tinc.conf b/playbooks.d/vpn/share/tinc.conf
deleted file mode 100644
index 618a271..0000000
--- a/playbooks.d/vpn/share/tinc.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-Name = ${name}
-
-ConnectTo = caeghi_tyil_net
-ConnectTo = gaeru_tyil_net
diff --git a/playbooks.d/webserver-nginx/description.txt b/playbooks.d/webserver-nginx/description.txt
new file mode 100644
index 0000000..d902a81
--- /dev/null
+++ b/playbooks.d/webserver-nginx/description.txt
@@ -0,0 +1 @@
+Nginx webserver configuration
diff --git a/playbooks.d/webserver-nginx/etc/defaults b/playbooks.d/webserver-nginx/etc/defaults
new file mode 100644
index 0000000..9ecd4ae
--- /dev/null
+++ b/playbooks.d/webserver-nginx/etc/defaults
@@ -0,0 +1,4 @@
+pkg.certbot=certbox
+pkg.nginx=nginx
+
+svc.nginx=nginx
diff --git a/playbooks.d/webserver-nginx/playbook.bash b/playbooks.d/webserver-nginx/playbook.bash
new file mode 100644
index 0000000..85c38be
--- /dev/null
+++ b/playbooks.d/webserver-nginx/playbook.bash
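Review bot: `pkg.certbot=certbox` in the new etc/defaults looks like a typo for `certbot`; if the framework resolves `pkg install` names through these `pkg.*` keys, the certbot package would be requested under a name that presumably does not exist. The visible `playbook_add` calls `pkg install certbot nginx` with literal names, so it is unclear from this diff whether the key is read at all. Either correct it to `pkg.certbot=certbot` or drop the unused key so the defaults file does not document a wrong package name.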
@@ -0,0 +1,107 @@
+#!/usr/bin/env bash
+
+playbook_add()
+{
+ info "webserver/add" "Installing packages"
+ pkg install certbot nginx
+
+ info "webserver/add" "Create www user"
+ groupadd www
+ useradd \
+ --home-dir /var/www \
+ --gid www \
+ --system \
+ --shell /sbin/nologin \
+ www
+
+ info "webserver/add" "Cleaning up whatever the package manager did"
+ rm -frv -- "$(config "fs.etcdir")/nginx"
+
+ info "webserver/add" "Creating desired directory structure"
+ mkdir -pv -- \
+ "$(config "fs.etcdir")/nginx" \
+ "$(config "fs.etcdir")/nginx/sites-available.d" \
+ "$(config "fs.etcdir")/nginx/sites-available.d/http" \
+ "$(config "fs.etcdir")/nginx/sites-available.d/https" \
+ "$(config "fs.etcdir")/nginx/sites-enabled.d" \
+ "$(config "fs.etcdir")/nginx/sites-enabled.d/http" \
+ "$(config "fs.etcdir")/nginx/sites-enabled.d/https" \
+ "$(config "fs.etcdir")/nginx/snippets.d" \
+ /var/www
+
+ info "webserver/add" "Generating dhparam.pem"
+ openssl dhparam -out "$(config "fs.etcdir")/nginx/dhparam.pem" 4096
+
+ info "webserver/add" "Running sync to get all configuration going"
+ playbook_sync
+
+ svc enable nginx
+ svc start nginx
+}
+
+playbook_sync()
+{
+ local snippets
+ local sites
+
+ notice "webserver/sync" "Updating nginx.conf"
+ file_template "nginx.conf" \
+ etc="$(config "fs.etcdir")" \
+ > "$(config "fs.etcdir")/nginx/nginx.conf"
+
+ notice "webserver/sync" "Updating mime.types"
+ file_template "mime.types" \
+ etc="$(config "fs.etcdir")" \
+ > "$(config "fs.etcdir")/nginx/mime.types"
+
+ notice "webserver/sync" "Updating cert.sh"
+ file_template "cert.sh" \
+ > "$(config "fs.bindir")/cert.sh" \
+ && chmod +x "$(config "fs.bindir")/cert.sh"
+
+ for path in "$BASHTARD_ETCDIR/playbooks.d/$BASHTARD_PLAYBOOK/share/snippets.d"/*.conf
+ do
+ snippet="$(basename "$path")"
+
+ notice "webserver/sync" "Updating snippet $snippet"
+ file_template "snippets.d/$snippet" \
+ > "$(config "fs.etcdir")/nginx/snippets.d/$snippet"
+ done
+
+ for path_dir in "$BASHTARD_ETCDIR/playbooks.d/$BASHTARD_PLAYBOOK/share/sites.d"/*
+ do
+ dir="$(basename "$path_dir")"
+
+ for path_site in "$path_dir"/*
+ do
+ site="$(basename "$path_site")"
+
+ notice "webserver/sync" "Updating site $dir/$site"
+ file_template "sites.d/$dir/$site" \
+ > "$(config "fs.etcdir")/nginx/sites-available.d/$dir/$site"
+ done
+ done
+
+ notice "webserver/sync" "Set nginx permissions to www user"
+ chown -R www:www "$(config "fs.etcdir")/nginx"
+
+ notice "webserver/sync" "Renewing Let's Encrypt certificates"
+ certbot renew --no-random-sleep-on-renew
+
+ [[ "$BASHTARD_COMMAND" == "add" ]] && return
+
+ svc reload nginx
+}
+
+playbook_del()
+{
+ # Stop and remove the service
+ svc stop nginx
+ svc disable nginx
+
+ # Clean up resources
+ pkg uninstall nginx
+ rm -fr -- /etc/nginx "$(config "fs.bindir")/cert.sh" /var/www/.acme
+ userdel www
+ groupdel www
+}
diff --git a/playbooks.d/webserver-nginx/share/cert.sh b/playbooks.d/webserver-nginx/share/cert.sh
new file mode 100755
index 0000000..d290710
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/cert.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+main()
+{
+ certbot certonly \
+ --rsa-key-size 4096 \
+ --webroot -w /var/www/.acme \
+ -d "$1"
+}
+
+main "$@"
diff --git a/playbooks.d/webserver-nginx/share/mime.types b/playbooks.d/webserver-nginx/share/mime.types
new file mode 100644
index 0000000..cd3d700
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/mime.types
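Review bot: `chown -R www:www "$(config "fs.etcdir")/nginx"` in playbook_sync hands the entire nginx configuration tree (dhparam.pem and every site file included) to the same unprivileged user the workers run as (`user www;` in nginx.conf), so a compromised worker could rewrite configuration that the root-owned master process re-reads on the next reload; keep the tree root-owned and merely readable by www, e.g. `chown -R root:www "$(config "fs.etcdir")/nginx" && chmod -R g+rX,o-rwx "$(config "fs.etcdir")/nginx"`. The `snippets.d/*.conf` and `sites.d/*` loops run without `shopt -s nullglob`, so an empty directory (this commit adds no `share/snippets.d`) makes the body execute once with the literal pattern and calls `file_template "snippets.d/*.conf"`. playbook_sync declares `local snippets` and `local sites` but then assigns `snippet`, `site`, `path`, `path_dir` and `dir` without `local`, leaking them into the caller's scope. playbook_del also removes a hardcoded `/etc/nginx` while playbook_add creates `$(config "fs.etcdir")/nginx`, so on a platform where `fs.etcdir` is not `/etc` the uninstall leaves the tree behind.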
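Review bot: `main` passes `-d "$1"` to certbot without checking that a domain was given, so running `cert.sh` with no argument requests a certificate for an empty name and fails with certbot's own error instead of a usage message; add `[ -n "$1" ] || { echo "usage: cert.sh <domain>" >&2; exit 1; }` as the first line of `main`. The webroot `/var/www/.acme` is also absent from playbook_add's `mkdir -pv` list (only `/var/www` is created) even though playbook_del removes it, so unless certbot creates that directory itself the first run fails; adding it to that list would be safer.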
@@ -0,0 +1,88 @@ +types { + text/html html htm shtml; + text/css css; + text/xml xml; + image/gif gif; + image/jpeg jpeg jpg; + application/javascript js; + application/atom+xml atom; + application/rss+xml rss; + + text/mathml mml; + text/plain txt; + text/vnd.sun.j2me.app-descriptor jad; + text/vnd.wap.wml wml; + text/x-component htc; + + image/png png; + image/tiff tif tiff; + image/vnd.wap.wbmp wbmp; + image/x-icon ico; + image/x-jng jng; + image/x-ms-bmp bmp; + image/svg+xml svg svgz; + image/webp webp; + + application/font-woff woff; + application/java-archive jar war ear; + application/json json; + application/mac-binhex40 hqx; + application/msword doc; + application/pdf pdf; + application/postscript ps eps ai; + application/rtf rtf; + application/vnd.apple.mpegurl m3u8; + application/vnd.ms-excel xls; + application/vnd.ms-fontobject eot; + application/vnd.ms-powerpoint ppt; + application/vnd.wap.wmlc wmlc; + application/vnd.google-earth.kml+xml kml; + application/vnd.google-earth.kmz kmz; + application/x-7z-compressed 7z; + application/x-cocoa cco; + application/x-java-archive-diff jardiff; + application/x-java-jnlp-file jnlp; + application/x-makeself run; + application/x-perl pl pm; + application/x-pilot prc pdb; + application/x-rar-compressed rar; + application/x-redhat-package-manager rpm; + application/x-sea sea; + application/x-shockwave-flash swf; + application/x-stuffit sit; + application/x-tcl tcl tk; + application/x-x509-ca-cert der pem crt; + application/x-xpinstall xpi; + application/xhtml+xml xhtml; + application/xspf+xml xspf; + application/zip zip; + + application/octet-stream bin exe dll; + application/octet-stream deb; + application/octet-stream dmg; + application/octet-stream iso img; + application/octet-stream msi msp msm; + + application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; + application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; + 
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; + + audio/midi mid midi kar; + audio/mpeg mp3; + audio/ogg ogg; + audio/x-m4a m4a; + audio/x-realaudio ra; + + video/3gpp 3gpp 3gp; + video/mp2t ts; + video/mp4 mp4; + video/mpeg mpeg mpg; + video/quicktime mov; + video/webm webm; + video/x-flv flv; + video/x-m4v m4v; + video/x-mng mng; + video/x-ms-asf asx asf; + video/x-ms-wmv wmv; + video/x-msvideo avi; +} diff --git a/playbooks.d/webserver-nginx/share/nginx.conf b/playbooks.d/webserver-nginx/share/nginx.conf new file mode 100644 index 0000000..834f220 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/nginx.conf @@ -0,0 +1,23 @@ +user www; +worker_processes auto; +pid /run/nginx.pid; + +events { + worker_connections 768; +} + +http { + include ${etc}/nginx/mime.types; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + default_type application/octet-stream; + gzip on; + sendfile on; + tcp_nopush on; + types_hash_max_size 2048; + + include ${etc}/nginx/sites-enabled.d/http/*; + include ${etc}/nginx/sites-enabled.d/https/*; +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/_ b/playbooks.d/webserver-nginx/share/sites.d/http/_ new file mode 100644 index 0000000..6207cb2 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/_ @@ -0,0 +1,10 @@ +server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name _; + + location / { + return 404; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/church.scriptkitties b/playbooks.d/webserver-nginx/share/sites.d/http/church.scriptkitties new file mode 100644 index 0000000..0af0235 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/church.scriptkitties 
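Review bot: the `http` block sets no `server_tokens off;`, so nginx announces its version in the `Server` header and on error pages by default; add it next to `default_type application/octet-stream;`. nginx.conf includes `${etc}/nginx/sites-enabled.d/http/*` and `.../https/*`, but playbook_sync only writes into `sites-available.d` and nothing in this commit links or copies files into `sites-enabled.d`, so after a fresh `add` no site is served until that is done by hand; if that is intended, a comment in playbook_sync saying so would help the next maintainer.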
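Review bot: the catch-all `_` server only covers port 80; there is no `default_server` on 443, so a TLS request whose SNI or Host matches none of the https sites is answered by whichever https server block nginx loads first from `sites-enabled.d/https/*`, presenting that site's certificate and content. A companion https catch-all with `listen 443 ssl default_server;` and `ssl_reject_handshake on;` (available since nginx 1.19.4), or a self-signed placeholder certificate returning 404, would make the behaviour explicit.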
@@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name scriptkitties.church; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/com.voidfire b/playbooks.d/webserver-nginx/share/sites.d/http/com.voidfire new file mode 100644 index 0000000..3fa9728 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/com.voidfire @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name voidfire.com; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/net.tyil b/playbooks.d/webserver-nginx/share/sites.d/http/net.tyil new file mode 100644 index 0000000..31cca7e --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/net.tyil @@ -0,0 +1,12 @@ +server { + listen 80; + listen [::]:80; + + server_name tyil.net; + + include /etc/nginx/snippets.d/certbot.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.fglt b/playbooks.d/webserver-nginx/share/sites.d/http/nl.fglt new file mode 100644 index 0000000..4d80a62 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.fglt @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name fglt.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil new file mode 100644 index 0000000..b2c93db --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil 
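Review bot: the http redirect sites added in this commit (`church.scriptkitties` through `work.tyil`, across the following hunks) are identical apart from `server_name`, and `net.tyil`, `nl.tyil.cloud` and `nl.tyil.tv` additionally omit `headers.conf` with no comment saying why; a single template or shared snippet would keep them consistent. They also include `/etc/nginx/snippets.d/...` with a hardcoded path, whereas nginx.conf uses the `${etc}` template variable for the same directory; assuming file_template substitutes `${...}` placeholders in these files as it does for nginx.conf, `include ${etc}/nginx/snippets.d/certbot.conf;` would keep the playbook working when `fs.etcdir` is not `/etc`.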
@@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt new file mode 100644 index 0000000..ecdfbe8 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name alt.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.imgur b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.imgur new file mode 100644 index 0000000..4ae2082 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.imgur @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name imgur.alt.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.reddit b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.reddit new file mode 100644 index 0000000..b1ba239 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.reddit @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name reddit.alt.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.twitter b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.twitter new file mode 100644 index 0000000..4d537c4 
--- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.alt.twitter @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name twitter.alt.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.cloud b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.cloud new file mode 100644 index 0000000..7c3e941 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.cloud @@ -0,0 +1,12 @@ +server { + listen 80; + listen [::]:80; + + server_name cloud.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.dist b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.dist new file mode 100644 index 0000000..19bb5fc --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.dist @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name dist.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.git b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.git new file mode 100644 index 0000000..92ce73e --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.git @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name git.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.home b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.home new file mode 100644 index 0000000..70eeff7 
--- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.home @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name home.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.homebrew b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.homebrew new file mode 100644 index 0000000..5a87074 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.homebrew @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name homebrew.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.p b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.p new file mode 100644 index 0000000..8d71cf8 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.p @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name p.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.radio b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.radio new file mode 100644 index 0000000..e7adfaf --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.radio @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name radio.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} 
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.searx b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.searx new file mode 100644 index 0000000..3ee75d4 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.searx @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name searx.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.tv b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.tv new file mode 100644 index 0000000..9179cc9 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.tv @@ -0,0 +1,12 @@ +server { + listen 80; + listen [::]:80; + + server_name tv.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.www b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.www new file mode 100644 index 0000000..6370823 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/nl.tyil.www @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name www.tyil.nl; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/pictures.memebooru b/playbooks.d/webserver-nginx/share/sites.d/http/pictures.memebooru new file mode 100644 index 0000000..0aae163 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/pictures.memebooru @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name memebooru.pictures; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} 
diff --git a/playbooks.d/webserver-nginx/share/sites.d/http/work.tyil b/playbooks.d/webserver-nginx/share/sites.d/http/work.tyil new file mode 100644 index 0000000..7b09142 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/http/work.tyil @@ -0,0 +1,13 @@ +server { + listen 80; + listen [::]:80; + + server_name tyil.work; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/church.scriptkitties b/playbooks.d/webserver-nginx/share/sites.d/https/church.scriptkitties new file mode 100644 index 0000000..de07ad6 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/https/church.scriptkitties 
@@ -0,0 +1,62 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name scriptkitties.church; + + ssl_certificate /etc/letsencrypt/live/scriptkitties.church/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/scriptkitties.church/privkey.pem; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/ssl.conf; + include mime.types; + + root /var/www/church.scriptkitties; + index index.php; + + autoindex off; + fastcgi_param HTTPS on; + client_max_body_size 10m; + client_body_buffer_size 128k; + + location / { + try_files $uri /index.php?pagename=$uri&$args; + } + + location ^~ /.well-known/ { + allow all; + rewrite ^ /index.php?pagename=$uri; + } + + location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ { + expires 30d; + try_files $uri /index.php?pagename=$uri&$args; + } + + location ~* \.php$ { + try_files $uri =404; + + fastcgi_split_path_info ^(.+\.php)(/.+)$; + + fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; + + include /etc/nginx/snippets.d/fcgi.conf; + fastcgi_index index.php; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + + fastcgi_buffers 16 16k; + fastcgi_buffer_size 32k; + } + + location ~* \.(tpl|md|tgz|log|out)$ { + deny all; + } + + location ~ /\. { + deny all; + } + + location ^~ /bin { + deny all; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/com.voidfire b/playbooks.d/webserver-nginx/share/sites.d/https/com.voidfire new file mode 100644 index 0000000..4021ca0 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/https/com.voidfire 
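Review bot: `fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;` pins the PHP-FPM version into the site file, so the site starts returning 502 after a PHP upgrade; consider moving the socket path into the shared `fcgi.conf` snippet or a template variable. `include mime.types;` is a relative include resolved against nginx's prefix directory while nginx.conf already includes `${etc}/nginx/mime.types` at `http` level, so the line is redundant and may point at a file that does not exist; the `nl.tyil.cloud` site has the same relative-path pattern with `include snippets.d/fcgi.conf;` where every other site uses the absolute `/etc/nginx/snippets.d/` path.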
@@ -0,0 +1,19 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name voidfire.com;
+
+ ssl_certificate /etc/letsencrypt/live/voidfire.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/voidfire.com/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ root /var/www/com.voidfire;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/net.tyil b/playbooks.d/webserver-nginx/share/sites.d/https/net.tyil
new file mode 100644
index 0000000..89fe78e
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/net.tyil
@@ -0,0 +1,28 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name tyil.net;
+
+ ssl_certificate /etc/letsencrypt/live/tyil.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tyil.net/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ auth_basic "Bad hacker!";
+ auth_basic_user_file /var/www/net.tyil/htaccess;
+
+ location /grafana/ {
+ proxy_pass http://127.0.0.1:35300/;
+ }
+
+ location /plausible/ {
+ proxy_pass http://127.0.0.1:8796/;
+ }
+
+ location /prometheus/ {
+ proxy_pass http://127.0.0.1:9090/;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.fglt b/playbooks.d/webserver-nginx/share/sites.d/https/nl.fglt
new file mode 100644
index 0000000..e52b6dc
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.fglt
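Review bot: `auth_basic_user_file /var/www/net.tyil/htaccess;` keeps the credential file inside `/var/www`, the tree that `useradd --home-dir /var/www` assigns to the `www` user and that the other sites use as document roots; keeping it under the nginx configuration directory, root-owned and group-readable by www, keeps it out of every web root. The three `proxy_pass` locations also set no `proxy_set_header` lines, unlike the `nl.tyil.alt.*` proxies which forward `Host` and `X-Forwarded-For`, so Grafana, Plausible and Prometheus log the proxy as the client and see `127.0.0.1` as the requested host; adding the same two headers (plus `X-Forwarded-Proto $scheme`) here would keep the sites consistent.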
@@ -0,0 +1,22 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name fglt.nl; + + ssl_certificate /etc/letsencrypt/live/fglt.nl/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/fglt.nl/privkey.pem; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + include /etc/nginx/snippets.d/ssl.conf; + + access_log /var/log/nginx/nl.fglt-access.log; + error_log /var/log/nginx/nl.fglt-error.log; + + root /var/www/nl.fglt; + + location / { + try_files $uri $uri/ =404; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil new file mode 100644 index 0000000..f80c4b6 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil @@ -0,0 +1,24 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name tyil.nl; + + ssl_certificate /etc/letsencrypt/live/tyil.nl/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/tyil.nl/privkey.pem; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + include /etc/nginx/snippets.d/ssl.conf; + + location ~ ^/.well-known/openpgpkey(.+)$ { + add_header Access-Control-Allow-Origin *; + + root /var/wkd/nl.tyil; + try_files $1 =404; + } + + location / { + return 301 https://www.tyil.nl$request_uri; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt new file mode 100644 index 0000000..f3232c3 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt 
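Review bot: in the `nl.tyil` site, `add_header Access-Control-Allow-Origin *;` inside `location ~ ^/.well-known/openpgpkey(.+)$` replaces rather than extends the `add_header` directives inherited from `headers.conf`, because nginx only inherits `add_header` from the enclosing level when the current level defines none; whatever security headers that snippet sets are therefore absent on WKD responses. If that is not intended, repeat the needed headers inside the location or move the CORS header into the snippet. The unescaped dot in `^/.well-known` is harmless but `^/\.well-known` matches the intent, as the `nl.tyil.cloud` site already writes it.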
@@ -0,0 +1,17 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name alt.tyil.nl; + + ssl_certificate /etc/letsencrypt/live/alt.tyil.nl/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/alt.tyil.nl/privkey.pem; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + include /etc/nginx/snippets.d/ssl.conf; + + location = / { + return 301 https://www.tyil.nl/services; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.imgur b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.imgur new file mode 100644 index 0000000..c0435f4 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.imgur @@ -0,0 +1,20 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name imgur.alt.tyil.nl; + + ssl_certificate /etc/letsencrypt/live/imgur.alt.tyil.nl/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/imgur.alt.tyil.nl/privkey.pem; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + include /etc/nginx/snippets.d/ssl.conf; + + location / { + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + + proxy_pass http://127.0.0.1:40648; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.reddit b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.reddit new file mode 100644 index 0000000..a064c44 --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.reddit 
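Review bot: `location = /` is the only location in the `alt.tyil.nl` server, so any other path (`/services`, `/robots.txt`) falls through to nginx's implicit root and is served from the compiled-in `html` directory under the prefix, returning a default page or 404 from a location the playbook does not manage. A `location / { return 404; }` (or redirecting everything to `https://www.tyil.nl/services`) would make the behaviour explicit.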
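Review bot: the proxies for `imgur.alt.tyil.nl`, `reddit.alt.tyil.nl` and `twitter.alt.tyil.nl` (the latter two in the following hunks) forward `Host` and `X-Forwarded-For` but not the scheme, so the upstream sees a plain-http request and may emit `http://` absolute URLs or set cookies without the `Secure` flag; add `proxy_set_header X-Forwarded-Proto $scheme;` next to the existing two lines. `X-Forwarded-For $remote_addr` also discards any existing chain; `$proxy_add_x_forwarded_for` is the usual value, though with nginx as the only front proxy the two are equivalent.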
@@ -0,0 +1,20 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name reddit.alt.tyil.nl; + + ssl_certificate /etc/letsencrypt/live/reddit.alt.tyil.nl/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/reddit.alt.tyil.nl/privkey.pem; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + include /etc/nginx/snippets.d/ssl.conf; + + location / { + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + + proxy_pass http://127.0.0.1:43559; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.twitter b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.twitter new file mode 100644 index 0000000..52ebf0f --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.alt.twitter @@ -0,0 +1,20 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name twitter.alt.tyil.nl; + + ssl_certificate /etc/letsencrypt/live/twitter.alt.tyil.nl/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/twitter.alt.tyil.nl/privkey.pem; + + include /etc/nginx/snippets.d/certbot.conf; + include /etc/nginx/snippets.d/headers.conf; + include /etc/nginx/snippets.d/ssl.conf; + + location / { + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + + proxy_pass http://127.0.0.1:25989; + } +} diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.cloud b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.cloud new file mode 100644 index 0000000..c4a86cb --- /dev/null +++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.cloud 
@@ -0,0 +1,137 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name cloud.tyil.nl;
+
+ error_log /var/log/nginx/cloud-error.log;
+ access_log /var/log/nginx/cloud-access.log;
+
+ ssl_certificate /etc/letsencrypt/live/cloud.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/cloud.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/ssl.conf;
+ include /etc/nginx/snippets.d/certbot.conf;
+
+ # Set timeouts
+ fastcgi_read_timeout 300;
+ proxy_read_timeout 300;
+
+ # Set upload size
+ client_max_body_size 200M;
+ fastcgi_buffers 64 4K;
+
+ # Add (security) headers
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ add_header Referrer-Policy "no-referrer";
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # Remove headers
+ fastcgi_hide_header X-Powered-By;
+
+ # Enable gzip
+ gzip off;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/ld+json
+ application/manifest+json
+ application/rss+xml
+ application/vnd.geo+json
+ application/vnd.ms-fontobject
+ application/x-font-ttf
+ application/x-web-app-manifest+json
+ application/xhtml+xml
+ application/xml
+ font/opentype
+ image/bmp
+ image/svg+xml
+ image/x-icon
+ text/cache-manifest
+ text/css
+ text/plain
+ text/vcard
+ text/vnd.rim.location.xloc
+ text/vtt
+ text/x-component
+ text/x-cross-domain-policy
+ ;
+
+ root /var/www/nl.tyil.cloud;
+
+ location / {
+ rewrite ^ /index.php?$request_uri;
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ location ^~ /.well-known {
+ rewrite ^/\.well-known/host-meta.json 
/public.php?service=host-meta.json last;
+ rewrite ^/\.well-known/host-meta /public.php?service=host-meta last;
+ rewrite ^/\.well-known/webfinger /public.php?service=webfinger last;
+ rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last;
+
+ location = /.well-known/carddav { return 301 /remote.php/dav/; }
+ location = /.well-known/caldav { return 301 /remote.php/dav/; }
+
+ #location ^~ /.well-known { return 301 /index.php$uri; }
+
+ try_files $uri $uri/ =404;
+ }
+
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+ deny all;
+ }
+
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+ deny all;
+ }
+
+ location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ include snippets.d/fcgi.conf;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param HTTPS on;
+ fastcgi_param modHeadersAvailable true;
+ fastcgi_param front_controller_active true;
+ fastcgi_pass localhost:9000;
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ }
+
+ location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+ try_files $uri/ =404;
+ index index.php;
+ }
+
+ location ~ \.(?:css|js|woff|svg|gif)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463";
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Robots-Tag none;
+ add_header X-Download-Options noopen;
+ add_header X-Permitted-Cross-Domain-Policies none;
+ access_log off;
+ }
+
+ location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+ try_files $uri /index.php$request_uri;
+ access_log off;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.dist b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.dist
new file mode 100644
index 0000000..79f8a3c
--- /dev/null
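Review bot: The `add_header` set inside `location ~ \.(?:css|js|woff|svg|gif)$` replaces the server-level set rather than extending it: nginx inherits `add_header` from the enclosing level only when the current level declares none, so static-asset responses lose `Referrer-Policy`, `X-Frame-Options` and `Strict-Transport-Security` (both the copy declared in this server block and the one from ssl.conf). Either repeat those three in the location or move the shared headers into a snippet that both levels include. Separately, `gzip off;` sits under the comment `# Enable gzip` while the gzip_* lines that follow are tuned as if compression were on; if disabling it on this authenticated host is deliberate, say so in the comment (`# gzip disabled on purpose; the tuning below only applies if it is re-enabled`), otherwise it reads as a leftover. The server block also declares `Strict-Transport-Security` while already including ssl.conf, which emits the same header, so responses carry it twice.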
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.dist
@@ -0,0 +1,16 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name dist.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/dist.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/dist.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ root /var/www/nl.tyil.dist;
+ autoindex on;
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.git b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.git
new file mode 100644
index 0000000..65d1bb9
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.git
@@ -0,0 +1,30 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name git.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/git.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/git.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ root /usr/share/webapps/cgit/1.2.3-r100/htdocs;
+
+ location / {
+ try_files $uri @cgit;
+ }
+
+ location @cgit {
+ include snippets.d/uwsgi.conf;
+
+ gzip off;
+
+ uwsgi_modifier1 9;
+ #uwsgi_param PATH_INFO $fastcgi_path_info;
+
+ uwsgi_pass 127.0.0.1:1234;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.home b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.home
new file mode 100644
index 0000000..9683ccd
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.home
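Review bot: `root /usr/share/webapps/cgit/1.2.3-r100/htdocs;` in the git.tyil.nl block pins the document root to one package version, so a cgit upgrade silently breaks static-asset serving (and `try_files $uri @cgit` then routes every asset request to uwsgi) until this file is hand-edited. Pointing `root` at a version-independent path, such as a symlink maintained by the package or the playbook, removes the coupling. The commented-out `#uwsgi_param PATH_INFO $fastcgi_path_info;` is dead configuration and can go, since the included uwsgi.conf already sets `PATH_INFO`.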
@@ -0,0 +1,52 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name home.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/home.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/home.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ location / {
+ return 301 https://www.tyil.nl$request_uri;
+ }
+
+ location ~ ^/~(.+?)(/.*)?$ {
+ alias /home/$1/www$2;
+ autoindex on;
+ }
+
+ location /git {
+ rewrite ^/git/(.*)$ https://git.tyil.nl/$1 redirect;
+ }
+
+ location /media {
+ alias /var/media;
+
+ satisfy any;
+
+ allow 127.0.0.1;
+ allow 10.57.0.0/16;
+ allow 192.168.178.0/24;
+ deny all;
+
+ auth_basic "pls no hack";
+ auth_basic_user_file "/var/media/.htpasswd";
+
+ autoindex on;
+ }
+
+ location /media/backups { deny all; }
+ location /media/nextcloud { deny all; }
+ location /media/pictures { deny all; }
+ location /media/recordings { deny all; }
+
+ location /packages {
+ alias /var/portage/packages;
+ autoindex on;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.homebrew b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.homebrew
new file mode 100644
index 0000000..2b8de15
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.homebrew
@@ -0,0 +1,19 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name homebrew.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/homebrew.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/homebrew.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ root /var/www/nl.tyil.homebrew;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
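Review bot: `auth_basic_user_file "/var/media/.htpasswd"` lives inside the directory that `location /media` aliases and lists with `autoindex on`, so the credential file is itself served as `/media/.htpasswd` to any client that passes the allow list or the basic auth, and the listing advertises it. Move the file outside the served tree, or add `location ~ /\.ht { deny all; }` to this server block so nginx never serves it. The per-user `location ~ ^/~(.+?)(/.*)?$` capture is unrestricted; constraining it to a username pattern such as `^/~([A-Za-z0-9_-]+)(/.*)?$` keeps the `alias` result anchored under `/home` regardless of what the client sends.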
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.p b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.p
new file mode 100644
index 0000000..75c0e7a
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.p
@@ -0,0 +1,27 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name p.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/p.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/p.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ root /var/www/nl.tyil.p;
+
+ location = / {
+ return 301 https://www.tyil.nl/services/fiche/;
+ }
+
+ location ~ ^/(?.+)$ {
+ # Disassociate all filetypes and their Content-Type, and
+ # default everything to text/plain.
+ types { } default_type text/plain;
+
+ alias "/var/www/nl.tyil.p/${slug}/index.txt";
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.radio b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.radio
new file mode 100644
index 0000000..7098fc5
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.radio
@@ -0,0 +1,17 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name radio.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/radio.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/radio.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ location / {
+ proxy_pass http://127.0.0.1:8092/mpd.opus;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.searx b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.searx
new file mode 100644
index 0000000..bf461cf
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.searx
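Review bot: As rendered here the p.tyil.nl regex reads `location ~ ^/(?.+)$`, which is not valid PCRE and would not define the `$slug` that the `alias` below it uses; presumably the named group `(?<slug>.+)` lost its angle brackets in rendering, but confirm the committed file, since nginx refuses to start on a bad regex. While there, `.+` accepts any character including `/`, so the group should be limited to what a paste id can actually contain, e.g. `^/(?<slug>[A-Za-z0-9_-]+)$`, and anything else should fall through to a 404 instead of being mapped under `/var/www/nl.tyil.p`.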
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name searx.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/searx.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/searx.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ root /var/docker-compose/searx;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Scheme $scheme;
+
+ proxy_pass http://127.0.0.1:60474;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.tv b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.tv
new file mode 100644
index 0000000..093d938
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.tv
@@ -0,0 +1,19 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name tv.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/tv.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tv.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/ssl.conf;
+ include /etc/nginx/snippets.d/certbot.conf;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $remote_addr;
+
+ proxy_pass http://127.0.0.1:8096;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.www b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.www
new file mode 100644
index 0000000..3304c8f
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/nl.tyil.www
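Review bot: `root /var/docker-compose/searx;` points the document root at the compose directory, which is where env files and mounted secrets for the container usually live; nothing serves from `root` today because `location /` proxies everything, but the moment that location is changed or removed nginx will start serving that directory. Drop the `root` line or point it at an empty directory. `X-Forwarded-For $proxy_add_x_forwarded_for` also differs from the other proxied vhosts, which pass `$remote_addr`; if the upstream reads the first address in that header for rate limiting or logging, a client can pre-populate it, so `$remote_addr` is the safer choice at the edge.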
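Review bot: The tv.tyil.nl block includes ssl.conf and certbot.conf but, unlike the other proxied hosts, omits headers.conf, so its responses carry none of `Content-Security-Policy`, `Referrer-Policy`, `X-Content-Type-Options` or `X-Frame-Options`. If that is deliberate because the upstream sets its own policy, a one-line comment (`# headers.conf intentionally omitted: upstream sends its own CSP`) stops the next reader from "fixing" it; otherwise add the include.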
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name www.tyil.nl;
+
+ ssl_certificate /etc/letsencrypt/live/www.tyil.nl/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/www.tyil.nl/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ root /var/www/nl.tyil.www/public;
+
+ error_page 404 /http-404.html;
+
+ location /atom.xml {
+ return 301 https://www.tyil.nl/posts/index.xml;
+ }
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/pictures.memebooru b/playbooks.d/webserver-nginx/share/sites.d/https/pictures.memebooru
new file mode 100644
index 0000000..9d524ef
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/pictures.memebooru
@@ -0,0 +1,28 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name memebooru.pictures;
+
+ ssl_certificate /etc/letsencrypt/live/memebooru.pictures/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/memebooru.pictures/privkey.pem;
+
+ include /etc/nginx/snippets.d/ssl.conf;
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+
+ client_max_body_size 100M;
+ client_body_timeout 30s;
+
+ location / {
+ proxy_pass http://127.0.0.1:50405;
+ proxy_set_header Host $http_host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Script-Name /szuru;
+ }
+}
diff --git a/playbooks.d/webserver-nginx/share/sites.d/https/work.tyil b/playbooks.d/webserver-nginx/share/sites.d/https/work.tyil
new file mode 100644
index 0000000..d5a5dd9
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/sites.d/https/work.tyil
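Review bot: In the memebooru.pictures block `proxy_set_header Connection "upgrade";` is sent unconditionally, so every ordinary request reaches the upstream with `Connection: upgrade` and an empty `Upgrade` header, which some servers reject or mishandle. The usual pattern is an http-level `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` and `proxy_set_header Connection $connection_upgrade;` here, so the upgrade is only requested when the client asked for one. Note also that WebSocket proxying needs `proxy_http_version 1.1;`, which this block does not set.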
@@ -0,0 +1,15 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name tyil.work;
+
+ ssl_certificate /etc/letsencrypt/live/tyil.work/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/tyil.work/privkey.pem;
+
+ include /etc/nginx/snippets.d/certbot.conf;
+ include /etc/nginx/snippets.d/headers.conf;
+ include /etc/nginx/snippets.d/ssl.conf;
+
+ return 301 https://www.tyil.nl$request_uri;
+}
diff --git a/playbooks.d/webserver-nginx/share/snippets.d/certbot.conf b/playbooks.d/webserver-nginx/share/snippets.d/certbot.conf
new file mode 100644
index 0000000..64c9195
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/snippets.d/certbot.conf
@@ -0,0 +1,5 @@
+# Certbot endpoint
+location /.well-known/acme-challenge {
+ root /var/www/.acme;
+ try_files $uri $uri/ =404;
+}
diff --git a/playbooks.d/webserver-nginx/share/snippets.d/fcgi.conf b/playbooks.d/webserver-nginx/share/snippets.d/fcgi.conf
new file mode 100644
index 0000000..bc235bf
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/snippets.d/fcgi.conf
@@ -0,0 +1,27 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+
+# httpoxy mitigation (https://httpoxy.org/ https://www.nginx.com/blog/?p=41962)
+fastcgi_param HTTP_PROXY "";
diff --git a/playbooks.d/webserver-nginx/share/snippets.d/headers.conf b/playbooks.d/webserver-nginx/share/snippets.d/headers.conf
new file mode 100644
index 0000000..c277e3d
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/snippets.d/headers.conf
@@ -0,0 +1,4 @@
+add_header Content-Security-Policy "default-src 'self'" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
diff --git a/playbooks.d/webserver-nginx/share/snippets.d/ssl.conf b/playbooks.d/webserver-nginx/share/snippets.d/ssl.conf
new file mode 100644
index 0000000..68bcdf0
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/snippets.d/ssl.conf
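Review bot: In headers.conf, `add_header Content-Security-Policy "default-src 'self'" always;` is appended to every response of every vhost that includes the snippet, including the reverse-proxied applications; `add_header` adds a field rather than replacing one, so when an upstream already emits its own CSP the browser receives two policies and enforces both, i.e. their intersection. Either strip the upstream header first (`proxy_hide_header Content-Security-Policy;` in those proxy locations) or keep the CSP out of the shared snippet and set it per host. A header comment noting that any location declaring its own `add_header` stops inheriting these four (as the cloud vhost's asset location does) would save the next reader a surprise.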
@@ -0,0 +1,16 @@
+# SSL settings
+ssl_protocols TLSv1.3 TLSv1.2;
+
+ssl_buffer_size 4K;
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_ecdh_curve secp521r1:secp384r1;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:le_nginx_SSL:2m;
+ssl_session_tickets off;
+ssl_session_timeout 1440m;
+
+# Ciphers
+ssl_ciphers 'EECDH+AESGCM:EECDH+AES256:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA';
+
+# Additional headers
+add_header Strict-Transport-Security "max-age=63072000" always;
diff --git a/playbooks.d/webserver-nginx/share/snippets.d/uwsgi.conf b/playbooks.d/webserver-nginx/share/snippets.d/uwsgi.conf
new file mode 100644
index 0000000..9d67d3d
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/snippets.d/uwsgi.conf
@@ -0,0 +1,20 @@
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
+
+# httpoxy mitigation (https://httpoxy.org/ https://www.nginx.com/blog/?p=41962)
+uwsgi_param HTTP_PROXY "";
diff --git a/playbooks.d/webserver/description.txt b/playbooks.d/webserver/description.txt
deleted file mode 100644
index d902a81..0000000
--- a/playbooks.d/webserver/description.txt
+++ /dev/null
@@ -1 +0,0 @@
-Nginx webserver configuration
diff --git a/playbooks.d/webserver/etc/defaults b/playbooks.d/webserver/etc/defaults
deleted file mode 100644
index 9ecd4ae..0000000
--- a/playbooks.d/webserver/etc/defaults
+++ /dev/null
@@ -1,4 +0,0 @@
-pkg.certbot=certbox
-pkg.nginx=nginx
-
-svc.nginx=nginx
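Review bot: `ssl_dhparam /etc/nginx/dhparam.pem;` in ssl.conf has no effect with the list on the `ssl_ciphers` line: `EECDH+AESGCM:EECDH+AES256` offers only ECDHE key exchange, and `ssl_dhparam` is consulted only for DHE suites, so the directive (and the 4096-bit `openssl dhparam` step the playbook runs for it) can be dropped, or a DHE group added if that was the intent. `ssl_ecdh_curve secp521r1:secp384r1;` leaves out X25519, the curve most current clients prefer and the cheapest to compute; `ssl_ecdh_curve X25519:secp384r1;` is the usual choice. The HSTS header omits `includeSubDomains`, which may be deliberate given the mix of hosts under tyil.nl — a short comment stating that would stop it being read as an oversight.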
diff --git a/playbooks.d/webserver/playbook.bash b/playbooks.d/webserver/playbook.bash deleted file mode 100644 index 85c38be..0000000 --- a/playbooks.d/webserver/playbook.bash +++ /dev/null 
@@ -1,107 +0,0 @@ -#!/usr/bin/env bash - -playbook_add() -{ - info "webserver/add" "Installing packages" - pkg install certbot nginx - - info "webserver/add" "Create www user" - groupadd www - useradd \ - --home-dir /var/www \ - --gid www \ - --system \ - --shell /sbin/nologin \ - www - - info "webserver/add" "Cleaning up whatever the package manager did" - rm -frv -- "$(config "fs.etcdir")/nginx" - - info "webserver/add" "Creating desired directory structure" - mkdir -pv -- \ - "$(config "fs.etcdir")/nginx" \ - "$(config "fs.etcdir")/nginx/sites-available.d" \ - "$(config "fs.etcdir")/nginx/sites-available.d/http" \ - "$(config "fs.etcdir")/nginx/sites-available.d/https" \ - "$(config "fs.etcdir")/nginx/sites-enabled.d" \ - "$(config "fs.etcdir")/nginx/sites-enabled.d/http" \ - "$(config "fs.etcdir")/nginx/sites-enabled.d/https" \ - "$(config "fs.etcdir")/nginx/snippets.d" \ - /var/www - - info "webserver/add" "Generating dhparam.pem" - openssl dhparam -out "$(config "fs.etcdir")/nginx/dhparam.pem" 4096 - - info "webserver/add" "Running sync to get all configuration going" - playbook_sync - - svc enable nginx - svc start nginx -} - -playbook_sync() -{ - local snippets - local sites - - notice "webserver/sync" "Updating nginx.conf" - file_template "nginx.conf" \ - etc="$(config "fs.etcdir")" \ - > "$(config "fs.etcdir")/nginx/nginx.conf" - - notice "webserver/sync" "Updating mime.types" - file_template "mime.types" \ - etc="$(config "fs.etcdir")" \ - > "$(config "fs.etcdir")/nginx/mime.types" - - notice "webserver/sync" "Updating cert.sh" - file_template "cert.sh" \ - > "$(config "fs.bindir")/cert.sh" \ - && chmod +x "$(config "fs.bindir")/cert.sh" - - for path in "$BASHTARD_ETCDIR/playbooks.d/$BASHTARD_PLAYBOOK/share/snippets.d"/*.conf - do - snippet="$(basename "$path")" - - notice "webserver/sync" "Updating snippet $snippet" - file_template "snippets.d/$snippet" \ - > "$(config "fs.etcdir")/nginx/snippets.d/$snippet" - done - - for path_dir in 
"$BASHTARD_ETCDIR/playbooks.d/$BASHTARD_PLAYBOOK/share/sites.d"/* - do - dir="$(basename "$path_dir")" - - for path_site in "$path_dir"/* - do - site="$(basename "$path_site")" - - notice "webserver/sync" "Updating site $dir/$site" - file_template "sites.d/$dir/$site" \ - > "$(config "fs.etcdir")/nginx/sites-available.d/$dir/$site" - done - done - - notice "webserver/sync" "Set nginx permissions to www user" - chown -R www:www "$(config "fs.etcdir")/nginx" - - notice "webserver/sync" "Renewing Let's Encrypt certificates" - certbot renew --no-random-sleep-on-renew - - [[ "$BASHTARD_COMMAND" == "add" ]] && return - - svc reload nginx -} - -playbook_del() -{ - # Stop and remove the service - svc stop nginx - svc disable nginx - - # Clean up resources - pkg uninstall nginx - rm -fr -- /etc/nginx "$(config "fs.bindir")/cert.sh" /var/www/.acme - userdel www - groupdel www -} diff --git a/playbooks.d/webserver/share/cert.sh b/playbooks.d/webserver/share/cert.sh deleted file mode 100755 index d290710..0000000 --- a/playbooks.d/webserver/share/cert.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh - -main() -{ - certbot certonly \ - --rsa-key-size 4096 \ - --webroot -w /var/www/.acme \ - -d "$1" -} - -main "$@" diff --git a/playbooks.d/webserver/share/mime.types b/playbooks.d/webserver/share/mime.types deleted file mode 100644 index cd3d700..0000000 --- a/playbooks.d/webserver/share/mime.types +++ /dev/null 
@@ -1,88 +0,0 @@ -types { - text/html html htm shtml; - text/css css; - text/xml xml; - image/gif gif; - image/jpeg jpeg jpg; - application/javascript js; - application/atom+xml atom; - application/rss+xml rss; - - text/mathml mml; - text/plain txt; - text/vnd.sun.j2me.app-descriptor jad; - text/vnd.wap.wml wml; - text/x-component htc; - - image/png png; - image/tiff tif tiff; - image/vnd.wap.wbmp wbmp; - image/x-icon ico; - image/x-jng jng; - image/x-ms-bmp bmp; - image/svg+xml svg svgz; - image/webp webp; - - application/font-woff woff; - application/java-archive jar war ear; - application/json json; - application/mac-binhex40 hqx; - application/msword doc; - application/pdf pdf; - application/postscript ps eps ai; - application/rtf rtf; - application/vnd.apple.mpegurl m3u8; - application/vnd.ms-excel xls; - application/vnd.ms-fontobject eot; - application/vnd.ms-powerpoint ppt; - application/vnd.wap.wmlc wmlc; - application/vnd.google-earth.kml+xml kml; - application/vnd.google-earth.kmz kmz; - application/x-7z-compressed 7z; - application/x-cocoa cco; - application/x-java-archive-diff jardiff; - application/x-java-jnlp-file jnlp; - application/x-makeself run; - application/x-perl pl pm; - application/x-pilot prc pdb; - application/x-rar-compressed rar; - application/x-redhat-package-manager rpm; - application/x-sea sea; - application/x-shockwave-flash swf; - application/x-stuffit sit; - application/x-tcl tcl tk; - application/x-x509-ca-cert der pem crt; - application/x-xpinstall xpi; - application/xhtml+xml xhtml; - application/xspf+xml xspf; - application/zip zip; - - application/octet-stream bin exe dll; - application/octet-stream deb; - application/octet-stream dmg; - application/octet-stream iso img; - application/octet-stream msi msp msm; - - application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; - application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; - 
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; - - audio/midi mid midi kar; - audio/mpeg mp3; - audio/ogg ogg; - audio/x-m4a m4a; - audio/x-realaudio ra; - - video/3gpp 3gpp 3gp; - video/mp2t ts; - video/mp4 mp4; - video/mpeg mpeg mpg; - video/quicktime mov; - video/webm webm; - video/x-flv flv; - video/x-m4v m4v; - video/x-mng mng; - video/x-ms-asf asx asf; - video/x-ms-wmv wmv; - video/x-msvideo avi; -} diff --git a/playbooks.d/webserver/share/nginx.conf b/playbooks.d/webserver/share/nginx.conf deleted file mode 100644 index 834f220..0000000 --- a/playbooks.d/webserver/share/nginx.conf +++ /dev/null @@ -1,23 +0,0 @@ -user www; -worker_processes auto; -pid /run/nginx.pid; - -events { - worker_connections 768; -} - -http { - include ${etc}/nginx/mime.types; - - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; - - default_type application/octet-stream; - gzip on; - sendfile on; - tcp_nopush on; - types_hash_max_size 2048; - - include ${etc}/nginx/sites-enabled.d/http/*; - include ${etc}/nginx/sites-enabled.d/https/*; -} diff --git a/playbooks.d/webserver/share/sites.d/http/_ b/playbooks.d/webserver/share/sites.d/http/_ deleted file mode 100644 index 6207cb2..0000000 --- a/playbooks.d/webserver/share/sites.d/http/_ +++ /dev/null @@ -1,10 +0,0 @@ -server { - listen 80 default_server; - listen [::]:80 default_server; - - server_name _; - - location / { - return 404; - } -} diff --git a/playbooks.d/webserver/share/sites.d/http/church.scriptkitties b/playbooks.d/webserver/share/sites.d/http/church.scriptkitties deleted file mode 100644 index 0af0235..0000000 --- a/playbooks.d/webserver/share/sites.d/http/church.scriptkitties +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name scriptkitties.church; - - include /etc/nginx/snippets.d/certbot.conf; - include /etc/nginx/snippets.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} 
diff --git a/playbooks.d/webserver/share/sites.d/http/com.voidfire b/playbooks.d/webserver/share/sites.d/http/com.voidfire deleted file mode 100644 index 3fa9728..0000000 --- a/playbooks.d/webserver/share/sites.d/http/com.voidfire +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name voidfire.com; - - include /etc/nginx/snippets.d/certbot.conf; - include /etc/nginx/snippets.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/http/net.tyil b/playbooks.d/webserver/share/sites.d/http/net.tyil deleted file mode 100644 index 31cca7e..0000000 --- a/playbooks.d/webserver/share/sites.d/http/net.tyil +++ /dev/null @@ -1,12 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name tyil.net; - - include /etc/nginx/snippets.d/certbot.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.fglt b/playbooks.d/webserver/share/sites.d/http/nl.fglt deleted file mode 100644 index 4d80a62..0000000 --- a/playbooks.d/webserver/share/sites.d/http/nl.fglt +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name fglt.nl; - - include /etc/nginx/snippets.d/certbot.conf; - include /etc/nginx/snippets.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil b/playbooks.d/webserver/share/sites.d/http/nl.tyil deleted file mode 100644 index b2c93db..0000000 --- a/playbooks.d/webserver/share/sites.d/http/nl.tyil +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name tyil.nl; - - include /etc/nginx/snippets.d/certbot.conf; - include /etc/nginx/snippets.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} 
diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt b/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt deleted file mode 100644 index ecdfbe8..0000000 --- a/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name alt.tyil.nl; - - include /etc/nginx/snippets.d/certbot.conf; - include /etc/nginx/snippets.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.imgur b/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.imgur deleted file mode 100644 index 4ae2082..0000000 --- a/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.imgur +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name imgur.alt.tyil.nl; - - include /etc/nginx/snippets.d/certbot.conf; - include /etc/nginx/snippets.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.reddit b/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.reddit deleted file mode 100644 index b1ba239..0000000 --- a/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.reddit +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name reddit.alt.tyil.nl; - - include /etc/nginx/snippets.d/certbot.conf; - include /etc/nginx/snippets.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.twitter b/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.twitter deleted file mode 100644 index 4d537c4..0000000 --- a/playbooks.d/webserver/share/sites.d/http/nl.tyil.alt.twitter +++ /dev/null 
@@ -1,13 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name twitter.alt.tyil.nl; - - include /etc/nginx/snippets.d/certbot.conf; - include /etc/nginx/snippets.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.cloud b/playbooks.d/webserver/share/sites.d/http/nl.tyil.cloud deleted file mode 100644 index 7c3e941..0000000 --- a/playbooks.d/webserver/share/sites.d/http/nl.tyil.cloud +++ /dev/null @@ -1,12 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name cloud.tyil.nl; - - include /etc/nginx/snippets.d/certbot.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.dist b/playbooks.d/webserver/share/sites.d/http/nl.tyil.dist deleted file mode 100644 index 19bb5fc..0000000 --- a/playbooks.d/webserver/share/sites.d/http/nl.tyil.dist +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name dist.tyil.nl; - - include /etc/nginx/snippets.d/certbot.conf; - include /etc/nginx/snippets.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.git b/playbooks.d/webserver/share/sites.d/http/nl.tyil.git deleted file mode 100644 index 92ce73e..0000000 --- a/playbooks.d/webserver/share/sites.d/http/nl.tyil.git +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name git.tyil.nl; - - include /etc/nginx/snippets.d/certbot.conf; - include /etc/nginx/snippets.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.home b/playbooks.d/webserver/share/sites.d/http/nl.tyil.home deleted file mode 100644 index 70eeff7..0000000 --- a/playbooks.d/webserver/share/sites.d/http/nl.tyil.home +++ /dev/null 
@@ -1,13 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name home.tyil.nl; - - include /etc/nginx/snippets.d/certbot.conf; - include /etc/nginx/snippets.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.homebrew b/playbooks.d/webserver/share/sites.d/http/nl.tyil.homebrew deleted file mode 100644 index 5a87074..0000000 --- a/playbooks.d/webserver/share/sites.d/http/nl.tyil.homebrew +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name homebrew.tyil.nl; - - include /etc/nginx/snippets.d/certbot.conf; - include /etc/nginx/snippets.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.p b/playbooks.d/webserver/share/sites.d/http/nl.tyil.p deleted file mode 100644 index 8d71cf8..0000000 --- a/playbooks.d/webserver/share/sites.d/http/nl.tyil.p +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name p.tyil.nl; - - include /etc/nginx/snippets.d/certbot.conf; - include /etc/nginx/snippets.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.radio b/playbooks.d/webserver/share/sites.d/http/nl.tyil.radio deleted file mode 100644 index e7adfaf..0000000 --- a/playbooks.d/webserver/share/sites.d/http/nl.tyil.radio +++ /dev/null @@ -1,13 +0,0 @@ -server { - listen 80; - listen [::]:80; - - server_name radio.tyil.nl; - - include /etc/nginx/snippets.d/certbot.conf; - include /etc/nginx/snippets.d/headers.conf; - - location / { - return 301 https://$host$request_uri; - } -} diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.searx b/playbooks.d/webserver/share/sites.d/http/nl.tyil.searx deleted file mode 100644 index 3ee75d4..0000000 --- a/playbooks.d/webserver/share/sites.d/http/nl.tyil.searx +++ /dev/null 
@@ -1,13 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
-
- server_name searx.tyil.nl;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.tv b/playbooks.d/webserver/share/sites.d/http/nl.tyil.tv
deleted file mode 100644
index 9179cc9..0000000
--- a/playbooks.d/webserver/share/sites.d/http/nl.tyil.tv
+++ /dev/null
@@ -1,12 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
-
- server_name tv.tyil.nl;
-
- include /etc/nginx/snippets.d/certbot.conf;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/http/nl.tyil.www b/playbooks.d/webserver/share/sites.d/http/nl.tyil.www
deleted file mode 100644
index 6370823..0000000
--- a/playbooks.d/webserver/share/sites.d/http/nl.tyil.www
+++ /dev/null
@@ -1,13 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
-
- server_name www.tyil.nl;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/http/pictures.memebooru b/playbooks.d/webserver/share/sites.d/http/pictures.memebooru
deleted file mode 100644
index 0aae163..0000000
--- a/playbooks.d/webserver/share/sites.d/http/pictures.memebooru
+++ /dev/null
@@ -1,13 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
-
- server_name memebooru.pictures;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/http/work.tyil b/playbooks.d/webserver/share/sites.d/http/work.tyil
deleted file mode 100644
index 7b09142..0000000
--- a/playbooks.d/webserver/share/sites.d/http/work.tyil
+++ /dev/null
@@ -1,13 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
-
- server_name tyil.work;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/church.scriptkitties b/playbooks.d/webserver/share/sites.d/https/church.scriptkitties
deleted file mode 100644
index de07ad6..0000000
--- a/playbooks.d/webserver/share/sites.d/https/church.scriptkitties
+++ /dev/null
@@ -1,62 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name scriptkitties.church;
-
- ssl_certificate /etc/letsencrypt/live/scriptkitties.church/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/scriptkitties.church/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/ssl.conf;
- include mime.types;
-
- root /var/www/church.scriptkitties;
- index index.php;
-
- autoindex off;
- fastcgi_param HTTPS on;
- client_max_body_size 10m;
- client_body_buffer_size 128k;
-
- location / {
- try_files $uri /index.php?pagename=$uri&$args;
- }
-
- location ^~ /.well-known/ {
- allow all;
- rewrite ^ /index.php?pagename=$uri;
- }
-
- location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {
- expires 30d;
- try_files $uri /index.php?pagename=$uri&$args;
- }
-
- location ~* \.php$ {
- try_files $uri =404;
-
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
-
- fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
-
- include /etc/nginx/snippets.d/fcgi.conf;
- fastcgi_index index.php;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-
- fastcgi_buffers 16 16k;
- fastcgi_buffer_size 32k;
- }
-
- location ~* \.(tpl|md|tgz|log|out)$ {
- deny all;
- }
-
- location ~ /\. {
- deny all;
- }
-
- location ^~ /bin {
- deny all;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/com.voidfire b/playbooks.d/webserver/share/sites.d/https/com.voidfire
deleted file mode 100644
index 4021ca0..0000000
--- a/playbooks.d/webserver/share/sites.d/https/com.voidfire
+++ /dev/null
@@ -1,19 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name voidfire.com;
-
- ssl_certificate /etc/letsencrypt/live/voidfire.com/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/voidfire.com/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- root /var/www/com.voidfire;
-
- location / {
- try_files $uri $uri/ =404;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/net.tyil b/playbooks.d/webserver/share/sites.d/https/net.tyil
deleted file mode 100644
index 89fe78e..0000000
--- a/playbooks.d/webserver/share/sites.d/https/net.tyil
+++ /dev/null
@@ -1,28 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name tyil.net;
-
- ssl_certificate /etc/letsencrypt/live/tyil.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/tyil.net/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- auth_basic "Bad hacker!";
- auth_basic_user_file /var/www/net.tyil/htaccess;
-
- location /grafana/ {
- proxy_pass http://127.0.0.1:35300/;
- }
-
- location /plausible/ {
- proxy_pass http://127.0.0.1:8796/;
- }
-
- location /prometheus/ {
- proxy_pass http://127.0.0.1:9090/;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.fglt b/playbooks.d/webserver/share/sites.d/https/nl.fglt
deleted file mode 100644
index e52b6dc..0000000
--- a/playbooks.d/webserver/share/sites.d/https/nl.fglt
+++ /dev/null
@@ -1,22 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name fglt.nl;
-
- ssl_certificate /etc/letsencrypt/live/fglt.nl/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/fglt.nl/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- access_log /var/log/nginx/nl.fglt-access.log;
- error_log /var/log/nginx/nl.fglt-error.log;
-
- root /var/www/nl.fglt;
-
- location / {
- try_files $uri $uri/ =404;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil b/playbooks.d/webserver/share/sites.d/https/nl.tyil
deleted file mode 100644
index f80c4b6..0000000
--- a/playbooks.d/webserver/share/sites.d/https/nl.tyil
+++ /dev/null
@@ -1,24 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name tyil.nl;
-
- ssl_certificate /etc/letsencrypt/live/tyil.nl/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/tyil.nl/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- location ~ ^/.well-known/openpgpkey(.+)$ {
- add_header Access-Control-Allow-Origin *;
-
- root /var/wkd/nl.tyil;
- try_files $1 =404;
- }
-
- location / {
- return 301 https://www.tyil.nl$request_uri;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt b/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt
deleted file mode 100644
index f3232c3..0000000
--- a/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt
+++ /dev/null
@@ -1,17 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name alt.tyil.nl;
-
- ssl_certificate /etc/letsencrypt/live/alt.tyil.nl/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/alt.tyil.nl/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- location = / {
- return 301 https://www.tyil.nl/services;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.imgur b/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.imgur
deleted file mode 100644
index c0435f4..0000000
--- a/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.imgur
+++ /dev/null
@@ -1,20 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name imgur.alt.tyil.nl;
-
- ssl_certificate /etc/letsencrypt/live/imgur.alt.tyil.nl/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/imgur.alt.tyil.nl/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- location / {
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
-
- proxy_pass http://127.0.0.1:40648;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.reddit b/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.reddit
deleted file mode 100644
index a064c44..0000000
--- a/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.reddit
+++ /dev/null
@@ -1,20 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name reddit.alt.tyil.nl;
-
- ssl_certificate /etc/letsencrypt/live/reddit.alt.tyil.nl/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/reddit.alt.tyil.nl/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- location / {
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
-
- proxy_pass http://127.0.0.1:43559;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.twitter b/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.twitter
deleted file mode 100644
index 52ebf0f..0000000
--- a/playbooks.d/webserver/share/sites.d/https/nl.tyil.alt.twitter
+++ /dev/null
@@ -1,20 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name twitter.alt.tyil.nl;
-
- ssl_certificate /etc/letsencrypt/live/twitter.alt.tyil.nl/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/twitter.alt.tyil.nl/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- location / {
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
-
- proxy_pass http://127.0.0.1:25989;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.cloud b/playbooks.d/webserver/share/sites.d/https/nl.tyil.cloud
deleted file mode 100644
index c4a86cb..0000000
--- a/playbooks.d/webserver/share/sites.d/https/nl.tyil.cloud
+++ /dev/null
@@ -1,137 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name cloud.tyil.nl;
-
- error_log /var/log/nginx/cloud-error.log;
- access_log /var/log/nginx/cloud-access.log;
-
- ssl_certificate /etc/letsencrypt/live/cloud.tyil.nl/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/cloud.tyil.nl/privkey.pem;
-
- include /etc/nginx/snippets.d/ssl.conf;
- include /etc/nginx/snippets.d/certbot.conf;
-
- # Set timeouts
- fastcgi_read_timeout 300;
- proxy_read_timeout 300;
-
- # Set upload size
- client_max_body_size 200M;
- fastcgi_buffers 64 4K;
-
- # Add (security) headers
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- add_header Referrer-Policy "no-referrer";
- add_header X-Frame-Options "SAMEORIGIN";
- add_header Strict-Transport-Security "max-age=63072000" always;
-
- # Remove headers
- fastcgi_hide_header X-Powered-By;
-
- # Enable gzip
- gzip off;
- gzip_vary on;
- gzip_comp_level 4;
- gzip_min_length 256;
- gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
- gzip_types
- application/atom+xml
- application/javascript
- application/json
- application/ld+json
- application/manifest+json
- application/rss+xml
- application/vnd.geo+json
- application/vnd.ms-fontobject
- application/x-font-ttf
- application/x-web-app-manifest+json
- application/xhtml+xml
- application/xml
- font/opentype
- image/bmp
- image/svg+xml
- image/x-icon
- text/cache-manifest
- text/css
- text/plain
- text/vcard
- text/vnd.rim.location.xloc
- text/vtt
- text/x-component
- text/x-cross-domain-policy
- ;
-
- root /var/www/nl.tyil.cloud;
-
- location / {
- rewrite ^ /index.php?$request_uri;
- }
-
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
-
- location ^~ /.well-known {
- rewrite ^/\.well-known/host-meta.json /public.php?service=host-meta.json last;
- rewrite ^/\.well-known/host-meta /public.php?service=host-meta last;
- rewrite ^/\.well-known/webfinger /public.php?service=webfinger last;
- rewrite ^/\.well-known/nodeinfo /public.php?service=nodeinfo last;
-
- location = /.well-known/carddav { return 301 /remote.php/dav/; }
- location = /.well-known/caldav { return 301 /remote.php/dav/; }
-
- #location ^~ /.well-known { return 301 /index.php$uri; }
-
- try_files $uri $uri/ =404;
- }
-
- location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
- deny all;
- }
-
- location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
- deny all;
- }
-
- location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
- fastcgi_split_path_info ^(.+?\.php)(/.*)$;
- include snippets.d/fcgi.conf;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $fastcgi_path_info;
- fastcgi_param HTTPS on;
- fastcgi_param modHeadersAvailable true;
- fastcgi_param front_controller_active true;
- fastcgi_pass localhost:9000;
- fastcgi_intercept_errors on;
- fastcgi_request_buffering off;
- }
-
- location ~ ^/(?:updater|ocs-provider)(?:$|/) {
- try_files $uri/ =404;
- index index.php;
- }
-
- location ~ \.(?:css|js|woff|svg|gif)$ {
- try_files $uri /index.php$request_uri;
- add_header Cache-Control "public, max-age=15778463";
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header X-Robots-Tag none;
- add_header X-Download-Options noopen;
- add_header X-Permitted-Cross-Domain-Policies none;
- access_log off;
- }
-
- location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
- try_files $uri /index.php$request_uri;
- access_log off;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.dist b/playbooks.d/webserver/share/sites.d/https/nl.tyil.dist
deleted file mode 100644
index 79f8a3c..0000000
--- a/playbooks.d/webserver/share/sites.d/https/nl.tyil.dist
+++ /dev/null
@@ -1,16 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name dist.tyil.nl;
-
- ssl_certificate /etc/letsencrypt/live/dist.tyil.nl/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/dist.tyil.nl/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- root /var/www/nl.tyil.dist;
- autoindex on;
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.git b/playbooks.d/webserver/share/sites.d/https/nl.tyil.git
deleted file mode 100644
index 65d1bb9..0000000
--- a/playbooks.d/webserver/share/sites.d/https/nl.tyil.git
+++ /dev/null
@@ -1,30 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name git.tyil.nl;
-
- ssl_certificate /etc/letsencrypt/live/git.tyil.nl/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/git.tyil.nl/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- root /usr/share/webapps/cgit/1.2.3-r100/htdocs;
-
- location / {
- try_files $uri @cgit;
- }
-
- location @cgit {
- include snippets.d/uwsgi.conf;
-
- gzip off;
-
- uwsgi_modifier1 9;
- #uwsgi_param PATH_INFO $fastcgi_path_info;
-
- uwsgi_pass 127.0.0.1:1234;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.home b/playbooks.d/webserver/share/sites.d/https/nl.tyil.home
deleted file mode 100644
index 9683ccd..0000000
--- a/playbooks.d/webserver/share/sites.d/https/nl.tyil.home
+++ /dev/null
@@ -1,52 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name home.tyil.nl;
-
- ssl_certificate /etc/letsencrypt/live/home.tyil.nl/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/home.tyil.nl/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- location / {
- return 301 https://www.tyil.nl$request_uri;
- }
-
- location ~ ^/~(.+?)(/.*)?$ {
- alias /home/$1/www$2;
- autoindex on;
- }
-
- location /git {
- rewrite ^/git/(.*)$ https://git.tyil.nl/$1 redirect;
- }
-
- location /media {
- alias /var/media;
-
- satisfy any;
-
- allow 127.0.0.1;
- allow 10.57.0.0/16;
- allow 192.168.178.0/24;
- deny all;
-
- auth_basic "pls no hack";
- auth_basic_user_file "/var/media/.htpasswd";
-
- autoindex on;
- }
-
- location /media/backups { deny all; }
- location /media/nextcloud { deny all; }
- location /media/pictures { deny all; }
- location /media/recordings { deny all; }
-
- location /packages {
- alias /var/portage/packages;
- autoindex on;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.homebrew b/playbooks.d/webserver/share/sites.d/https/nl.tyil.homebrew
deleted file mode 100644
index 2b8de15..0000000
--- a/playbooks.d/webserver/share/sites.d/https/nl.tyil.homebrew
+++ /dev/null
@@ -1,19 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name homebrew.tyil.nl;
-
- ssl_certificate /etc/letsencrypt/live/homebrew.tyil.nl/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/homebrew.tyil.nl/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- root /var/www/nl.tyil.homebrew;
-
- location / {
- try_files $uri $uri/ =404;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.p b/playbooks.d/webserver/share/sites.d/https/nl.tyil.p
deleted file mode 100644
index 75c0e7a..0000000
--- a/playbooks.d/webserver/share/sites.d/https/nl.tyil.p
+++ /dev/null
@@ -1,27 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name p.tyil.nl;
-
- ssl_certificate /etc/letsencrypt/live/p.tyil.nl/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/p.tyil.nl/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- root /var/www/nl.tyil.p;
-
- location = / {
- return 301 https://www.tyil.nl/services/fiche/;
- }
-
- location ~ ^/(?.+)$ {
- # Disassociate all filetypes and their Content-Type, and
- # default everything to text/plain.
- types { } default_type text/plain;
-
- alias "/var/www/nl.tyil.p/${slug}/index.txt";
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.radio b/playbooks.d/webserver/share/sites.d/https/nl.tyil.radio
deleted file mode 100644
index 7098fc5..0000000
--- a/playbooks.d/webserver/share/sites.d/https/nl.tyil.radio
+++ /dev/null
@@ -1,17 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name radio.tyil.nl;
-
- ssl_certificate /etc/letsencrypt/live/radio.tyil.nl/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/radio.tyil.nl/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- location / {
- proxy_pass http://127.0.0.1:8092/mpd.opus;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.searx b/playbooks.d/webserver/share/sites.d/https/nl.tyil.searx
deleted file mode 100644
index bf461cf..0000000
--- a/playbooks.d/webserver/share/sites.d/https/nl.tyil.searx
+++ /dev/null
@@ -1,25 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name searx.tyil.nl;
-
- ssl_certificate /etc/letsencrypt/live/searx.tyil.nl/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/searx.tyil.nl/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- root /var/docker-compose/searx;
-
- location / {
- proxy_set_header Host $host;
- proxy_set_header Connection $http_connection;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Scheme $scheme;
-
- proxy_pass http://127.0.0.1:60474;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.tv b/playbooks.d/webserver/share/sites.d/https/nl.tyil.tv
deleted file mode 100644
index 093d938..0000000
--- a/playbooks.d/webserver/share/sites.d/https/nl.tyil.tv
+++ /dev/null
@@ -1,19 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name tv.tyil.nl;
-
- ssl_certificate /etc/letsencrypt/live/tv.tyil.nl/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/tv.tyil.nl/privkey.pem;
-
- include /etc/nginx/snippets.d/ssl.conf;
- include /etc/nginx/snippets.d/certbot.conf;
-
- location / {
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $remote_addr;
-
- proxy_pass http://127.0.0.1:8096;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/nl.tyil.www b/playbooks.d/webserver/share/sites.d/https/nl.tyil.www
deleted file mode 100644
index 3304c8f..0000000
--- a/playbooks.d/webserver/share/sites.d/https/nl.tyil.www
+++ /dev/null
@@ -1,25 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name www.tyil.nl;
-
- ssl_certificate /etc/letsencrypt/live/www.tyil.nl/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/www.tyil.nl/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- root /var/www/nl.tyil.www/public;
-
- error_page 404 /http-404.html;
-
- location /atom.xml {
- return 301 https://www.tyil.nl/posts/index.xml;
- }
-
- location / {
- try_files $uri $uri/ =404;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/pictures.memebooru b/playbooks.d/webserver/share/sites.d/https/pictures.memebooru
deleted file mode 100644
index 9d524ef..0000000
--- a/playbooks.d/webserver/share/sites.d/https/pictures.memebooru
+++ /dev/null
@@ -1,28 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name memebooru.pictures;
-
- ssl_certificate /etc/letsencrypt/live/memebooru.pictures/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/memebooru.pictures/privkey.pem;
-
- include /etc/nginx/snippets.d/ssl.conf;
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
-
- client_max_body_size 100M;
- client_body_timeout 30s;
-
- location / {
- proxy_pass http://127.0.0.1:50405;
- proxy_set_header Host $http_host;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Scheme $scheme;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Script-Name /szuru;
- }
-}
diff --git a/playbooks.d/webserver/share/sites.d/https/work.tyil b/playbooks.d/webserver/share/sites.d/https/work.tyil
deleted file mode 100644
index d5a5dd9..0000000
--- a/playbooks.d/webserver/share/sites.d/https/work.tyil
+++ /dev/null
@@ -1,15 +0,0 @@
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
-
- server_name tyil.work;
-
- ssl_certificate /etc/letsencrypt/live/tyil.work/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/tyil.work/privkey.pem;
-
- include /etc/nginx/snippets.d/certbot.conf;
- include /etc/nginx/snippets.d/headers.conf;
- include /etc/nginx/snippets.d/ssl.conf;
-
- return 301 https://www.tyil.nl$request_uri;
-}
diff --git a/playbooks.d/webserver/share/snippets.d/certbot.conf b/playbooks.d/webserver/share/snippets.d/certbot.conf
deleted file mode 100644
index 64c9195..0000000
--- a/playbooks.d/webserver/share/snippets.d/certbot.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-# Certbot endpoint
-location /.well-known/acme-challenge {
- root /var/www/.acme;
- try_files $uri $uri/ =404;
-}
diff --git a/playbooks.d/webserver/share/snippets.d/fcgi.conf b/playbooks.d/webserver/share/snippets.d/fcgi.conf
deleted file mode 100644
index bc235bf..0000000
--- a/playbooks.d/webserver/share/snippets.d/fcgi.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-fastcgi_param QUERY_STRING $query_string;
-fastcgi_param REQUEST_METHOD $request_method;
-fastcgi_param CONTENT_TYPE $content_type;
-fastcgi_param CONTENT_LENGTH $content_length;
-
-fastcgi_param SCRIPT_NAME $fastcgi_script_name;
-fastcgi_param REQUEST_URI $request_uri;
-fastcgi_param DOCUMENT_URI $document_uri;
-fastcgi_param DOCUMENT_ROOT $document_root;
-fastcgi_param SERVER_PROTOCOL $server_protocol;
-fastcgi_param REQUEST_SCHEME $scheme;
-fastcgi_param HTTPS $https if_not_empty;
-
-fastcgi_param GATEWAY_INTERFACE CGI/1.1;
-fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
-
-fastcgi_param REMOTE_ADDR $remote_addr;
-fastcgi_param REMOTE_PORT $remote_port;
-fastcgi_param SERVER_ADDR $server_addr;
-fastcgi_param SERVER_PORT $server_port;
-fastcgi_param SERVER_NAME $server_name;
-
-# PHP only, required if PHP was built with --enable-force-cgi-redirect
-fastcgi_param REDIRECT_STATUS 200;
-
-# httpoxy mitigation (https://httpoxy.org/ https://www.nginx.com/blog/?p=41962)
-fastcgi_param HTTP_PROXY "";
diff --git a/playbooks.d/webserver/share/snippets.d/headers.conf b/playbooks.d/webserver/share/snippets.d/headers.conf
deleted file mode 100644
index c277e3d..0000000
--- a/playbooks.d/webserver/share/snippets.d/headers.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-add_header Content-Security-Policy "default-src 'self'" always;
-add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-add_header X-Content-Type-Options "nosniff" always;
-add_header X-Frame-Options "SAMEORIGIN" always;
diff --git a/playbooks.d/webserver/share/snippets.d/ssl.conf b/playbooks.d/webserver/share/snippets.d/ssl.conf
deleted file mode 100644
index 68bcdf0..0000000
--- a/playbooks.d/webserver/share/snippets.d/ssl.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# SSL settings
-ssl_protocols TLSv1.3 TLSv1.2;
-
-ssl_buffer_size 4K;
-ssl_dhparam /etc/nginx/dhparam.pem;
-ssl_ecdh_curve secp521r1:secp384r1;
-ssl_prefer_server_ciphers on;
-ssl_session_cache shared:le_nginx_SSL:2m;
-ssl_session_tickets off;
-ssl_session_timeout 1440m;
-
-# Ciphers
-ssl_ciphers 'EECDH+AESGCM:EECDH+AES256:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA';
-
-# Additional headers
-add_header Strict-Transport-Security "max-age=63072000" always;
diff --git a/playbooks.d/webserver/share/snippets.d/uwsgi.conf b/playbooks.d/webserver/share/snippets.d/uwsgi.conf
deleted file mode 100644
index 9d67d3d..0000000
--- a/playbooks.d/webserver/share/snippets.d/uwsgi.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-
-uwsgi_param QUERY_STRING $query_string;
-uwsgi_param REQUEST_METHOD $request_method;
-uwsgi_param CONTENT_TYPE $content_type;
-uwsgi_param CONTENT_LENGTH $content_length;
-
-uwsgi_param REQUEST_URI $request_uri;
-uwsgi_param PATH_INFO $document_uri;
-uwsgi_param DOCUMENT_ROOT $document_root;
-uwsgi_param SERVER_PROTOCOL $server_protocol;
-uwsgi_param REQUEST_SCHEME $scheme;
-uwsgi_param HTTPS $https if_not_empty;
-
-uwsgi_param REMOTE_ADDR $remote_addr;
-uwsgi_param REMOTE_PORT $remote_port;
-uwsgi_param SERVER_PORT $server_port;
-uwsgi_param SERVER_NAME $server_name;
-
-# httpoxy mitigation (https://httpoxy.org/ https://www.nginx.com/blog/?p=41962)
-uwsgi_param HTTP_PROXY "";
diff --git a/registry.d/anoia.tyil.net b/registry.d/anoia.tyil.net
index d98373d..98cfbf8 100644
--- a/registry.d/anoia.tyil.net
+++ b/registry.d/anoia.tyil.net
@@ -1 +1 @@
-vpn
+vpn-tinc
diff --git a/registry.d/caeghi.tyil.net b/registry.d/caeghi.tyil.net
index d98373d..98cfbf8 100644
--- a/registry.d/caeghi.tyil.net
+++ b/registry.d/caeghi.tyil.net
@@ -1 +1 @@
-vpn
+vpn-tinc
diff --git a/registry.d/edephas.tyil.net b/registry.d/edephas.tyil.net
index d77aaf3..732f695 100644
--- a/registry.d/edephas.tyil.net
+++ b/registry.d/edephas.tyil.net
@@ -1,2 +1,2 @@
-vpn
-webserver
+vpn-tinc
+webserver-nginx
diff --git a/registry.d/gaeru.tyil.net b/registry.d/gaeru.tyil.net
index d98373d..98cfbf8 100644
--- a/registry.d/gaeru.tyil.net
+++ b/registry.d/gaeru.tyil.net
@@ -1 +1 @@
-vpn
+vpn-tinc
-- cgit v1.1