summaryrefslogtreecommitdiffstats
path: root/nginx
diff options
context:
space:
mode:
Diffstat (limited to 'nginx')
-rw-r--r--nginx/base.sls32
-rw-r--r--nginx/git_kyriasis_com.sls65
-rw-r--r--nginx/matrix_kyriasis_com.sls74
-rw-r--r--nginx/riot_kyriasis_com.sls58
-rw-r--r--nginx/theos_kyriasis_com.sls138
-rw-r--r--nginx/xan_kyriasis_com.sls82
6 files changed, 449 insertions, 0 deletions
diff --git a/nginx/base.sls b/nginx/base.sls
new file mode 100644
index 0000000..10f39b3
--- /dev/null
+++ b/nginx/base.sls
@@ -0,0 +1,32 @@
+nginx:
+ ng:
+ source:
+ opts: {}
+ service:
+ enable: True
+ opts: {}
+ server:
+ config:
+ events:
+ worker_connections: 1024
+ http:
+ sendfile: 'on'
+ aio: 'on'
+ directio: 4m
+ keepalive_timeout: 65
+ gzip: 'on'
+ gzip_proxied: 'any'
+ gzip_types: '*'
+ gzip_vary: 'on'
+ charset: utf-8
+ charset_types: text/xml text/plain application/javascript application/rss+xml
+ server_tokens: 'off'
+ etag: 'on'
+ ssi: 'on'
+
+ include:
+ - /etc/nginx/mime.types
+ - /etc/nginx/conf.d/*.conf
+ - /etc/nginx/sites-enabled/*
+
+# vim: ft=yaml et:
diff --git a/nginx/git_kyriasis_com.sls b/nginx/git_kyriasis_com.sls
new file mode 100644
index 0000000..78181a5
--- /dev/null
+++ b/nginx/git_kyriasis_com.sls
@@ -0,0 +1,65 @@
+nginx:
+ ng:
+ servers:
+ managed:
+ git.kyriasis.com:
+ enabled: True
+ config:
+ - server:
+ - server_name: git.kyriasis.com
+ - listen: 80
+ - listen: '[::]:80'
+
+ - location /.well-known/acme-challenge:
+ - root: /srv/http/
+
+ - return: '301 https://$server_name$request_uri'
+
+
+ - server:
+ - server_name: git.kyriasis.com
+ - listen: 443 ssl http2
+ - listen: '[::]:443 ssl http2'
+
+ - ssl: 'on'
+ - ssl_certificate: /etc/letsencrypt/live/git.kyriasis.com/fullchain.pem
+ - ssl_certificate_key: /etc/letsencrypt/live/git.kyriasis.com/privkey.pem
+ - ssl_dhparam: /etc/nginx/dhparam.pem
+
+ - ssl_stapling: 'on'
+ - ssl_stapling_verify: 'on'
+ - ssl_trusted_certificate: /etc/letsencrypt/live/git.kyriasis.com/fullchain.pem
+
+ # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+ - add_header: 'Strict-Transport-Security "max-age=31536000"'
+
+ # Tell browsers not to render the page inside a frame, and avoid clickjacking.
+ - add_header: X-Frame-Options SAMEORIGIN
+
+ # Tell browsers to not try to auto-detect the Content-Type.
+ - add_header: X-Content-Type-Options nosniff
+
+ # Enable the Cross-site scripting filter in most recent browsers.
+ # Normally enabled by default, but enable it anyway if user has disabled it.
+ - add_header: 'X-XSS-Protection "1; mode=block"'
+
+ # http://www.gnuterrypratchett.com/
+ - add_header: 'X-Clacks-Overhead "GNU Terry Pratchett"'
+
+ - error_log: /var/log/nginx/git.error.log
+
+ - root: /usr/share/webapps/cgit
+
+ - try_files: $uri @cgit
+
+ - location @cgit:
+ - include: fastcgi_params
+ - fastcgi_param: SCRIPT_FILENAME $document_root/cgit.cgi
+ - fastcgi_param: PATH_INFO $uri
+ - fastcgi_param: QUERY_STRING $args
+ - fastcgi_pass: unix:/run/fcgiwrap.sock
+
+ - location /.well-known/acme-challenge:
+ - root: /srv/http/
+
+# vim: ft=yaml et:
diff --git a/nginx/matrix_kyriasis_com.sls b/nginx/matrix_kyriasis_com.sls
new file mode 100644
index 0000000..a511dd2
--- /dev/null
+++ b/nginx/matrix_kyriasis_com.sls
@@ -0,0 +1,74 @@
+nginx:
+ ng:
+ servers:
+ managed:
+ matrix.kyriasis.com:
+ enabled: True
+ config:
+ - upstream synapse:
+ - server: 127.0.0.1:8008
+
+
+ - upstream synapse_metrics:
+ - server: 127.0.0.1:9091
+
+
+ - server:
+ - server_name: matrix.kyriasis.com
+ - listen: 80
+ - listen: '[::]:80'
+
+ - location /.well-known/acme-challenge:
+ - root: /srv/http/
+
+ - return: '301 https://$server_name$request_uri'
+
+
+ - server:
+ - server_name: matrix.kyriasis.com kyriasis.com
+ - listen: 443 ssl http2 default_server
+ - listen: '[::]:443 ssl http2 default_server'
+
+ - ssl: 'on'
+ - ssl_certificate: /etc/letsencrypt/live/matrix.kyriasis.com/fullchain.pem
+ - ssl_certificate_key: /etc/letsencrypt/live/matrix.kyriasis.com/privkey.pem
+ - ssl_dhparam: /etc/nginx/dhparam.pem
+
+ - ssl_stapling: 'on'
+ - ssl_stapling_verify: 'on'
+ - ssl_trusted_certificate: /etc/letsencrypt/live/matrix.kyriasis.com/fullchain.pem
+
+ # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+ - add_header: 'Strict-Transport-Security "max-age=31536000"'
+
+ # Tell browsers not to render the page inside a frame, and avoid clickjacking.
+ - add_header: X-Frame-Options SAMEORIGIN
+
+ # Tell browsers to not try to auto-detect the Content-Type.
+ - add_header: X-Content-Type-Options nosniff
+
+ # Enable the Cross-site scripting filter in most recent browsers.
+ # Normally enabled by default, but enable it anyway if user has disabled it.
+ - add_header: 'X-XSS-Protection "1; mode=block"'
+
+ # http://www.gnuterrypratchett.com/
+ - add_header: 'X-Clacks-Overhead "GNU Terry Pratchett"'
+
+ - client_max_body_size: 128m
+
+ - error_log: /var/log/nginx/matrix.error.log
+
+ - location /:
+ - return: 301 https://riot.kyriasis.com
+
+ - location /_synapse:
+ - proxy_pass: http://synapse_metrics
+ - proxy_buffering: "off"
+ - proxy_set_header: X-Forwarded-For $remote_addr
+ - proxy_set_header: Host $host
+ - proxy_http_version: 1.1
+
+ - location /.well-known/acme-challenge:
+ - root: /srv/http/
+
+# vim: ft=yaml et:
diff --git a/nginx/riot_kyriasis_com.sls b/nginx/riot_kyriasis_com.sls
new file mode 100644
index 0000000..7f2b0c0
--- /dev/null
+++ b/nginx/riot_kyriasis_com.sls
@@ -0,0 +1,58 @@
+nginx:
+ ng:
+ servers:
+ managed:
+ riot.kyriasis.com:
+ enabled: True
+ config:
+ - server:
+ - server_name: riot.kyriasis.com
+ - listen: 80
+ - listen: '[::]:80'
+
+ - location /.well-known/acme-challenge:
+ - root: /srv/http/
+
+ - return: '301 https://$server_name$request_uri'
+
+
+ - server:
+ - server_name: riot.kyriasis.com
+ - listen: 443 ssl http2
+ - listen: '[::]:443 ssl http2'
+
+ - ssl: 'on'
+ - ssl_certificate: /etc/letsencrypt/live/riot.kyriasis.com/fullchain.pem
+ - ssl_certificate_key: /etc/letsencrypt/live/riot.kyriasis.com/privkey.pem
+ - ssl_dhparam: /etc/nginx/dhparam.pem
+
+ - ssl_stapling: 'on'
+ - ssl_stapling_verify: 'on'
+ - ssl_trusted_certificate: /etc/letsencrypt/live/riot.kyriasis.com/fullchain.pem
+
+ # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+ - add_header: 'Strict-Transport-Security "max-age=31536000"'
+
+ # Tell browsers not to render the page inside a frame, and avoid clickjacking.
+ - add_header: X-Frame-Options SAMEORIGIN
+
+ # Tell browsers to not try to auto-detect the Content-Type.
+ - add_header: X-Content-Type-Options nosniff
+
+ # Enable the Cross-site scripting filter in most recent browsers.
+ # Normally enabled by default, but enable it anyway if user has disabled it.
+ - add_header: 'X-XSS-Protection "1; mode=block"'
+
+ # http://www.gnuterrypratchett.com/
+ - add_header: 'X-Clacks-Overhead "GNU Terry Pratchett"'
+
+ - client_max_body_size: 128m
+
+ - error_log: /var/log/nginx/riot.error.log
+
+ - root: /home/kyrias/code/vector/public
+
+ - location /.well-known/acme-challenge:
+ - root: /srv/http/
+
+# vim: ft=yaml et:
diff --git a/nginx/theos_kyriasis_com.sls b/nginx/theos_kyriasis_com.sls
new file mode 100644
index 0000000..23b678d
--- /dev/null
+++ b/nginx/theos_kyriasis_com.sls
@@ -0,0 +1,138 @@
+nginx:
+ ng:
+ servers:
+ managed:
+ theos.kyriasis.com:
+ enabled: True
+ config:
+ - server:
+ - server_name: theos.kyriasis.com
+ - listen: 80 default_server
+ - listen: '[::]:80 default_server'
+
+ - location /.well-known/acme-challenge:
+ - root: /srv/http
+
+ - return: '301 https://$server_name$request_uri'
+
+
+ - server:
+ - server_name: theos.kyriasis.com
+ - listen: 443 ssl http2
+ - listen: '[::]:443 ssl http2'
+
+ - ssl: 'on'
+ - ssl_certificate: /etc/letsencrypt/live/theos.kyriasis.com/fullchain.pem
+ - ssl_certificate_key: /etc/letsencrypt/live/theos.kyriasis.com/privkey.pem
+ - ssl_dhparam: /etc/nginx/dhparam.pem
+
+ - ssl_stapling: 'on'
+ - ssl_stapling_verify: 'on'
+ - ssl_trusted_certificate: /etc/letsencrypt/live/theos.kyriasis.com/fullchain.pem
+
+ # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+ - add_header: 'Strict-Transport-Security "max-age=31536000"'
+
+ # Tell browsers not to render the page inside a frame, and avoid clickjacking.
+ - add_header: X-Frame-Options SAMEORIGIN
+
+ # Tell browsers to not try to auto-detect the Content-Type.
+ - add_header: X-Content-Type-Options nosniff
+
+ # Enable the Cross-site scripting filter in most recent browsers.
+ # Normally enabled by default, but enable it anyway if user has disabled it.
+ - add_header: 'X-XSS-Protection "1; mode=block"'
+
+ # http://www.gnuterrypratchett.com/
+ - add_header: 'X-Clacks-Overhead "GNU Terry Pratchett"'
+
+ - error_log: /var/log/nginx/theos.error.log
+
+ - root: /srv/http
+ - index: index.html
+ - autoindex: 'on'
+
+ - location /repo/:
+ - root: /home/kyrias/packaging
+ - autoindex: 'on'
+
+ - location /~kyrias:
+ - alias: /home/kyrias/public_html/
+ - index: index.html
+ - try_files: $uri $uri.html $uri/ =404
+ - autoindex: 'on'
+ - expires: modified +24h
+
+ - location = /~kyrias/journal/10-mercurian-pronouns.html:
+ - return: '301 https://web.archive.org/web/https://theos.kyriasis.com/~kyrias/journal/10-mercurian-pronouns.html'
+
+ - location ~ \.(js|css|png):
+ - expires: modified +7d
+
+ - location /~xanadu:
+ - alias: /home/xanadu/public_html/
+ - index: index.html
+ - try_files: $uri $uri.html $uri/ =404
+ - autoindex: 'on'
+ - expires: modified +24h
+
+ - location /vector:
+ - alias: /home/kyrias/code/vector/public/
+ - try_files: $uri $uri.html $uri/ =404
+
+ - location /znc:
+ - proxy_pass: https://127.0.0.1:6697
+ - proxy_redirect: 'off'
+ - proxy_set_header: X-Real-IP $remote_addr
+ - proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
+ - proxy_set_header: X-Forwarded-Host $server_name
+
+
+ - server:
+ - server_name: h.theos.kyriasis.com
+ - listen: 80
+ - listen: '[::]:80'
+
+ - error_log: /var/log/nginx/theos.error.log
+
+ - root: /srv/http
+ - index: index.html
+ - autoindex: 'on'
+
+ - location /repo/:
+ - root: /home/kyrias/packaging
+ - autoindex: 'on'
+
+ - location /~kyrias:
+ - alias: /home/kyrias/public_html/
+ - index: index.html
+ - try_files: $uri $uri.html $uri/ =404
+ - autoindex: 'on'
+ - expires: modified +24h
+
+ - location = /~kyrias/journal/10-mercurian-pronouns.html:
+ - return: '301 https://web.archive.org/web/https://theos.kyriasis.com/~kyrias/journal/10-mercurian-pronouns.html'
+
+ - location ~ \.(js|css|png):
+ - expires: modified +7d
+
+ - location /~xanadu:
+ - alias: /home/xanadu/public_html/
+ - index: index.html
+ - try_files: $uri $uri.html $uri/ =404
+ - autoindex: 'on'
+ - expires: modified +24h
+
+ - location /vector:
+ - alias: /home/kyrias/code/vector/public/
+ - try_files: $uri $uri.html $uri/ =404
+
+ - location /znc:
+ - proxy_pass: https://127.0.0.1:6697
+ - proxy_redirect: 'off'
+ - proxy_set_header: X-Real-IP $remote_addr
+ - proxy_set_header: X-Forwarded-For $proxy_add_x_forwarded_for
+ - proxy_set_header: X-Forwarded-Host $server_name
+
+
+# vim: ft=yaml et:
diff --git a/nginx/xan_kyriasis_com.sls b/nginx/xan_kyriasis_com.sls
new file mode 100644
index 0000000..52a7cca
--- /dev/null
+++ b/nginx/xan_kyriasis_com.sls
@@ -0,0 +1,82 @@
+nginx:
+ ng:
+ servers:
+ managed:
+ xan.kyriasis.com:
+ enabled: True
+ config:
+ - server:
+ - server_name: xan.kyriasis.com
+ - listen: 80
+ - listen: '[::]:80'
+
+ - location /.well-known/acme-challenge:
+ - root: /srv/http/
+
+ - return: '301 https://$server_name$request_uri'
+
+
+ - server:
+ - server_name: xan.kyriasis.com
+ - listen: 443 ssl http2
+ - listen: '[::]:443 ssl http2'
+
+ - ssl: 'on'
+ - ssl_certificate: /etc/letsencrypt/live/xan.kyriasis.com/fullchain.pem
+ - ssl_certificate_key: /etc/letsencrypt/live/xan.kyriasis.com/privkey.pem
+ - ssl_dhparam: /etc/nginx/dhparam.pem
+
+ - ssl_stapling: 'on'
+ - ssl_stapling_verify: 'on'
+ - ssl_trusted_certificate: /etc/letsencrypt/live/xan.kyriasis.com/fullchain.pem
+
+ - error_log: /var/log/nginx/xan.error.log
+
+ # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+ - add_header: 'Strict-Transport-Security "max-age=31536000"'
+
+ # Tell browsers not to render the page inside a frame, and avoid clickjacking.
+ - add_header: X-Frame-Options SAMEORIGIN
+
+ # Tell browsers to not try to auto-detect the Content-Type.
+ - add_header: X-Content-Type-Options nosniff
+
+ # Enable the Cross-site scripting filter in most recent browsers.
+ # Normally enabled by default, but enable it anyway if user has disabled it.
+ - add_header: 'X-XSS-Protection "1; mode=block"'
+
+ # http://www.gnuterrypratchett.com/
+ - add_header: 'X-Clacks-Overhead "GNU Terry Pratchett"'
+
+ - root: /usr/share/webapps/xans-wiki
+
+ - client_max_body_size: 100m
+ - client_body_timeout: 60
+
+ - try_files: $uri $uri/ @mediawiki
+ - index: index.php index.html
+
+ - location @mediawiki:
+ - rewrite: '^/(.*)$ /index.php?title=$1&$args'
+
+ - location ~ \.php5?$:
+ - include: fastcgi.conf
+ - fastcgi_pass: unix:/var/run/php-fpm/php-fpm.sock
+ - fastcgi_index: index.php
+ - try_files: $uri @mediawiki
+
+ - location ~* \.(js|css|png|jpg|jpeg|gif|ico)$:
+ - try_files: $uri /index.php
+ - expires: max
+
+ # Restrictions based on default htaccess file
+ - location ^~ ^/(cache|includes|maintenance|languages|serialized|tests|images/deleted)/:
+ - deny: all
+
+ - location ^~ ^/(bin|docs|extensions|includes|maintenance|mw-config|resources|serialized|tests)/:
+ - internal: ''
+
+ - location /.well-known/acme-challenge:
+ - root: /srv/http/
+
+# vim: ft=yaml et: