Initial commit

LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2020 Drew DeVault
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

builds.sr.ht.conf

@@ -0,0 +1,42 @@
+server {
+	listen 80;
+	listen [::]:80;
+	server_name builds.sr.ht;
+
+	location / {
+		return 302 https://$server_name$request_uri;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	server_name builds.sr.ht;
+	client_max_body_size 100M;
+	ssl_certificate /etc/ssl/uacme/builds.sr.ht/cert.pem;
+	ssl_certificate_key /etc/ssl/uacme/private/builds.sr.ht/key.pem;
+
+	gzip on;
+	gzip_types text/css text/html;
+
+	location / {
+		proxy_pass http://127.0.0.1:5002;
+	}
+
+	location /static {
+		root /usr/lib/python3.8/site-packages/buildsrht;
+		expires 30d;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+
+	location = /robots.txt {
+		root /var/www;
+	}
+}

dispatch.sr.ht.conf

@@ -0,0 +1,41 @@
+server {
+	listen 80;
+	listen [::]:80;
+	server_name dispatch.sr.ht;
+
+	location / {
+		return 302 https://$server_name$request_uri;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	server_name dispatch.sr.ht;
+	ssl_certificate /etc/ssl/uacme/dispatch.sr.ht/cert.pem;
+	ssl_certificate_key /etc/ssl/uacme/private/dispatch.sr.ht/key.pem;
+
+	gzip on;
+	gzip_types text/html text/css;
+
+	location / {
+		proxy_pass http://127.0.0.1:5005;
+	}
+
+	location /static {
+		root /usr/lib/python3.8/site-packages/dispatchsrht;
+		expires 30d;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+
+	location = /robots.txt {
+		root /var/www;
+	}
+}

git.sr.ht.conf

@@ -0,0 +1,87 @@
+server {
+	listen 80;
+	listen [::]:80;
+	server_name git.sr.ht;
+
+	location / {
+		return 302 https://$server_name$request_uri;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	server_name git.sr.ht;
+	client_max_body_size 100M;
+	ssl_certificate /etc/ssl/uacme/git.sr.ht/cert.pem;
+	ssl_certificate_key /etc/ssl/uacme/private/git.sr.ht/key.pem;
+
+	gzip on;
+	gzip_types text/css text/html;
+
+	location / {
+		proxy_pass http://127.0.0.1:5001;
+                proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto https;
+	}
+
+	location /static {
+		root /usr/lib/python3.8/site-packages/gitsrht;
+		expires 30d;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+
+	location = /authorize {
+		proxy_pass http://127.0.0.1:5001;
+		proxy_pass_request_body off;
+		proxy_set_header Content-Length "";
+		proxy_set_header X-Original-URI $request_uri;
+	}
+
+	location ~ ^/([^/]+)/([^/]+)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ {
+		auth_request /authorize;
+		root /var/lib/git;
+		fastcgi_pass unix:/run/fcgiwrap/fcgiwrap.sock;
+		fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
+		fastcgi_param PATH_INFO $uri;
+		fastcgi_param GIT_PROJECT_ROOT $document_root;
+		fastcgi_read_timeout 500s;
+		include fastcgi_params;
+		gzip off;
+	}
+
+	location /query {
+		proxy_pass http://127.0.0.1:5101;
+                proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto https;
+		if ($request_method = 'OPTIONS') {
+			add_header 'Access-Control-Allow-Origin' '*';
+			add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+			add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+			add_header 'Access-Control-Max-Age' 1728000;
+			add_header 'Content-Type' 'text/plain; charset=utf-8';
+			add_header 'Content-Length' 0;
+			return 204;
+		}
+
+	        add_header 'Access-Control-Allow-Origin' '*';
+        	add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+        	add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+        	add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
+	}
+
+	location = /robots.txt {
+		root /var/www;
+	}
+}

hg.sr.ht.conf

@@ -0,0 +1,57 @@
+server {
+	listen 80;
+	listen [::]:80;
+	server_name hg.sr.ht;
+
+	location / {
+		return 302 https://$server_name$request_uri;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	server_name hg.sr.ht;
+	client_max_body_size 100M;
+	ssl_certificate /etc/ssl/uacme/hg.sr.ht/cert.pem;
+	ssl_certificate_key /etc/ssl/uacme/private/hg.sr.ht/key.pem;
+
+	gzip on;
+	gzip_types text/css;
+
+	location / {
+		proxy_pass http://127.0.0.1:5010;
+	}
+
+	location /static {
+		root /usr/lib/python3.8/site-packages/hgsrht;
+		expires 30d;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+
+	location = /authorize {
+		proxy_pass http://127.0.0.1:5001;
+		proxy_pass_request_body off;
+		proxy_set_header Content-Length "";
+		proxy_set_header X-Original-URI $request_uri;
+	}
+
+	# Let clients reach pull bundles. We don't really need to lock this down even for
+	# private repos because the bundles are named after the revision hashes... so someone 
+	# would need to guess a SHA value to download anything.
+	location ~ ^/[~^][a-z0-9_]+/[a-zA-Z0-9_.-]+/\.hg/bundles/.*$ {
+		root /var/lib/mercurial;
+	}
+
+	location = /robots.txt {
+		root /var/www;
+	}
+}
+

hub.sr.ht.conf

@@ -0,0 +1,83 @@
+server {
+	listen 80;
+	listen [::]:80;
+	server_name sr.ht;
+
+	location / {
+		return 302 https://$server_name$request_uri;
+	}
+
+	location ~ ^/[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$ {
+		return 302 https://l.sr.ht$request_uri;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	server_name sr.ht;
+	ssl_certificate /etc/ssl/uacme/sr.ht/cert.pem;
+	ssl_certificate_key /etc/ssl/uacme/private/sr.ht/key.pem;
+
+	gzip on;
+	gzip_types text/css text/html;
+
+	location / {
+		proxy_pass http://127.0.0.1:5014;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto https;
+	}
+
+	location /static {
+		root /usr/lib/python3.8/site-packages/hubsrht;
+		expires 30d;
+	}
+
+	location ~ ^/[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$ {
+		return 302 https://l.sr.ht$request_uri;
+	}
+
+	location = /robots.txt {
+		root /var/www;
+	}
+}
+
+server {
+	listen 80;
+	listen [::]:80;
+	server_name hub.sr.ht;
+
+	location / {
+		return 302 https://sr.ht$request_uri;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	server_name hub.sr.ht;
+	ssl_certificate /etc/ssl/uacme/sr.ht/cert.pem;
+	ssl_certificate_key /etc/ssl/uacme/private/sr.ht/key.pem;
+
+	location / {
+		return 302 https://sr.ht$request_uri;
+	}
+
+	location /webhooks {
+		proxy_pass http://127.0.0.1:5014;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto https;
+	}
+}

lists.sr.ht.conf

@@ -0,0 +1,45 @@
+server {
+	listen 80;
+	listen [::]:80;
+	server_name lists.sr.ht;
+
+	location / {
+		return 302 https://$server_name$request_uri;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	server_name lists.sr.ht;
+	ssl_certificate /etc/ssl/uacme/lists.sr.ht/cert.pem;
+	ssl_certificate_key /etc/ssl/uacme/private/lists.sr.ht/key.pem;
+
+	gzip on;
+	gzip_types text/html text/css;
+
+	location / {
+		proxy_pass http://127.0.0.1:5006;
+                proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto https;
+	}
+
+	location /static {
+		root /usr/lib/python3.8/site-packages/listssrht;
+		expires 30d;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+
+	location = /robots.txt {
+		root /var/www;
+	}
+}

man.sr.ht.conf

@@ -0,0 +1,57 @@
+server {
+	listen 80;
+	listen [::]:80;
+	server_name man.sr.ht;
+
+	location / {
+		return 302 https://$server_name$request_uri;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	server_name man.sr.ht;
+	client_max_body_size 100M;
+	ssl_certificate /etc/ssl/uacme/man.sr.ht/cert.pem;
+	ssl_certificate_key /etc/ssl/uacme/private/man.sr.ht/key.pem;
+
+	gzip on;
+	gzip_types text/css text/html;
+
+	location / {
+		proxy_pass http://127.0.0.1:5004;
+	}
+
+	location /static {
+		root /usr/lib/python3.8/site-packages/mansrht;
+		expires 30d;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+
+	location ~ ^(.*)/(.*)/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx)).*$ {
+		root /var/lib/man;
+	}
+
+	location ~ ^(.*)/(.*)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ {
+		root /var/lib/man;
+                fastcgi_pass unix:/run/fcgiwrap/fcgiwrap.sock;
+                fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
+                fastcgi_param PATH_INFO $uri;
+                fastcgi_param GIT_PROJECT_ROOT $document_root;
+                fastcgi_param GIT_HTTP_EXPORT_ALL "";
+                include fastcgi_params;
+                gzip off;
+	}
+
+	location = /robots.txt {
+		root /var/www;
+	}
+}

meta.sr.ht.conf

@@ -0,0 +1,71 @@
+server {
+	listen 80;
+	listen [::]:80;
+	server_name meta.sr.ht;
+
+	location / {
+		return 302 https://$server_name$request_uri;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+
+	location = /robots.txt {
+		root /var/www;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	server_name meta.sr.ht;
+	ssl_certificate /etc/ssl/uacme/meta.sr.ht/cert.pem;
+	ssl_certificate_key /etc/ssl/uacme/private/meta.sr.ht/key.pem;
+
+	gzip on;
+	gzip_types text/css text/html;
+
+	location / {
+		proxy_pass http://127.0.0.1:5000;
+                proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto https;
+	}
+
+	location /static {
+		root /usr/lib/python3.8/site-packages/metasrht;
+		expires 30d;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+
+	location /query {
+		proxy_pass http://127.0.0.1:5100;
+                proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto https;
+		if ($request_method = 'OPTIONS') {
+			add_header 'Access-Control-Allow-Origin' '*';
+			add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+			add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+			add_header 'Access-Control-Max-Age' 1728000;
+			add_header 'Content-Type' 'text/plain; charset=utf-8';
+			add_header 'Content-Length' 0;
+			return 204;
+		}
+
+	        add_header 'Access-Control-Allow-Origin' '*';
+        	add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+        	add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+        	add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
+	}
+
+	location = /robots.txt {
+		root /var/www;
+	}
+}

paste.sr.ht.conf

@@ -0,0 +1,42 @@
+server {
+	listen 80;
+	listen [::]:80;
+	server_name paste.sr.ht pasta.sr.ht;
+
+	location / {
+		return 302 https://$server_name$request_uri;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	server_name paste.sr.ht pasta.sr.ht;
+	client_max_body_size 10M;
+	ssl_certificate /etc/ssl/uacme/paste.sr.ht/cert.pem;
+	ssl_certificate_key /etc/ssl/uacme/private/paste.sr.ht/key.pem;
+
+	gzip on;
+	gzip_types text/css text/html;
+
+	location / {
+		proxy_pass http://127.0.0.1:5011;
+	}
+
+	location /static {
+		root /usr/lib/python3.8/site-packages/pastesrht;
+		expires 30d;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+
+	location = /robots.txt {
+		root /var/www;
+	}
+}

robots.txt

@@ -0,0 +1,51 @@
+# Our policy
+#
+# Allowed:
+# - Search engine indexers
+# - Archival services (e.g. IA)
+#
+# Disallowed:
+# - Marketing or SEO crawlers
+# - Bots which are too agressive by default. This is subjective, if you annoy
+#   our sysadmins you'll be blocked.
+#
+# Reach out to sir@cmpwn.com if you have questions.
+
+# It doesn't make sense to index these and it's expensive
+User-agent: *
+Disallow: /*.tar.gz$
+Disallow: /metrics
+
+# Too aggressive, marketing/SEO
+User-agent: SemrushBot
+Disallow: /
+
+# Too aggressive, marketing/SEO
+User-agent: SemrushBot-SA
+Disallow: /
+
+# Marketing/SEO
+User-agent: AhrefsBot
+Disallow: /
+
+# Marketing/SEO
+User-agent: dotbot
+Disallow: /
+
+# Marketing/SEO
+User-agent: rogerbot
+Disallow: /
+
+User-agent: BLEXBot
+Disallow: /
+
+# Huwei something or another, badly behaved
+User-agent: AspiegelBot
+Disallow: /
+
+# Marketing/SEO
+User-agent: ZoominfoBot
+Disallow: /
+
+# TODO: sync this robots.txt with all of our servers
+

todo.sr.ht.conf

@@ -0,0 +1,42 @@
+server {
+	listen 80;
+	listen [::]:80;
+	server_name todo.sr.ht;
+
+	location / {
+		return 302 https://$server_name$request_uri;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+	server_name todo.sr.ht;
+	client_max_body_size 100M;
+	ssl_certificate /etc/ssl/uacme/todo.sr.ht/cert.pem;
+	ssl_certificate_key /etc/ssl/uacme/private/todo.sr.ht/key.pem;
+
+	gzip on;
+	gzip_types text/css text/html;
+
+	location / {
+		proxy_pass http://127.0.0.1:5003;
+	}
+
+	location /static {
+		root /usr/lib/python3.8/site-packages/todosrht;
+		expires 30d;
+	}
+
+	location ^~ /.well-known {
+		root /var/www;
+	}
+
+	location = /robots.txt {
+		root /var/www;
+	}
+}