all: refactor common config options into includes
parent
30afc8ce5b
commit
d1599dd5e0
|
@ -0,0 +1,8 @@
|
|||
# sr.ht-nginx
|
||||
|
||||
This is the nginx configuration files used by sr.ht in production. They are
|
||||
designed to run on an Alpine Linux system using the official sourcehut Alpine
|
||||
packages. You may use them on your own servers, though your mileage my vary.
|
||||
Install the -nginx package (e.g. git.sr.ht-nginx) to pull in these files, then
|
||||
edit `/etc/nginx/domains.conf` (and `/etc/nginx/nginx.conf`, if necessary) to
|
||||
suit your particular installation.
|
|
@ -1,70 +1,28 @@
|
|||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name builds.sr.ht;
|
||||
|
||||
location / {
|
||||
return 302 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
server_name $buildssrht;
|
||||
include port80.conf;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name builds.sr.ht;
|
||||
server_name $buildssrht;
|
||||
include port443.conf;
|
||||
|
||||
ssl_certificate /etc/ssl/uacme/$buildssrht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/$buildssrht/key.pem;
|
||||
client_max_body_size 100M;
|
||||
ssl_certificate /etc/ssl/uacme/builds.sr.ht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/builds.sr.ht/key.pem;
|
||||
|
||||
add_header X-Clacks-Overhead "GNU Terry Pratchett";
|
||||
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
# Fuck you, Google, I don't spy on my users
|
||||
add_header Permissions-Policy interest-cohort=();
|
||||
|
||||
gzip on;
|
||||
gzip_types text/css text/html;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:5002;
|
||||
}
|
||||
|
||||
location /static {
|
||||
root /usr/lib/python3.9/site-packages/buildsrht;
|
||||
expires 30d;
|
||||
include web.conf;
|
||||
}
|
||||
|
||||
location /query {
|
||||
proxy_pass http://127.0.0.1:5102;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
if ($request_method = 'OPTIONS') {
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
|
||||
add_header 'Access-Control-Max-Age' 1728000;
|
||||
add_header 'Content-Type' 'text/plain; charset=utf-8';
|
||||
add_header 'Content-Length' 0;
|
||||
return 204;
|
||||
}
|
||||
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
|
||||
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
|
||||
include graphql.conf;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
root /var/www;
|
||||
location /static {
|
||||
root /usr/lib/$python/site-packages/buildsrht;
|
||||
expires 30d;
|
||||
}
|
||||
}
|
||||
|
|
|
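Review bot: `server_name $buildssrht;` in both server blocks will not match builds.sr.ht, because nginx does not expand variables in `server_name` (only the special `$hostname`) and takes the text literally; the same pattern is used in the dispatch, git, hg, hub, lists, man, meta, paste and todo sections. As a knock-on effect, `return 302 https://$server_name$request_uri;` in the shared port-80 include would presumably redirect to that literal string. `ssl_certificate /etc/ssl/uacme/$buildssrht/cert.pem;` is affected too: a certificate path containing variables is resolved on every TLS handshake, where a value assigned by `set` is unlikely to be available, and the worker user then needs read access to the private key. Keeping literal names in these three directives, e.g. `server_name builds.sr.ht;`, and substituting them when the package is installed would keep a single point of configuration without relying on runtime variables.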
@ -1,47 +1,22 @@
|
|||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name dispatch.sr.ht;
|
||||
|
||||
location / {
|
||||
return 302 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
server_name $dispatchsrht;
|
||||
include port80.conf;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name dispatch.sr.ht;
|
||||
ssl_certificate /etc/ssl/uacme/dispatch.sr.ht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/dispatch.sr.ht/key.pem;
|
||||
server_name $dispatchsrht;
|
||||
include port443.conf;
|
||||
|
||||
add_header X-Clacks-Overhead "GNU Terry Pratchett";
|
||||
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self'" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
# Fuck you, Google, I don't spy on my users
|
||||
add_header Permissions-Policy interest-cohort=();
|
||||
|
||||
gzip on;
|
||||
gzip_types text/html text/css;
|
||||
ssl_certificate /etc/ssl/uacme/$dispatchsrht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/$dispatchsrht/key.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:5005;
|
||||
include web.conf;
|
||||
}
|
||||
|
||||
location /static {
|
||||
root /usr/lib/python3.9/site-packages/dispatchsrht;
|
||||
root /usr/lib/$python/site-packages/dispatchsrht;
|
||||
expires 30d;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
root /var/www;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,14 @@
|
|||
# Update this file to configure the domain names for your sr.ht installation.
|
||||
# Any services you have not set up may be left unchanged.
|
||||
set $buildssrht = "builds.sr.ht";
|
||||
set $dispatchsrht = "dispatch.sr.ht";
|
||||
set $gitsrht = "git.sr.ht";
|
||||
set $hgsrht = "hg.sr.ht";
|
||||
set $hubsrht = "sr.ht";
|
||||
set $listssrht = "lists.sr.ht";
|
||||
set $mansrht = "man.sr.ht";
|
||||
set $metasrht = "meta.sr.ht";
|
||||
set $pastesrht = "paste.sr.ht";
|
||||
set $todosrht = "todo.sr.ht";
|
||||
|
||||
set $private_network = "173.195.146.128/25";
|
|
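Review bot: `set $buildssrht = "builds.sr.ht";` is not valid nginx syntax, since `set` takes exactly a variable and a value with no `=`; each line would have to read like `set $buildssrht "builds.sr.ht";`. In addition, `set` is only permitted in `server`, `location` and `if` contexts, while the new main configuration pulls this file in with `include domains.conf;` inside `http {}`, and its own `set $python = "python3.9";` has both problems. As written the configuration should be rejected by `nginx -t`, so it is worth running that check against the packaged files. If shared values are needed at `http` level, a `map` block or install-time templating are the usual options.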
@ -1,51 +1,31 @@
|
|||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name git.sr.ht;
|
||||
|
||||
location / {
|
||||
return 302 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
server_name $gitsrht;
|
||||
include port80.conf;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name git.sr.ht;
|
||||
server_name $gitsrht;
|
||||
include port443.conf;
|
||||
|
||||
ssl_certificate /etc/ssl/uacme/$gitsrht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/$gitsrht/key.pem;
|
||||
client_max_body_size 100M;
|
||||
ssl_certificate /etc/ssl/uacme/git.sr.ht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/git.sr.ht/key.pem;
|
||||
|
||||
add_header X-Clacks-Overhead "GNU Terry Pratchett";
|
||||
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
# Fuck you, Google, I don't spy on my users
|
||||
add_header Permissions-Policy interest-cohort=();
|
||||
|
||||
gzip on;
|
||||
gzip_types text/css text/html;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:5001;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
include web.conf;
|
||||
}
|
||||
|
||||
location /query {
|
||||
proxy_pass http://127.0.0.1:5101;
|
||||
include graphql.conf;
|
||||
}
|
||||
|
||||
location /static {
|
||||
root /usr/lib/python3.9/site-packages/gitsrht;
|
||||
root /usr/lib/$python/site-packages/gitsrht;
|
||||
expires 30d;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
|
||||
location = /authorize {
|
||||
proxy_pass http://127.0.0.1:5001;
|
||||
proxy_pass_request_body off;
|
||||
|
@ -64,30 +44,4 @@ server {
|
|||
include fastcgi_params;
|
||||
gzip off;
|
||||
}
|
||||
|
||||
location /query {
|
||||
proxy_pass http://127.0.0.1:5101;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
if ($request_method = 'OPTIONS') {
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
|
||||
add_header 'Access-Control-Max-Age' 1728000;
|
||||
add_header 'Content-Type' 'text/plain; charset=utf-8';
|
||||
add_header 'Content-Length' 0;
|
||||
return 204;
|
||||
}
|
||||
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
|
||||
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
root /var/www;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,21 @@
|
|||
set_real_ip_from 127.0.0.1/16;
|
||||
set_real_ip_from $private_network;
|
||||
real_ip_header X-Forwarded-For;
|
||||
real_ip_recursive on;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
|
||||
if ($request_method = 'OPTIONS') {
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
|
||||
add_header 'Access-Control-Max-Age' 1728000;
|
||||
add_header 'Content-Type' 'text/plain; charset=utf-8';
|
||||
add_header 'Content-Length' 0;
|
||||
return 204;
|
||||
}
|
||||
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
|
||||
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
|
|
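Review bot: `set_real_ip_from $private_network;` will not establish the intended trust list, because this directive takes a literal address or CIDR and does not evaluate variables; the range whose `X-Forwarded-For` is believed should be written out literally here. `set_real_ip_from 127.0.0.1/16;` also looks like a slip for `127.0.0.0/8` or plain `127.0.0.1`. Separately, the `add_header` lines in this include sit at location level, and nginx inherits `add_header` from the enclosing level only when the current level defines none. Responses under `/query` therefore lose the `Strict-Transport-Security` and `Content-Security-Policy` headers set by the shared port-443 include unless those are repeated here.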
@ -1,47 +1,31 @@
|
|||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name hg.sr.ht;
|
||||
|
||||
location / {
|
||||
return 302 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
server_name $hgsrht;
|
||||
include port80.conf;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name hg.sr.ht;
|
||||
server_name $hgsrht;
|
||||
include port443.conf;
|
||||
|
||||
ssl_certificate /etc/ssl/uacme/$hgsrht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/$hgsrht/key.pem;
|
||||
client_max_body_size 100M;
|
||||
ssl_certificate /etc/ssl/uacme/hg.sr.ht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/hg.sr.ht/key.pem;
|
||||
|
||||
add_header X-Clacks-Overhead "GNU Terry Pratchett";
|
||||
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
# Fuck you, Google, I don't spy on my users
|
||||
add_header Permissions-Policy interest-cohort=();
|
||||
|
||||
gzip on;
|
||||
gzip_types text/css;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:5010;
|
||||
include web.conf;
|
||||
}
|
||||
|
||||
location /query {
|
||||
proxy_pass http://127.0.0.1:5110;
|
||||
include graphql.conf;
|
||||
}
|
||||
|
||||
location /static {
|
||||
root /usr/lib/python3.9/site-packages/hgsrht;
|
||||
root /usr/lib/$python/site-packages/hgsrht;
|
||||
expires 30d;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
|
||||
location = /authorize {
|
||||
proxy_pass http://127.0.0.1:5001;
|
||||
proxy_pass_request_body off;
|
||||
|
@ -55,9 +39,4 @@ server {
|
|||
location ~ ^/[~^][a-z0-9_]+/[a-zA-Z0-9_.-]+/\.hg/bundles/.*$ {
|
||||
root /var/lib/mercurial;
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
root /var/www;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -1,89 +1,32 @@
|
|||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name sr.ht;
|
||||
|
||||
location / {
|
||||
return 302 https://$server_name$request_uri;
|
||||
}
|
||||
server_name $hubsrht;
|
||||
include port80.conf;
|
||||
|
||||
# Redirect for legacy.sr.ht
|
||||
location ~ ^/[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$ {
|
||||
return 302 https://l.sr.ht$request_uri;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name sr.ht;
|
||||
ssl_certificate /etc/ssl/uacme/sr.ht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/sr.ht/key.pem;
|
||||
server_name $hubsrht;
|
||||
include port443.conf;
|
||||
|
||||
add_header X-Clacks-Overhead "GNU Terry Pratchett";
|
||||
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
# Fuck you, Google, I don't spy on my users
|
||||
add_header Permissions-Policy interest-cohort=();
|
||||
|
||||
gzip on;
|
||||
gzip_types text/css text/html;
|
||||
ssl_certificate /etc/ssl/uacme/$hubsrht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/$hubsrht/key.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:5014;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
include web.conf;
|
||||
}
|
||||
|
||||
location /static {
|
||||
root /usr/lib/python3.9/site-packages/hubsrht;
|
||||
root /usr/lib/$python/site-packages/hubsrht;
|
||||
expires 30d;
|
||||
}
|
||||
|
||||
# Redirect for legacy.sr.ht
|
||||
location ~ ^/[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$ {
|
||||
return 302 https://l.sr.ht$request_uri;
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
root /var/www;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name hub.sr.ht;
|
||||
|
||||
location / {
|
||||
return 302 https://sr.ht$request_uri;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name hub.sr.ht;
|
||||
ssl_certificate /etc/ssl/uacme/sr.ht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/sr.ht/key.pem;
|
||||
|
||||
location / {
|
||||
return 302 https://sr.ht$request_uri;
|
||||
}
|
||||
|
||||
location /webhooks {
|
||||
proxy_pass http://127.0.0.1:5014;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,73 +1,27 @@
|
|||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name lists.sr.ht;
|
||||
|
||||
location / {
|
||||
return 302 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
server_name $listssrht;
|
||||
include port80.conf;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name lists.sr.ht;
|
||||
ssl_certificate /etc/ssl/uacme/lists.sr.ht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/lists.sr.ht/key.pem;
|
||||
server_name $listssrht;
|
||||
include port443.conf;
|
||||
|
||||
add_header X-Clacks-Overhead "GNU Terry Pratchett";
|
||||
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'";
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
# Fuck you, Google, I don't spy on my users
|
||||
add_header Permissions-Policy interest-cohort=();
|
||||
|
||||
gzip on;
|
||||
gzip_types text/html text/css;
|
||||
ssl_certificate /etc/ssl/uacme/$listssrht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/$listssrht/key.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:5006;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
include web.conf;
|
||||
}
|
||||
|
||||
location /query {
|
||||
proxy_pass http://127.0.0.1:5106;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
if ($request_method = 'OPTIONS') {
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
|
||||
add_header 'Access-Control-Max-Age' 1728000;
|
||||
add_header 'Content-Type' 'text/plain; charset=utf-8';
|
||||
add_header 'Content-Length' 0;
|
||||
return 204;
|
||||
}
|
||||
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
|
||||
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
|
||||
include graphql.conf;
|
||||
}
|
||||
|
||||
location /static {
|
||||
root /usr/lib/python3.9/site-packages/listssrht;
|
||||
root /usr/lib/$python/site-packages/listssrht;
|
||||
expires 30d;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
root /var/www;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,63 +1,23 @@
|
|||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name man.sr.ht;
|
||||
|
||||
location / {
|
||||
return 302 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
server_name $mansrht;
|
||||
include port80.conf;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name man.sr.ht;
|
||||
server_name $mansrht;
|
||||
include port443.conf;
|
||||
|
||||
ssl_certificate /etc/ssl/uacme/$mansrht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/$mansrht/key.pem;
|
||||
client_max_body_size 100M;
|
||||
ssl_certificate /etc/ssl/uacme/man.sr.ht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/man.sr.ht/key.pem;
|
||||
|
||||
add_header X-Clacks-Overhead "GNU Terry Pratchett";
|
||||
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
# Fuck you, Google, I don't spy on my users
|
||||
add_header Permissions-Policy interest-cohort=();
|
||||
|
||||
gzip on;
|
||||
gzip_types text/css text/html;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:5004;
|
||||
include web.conf;
|
||||
}
|
||||
|
||||
location /static {
|
||||
root /usr/lib/python3.9/site-packages/mansrht;
|
||||
root /usr/lib/$python/site-packages/mansrht;
|
||||
expires 30d;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
|
||||
location ~ ^(.*)/(.*)/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx)).*$ {
|
||||
root /var/lib/man;
|
||||
}
|
||||
|
||||
location ~ ^(.*)/(.*)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ {
|
||||
root /var/lib/man;
|
||||
fastcgi_pass unix:/run/fcgiwrap/fcgiwrap.sock;
|
||||
fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
|
||||
fastcgi_param PATH_INFO $uri;
|
||||
fastcgi_param GIT_PROJECT_ROOT $document_root;
|
||||
fastcgi_param GIT_HTTP_EXPORT_ALL "";
|
||||
include fastcgi_params;
|
||||
gzip off;
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
root /var/www;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,77 +1,27 @@
|
|||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name meta.sr.ht;
|
||||
|
||||
location / {
|
||||
return 302 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
root /var/www;
|
||||
}
|
||||
server_name $metasrht;
|
||||
include port80.conf;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name meta.sr.ht;
|
||||
ssl_certificate /etc/ssl/uacme/meta.sr.ht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/meta.sr.ht/key.pem;
|
||||
server_name $metasrht;
|
||||
include port443.conf;
|
||||
|
||||
add_header X-Clacks-Overhead "GNU Terry Pratchett";
|
||||
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
# Fuck you, Google, I don't spy on my users
|
||||
add_header Permissions-Policy interest-cohort=();
|
||||
|
||||
gzip on;
|
||||
gzip_types text/css text/html;
|
||||
ssl_certificate /etc/ssl/uacme/$metasrht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/$metasrht/key.pem;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:5000;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
}
|
||||
|
||||
location /static {
|
||||
root /usr/lib/python3.9/site-packages/metasrht;
|
||||
expires 30d;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
include web.conf;
|
||||
}
|
||||
|
||||
location /query {
|
||||
proxy_pass http://127.0.0.1:5100;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
if ($request_method = 'OPTIONS') {
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
|
||||
add_header 'Access-Control-Max-Age' 1728000;
|
||||
add_header 'Content-Type' 'text/plain; charset=utf-8';
|
||||
add_header 'Content-Length' 0;
|
||||
return 204;
|
||||
}
|
||||
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
|
||||
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
|
||||
include graphql.conf;
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
root /var/www;
|
||||
location /static {
|
||||
root /usr/lib/$python/site-packages/metasrht;
|
||||
expires 30d;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
user nginx;
|
||||
worker_processes auto;
|
||||
pcre_jit on;
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
include /etc/nginx/modules/*.conf;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
http {
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
server_tokens off;
|
||||
client_max_body_size 1m;
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:2m;
|
||||
ssl_session_timeout 1h;
|
||||
ssl_session_tickets off;
|
||||
gzip_vary on;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
set $python = "python3.9";
|
||||
include domains.conf;
|
||||
include /etc/nginx/http.d/*.conf;
|
||||
}
|
|
@ -1,48 +1,23 @@
|
|||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name paste.sr.ht pasta.sr.ht;
|
||||
|
||||
location / {
|
||||
return 302 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
server_name $pastesrht pasta.sr.ht;
|
||||
include port80.conf;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name paste.sr.ht pasta.sr.ht;
|
||||
server_name $pastesrht pasta.sr.ht;
|
||||
include port443.conf;
|
||||
|
||||
ssl_certificate /etc/ssl/uacme/$pastesrht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/$pastesrht/key.pem;
|
||||
client_max_body_size 10M;
|
||||
ssl_certificate /etc/ssl/uacme/paste.sr.ht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/paste.sr.ht/key.pem;
|
||||
|
||||
add_header X-Clacks-Overhead "GNU Terry Pratchett";
|
||||
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
# Fuck you, Google, I don't spy on my users
|
||||
add_header Permissions-Policy interest-cohort=();
|
||||
|
||||
gzip on;
|
||||
gzip_types text/css text/html;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:5011;
|
||||
include web.conf;
|
||||
}
|
||||
|
||||
location /static {
|
||||
root /usr/lib/python3.9/site-packages/pastesrht;
|
||||
root /usr/lib/$python/site-packages/pastesrht;
|
||||
expires 30d;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
root /var/www;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,19 @@
|
|||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
add_header X-Clacks-Overhead "GNU Terry Pratchett";
|
||||
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
# Fuck you, Google, I don't spy on my users
|
||||
add_header Permissions-Policy interest-cohort=();
|
||||
|
||||
gzip on;
|
||||
gzip_types text/css text/html;
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
root /var/www;
|
||||
}
|
|
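Review bot: The single `Content-Security-Policy` in this include is the most permissive of the per-service policies that appear as removed elsewhere in the commit. `script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network` and the `frame-src` entry were previously only in the meta server block, while the dispatch, hg, hub, man and todo blocks had `script-src 'self'`, so every service now permits inline scripts and the Stripe origins. It also narrows `img-src * data:` to `img-src 'self' data:` for git, hg, hub, man, paste and todo, which may block external images there. Because multiple CSP headers are enforced together and one cannot relax another, the simplest fix is to drop this `add_header` from the shared include and keep each service's previous policy line in its own server block.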
@ -0,0 +1,14 @@
|
|||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
location / {
|
||||
return 302 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
root /var/www;
|
||||
}
|
|
@ -1,70 +1,28 @@
|
|||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name todo.sr.ht;
|
||||
|
||||
location / {
|
||||
return 302 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
server_name $todosrht;
|
||||
include port80.conf;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name todo.sr.ht;
|
||||
server_name $todosrht;
|
||||
include port443.conf;
|
||||
|
||||
ssl_certificate /etc/ssl/uacme/$todosrht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/$todosrht/key.pem;
|
||||
client_max_body_size 100M;
|
||||
ssl_certificate /etc/ssl/uacme/todo.sr.ht/cert.pem;
|
||||
ssl_certificate_key /etc/ssl/uacme/private/todo.sr.ht/key.pem;
|
||||
|
||||
add_header X-Clacks-Overhead "GNU Terry Pratchett";
|
||||
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
# Fuck you, Google, I don't spy on my users
|
||||
add_header Permissions-Policy interest-cohort=();
|
||||
|
||||
gzip on;
|
||||
gzip_types text/css text/html;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:5003;
|
||||
include web.conf;
|
||||
}
|
||||
|
||||
location /query {
|
||||
proxy_pass http://127.0.0.1:5103;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
if ($request_method = 'OPTIONS') {
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
|
||||
add_header 'Access-Control-Max-Age' 1728000;
|
||||
add_header 'Content-Type' 'text/plain; charset=utf-8';
|
||||
add_header 'Content-Length' 0;
|
||||
return 204;
|
||||
}
|
||||
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
|
||||
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
|
||||
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
|
||||
include graphql.conf;
|
||||
}
|
||||
|
||||
location /static {
|
||||
root /usr/lib/python3.9/site-packages/todosrht;
|
||||
root /usr/lib/$python/site-packages/todosrht;
|
||||
expires 30d;
|
||||
}
|
||||
|
||||
location ^~ /.well-known {
|
||||
root /var/www;
|
||||
}
|
||||
|
||||
location = /robots.txt {
|
||||
root /var/www;
|
||||
}
|
||||
}
|
||||
|
|