all: refactor common config options into includes

Drew DeVault 2021-08-30 09:22:32 +02:00
parent 30afc8ce5b
commit d1599dd5e0
17 changed files with 223 additions and 500 deletions

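--- a/README.md
+++ b/README.md
+# sr.ht-nginx
+This is the nginx configuration files used by sr.ht in production. They are
+designed to run on an Alpine Linux system using the official sourcehut Alpine
+packages. You may use them on your own servers, though your mileage my vary.
+Install the -nginx package (e.g. git.sr.ht-nginx) to pull in these files, then
+edit `/etc/nginx/domains.conf` (and `/etc/nginx/nginx.conf`, if necessary) to
+suit your particular installation.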


@ -1,70 +1,28 @@
server {
listen 80;
listen [::]:80;
server_name builds.sr.ht;
location / {
return 302 https://$server_name$request_uri;
}
location ^~ /.well-known {
root /var/www;
}
server_name $buildssrht;
include port80.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name builds.sr.ht;
server_name $buildssrht;
include port443.conf;
ssl_certificate /etc/ssl/uacme/$buildssrht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/$buildssrht/key.pem;
client_max_body_size 100M;
ssl_certificate /etc/ssl/uacme/builds.sr.ht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/builds.sr.ht/key.pem;
add_header X-Clacks-Overhead "GNU Terry Pratchett";
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Fuck you, Google, I don't spy on my users
add_header Permissions-Policy interest-cohort=();
gzip on;
gzip_types text/css text/html;
location / {
proxy_pass http://127.0.0.1:5002;
}
location /static {
root /usr/lib/python3.9/site-packages/buildsrht;
expires 30d;
include web.conf;
}
location /query {
proxy_pass http://127.0.0.1:5102;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
include graphql.conf;
}
location ^~ /.well-known {
root /var/www;
}
location = /robots.txt {
root /var/www;
location /static {
root /usr/lib/$python/site-packages/buildsrht;
expires 30d;
}
}


@ -1,47 +1,22 @@
server {
listen 80;
listen [::]:80;
server_name dispatch.sr.ht;
location / {
return 302 https://$server_name$request_uri;
}
location ^~ /.well-known {
root /var/www;
}
server_name $dispatchsrht;
include port80.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dispatch.sr.ht;
ssl_certificate /etc/ssl/uacme/dispatch.sr.ht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/dispatch.sr.ht/key.pem;
server_name $dispatchsrht;
include port443.conf;
add_header X-Clacks-Overhead "GNU Terry Pratchett";
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Fuck you, Google, I don't spy on my users
add_header Permissions-Policy interest-cohort=();
gzip on;
gzip_types text/html text/css;
ssl_certificate /etc/ssl/uacme/$dispatchsrht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/$dispatchsrht/key.pem;
location / {
proxy_pass http://127.0.0.1:5005;
include web.conf;
}
location /static {
root /usr/lib/python3.9/site-packages/dispatchsrht;
root /usr/lib/$python/site-packages/dispatchsrht;
expires 30d;
}
location ^~ /.well-known {
root /var/www;
}
location = /robots.txt {
root /var/www;
}
}

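--- a/domains.conf
+++ b/domains.conf
+# Update this file to configure the domain names for your sr.ht installation.
+# Any services you have not set up may be left unchanged.
+set $buildssrht = "builds.sr.ht";
+set $dispatchsrht = "dispatch.sr.ht";
+set $gitsrht = "git.sr.ht";
+set $hgsrht = "hg.sr.ht";
+set $hubsrht = "sr.ht";
+set $listssrht = "lists.sr.ht";
+set $mansrht = "man.sr.ht";
+set $metasrht = "meta.sr.ht";
+set $pastesrht = "paste.sr.ht";
+set $todosrht = "todo.sr.ht";
+set $private_network = "173.195.146.128/25";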
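Review bot: `set $buildssrht = "builds.sr.ht";` (and every other `set` line in this file, plus `set $python = "python3.9";` in nginx.conf) passes three arguments to a directive that takes exactly two, and `set` is only permitted in server, location and if contexts, so including this file from the http block in nginx.conf makes config test fail before any per-service file is read. Even written as `set $buildssrht "builds.sr.ht";` inside each server block, `server_name` does not expand variables, so the `server_name $buildssrht;` lines that builds, dispatch, git, hg, hub, lists, man, meta, paste and todo now carry would match the literal text rather than the host. `root` and, since nginx 1.15.9, `ssl_certificate`/`ssl_certificate_key` do accept variables, but a variable certificate path is loaded on every handshake and a missing file surfaces at the first request instead of at config test. The host names therefore have to stay literal in `server_name`, which means any per-install substitution has to happen before nginx reads the files rather than through this file, and the README's pointer to domains.conf should describe whatever mechanism replaces it.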


@ -1,51 +1,31 @@
server {
listen 80;
listen [::]:80;
server_name git.sr.ht;
location / {
return 302 https://$server_name$request_uri;
}
location ^~ /.well-known {
root /var/www;
}
server_name $gitsrht;
include port80.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name git.sr.ht;
server_name $gitsrht;
include port443.conf;
ssl_certificate /etc/ssl/uacme/$gitsrht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/$gitsrht/key.pem;
client_max_body_size 100M;
ssl_certificate /etc/ssl/uacme/git.sr.ht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/git.sr.ht/key.pem;
add_header X-Clacks-Overhead "GNU Terry Pratchett";
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Fuck you, Google, I don't spy on my users
add_header Permissions-Policy interest-cohort=();
gzip on;
gzip_types text/css text/html;
location / {
proxy_pass http://127.0.0.1:5001;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
include web.conf;
}
location /query {
proxy_pass http://127.0.0.1:5101;
include graphql.conf;
}
location /static {
root /usr/lib/python3.9/site-packages/gitsrht;
root /usr/lib/$python/site-packages/gitsrht;
expires 30d;
}
location ^~ /.well-known {
root /var/www;
}
location = /authorize {
proxy_pass http://127.0.0.1:5001;
proxy_pass_request_body off;
@ -64,30 +44,4 @@ server {
include fastcgi_params;
gzip off;
}
location /query {
proxy_pass http://127.0.0.1:5101;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
}
location = /robots.txt {
root /var/www;
}
}

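--- a/graphql.conf
+++ b/graphql.conf
+set_real_ip_from 127.0.0.1/16;
+set_real_ip_from $private_network;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-Proto https;
+if ($request_method = 'OPTIONS') {
+add_header 'Access-Control-Allow-Origin' '*';
+add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+add_header 'Access-Control-Max-Age' 1728000;
+add_header 'Content-Type' 'text/plain; charset=utf-8';
+add_header 'Content-Length' 0;
+return 204;
+}
+add_header 'Access-Control-Allow-Origin' '*';
+add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';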
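Review bot: `set_real_ip_from $private_network;` does not work as written: the realip module parses that argument as an address, a CIDR or `unix:` and, as far as I know, does not expand variables, so config test reports it as an invalid parameter; web.conf keeps the literal `173.195.146.128/25` and this file should too. Separately, the CORS `add_header` lines in this include sit at location level, and nginx does not merge add_header across levels, so every /query response carries only these CORS headers and none of the Strict-Transport-Security or other headers that port443.conf sets at server level. That behaviour predates the refactor, but now that it lives in one file it is cheap to fix: add `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` after the Expose-Headers line and inside the OPTIONS block so the API paths keep HSTS.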


@ -1,47 +1,31 @@
server {
listen 80;
listen [::]:80;
server_name hg.sr.ht;
location / {
return 302 https://$server_name$request_uri;
}
location ^~ /.well-known {
root /var/www;
}
server_name $hgsrht;
include port80.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name hg.sr.ht;
server_name $hgsrht;
include port443.conf;
ssl_certificate /etc/ssl/uacme/$hgsrht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/$hgsrht/key.pem;
client_max_body_size 100M;
ssl_certificate /etc/ssl/uacme/hg.sr.ht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/hg.sr.ht/key.pem;
add_header X-Clacks-Overhead "GNU Terry Pratchett";
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Fuck you, Google, I don't spy on my users
add_header Permissions-Policy interest-cohort=();
gzip on;
gzip_types text/css;
location / {
proxy_pass http://127.0.0.1:5010;
include web.conf;
}
location /query {
proxy_pass http://127.0.0.1:5110;
include graphql.conf;
}
location /static {
root /usr/lib/python3.9/site-packages/hgsrht;
root /usr/lib/$python/site-packages/hgsrht;
expires 30d;
}
location ^~ /.well-known {
root /var/www;
}
location = /authorize {
proxy_pass http://127.0.0.1:5001;
proxy_pass_request_body off;
@ -55,9 +39,4 @@ server {
location ~ ^/[~^][a-z0-9_]+/[a-zA-Z0-9_.-]+/\.hg/bundles/.*$ {
root /var/lib/mercurial;
}
location = /robots.txt {
root /var/www;
}
}


@ -1,89 +1,32 @@
server {
listen 80;
listen [::]:80;
server_name sr.ht;
location / {
return 302 https://$server_name$request_uri;
}
server_name $hubsrht;
include port80.conf;
# Redirect for legacy.sr.ht
location ~ ^/[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$ {
return 302 https://l.sr.ht$request_uri;
}
location ^~ /.well-known {
root /var/www;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name sr.ht;
ssl_certificate /etc/ssl/uacme/sr.ht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/sr.ht/key.pem;
server_name $hubsrht;
include port443.conf;
add_header X-Clacks-Overhead "GNU Terry Pratchett";
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Fuck you, Google, I don't spy on my users
add_header Permissions-Policy interest-cohort=();
gzip on;
gzip_types text/css text/html;
ssl_certificate /etc/ssl/uacme/$hubsrht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/$hubsrht/key.pem;
location / {
proxy_pass http://127.0.0.1:5014;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
include web.conf;
}
location /static {
root /usr/lib/python3.9/site-packages/hubsrht;
root /usr/lib/$python/site-packages/hubsrht;
expires 30d;
}
# Redirect for legacy.sr.ht
location ~ ^/[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$ {
return 302 https://l.sr.ht$request_uri;
}
location = /robots.txt {
root /var/www;
}
}
server {
listen 80;
listen [::]:80;
server_name hub.sr.ht;
location / {
return 302 https://sr.ht$request_uri;
}
location ^~ /.well-known {
root /var/www;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name hub.sr.ht;
ssl_certificate /etc/ssl/uacme/sr.ht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/sr.ht/key.pem;
location / {
return 302 https://sr.ht$request_uri;
}
location /webhooks {
proxy_pass http://127.0.0.1:5014;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
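Review bot: The two `server_name hub.sr.ht;` blocks at the end of the old file, including the 443 one that proxied `/webhooks` to 127.0.0.1:5014, appear only on the removed side, and the new-side count of 32 lines cannot accommodate them, so after this commit hub.sr.ht seems to stop answering for webhooks and for the redirect to sr.ht. That is a functional change the message ("refactor common config options into includes") does not mention, so either it is intended and deserves a line in the message, or the alias blocks should come back as a second pair of servers with `server_name hub.sr.ht;`, the port443.conf/port80.conf includes, the sr.ht certificate and the `/webhooks` proxy with `include web.conf;`. Note that port80.conf redirects to `$server_name`, so a restored hub.sr.ht port-80 block would redirect to https://hub.sr.ht rather than straight to sr.ht as the removed block did, and the 443 block still needs its own `return 302 https://sr.ht$request_uri;` for `location /`.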


@ -1,73 +1,27 @@
server {
listen 80;
listen [::]:80;
server_name lists.sr.ht;
location / {
return 302 https://$server_name$request_uri;
}
location ^~ /.well-known {
root /var/www;
}
server_name $listssrht;
include port80.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name lists.sr.ht;
ssl_certificate /etc/ssl/uacme/lists.sr.ht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/lists.sr.ht/key.pem;
server_name $listssrht;
include port443.conf;
add_header X-Clacks-Overhead "GNU Terry Pratchett";
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Fuck you, Google, I don't spy on my users
add_header Permissions-Policy interest-cohort=();
gzip on;
gzip_types text/html text/css;
ssl_certificate /etc/ssl/uacme/$listssrht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/$listssrht/key.pem;
location / {
proxy_pass http://127.0.0.1:5006;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
include web.conf;
}
location /query {
proxy_pass http://127.0.0.1:5106;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
include graphql.conf;
}
location /static {
root /usr/lib/python3.9/site-packages/listssrht;
root /usr/lib/$python/site-packages/listssrht;
expires 30d;
}
location ^~ /.well-known {
root /var/www;
}
location = /robots.txt {
root /var/www;
}
}


@ -1,63 +1,23 @@
server {
listen 80;
listen [::]:80;
server_name man.sr.ht;
location / {
return 302 https://$server_name$request_uri;
}
location ^~ /.well-known {
root /var/www;
}
server_name $mansrht;
include port80.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name man.sr.ht;
server_name $mansrht;
include port443.conf;
ssl_certificate /etc/ssl/uacme/$mansrht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/$mansrht/key.pem;
client_max_body_size 100M;
ssl_certificate /etc/ssl/uacme/man.sr.ht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/man.sr.ht/key.pem;
add_header X-Clacks-Overhead "GNU Terry Pratchett";
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Fuck you, Google, I don't spy on my users
add_header Permissions-Policy interest-cohort=();
gzip on;
gzip_types text/css text/html;
location / {
proxy_pass http://127.0.0.1:5004;
include web.conf;
}
location /static {
root /usr/lib/python3.9/site-packages/mansrht;
root /usr/lib/$python/site-packages/mansrht;
expires 30d;
}
location ^~ /.well-known {
root /var/www;
}
location ~ ^(.*)/(.*)/objects/([0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx)).*$ {
root /var/lib/man;
}
location ~ ^(.*)/(.*)/(HEAD|info/refs|objects/info/.*|git-upload-pack).*$ {
root /var/lib/man;
fastcgi_pass unix:/run/fcgiwrap/fcgiwrap.sock;
fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
fastcgi_param PATH_INFO $uri;
fastcgi_param GIT_PROJECT_ROOT $document_root;
fastcgi_param GIT_HTTP_EXPORT_ALL "";
include fastcgi_params;
gzip off;
}
location = /robots.txt {
root /var/www;
}
}


@ -1,77 +1,27 @@
server {
listen 80;
listen [::]:80;
server_name meta.sr.ht;
location / {
return 302 https://$server_name$request_uri;
}
location ^~ /.well-known {
root /var/www;
}
location = /robots.txt {
root /var/www;
}
server_name $metasrht;
include port80.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name meta.sr.ht;
ssl_certificate /etc/ssl/uacme/meta.sr.ht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/meta.sr.ht/key.pem;
server_name $metasrht;
include port443.conf;
add_header X-Clacks-Overhead "GNU Terry Pratchett";
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Fuck you, Google, I don't spy on my users
add_header Permissions-Policy interest-cohort=();
gzip on;
gzip_types text/css text/html;
ssl_certificate /etc/ssl/uacme/$metasrht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/$metasrht/key.pem;
location / {
proxy_pass http://127.0.0.1:5000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
location /static {
root /usr/lib/python3.9/site-packages/metasrht;
expires 30d;
}
location ^~ /.well-known {
root /var/www;
include web.conf;
}
location /query {
proxy_pass http://127.0.0.1:5100;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
include graphql.conf;
}
location = /robots.txt {
root /var/www;
location /static {
root /usr/lib/$python/site-packages/metasrht;
expires 30d;
}
}

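--- a/nginx.conf
+++ b/nginx.conf
+user nginx;
+worker_processes auto;
+pcre_jit on;
+error_log /var/log/nginx/error.log warn;
+include /etc/nginx/modules/*.conf;
+events {
+worker_connections 1024;
+}
+http {
+include /etc/nginx/mime.types;
+default_type application/octet-stream;
+server_tokens off;
+client_max_body_size 1m;
+sendfile on;
+tcp_nopush on;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:2m;
+ssl_session_timeout 1h;
+ssl_session_tickets off;
+gzip_vary on;
+log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+'$status $body_bytes_sent "$http_referer" '
+'"$http_user_agent" "$http_x_forwarded_for"';
+access_log /var/log/nginx/access.log main;
+set $python = "python3.9";
+include domains.conf;
+include /etc/nginx/http.d/*.conf;
+}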
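Review bot: `ssl_prefer_server_ciphers on;` is set without an `ssl_ciphers` directive, so nginx is asked to enforce server order over its built-in default suite list rather than a deliberately chosen one; either add an explicit `ssl_ciphers` line beside it or drop the directive and note that the defaults are intended. The rest of the TLS block (TLSv1.2/1.3 only, session tickets off, a shared session cache) is sound. `client_max_body_size 1m;` is the http-level floor that the service files raise per server, which would be clearer with a comment such as `# per-service upload limits are raised in http.d/*.conf`. `set $python = "python3.9";` has the same argument-count and context problem as the `set` lines in domains.conf, and `root /usr/lib/$python/...` in every service file depends on it.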
}


@ -1,48 +1,23 @@
server {
listen 80;
listen [::]:80;
server_name paste.sr.ht pasta.sr.ht;
location / {
return 302 https://$server_name$request_uri;
}
location ^~ /.well-known {
root /var/www;
}
server_name $pastesrht pasta.sr.ht;
include port80.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name paste.sr.ht pasta.sr.ht;
server_name $pastesrht pasta.sr.ht;
include port443.conf;
ssl_certificate /etc/ssl/uacme/$pastesrht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/$pastesrht/key.pem;
client_max_body_size 10M;
ssl_certificate /etc/ssl/uacme/paste.sr.ht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/paste.sr.ht/key.pem;
add_header X-Clacks-Overhead "GNU Terry Pratchett";
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self' 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Fuck you, Google, I don't spy on my users
add_header Permissions-Policy interest-cohort=();
gzip on;
gzip_types text/css text/html;
location / {
proxy_pass http://127.0.0.1:5011;
include web.conf;
}
location /static {
root /usr/lib/python3.9/site-packages/pastesrht;
root /usr/lib/$python/site-packages/pastesrht;
expires 30d;
}
location ^~ /.well-known {
root /var/www;
}
location = /robots.txt {
root /var/www;
}
}

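--- a/port443.conf
+++ b/port443.conf
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+add_header X-Clacks-Overhead "GNU Terry Pratchett";
+add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline' *.stripe.com *.stripe.network; frame-src *.stripe.com *.stripe.network" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+# Fuck you, Google, I don't spy on my users
+add_header Permissions-Policy interest-cohort=();
+gzip on;
+gzip_types text/css text/html;
+location ^~ /.well-known {
+root /var/www;
+}
+location = /robots.txt {
+root /var/www;
+}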
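Review bot: The Content-Security-Policy line in this include is the meta.sr.ht policy (`'unsafe-inline'` plus `*.stripe.com`/`*.stripe.network` in script-src and frame-src), and because every service's 443 block now includes port443.conf it replaces the per-service policies the commit removes. That loosens script-src for dispatch, hg, hub, man and todo, whose removed policies allowed only `script-src 'self'`, and opens a Stripe frame-src on services that do not embed Stripe, while the `img-src 'self' data:` here is tighter than the `img-src * data:` that git, hg, hub, man, paste and todo had, so externally hosted images on those pages would now be blocked. Keep HSTS, X-Clacks-Overhead and Permissions-Policy shared, but drop the CSP line from this file and put each service's own `add_header Content-Security-Policy "…" always;` back into its 443 server block next to the ssl_certificate lines, where it merges with the include's other add_header lines at the same level. The removed lists.sr.ht policy lacked `always`; keep that fix when the policies move back.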

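--- a/port80.conf
+++ b/port80.conf
+listen 80;
+listen [::]:80;
+location / {
+return 302 https://$server_name$request_uri;
+}
+location ^~ /.well-known {
+root /var/www;
+}
+location = /robots.txt {
+root /var/www;
+}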


@ -1,70 +1,28 @@
server {
listen 80;
listen [::]:80;
server_name todo.sr.ht;
location / {
return 302 https://$server_name$request_uri;
}
location ^~ /.well-known {
root /var/www;
}
server_name $todosrht;
include port80.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name todo.sr.ht;
server_name $todosrht;
include port443.conf;
ssl_certificate /etc/ssl/uacme/$todosrht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/$todosrht/key.pem;
client_max_body_size 100M;
ssl_certificate /etc/ssl/uacme/todo.sr.ht/cert.pem;
ssl_certificate_key /etc/ssl/uacme/private/todo.sr.ht/key.pem;
add_header X-Clacks-Overhead "GNU Terry Pratchett";
add_header Content-Security-Policy "default-src 'none'; style-src 'self' 'unsafe-inline'; img-src * data:; script-src 'self'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# Fuck you, Google, I don't spy on my users
add_header Permissions-Policy interest-cohort=();
gzip on;
gzip_types text/css text/html;
location / {
proxy_pass http://127.0.0.1:5003;
include web.conf;
}
location /query {
proxy_pass http://127.0.0.1:5103;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
include graphql.conf;
}
location /static {
root /usr/lib/python3.9/site-packages/todosrht;
root /usr/lib/$python/site-packages/todosrht;
expires 30d;
}
location ^~ /.well-known {
root /var/www;
}
location = /robots.txt {
root /var/www;
}
}

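--- a/web.conf
+++ b/web.conf
@@ -0,0 +1,6 @@
+set_real_ip_from 127.0.0.1/16;
+set_real_ip_from 173.195.146.128/25;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-Proto https;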
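Review bot: This include forwards only Host and X-Forwarded-Proto, whereas the `location /` blocks it replaces in git, hub, lists and meta (and every removed /query block) also sent `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. The realip directives above correct nginx's own $remote_addr for logging, but the upstream on 127.0.0.1 now receives no X-Real-IP at all and an X-Forwarded-For that is whatever the client sent, passed through unchanged rather than appended to; whether the sr.ht applications read those headers is not visible here, but if they do, the client address they see is now either missing or client-controlled. Add the two proxy_set_header lines back after the X-Forwarded-Proto line, and make the same addition in graphql.conf, which has the same omission. The hard-coded `173.195.146.128/25` on the second line is the value domains.conf defines as $private_network; since set_real_ip_from needs a literal, keeping the literal here is right, but the $private_network definition then has no working consumer and should be dropped or documented as such.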