Add configuration for sober.page servers

MTecknology · Feb 18, 2024 · 7f22630 · 7f22630
1 parent d7fe4c2
commit 7f22630
Show file tree

Hide file tree

Showing 7 changed files with 89 additions and 12 deletions.
diff --git a/pillar/top.sls b/pillar/top.sls
@@ -6,3 +6,6 @@ base:
 
   'irc*':
     - webapps
+
+  '*.sobersupport.group':
+    - webapps
diff --git a/pillar/webapps.sls b/pillar/webapps.sls
@@ -1,6 +1,7 @@
-{% if salt.match.glob('irc.lustfield.net') %}
 webapps:
+  {% if salt.match.glob('irc.lustfield.net') %}
   mtpaste: paste.lustfield.net
   ipecho: ip.lustfield.net
-
-{% endif %}
+  {% elif salt.match.glob('*.sobersupport.group') %}
+  soberpage: None  # monolithic
+  {% endif %}
diff --git a/states/nginx/init.sls b/states/nginx/init.sls
@@ -21,13 +21,10 @@ nginx:
   file.managed:
     - contents: |
         ssl_session_cache shared:SSL:10m;
+        ssl_session_tickets off;
         ssl_session_timeout 10m;
-        ssl_ciphers 'kEECDH+CHACHA kEECDH+AESGCM HIGH+kEECDH AESGCM 3DES !SRP !PSK !DSS !MD5 !LOW !MEDIUM !aNULL !eNULL !DH !kECDH';
         ssl_stapling on;
         ssl_stapling_verify on;
-        #ssl_dhparam ssl/dhparam.pem;
-        ssl_session_tickets off;
-        ssl_protocols TLSv1.2;
     - require:
       - pkg: nginx
 

diff --git a/states/nginx/nginx.conf b/states/nginx/nginx.conf
@@ -1,6 +1,7 @@
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
 include /etc/nginx/modules-enabled/*.conf;
 
 events {
@@ -31,21 +32,20 @@ http {
 	# SSL Settings
 	##
 
+	ssl_protocols TLSv1.2 TLSv1.3;
 	ssl_prefer_server_ciphers on;
 
 	##
 	# Logging Settings
 	##
 
 	access_log /var/log/nginx/access.log;
-	error_log /var/log/nginx/error.log;
 
 	##
 	# Gzip Settings
 	##
 
 	gzip on;
-	gzip_disable "msie6";
 
 	# gzip_vary on;
 	# gzip_proxied any;
@@ -58,6 +58,9 @@ http {
 	# Virtual Host Configs
 	##
 
-	include /etc/nginx/conf.d/*.conf;
-	include /etc/nginx/sites-enabled/*;
+	#include /etc/nginx/conf.d/*.conf;
+	#include /etc/nginx/sites-enabled/*;
+	{%- for webapp in salt.pillar.get('webapps', {}).keys() %}
+	include /etc/nginx/conf.d/{{ webapp }}.conf;
+	{%- endfor %}
 }
diff --git a/states/webapps/nginx-cfg/soberpage.conf b/states/webapps/nginx-cfg/soberpage.conf
@@ -0,0 +1,51 @@
+##
+# Canonical Domain: sobersupport.group
+# Note: Only external redirects should be hanlded by this server block.
+##
+map $host $canonical_redirect {
+	default "https;//about.sobersupport.group/oops.html";
+	include canonical_redirects.map;
+}
+server {
+	# Socket Settings
+	listen 80;
+	listen [::]:80;
+	#listen 443 ssl;
+	#listen [::]:443 ssl;
+	#ssl_certificate /etc/letsencrypt/live/sobersupport.group/fullchain.pem;
+	#ssl_certificate_key /etc/letsencrypt/live/sobersupport.group/privkey.pem;
+
+	# Common Headers
+	#add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
+	add_header X-Frame-Options DENY;
+	add_header X-Content-Type-Options nosniff;
+	add_header Vary "Accept-Encoding";
+
+	# Forward to external domain
+	server_name *.sobersupport.group;
+	return 302 $canonical_redirect;
+}
+
+##
+# Alias: sober.page
+# Note: Nearly all requests to this domain will use this server block.
+##
+server {
+	# Socket Settings
+	listen 80;
+	listen [::]:80;
+	#listen 443 ssl;
+	#listen [::]:443 ssl;
+	#ssl_certificate /etc/letsencrypt/live/sober.page/fullchain.pem;
+	#ssl_certificate_key /etc/letsencrypt/live/sober.page/privkey.pem;
+
+	# Common Headers
+	#add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
+	add_header X-Frame-Options DENY;
+	add_header X-Content-Type-Options nosniff;
+	add_header Vary "Accept-Encoding";
+
+	# Forward <fwd>.sober.page/<path> to <fwd>.sobersupport.group/<path>
+	server_name ~^(?<fwd>.+)\.sober\.page$;
+	return 301 $scheme://$fwd.sobersupport.group$request_uri;
+}
diff --git a/states/webapps/soberpage.sls b/states/webapps/soberpage.sls
@@ -0,0 +1,21 @@
+include:
+  - nginx
+
+soberpage:
+  git.latest:
+    - name: https://danwin1210.de:1443/recoverysource/sober.page
+    - target: /srv/soberpage
+    - force_checkout: True
+  file.managed:
+    - name: /etc/nginx/conf.d/soberpage.conf
+    - source: salt://webapps/nginx-cfg/soberpage.conf
+    - require:
+      - pkg: nginx
+    - watch_in:
+      - service: nginx
+  cmd.run:
+    - name: /srv/soberpage/sync.py -n
+    - watch:
+      - git: soberpage
+    - watch_in:
+      - service: nginx
diff --git a/test/vbox_create b/test/vbox_create
@@ -152,7 +152,8 @@ install_os() {
 			# Switch to TTY4 around preseed invokation
 			[ "$i" = 18 ] && VBoxManage controlvm "$TH_VMNAME" keyboardputscancode 1D 38 3E BE B8 9D
 		fi
-		printf '.'; sleep 10
+		printf '.'; [ "$(uname -s)" = Darwin ] && printf '\n'  # ping on mac runner
+		sleep 10
 		# The installer iso will remain mounted until the installer triggers an eject.
 		VBoxManage showvminfo "$TH_VMNAME" | grep -q "$TH_ISOPATH" || break
 	done
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,3 +6,6 @@ base: @@
       'irc*':
         - webapps
+      '*.sobersupport.group':
+        - webapps