cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests 8 Projects Releases Wiki Activity

wip

Browse source
This commit is contained in:
mwiegand 2021-07-07 01:02:22 +02:00
parent 1114c6d6a3
commit 4150a3fb4d
13 changed files with 219 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
bundles/gitea/metadata.py
View file

@ -78,9 +78,10 @@ def nginx(metadata):
'nginx': {
'vhosts': {
metadata.get('gitea/domain'): {
'location /': {
'proxy_pass': 'http://127.0.0.1:3500',
},
'content': 'nginx/proxy_pass.conf',
'context': {
'target': 'http://127.0.0.1:3500',
}
},
},
},

8
bundles/nextcloud/metadata.py
View file

@ -73,10 +73,10 @@ def vhost(metadata):
'nginx': {
'vhosts': {
metadata.get('nextcloud/hostname'): {
'root': '/opt/nextcloud',
'include': [
'php.conf',
],
'content': 'nextcloud/vhost.conf',
'context': {
'root': '/opt/nextcloud',
},
},
},
},

12
bundles/nginx/files/80.conf Normal file
View file

@ -0,0 +1,12 @@
server {
listen 80;
listen [::]:80;
location / {
return 301 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
alias /var/lib/dehydrated/acme-challenges/;
}
}

18
bundles/nginx/files/nginx.conf Normal file
View file

@ -0,0 +1,18 @@
pid /var/run/nginx.pid;
user www-data;
worker_processes 10;
events {
worker_connections 768;
}
http {
access_log /var/log/nginx/access.log;
default_type application/octet-stream;
error_log /var/log/nginx/error.log;
include /etc/nginx/mime.types;
include /etc/nginx/sites/*;
sendfile on;
server_names_hash_bucket_size 128;
tcp_nopush on;
}

5
bundles/nginx/files/stub_status.conf Normal file
View file

@ -0,0 +1,5 @@
server {
listen 127.0.0.1:22999 default_server;
server_name _;
stub_status ;
}

41
bundles/nginx/items.py
View file

@ -1,4 +1,6 @@
from datetime import datetime, timedelta
from mako.template import Template
from os.path import join
directories = {
'/etc/nginx/sites': {
@ -17,8 +19,7 @@ directories = {
}
files = {
'/etc/nginx/nginx.conf': {
'content': repo.libs.nginx.render_config(node.metadata.get('nginx/config')),
'/etc/nginx/nginx.conf': {
'triggers': {
'svc_systemd:nginx:restart',
},
@ -28,6 +29,16 @@ files = {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/sites/80.conf': {
'triggers': {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/sites/stub_status.conf': {
'triggers': {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/sites-available': {
'delete': True,
},
@ -52,26 +63,14 @@ svc_systemd = {
},
}
for name, config in node.metadata.get('nginx/includes').items():
files[f'/etc/nginx/{name}.conf'] = {
'content': repo.libs.nginx.render_config(config),
'needed_by': {
'svc_systemd:nginx',
'svc_systemd:nginx:restart',
},
'triggers': {
'svc_systemd:nginx:restart',
},
}
for name, config in {
**node.metadata.get('nginx/default_vhosts'),
**node.metadata.get('nginx/vhosts'),
}.items():
for name, config in node.metadata.get('nginx/vhosts').items():
print(name)
files[f'/etc/nginx/sites/{name}'] = {
'content': repo.libs.nginx.render_config({
'server': config,
}),
'content': Template(filename=join(repo.path, 'data', config['content'])).render(
server_name=name,
**config.get('context', {}),
),
'needs': [],
'needed_by': {
'svc_systemd:nginx',

29
bundles/nginx/metadata.py
View file

@ -7,26 +7,6 @@ defaults = {
},
},
'nginx': {
'config': {
'user': 'www-data',
'worker_processes': 10,
'pid': '/var/run/nginx.pid',
'events': {
'worker_connections': 768,
},
'http': {
'include': [
'/etc/nginx/mime.types',
'/etc/nginx/sites/*',
],
'default_type': 'application/octet-stream',
'sendfile': 'on',
'tcp_nopush': 'on',
'server_names_hash_bucket_size': 128,
'access_log': '/var/log/nginx/access.log',
'error_log': '/var/log/nginx/error.log',
},
},
'default_vhosts': {
'80': {
'listen': [
@ -46,7 +26,14 @@ defaults = {
'stub_status': '',
},
},
'vhosts': {},
'vhosts': {
# '80': {
# 'content': 'nginx/80.conf',
# },
# 'stub_status': {
# 'content': 'nginx/stub_status.conf',
# },
},
'includes': {},
},
}

8
bundles/roundcube/metadata.py
View file

@ -56,10 +56,10 @@ def vhost(metadata):
'nginx': {
'vhosts': {
metadata.get('mailserver/hostname'): {
'root': '/opt/roundcube',
'include': [
'php.conf',
],
'content': 'nginx/php.conf',
'context': {
'root': '/opt/roundcube',
},
},
},
},

100
data/nextcloud/vhost.conf Normal file
View file

@ -0,0 +1,100 @@
upstream php-handler {
server unix:/var/run/php/php7.3-fpm.sock;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${server_name};
ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
client_max_body_size 512M;
fastcgi_buffers 64 4K;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
fastcgi_hide_header X-Powered-By;
root ${root};
index index.php index.html /index.php$request_uri;
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ^~ /.well-known {
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
return 301 /index.php$request_uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|svg|gif)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}

6
data/nginx/php.conf Normal file
View file

@ -0,0 +1,6 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${server_name};
root ${root};
}

16
data/nginx/proxy_pass.conf Normal file
View file

@ -0,0 +1,16 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${server_name};
ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
location / {
proxy_pass ${target};
}
location /.well-known/acme-challenge/ {
alias /var/lib/dehydrated/acme-challenges/;
}
}

2
nodes/home.server.py
View file

@ -4,7 +4,7 @@
'archive',
'backup',
'debian-10',
# 'nextcloud',
'nextcloud',
'monitored',
'webserver',
],

22
nodes/htz.mails.py
View file

@ -11,7 +11,7 @@
'dnsserver',
],
'bundles': [
'nextcloud',
# 'nextcloud',
'wireguard',
'zfs',
],
@ -79,6 +79,26 @@
# 'woodpipe.de',
],
},
'nginx': {
'vhosts': {
'cloud.sublimity.de': {
'content': 'nginx/proxy_pass.conf',
'context': {
'target': 'https://cloud.sublimity.de:443',
}
}
}
},
'nginx': {
'vhosts': {
'git.sublimity.de': {
'content': 'nginx/proxy_pass.conf',
'context': {
'target': 'https://git.sublimity.de:443',
}
}
}
},
'roundcube': {
'product_name': 'Sublimity Mail',
'version': '1.4.11',