cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests 8 Projects Releases Wiki Activity

wip

Browse source
This commit is contained in:
mwiegand 2021-07-07 01:02:22 +02:00
parent 1114c6d6a3
commit 4150a3fb4d
13 changed files with 219 additions and 55 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
bundles/gitea/metadata.py
View file

@ -78,9 +78,10 @@ def nginx(metadata):
'nginx': { 'nginx': {
'vhosts': { 'vhosts': {
metadata.get('gitea/domain'): { metadata.get('gitea/domain'): {
'location /': { 'content': 'nginx/proxy_pass.conf',
'proxy_pass': 'http://127.0.0.1:3500', 'context': {
}, 'target': 'http://127.0.0.1:3500',
}
}, },
}, },
}, },

8
bundles/nextcloud/metadata.py
View file

@ -73,10 +73,10 @@ def vhost(metadata):
'nginx': { 'nginx': {
'vhosts': { 'vhosts': {
metadata.get('nextcloud/hostname'): { metadata.get('nextcloud/hostname'): {
'root': '/opt/nextcloud', 'content': 'nextcloud/vhost.conf',
'include': [ 'context': {
'php.conf', 'root': '/opt/nextcloud',
], },
}, },
}, },
}, },

12
bundles/nginx/files/80.conf Normal file
View file

@ -0,0 +1,12 @@
server {
listen 80;
listen [::]:80;
location / {
return 301 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
alias /var/lib/dehydrated/acme-challenges/;
}
}

18
bundles/nginx/files/nginx.conf Normal file
View file

@ -0,0 +1,18 @@
pid /var/run/nginx.pid;
user www-data;
worker_processes 10;
events {
worker_connections 768;
}
http {
access_log /var/log/nginx/access.log;
default_type application/octet-stream;
error_log /var/log/nginx/error.log;
include /etc/nginx/mime.types;
include /etc/nginx/sites/*;
sendfile on;
server_names_hash_bucket_size 128;
tcp_nopush on;
}

5
bundles/nginx/files/stub_status.conf Normal file
View file

@ -0,0 +1,5 @@
server {
listen 127.0.0.1:22999 default_server;
server_name _;
stub_status ;
}

41
bundles/nginx/items.py
View file

@ -1,4 +1,6 @@
from datetime import datetime, timedelta from datetime import datetime, timedelta
from mako.template import Template
from os.path import join
directories = { directories = {
'/etc/nginx/sites': { '/etc/nginx/sites': {
@ -17,8 +19,7 @@ directories = {
} }
files = { files = {
'/etc/nginx/nginx.conf': { '/etc/nginx/nginx.conf': {
'content': repo.libs.nginx.render_config(node.metadata.get('nginx/config')),
'triggers': { 'triggers': {
'svc_systemd:nginx:restart', 'svc_systemd:nginx:restart',
}, },
@ -28,6 +29,16 @@ files = {
'svc_systemd:nginx:restart', 'svc_systemd:nginx:restart',
}, },
}, },
'/etc/nginx/sites/80.conf': {
'triggers': {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/sites/stub_status.conf': {
'triggers': {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/sites-available': { '/etc/nginx/sites-available': {
'delete': True, 'delete': True,
}, },
@ -52,26 +63,14 @@ svc_systemd = {
}, },
} }
for name, config in node.metadata.get('nginx/includes').items():
files[f'/etc/nginx/{name}.conf'] = { for name, config in node.metadata.get('nginx/vhosts').items():
'content': repo.libs.nginx.render_config(config), print(name)
'needed_by': {
'svc_systemd:nginx',
'svc_systemd:nginx:restart',
},
'triggers': {
'svc_systemd:nginx:restart',
},
}
for name, config in {
**node.metadata.get('nginx/default_vhosts'),
**node.metadata.get('nginx/vhosts'),
}.items():
files[f'/etc/nginx/sites/{name}'] = { files[f'/etc/nginx/sites/{name}'] = {
'content': repo.libs.nginx.render_config({ 'content': Template(filename=join(repo.path, 'data', config['content'])).render(
'server': config, server_name=name,
}), **config.get('context', {}),
),
'needs': [], 'needs': [],
'needed_by': { 'needed_by': {
'svc_systemd:nginx', 'svc_systemd:nginx',

29
bundles/nginx/metadata.py
View file

@ -7,26 +7,6 @@ defaults = {
}, },
}, },
'nginx': { 'nginx': {
'config': {
'user': 'www-data',
'worker_processes': 10,
'pid': '/var/run/nginx.pid',
'events': {
'worker_connections': 768,
},
'http': {
'include': [
'/etc/nginx/mime.types',
'/etc/nginx/sites/*',
],
'default_type': 'application/octet-stream',
'sendfile': 'on',
'tcp_nopush': 'on',
'server_names_hash_bucket_size': 128,
'access_log': '/var/log/nginx/access.log',
'error_log': '/var/log/nginx/error.log',
},
},
'default_vhosts': { 'default_vhosts': {
'80': { '80': {
'listen': [ 'listen': [
@ -46,7 +26,14 @@ defaults = {
'stub_status': '', 'stub_status': '',
}, },
}, },
'vhosts': {}, 'vhosts': {
# '80': {
# 'content': 'nginx/80.conf',
# },
# 'stub_status': {
# 'content': 'nginx/stub_status.conf',
# },
},
'includes': {}, 'includes': {},
}, },
} }

8
bundles/roundcube/metadata.py
View file

@ -56,10 +56,10 @@ def vhost(metadata):
'nginx': { 'nginx': {
'vhosts': { 'vhosts': {
metadata.get('mailserver/hostname'): { metadata.get('mailserver/hostname'): {
'root': '/opt/roundcube', 'content': 'nginx/php.conf',
'include': [ 'context': {
'php.conf', 'root': '/opt/roundcube',
], },
}, },
}, },
}, },

100
data/nextcloud/vhost.conf Normal file
View file

@ -0,0 +1,100 @@
upstream php-handler {
server unix:/var/run/php/php7.3-fpm.sock;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${server_name};
ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
client_max_body_size 512M;
fastcgi_buffers 64 4K;
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
fastcgi_hide_header X-Powered-By;
root ${root};
index index.php index.html /index.php$request_uri;
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
location ^~ /.well-known {
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
return 301 /index.php$request_uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|svg|gif)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}

6
data/nginx/php.conf Normal file
View file

@ -0,0 +1,6 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${server_name};
root ${root};
}

16
data/nginx/proxy_pass.conf Normal file
View file

@ -0,0 +1,16 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ${server_name};
ssl_certificate /var/lib/dehydrated/certs/${server_name}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${server_name}/privkey.pem;
location / {
proxy_pass ${target};
}
location /.well-known/acme-challenge/ {
alias /var/lib/dehydrated/acme-challenges/;
}
}

2
nodes/home.server.py
View file

@ -4,7 +4,7 @@
'archive', 'archive',
'backup', 'backup',
'debian-10', 'debian-10',
# 'nextcloud', 'nextcloud',
'monitored', 'monitored',
'webserver', 'webserver',
], ],

22
nodes/htz.mails.py
View file

@ -11,7 +11,7 @@
'dnsserver', 'dnsserver',
], ],
'bundles': [ 'bundles': [
'nextcloud', # 'nextcloud',
'wireguard', 'wireguard',
'zfs', 'zfs',
], ],
@ -79,6 +79,26 @@
# 'woodpipe.de', # 'woodpipe.de',
], ],
}, },
'nginx': {
'vhosts': {
'cloud.sublimity.de': {
'content': 'nginx/proxy_pass.conf',
'context': {
'target': 'https://cloud.sublimity.de:443',
}
}
}
},
'nginx': {
'vhosts': {
'git.sublimity.de': {
'content': 'nginx/proxy_pass.conf',
'context': {
'target': 'https://git.sublimity.de:443',
}
}
}
},
'roundcube': { 'roundcube': {
'product_name': 'Sublimity Mail', 'product_name': 'Sublimity Mail',
'version': '1.4.11', 'version': '1.4.11',