CroneKorkN
6f2073847d
Two things from the left4me-integration session worth pinning:
- 80.conf was orphaned in sites/ (not sites-enabled/) for an
unknown amount of time. Commit d49259f moved it; document the
resulting wiring so it's not re-broken accidentally.
- items.py reads node.metadata.get('vm/cores') with no default
for worker_processes; bare-metal nodes outside the vm group
raise at item-build time. Cost the agent ~10 min when
ovh.left4me first opted into webserver.
Also note the cross-namespace read on letsencrypt/domains.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
36 lines
1.3 KiB
Markdown
36 lines
1.3 KiB
Markdown
# nginx
|
|
|
|
Webserver. Per-node vhosts in `nginx/vhosts`; per-vhost templates in
|
|
`data/nginx/*.conf`.
|
|
|
|
## How port 80 is served
|
|
|
|
The bundle ships a fixed `80.conf` to
|
|
`/etc/nginx/sites-available/80.conf` (picked up by the
|
|
`sites-enabled/` symlink) that handles **all** port-80 traffic
|
|
across vhosts:
|
|
|
|
1. ACME HTTP-01 challenges (`/.well-known/acme-challenge/`) are
|
|
served from `/var/lib/dehydrated/acme-challenges/`.
|
|
2. All other port-80 requests are 301-redirected to
|
|
`https://$host$request_uri`.
|
|
|
|
Per-vhost templates only declare `listen 443 ssl http2;`, so they
|
|
don't need their own port-80 server blocks. If you need vhost-
|
|
specific port-80 behaviour (e.g. plain-HTTP without redirect),
|
|
override 80.conf or add a per-vhost block.
|
|
|
|
## Required metadata
|
|
|
|
- `vm/cores` — read directly by `items.py` for `worker_processes`.
|
|
No default; `bw items <node>` raises at item-build time if missing.
|
|
Typically supplied by the `vm` bundle / hetzner-vm group; double-
|
|
check on bare-metal hosts.
|
|
- `nginx/vhosts` — dict of vhost-name → vhost-config.
|
|
- `nginx/modules` — list of dynamic modules to load.
|
|
|
|
## Cross-namespace
|
|
|
|
`items.py` reads `letsencrypt/domains` to skip emitting a per-vhost
|
|
HTTPS block when LE hasn't declared the domain yet — keeps the
|
|
bundle loadable on a node where letsencrypt isn't fully wired up.
|