aboutsummaryrefslogtreecommitdiff
path: root/services/docker/nginx/configs
diff options
context:
space:
mode:
Diffstat (limited to 'services/docker/nginx/configs')
-rw-r--r--services/docker/nginx/configs/common/acme-challenge3
-rw-r--r--services/docker/nginx/configs/common/http-listen2
-rw-r--r--services/docker/nginx/configs/common/https-listen3
-rw-r--r--services/docker/nginx/configs/common/https-redirect3
-rw-r--r--services/docker/nginx/configs/common/proxy-common7
-rw-r--r--services/docker/nginx/configs/conf.d/default.conf9
-rw-r--r--services/docker/nginx/configs/conf.d/websocket.conf4
-rw-r--r--services/docker/nginx/configs/templates/code.conf.template6
-rw-r--r--services/docker/nginx/configs/templates/mail.conf.template29
-rw-r--r--services/docker/nginx/configs/templates/root.conf.template45
-rw-r--r--services/docker/nginx/configs/templates/ssl.conf.template17
-rw-r--r--services/docker/nginx/configs/templates/timeline.conf.template6
12 files changed, 134 insertions, 0 deletions
diff --git a/services/docker/nginx/configs/common/acme-challenge b/services/docker/nginx/configs/common/acme-challenge
new file mode 100644
index 0000000..26054b8
--- /dev/null
+++ b/services/docker/nginx/configs/common/acme-challenge
@@ -0,0 +1,3 @@
+location /.well-known/acme-challenge {
+ root /srv/acme;
+}
diff --git a/services/docker/nginx/configs/common/http-listen b/services/docker/nginx/configs/common/http-listen
new file mode 100644
index 0000000..76cb18d
--- /dev/null
+++ b/services/docker/nginx/configs/common/http-listen
@@ -0,0 +1,2 @@
+listen 80;
+listen [::]:80;
diff --git a/services/docker/nginx/configs/common/https-listen b/services/docker/nginx/configs/common/https-listen
new file mode 100644
index 0000000..db2f68e
--- /dev/null
+++ b/services/docker/nginx/configs/common/https-listen
@@ -0,0 +1,3 @@
+listen 443 ssl;
+listen [::]:443 ssl;
+http2 on;
diff --git a/services/docker/nginx/configs/common/https-redirect b/services/docker/nginx/configs/common/https-redirect
new file mode 100644
index 0000000..56d095d
--- /dev/null
+++ b/services/docker/nginx/configs/common/https-redirect
@@ -0,0 +1,3 @@
+location / {
+ return 301 https://$host$request_uri;
+}
diff --git a/services/docker/nginx/configs/common/proxy-common b/services/docker/nginx/configs/common/proxy-common
new file mode 100644
index 0000000..4193548
--- /dev/null
+++ b/services/docker/nginx/configs/common/proxy-common
@@ -0,0 +1,7 @@
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Real-IP $remote_addr;
diff --git a/services/docker/nginx/configs/conf.d/default.conf b/services/docker/nginx/configs/conf.d/default.conf
new file mode 100644
index 0000000..515942b
--- /dev/null
+++ b/services/docker/nginx/configs/conf.d/default.conf
@@ -0,0 +1,9 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ http2 on;
+
+ return 444;
+}
diff --git a/services/docker/nginx/configs/conf.d/websocket.conf b/services/docker/nginx/configs/conf.d/websocket.conf
new file mode 100644
index 0000000..32af4c3
--- /dev/null
+++ b/services/docker/nginx/configs/conf.d/websocket.conf
@@ -0,0 +1,4 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
diff --git a/services/docker/nginx/configs/templates/code.conf.template b/services/docker/nginx/configs/templates/code.conf.template
new file mode 100644
index 0000000..aa70ebc
--- /dev/null
+++ b/services/docker/nginx/configs/templates/code.conf.template
@@ -0,0 +1,6 @@
+server {
+ server_name code.${CRUPEST_DOMAIN};
+ include common/http-listen;
+
+ include common/acme-challenge;
+}
diff --git a/services/docker/nginx/configs/templates/mail.conf.template b/services/docker/nginx/configs/templates/mail.conf.template
new file mode 100644
index 0000000..7f5f215
--- /dev/null
+++ b/services/docker/nginx/configs/templates/mail.conf.template
@@ -0,0 +1,29 @@
+server {
+ server_name mail.${CRUPEST_DOMAIN};
+ include common/https-listen;
+
+ location = /robots.txt {
+ root /srv/mail;
+ }
+
+ location / {
+ include common/proxy-common;
+ proxy_pass http://roundcubemail:80/;
+ }
+
+ location /rspamd/ {
+ include common/proxy-common;
+ proxy_pass http://mailserver:11334/;
+ }
+
+ client_max_body_size 5G;
+}
+
+
+server {
+ server_name mail.${CRUPEST_DOMAIN};
+ include common/http-listen;
+
+ include common/https-redirect;
+ include common/acme-challenge;
+}
diff --git a/services/docker/nginx/configs/templates/root.conf.template b/services/docker/nginx/configs/templates/root.conf.template
new file mode 100644
index 0000000..e3e93ad
--- /dev/null
+++ b/services/docker/nginx/configs/templates/root.conf.template
@@ -0,0 +1,45 @@
+server {
+ server_name ${CRUPEST_DOMAIN};
+ include common/https-listen;
+
+ location / {
+ root /srv/www;
+ }
+
+ location /2fa/ {
+ include common/proxy-common;
+ proxy_pass http://2fauth:8000/;
+ }
+
+ location /git/ {
+ include common/proxy-common;
+ client_max_body_size 5G;
+ proxy_pass http://git-server:3636;
+ }
+
+ location = /github {
+ return 301 ${CRUPEST_GITHUB};
+ }
+
+ location = /github/ {
+ return 301 ${CRUPEST_GITHUB};
+ }
+
+ location /_${CRUPEST_V2RAY_PATH} {
+ if ($http_upgrade != "websocket") {
+ return 404;
+ }
+
+ proxy_redirect off;
+ include common/proxy-common;
+ proxy_pass http://v2ray:10000;
+ }
+}
+
+server {
+ server_name ${CRUPEST_DOMAIN};
+ include common/http-listen;
+
+ include common/https-redirect;
+ include common/acme-challenge;
+}
diff --git a/services/docker/nginx/configs/templates/ssl.conf.template b/services/docker/nginx/configs/templates/ssl.conf.template
new file mode 100644
index 0000000..54205f1
--- /dev/null
+++ b/services/docker/nginx/configs/templates/ssl.conf.template
@@ -0,0 +1,17 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file. Contents are based on https://ssl-config.mozilla.org
+
+ssl_certificate /etc/letsencrypt/live/${CRUPEST_DOMAIN}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/${CRUPEST_DOMAIN}/privkey.pem;
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
diff --git a/services/docker/nginx/configs/templates/timeline.conf.template b/services/docker/nginx/configs/templates/timeline.conf.template
new file mode 100644
index 0000000..a467594
--- /dev/null
+++ b/services/docker/nginx/configs/templates/timeline.conf.template
@@ -0,0 +1,6 @@
+server {
+ server_name timeline.${CRUPEST_DOMAIN};
+ include common/http-listen;
+
+ include common/acme-challenge;
+}
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-08 06:23:19 +0000