Diffstat (limited to 'template/nginx')
-rw-r--r--template/nginx/https-redirect.conf12
-rw-r--r--template/nginx/reverse-proxy.conf.template23
-rw-r--r--template/nginx/root.conf.template10
-rw-r--r--template/nginx/server.json25
-rw-r--r--template/nginx/server.schema.json80
-rw-r--r--template/nginx/server.ts29
-rw-r--r--template/nginx/ssl.conf14
-rw-r--r--template/nginx/static-file.conf.template10
8 files changed, 203 insertions, 0 deletions
diff --git a/template/nginx/https-redirect.conf b/template/nginx/https-redirect.conf
new file mode 100644
index 0000000..6301836
--- /dev/null
+++ b/template/nginx/https-redirect.conf
@@ -0,0 +1,12 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+ location /.well-known/acme-challenge {
+ root /srv/acme;
+ }
+}
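Review bot: `return 301 https://$host$request_uri;` in a `default_server` block with no `server_name` redirects to whatever Host header the client sent, so a request carrying a foreign Host value is answered with a 301 to that foreign origin. Restricting the block to the managed names, e.g. `server_name ${CRUPEST_DOMAIN} *.${CRUPEST_DOMAIN};` (this file is not a template, so the substitution mechanism used by the sibling `.template` files would have to apply here too), or redirecting to a fixed `$server_name`, keeps the redirect target under the operator's control. The ACME location is more specific than `/` and will win the prefix match, so certificate challenges are not affected by the redirect.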
diff --git a/template/nginx/reverse-proxy.conf.template b/template/nginx/reverse-proxy.conf.template
new file mode 100644
index 0000000..e98c066
--- /dev/null
+++ b/template/nginx/reverse-proxy.conf.template
@@ -0,0 +1,23 @@
+upstream ${CRUPEST_NGINX_UPSTREAM_NAME} {
+ server ${CRUPEST_NGINX_UPSTREAM_SERVER};
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name ${CRUPEST_NGINX_SUBDOMAIN}.${CRUPEST_DOMAIN};
+
+ ssl_certificate /etc/letsencrypt/live/${CRUPEST_NGINX_SUBDOMAIN}.${CRUPEST_DOMAIN}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${CRUPEST_NGINX_SUBDOMAIN}.${CRUPEST_DOMAIN}/privkey.pem;
+
+ location / {
+ proxy_pass http://${CRUPEST_NGINX_UPSTREAM_NAME};
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+}
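Review bot: None of the three 443 server blocks added in this change (this file, root.conf.template and static-file.conf.template) includes ssl.conf, so the protocol, cipher and session settings introduced there only take effect if an nginx.conf outside this diff includes it at http scope; if it does not, add `include <deployed-path>/ssl.conf;` (path to be filled in) next to the `ssl_certificate` lines of each block. Separately, `proxy_set_header Connection $http_connection;` forwards the client's Connection header verbatim to the upstream; the usual WebSocket pattern is an http-scope `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` with `proxy_set_header Connection $connection_upgrade;`, so only a genuine upgrade request sets `Connection: upgrade`. Note also that `$proxy_add_x_forwarded_for` appends to any client-supplied X-Forwarded-For, so the upstream should trust only the last entry (or `X-Real-IP`, which is set from `$remote_addr`).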
diff --git a/template/nginx/root.conf.template b/template/nginx/root.conf.template
new file mode 100644
index 0000000..8af8fff
--- /dev/null
+++ b/template/nginx/root.conf.template
@@ -0,0 +1,10 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name ${CRUPEST_DOMAIN};
+
+ ssl_certificate /etc/letsencrypt/live/${CRUPEST_DOMAIN}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${CRUPEST_DOMAIN}/privkey.pem;
+
+ root /srv/www;
+}
diff --git a/template/nginx/server.json b/template/nginx/server.json
new file mode 100644
index 0000000..cad0cb3
--- /dev/null
+++ b/template/nginx/server.json
@@ -0,0 +1,25 @@
+{
+ "$schema": "./server.schema.json",
+ "sites": [
+ {
+ "type": "reverse-proxy",
+ "subdomain": "code",
+ "upstream": {
+ "name": "code-server",
+ "server": "code-server:8080"
+ }
+ },
+ {
+ "type": "reverse-proxy",
+ "subdomain": "halo",
+ "upstream": {
+ "name": "halo",
+ "server": "halo:8090"
+ }
+ },
+ {
+ "type": "cert-only",
+ "subdomain": "mail"
+ }
+ ]
+} \ No newline at end of file
diff --git a/template/nginx/server.schema.json b/template/nginx/server.schema.json
new file mode 100644
index 0000000..536fead
--- /dev/null
+++ b/template/nginx/server.schema.json
@@ -0,0 +1,80 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "definitions": {
+ "CertOnlySite": {
+ "properties": {
+ "subdomain": {
+ "type": "string"
+ },
+ "type": {
+ "enum": [
+ "cert-only"
+ ],
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "ReverseProxySite": {
+ "properties": {
+ "subdomain": {
+ "type": "string"
+ },
+ "type": {
+ "enum": [
+ "reverse-proxy"
+ ],
+ "type": "string"
+ },
+ "upstream": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "server": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "StaticFileSite": {
+ "properties": {
+ "root": {
+ "type": "string"
+ },
+ "subdomain": {
+ "type": "string"
+ },
+ "type": {
+ "enum": [
+ "static-file"
+ ],
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "properties": {
+ "sites": {
+ "items": {
+ "anyOf": [
+ {
+ "$ref": "#/definitions/ReverseProxySite"
+ },
+ {
+ "$ref": "#/definitions/StaticFileSite"
+ },
+ {
+ "$ref": "#/definitions/CertOnlySite"
+ }
+ ]
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+} \ No newline at end of file
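Review bot: None of the three site definitions declares a `required` array, so an entry such as `{}` or one with a mistyped `type` key still satisfies the `anyOf` and the schema never enforces the discriminant that server.ts expresses as a literal `type`. Add `"required": ["type", "subdomain"]` to CertOnlySite, `["type", "subdomain", "root"]` to StaticFileSite and `["type", "subdomain", "upstream"]` (plus `["name", "server"]` inside `upstream`) to ReverseProxySite; if the file is produced by typescript-json-schema, its `--required` option emits these from the non-optional interface members. Since `upstream.name`, `upstream.server`, `subdomain` and `root` are substituted verbatim into nginx directives by the `.template` files, a `"pattern"` on each that excludes whitespace, `;`, `{` and `}` would also keep a malformed value from changing the generated config's structure.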
diff --git a/template/nginx/server.ts b/template/nginx/server.ts
new file mode 100644
index 0000000..6a5d24d
--- /dev/null
+++ b/template/nginx/server.ts
@@ -0,0 +1,29 @@
+// Used to generate json schema.
+
+export interface ReverseProxySite {
+ type: "reverse-proxy";
+ subdomain: string;
+ upstream: {
+ name: string;
+ server: string;
+ };
+}
+
+export interface StaticFileSite {
+ type: "static-file";
+ subdomain: string;
+ root: string;
+}
+
+export interface CertOnlySite {
+ type: "cert-only";
+ subdomain: string;
+}
+
+export type Site = ReverseProxySite | StaticFileSite | CertOnlySite;
+
+export type Sites = Site[];
+
+export interface Server {
+ sites: Sites;
+}
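Review bot: The interfaces carry no doc comments, so neither a reader of this file nor the schema derived from it learns what the fields mean or which nginx directive each feeds. I would add TSDoc on each member, e.g. above `server: string;` in `ReverseProxySite` `/** Address of the backend, e.g. host:port, placed in the upstream block's server directive. */`, above `subdomain` `/** Label prefixed to the configured domain to form server_name; must be a valid DNS label. */`, and above `Site` a sentence noting that `type` is the discriminant and that the JSON schema is generated from these declarations. The header comment `// Used to generate json schema.` would be more useful if it named the generator and the command that produces server.schema.json.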
diff --git a/template/nginx/ssl.conf b/template/nginx/ssl.conf
new file mode 100644
index 0000000..f2aadba
--- /dev/null
+++ b/template/nginx/ssl.conf
@@ -0,0 +1,14 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file. Contents are based on https://ssl-config.mozilla.org
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
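Review bot: The cipher list ends with `DHE-RSA-AES128-GCM-SHA256` and `DHE-RSA-AES256-GCM-SHA384`, but no `ssl_dhparam` directive is set anywhere in this change; without DH parameters nginx cannot negotiate the DHE suites, so they are dead entries unless the parameter file is configured elsewhere. Either add `ssl_dhparam <path-to-dhparam.pem>;` (path to be filled in, file generated at deployment time) or drop the two DHE suites and rely on the ECDHE ones. The Mozilla profile this is based on also sets HSTS; if the intent is to match it, `add_header Strict-Transport-Security "max-age=63072000" always;` belongs in the 443 server blocks, with the max-age chosen deliberately since it is not easily reverted.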
diff --git a/template/nginx/static-file.conf.template b/template/nginx/static-file.conf.template
new file mode 100644
index 0000000..01054cf
--- /dev/null
+++ b/template/nginx/static-file.conf.template
@@ -0,0 +1,10 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name ${CRUPEST_NGINX_SUBDOMAIN}.${CRUPEST_DOMAIN};
+
+ ssl_certificate /etc/letsencrypt/live/${CRUPEST_NGINX_SUBDOMAIN}.${CRUPEST_DOMAIN}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/${CRUPEST_NGINX_SUBDOMAIN}.${CRUPEST_DOMAIN}/privkey.pem;
+
+ root ${CRUPEST_NGINX_ROOT};
+}