From b5ab21549d5bcbd6176716dbd26a3662665c6e53 Mon Sep 17 00:00:00 2001 
From: Franziska Kunsmann
Date: Sun, 4 Jul 2021 19:27:12 +0200
Subject: [PATCH] bundles/nginx: rename 'proxy' metadata to 'locations', support more generic options, move extras files to metadata
---
 bundles/c3voc-addons/files/site_template | 4 +-
 bundles/gitea/metadata.py | 2 +-
 bundles/miniflux/metadata.py | 2 +-
 bundles/nginx/files/site_template | 49 +++++--
 bundles/pleroma/metadata.py | 2 +-
 .../files/extras/home.paperless/paperless | 3 -
 .../htz-cloud.pleroma/pleroma-www-redir | 1 -
 .../htz.ex42-1048908/chat.franzi.business | 11 --
 .../htz.ex42-1048908/daskritzelt-redirect | 3 -
 .../extras/htz.ex42-1048908/dav.kunsmann.eu | 14 ---
 .../dimension.franzi.business | 14 +-
 .../extras/htz.ex42-1048908/franzi.business | 11 --
 .../files/extras/htz.ex42-1048908/kunsmann.eu | 9 --
 .../htz.ex42-1048908/matrix.franzi.business | 32 -----
 data/nginx/files/extras/rx300/travelynx | 7 --
 nodes.py | 1 +
 nodes/gce/bind01.py | 2 +-
 nodes/home/paperless-sophie.py | 2 +-
 nodes/home/paperless.py | 6 +-
 nodes/htz-cloud/influxdb.py | 2 +-
 nodes/htz-cloud/miniserver.py | 2 +-
 nodes/htz-cloud/pleroma.py | 6 +-
 nodes/htz/ex42-1048908.py | 112 ++++++++++++++++--
 nodes/ovh/icinga2.py | 2 +-
 nodes/rx300.py | 9 +-
 25 files changed, 164 insertions(+), 144 deletions(-)
 delete mode 100644 data/nginx/files/extras/home.paperless/paperless
 delete mode 100644 data/nginx/files/extras/htz-cloud.pleroma/pleroma-www-redir
 delete mode 100644 data/nginx/files/extras/htz.ex42-1048908/chat.franzi.business
 delete mode 100644 data/nginx/files/extras/htz.ex42-1048908/daskritzelt-redirect
 delete mode 100644 data/nginx/files/extras/htz.ex42-1048908/dav.kunsmann.eu
 delete mode 100644 data/nginx/files/extras/htz.ex42-1048908/franzi.business
 delete mode 100644 data/nginx/files/extras/htz.ex42-1048908/kunsmann.eu
 delete mode 100644 data/nginx/files/extras/htz.ex42-1048908/matrix.franzi.business
 delete mode 100644 data/nginx/files/extras/rx300/travelynx
diff --git a/bundles/c3voc-addons/files/site_template b/bundles/c3voc-addons/files/site_template
index 04abd85..e2b4f30 100644
--- a/bundles/c3voc-addons/files/site_template
+++ b/bundles/c3voc-addons/files/site_template
@@ -32,8 +32,8 @@ server {
 alias /var/www/dehydrated;
 }
-% if proxy:
-% for location, options in proxy.items():
+% if locations:
+% for location, options in locations.items():
 location ${location} {
 proxy_pass ${options['target']};
 proxy_http_version ${options.get('http_version', '1.1')};
diff --git a/bundles/gitea/metadata.py b/bundles/gitea/metadata.py
index 978369c..e18b9fd 100644
--- a/bundles/gitea/metadata.py
+++ b/bundles/gitea/metadata.py
@@ -58,7 +58,7 @@ def nginx(metadata):
 'nginx': {
 'vhosts': {
 metadata.get('gitea/domain'): {
- 'proxy': {
+ 'locations': {
 '/': {
 'target': 'http://127.0.0.1:22000',
 },
diff --git a/bundles/miniflux/metadata.py b/bundles/miniflux/metadata.py
index 73a7f04..907d2ae 100644
--- a/bundles/miniflux/metadata.py
+++ b/bundles/miniflux/metadata.py
@@ -47,7 +47,7 @@ def nginx(metadata):
 'vhosts': {
 'miniflux': {
 'domain': metadata.get('miniflux/domain'),
- 'proxy': {
+ 'locations': {
 '/': {
 'target': 'http://127.0.0.1:22040',
 },
diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template
index 8da4e89..d63e544 100644
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@@ -62,8 +62,6 @@ server {
 % if max_body_size:
 client_max_body_size ${max_body_size};
-% elif proxy or php:
- client_max_body_size 5M;
 % endif
 % if not do_not_set_content_security_headers:
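Review bot: The c3voc template is only renamed here; it still emits `proxy_pass ${options['target']}` for every entry, so a `locations` entry that uses the `redirect`/`return`/`root`/`alias` keys the main nginx template now accepts would raise a KeyError at render time under c3voc-addons. If both templates are meant to share one `locations` schema, either port the `% if 'target' in options:` branching here too, or state the restriction above the loop, e.g. `## c3voc: only locations with a 'target' are supported here`. The enclosing server block starts and ends outside the hunk.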
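Review bot: Dropping the `% elif proxy or php:` fallback changes the effective upload limit for vhosts that set no `max_body_size`: the replacement per-location `client_max_body_size` in the later hunk of this file is emitted only for locations with a `target` (and the php block), so `root`/`alias` locations and anything pulled in via `extras` now fall back to nginx's built-in 1M default. If that is intended, a one-line comment at this spot saves the next reader the archaeology, e.g. `## no server-wide default: proxied locations set their own limit below`.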
@@ -86,40 +84,61 @@ server {
 }
 % endif
-% if proxy:
-% for location, options in proxy.items():
+% if locations:
+% for location, options in sorted(locations.items()):
 location ${location} {
+% if 'target' in options:
 proxy_pass ${options['target']};
 proxy_http_version ${options.get('http_version', '1.1')};
 proxy_set_header Host ${domain};
-% if options.get('websockets', False):
+% if options.get('websockets', False):
 proxy_set_header Connection "upgrade";
 proxy_set_header Upgrade $http_upgrade;
-% endif
+% endif
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-% if ssl:
+% if ssl:
 proxy_set_header X-Forwarded-Proto HTTPS;
-% endif
+% endif
 proxy_set_header X-Forwarded-Host ${domain};
-% for option, value in options.get('proxy_set_header', {}).items():
+% for option, value in options.get('proxy_set_header', {}).items():
 proxy_set_header ${option} ${value};
-% endfor
+% endfor
-% if location != '/':
+% if location != '/':
 proxy_set_header X-Script-Name ${location};
-% endif
+% endif
 proxy_buffering off;
+ client_max_body_size ${options.get('max_body_size', '5M')};
+% elif 'redirect' in options:
+ return ${options.get('mode', 302)} ${options['redirect']};
+% elif 'return' in options:
+ return ${options.get('mode', 200)} '${options['return']}';
+% elif 'root' in options:
+ root ${options['root']};
+% elif 'alias' in options:
+ alias ${options['alias']};
+% endif
+% if 'auth' in options:
+ auth_basic "${options['auth'].get('realm', vhost)}";
+ auth_basic_user_file ${options['auth']['file']};
+% endif
+% for opt in sorted(options.get('additional_config', set())):
+ ${opt};
+% endfor
 }
-% endfor
-% endif
+% endfor
+% endif
 % if php:
 location ~ \.php$ {
 include fastcgi.conf;
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;
 }
-% endif
+% if not max_body_size:
+ client_max_body_size 5M;
+% endif
+% endif
 % if extras:
 <%include file="extras/${node.name}/${vhost}" />
 % endif
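Review bot: In the new `return` branch the metadata value is pasted unescaped between single quotes, `return ${options.get('mode', 200)} '${options['return']}';`, and nginx expands `$name` references inside that string, so a value containing `'` or `$` either fails `nginx -t` or is variable-substituted at request time; the `additional_config` loop likewise emits each entry verbatim as a directive. These values come from node metadata rather than from requests, so the fix is documentation: add `## 'return' values must not contain ' or $ (nginx expands variables here); 'additional_config' entries are emitted verbatim` above the branch. `sorted(locations.items())` only makes the rendered file stable; nginx prefix matching picks the longest match regardless of order, which is worth a short comment so nobody later "fixes" the ordering.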
diff --git a/bundles/pleroma/metadata.py b/bundles/pleroma/metadata.py
index 0007ec2..056b72d 100644
--- a/bundles/pleroma/metadata.py
+++ b/bundles/pleroma/metadata.py
@@ -45,7 +45,7 @@ def nginx(metadata):
 'vhosts': {
 'pleroma': {
 'domain': metadata.get('pleroma/url'),
- 'proxy': {
+ 'locations': {
 '/': {
 'target': 'http://127.0.0.1:21000',
 'websockets': True,
diff --git a/data/nginx/files/extras/home.paperless/paperless b/data/nginx/files/extras/home.paperless/paperless
deleted file mode 100644
index 1aa1b28..0000000
--- a/data/nginx/files/extras/home.paperless/paperless
+++ /dev/null
@@ -1,3 +0,0 @@
- location /static/ {
- alias /opt/paperless/static/;
- }
diff --git a/data/nginx/files/extras/htz-cloud.pleroma/pleroma-www-redir b/data/nginx/files/extras/htz-cloud.pleroma/pleroma-www-redir
deleted file mode 100644
index eefd814..0000000
--- a/data/nginx/files/extras/htz-cloud.pleroma/pleroma-www-redir
+++ /dev/null
@@ -1 +0,0 @@
- return 308 https://cybert-media.net$request_uri;
diff --git a/data/nginx/files/extras/htz.ex42-1048908/chat.franzi.business b/data/nginx/files/extras/htz.ex42-1048908/chat.franzi.business
deleted file mode 100644
index cdec6e8..0000000
--- a/data/nginx/files/extras/htz.ex42-1048908/chat.franzi.business
+++ /dev/null
@@ -1,11 +0,0 @@
- location /.well-known/matrix/client {
- return 200 '{"m.homeserver": {"base_url": "https://matrix.franzi.business"},"m.identity_server": {"base_url": "https://matrix.org"},"im.vector.riot.jitsi": {"preferredDomain": "meet.ffmuc.net"}}';
- default_type application/json;
- add_header Access-Control-Allow-Origin *;
- }
- location /.well-known/matrix/server {
- return 200 '{"m.server": "matrix.franzi.business:443"}';
- default_type application/json;
- add_header Access-Control-Allow-Origin *;
- }
diff --git a/data/nginx/files/extras/htz.ex42-1048908/daskritzelt-redirect b/data/nginx/files/extras/htz.ex42-1048908/daskritzelt-redirect
deleted file mode 100644
index 7a0fd35..0000000
--- a/data/nginx/files/extras/htz.ex42-1048908/daskritzelt-redirect
+++ /dev/null
@@ -1,3 +0,0 @@
- location / {
- return 302 https://twitter.com/daskritzelt/status/1259167444373028864;
- }
diff --git a/data/nginx/files/extras/htz.ex42-1048908/dav.kunsmann.eu b/data/nginx/files/extras/htz.ex42-1048908/dav.kunsmann.eu
deleted file mode 100644
index 5cdae6c..0000000
--- a/data/nginx/files/extras/htz.ex42-1048908/dav.kunsmann.eu
+++ /dev/null
@@ -1,14 +0,0 @@
- location / {
- proxy_pass http://[::1]:22050;
- proxy_set_header X-Script-Name /;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Remote-User $remote_user;
- auth_basic "Radicale";
- auth_basic_user_file /etc/radicale/htpasswd;
- }
- location /.web/ {
- proxy_pass http://[::1]:22050;
- proxy_set_header X-Script-Name /;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
diff --git a/data/nginx/files/extras/htz.ex42-1048908/dimension.franzi.business b/data/nginx/files/extras/htz.ex42-1048908/dimension.franzi.business
index d17afa5..d8a3ff9 100644
--- a/data/nginx/files/extras/htz.ex42-1048908/dimension.franzi.business
+++ b/data/nginx/files/extras/htz.ex42-1048908/dimension.franzi.business
@@ -1,13 +1 @@
- add_header Content-Security-Policy "frame-ancestors 'self' chat.franzi.business chat.sophies-kitchen.eu";
-
- location /.well-known/matrix/client {
- return 200 '{"m.homeserver": {"base_url": "https://matrix.franzi.business"},"m.identity_server": {"base_url": "https://matrix.org"},"im.vector.riot.jitsi": {"preferredDomain": "meet.ffmuc.net"}}';
- default_type application/json;
- add_header Access-Control-Allow-Origin *;
- }
-
- location /.well-known/matrix/server {
- return 200 '{"m.server": "matrix.franzi.business:443"}';
- default_type application/json;
- add_header Access-Control-Allow-Origin *;
- }
+ add_header Content-Security-Policy "frame-ancestors 'self' chat.franzi.business";
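Review bot: The surviving `add_header Content-Security-Policy` line also drops `chat.sophies-kitchen.eu` from `frame-ancestors`, which is a policy change the commit subject (rename and move of extras) does not mention; if that client still embeds this Dimension instance, browsers will refuse to frame it. Please confirm that is intended, and note that the two `.well-known/matrix` locations removed from this file are not re-added under `locations` for the dimension.franzi.business vhost in nodes/htz/ex42-1048908.py, so they disappear from that host entirely.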
diff --git a/data/nginx/files/extras/htz.ex42-1048908/franzi.business b/data/nginx/files/extras/htz.ex42-1048908/franzi.business
deleted file mode 100644
index cdec6e8..0000000
--- a/data/nginx/files/extras/htz.ex42-1048908/franzi.business
+++ /dev/null
@@ -1,11 +0,0 @@
- location /.well-known/matrix/client {
- return 200 '{"m.homeserver": {"base_url": "https://matrix.franzi.business"},"m.identity_server": {"base_url": "https://matrix.org"},"im.vector.riot.jitsi": {"preferredDomain": "meet.ffmuc.net"}}';
- default_type application/json;
- add_header Access-Control-Allow-Origin *;
- }
- location /.well-known/matrix/server {
- return 200 '{"m.server": "matrix.franzi.business:443"}';
- default_type application/json;
- add_header Access-Control-Allow-Origin *;
- }
diff --git a/data/nginx/files/extras/htz.ex42-1048908/kunsmann.eu b/data/nginx/files/extras/htz.ex42-1048908/kunsmann.eu
deleted file mode 100644
index 154eb15..0000000
--- a/data/nginx/files/extras/htz.ex42-1048908/kunsmann.eu
+++ /dev/null
@@ -1,9 +0,0 @@
- location / {
- return 301 https://franzi.business$request_uri;
- }
- location /.well-known/openpgpkey/ {
- alias /var/www/kunsmann.eu/.well-known/openpgpkey/;
- default_type application/octet-stream;
- add_header Access-Control-Allow-Origin * always;
- }
diff --git a/data/nginx/files/extras/htz.ex42-1048908/matrix.franzi.business b/data/nginx/files/extras/htz.ex42-1048908/matrix.franzi.business
deleted file mode 100644
index 01db332..0000000
--- a/data/nginx/files/extras/htz.ex42-1048908/matrix.franzi.business
+++ /dev/null
@@ -1,32 +0,0 @@
- location /.well-known/matrix/client {
- return 200 '{"m.homeserver": {"base_url": "https://matrix.franzi.business"},"m.identity_server": {"base_url": "https://matrix.org"},"im.vector.riot.jitsi": {"preferredDomain": "meet.ffmuc.net"}}';
- default_type application/json;
- add_header Access-Control-Allow-Origin *;
- }
- location /.well-known/matrix/server {
- return 200 '{"m.server": "matrix.franzi.business:443"}';
- default_type application/json;
- add_header Access-Control-Allow-Origin *;
- }
- location /_matrix {
- proxy_pass http://[::1]:20080;
-
- proxy_set_header Host "franzi.business";
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
- location /_matrix/media {
- proxy_pass http://localhost:20090;
-
- client_max_body_size 500M;
-
- proxy_read_timeout 600s;
- proxy_set_header Host "franzi.business";
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
diff --git a/data/nginx/files/extras/rx300/travelynx b/data/nginx/files/extras/rx300/travelynx
deleted file mode 100644
index 15e999c..0000000
--- a/data/nginx/files/extras/rx300/travelynx
+++ /dev/null
@@ -1,7 +0,0 @@
- location /static {
- root /opt/travelynx/public;
- }
- location /service-worker.js {
- root /opt/travelynx/public;
- }
diff --git a/nodes.py b/nodes.py
index c84b08d..92f2ed2 100644
--- a/nodes.py
+++ b/nodes.py
@@ -1,3 +1,4 @@
+from json import dumps as json_dumps
 from os.path import join
 from pathlib import Path
diff --git a/nodes/gce/bind01.py b/nodes/gce/bind01.py
index 7bc34fe..544827e 100644
--- a/nodes/gce/bind01.py
+++ b/nodes/gce/bind01.py
@@ -28,7 +28,7 @@ nodes['gce.bind01'] = {
 'nginx': {
 'vhosts': {
 'ns-1.kunbox.net': {
- 'proxy': {
+ 'locations': {
 '/': {
 'target': 'http://127.0.0.1:8000/',
 },
diff --git a/nodes/home/paperless-sophie.py b/nodes/home/paperless-sophie.py
index 89ef2df..dab7b46 100644
--- a/nodes/home/paperless-sophie.py
+++ b/nodes/home/paperless-sophie.py
@@ -51,7 +51,7 @@ nodes['home.paperless-sophie'] = {
 'paperless': {
 'domain': 'paperless-sophie.home.kunbox.net',
 'ssl': '_.home.kunbox.net',
- 'proxy': {
+ 'locations': {
 '/': {
 'target': 'http://127.0.0.1:22070',
 'websockets': True,
diff --git a/nodes/home/paperless.py b/nodes/home/paperless.py
index bc037bd..23844fc 100644
--- a/nodes/home/paperless.py
+++ b/nodes/home/paperless.py
@@ -40,7 +40,7 @@ nodes['home.paperless'] = {
 'paperless': {
 'domain': 'paperless.home.kunbox.net',
 'ssl': '_.home.kunbox.net',
- 'proxy': {
+ 'locations': {
 '/': {
 'target': 'http://127.0.0.1:22070',
 'websockets': True,
@@ -48,8 +48,10 @@ nodes['home.paperless'] = {
 'X-Forwarded-Host': '$server_name',
 },
 },
+ '/static/': {
+ 'alias': '/opt/paperless/static/',
+ },
 },
- 'extras': True,
 'max_body_size': '100M',
 },
 },
diff --git a/nodes/htz-cloud/influxdb.py b/nodes/htz-cloud/influxdb.py
index 2e0e40b..b1f5e1a 100644
--- a/nodes/htz-cloud/influxdb.py
+++ b/nodes/htz-cloud/influxdb.py
@@ -42,7 +42,7 @@ nodes['htz-cloud.influxdb'] = {
 'vhosts': {
 'influxdb': {
 'domain': 'influxdb.kunsmann.eu',
- 'proxy': {
+ 'locations': {
 '/': {
 'target': 'http://localhost:8086',
 'websockets': True,
diff --git a/nodes/htz-cloud/miniserver.py b/nodes/htz-cloud/miniserver.py
index f7f9437..1085b16 100644
--- a/nodes/htz-cloud/miniserver.py
+++ b/nodes/htz-cloud/miniserver.py
@@ -160,7 +160,7 @@ nodes['htz-cloud.miniserver'] = {
 # 'extras': True,
 # 'do_not_set_content_security_headers': True,
 # 'max_body_size': '50M',
- # 'proxy': {
+ # 'locations': {
 # '/': {
 # 'target': 'http://127.0.0.1:8184',
 # },
diff --git a/nodes/htz-cloud/pleroma.py b/nodes/htz-cloud/pleroma.py
index 2f8ff14..5e3582d 100644
--- a/nodes/htz-cloud/pleroma.py
+++ b/nodes/htz-cloud/pleroma.py
@@ -44,7 +44,11 @@ nodes['htz-cloud.pleroma'] = {
 },
 'pleroma-www-redir': {
 'domain': 'www.cybert-media.net',
- 'extras': True,
+ 'locations': {
+ '/': {
+ 'redirect': 'https://cybert-media.net$request_uri',
+ },
+ },
 },
 },
 },
diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py
index 3c696b6..6edbb4e 100644
--- a/nodes/htz/ex42-1048908.py
+++ b/nodes/htz/ex42-1048908.py
@@ -261,18 +261,35 @@ nodes['htz.ex42-1048908'] = {
 'vhosts': {
 # TODO maybe some of this can be moved to a bundle?
 'dav.kunsmann.eu': {
- 'extras': True,
+ 'locations': {
+ '/': {
+ 'target': 'http://[::1]:22050',
+ 'auth': {
+ 'file': '/etc/radicale/htpasswd',
+ },
+ 'proxy_set_header': {
+ 'X-Remote-User': '$remote_user',
+ },
+ },
+ '/.web/': {
+ 'target': 'http://[::1]:22050',
+ }
+ },
 },
 'daskritzelt-redirect': {
 'domain': 'die-brontosaurier-waren-es.org',
- 'ssl': False, # TODO enable ssl once domain transfer is done
- 'extras': True,
+ 'ssl': None,
+ 'locations': {
+ '/': {
+ 'redirect': 'https://twitter.com/daskritzelt/status/1259167444373028864',
+ },
+ },
 },
 'dimension.franzi.business': {
 'extras': True,
 'do_not_set_content_security_headers': True,
 'max_body_size': '50M',
- 'proxy': {
+ 'locations': {
 '/': {
 'target': 'http://127.0.0.1:8184',
 },
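Review bot: The deleted extras file answered with `return 308`, but the new `redirect` location sets no `mode`, so the template emits its default `return 302`; 308 is permanent and preserves the request method, so this silently changes caching behaviour and what non-GET requests to www.cybert-media.net do. Add `'mode': 308,` beside `'redirect'` to keep the old behaviour. The same silent downgrade (301 to 302) happens for kunsmann.eu in the later hunk of nodes/htz/ex42-1048908.py.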
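Review bot: For dav.kunsmann.eu the `/.web/` location proxies to the same backend as `/` but, unlike `/`, neither requires `auth` nor sets `X-Remote-User`, so a client-supplied `X-Remote-User` header is passed through unchanged to a backend that is told to trust `$remote_user` on `/`; the deleted extras file had the same gap, but moving it into metadata is the moment to close it — add `'proxy_set_header': {'X-Remote-User': ''},` to `/.web/` (nginx drops a header whose value is empty), or protect the whole vhost with `auth`, assuming Radicale is configured to authenticate from that header. Two smaller behaviour changes from the template: `/` no longer receives `X-Script-Name /` (the template only sets it for non-root locations), and `/.web/` now receives `X-Script-Name /.web/` instead of `/`, which may change the URLs Radicale's web UI generates. `'ssl': None` replaces `'ssl': False` and the TODO about enabling SSL is gone; whether the template treats `None` like `False` is not visible here — confirm.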
@@ -280,10 +297,37 @@ nodes['htz.ex42-1048908'] = {
 },
 'franzi.business': {
 'webroot': '/var/www/franzi.business/_site/',
- 'extras': True,
+ 'locations': {
+ '/.well-known/matrix/client': {
+ 'return': json_dumps({
+ 'm.homeserver': {
+ 'base_url': 'https://matrix.franzi.business',
+ },
+ 'm.identity_server': {
+ 'base_url': 'https://matrix.org',
+ },
+ 'im.vector.riot.jitsi': {
+ 'preferredDomain': 'meet.ffmuc.net',
+ },
+ }, sort_keys=True),
+ 'additional_config': {
+ 'default_type application/json',
+ 'add_header Access-Control-Allow-Origin *',
+ },
+ },
+ '/.well-known/matrix/server': {
+ 'return': json_dumps({
+ 'm.server': 'https://matrix.franzi.business',
+ }, sort_keys=True),
+ 'additional_config': {
+ 'default_type application/json',
+ 'add_header Access-Control-Allow-Origin *',
+ },
+ },
+ },
 },
 'jenkins.kunsmann.eu': {
- 'proxy': {
+ 'locations': {
 '/': {
 'target': 'http://localhost:22010/',
 },
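Review bot: `m.server` changes from `matrix.franzi.business:443` (the deleted extras file) to `https://matrix.franzi.business`; the Matrix server-server well-known format is `hostname[:port]` with no scheme, so other homeservers resolving franzi.business will reject this delegation and fall back to SRV or direct lookup, which quietly breaks federation. Restore `'m.server': 'matrix.franzi.business:443',` here and in the matrix.franzi.business entry of the next hunk. `json_dumps` is imported in nodes.py rather than in this file, which only resolves if nodes.py evaluates node files inside its own namespace — not visible here, so please confirm. The enclosing `nodes[...]` dict starts and ends outside the hunk.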
@@ -293,10 +337,58 @@ nodes['htz.ex42-1048908'] = {
 },
 'kunbox.net': {},
 'kunsmann.eu': {
- 'extras': True,
+ 'locations': {
+ '/': {
+ 'redirect': 'https://franzi.business$request_uri',
+ },
+ '/.well-known/openpgpkey': {
+ 'alias': '/var/www/kunsmann.eu/.well-known/openpgpkey/',
+ 'additional_config': {
+ 'default_type application/octet-stream',
+ 'add_header Access-Control-Allow-Origin *',
+ },
+ },
+ },
 },
 'matrix.franzi.business': {
- 'extras': True,
+ 'locations': {
+ '/_matrix': {
+ 'target': 'http://[::1]:20080',
+ },
+ '/_matrix/media': {
+ 'target': 'http://localhost:20090',
+ 'client_max_body_size': '500M',
+ },
+ '/_synapse': {
+ 'target': 'http://[::1]:20080',
+ },
+ '/.well-known/matrix/client': {
+ 'return': json_dumps({
+ 'm.homeserver': {
+ 'base_url': 'https://matrix.franzi.business',
+ },
+ 'm.identity_server': {
+ 'base_url': 'https://matrix.org',
+ },
+ 'im.vector.riot.jitsi': {
+ 'preferredDomain': 'meet.ffmuc.net',
+ },
+ }, sort_keys=True),
+ 'additional_config': {
+ 'default_type application/json',
+ 'add_header Access-Control-Allow-Origin *',
+ },
+ },
+ '/.well-known/matrix/server': {
+ 'return': json_dumps({
+ 'm.server': 'https://matrix.franzi.business',
+ }, sort_keys=True),
+ 'additional_config': {
+ 'default_type application/json',
+ 'add_header Access-Control-Allow-Origin *',
+ },
+ },
+ },
 },
 'mta-sts': {
 'domain': 'mta-sts.mx0.kunbox.net',
@@ -322,14 +414,14 @@ nodes['htz.ex42-1048908'] = {
 'website_check_string': 'login',
 },
 'rspamd.mx0.kunbox.net': {
- 'proxy': {
+ 'locations': {
 '/': {
 'target': 'http://localhost:11334/',
 },
 },
 },
 # 'travelynx.franzi.business': {
-# 'proxy': {
+# 'locations': {
 # '/': {
 # 'target': 'http://127.0.0.1:22020',
 # },
diff --git a/nodes/ovh/icinga2.py b/nodes/ovh/icinga2.py
index 60f3acd..025eb84 100644
--- a/nodes/ovh/icinga2.py
+++ b/nodes/ovh/icinga2.py
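Review bot: The `'/.well-known/openpgpkey'` key lost the trailing slash the deleted extras location had while its `alias` keeps one; with nginx `alias`, whatever follows the matched prefix is appended to the alias path, so a request path that continues the prefix without a slash (including a `..` segment) resolves relative to the parent of the intended directory — this is the classic alias misconfiguration that gixy flags, so use `'/.well-known/openpgpkey/'` as the key. Separately, `'client_max_body_size': '500M'` on `/_matrix/media` is never read: the template looks up `options.get('max_body_size', '5M')`, so media uploads are now capped at 5M; rename it to `'max_body_size': '500M'`. The deleted file's `proxy_read_timeout 600s` for the media location and the `always` flag on the openpgpkey `add_header` are also dropped, and both can be carried via `additional_config`. The `Host` header sent to Synapse changes from the literal `franzi.business` to the vhost domain — whether Synapse accepts that depends on its server_name configuration, which is not visible here.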
@@ -79,7 +79,7 @@ nodes['ovh.icinga2'] = {
 },
 'icinga_statusmonitor': {
 'domain': 'statusmonitor.icinga.kunsmann.eu',
- 'proxy': {
+ 'locations': {
 '/': {
 'target': 'http://127.0.0.1:5000/',
 }
diff --git a/nodes/rx300.py b/nodes/rx300.py
index 429b267..636ed45 100644
--- a/nodes/rx300.py
+++ b/nodes/rx300.py
@@ -66,12 +66,17 @@ nodes['rx300'] = {
 'travelynx': {
 'domain': 'travelynx.franzi.business',
 'ssl': '_.franzi.business',
- 'proxy': {
+ 'locations': {
 '/': {
 'target': 'http://127.0.0.1:22020',
 },
+ '/static': {
+ 'root': '/opt/travelynx/public',
+ },
+ '/service-worker.js': {
+ 'root': '/opt/travelynx/public',
+ },
 },
- 'extras': True,
 },
 },
 },