bundles/nginx: rename 'proxy' metadata to 'locations', support more generic options, move extras files to metadata
All checks were successful
bundlewrap/pipeline/head This commit looks good

Franzi 2021-07-04 19:27:12 +02:00
parent a3a228fc2d
commit b5ab21549d
Signed by: kunsi
GPG key ID: 12E3D2136B818350
25 changed files with 164 additions and 144 deletions


@ -32,8 +32,8 @@ server {
alias /var/www/dehydrated; alias /var/www/dehydrated;
} }
% if proxy: % if locations:
% for location, options in proxy.items(): % for location, options in locations.items():
location ${location} { location ${location} {
proxy_pass ${options['target']}; proxy_pass ${options['target']};
proxy_http_version ${options.get('http_version', '1.1')}; proxy_http_version ${options.get('http_version', '1.1')};


@ -58,7 +58,7 @@ def nginx(metadata):
'nginx': { 'nginx': {
'vhosts': { 'vhosts': {
metadata.get('gitea/domain'): { metadata.get('gitea/domain'): {
'proxy': { 'locations': {
'/': { '/': {
'target': 'http://127.0.0.1:22000', 'target': 'http://127.0.0.1:22000',
}, },


@ -47,7 +47,7 @@ def nginx(metadata):
'vhosts': { 'vhosts': {
'miniflux': { 'miniflux': {
'domain': metadata.get('miniflux/domain'), 'domain': metadata.get('miniflux/domain'),
'proxy': { 'locations': {
'/': { '/': {
'target': 'http://127.0.0.1:22040', 'target': 'http://127.0.0.1:22040',
}, },


@ -62,8 +62,6 @@ server {
% if max_body_size: % if max_body_size:
client_max_body_size ${max_body_size}; client_max_body_size ${max_body_size};
% elif proxy or php:
client_max_body_size 5M;
% endif % endif
% if not do_not_set_content_security_headers: % if not do_not_set_content_security_headers:
@ -86,9 +84,10 @@ server {
} }
% endif % endif
% if proxy: % if locations:
% for location, options in proxy.items(): % for location, options in sorted(locations.items()):
location ${location} { location ${location} {
% if 'target' in options:
proxy_pass ${options['target']}; proxy_pass ${options['target']};
proxy_http_version ${options.get('http_version', '1.1')}; proxy_http_version ${options.get('http_version', '1.1')};
proxy_set_header Host ${domain}; proxy_set_header Host ${domain};
@ -108,18 +107,38 @@ server {
proxy_set_header X-Script-Name ${location}; proxy_set_header X-Script-Name ${location};
% endif % endif
proxy_buffering off; proxy_buffering off;
client_max_body_size ${options.get('max_body_size', '5M')};
% elif 'redirect' in options:
return ${options.get('mode', 302)} ${options['redirect']};
% elif 'return' in options:
return ${options.get('mode', 200)} '${options['return']}';
% elif 'root' in options:
root ${options['root']};
% elif 'alias' in options:
alias ${options['alias']};
% endif
% if 'auth' in options:
auth_basic "${options['auth'].get('realm', vhost)}";
auth_basic_user_file ${options['auth']['file']};
% endif
% for opt in sorted(options.get('additional_config', set())):
${opt};
% endfor
} }
% endfor % endfor
% endif % endif
% if php: % if php:
location ~ \.php$ { location ~ \.php$ {
include fastcgi.conf; include fastcgi.conf;
fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php${php_version}-fpm.sock; fastcgi_pass unix:/run/php/php${php_version}-fpm.sock;
} }
% if not max_body_size:
client_max_body_size 5M;
% endif % endif
% endif
% if extras: % if extras:
<%include file="extras/${node.name}/${vhost}" /> <%include file="extras/${node.name}/${vhost}" />
% endif % endif
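Review bot: The new per-location `client_max_body_size ${options.get('max_body_size', '5M')};` is written into every proxied location, so it overrides the server-level `client_max_body_size ${max_body_size};` emitted near the top of the server block. Vhosts on this page that set only the vhost-wide `max_body_size` (100M and 50M in the node files) would be limited to 5M on their proxied paths, unless a per-location value is set in metadata lines outside the visible hunks. Falling back to the vhost value, `client_max_body_size ${options.get('max_body_size', max_body_size or '5M')};`, keeps the previous limits. Separately, `return ${options.get('mode', 200)} '${options['return']}';` puts the metadata string between single quotes unescaped, so a value containing `'` or `$` would break or change the generated config; escaping both in the template would make the `return` option safe for arbitrary JSON.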


@ -45,7 +45,7 @@ def nginx(metadata):
'vhosts': { 'vhosts': {
'pleroma': { 'pleroma': {
'domain': metadata.get('pleroma/url'), 'domain': metadata.get('pleroma/url'),
'proxy': { 'locations': {
'/': { '/': {
'target': 'http://127.0.0.1:21000', 'target': 'http://127.0.0.1:21000',
'websockets': True, 'websockets': True,


@ -1,3 +0,0 @@
location /static/ {
alias /opt/paperless/static/;
}


@ -1 +0,0 @@
return 308 https://cybert-media.net$request_uri;


@ -1,11 +0,0 @@
location /.well-known/matrix/client {
return 200 '{"m.homeserver": {"base_url": "https://matrix.franzi.business"},"m.identity_server": {"base_url": "https://matrix.org"},"im.vector.riot.jitsi": {"preferredDomain": "meet.ffmuc.net"}}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location /.well-known/matrix/server {
return 200 '{"m.server": "matrix.franzi.business:443"}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}


@ -1,3 +0,0 @@
location / {
return 302 https://twitter.com/daskritzelt/status/1259167444373028864;
}


@ -1,14 +0,0 @@
location / {
proxy_pass http://[::1]:22050;
proxy_set_header X-Script-Name /;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Remote-User $remote_user;
auth_basic "Radicale";
auth_basic_user_file /etc/radicale/htpasswd;
}
location /.web/ {
proxy_pass http://[::1]:22050;
proxy_set_header X-Script-Name /;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}


@ -1,13 +1 @@
add_header Content-Security-Policy "frame-ancestors 'self' chat.franzi.business chat.sophies-kitchen.eu"; add_header Content-Security-Policy "frame-ancestors 'self' chat.franzi.business";
location /.well-known/matrix/client {
return 200 '{"m.homeserver": {"base_url": "https://matrix.franzi.business"},"m.identity_server": {"base_url": "https://matrix.org"},"im.vector.riot.jitsi": {"preferredDomain": "meet.ffmuc.net"}}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location /.well-known/matrix/server {
return 200 '{"m.server": "matrix.franzi.business:443"}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}


@ -1,11 +0,0 @@
location /.well-known/matrix/client {
return 200 '{"m.homeserver": {"base_url": "https://matrix.franzi.business"},"m.identity_server": {"base_url": "https://matrix.org"},"im.vector.riot.jitsi": {"preferredDomain": "meet.ffmuc.net"}}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location /.well-known/matrix/server {
return 200 '{"m.server": "matrix.franzi.business:443"}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}


@ -1,9 +0,0 @@
location / {
return 301 https://franzi.business$request_uri;
}
location /.well-known/openpgpkey/ {
alias /var/www/kunsmann.eu/.well-known/openpgpkey/;
default_type application/octet-stream;
add_header Access-Control-Allow-Origin * always;
}


@ -1,32 +0,0 @@
location /.well-known/matrix/client {
return 200 '{"m.homeserver": {"base_url": "https://matrix.franzi.business"},"m.identity_server": {"base_url": "https://matrix.org"},"im.vector.riot.jitsi": {"preferredDomain": "meet.ffmuc.net"}}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location /.well-known/matrix/server {
return 200 '{"m.server": "matrix.franzi.business:443"}';
default_type application/json;
add_header Access-Control-Allow-Origin *;
}
location /_matrix {
proxy_pass http://[::1]:20080;
proxy_set_header Host "franzi.business";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /_matrix/media {
proxy_pass http://localhost:20090;
client_max_body_size 500M;
proxy_read_timeout 600s;
proxy_set_header Host "franzi.business";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}


@ -1,7 +0,0 @@
location /static {
root /opt/travelynx/public;
}
location /service-worker.js {
root /opt/travelynx/public;
}


@ -1,3 +1,4 @@
from json import dumps as json_dumps
from os.path import join from os.path import join
from pathlib import Path from pathlib import Path


@ -28,7 +28,7 @@ nodes['gce.bind01'] = {
'nginx': { 'nginx': {
'vhosts': { 'vhosts': {
'ns-1.kunbox.net': { 'ns-1.kunbox.net': {
'proxy': { 'locations': {
'/': { '/': {
'target': 'http://127.0.0.1:8000/', 'target': 'http://127.0.0.1:8000/',
}, },


@ -51,7 +51,7 @@ nodes['home.paperless-sophie'] = {
'paperless': { 'paperless': {
'domain': 'paperless-sophie.home.kunbox.net', 'domain': 'paperless-sophie.home.kunbox.net',
'ssl': '_.home.kunbox.net', 'ssl': '_.home.kunbox.net',
'proxy': { 'locations': {
'/': { '/': {
'target': 'http://127.0.0.1:22070', 'target': 'http://127.0.0.1:22070',
'websockets': True, 'websockets': True,


@ -40,7 +40,7 @@ nodes['home.paperless'] = {
'paperless': { 'paperless': {
'domain': 'paperless.home.kunbox.net', 'domain': 'paperless.home.kunbox.net',
'ssl': '_.home.kunbox.net', 'ssl': '_.home.kunbox.net',
'proxy': { 'locations': {
'/': { '/': {
'target': 'http://127.0.0.1:22070', 'target': 'http://127.0.0.1:22070',
'websockets': True, 'websockets': True,
@ -48,8 +48,10 @@ nodes['home.paperless'] = {
'X-Forwarded-Host': '$server_name', 'X-Forwarded-Host': '$server_name',
}, },
}, },
'/static/': {
'alias': '/opt/paperless/static/',
},
}, },
'extras': True,
'max_body_size': '100M', 'max_body_size': '100M',
}, },
}, },


@ -42,7 +42,7 @@ nodes['htz-cloud.influxdb'] = {
'vhosts': { 'vhosts': {
'influxdb': { 'influxdb': {
'domain': 'influxdb.kunsmann.eu', 'domain': 'influxdb.kunsmann.eu',
'proxy': { 'locations': {
'/': { '/': {
'target': 'http://localhost:8086', 'target': 'http://localhost:8086',
'websockets': True, 'websockets': True,


@ -160,7 +160,7 @@ nodes['htz-cloud.miniserver'] = {
# 'extras': True, # 'extras': True,
# 'do_not_set_content_security_headers': True, # 'do_not_set_content_security_headers': True,
# 'max_body_size': '50M', # 'max_body_size': '50M',
# 'proxy': { # 'locations': {
# '/': { # '/': {
# 'target': 'http://127.0.0.1:8184', # 'target': 'http://127.0.0.1:8184',
# }, # },


@ -44,7 +44,11 @@ nodes['htz-cloud.pleroma'] = {
}, },
'pleroma-www-redir': { 'pleroma-www-redir': {
'domain': 'www.cybert-media.net', 'domain': 'www.cybert-media.net',
'extras': True, 'locations': {
'/': {
'redirect': 'https://cybert-media.net$request_uri',
},
},
}, },
}, },
}, },
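Review bot: The `pleroma-www-redir` location sets only `'redirect'`, so the template's default status 302 replaces the `return 308` that the removed extras file used. Adding `'mode': 308,` next to the `'redirect'` key keeps the permanent, method-preserving redirect. The same applies to the `'/'` redirect on `kunsmann.eu` in the htz.ex42-1048908 node file, which was `return 301` before and would need `'mode': 301,`.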


@ -261,18 +261,35 @@ nodes['htz.ex42-1048908'] = {
'vhosts': { 'vhosts': {
# TODO maybe some of this can be moved to a bundle? # TODO maybe some of this can be moved to a bundle?
'dav.kunsmann.eu': { 'dav.kunsmann.eu': {
'extras': True, 'locations': {
'/': {
'target': 'http://[::1]:22050',
'auth': {
'file': '/etc/radicale/htpasswd',
},
'proxy_set_header': {
'X-Remote-User': '$remote_user',
},
},
'/.web/': {
'target': 'http://[::1]:22050',
}
},
}, },
'daskritzelt-redirect': { 'daskritzelt-redirect': {
'domain': 'die-brontosaurier-waren-es.org', 'domain': 'die-brontosaurier-waren-es.org',
'ssl': False, # TODO enable ssl once domain transfer is done 'ssl': None,
'extras': True, 'locations': {
'/': {
'redirect': 'https://twitter.com/daskritzelt/status/1259167444373028864',
},
},
}, },
'dimension.franzi.business': { 'dimension.franzi.business': {
'extras': True, 'extras': True,
'do_not_set_content_security_headers': True, 'do_not_set_content_security_headers': True,
'max_body_size': '50M', 'max_body_size': '50M',
'proxy': { 'locations': {
'/': { '/': {
'target': 'http://127.0.0.1:8184', 'target': 'http://127.0.0.1:8184',
}, },
@ -280,10 +297,37 @@ nodes['htz.ex42-1048908'] = {
}, },
'franzi.business': { 'franzi.business': {
'webroot': '/var/www/franzi.business/_site/', 'webroot': '/var/www/franzi.business/_site/',
'extras': True, 'locations': {
'/.well-known/matrix/client': {
'return': json_dumps({
'm.homeserver': {
'base_url': 'https://matrix.franzi.business',
},
'm.identity_server': {
'base_url': 'https://matrix.org',
},
'im.vector.riot.jitsi': {
'preferredDomain': 'meet.ffmuc.net',
},
}, sort_keys=True),
'additional_config': {
'default_type application/json',
'add_header Access-Control-Allow-Origin *',
},
},
'/.well-known/matrix/server': {
'return': json_dumps({
'm.server': 'https://matrix.franzi.business',
}, sort_keys=True),
'additional_config': {
'default_type application/json',
'add_header Access-Control-Allow-Origin *',
},
},
},
}, },
'jenkins.kunsmann.eu': { 'jenkins.kunsmann.eu': {
'proxy': { 'locations': {
'/': { '/': {
'target': 'http://localhost:22010/', 'target': 'http://localhost:22010/',
}, },
@ -293,10 +337,58 @@ nodes['htz.ex42-1048908'] = {
}, },
'kunbox.net': {}, 'kunbox.net': {},
'kunsmann.eu': { 'kunsmann.eu': {
'extras': True, 'locations': {
'/': {
'redirect': 'https://franzi.business$request_uri',
},
'/.well-known/openpgpkey': {
'alias': '/var/www/kunsmann.eu/.well-known/openpgpkey/',
'additional_config': {
'default_type application/octet-stream',
'add_header Access-Control-Allow-Origin *',
},
},
},
}, },
'matrix.franzi.business': { 'matrix.franzi.business': {
'extras': True, 'locations': {
'/_matrix': {
'target': 'http://[::1]:20080',
},
'/_matrix/media': {
'target': 'http://localhost:20090',
'client_max_body_size': '500M',
},
'/_synapse': {
'target': 'http://[::1]:20080',
},
'/.well-known/matrix/client': {
'return': json_dumps({
'm.homeserver': {
'base_url': 'https://matrix.franzi.business',
},
'm.identity_server': {
'base_url': 'https://matrix.org',
},
'im.vector.riot.jitsi': {
'preferredDomain': 'meet.ffmuc.net',
},
}, sort_keys=True),
'additional_config': {
'default_type application/json',
'add_header Access-Control-Allow-Origin *',
},
},
'/.well-known/matrix/server': {
'return': json_dumps({
'm.server': 'https://matrix.franzi.business',
}, sort_keys=True),
'additional_config': {
'default_type application/json',
'add_header Access-Control-Allow-Origin *',
},
},
},
}, },
'mta-sts': { 'mta-sts': {
'domain': 'mta-sts.mx0.kunbox.net', 'domain': 'mta-sts.mx0.kunbox.net',
@ -322,14 +414,14 @@ nodes['htz.ex42-1048908'] = {
'website_check_string': 'login', 'website_check_string': 'login',
}, },
'rspamd.mx0.kunbox.net': { 'rspamd.mx0.kunbox.net': {
'proxy': { 'locations': {
'/': { '/': {
'target': 'http://localhost:11334/', 'target': 'http://localhost:11334/',
}, },
}, },
}, },
# 'travelynx.franzi.business': { # 'travelynx.franzi.business': {
# 'proxy': { # 'locations': {
# '/': { # '/': {
# 'target': 'http://127.0.0.1:22020', # 'target': 'http://127.0.0.1:22020',
# }, # },
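Review bot: The new `'/.well-known/openpgpkey'` key on `kunsmann.eu` has no trailing slash while its `alias` value ends in `/`. The removed extras file used `location /.well-known/openpgpkey/`, and with the mismatched form nginx can resolve request paths to files outside the aliased directory, so the key should be `'/.well-known/openpgpkey/'`. The same entry drops the `always` flag that the old `add_header Access-Control-Allow-Origin * always` carried. In `matrix.franzi.business`, `/_matrix/media` sets `'client_max_body_size': '500M'`, but the template reads `options.get('max_body_size', '5M')`, so the key is ignored and the limit falls to 5M; it should be `'max_body_size': '500M',`. Finally, `m.server` changed from `matrix.franzi.business:443` in the removed files to `https://matrix.franzi.business`, a URL instead of the host:port form served before, which looks unintended.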


@ -79,7 +79,7 @@ nodes['ovh.icinga2'] = {
}, },
'icinga_statusmonitor': { 'icinga_statusmonitor': {
'domain': 'statusmonitor.icinga.kunsmann.eu', 'domain': 'statusmonitor.icinga.kunsmann.eu',
'proxy': { 'locations': {
'/': { '/': {
'target': 'http://127.0.0.1:5000/', 'target': 'http://127.0.0.1:5000/',
} }


@ -66,12 +66,17 @@ nodes['rx300'] = {
'travelynx': { 'travelynx': {
'domain': 'travelynx.franzi.business', 'domain': 'travelynx.franzi.business',
'ssl': '_.franzi.business', 'ssl': '_.franzi.business',
'proxy': { 'locations': {
'/': { '/': {
'target': 'http://127.0.0.1:22020', 'target': 'http://127.0.0.1:22020',
}, },
'/static': {
'root': '/opt/travelynx/public',
},
'/service-worker.js': {
'root': '/opt/travelynx/public',
},
}, },
'extras': True,
}, },
}, },
}, },