initial public commit

nginx_templates/conf.d/default.conf.template

@@ -0,0 +1,97 @@
+server {
+    listen 80;
+
+    return 301 https://${DOLLAR}host${DOLLAR}request_uri;
+}
+
+server {
+    include /etc/nginx/ssl_listen.conf;
+
+    location / {
+        error_page 404 /404.html;
+        root /var/www/html;
+        index index.html index.htm;
+    }
+
+    location /.well-known/acme-challenge {
+        root   /var/www;
+    }
+
+    location ~ /\.(?!well-known).* {
+        return 404;
+        access_log off;
+        log_not_found off;
+    }
+}
+
+server {
+    include /etc/nginx/ssl_listen.conf;
+
+    server_name git.${BASE_DOMAIN_NAME};
+
+    location /.well-known/acme-challenge {
+        root   /var/www;
+    }
+
+    location / {
+        proxy_pass http://forgejo:3000;
+
+        proxy_set_header Connection ${DOLLAR}http_connection;
+        proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+        proxy_set_header Host ${DOLLAR}host;
+        proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+        proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+
+        client_max_body_size 512M;
+    }
+}
+
+server {
+    include /etc/nginx/ssl_listen.conf;
+
+    location /.well-known/acme-challenge {
+        root   /var/www;
+    }
+
+    server_name mail.${BASE_DOMAIN_NAME};
+    location / {
+        proxy_pass http://mail:80;
+
+        proxy_set_header Connection ${DOLLAR}http_connection;
+        proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+        proxy_set_header Host ${DOLLAR}host;
+        proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+        proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+    }
+}
+
+server {
+    include /etc/nginx/ssl_listen.conf;
+
+    location /.well-known/acme-challenge {
+        root   /var/www;
+    }
+
+    server_name forum.${BASE_DOMAIN_NAME};
+    location / {
+        proxy_pass http://unix:/forum/nginx.http.sock:;
+
+        proxy_http_version 1.1;
+        proxy_set_header Connection ${DOLLAR}http_connection;
+        proxy_set_header Upgrade ${DOLLAR}http_upgrade;
+        proxy_set_header Host ${DOLLAR}host;
+        proxy_set_header X-Real-IP ${DOLLAR}remote_addr;
+        proxy_set_header X-Forwarded-For ${DOLLAR}proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto ${DOLLAR}scheme;
+    }
+}
+
+server {
+    include /etc/nginx/ssl_listen.conf;
+
+    server_name ~^(?<subdomain>.*)${ALT_BASE_DOMAIN_NAME}${DOLLAR};
+    return 301 https://${DOLLAR}{subdomain}${BASE_DOMAIN_NAME}${DOLLAR}request_uri;
+}
+

nginx_templates/options-ssl-nginx.conf.template

@@ -0,0 +1,14 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file. Contents are based on https://ssl-config.mozilla.org
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

nginx_templates/ssl-dhparams.pem.template

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

nginx_templates/ssl_listen.conf.template

@@ -0,0 +1,8 @@
+listen 443 ssl;
+
+http2 on;
+
+ssl_certificate /etc/letsencrypt/live/server/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/server/privkey.pem;
+include /etc/nginx/options-ssl-nginx.conf;
+ssl_dhparam /etc/nginx/ssl-dhparams.pem;