Merge branch 'env-friendly'

* env-friendly:
  move templates, make jinja-env-approach-friendly

.gitignore

@@ -1,5 +1,8 @@
+*.j2
 site/
 letsencrypt/
 letsencrypt_certs/
 nginx.conf.default
 conf.d/
+conf.d_templates/http.DOMAIN.conf
+conf.d_templates/https.DOMAIN.conf

conf.d/csp.conf

@@ -0,0 +1 @@
+add_header Content-Security-Policy-Report-Only "default-src 'self' 'unsafe-inline' 'unsafe-eval';";

conf.d/giteacsp.conf

@@ -0,0 +1 @@
+add_header Content-Security-Policy-Report-Only "default-src 'self' 'unsafe-inline' 'unsafe-eval';";

conf.d/http.DOMAIN.conf.j2

@@ -0,0 +1,29 @@
+####################
+# 
+# {{ server_name_default }}
+# http/{{ port_default }}
+# 
+# basically, just redirects to https
+#
+####################
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ server_name_default }};
+    return 301 https://{{ server_name_default }}$request_uri;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name www.{{ server_name_default }};
+    return 301 https://www.{{ server_name_default }}$request_uri;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name git.{{ server_name_default }};
+    return 301 https://git.{{ server_name_default }}$request_uri;
+}

conf.d/https.DOMAIN.conf.j2

@@ -1,27 +1,27 @@
 ####################
 #
 # {{ server_name_default }}
-# https/{{ port_ssl_default }}
+# https/443
 # 
 # {{ server_name_default }} and www.{{ server_name_default }}
 # should handle the following cases:
 # - w/ and wiki/ should reverse proxy story_mw
-# - phpMyAdmin/ should reverse proxy stormy_myadmin
+# - gitea subdomain should reverse proxy stormy_gitea
 #
 ####################
 
 
 # default 
 server {
-    listen {{ port_ssl_default }} ssl;
+    listen 443 ssl;
-    listen [::]:{{ port_ssl_default }} ssl;
+    listen [::]:443 ssl;
     server_name {{ server_name_default }} default_server;
 
     ssl_certificate /etc/letsencrypt/live/{{ server_name_default }}/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/{{ server_name_default }}/privkey.pem;
     include /etc/letsencrypt/options-ssl-nginx.conf;
-
+    include /etc/nginx/conf.d/secheaders.conf;
-    client_max_body_size 100m;
+    include /etc/nginx/conf.d/csp.conf;
 
     location / {
         try_files $uri $uri/ =404;
@@ -43,13 +43,6 @@ server {
         proxy_pass http://stormy_mw:8989/w/;
     }
 
-    #location /phpMyAdmin/ {
-    #    proxy_set_header X-Real-IP  $remote_addr;
-    #    proxy_set_header X-Forwarded-For $remote_addr;
-    #    proxy_set_header Host $host;
-    #    proxy_pass http://stormy_myadmin:80/;
-    #}
-
     # ~ means case-sensitive regex match, rather than string literal
     # (ignores .git, .gitignore, etc.)
     location ~ /\.git {
@@ -60,15 +53,15 @@ server {
 
 # www
 server {
-    listen {{ port_ssl_default }} ssl;
+    listen 443 ssl;
-    listen [::]:{{ port_ssl_default }} ssl;
+    listen [::]:443 ssl;
     server_name www.{{ server_name_default }};
 
     ssl_certificate /etc/letsencrypt/live/www.{{ server_name_default }}/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/www.{{ server_name_default }}/privkey.pem;
     include /etc/letsencrypt/options-ssl-nginx.conf;
-
+    include /etc/nginx/conf.d/secheaders.conf;
-    client_max_body_size 100m;
+    include /etc/nginx/conf.d/csp.conf;
 
     root /www/{{ server_name_default }}/htdocs;
 
@@ -91,13 +84,6 @@ server {
         proxy_pass http://stormy_mw:8989/w/;
     }
 
-    #location /phpMyAdmin/ {
-    #    proxy_set_header X-Real-IP  $remote_addr;
-    #    proxy_set_header X-Forwarded-For $remote_addr;
-    #    proxy_set_header Host $host;
-    #    proxy_pass http://stormy_myadmin:80/;
-    #}
-
     location ~ /\.git {
         deny all;
     }
@@ -106,15 +92,15 @@ server {
 
 # gitea 
 server {
-    listen {{ port_ssl_gitea}} ssl;
+    listen 443 ssl;
-    listen [::]:{{ port_ssl_gitea }} ssl;
+    listen [::]:443 ssl;
     server_name git.{{ server_name_default }};
 
     ssl_certificate /etc/letsencrypt/live/git.{{ server_name_default }}/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/git.{{ server_name_default }}/privkey.pem;
     include /etc/letsencrypt/options-ssl-nginx.conf;
-
+    include /etc/nginx/conf.d/secheaders.conf;
-    client_max_body_size 100m;
+    include /etc/nginx/conf.d/giteacsp.conf;
 
     location / {
         proxy_set_header X-Real-IP  $remote_addr;

conf.d/secheaders.conf

@@ -0,0 +1,8 @@
+server_tokens off;
+
+add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+
+client_max_body_size 100m;

conf.d_examples/http.charlesreid1.com.conf

@@ -1,71 +0,0 @@
-####################
-# 
-# charlesreid1.com
-# http/80
-# 
-# basically, just redirects to https
-#
-####################
-
-server {
-    listen 80;
-    listen [::]:80;
-    server_name charlesreid1.com;
-    location / {
-        return 301 https://charlesreid1.com$request_uri;
-    }
-}
-
-server {
-    listen 80;
-    listen [::]:80;
-    server_name www.charlesreid1.com;
-    location / {
-        return 301 https://www.charlesreid1.com$request_uri;
-    }
-}
-
-server {
-    listen 80;
-    listen [::]:80;
-    server_name git.charlesreid1.com;
-    location / {
-        return 301 https://git.charlesreid1.com$request_uri;
-    }
-}
-
-server {
-    listen 80;
-    listen [::]:80;
-    server_name pages.charlesreid1.com;
-    location / {
-        return 301 https://pages.charlesreid1.com$request_uri;
-    }
-}
-
-server {
-    listen 80;
-    listen [::]:80;
-    server_name hooks.charlesreid1.com;
-    location / {
-        return 301 https://hooks.charlesreid1.com$request_uri;
-    }
-}
-
-server {
-    listen 80;
-    listen [::]:80;
-    server_name bots.charlesreid1.com;
-    location / {
-        return 301 https://bots.charlesreid1.com$request_uri;
-    }
-}
-
-### server {
-###     listen 80;
-###     listen [::]:80;
-###     server_name files.charlesreid1.com;
-###     location / {
-###         return 301 https://files.charlesreid1.com$request_uri;
-###     }
-### }

conf.d_examples/https.charlesreid1.com.conf

@@ -1,148 +0,0 @@
-####################
-#
-# charlesreid1.com
-# https/443
-# 
-# charlesreid1.com and www.charlesreid1.com
-# should handle the following cases:
-# - w/ and wiki/ should reverse proxy story_mw
-# - phpMyAdmin/ should reverse proxy stormy_myadmin
-#
-# git.charlesreid1.com should handle:
-# - all requests should reverse proxy stormy_gitea
-#
-####################
-
-
-# default 
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    server_name charlesreid1.com default_server;
-
-    ssl_certificate /etc/letsencrypt/live/charlesreid1.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/charlesreid1.com/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-
-    client_max_body_size 100m;
-
-    location / {
-        try_files $uri $uri/ =404;
-        root /www/charlesreid1.com/htdocs;
-        index index.html;
-    }
-
-    location /wiki/ {
-        proxy_set_header X-Real-IP  $remote_addr;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header Host $host;
-        proxy_pass http://stormy_mw:8989/wiki/;
-    }
-
-    location /w/ {
-        proxy_set_header X-Real-IP  $remote_addr;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header Host $host;
-        proxy_pass http://stormy_mw:8989/w/;
-    }
-
-    #location /phpMyAdmin/ {
-    #    proxy_set_header X-Real-IP  $remote_addr;
-    #    proxy_set_header X-Forwarded-For $remote_addr;
-    #    proxy_set_header Host $host;
-    #    proxy_pass http://stormy_myadmin:80/;
-    #}
-
-    # ~ means case-sensitive regex match, rather than string literal
-    # (ignores .git, .gitignore, etc.)
-    location ~ /\.git {
-        deny all;
-    }
-}
-
-
-# www
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    server_name www.charlesreid1.com;
-
-    ssl_certificate /etc/letsencrypt/live/www.charlesreid1.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/www.charlesreid1.com/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-
-    client_max_body_size 100m;
-
-    root /www/charlesreid1.com/htdocs;
-
-    location / {
-        try_files $uri $uri/ =404;
-        index index.html;
-    }
-
-    location /wiki/ {
-        proxy_set_header X-Real-IP  $remote_addr;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header Host $host;
-        proxy_pass http://stormy_mw:8989/wiki/;
-    }
-
-    location /w/ {
-        proxy_set_header X-Real-IP  $remote_addr;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header Host $host;
-        proxy_pass http://stormy_mw:8989/w/;
-    }
-
-    #location /phpMyAdmin/ {
-    #    proxy_set_header X-Real-IP  $remote_addr;
-    #    proxy_set_header X-Forwarded-For $remote_addr;
-    #    proxy_set_header Host $host;
-    #    proxy_pass http://stormy_myadmin:80/;
-    #}
-
-    location ~ /\.git {
-        deny all;
-    }
-}
-
-
-# gitea 
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    server_name git.charlesreid1.com;
-
-    ssl_certificate /etc/letsencrypt/live/git.charlesreid1.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/git.charlesreid1.com/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-
-    client_max_body_size 100m;
-
-    location / {
-        proxy_set_header X-Real-IP  $remote_addr;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header Host $host;
-        proxy_pass http://stormy_gitea:3000/;
-    }
-}
-
-### # files 
-### server {
-###     listen 443 ssl;
-###     listen [::]:443 ssl;
-###     server_name files.charlesreid1.com;
-### 
-###     ssl_certificate /etc/letsencrypt/live/files.charlesreid1.com/fullchain.pem;
-###     ssl_certificate_key /etc/letsencrypt/live/files.charlesreid1.com/privkey.pem;
-###     include /etc/letsencrypt/options-ssl-nginx.conf;
-### 
-###     client_max_body_size 100m;
-### 
-###     location / {
-###         proxy_set_header X-Real-IP  $remote_addr;
-###         proxy_set_header X-Forwarded-For $remote_addr;
-###         proxy_set_header Host $host;
-###         proxy_pass http://stormy_files:8081/;
-###     }
-### }

conf.d_examples/https.charlesreid1.com.subdomains.conf

@@ -1,101 +0,0 @@
-####################
-#
-# charlesreid1.com
-# https/443
-#
-# charlesreid1.com subdomains
-# reverse-proxied by the server
-# running pod-webhooks.
-# - pages.charlesreid1.com
-# - hooks.charlesreid1.com
-# - bots.charlesreid1.com
-#
-# address of pod-webhooks server:
-# localhost
-####################
-
-
-# pages 
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    server_name pages.charlesreid1.com;
-
-    ssl_certificate /etc/letsencrypt/live/pages.charlesreid1.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/pages.charlesreid1.com/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-
-    client_max_body_size 100m;
-    port_in_redirect off;
-
-    location / {
-        # https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
-        proxy_set_header X-Real-IP  $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header Host $host;
-        proxy_pass http://localhost:7777/;
-        proxy_redirect http://localhost:7777/ http://pages.charlesreid1.com/;
-    }
-}
-
-# webhooks 
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    server_name hooks.charlesreid1.com;
-
-    ssl_certificate /etc/letsencrypt/live/hooks.charlesreid1.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/hooks.charlesreid1.com/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-
-    client_max_body_size 100m;
-
-    gzip              on;
-    gzip_http_version 1.0;
-    gzip_proxied      any;
-    gzip_min_length   500;
-    gzip_disable      "MSIE [1-6]\.";
-    gzip_types        text/plain text/xml text/css
-                      text/comma-separated-values
-                      text/javascript
-                      application/x-javascript
-                      application/atom+xml;
-
-    location / {
-        # / takes user to static hooks subdomain page
-        proxy_set_header X-Real-IP  $remote_addr;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header Host $host;
-        proxy_pass http://localhost:7778;
-    }
-
-    location /webhook {
-        # /webhook* anything takes user to port 5000, api
-        proxy_set_header   X-Real-IP  $remote_addr;
-        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header   Host $host;
-        proxy_pass http://localhost:5000/webhook;
-    }
-}
-
-# bots
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    server_name bots.charlesreid1.com;
-
-    ssl_certificate /etc/letsencrypt/live/bots.charlesreid1.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/bots.charlesreid1.com/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-
-    client_max_body_size 100m;
-    port_in_redirect off;
-
-    location / {
-        proxy_set_header X-Real-IP  $remote_addr;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header Host $host;
-        proxy_pass http://localhost:7779;
-        proxy_redirect http://localhost:7779/ http://bots.charlesreid1.com/;
-    }
-}

conf.d_templates/http.DOMAIN.conf.j2

@@ -1,72 +0,0 @@
-####################
-# 
-# {{ server_name_default }}
-# http/{{ port_default }}
-# 
-# basically, just redirects to https
-#
-####################
-
-server {
-    listen {{ port_default }};
-    listen [::]:{{ port_default }};
-    server_name {{ server_name_default }};
-    location / {
-        return 301 https://{{ server_name_default }}$request_uri;
-    }
-}
-
-server {
-    listen {{ port_default }};
-    listen [::]:{{ port_default }};
-    server_name www.{{ server_name_default }};
-    location / {
-        return 301 https://www.{{ server_name_default }}$request_uri;
-    }
-}
-
-server {
-    listen {{ port_gitea }};
-    listen [::]:{{ port_gitea }};
-    server_name git.{{ server_name_default }};
-    location / {
-        return 301 https://git.{{ server_name_default }}$request_uri;
-    }
-}
-
-#server {
-#    listen {{ port_pages }};
-#    listen [::]:{{ port_pages }};
-#    server_name pages.{{ server_name_default }};
-#    location / {
-#        return 301 https://pages.{{ server_name_default }}$request_uri;
-#    }
-#}
-
-#server {
-#    listen {{ port_hooks }};
-#    listen [::]:{{ port_hooks }};
-#    server_name hooks.{{ server_name_default }};
-#    location / {
-#        return 301 https://hooks.{{ server_name_default }}$request_uri;
-#    }
-#}
-
-#server {
-#    listen {{ port_bots }};
-#    listen [::]:{{ port_bots }};
-#    server_name bots.{{ server_name_default }};
-#    location / {
-#        return 301 https://bots.{{ server_name_default }}$request_uri;
-#    }
-#}
-
-### server {
-###     listen {{ port_files }};
-###     listen [::]:{{ port_files }};
-###     server_name files.{{ server_name_default }};
-###     location / {
-###         return 301 https://files.{{ server_name_default }}$request_uri;
-###     }
-### }
-

conf.d_templates/https.DOMAIN.subdomains.conf.j2

@@ -1,32 +0,0 @@
-####################
-#
-# {{ server_name_default }}
-# https/{{ port_ssl_default }}
-#
-# charlesreid1.com subdomains
-# reverse-proxied by the server
-####################
-
-
-# # pages 
-# server {
-#     listen {{ port_ssl_pages }} ssl;
-#     listen [::]:{{ port_ssl_pages }} ssl;
-#     server_name pages.{{ server_name_default }};
-# 
-#     ssl_certificate /etc/letsencrypt/live/pages.{{ server_name_default }}/fullchain.pem;
-#     ssl_certificate_key /etc/letsencrypt/live/pages.{{ server_name_default }}/privkey.pem;
-#     include /etc/letsencrypt/options-ssl-nginx.conf;
-# 
-#     client_max_body_size 100m;
-#     port_in_redirect off;
-# 
-#     location / {
-#         # https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
-#         proxy_set_header X-Real-IP  $remote_addr;
-#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-#         proxy_set_header Host $host;
-#         proxy_pass http://{{ nginx_subdomains_ip }}:7777/;
-#         proxy_redirect http://{{ nginx_subdomains_ip }}:7777/ http://pages.{{ server_name_default }}/;
-#     }
-# }