Diffstat (limited to 'code-host/nginx.conf')
-rw-r--r--code-host/nginx.conf386
1 files changed, 386 insertions, 0 deletions
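diff --git a/code-host/nginx.conf b/code-host/nginx.conf
new file mode 100644
index 0000000..9d61863
--- /dev/null
+++ b/code-host/nginx.conf
@@ -0,0 +1,386 @@
+daemon off;
+user nginx;
+worker_processes 1;
+
+error_log /dev/stdout warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    types {
+        text/html html htm shtml;
+        text/css css;
+        text/xml xml;
+        image/gif gif;
+        image/jpeg jpeg jpg;
+        application/javascript js;
+        application/atom+xml atom;
+        application/rss+xml rss;
+
+        text/mathml mml;
+        text/plain txt;
+        text/vnd.sun.j2me.app-descriptor jad;
+        text/vnd.wap.wml wml;
+        text/x-component htc;
+
+        image/png png;
+        image/svg+xml svg svgz;
+        image/tiff tif tiff;
+        image/vnd.wap.wbmp wbmp;
+        image/webp webp;
+        image/x-icon ico;
+        image/x-jng jng;
+        image/x-ms-bmp bmp;
+
+        font/woff woff;
+        font/woff2 woff2;
+
+        application/java-archive jar war ear;
+        application/json json;
+        application/mac-binhex40 hqx;
+        application/msword doc;
+        application/pdf pdf;
+        application/postscript ps eps ai;
+        application/rtf rtf;
+        application/vnd.apple.mpegurl m3u8;
+        application/vnd.google-earth.kml+xml kml;
+        application/vnd.google-earth.kmz kmz;
+        application/vnd.ms-excel xls;
+        application/vnd.ms-fontobject eot;
+        application/vnd.ms-powerpoint ppt;
+        application/vnd.oasis.opendocument.graphics odg;
+        application/vnd.oasis.opendocument.presentation odp;
+        application/vnd.oasis.opendocument.spreadsheet ods;
+        application/vnd.oasis.opendocument.text odt;
+        application/vnd.openxmlformats-officedocument.presentationml.presentation
+            pptx;
+        application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+            xlsx;
+        application/vnd.openxmlformats-officedocument.wordprocessingml.document
+            docx;
+        application/vnd.wap.wmlc wmlc;
+        application/x-7z-compressed 7z;
+        application/x-cocoa cco;
+        application/x-java-archive-diff jardiff;
+        application/x-java-jnlp-file jnlp;
+        application/x-makeself run;
+        application/x-perl pl pm;
+        application/x-pilot prc pdb;
+        application/x-rar-compressed rar;
+        application/x-redhat-package-manager rpm;
+        application/x-sea sea;
+        application/x-shockwave-flash swf;
+        application/x-stuffit sit;
+        application/x-tcl tcl tk;
+        application/x-x509-ca-cert der pem crt;
+        application/x-xpinstall xpi;
+        application/xhtml+xml xhtml;
+        application/xspf+xml xspf;
+        application/zip zip;
+
+        application/octet-stream bin exe dll;
+        application/octet-stream deb;
+        application/octet-stream dmg;
+        application/octet-stream iso img;
+        application/octet-stream msi msp msm;
+
+        audio/midi mid midi kar;
+        audio/mpeg mp3;
+        audio/ogg ogg;
+        audio/x-m4a m4a;
+        audio/x-realaudio ra;
+
+        video/3gpp 3gpp 3gp;
+        video/mp2t ts;
+        video/mp4 mp4;
+        video/mpeg mpeg mpg;
+        video/quicktime mov;
+        video/webm webm;
+        video/x-flv flv;
+        video/x-m4v m4v;
+        video/x-mng mng;
+        video/x-ms-asf asx asf;
+        video/x-ms-wmv wmv;
+        video/x-msvideo avi;
+    }
+
+    default_type application/octet-stream;
+
+    log_format combined_host '$host $remote_addr - $remote_user [$time_local] '
+        '"$request" $status $body_bytes_sent '
+        '"$http_referer" "$http_user_agent"';
+
+    access_log /logs/default_server.log combined_host;
+
+    sendfile on;
+    tcp_nopush on;
+    server_tokens off;
+
+    keepalive_timeout 128;
+
+    # Try to avoid buffering requests to disk
+    client_body_buffer_size 1024k;
+
+    gzip on;
+    gzip_proxied any;
+    gzip_disable "msie6";
+    gzip_types application/javascript application/rss+xml application/x-javascript application/xhtml+xml application/xml image/svg+xml image/x-icon text/css text/javascript text/plain text/xml;
+
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_dhparam /srv/nginx-conf/ssl/dhparam.pem;
+
+    map $http_host $can_redirect {
+        hostnames;
+
+        default 0;
+        crute.me 1;
+        *.crute.me 1;
+        crute.us 1;
+        *.crute.us 1;
+    }
+
+    server {
+        listen *:80 default_server;
+        listen [::]:80 default_server;
+
+        access_log /logs/default_http_vhost.log combined_host;
+
+        location / {
+            if ($can_redirect) {
+                rewrite (.*) https://$http_host$1 permanent;
+            }
+
+            default_type text/plain;
+            return 404 "not found";
+        }
+    }
+
+    # TODO: Consolidate these into one, they differ only by hostname and SSL cert
+    # This is like this because I'm not sure if redirects will work at all with
+    # git pulls and pretty much all repositories use code.crute.me not .us
+
+    geo $cgit_config {
+        default "/srv/code/etc/cgit-public.cfg";
+
+        # Global V4 Internal Network
+        172.16.0.0/16 "/srv/code/etc/cgit-private.cfg";
+        # FKL1 V4 Internal network
+        172.18.0.0/16 "/srv/code/etc/cgit-private.cfg";
+        # SEA4 V4 Internal network
+        172.19.0.0/16 "/srv/code/etc/cgit-private.cfg";
+        # ORD1 V4 Internal network
+        172.20.0.0/16 "/srv/code/etc/cgit-private.cfg";
+        # Mobile V4 Internal network
+        172.21.0.0/16 "/srv/code/etc/cgit-private.cfg";
+        # PDX1 V6 Network
+        2600:1f14:f39:e000::/56 "/srv/code/etc/cgit-private.cfg";
+        # CMH1 V6 Network
+        2600:1f16:33:500::/56 "/srv/code/etc/cgit-private.cfg";
+        # SEA1 Internal V6 Network
+        2602:0803:4070::/48 "/srv/code/etc/cgit-private.cfg";
+        # SEA4 Internal V6 Network
+        2602:0803:4072::/48 "/srv/code/etc/cgit-private.cfg";
+        # SEA4 Remote Access VPN V6 Network
+        2602:0803:4075::/48 "/srv/code/etc/cgit-private.cfg";
+        # ORD1 Internal V6 Network
+        2602:0803:4073::/48 "/srv/code/etc/cgit-private.cfg";
+        # FKL1 Internal V6 Network
+        2602:0803:4074::/48 "/srv/code/etc/cgit-private.cfg";
+        # Mobile V6 Internal Network
+        2602:0803:4076::/48 "/srv/code/etc/cgit-private.cfg";
+    }
+
+    server {
+        listen *:443 ssl http2;
+        listen [::]:443 ssl http2;
+
+        server_name code.crute.me;
+        access_log /logs/code.crute.me.log combined_host;
+
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL";
+        ssl_stapling on;
+        ssl_stapling_verify on;
+        resolver 8.8.4.4 8.8.8.8 valid=300s;
+        resolver_timeout 5s;
+
+        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Xss-Protection "1; mode=block" always;
+        add_header Referrer-Policy "same-origin" always;
+
+        ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_me.pem;
+        ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_me_key.pem;
+
+        add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https://wiki.crute.me/ 'self';" always;
+
+        client_max_body_size 4G;
+
+        # This is somewhat ugly and naive because it doesn't allow more than host/user/repo and some
+        # repos exist at deeper paths than that. This should be fixed and moved out of nginx at some
+        # point it's just quick and easy to put it here.
+        location ~ ^/(?<user>[^/]*)/(?<repo>[^/]+)/?(?<subpath>.*)?$ {
+            if ($arg_go-get = "1") {
+                add_header Content-Type text/plain;
+                return 200 '<html><head>
+<meta name="go-import" content="$host/$user/$repo git https://$host/$user/$repo">
+<meta name="go-source" content="$host/$user/$repo
+https://$host/$user/$repo
+https://$host/$user/$repo/tree{/dir}
+https://$host/$user/$repo/tree{/dir}/{file}#n{line}">
+</head></html>';
+            }
+
+            uwsgi_param QUERY_STRING $query_string;
+            uwsgi_param REQUEST_METHOD $request_method;
+            uwsgi_param CONTENT_TYPE $content_type;
+            uwsgi_param CONTENT_LENGTH $content_length;
+
+            uwsgi_param REQUEST_URI $request_uri;
+            uwsgi_param PATH_INFO $document_uri;
+            uwsgi_param DOCUMENT_ROOT $document_root;
+            uwsgi_param SERVER_PROTOCOL $server_protocol;
+            uwsgi_param REQUEST_SCHEME $scheme;
+            uwsgi_param HTTPS $https if_not_empty;
+
+            uwsgi_param REMOTE_ADDR $remote_addr;
+            uwsgi_param REMOTE_PORT $remote_port;
+            uwsgi_param SERVER_PORT $server_port;
+            uwsgi_param SERVER_NAME $server_name;
+
+            uwsgi_param HTTP_HOST $host;
+            uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
+
+            uwsgi_modifier1 9;
+            uwsgi_param CGIT_CONFIG $cgit_config;
+            uwsgi_pass uwsgi://127.0.0.1:9000;
+        }
+
+        location / {
+            uwsgi_param QUERY_STRING $query_string;
+            uwsgi_param REQUEST_METHOD $request_method;
+            uwsgi_param CONTENT_TYPE $content_type;
+            uwsgi_param CONTENT_LENGTH $content_length;
+
+            uwsgi_param REQUEST_URI $request_uri;
+            uwsgi_param PATH_INFO $document_uri;
+            uwsgi_param DOCUMENT_ROOT $document_root;
+            uwsgi_param SERVER_PROTOCOL $server_protocol;
+            uwsgi_param REQUEST_SCHEME $scheme;
+            uwsgi_param HTTPS $https if_not_empty;
+
+            uwsgi_param REMOTE_ADDR $remote_addr;
+            uwsgi_param REMOTE_PORT $remote_port;
+            uwsgi_param SERVER_PORT $server_port;
+            uwsgi_param SERVER_NAME $server_name;
+
+            uwsgi_param HTTP_HOST $host;
+            uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
+
+            uwsgi_modifier1 9;
+            uwsgi_param CGIT_CONFIG $cgit_config;
+            uwsgi_pass uwsgi://127.0.0.1:9000;
+        }
+    }
+
+    server {
+        listen *:443 ssl http2;
+        listen [::]:443 ssl http2;
+
+        server_name code.crute.us;
+        access_log /logs/code.crute.me.log combined_host;
+
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:AES256+EECDH:AES256+EDH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!aNULL";
+        ssl_stapling on;
+        ssl_stapling_verify on;
+        resolver 8.8.4.4 8.8.8.8 valid=300s;
+        resolver_timeout 5s;
+
+        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Xss-Protection "1; mode=block" always;
+        add_header Referrer-Policy "same-origin" always;
+
+        ssl_certificate /srv/nginx-conf/ssl/letsencrypt_crute_us.pem;
+        ssl_certificate_key /srv/nginx-conf/ssl/letsencrypt_crute_us_key.pem;
+
+        add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src https://wiki.crute.me/ 'self';" always;
+
+        client_max_body_size 4G;
+
+        # This is somewhat ugly and naive because it doesn't allow more than host/user/repo and some
+        # repos exist at deeper paths than that. This should be fixed and moved out of nginx at some
+        # point it's just quick and easy to put it here.
+        location ~ ^/(?<user>[^/]*)/(?<repo>[^/]+)/?(?<subpath>.*)?$ {
+            if ($arg_go-get = "1") {
+                add_header Content-Type text/plain;
+                return 200 '<html><head>
+<meta name="go-import" content="$host/$user/$repo git https://$host/$user/$repo">
+<meta name="go-source" content="$host/$user/$repo
+https://$host/$user/$repo
+https://$host/$user/$repo/tree{/dir}
+https://$host/$user/$repo/tree{/dir}/{file}#n{line}">
+</head></html>';
+            }
+
+            uwsgi_param QUERY_STRING $query_string;
+            uwsgi_param REQUEST_METHOD $request_method;
+            uwsgi_param CONTENT_TYPE $content_type;
+            uwsgi_param CONTENT_LENGTH $content_length;
+
+            uwsgi_param REQUEST_URI $request_uri;
+            uwsgi_param PATH_INFO $document_uri;
+            uwsgi_param DOCUMENT_ROOT $document_root;
+            uwsgi_param SERVER_PROTOCOL $server_protocol;
+            uwsgi_param REQUEST_SCHEME $scheme;
+            uwsgi_param HTTPS $https if_not_empty;
+
+            uwsgi_param REMOTE_ADDR $remote_addr;
+            uwsgi_param REMOTE_PORT $remote_port;
+            uwsgi_param SERVER_PORT $server_port;
+            uwsgi_param SERVER_NAME $server_name;
+
+            uwsgi_param HTTP_HOST $host;
+            uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
+
+            uwsgi_modifier1 9;
+            uwsgi_param CGIT_CONFIG $cgit_config;
+            uwsgi_pass uwsgi://127.0.0.1:9000;
+        }
+
+        location / {
+            uwsgi_param QUERY_STRING $query_string;
+            uwsgi_param REQUEST_METHOD $request_method;
+            uwsgi_param CONTENT_TYPE $content_type;
+            uwsgi_param CONTENT_LENGTH $content_length;
+
+            uwsgi_param REQUEST_URI $request_uri;
+            uwsgi_param PATH_INFO $document_uri;
+            uwsgi_param DOCUMENT_ROOT $document_root;
+            uwsgi_param SERVER_PROTOCOL $server_protocol;
+            uwsgi_param REQUEST_SCHEME $scheme;
+            uwsgi_param HTTPS $https if_not_empty;
+
+            uwsgi_param REMOTE_ADDR $remote_addr;
+            uwsgi_param REMOTE_PORT $remote_port;
+            uwsgi_param SERVER_PORT $server_port;
+            uwsgi_param SERVER_NAME $server_name;
+
+            uwsgi_param HTTP_HOST $host;
+            uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;
+
+            uwsgi_modifier1 9;
+            uwsgi_param CGIT_CONFIG $cgit_config;
+            uwsgi_pass uwsgi://127.0.0.1:9000;
+        }
+    }
+}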
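Review bot: The `if ($arg_go-get = "1")` branch inside `location ~ ^/(?<user>[^/]*)/(?<repo>[^/]+)...` interpolates `$host`, `$user` and `$repo` into an HTML body with no escaping, and none of them is constrained: the two captures accept anything but `/` from the decoded URI, and `$host` comes from the client's Host header, which this server block will receive for arbitrary hostnames because neither 443 `listen` carries `default_server` and it is the first one declared (so it is the implicit default). nginx has no HTML-escaping facility, so narrow the inputs instead: `location ~ ^/(?<user>[A-Za-z0-9._-]*)/(?<repo>[A-Za-z0-9._-]+)/?(?<subpath>.*)?$ {` and `$server_name` in place of `$host` in both meta tags; paths that stop matching fall through to `location /`, which passes the identical uwsgi params, so routing is unchanged. Two further things in the same branch: per nginx's add_header inheritance rule, the `add_header Content-Type text/plain;` makes the `if` a level of its own, so the server-level HSTS/nosniff/CSP headers are not inherited by this response, and the reply carries both the `default_type` application/octet-stream Content-Type and the added text/plain one while the body is HTML — worth checking what the go tool actually requires before relying on it. The block is repeated verbatim in the code.crute.us server (the TODO above `geo $cgit_config` already notes the duplication), and that server's `access_log /logs/code.crute.me.log combined_host;` looks like a copy-paste slip that should be `code.crute.us.log`.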