add docker-madone
parent
929d6796b0
commit
57c819d80e
|
@ -0,0 +1 @@
|
||||||
|
Mostly stolen from https://github.com/vtluug/docker-manifests/tree/master/sczi/nginx
|
|
@ -0,0 +1,23 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
docker run \
|
||||||
|
--name nginx \
|
||||||
|
--detach \
|
||||||
|
--restart unless-stopped \
|
||||||
|
--env PUID=1000 \
|
||||||
|
--env PGID=1000 \
|
||||||
|
--env EMAIL=sysadmin@seaturtle.pw \
|
||||||
|
--env URL=seaturtle.pw \
|
||||||
|
--env ONLY_SUBDOMAINS=true \
|
||||||
|
--env SUBDOMAINS=madone \
|
||||||
|
--env VALIDATION=html \
|
||||||
|
--env TZ=US/Eastern \
|
||||||
|
--volume $PWD/config:/config:rw \
|
||||||
|
--volume $PWD/nginx.conf:/config/nginx/nginx.conf:ro \
|
||||||
|
--volume $PWD/site-confs:/config/nginx/site-confs:ro \
|
||||||
|
--publish 51.159.29.122:80:80 \
|
||||||
|
--publish 51.159.29.122:443:443 \
|
||||||
|
--publish [2001:bc8:6005:19:208:a2ff:fe0c:917c]:80:80 \
|
||||||
|
--publish [2001:bc8:6005:19:208:a2ff:fe0c:917c]:443:443 \
|
||||||
|
--network pew-net \
|
||||||
|
linuxserver/letsencrypt:latest
|
|
@ -0,0 +1,63 @@
|
||||||
|
## Version 2018/04/07 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf
|
||||||
|
|
||||||
|
user abc;
|
||||||
|
worker_processes 4;
|
||||||
|
pid /run/nginx.pid;
|
||||||
|
include /etc/nginx/modules/*.conf;
|
||||||
|
|
||||||
|
events {
|
||||||
|
worker_connections 768;
|
||||||
|
# multi_accept on;
|
||||||
|
}
|
||||||
|
|
||||||
|
http {
|
||||||
|
|
||||||
|
##
|
||||||
|
# Basic Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
sendfile on;
|
||||||
|
tcp_nopush on;
|
||||||
|
tcp_nodelay on;
|
||||||
|
keepalive_timeout 65;
|
||||||
|
types_hash_max_size 2048;
|
||||||
|
# server_tokens off;
|
||||||
|
|
||||||
|
# server_names_hash_bucket_size 64;
|
||||||
|
# server_name_in_redirect off;
|
||||||
|
|
||||||
|
client_max_body_size 0;
|
||||||
|
|
||||||
|
include /etc/nginx/mime.types;
|
||||||
|
default_type application/octet-stream;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Logging Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
access_log /config/log/nginx/access.log;
|
||||||
|
error_log /config/log/nginx/error.log;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Gzip Settings
|
||||||
|
##
|
||||||
|
|
||||||
|
gzip on;
|
||||||
|
gzip_disable "msie6";
|
||||||
|
|
||||||
|
# gzip_vary on;
|
||||||
|
# gzip_proxied any;
|
||||||
|
# gzip_comp_level 6;
|
||||||
|
# gzip_buffers 16 8k;
|
||||||
|
# gzip_http_version 1.1;
|
||||||
|
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
||||||
|
|
||||||
|
##
|
||||||
|
# Virtual Host Configs
|
||||||
|
##
|
||||||
|
include /etc/nginx/conf.d/*.conf;
|
||||||
|
include /config/nginx/site-confs/default;
|
||||||
|
include /config/nginx/site-confs/*.enabled;
|
||||||
|
}
|
||||||
|
|
||||||
|
daemon off;
|
|
@ -4,13 +4,26 @@
|
||||||
# This is the main file that will be pe present no matter what
|
# This is the main file that will be pe present no matter what
|
||||||
# Individual sites are specified in /config/nginx/sites/*.enabled
|
# Individual sites are specified in /config/nginx/sites/*.enabled
|
||||||
|
|
||||||
# Redirect HTTP traffic to HTTPS
|
# Redirect unknown HTTP traffic to https://seaturtle.pw
|
||||||
server {
|
server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
listen [::]:80 default_server;
|
listen [::]:80 default_server;
|
||||||
server_name _;
|
server_name _;
|
||||||
|
|
||||||
|
return 301 https://seaturtle.pw;
|
||||||
|
}
|
||||||
|
|
||||||
return 301 https://$host$request_uri;
|
# Redirect unknown HTTPS traffic to https://seaturtle.pw
|
||||||
|
# If we don't have a cert for the site the client get an error but that's fine
|
||||||
|
server {
|
||||||
|
listen 443 default_server;
|
||||||
|
listen [::]:443 default_server;
|
||||||
|
server_name _;
|
||||||
|
|
||||||
|
# ssl conf
|
||||||
|
include /config/nginx/ssl.conf;
|
||||||
|
|
||||||
|
return 301 https://seaturtle.pw;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Enabled sites are included in /config/nginx/nginx.conf
|
# Enabled sites are included in /config/nginx/nginx.conf
|
|
@ -0,0 +1,51 @@
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
server_name madone.seaturtle.pw;
|
||||||
|
|
||||||
|
return 301 https://seaturtle.pw$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
listen [::]:443 ssl;
|
||||||
|
server_name madone.seaturtle.pw;
|
||||||
|
|
||||||
|
# ssl conf
|
||||||
|
include /config/nginx/ssl.conf;
|
||||||
|
|
||||||
|
client_max_body_size 1M;
|
||||||
|
|
||||||
|
# Proxy syncthing
|
||||||
|
location /syncthing/ {
|
||||||
|
auth_basic "not today buddy";
|
||||||
|
auth_basic_user_file /config/nginx/syncthing-htpasswd;
|
||||||
|
proxy_set_header X-Real_IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-proto $scheme;
|
||||||
|
proxy_pass http://syncthing:8384/;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Proxy weechat
|
||||||
|
location /weechat {
|
||||||
|
proxy_pass http://172.17.0.1:9001;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
proxy_set_header Upgrade $http_upgrade;
|
||||||
|
proxy_set_header Connection "upgrade";
|
||||||
|
proxy_read_timeout 8h;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Serve misc files
|
||||||
|
location /files {
|
||||||
|
alias /files-docker;
|
||||||
|
autoindex on;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Serve syncthing files
|
||||||
|
location /sync {
|
||||||
|
auth_basic "nope definitely not today buddy";
|
||||||
|
auth_basic_user_file /config/nginx/sync-htpasswd;
|
||||||
|
alias /sync-docker;
|
||||||
|
autoindex on;
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,19 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Assumes pew-net exists
|
||||||
|
# Create mounted dirs (as non-root) before launching
|
||||||
|
|
||||||
|
docker run \
|
||||||
|
--name syncthing \
|
||||||
|
--detach \
|
||||||
|
--restart unless-stopped \
|
||||||
|
--env PUID=1000 \
|
||||||
|
--env PGID=1000 \
|
||||||
|
--env TZ=Europe/London \
|
||||||
|
--env UMASK_SET=022 \
|
||||||
|
--volume $PWD/config:/config:rw \
|
||||||
|
--volume $PWD/sync:/sync-docker:rw \
|
||||||
|
--publish 22000:22000 \
|
||||||
|
--publish 21027:21027/udp \
|
||||||
|
--network pew-net \
|
||||||
|
linuxserver/syncthing:latest
|
|
@ -1,3 +1,5 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
|
||||||
import json
|
import json
|
||||||
from selenium import webdriver
|
from selenium import webdriver
|
||||||
from selenium.webdriver.common.by import By
|
from selenium.webdriver.common.by import By
|
||||||
|
|
|
@ -1,3 +0,0 @@
|
||||||
[irc-etc]
|
|
||||||
# User must be changed from root to admin user after initial run
|
|
||||||
joe@madone.seaturtle.pw
|
|
|
@ -1,104 +0,0 @@
|
||||||
---
|
|
||||||
- hosts: irc-etc
|
|
||||||
become: yes
|
|
||||||
handlers:
|
|
||||||
- name: Restart ssh
|
|
||||||
service:
|
|
||||||
name: ssh
|
|
||||||
state: restarted
|
|
||||||
|
|
||||||
tasks:
|
|
||||||
- name: ping host
|
|
||||||
ping:
|
|
||||||
|
|
||||||
- name: Allow passwordless sudo
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/sudoers
|
|
||||||
state: present
|
|
||||||
regexp: '^%sudo'
|
|
||||||
line: '%sudo ALL=(ALL) NOPASSWD:ALL'
|
|
||||||
validate: 'visudo -cf %s'
|
|
||||||
|
|
||||||
- name: Create admin user
|
|
||||||
user:
|
|
||||||
name: joe
|
|
||||||
groups: sudo
|
|
||||||
shell: /bin/bash
|
|
||||||
|
|
||||||
- name: Create normal user
|
|
||||||
user:
|
|
||||||
name: pew
|
|
||||||
shell: /bin/bash
|
|
||||||
|
|
||||||
- name: Add authorized ssh key from localhost
|
|
||||||
authorized_key:
|
|
||||||
user: "{{ item }}"
|
|
||||||
state: present
|
|
||||||
key: "{{ lookup('file', lookup('env','HOME') + '/.ssh/id_rsa.pub') }}"
|
|
||||||
with_items:
|
|
||||||
- joe
|
|
||||||
- pew
|
|
||||||
|
|
||||||
- name: Disable password ssh
|
|
||||||
lineinfile: dest=/etc/ssh/sshd_config
|
|
||||||
regexp="^PasswordAuthentication"
|
|
||||||
line="PasswordAuthentication no"
|
|
||||||
state=present
|
|
||||||
notify: Restart ssh
|
|
||||||
|
|
||||||
# May have to be done manually
|
|
||||||
- name: Disallow root SSH access
|
|
||||||
lineinfile: dest=/etc/ssh/sshd_config
|
|
||||||
regexp="^PermitRootLogin"
|
|
||||||
line="PermitRootLogin no"
|
|
||||||
state=present
|
|
||||||
notify: Restart ssh
|
|
||||||
|
|
||||||
- name: Update apt and upgrade packages
|
|
||||||
apt:
|
|
||||||
update_cache: yes
|
|
||||||
upgrade: yes
|
|
||||||
|
|
||||||
- name: Install packages
|
|
||||||
apt:
|
|
||||||
pkg:
|
|
||||||
- apt-transport-https
|
|
||||||
- ca-certificates
|
|
||||||
- curl
|
|
||||||
- git
|
|
||||||
- gnupg
|
|
||||||
- htop
|
|
||||||
- iodine
|
|
||||||
- mosh
|
|
||||||
- oidentd
|
|
||||||
- software-properties-common
|
|
||||||
- tmux
|
|
||||||
- weechat
|
|
||||||
- zsh
|
|
||||||
state: latest
|
|
||||||
|
|
||||||
- name: Add Docker and Syncthing GPG key
|
|
||||||
apt_key:
|
|
||||||
url: https://download.docker.com/linux/ubuntu/gpg
|
|
||||||
|
|
||||||
- name: Add Docker and Syncthing APT repository
|
|
||||||
apt_repository:
|
|
||||||
repo: deb [arch=amd64] https://download.docker.com/linux/debian {{ansible_lsb.codename}} stable
|
|
||||||
|
|
||||||
- name: Update apt
|
|
||||||
apt:
|
|
||||||
update_cache: yes
|
|
||||||
|
|
||||||
# May require a reboot
|
|
||||||
- name: Install Docker & Synthing
|
|
||||||
apt:
|
|
||||||
pkg:
|
|
||||||
- docker-ce
|
|
||||||
- docker-compose
|
|
||||||
state: latest
|
|
||||||
|
|
||||||
- name: Add admin user to docker group
|
|
||||||
user:
|
|
||||||
name: joe
|
|
||||||
groups: docker
|
|
||||||
append: yes
|
|
|
@ -1,49 +0,0 @@
|
||||||
version: '3'
|
|
||||||
|
|
||||||
services:
|
|
||||||
letsencrypt:
|
|
||||||
restart: unless-stopped
|
|
||||||
image: linuxserver/letsencrypt
|
|
||||||
cap_add:
|
|
||||||
- NET_ADMIN
|
|
||||||
environment:
|
|
||||||
PUID: 1000
|
|
||||||
PGID: 1000
|
|
||||||
EMAIL: sysadmin@seaturtle.pw
|
|
||||||
# URL field must be working since nginx only starts if letsencrypt works
|
|
||||||
URL: seaturtle.pw
|
|
||||||
SUBDOMAINS: madone
|
|
||||||
EXTRA_DOMAINS: www.paul.walko.org,paul.walko.org
|
|
||||||
VALIDATION: html # TODO Switch to dns + gandi api once pr is merged
|
|
||||||
TZ: America/New_York
|
|
||||||
volumes:
|
|
||||||
# nginx persistent storage
|
|
||||||
- /home/joe/docker/nginx/config:/config
|
|
||||||
# RO settings
|
|
||||||
- ./htpasswd:/secrets/htpasswd # Create once deployed
|
|
||||||
- ./nginx.conf:/config/nginx/nginx.conf:ro
|
|
||||||
- ./ssl.conf:/config/nginx/ssl.conf:ro
|
|
||||||
- ./site-confs:/config/nginx/site-confs:ro
|
|
||||||
- ./jail.local:/config/jail2ban/jail.local:ro
|
|
||||||
# etc files
|
|
||||||
- /home/joe/docker/syncthing/sync:/sync:ro
|
|
||||||
ports:
|
|
||||||
- 10.21.2.155:80:80
|
|
||||||
- 10.21.2.155:443:443
|
|
||||||
- 2001:bc8:4728:8d0d::1:80:80
|
|
||||||
- 2001:bc8:4728:8d0d::1:443:443
|
|
||||||
|
|
||||||
syncthing:
|
|
||||||
restart: unless-stopped
|
|
||||||
image: linuxserver/syncthing
|
|
||||||
environment:
|
|
||||||
PUID: 1000
|
|
||||||
PGID: 1000
|
|
||||||
TZ: America/Eastern
|
|
||||||
UMASK_SET: <022>
|
|
||||||
volumes:
|
|
||||||
- /home/joe/docker/syncthing/config:/config
|
|
||||||
- /home/joe/docker/syncthing/sync:/sync
|
|
||||||
ports:
|
|
||||||
- 22000:22000
|
|
||||||
- 21027:21027/udp
|
|
|
@ -1,46 +0,0 @@
|
||||||
# This is the custom version of the jail.conf for fail2ban
|
|
||||||
# Feel free to modify this and add additional filters
|
|
||||||
# Then you can drop the new filter conf files into the fail2ban-filters
|
|
||||||
# folder and restart the container
|
|
||||||
|
|
||||||
[DEFAULT]
|
|
||||||
|
|
||||||
# "bantime" is the number of seconds that a host is banned.
|
|
||||||
bantime = 600
|
|
||||||
|
|
||||||
# A host is banned if it has generated "maxretry" during the last "findtime"
|
|
||||||
# seconds.
|
|
||||||
findtime = 600
|
|
||||||
|
|
||||||
# "maxretry" is the number of failures before a host get banned.
|
|
||||||
maxretry = 5
|
|
||||||
|
|
||||||
|
|
||||||
[ssh]
|
|
||||||
|
|
||||||
enabled = false
|
|
||||||
|
|
||||||
|
|
||||||
[nginx-http-auth]
|
|
||||||
|
|
||||||
enabled = true
|
|
||||||
filter = nginx-http-auth
|
|
||||||
port = http,https
|
|
||||||
logpath = /config/log/nginx/error.log
|
|
||||||
|
|
||||||
|
|
||||||
[nginx-badbots]
|
|
||||||
|
|
||||||
enabled = true
|
|
||||||
port = http,https
|
|
||||||
filter = nginx-badbots
|
|
||||||
logpath = /config/log/nginx/access.log
|
|
||||||
maxretry = 2
|
|
||||||
|
|
||||||
|
|
||||||
[nginx-botsearch]
|
|
||||||
|
|
||||||
enabled = true
|
|
||||||
port = http,https
|
|
||||||
filter = nginx-botsearch
|
|
||||||
logpath = /config/log/nginx/access.log
|
|
|
@ -1,101 +0,0 @@
|
||||||
## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf
|
|
||||||
|
|
||||||
user abc;
|
|
||||||
worker_processes 4;
|
|
||||||
pid /run/nginx.pid;
|
|
||||||
include /etc/nginx/modules/*.conf;
|
|
||||||
|
|
||||||
events {
|
|
||||||
worker_connections 768;
|
|
||||||
# multi_accept on;
|
|
||||||
}
|
|
||||||
|
|
||||||
http {
|
|
||||||
|
|
||||||
##
|
|
||||||
# Basic Settings
|
|
||||||
##
|
|
||||||
|
|
||||||
sendfile on;
|
|
||||||
tcp_nopush on;
|
|
||||||
tcp_nodelay on;
|
|
||||||
keepalive_timeout 65;
|
|
||||||
types_hash_max_size 2048;
|
|
||||||
# server_tokens off;
|
|
||||||
|
|
||||||
# server_names_hash_bucket_size 64;
|
|
||||||
# server_name_in_redirect off;
|
|
||||||
|
|
||||||
client_max_body_size 0;
|
|
||||||
|
|
||||||
include /etc/nginx/mime.types;
|
|
||||||
default_type application/octet-stream;
|
|
||||||
|
|
||||||
##
|
|
||||||
# Logging Settings
|
|
||||||
##
|
|
||||||
|
|
||||||
access_log /config/log/nginx/access.log;
|
|
||||||
error_log /config/log/nginx/error.log;
|
|
||||||
|
|
||||||
##
|
|
||||||
# Gzip Settings
|
|
||||||
##
|
|
||||||
|
|
||||||
gzip on;
|
|
||||||
gzip_disable "msie6";
|
|
||||||
|
|
||||||
# gzip_vary on;
|
|
||||||
# gzip_proxied any;
|
|
||||||
# gzip_comp_level 6;
|
|
||||||
# gzip_buffers 16 8k;
|
|
||||||
# gzip_http_version 1.1;
|
|
||||||
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
|
|
||||||
|
|
||||||
##
|
|
||||||
# nginx-naxsi config
|
|
||||||
##
|
|
||||||
# Uncomment it if you installed nginx-naxsi
|
|
||||||
##
|
|
||||||
|
|
||||||
#include /etc/nginx/naxsi_core.rules;
|
|
||||||
|
|
||||||
##
|
|
||||||
# nginx-passenger config
|
|
||||||
##
|
|
||||||
# Uncomment it if you installed nginx-passenger
|
|
||||||
##
|
|
||||||
|
|
||||||
#passenger_root /usr;
|
|
||||||
#passenger_ruby /usr/bin/ruby;
|
|
||||||
|
|
||||||
##
|
|
||||||
# Virtual Host Configs
|
|
||||||
##
|
|
||||||
include /etc/nginx/conf.d/*.conf;
|
|
||||||
include /config/nginx/site-confs/default;
|
|
||||||
include /config/nginx/site-confs/*.enabled;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
#mail {
|
|
||||||
# # See sample authentication script at:
|
|
||||||
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
|
|
||||||
#
|
|
||||||
# # auth_http localhost/auth.php;
|
|
||||||
# # pop3_capabilities "TOP" "USER";
|
|
||||||
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
|
||||||
#
|
|
||||||
# server {
|
|
||||||
# listen localhost:110;
|
|
||||||
# protocol pop3;
|
|
||||||
# proxy on;
|
|
||||||
# }
|
|
||||||
#
|
|
||||||
# server {
|
|
||||||
# listen localhost:143;
|
|
||||||
# protocol imap;
|
|
||||||
# proxy on;
|
|
||||||
# }
|
|
||||||
#}
|
|
||||||
daemon off;
|
|
|
@ -1,43 +0,0 @@
|
||||||
server {
|
|
||||||
listen 443 ssl;
|
|
||||||
listen [::]:443 ssl;
|
|
||||||
server_name seaturtle.pw paul.walko.org www.paul.walko.org;
|
|
||||||
|
|
||||||
# ssl conf
|
|
||||||
include /config/nginx/ssl.conf;
|
|
||||||
|
|
||||||
client_max_body_size 1M;
|
|
||||||
|
|
||||||
# Main site
|
|
||||||
location / {
|
|
||||||
proxy_pass https://paulwalko.github.io;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /files {
|
|
||||||
alias /files;
|
|
||||||
autoindex on;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /sync {
|
|
||||||
auth_basic "Restricted Content";
|
|
||||||
auth_basic_user_file /secrets/htpasswd;
|
|
||||||
alias /sync;
|
|
||||||
autoindex on;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /syncthing/ {
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_pass https://syncthing:8384/;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /weechat {
|
|
||||||
proxy_pass http://127.0.0.1:9001/weechat;
|
|
||||||
proxy_http_version 1.1;
|
|
||||||
proxy_set_header Upgrade $http_upgrade;
|
|
||||||
proxy_set_header Connection "Upgrade";
|
|
||||||
proxy_read_timeout 604800;
|
|
||||||
proxy_set_header X-RealIP $remote_addr;
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,36 +0,0 @@
|
||||||
## Version 2018/05/31 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/ssl.conf
|
|
||||||
|
|
||||||
# session settings
|
|
||||||
ssl_session_timeout 1d;
|
|
||||||
ssl_session_cache shared:SSL:50m;
|
|
||||||
ssl_session_tickets off;
|
|
||||||
|
|
||||||
# Diffie-Hellman parameter for DHE cipher suites
|
|
||||||
ssl_dhparam /config/nginx/dhparams.pem;
|
|
||||||
|
|
||||||
# ssl certs
|
|
||||||
#ssl_certificate /config/keys/letsencrypt/fullchain.pem;
|
|
||||||
#ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
|
|
||||||
ssl_certificate /etc/letsencrypt/live/seaturtle.pw/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/seaturtle.pw/privkey.pem;
|
|
||||||
|
|
||||||
# protocols
|
|
||||||
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
|
|
||||||
|
|
||||||
# HSTS, remove # from the line below to enable HSTS
|
|
||||||
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
|
|
||||||
|
|
||||||
# OCSP Stapling
|
|
||||||
ssl_stapling on;
|
|
||||||
ssl_stapling_verify on;
|
|
||||||
|
|
||||||
# Optional additional headers
|
|
||||||
#add_header Content-Security-Policy "upgrade-insecure-requests";
|
|
||||||
#add_header X-Frame-Options "SAMEORIGIN" always;
|
|
||||||
#add_header X-XSS-Protection "1; mode=block" always;
|
|
||||||
#add_header X-Content-Type-Options "nosniff" always;
|
|
||||||
#add_header X-UA-Compatible "IE=Edge" always;
|
|
||||||
#add_header Cache-Control "no-transform" always;
|
|
||||||
#add_header Referrer-Policy "same-origin" always;
|
|
|
@ -1,13 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=Weechat IRC Client (in tmux)
|
|
||||||
After=network.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
User=pew
|
|
||||||
Type=oneshot
|
|
||||||
RemainAfterExit=yes
|
|
||||||
ExecStart=/usr/bin/tmux new-session -d -s irc /usr/bin/weechat
|
|
||||||
ExecStop=/usr/bin/tmux kill-session -t irc
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
Loading…
Reference in New Issue