propellor

propellor config for hosts.
git clone git://git.ricketyspace.net/propellor.git

commit 27e58c0a90c4b44dd0a232f4defed1aca1441a99
parent 093742f67aa4c1d678dafd4580a6c2e4b37cf037
Author: rsiddharth <s@ricketyspace.net>
Date:   Thu, 25 Jan 2018 13:09:15 +0000

propellor spin

Diffstat:
config.hs | 65+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 63 insertions(+), 2 deletions(-)

diff --git a/config.hs b/config.hs
@@ -641,8 +641,7 @@ lyra = host "lyra.ricketyspace.net" $props
 & Apt.stdSourcesList
 & Apt.unattendedUpgrades
 & Apt.safeUpgrade
- & Apt.installed ["nginx-full"
- , "git", "etckeeper"
+ & Apt.installed ["git", "etckeeper"
 , "htop", "sudo", "zsh", "screen"
 , "emacs", "rsync", "git-annex"
 ]
@@ -650,6 +649,8 @@ lyra = host "lyra.ricketyspace.net" $props
 & Ssh.passwordAuthentication False
 -- system
 & Fail2Ban.installed
+ & Nginx.installed
+ & Nginx.siteEnabled "ricketyspace.net" ricketspaceNetNginx
 -- root config
 & Ssh.authorizedKey (User "root") sCanonicalSshPubKey
 -- w config
@@ -662,3 +663,63 @@ lyra = host "lyra.ricketyspace.net" $props
 & User.hasLoginShell (User "s") "/usr/bin/zsh"
 & Sudo.enabledFor (User "s")
 & Ssh.authorizedKey (User "s") sCanonicalSshPubKey
+
+ricketspaceNetNginx :: [String]
+ricketspaceNetNginx = [
+ "# Adapted from https://gist.github.com/konklone/6532544"
+ , ""
+ , "server {"
+ , " listen 80;"
+ , " listen [::]:80;"
+ , " server_name ricketyspace.net;"
+ , " return 301 https://$host$request_uri;"
+ , "}"
+ , ""
+ , "# The 'spdy' at the end of the listen command below turns on SPDY support."
+ , ""
+ , "server {"
+ , " listen 443 ssl spdy;"
+ , " listen [::]:443 ssl spdy;"
+ , " server_name ricketyspace.net;"
+ , ""
+ , " root /home/s/rs_pub;"
+ , " error_page 404 /404.html;"
+ , " error_page 403 /403.html;"
+ , " default_type text/plain;"
+ , ""
+ , " location /git-difme/releases/ {"
+ , " autoindex on;"
+ , " }"
+ , ""
+ , " location /nsfw/ {"
+ , " autoindex on;"
+ , " }"
+ , ""
+ , " # Path to certificate and private key."
+ , " # The .crt may omit the root CA cert, if it's a standard CA that ships with clients."
+ , " ssl_certificate /etc/ssl/certs/rs.net.chained.le.pem;"
+ , " ssl_certificate_key /etc/ssl/private/rs.net.d.le.key;"
+ , ""
+ , " add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';"
+ , ""
+ , " ssl_prefer_server_ciphers on;"
+ , " ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';"
+ , ""
+ , " ssl_protocols TLSv1.2 TLSv1.1 TLSv1;"
+ , ""
+ , " # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html"
+ , " ssl_session_cache shared:SSL:10m;"
+ , " ssl_session_timeout 10m;"
+ , " keepalive_timeout 70;"
+ , ""
+ , " # nginx 1.5.9+ ONLY"
+ , " ssl_buffer_size 1400; "
+ , ""
+ , " spdy_headers_comp 0;"
+ , ""
+ , " #"
+ , " # Generated by OpenSSL with the following command:"
+ , " # openssl dhparam -outform pem -out dhparam2048.pem 2048"
+ , " ssl_dhparam /etc/ssl/certs/dhparam4096.pem;"
+ , "}"
+ ]
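Review bot: The TLS settings in `ricketspaceNetNginx` still permit TLS 1.0 and 1.1 and the 3DES suite `DES-CBC3-SHA`, all of which were already deprecated when this was written; tighten the protocol line to `, " ssl_protocols TLSv1.2;"` and remove `DES-CBC3-SHA` from the `ssl_ciphers` string so the server no longer negotiates a 64-bit block cipher. Both HTTPS `listen` lines use the `spdy` parameter and the block sets `spdy_headers_comp 0;`; the SPDY module was removed from nginx in 1.9.5 in favour of HTTP/2, so if the target host ships a newer nginx this site file will not pass `nginx -t` — `listen 443 ssl http2;` (and its `[::]` twin) with the `spdy_headers_comp` line deleted is the equivalent. The provenance comment above `ssl_dhparam` names `dhparam2048.pem` while the directive loads `/etc/ssl/certs/dhparam4096.pem`; align it as `# openssl dhparam -outform pem -out dhparam4096.pem 4096` so the note describes the file actually deployed. The `lyra` host definition that this hunk's context lines belong to begins outside the hunk.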