propellor

propellor config for hosts.

commit a13adc6fbd48fc9eb814fefe30af34526d00e680
parent 27e58c0a90c4b44dd0a232f4defed1aca1441a99
Author: rsiddharth <s@ricketyspace.net>
Date:   Thu, 25 Jan 2018 13:16:50 +0000

propellor spin

Diffstat:
config.hs | 76+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 73 insertions(+), 3 deletions(-)

diff --git a/config.hs b/config.hs
@@ -650,7 +650,8 @@ lyra = host "lyra.ricketyspace.net" $props
  -- system
  & Fail2Ban.installed
  & Nginx.installed
- & Nginx.siteEnabled "ricketyspace.net" ricketspaceNetNginx
+ & Nginx.siteEnabled "ricketyspace.net" ricketyspaceNetNginx
+ & Nginx.siteEnabled "git.ricketyspace.net" gitRicketyspaceNetNginx
  -- root config
  & Ssh.authorizedKey (User "root") sCanonicalSshPubKey
  -- w config
@@ -664,8 +665,8 @@ lyra = host "lyra.ricketyspace.net" $props
  & Sudo.enabledFor (User "s")
  & Ssh.authorizedKey (User "s") sCanonicalSshPubKey
 
-ricketspaceNetNginx :: [String]
-ricketspaceNetNginx = [
+ricketyspaceNetNginx :: [String]
+ricketyspaceNetNginx = [
  "# Adapted from https://gist.github.com/konklone/6532544"
  , ""
  , "server {"
@@ -723,3 +724,72 @@ ricketspaceNetNginx = [
  , " ssl_dhparam /etc/ssl/certs/dhparam4096.pem;"
  , "}"
  ]
+
+gitRicketyspaceNetNginx :: [String]
+gitRicketyspaceNetNginx = [
+ "# Adapted from https://gist.github.com/konklone/6532544"
+ , ""
+ , "server {"
+ , " listen 80;"
+ , " listen [::]:80;"
+ , " server_name git.ricketyspace.net;"
+ , " return 301 https://$host$request_uri;"
+ , "}"
+ , ""
+ , "# The 'spdy' at the end of the listen command below turns on SPDY support."
+ , ""
+ , "server {"
+ , " listen 443 ssl spdy;"
+ , " listen [::]:443 ssl spdy;"
+ , " server_name git.ricketyspace.net;"
+ , ""
+ , " access_log /var/log/nginx/cgit-access.log;"
+ , " error_log /var/log/nginx/cgit-error.log;"
+ , ""
+ , ""
+ , " root /home/s/public_cgit/;"
+ , " #error_page 404 /404.html;"
+ , " #error_page 403 /403.html;"
+ , " default_type text/plain;"
+ , ""
+ , " location / {"
+ , " try_files $uri @cgit;"
+ , " }"
+ , ""
+ , " location @cgit {"
+ , " include /etc/nginx/fastcgi_params;"
+ , " fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;"
+ , " fastcgi_param PATH_INFO $uri;"
+ , " fastcgi_param QUERY_STRING $args;"
+ , " fastcgi_param HTTP_HOST $server_name;"
+ , " fastcgi_pass unix:/var/run/fcgiwrap.socket;"
+ , " }"
+ , ""
+ , " # Path to certificate and private key."
+ , " # The .crt may omit the root CA cert, if it's a standard CA that ships with clients."
+ , " ssl_certificate /etc/ssl/certs/git.rs.net.chained.le.pem;"
+ , " ssl_certificate_key /etc/ssl/private/git.rs.net.d.le.key;"
+ , ""
+ , " add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';"
+ , ""
+ , " ssl_prefer_server_ciphers on;"
+ , " ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';"
+ , ""
+ , " ssl_protocols TLSv1.2 TLSv1.1 TLSv1;"
+ , ""
+ , " # as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html"
+ , " ssl_session_cache shared:SSL:10m;"
+ , " ssl_session_timeout 10m;"
+ , " keepalive_timeout 70;"
+ , ""
+ , " # nginx 1.5.9+ ONLY"
+ , " ssl_buffer_size 1400;"
+ , ""
+ , " spdy_headers_comp 0;"
+ , ""
+ , " #"
+ , " # Generated by OpenSSL with the following command:"
+ , " # openssl dhparam -outform pem -out dhparam2048.pem 2048"
+ , " ssl_dhparam /etc/ssl/certs/dhparam4096.pem;"
+ , "}"
+ ]
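Review bot: The new git.ricketyspace.net server block still offers TLSv1 and TLSv1.1 on its `ssl_protocols` line and keeps `DES-CBC3-SHA` (3DES) in `ssl_ciphers`, neither of which a freshly added vhost needs; `ssl_protocols TLSv1.2;` and dropping `DES-CBC3-SHA` from the cipher string would limit it to what current clients negotiate anyway. The comment just above `ssl_dhparam` says the parameters were generated as `dhparam2048.pem` with a 2048-bit size, while the directive loads `/etc/ssl/certs/dhparam4096.pem`, so one of the two is stale and the comment should name the file actually used. The `spdy` tokens on the `listen` lines and `spdy_headers_comp 0;` presumably mirror the existing ricketyspaceNetNginx block, but nginx dropped SPDY in favour of `http2` some releases ago, so this configuration will only load on an older nginx and is worth a comment or a switch to `http2`. Both blocks appear to share the same TLS settings, so the same notes apply to ricketyspaceNetNginx, whose body lies mostly outside this hunk.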