infra/roles/www/templates/01-sudo.is.conf.j2


# {{ ansible_managed }}
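server {
    # docs.<domain>: redirect-only vhost. Every request is sent permanently to
    # the canonical /docs/ tree on www.<domain>; the Link header advertises that
    # canonical location on the redirect response itself.
    server_name docs.{{ domain }};
    {% if inventory_hostname in wg_clients -%}
    listen {{ wg_clients[inventory_hostname].ip }}:443 ssl;
    {% endif -%}
    listen 443 ssl http2;
    {% if nginx_http2 -%}
    #http2 on;
    {% else -%}
    #http2 off;
    {% endif %}
    include listen-proxy-protocol.conf;
    include sec.conf;
    ssl_certificate /usr/local/etc/certs/docs.{{ domain }}/fullchain.pem;
    ssl_certificate_key /usr/local/etc/certs/docs.{{ domain }}/privkey.pem;
    include conf.d/headers-{{ domain }}.conf;
    add_header X-Sudo-Section "redirect" always;
    # The value used to end in a stray '>' after rel="canonical", which leaked
    # into the header and made it malformed; this matches the cv1.pdf form.
    add_header "Link" '<https://www.{{ domain }}/docs/>; rel="canonical"' always;
    location / {
        rewrite ^/(.*)$ https://www.{{ domain }}/docs/$1 permanent;
    }
    access_log /var/log/nginx/access_docs.{{ domain }}.log main;
    error_log /var/log/nginx/error_docs.{{ domain }}.log warn;
}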
server {
    # Apex vhost for <domain> plus every additional_server_names entry (bare
    # and www.). It only answers the locations provided by the /.well-known/
    # and /.sudo-known/ includes; everything else is sent to www.<domain>.
    {% if inventory_hostname in wg_clients -%}
    listen {{ wg_clients[inventory_hostname].ip }}:443 ssl;
    {% endif -%}
    listen 443 ssl;
    {% if nginx_http2 -%}
    #http2 on;
    {% else -%}
    #http2 off;
    {% endif %}
    server_name {{ domain }} {%- for d in additional_server_names %} {{ d }} www.{{ d }}{% endfor %};
    include listen-proxy-protocol.conf;
    include sec.conf;
    # The apex is served under the www certificate.
    ssl_certificate /usr/local/etc/certs/www.{{ domain }}/fullchain.pem;
    ssl_certificate_key /usr/local/etc/certs/www.{{ domain }}/privkey.pem;
    charset utf-8;
    # Locations for /.well-known/ and /.sudo-known/ come from these includes.
    include /etc/nginx/well-known.conf;
    include /etc/nginx/sudo-known.conf;
    include /etc/nginx/authelia_internal.conf;
    root /var/www/www.{{ domain }};
    # Prefix fallback: whatever no included location claims is redirected.
    location / {
        rewrite ^/(.*)$ https://www.{{ domain }}/$1 permanent;
    }
    access_log /var/log/nginx/access_www.{{ domain }}.log main;
    error_log /var/log/nginx/error_www.{{ domain }}.log warn;
}
# "~/docs/(.*)/(*).html$" "https://www.{{ domain }}/docs/$1/$2.html";
# Maps the original request URI to the URL advertised in the Link
# rel="canonical" header emitted inside location /docs of the www vhost; an
# empty result (no match) means no header. nginx tries the plain string
# entries as exact matches first, then the "~"-prefixed regexes in order.
# NOTE(review): $request_uri includes the query string, so a request with
# "?..." only matches an entry whose pattern tolerates it -- none here do.
map $request_uri $canonical_url {
    "/docs" "https://www.{{ domain }}/docs/";
    "/docs/" "https://www.{{ domain }}/docs/";
    "/docs/index.html" "https://www.{{ domain }}/docs/";
    # NOTE(review): no "~" prefix, so this entry is compared as a literal
    # string and the "(.*)$" part can never match a real URI -- it is dead.
    # It also names /build/hass/ while the rewrite for the same path in
    # location /docs sends clients to /docs/builds/hass/; confirm the intended
    # target before turning it into a regex.
    "/docs/hass/building/(.*)$" "https://www.{{ domain }}/build/hass/";
    "/docs/Keys/index.html" "https://www.{{ domain }}/docs/keys/";
    "~/docs/(.*)/index.html$" "https://www.{{ domain }}/docs/$1/";
    "~/docs/(.*)/$" "https://www.{{ domain }}/docs/$1/";
    "~/docs/(.*)/(.*)\.pdf$" "https://www.{{ domain }}/docs/$1/$2.pdf";
    # Extension-less page names get a trailing slash as their canonical form.
    "~/docs/(.*)/([a-zA-Z0-9]+)$" "https://www.{{ domain }}/docs/$1/$2/";
}
# "~/docs/(.*)$" "https://www.{{ domain }}/$1/";
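server {
    # www.<domain>: the main static site, several Authelia-protected
    # reverse-proxied sections (/cal/, /ls54/camera/, /_media, /api/whoami)
    # and a same-origin mirror of the getinsights.io analytics script.
    server_name www.{{ domain }};
    {% if inventory_hostname in wg_clients -%}
    listen {{ wg_clients[inventory_hostname].ip }}:443 ssl http2;
    {% endif -%}
    listen 443 ssl http2;
    include listen-proxy-protocol.conf;
    include sec.conf;
    # include /.well-known/ and /.sudo-known/ urls.
    include /etc/nginx/well-known.conf;
    include /etc/nginx/sudo-known.conf;
    charset utf-8;
    ssl_certificate /usr/local/etc/certs/www.{{ domain }}/fullchain.pem;
    ssl_certificate_key /usr/local/etc/certs/www.{{ domain }}/privkey.pem;
    include /etc/nginx/authelia_internal.conf;
    root /var/www/www.{{ domain }};
    location / {
        error_page 401 /401.html;
        error_page 403 /403.html;
        error_page 404 /404.html;
        sub_filter_once off;
        # $request_uri is spliced into the page body without escaping; this is
        # only safe while the marker sits in a plain-text context the
        # (browser-encoded) URI cannot break out of -- TODO confirm in the page.
        sub_filter '<!-- request-uri -->' '$request_uri';
        location ~* ^.+\.json$ {
            include conf.d/headers-{{ domain }}.conf;
            # NOTE(review): add_header appends a second Content-Type next to the
            # one nginx derives from mime.types rather than replacing it -- verify
            # this is still needed.
            add_header Content-Type application/json;
        }
        location = /topsecret {
            return 401;
        }
        # Authelia-protected section; the authenticated username is echoed back
        # to the (already authenticated) client in a response header.
        location {{ coolcats }} {
            include /etc/nginx/require_auth.conf;
            add_header X-Sudo-Section "{{ coolcats }}" always;
            add_header "sudo-user" $authelia_user;
        }
        # Inventory-defined short aliases (www_rewrite_aliases: alias, path and
        # an optional flag). The alias is inserted into the regex verbatim, with
        # no escaping, so an alias containing regex metacharacters will not be
        # matched literally.
        {% for item in www_rewrite_aliases|default([]) -%}
        {% set alias = item.alias.lstrip("/").rstrip("/") -%}
        rewrite ^/{{ alias }}/?$ {{ item.path }}{{ " " if "flag" in item else "" }}{{ item.flag|default("") }};
        {% endfor %}
        # Directory listings are enabled for the whole document root: any
        # directory under it without an index file is enumerable by anyone.
        autoindex on;
        autoindex_exact_size off;
    }
    location = /cv1.pdf {
        # good side effect, removes X-Robots-Tag header
        include conf.d/headers-{{ domain }}.conf;
        add_header "x-for-hire" "false";
        add_header X-Sudo-Section "root" always;
        add_header "Link" '<https://www.{{ domain }}/cv1.pdf>; rel="canonical"' always;
    }
    # Root-level PDFs that get a canonical Link header of their own.
    {% for item in ["ardrand.pdf", "tsense.pdf"] -%}
    location = /{{ item }} {
        include conf.d/headers-{{ domain }}.conf;
        add_header X-Sudo-Section "root" always;
        add_header "Link" '<https://www.{{ domain }}/{{ item }}>; rel="canonical"' always;
    }
    {% endfor %}
    {#
    # https://stackoverflow.com/questions/38228393/nginx-remove-html-extension
    #}
    sub_filter_once off;
    location /myip {
        # Echoes the client address and User-Agent into the page. The
        # User-Agent is client-supplied and not escaped; a client can only
        # inject into its own response, but be aware of it.
        sub_filter '<!-- ipv4 -->' '$remote_addr';
        sub_filter '<!-- user-agent -->' '$http_user_agent';
    }
    location = /myip.txt {
        return 200 '$remote_addr\n';
    }
    location /docs {
        # Generated docs site (book.js, searchindex.json -- looks like mdBook
        # output): strip index.html from links and serve a docs-specific 404.
        sub_filter 'href="index.html"' 'href="/docs/"';
        sub_filter '/index.html' '/';
        error_page 404 /docs/404.html;
        location /docs/404.html {
            # The original URI is substituted into the 404 page unescaped; safe
            # only if the '/dev/404' marker sits in plain text -- TODO confirm.
            sub_filter '/dev/404' '~$request_uri';
            sub_filter 'href="index.html"' 'href="/docs/"';
            sub_filter '/index.html' '/';
        }
        location /docs/support/ {
            # The marker is HTML-entity encoded in this page's source.
            sub_filter '&lt;!-- ipv4 --&gt;' '$remote_addr';
            sub_filter 'href="index.html"' 'href="/docs/"';
            sub_filter '/index.html' '/';
        }
        # On-the-fly gzip for the larger static assets of the docs site.
        location = /docs/highlight.js {
            gzip on;
            gzip_types text/plain application/javascript;
        }
        location = /docs/elasticlunr.min.js {
            gzip on;
            gzip_types text/plain application/javascript;
        }
        location = /docs/clipboard.min.js {
            gzip on;
            gzip_types text/plain application/javascript;
        }
        location = /docs/mark.min.js {
            gzip on;
            gzip_types text/plain application/javascript;
        }
        location = /docs/book.js {
            gzip on;
            gzip_types text/plain application/javascript;
        }
        location = /docs/searcher.js {
            gzip on;
            gzip_types text/plain application/javascript;
        }
        location = /docs/searchindex.json {
            gzip on;
            gzip_types text/plain application/json;
            #gzip_http_version 1.0;
        }
        location /docs/FontAwesome/ {
            gzip on;
            gzip_types text/plain text/css;
        }
        location /docs/fonts/ {
            gzip on;
            gzip_types text/plain text/css application/octet-stream;
        }
        location /docs/theme/ {
            gzip on;
            gzip_types text/plain text/css;
        }
        location /docs/css/ {
            gzip on;
            gzip_types text/plain text/css;
        }
        # works, is copied into place by build.py
        # sub_filter 'tomorrow-night.css' 'atom-one-dark.css';
        sub_filter 'href="about"' 'href="about/"';
        sub_filter '/docs/about' '/docs/about/';
        sub_filter 'href="rain"' 'href="rain/"';
        sub_filter 'href="/docs/hass/rain"' 'href="/docs/hass/rain/"';
        sub_filter '/docs/hass/rain' '/docs/hass/rain/';
        # results in redirect loop..?
        #rewrite ^/docs/index.html /docs/ redirect;
        #rewrite ^/docs/(.*)/index.html /docs/$1/ redirect;
        # moved pages -- rewrites are tried top to bottom; the first one that
        # matches with a permanent/redirect flag answers the request.
        rewrite ^/docs/projects/homeautomation/esphome$ /docs/esphome/ permanent;
        rewrite ^/docs/projects/homeautomation/esphome/index.html$ /docs/esphome/ permanent;
        rewrite ^/docs/projects/homeautomation/esphome/(.*)$ /docs/esphome/$1 permanent;
        rewrite ^/docs/projects/homeautomation/(.*)$ /docs/hass/$1 permanent;
        rewrite ^/docs/notes/electronics/(.*)$ /docs/electronics/$1 permanent;
        # This regex has no capture group, so the "$1" that used to follow
        # /docs/rust/ always expanded to nothing; the target is now spelled out.
        rewrite ^/docs/programming.html$ /docs/rust/ permanent;
        rewrite ^/docs/esphome/akustomat.html$ /docs/esphome/akustomat/ permanent;
        rewrite ^/docs/notes/firefox.html$ /docs/notes/firefox/ permanent;
        # "homeautiomation" is a historical typo in published links, kept on purpose.
        rewrite ^/docs/homeautiomation.html$ /docs/homeautomation/ permanent;
        rewrite ^/docs/homeautiomation/(.*)$ /docs/homeautomation/$1 permanent;
        rewrite ^/docs/homeautiomation$ /docs/homeautomation/ permanent;
        rewrite ^/docs/wwwsudois(.*)$ /docs/infra/ permanent;
        rewrite ^/docs/notes/electronics/nadc370.html$ /docs/electronics/nadc370.html permanent;
        rewrite ^/.*/manuals/esp32_s2_mini_(.*).pdf$ /docs/esphome/boards/esp32s2mini/esp32_s2_mini_$1.pdf permanent;
        rewrite ^/docs/esphome/boards/README.html /docs/esphome/boards/ permanent;
        # wtf
        #rewrite ^/docs/hass/appletv/(.*)$ /docs/hass/appletv.html permanent;
        # new
        #rewrite ^/docs/esphome/boards/(.*)\.html$ /docs/esphome/boards/$1/ redirect;
        #rewrite ^/docs/esphome/boards/index(.*)$ /docs/esphome/boards/ redirect;
        rewrite ^/docs/homeautomation/appletv.html$ /docs/hass/appletv redirect;
        rewrite ^/docs/homeautomation/rain/index.html /docs/hass/rain/ redirect;
        rewrite ^/docs/hass/appletv\.html$ /docs/hass/appletv/ redirect;
        rewrite ^/docs/notes/cmds\.html$ /docs/notes/cmds/ redirect;
        rewrite ^/docs/glossary/(.*)$ /docs/electronics/glossary/$1 redirect;
        rewrite ^/docs/notes/vim/(.*)$ /docs/vim/$1 redirect;
        rewrite ^/docs/keys/(.*)$ /docs/about/$1 redirect;
        rewrite ^/docs/notes/man_pmset\.html$ /docs/macos/man_pmset.html redirect;
        # fixed links
        rewrite ^/docs/Keys/index.html$ /docs/keys/ permanent;
        rewrite ^/docs/esphome/components/manuals/pn532ds.pdf$ /docs/esphome/components/pn532ds.pdf permanent;
        # NOTE(review): shadowed -- the "/manuals/esp32_s2_mini_" rule above
        # matches this path first and already sends it to esp32s2mini/, so this
        # line is never reached.
        rewrite ^/docs/esphome/boards/manuals/esp32_s2_mini_v1.0.0_datasheet.pdf$ /docs/esphome/boards/esp32s2/esp32_s2_mini_v1.0.0_datasheet.pdf permanent;
        rewrite ^/docs/keys/ben.pub$ /ben.pub redirect;
        rewrite ^/docs/keys/ben-rsa.pub$ /ben-rsa.pub redirect;
        rewrite ^/docs/keys/ben.asc$ /ben.asc redirect;
        rewrite ^/docs/keys/ben-signs.asc$ /ben-signs.asc redirect;
        rewrite ^/docs/esphome/boards/quinled-esp32.html$ /docs/esphome/boards/quinled-esp32/ redirect;
        rewrite ^/docs/esphome/boards/esp32-wt32-eth0/(.*)$ /docs/esphome/boards/esp32wt32eth01/$1 redirect;
        rewrite ^/docs/esphome/boards/esp32s2/(.*)$ /docs/esphome/boards/esp32s2mini/$1 redirect;
        rewrite ^/docs/esphome/boards/(esp[a-zA-Z0-9]+).html /docs/esphome/boards/$1/ redirect;
        rewrite ^/docs/homeautomation/zwave-doorphone/(.*)$ /docs/hass/zwave-doorphone/$1 redirect;
        rewrite ^/docs/homeautomation/zwave-doorphone/index.html /docs/hass/zwave-doorphone/ redirect;
        #rewrite ^/docs/homeautomation/(.*)/index.html$ /docs/$1 redirect;
        rewrite ^/docs/about/stuff.html$ /docs/about/ redirect;
        rewrite ^/docs/notes/kde.html$ /docs/notes/cmds/ redirect;
        rewrite ^/docs/infra/wwwsudois.html /docs/infra/ redirect;
        rewrite ^/docs/infra/nullspace.html /docs/infra/ redirect;
        rewrite ^/docs/infra/deadspace.html /docs/infra/ redirect;
        rewrite ^/docs/hass/building/(.*)$ /docs/builds/hass/$1 redirect;
        rewrite ^/docs/LICENSE(.*)$ /LICENSE.txt redirect;
        rewrite ^/docs/.*/LICENSE(.*)$ /LICENSE.txt redirect;
        #rewrite ^/docs/(.*)/index\.html$ /docs/$1/ redirect;
        # Advertise the canonical URL computed by the $canonical_url map. An
        # add_header inside "if" drops the inherited set, which is presumably
        # why the headers include is repeated here.
        if ($canonical_url != "") {
            include conf.d/headers-{{ domain }}.conf;
            #add_header "Link" '<$canonical_url>; rel="canonical"; rel="preconnect"';
            add_header "Link" '<$canonical_url>; rel="canonical"' always;
        }
        #rewrite ^/docs/LICENSE(.*)$ /LICENSE.txt redirect;
        #rewrite ^/docs/.*/LICENSE(.*)$ /LICENSE.txt redirect;
        include conf.d/headers-{{ domain }}.conf;
        add_header X-Sudo-Section "docs" always;
    }
    location /cal/ {
        # Radicale behind Authelia. The Authorization header is a fixed
        # placeholder ("dXNlcjo=" is base64 of "user:"); the real identity is
        # carried in X-Remote-User, so the upstream must only be reachable via
        # this proxy and must be configured to trust that header (radicale's
        # http_x_remote_user auth type -- confirm on the radicale host).
        include /etc/nginx/require_auth.conf;
        include /etc/nginx/require_auth_proxy.conf;
        # NOTE(review): groups['radicale'][0] makes the template fail to render
        # when the group is empty; the /api/glados/ block below guards for this.
        {% set radicale_hostname = groups['radicale'][0] -%}
        {% set radicale_upstream = wg_clients[radicale_hostname]['ip'] -%}
        {% set radicale_port = hostvars[radicale_hostname]['radicale_port'] -%}
        proxy_pass http://{{ radicale_upstream }}:{{ radicale_port }}/;
        proxy_set_header X-Script-Name /cal;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Remote-User $authelia_user;
        proxy_set_header Authorization "Basic dXNlcjo=";
        proxy_set_header Host $http_host;
        include conf.d/headers-{{ domain }}.conf;
        add_header X-Sudo-Section "cal" always;
        add_header X-Remote-User $authelia_user always;
    }
    location /ls54/camera/ {
        # Camera behind Authelia, plain HTTP to the upstream. Unlike /cal/ this
        # does not include require_auth_proxy.conf -- confirm that is intended.
        include /etc/nginx/require_auth.conf;
        proxy_pass_request_headers on;
        proxy_pass http://{{ ls54_camera_url }}/;
    }
    location /_media {
        # Media endpoint on hass_url, behind Authelia. A prefix without a
        # trailing slash also matches /_mediafoo; proxy_pass without a URI
        # part forwards the request path unchanged.
        include conf.d/headers-{{ domain }}.conf;
        include /etc/nginx/require_auth.conf;
        add_header X-Sudo-Section "_media" always;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Remote-User $authelia_user;
        proxy_pass https://{{ hass_url }};
    }
    location /esphome {
        # Static assets for the ESPHome embedded pages, with listings enabled.
        autoindex on;
        autoindex_exact_size off;
        add_header "X-Sudo-Section" "esphome embedded page static assets" always;
        # NOTE(review): "*" is not a valid CSP directive list, so browsers ignore
        # this header and the location effectively ships without a CSP. Left
        # unchanged because any real policy would change what gets enforced.
        add_header "content-security-policy" "*";
    }
    location /api/ {
        # Unauthenticated proxy to the wwwsudois API backend, with two
        # carve-outs: /api/glados/ goes to the glados host (when one is in the
        # inventory) and /api/whoami requires Authelia.
        location = /api/glados/ {
            return 307 /api/glados/docs/;
        }
        {% if groups['glados']|length>0 -%}
        {% set glados_hostname = groups['glados']|first -%}
        {% set glados_upstream = wg_clients[glados_hostname]['ip'] -%}
        location /api/glados/ {
            proxy_pass http://{{ glados_upstream }}:8125/;
        }
        {% endif %}
        location = /api/whoami {
            include /etc/nginx/require_auth.conf;
            include /etc/nginx/require_auth_proxy.conf;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://{{ bridgewithdns.wwwsudois }}:{{ wwwsudois_api_port }};
        }
        #include conf.d/headers-{{ domain }}.conf;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header X-Sudo-Section "api" always;
        #rewrite ^/api/(.*)$ /$1 break;
        proxy_pass http://{{ bridgewithdns.wwwsudois }}:{{ wwwsudois_api_port }};
    }
    #location /{{ www_stream }} {
    # include /etc/nginx/require_auth.conf;
    # proxy_pass https://{{ owntone_url }}/{{ www_stream_owntone }};
    #}
    {# location = /cv.pdf {
    # proxy_pass https://{{ static_host }}/cv1.pdf;
    # proxy_set_header Host {{ static_url }};
    # proxy_hide_header "X-Robots-Tag";
    # } #}
    # # sometimes clients misbehave and contact the top level domain when they
    # # shouldnt so we point them to {{ matrix_url }} instead
    # location ~* "^/_matrix.*" {
    # return 301 https://{{ matrix_url }}$request_uri;
    # }
    # location = /js/insights.js {
    # sub_filter_once off;
    # sub_filter_types "*";
    # sub_filter 'https://getinsights.io/' 'https://$http_host/';
    # #proxy_set_header Referer "https://$http_host/";
    # #proxy_set_header Cookie "";
    # proxy_pass_request_headers off;
    # proxy_set_header Host "getinsights.io";
    # proxy_pass https://getinsights.io/js/insights.js;
    # if_modified_since off;
    # expires off;
    # add_header vary "foo";
    # add_header date $date_gmt always;
    # add_header Cache-Control 'no-store, no-cache' always;
    # add_header Clear-Site-Data "cache" always;
    # }
    # location = /app/tics {
    # proxy_headers_hash_max_size 2048;
    # proxy_headers_hash_bucket_size 256;
    # proxy_pass_request_headers off;
    # proxy_set_header Host "getinsights.io";
    # proxy_set_header Referer "https://$http_host/";
    # proxy_set_header ":authority:" "getinsights.io";
    # proxy_set_header ":method:" "$request_method";
    # proxy_set_header ":path:" "/app/tics";
    # proxy_set_header ":scheme:" "https";
    # proxy_set_header "User-Agent" "$http_user_agent";
    # proxy_set_header "Accept-Encoding" "gzip, deflate, br, zstd";
    # proxy_set_header "Accept-Language" "en-GB,en-US;q=0.9,en;q=0.8";
    # proxy_set_header "Sec-Ch-Ua" "$http_sec_ch_ua";
    # proxy_set_header "Sec-Ch-Ua-Mobile" "$http_sec_ch_ua_mobile";
    # proxy_set_header "Sec-Ch-Ua-Platform" "$http_sec_ch_ua_platform";
    # proxy_set_header "Sec-Fetch-Dest" "$http_sec_fetch_dest";
    # proxy_set_header "Sec-Fetch-Mode" "$http_sec_fetch_mode";
    # proxy_set_header "Sec-Fetch-Site" "$http_sec_fetch_site";
    # proxy_pass https://getinsights.io/app/tics;
    # add_header vary "foo";
    # add_header date $date_gmt always;
    # add_header Cache-Control 'no-store, no-cache' always;
    # add_header Clear-Site-Data "cache" always;
    # }
    # Same-origin mirror of the getinsights.io analytics script and its beacon
    # endpoint, so the browser never contacts the third party directly.
    # NOTE(review): the upstream TLS connection is not verified
    # (proxy_ssl_verify defaults to off) and no SNI is sent (proxy_ssl_server_name
    # defaults to off). For script that ends up executing on this origin
    # consider proxy_ssl_verify on with proxy_ssl_trusted_certificate
    # <CA_BUNDLE_PATH> and proxy_ssl_server_name on.
    location = /js/insights.js {
        sub_filter_once off;
        sub_filter_types "*";
        sub_filter "getinsights.io" "$http_host";
        # Ask the upstream for an uncompressed body: sub_filter does not rewrite
        # compressed responses, so the host substitution would otherwise be
        # skipped whenever the upstream chose to gzip.
        proxy_set_header Accept-Encoding "";
        proxy_set_header Referer "https://$http_host/";
        # Never forward this site's cookies (e.g. the Authelia session cookie,
        # if its domain covers this host) to the third party.
        proxy_set_header Cookie "";
        proxy_set_header Host "getinsights.io";
        proxy_pass https://getinsights.io/js/insights.js;
    }
    location = /app/tics {
        proxy_set_header Host "getinsights.io";
        proxy_set_header Referer "https://$http_host/";
        # Strip cookies here too: previously the beacon request forwarded every
        # cookie scoped to this host to getinsights.io.
        proxy_set_header Cookie "";
        proxy_pass https://getinsights.io/app/tics;
    }
    access_log /var/log/nginx/access_www.{{ domain }}.log main;
    error_log /var/log/nginx/error_www.{{ domain }}.log warn;
}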