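---
# Host-specific nginx variables for the "lovelace" host, consumed by the nginx
# role (the role's template and its default/catch-all server are not in this
# file). Each nginx_configs entry is written out verbatim as one nginx config
# file; the block scalars below are therefore nginx syntax, not YAML.
nginx_default_cert_name: lovelace.box.pydis.wtf

nginx_configs:
  # Loopback-only stub_status endpoint. `listen` without a port means port 80
  # (plain HTTP); the location additionally allows only 127.0.0.1 / ::1.
  stats-stub.conf: |
    server {
      listen 127.0.0.1;
      listen [::1];

      server_name localhost;
      location /nginx_status {
              stub_status on;
              access_log off;
              allow 127.0.0.1;
              allow ::1;
              deny all;
      }
    }

  # Prometheus UI behind mutual TLS. `ssl` is given explicitly on each
  # `listen` so the socket is TLS even if no other server block on *:443 /
  # [::]:443 requests it — without it nginx would serve plain HTTP on 443 and
  # ssl_verify_client would never be applied (harmless if the role's default
  # server already sets `ssl` on the same socket).
  # Access is granted only when the client certificate chains to
  # /opt/pydis/ca.pem AND its subject DN matches a key in the $reject map;
  # everything else gets 403.
  # NOTE(review): $ssl_client_s_dn is an RFC 2253 string ("CN=x,O=y") on
  # nginx >= 1.11.6, so the exact-match keys below only match certificates
  # whose subject consists of a lone CN — confirm against the certs the CA
  # actually issues.
  # NOTE(review): $reject is global to the http context; keep the variable
  # name unique across all configs on this host. The file name here omits
  # "pydis" unlike the server_name; renaming it would leave the old file in
  # place unless the role removes stale configs, so it is left as is.
  prometheus.lovelace.box.wtf.conf: |
    server {
      listen      443 ssl;
      listen      [::]:443 ssl;
      server_name prometheus.lovelace.box.pydis.wtf;

      ssl_certificate         /etc/letsencrypt/live/prometheus.lovelace.box.pydis.wtf/fullchain.pem;
      ssl_certificate_key     /etc/letsencrypt/live/prometheus.lovelace.box.pydis.wtf/privkey.pem;

      ssl_client_certificate  /opt/pydis/ca.pem;
      ssl_verify_client       on;

      location / {
        if ($reject) { return 403; }

        proxy_pass http://localhost:9090;
      }
    }

    map $ssl_client_s_dn $reject {
      default 1;
      CN=sudo.access.tls.pydis.wtf 0;
      CN=prometheus.access.tls.pydis.wtf 0;
    }

  # Static file host served from /var/www/files.pydis.wtf; unknown paths 404.
  # Uses the shared pydis.wtf certificate. `ssl` on `listen` as above.
  files.pydis.wtf.conf: |
    server {
      listen      443 ssl;
      listen      [::]:443 ssl;
      server_name files.pydis.wtf cloud.native.is.fun.and.easy.pydis.wtf;
      root        /var/www/files.pydis.wtf;

      ssl_certificate         /etc/letsencrypt/live/pydis.wtf/fullchain.pem;
      ssl_certificate_key     /etc/letsencrypt/live/pydis.wtf/privkey.pem;

      location / {
        try_files $uri $uri/ =404;
      }
    }

  # Static host that asks crawlers not to index it (X-Robots-Tag on every
  # response, including error responses, via `always`). `ssl` on `listen` as above.
  propaganda.pydis.wtf.conf: |
    server {
      listen      443 ssl;
      listen      [::]:443 ssl;
      server_name propaganda.pydis.wtf;
      root        /var/www/propaganda.pydis.wtf;

      ssl_certificate         /etc/letsencrypt/live/pydis.wtf/fullchain.pem;
      ssl_certificate_key     /etc/letsencrypt/live/pydis.wtf/privkey.pem;

      add_header "X-Robots-Tag" "noindex" always;
    }

  # Munin web UI via fcgiwrap. Clients must present a certificate chaining to
  # /etc/nginx/certs/cloudflare.crt (presumably the Cloudflare origin-pull CA
  # — confirm), so direct requests that bypass the proxy are rejected by nginx.
  # `ssl` on `listen` as above. Separate access/error logs for this vhost.
  munin.pydis.wtf.conf: |
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name munin.pydis.wtf;

        ssl_certificate         /etc/letsencrypt/live/pydis.wtf/fullchain.pem;
        ssl_certificate_key     /etc/letsencrypt/live/pydis.wtf/privkey.pem;

        root /var/cache/munin;

        ssl_client_certificate  /etc/nginx/certs/cloudflare.crt;
        ssl_verify_client       on;

        access_log /var/log/nginx/munin-access.log;
        error_log /var/log/nginx/munin-errors.log;

        location / {
                return 302 /munin;
        }

        location /munin/static/ {
                alias /etc/munin/static/;
                expires 31d;
        }

        location /munin/ {
                fastcgi_split_path_info ^(/munin)(.*);
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_param SCRIPT_FILENAME /usr/lib/munin/cgi/munin-cgi-html;
                fastcgi_pass unix:/run/fcgiwrap.socket;
                include fastcgi_params;
        }

        location ^~ /munin-cgi/munin-cgi-graph/ {
                fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*);
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_param SCRIPT_FILENAME /usr/lib/munin/cgi/munin-cgi-graph;
                fastcgi_pass unix:/run/fcgiwrap.socket;
                include fastcgi_params;
        }
    }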