From f0488dccb2fe3cb7fc570372926abf0a312a8af8 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Thu, 4 Jan 2024 16:39:29 +0100
Subject: Install nginx.

---
 files/etc/nginx/sites-enabled/webmap | 52 ++++++++++++++++++++++++++++++++++++
 files/etc/nginx/snippets/ssl.conf    | 16 +++++++++++
 2 files changed, 68 insertions(+)
 create mode 100644 files/etc/nginx/sites-enabled/webmap
 create mode 100644 files/etc/nginx/snippets/ssl.conf

(limited to 'files/etc/nginx')

diff --git a/files/etc/nginx/sites-enabled/webmap b/files/etc/nginx/sites-enabled/webmap
new file mode 100644
index 0000000..26df41b
--- /dev/null
+++ b/files/etc/nginx/sites-enabled/webmap
@@ -0,0 +1,52 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name hel01.guilhem.se;
+
+    include /etc/lacme/nginx.conf;
+
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log warn;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen      443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name hel01.guilhem.se;
+
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log warn;
+
+    ssl_certificate /etc/nginx/ssl/hel01.rsa.pem;
+    ssl_certificate_key /etc/nginx/ssl/hel01.rsa.key;
+    include snippets/ssl.conf;
+
+    root /var/www/webmap;
+    index index.html;
+
+    location ^~ /assets/ {
+        expires 7d;
+        gzip_static on;
+        try_files $uri =404;
+    }
+    location ^~ /tiles/ {
+        expires 1d;
+        gzip_static on;
+        try_files $uri =404;
+        error_page 404 /_.txt;
+    }
+
+    location = /_.txt {
+        internal;
+    }
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+}
diff --git a/files/etc/nginx/snippets/ssl.conf b/files/etc/nginx/snippets/ssl.conf
new file mode 100644
index 0000000..0bce30a
--- /dev/null
+++ b/files/etc/nginx/snippets/ssl.conf
@@ -0,0 +1,16 @@
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+
+ssl_dhparam /etc/ssl/dhparams.pem;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ssl_prefer_server_ciphers off;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_trusted_certificate /usr/share/lacme/ca-certificates.crt;
+
+resolver 127.0.0.53;
-- 
cgit v1.2.3