From 429be7a31fda3045b19b15d5a83bfed296523943 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Wed, 26 Jul 2023 12:12:29 -0400
Subject: [PATCH] staging

---
 deploy-static | 23 +++---
 generate-sitemap | 4 +-
 nginx/nginx.conf | 84 ++---------------------
 nginx/snippets/security-headers-base.conf | 3 +
 static/js/web-install.js | 2 +-
 5 files changed, 21 insertions(+), 95 deletions(-)

diff --git a/deploy-static b/deploy-static
index 6afdedad6..55fbe086d 100755
--- a/deploy-static
+++ b/deploy-static
@@ -12,23 +12,20 @@ fi
 
 ./process-static $fd
 
-servers=({0..3}.grapheneos.org)
+servers=(staging.grapheneos.org)
 
-rsync -pcv --chmod=F755 --fsync --preallocate certbot-replicate root@${servers[0]}:/usr/local/bin/
-rsync -pcv --chmod=F644 --fsync --preallocate replicate.conf root@${servers[0]}:/etc/systemd/system/certbot-renew.service.d/
-
-# use last modified timestamps from 0.grapheneos.org
-rsync -rptcv --chmod=D755,F644 --delete --fsync --preallocate root@${servers[0]}:/srv/grapheneos.org/ static-production
-rsync -pcv --chmod=D755,F644 --fsync --preallocate static-production/sitemap.xml{,.gz,.br} static-tmp/
-rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-tmp/ static-production
-for f in static-production/**.*(br|gz); do
+# use last modified timestamps from staging.grapheneos.org
+rsync -rptcv --chmod=D755,F644 --delete --fsync --preallocate root@${servers[0]}:/srv/grapheneos.org/ static-staging
+rsync -pcv --chmod=D755,F644 --fsync --preallocate static-staging/sitemap.xml{,.gz,.br} static-tmp/
+rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-tmp/ static-staging
+for f in static-staging/**.*(br|gz); do
     touch -r "${f%.*}" "$f"
 done
 changed="$(./generate-sitemap)"
 xmllint --noblanks static-tmp/sitemap.xml --output static-tmp/sitemap.xml
 brotli -f static-tmp/sitemap.xml
 zopfli static-tmp/sitemap.xml
-rsync -pcv --chmod=D755,F644 --fsync --preallocate static-tmp/sitemap.xml{,.gz,.br} static-production/
+rsync -pcv --chmod=D755,F644 --fsync --preallocate static-tmp/sitemap.xml{,.gz,.br} static-staging/
 
 for server in ${servers[@]}; do
     echo $server
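Review bot: `changed="$(./generate-sitemap)"` (a context line in this hunk) is left assigned but never read once this same patch deletes the `./indexnow <<< "$changed"` block at the end of the script, so the generator now runs only for its file-writing side effect and the captured output is dead. Either drop the capture, `./generate-sitemap > /dev/null`, or keep it with a one-line comment stating that submission to search engines is intentionally skipped for the staging host. The staging and production variants of this script also differ only in the `servers=` entry and the `static-staging` directory name repeated across five rsync lines; hoisting the directory into one variable, `static_dir=static-staging`, would shrink the staging/production divergence to two lines and remove the chance of a single rsync being left pointing at the other tree.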
@@ -47,7 +44,7 @@ for server in ${servers[@]}; do
     echo
 
     ssh $remote "rm -rf $target && cp -a $active $target"
-    rsync -rptcv --chmod=D755,F644 --delete --fsync --preallocate static-production/ $remote:$target
+    rsync -rptcv --chmod=D755,F644 --delete --fsync --preallocate static-staging/ $remote:$target
     ssh $remote "ln -snf $target /srv/grapheneos.org && sync /srv/grapheneos.org"
 
     echo "root $target;" > nginx-tmp/root_grapheneos.org.conf
@@ -58,7 +55,3 @@ for server in ${servers[@]}; do
     echo active is now $target
     echo
 done
-
-if [[ -n "$changed" ]]; then
-    ./indexnow <<< "$changed"
-fi
diff --git a/generate-sitemap b/generate-sitemap
index d1b2fab2a..ac78563e3 100755
--- a/generate-sitemap
+++ b/generate-sitemap
@@ -4,7 +4,7 @@ from datetime import datetime, timezone
 from os.path import getmtime
 from pathlib import Path
 
-base = "https://grapheneos.org"
+base = "https://staging.grapheneos.org"
 
 pages = [
     ["/", 0.5],
@@ -42,7 +42,7 @@ entries = []
 for page in pages:
     path = page[0]
     loc = base + path
-    filepath = "static-production" + path
+    filepath = "static-staging" + path
     if path[-1] == '/':
         filepath += "index.html"
     elif "." not in path:
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 49e8d2f91..2595edd0c 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -57,8 +57,8 @@ http {
     ssl_prefer_server_ciphers on;
     ssl_conf_command Options PrioritizeChaCha;
 
-    ssl_certificate /etc/letsencrypt/live/grapheneos.org/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/grapheneos.org/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/staging.grapheneos.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/staging.grapheneos.org/privkey.pem;
 
     # maintained by nginx-rotate-session-ticket-keys in noswap tmpfs
     ssl_session_ticket_key session-ticket-keys/4.key;
@@ -68,10 +68,10 @@ http {
     ssl_session_timeout 1d;
     ssl_buffer_size 4k;
 
-    ssl_trusted_certificate /etc/letsencrypt/live/grapheneos.org/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/staging.grapheneos.org/chain.pem;
     ssl_stapling on;
     ssl_stapling_verify on;
-    ssl_stapling_file /var/cache/certbot-ocsp-fetcher/grapheneos.org.der;
+    ssl_stapling_file /var/cache/certbot-ocsp-fetcher/staging.grapheneos.org.der;
 
     log_format main '$connection-$connection_requests $remote_addr $remote_user $ssl_session_reused $ssl_protocol $server_protocol '
         '$host $request_method "$request_uri" $status $request_length $body_bytes_sent/$bytes_sent '
@@ -115,28 +115,14 @@ http {
     server {
         listen 80;
         listen [::]:80;
-        server_name grapheneos.org www.grapheneos.org grapheneos.app www.grapheneos.app grapheneos.ca www.grapheneos.ca grapheneos.com www.grapheneos.com grapheneos.dev www.grapheneos.dev grapheneos.foundation www.grapheneos.foundation grapheneos.info www.grapheneos.info grapheneos.net www.grapheneos.net grapheneos.ovh www.grapheneos.ovh grapheneos.page www.grapheneos.page vanadium.app www.vanadium.app;
-
-        location /.well-known/acme-challenge/ {
-            return 301 http://0.grapheneos.org$request_uri;
-        }
-
-        location / {
-            return 301 https://$host$request_uri;
-        }
-    }
-
-    server {
-        listen 80;
-        listen [::]:80;
-        server_name 0.grapheneos.org;
+        server_name staging.grapheneos.org;
 
         location /.well-known/acme-challenge/ {
             root /srv/certbot;
         }
 
         location / {
-            return 301 https://grapheneos.org$request_uri;
+            return 301 https://$host$request_uri;
         }
     }
 
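Review bot: The port-80 `location /` now answers `return 301 https://$host$request_uri;`, and as the only `listen 80` server left in this hunk it becomes nginx's default for the port unless a `default_server` block elsewhere in the file catches unmatched names; `$host` comes from the client's Host header, so a request carrying an arbitrary Host would receive a 301 to an attacker-chosen origin. The block this replaces redirected to a fixed name (`return 301 https://grapheneos.org$request_uri;`), and the same shape avoids the reflection here: `return 301 https://staging.grapheneos.org$request_uri;`. If an explicit catch-all that rejects unknown hosts exists outside the hunk this is only a consistency nit, but that cannot be confirmed from the patch.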
@@ -156,63 +142,7 @@ http {
         listen 443 ssl;
         listen [::]:443 ssl;
         http2 on;
-        server_name www.grapheneos.org grapheneos.app www.grapheneos.app grapheneos.ca www.grapheneos.ca grapheneos.com www.grapheneos.com grapheneos.dev www.grapheneos.dev grapheneos.foundation www.grapheneos.foundation grapheneos.info www.grapheneos.info grapheneos.net www.grapheneos.net grapheneos.ovh www.grapheneos.ovh grapheneos.page www.grapheneos.page;
-
-        keepalive_timeout 3m;
-
-        include snippets/security-headers.conf;
-        add_header Cross-Origin-Resource-Policy "same-origin" always;
-
-        # https://trac.nginx.org/nginx/ticket/2012
-        location / {
-            return 301 https://grapheneos.org$request_uri;
-        }
-    }
-
-    server {
-        listen 443 ssl;
-        listen [::]:443 ssl;
-        http2 on;
-        server_name www.vanadium.app;
-
-        keepalive_timeout 3m;
-
-        include snippets/security-headers.conf;
-        add_header Cross-Origin-Resource-Policy "same-origin" always;
-
-        # https://trac.nginx.org/nginx/ticket/2012
-        location / {
-            return 301 https://vanadium.app$request_uri;
-        }
-    }
-
-    server {
-        listen 443 ssl;
-        listen [::]:443 ssl;
-        http2 on;
-        server_name vanadium.app;
-
-        keepalive_timeout 3m;
-
-        include snippets/security-headers.conf;
-        add_header Cross-Origin-Resource-Policy "same-origin" always;
-
-        location = / {
-            include snippets/security-headers.conf;
-            add_header Cache-Control "public, max-age=2592000";
-            return 301 https://grapheneos.org/features#vanadium;
-        }
-
-        location / {
-            return 404;
-        }
-    }
-
-    server {
-        listen 443 ssl;
-        listen [::]:443 ssl;
-        http2 on;
-        server_name grapheneos.org;
+        server_name staging.grapheneos.org;
 
         include root_grapheneos.org.conf;
         error_page 403 =404 /404;
diff --git a/nginx/snippets/security-headers-base.conf b/nginx/snippets/security-headers-base.conf
index aa13ee38a..7badb403e 100644
--- a/nginx/snippets/security-headers-base.conf
+++ b/nginx/snippets/security-headers-base.conf
@@ -1,3 +1,6 @@
+# staging site (not a security header)
+add_header X-Robots-Tag "noindex" always;
+
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "no-referrer" always;
diff --git a/static/js/web-install.js b/static/js/web-install.js
index 0f8353b29..87243f875 100644
--- a/static/js/web-install.js
+++ b/static/js/web-install.js
@@ -234,7 +234,7 @@ async function getLatestRelease() {
         throw new Error(`device model (${product}) is not supported by the GrapheneOS web installer`);
     }
 
-    let metadataResp = await fetch(`${RELEASES_URL}/${product}-stable`);
+    let metadataResp = await fetch(`${RELEASES_URL}/${product}-alpha`);
     let metadata = await metadataResp.text();
     let releaseId = metadata.split(" ")[0];
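Review bot: `add_header X-Robots-Tag "noindex" always;` only takes effect in locations that include this snippet, because nginx's `add_header` is not inherited into any block that sets a header of its own; the config's pattern of re-including `snippets/security-headers.conf` inside locations (visible in the removed `location = /` earlier in this patch) handles that, so any new location that sets a header without the include will silently drop the tag. Since the goal is to keep a mirror out of search results, `"noindex, nofollow"` is the stronger value and costs nothing here. The deploy script still publishes a sitemap whose `base` now points at the staging host, which is harmless under noindex but deserves a comment on this line so the two are not later read as contradictory.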
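Review bot: `metadataResp` is consumed without checking `metadataResp.ok`, so if `${product}-alpha` does not exist on the release server the 404 body is still read as text and `releaseId` becomes the first word of an error page, which presumably feeds the image path further down the function; add `if (!metadataResp.ok) throw new Error(...)` carrying `metadataResp.status` and the requested channel before the `.text()` call. The channel is also hard-coded inline on the new side; a module-level `const RELEASE_CHANNEL = "alpha";` used as `${product}-${RELEASE_CHANNEL}` keeps the staging/production divergence to one constant instead of an edit inside the fetch URL. getLatestRelease continues outside the hunk.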