From 2840da13b5690b0a834a4395168ef450df6ae7fe Mon Sep 17 00:00:00 2001 
From: DasSkelett Date: Wed, 19 Jul 2023 22:43:29 +0200 Subject: [PATCH] Serve FFMUC's freifunk.net subdomains with Bind and request LE certificates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add the following zones to our authoritative servers: - muenchen.freifunk.net - münchen.freifunk.net - augsburg.freifunk.net (not delegated by freifunk.net yet) - wertingen.freifunk.net - donau-ries.freifunk.net * Forward DNS requests for these domains to the auth servers in dnsdist * Set up certbot for a second certificate which includes above mentioned domains (except augsburg.freifunk.net for now). We use the DNS-01 ACME challenge, interfacing with our own auth servers using DDNS. This is implemented using a cmd.run state as Salt's `acme` module interface doesn't support custom actions. * Restructure nginx config for ffmuc.net to handle these additional domains with a separate certificate. Co-authored-by: GoliathLabs <8057646+GoliathLabs@users.noreply.github.com> --- _modules/ddns.py | 6 +- _modules/netbox_vms.py | 27 ++++++ certs/files/cleanup-dns.sh.jinja | 24 +++++ certs/files/dns_plugin_credentials.ini | 1 + certs/files/update-dns.sh.jinja | 34 +++++++ certs/init.sls | 50 ++++++++++- cloudflare/init.sls | 1 - dns-server/auth/db.x.freifunk.net.jinja | 19 ++++ dns-server/auth/init.sls | 56 +++++++++--- dns-server/auth/named.conf.local | 14 ++- nebula/files/config.yml.jinja | 4 + nginx/domains/ffmuc.net.conf | 115 ++++-------------------- nginx/domains/ffmuc.net.include | 93 +++++++++++++++++++ nginx/files/nginx.conf.jinja | 2 +- nginx/init.sls | 10 +++ 15 files changed, 341 insertions(+), 115 deletions(-) create mode 100644 _modules/netbox_vms.py create mode 100644 certs/files/cleanup-dns.sh.jinja create mode 100644 certs/files/dns_plugin_credentials.ini create mode 100644 certs/files/update-dns.sh.jinja create mode 100644 dns-server/auth/db.x.freifunk.net.jinja create mode 100644 nginx/domains/ffmuc.net.include 
diff --git a/_modules/ddns.py b/_modules/ddns.py index 81d93435..99eaf74c 100644 --- a/_modules/ddns.py +++ b/_modules/ddns.py @@ -231,9 +231,9 @@ def update( replace = True # If there is no entry usual dns_update.add() happens - dns_update = dns.update.Update( - zone, keyring=keyring, keyname=keyname, keyalgorithm=keyalgorithm - ) + dns_update = dns.update.Update( + zone, keyring=keyring, keyname=keyname, keyalgorithm=keyalgorithm + ) if replace: dns_update.replace(name, ttl, rdata) elif not is_exist: diff --git a/_modules/netbox_vms.py b/_modules/netbox_vms.py new file mode 100644 index 00000000..992ac2e0 --- /dev/null +++ b/_modules/netbox_vms.py @@ -0,0 +1,27 @@ +#!/usr/bin/python +'''WIP module to get virtual machine data from netbox, e.g. to get all VMs with a certain tag.. +''' + +import requests +import logging + +log = logging.getLogger(__name__) + + +def get_vms_by_filter(netbox_api, netbox_token, filter): + # Example filter: 'tag=authorative-dns' + headers = {"Authorization": "Token {}".format(netbox_token), "Accept": "application/json"} + url = f'{netbox_api}/virtualization/virtual-machines/?{filter}' + auth_servers = [] + try: + response = requests.get(url, headers=headers) + response.raise_for_status() + response = response.json() + log.info(response) + for auth in response["results"]: + auth_servers.append(auth["name"]) + except Exception as e: + log.error(str(e)) + __context__["retcode"] = 1 + return e + return auth_servers diff --git a/certs/files/cleanup-dns.sh.jinja b/certs/files/cleanup-dns.sh.jinja new file mode 100644 index 00000000..1685342f --- /dev/null +++ b/certs/files/cleanup-dns.sh.jinja 
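Review bot: `get_vms_by_filter` returns the caught exception object from its `except` branch (`return e`), so a Jinja caller doing `auth_servers | join(" ")` would iterate over an exception instead of failing loudly; replace `return e` with `raise` after logging, or return an empty list and let the caller inspect `__context__['retcode']`. The `requests.get(url, headers=headers)` call has no `timeout=`, so an unreachable NetBox hangs the state render indefinitely — `requests.get(url, headers=headers, timeout=10)`. `log.info(response)` writes the full VM inventory returned by the API into the minion log at INFO level; drop it or log only `len(response["results"])`. The parameter `filter` also shadows the builtin; `filter_query` reads better and is what the `# Example filter:` comment describes.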
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# Script to nsupdate all our authoritative servers, supposed to be run by certbot.
+# Requires bind9-utils installed.
+
+# The following environment variables are passed to the script by certbot:
+# CERTBOT_DOMAIN, CERTBOT_VALIDATION, CERTBOT_TOKEN (HTTP-01 only), CERTBOT_REMAINING_CHALLENGES, CERTBOT_ALL_DOMAINS, CERTBOT_AUTH_OUTPUT
+
+HOST="_acme-challenge"
+
+{%- set update_key = salt['pillar.get']('netbox:config_context:dns_zones:update_keys:letsencrypt:key') %}
+UPDATE_KEY="{{ update_key }}"
+
+AUTH_SERVERS=("webfrontend03.ov.ffmuc.net" "webfrontend04.ov.ffmuc.net" "webfrontend05.ov.ffmuc.net" "webfrontend06.ov.ffmuc.net")
+
+for AUTH in ${AUTH_SERVERS[@]}; do
+ nsupdate -y "hmac-sha512:letsencrypt:${UPDATE_KEY}" << EOM
+server ${AUTH} 553
+zone ${CERTBOT_DOMAIN}
+update delete ${HOST}.${CERTBOT_DOMAIN} TXT "${CERTBOT_VALIDATION}"
+send
+EOM
+ echo ""
+done
diff --git a/certs/files/dns_plugin_credentials.ini b/certs/files/dns_plugin_credentials.ini
new file mode 100644
index 00000000..9b069ee7
--- /dev/null
+++ b/certs/files/dns_plugin_credentials.ini
@@ -0,0 +1 @@
+dns_cloudflare_api_token = {{ cloudflare_token }}
diff --git a/certs/files/update-dns.sh.jinja b/certs/files/update-dns.sh.jinja
new file mode 100644
index 00000000..3161e1db
--- /dev/null
+++ b/certs/files/update-dns.sh.jinja
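Review bot: The TSIG secret is passed on the command line, `nsupdate -y "hmac-sha512:letsencrypt:${UPDATE_KEY}"`, which makes it readable by every local user through `ps` / `/proc/*/cmdline` for the lifetime of each nsupdate run. Move it into the heredoc instead: drop `-y` and put `key hmac-sha512:letsencrypt ${UPDATE_KEY}` as the first line before `server ${AUTH} 553`; the rendered script is already 0700, so the secret then only ever lives in that file. `${AUTH_SERVERS[@]}` is unquoted (`"${AUTH_SERVERS[@]}"` is the safe form), and nsupdate's exit status is ignored, so a failed delete on one server leaves a stale `_acme-challenge` TXT record behind without any log line — at minimum `|| echo "cleanup on ${AUTH} failed" >&2`.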
@@ -0,0 +1,34 @@
+#!/bin/bash
+
+# Script to nsupdate all our authoritative servers, supposed to be run by certbot.
+# Requires bind-tools installed.
+
+# The following environment variables are passed to the script by certbot:
+# CERTBOT_DOMAIN, CERTBOT_VALIDATION, CERTBOT_TOKEN (HTTP-01 only), CERTBOT_REMAINING_CHALLENGES, CERTBOT_ALL_DOMAINS
+
+HOST="_acme-challenge"
+
+{%- set update_key = salt['pillar.get']('netbox:config_context:dns_zones:update_keys:letsencrypt:key') %}
+UPDATE_KEY="{{ update_key }}"
+
+{#- TODO: use netbox_vms:get_vms_by_filter to get authoritative DNS servers
+{%- set auth_servers = salt['netbox_vms:get_vms_by_filter'](
+ salt['pillar.get']('netbox:config_context:netbox:api_url'),
+ salt['pillar.get']('netbox:config_context:dns_zones:netbox_token'),
+ 'tag=authorative-dns'
+) %}
+AUTH_SERVERS=({{ auth_servers | join(" ") }})
+#}
+
+AUTH_SERVERS=("webfrontend03.ov.ffmuc.net" "webfrontend04.ov.ffmuc.net" "webfrontend05.ov.ffmuc.net" "webfrontend06.ov.ffmuc.net")
+
+for AUTH in ${AUTH_SERVERS[@]}; do
+ nsupdate -y "hmac-sha512:letsencrypt:${UPDATE_KEY}" << EOM
+server ${AUTH} 553
+zone ${CERTBOT_DOMAIN}
+{#- Don't delete existing records as they might be of other webfrontends renewing simultaneously. #}
+update add ${HOST}.${CERTBOT_DOMAIN} 5 TXT "${CERTBOT_VALIDATION}"
+send
+EOM
+ echo ""
+done
diff --git a/certs/init.sls b/certs/init.sls
index 883aa191..8976bfb4 100644
--- a/certs/init.sls
+++ b/certs/init.sls
@@ -17,7 +17,7 @@ update_ca_certificates:
 generate-dhparam:
 cmd.run:
- - name: openssl dhparam -out /etc/ssl/dhparam.pem 2048
+ - name: openssl dhparam -out /etc/ssl/dhparam.pem 4096
 - creates: /etc/ssl/dhparam.pem
 # Install FFMUC internal CA into Debian CA certificate mangling mechanism so
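Review bot: The auth hook returns as soon as the four nsupdate runs have been started, without checking their exit status or confirming the TXT record is actually answered, so a single failed update on one of `webfrontend03..06` (which appear to sit behind the shared anycast01/02 addresses) makes the Let's Encrypt validation fail nondeterministically depending on which instance the CA's resolver reaches. Add `set -u`, check each update (`|| { echo "update on ${AUTH} failed" >&2; exit 1; }`), and consider a short `dig @${AUTH} -p 553 TXT ${HOST}.${CERTBOT_DOMAIN}` loop before returning. As in the cleanup hook, the secret should be supplied inside the heredoc (`key hmac-sha512:letsencrypt ${UPDATE_KEY}`) rather than on the `-y` argv where it is visible in the process list. The commented-out TODO block addresses the execution module as `salt['netbox_vms:get_vms_by_filter']`; Salt uses a dot, `salt['netbox_vms.get_vms_by_filter']`, so that line needs fixing before it is ever enabled.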
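Review bot: Raising the DH parameter size to 4096 only takes effect on hosts that do not yet have `/etc/ssl/dhparam.pem`, because the `creates:` guard skips the command wherever the old 2048-bit file already exists, so the fleet ends up with mixed parameter sizes and nothing in this state ever converges the old ones. If 4096 is meant as the floor, replace `creates:` with a size check such as `- unless: openssl dhparam -in /etc/ssl/dhparam.pem -text -noout | grep -q '(4096 bit)'`, and note in a comment that generating 4096-bit parameters can take many minutes on a small VM, which will show up as a very slow first highstate.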
@@ -129,9 +129,12 @@ certbot-dns-cloudflare: dns_credentials: file.managed: - name: /var/lib/cache/salt/dns_plugin_credentials.ini + - source: salt://certs/files/dns_plugin_credentials.ini - makedirs: True - - contents: "dns_cloudflare_api_token = {{ cloudflare_token }}" - mode: "0600" + - template: jinja + - defaults: + cloudflare_token: {{ cloudflare_token }} ffmuc-wildcard-cert: acme.cert: 
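Review bot: Rendering the Cloudflare token through `template: jinja` with `defaults:` means `file.managed` prints the rendered diff, token included, in the state output and in the master's job cache whenever the file is created or the token rotates; add `- show_changes: False` to `dns_credentials` so the secret does not leak into highstate returns and logs. The `mode: "0600"` is kept, which is right, but no `user:`/`group:` is visible in the state, so ownership defaults to whatever account runs the minion — pin it explicitly (`- user: root`, `- group: root`) so a later change of the minion user cannot silently widen access to the token.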
@@ -173,6 +176,49 @@ ffmuc-wildcard-cert: - pip: acme-client - file: dns_credentials + +{% if "webserver-external" in role %} +# Required for running nsupdate with certbot +bind9-utils: + pkg.installed + +update-dns.sh: + file.managed: + - name: /var/lib/cache/salt/update-dns.sh + - source: salt://certs/files/update-dns.sh.jinja + - makedirs: True + - mode: "0700" + - template: jinja + +cleanup-dns.sh: + file.managed: + - name: /var/lib/cache/salt/cleanup-dns.sh + - source: salt://certs/files/cleanup-dns.sh.jinja + - makedirs: True + - mode: "0700" + - template: jinja + +# Salt's acme module doesn't support any DNS plugin besides Cloudflare, not even manual. Thus use cmd.run. +# TODO add 'unless' condition which checks whether cert needs renewal. +# Expiration date is not enough, should check revocation status as well. As of 2023-06 Cerbot has no command exposed for this. +muenchen.freifunk.net-wildcard-cert: + cmd.run: + - name: > + certbot certonly -n --agree-tos -m hilfe@ffmuc.net + --manual --manual-auth-hook /var/lib/cache/salt/update-dns.sh --manual-cleanup-hook /var/lib/cache/salt/cleanup-dns.sh + --preferred-challenges dns --expand + -d "muenchen.freifunk.net" -d "*.muenchen.freifunk.net" + -d "xn--mnchen-3ya.freifunk.net" -d "*.xn--mnchen-3ya.freifunk.net" + -d "wertingen.freifunk.net" -d "*.wertingen.freifunk.net" + -d "donau-ries.freifunk.net" -d "*.donau-ries.freifunk.net" +{#- -d "augsburg.freifunk.net" -d "*.augsburg.freifunk.net" #} + - require: + - cmd: certbot + - pip: acme-client + - file: update-dns.sh +{% endif %} + + /etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx.sh: file.managed: - contents: | diff --git a/cloudflare/init.sls b/cloudflare/init.sls index 8da10106..a050c0aa 100644 --- a/cloudflare/init.sls +++ b/cloudflare/init.sls 
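Review bot: `muenchen.freifunk.net-wildcard-cert` requires `update-dns.sh` but neither `cleanup-dns.sh` nor `bind9-utils`, so on a fresh host Salt may run certbot before the cleanup hook is rendered or `nsupdate` is installed; certbot validates that both manual hooks exist and are executable before it starts, so that ordering gap turns into a hard failure — add `- file: cleanup-dns.sh` and `- pkg: bind9-utils` to the `require` list. The state also runs `certbot certonly` on every highstate with no `unless`/`creates`; certbot itself will keep a lineage that is not yet due for renewal, but the state still reports a change each run and hides real failures among the noise, so close the TODO with at least `- unless: test -f /etc/letsencrypt/live/muenchen.freifunk.net/fullchain.pem` and leave renewals to certbot's timer (the renewal config records the hook paths under `/var/lib/cache/salt/`, so those files must stay in place). The `{% if "webserver-external" in role %}` guard relies on a `role` variable defined outside this hunk.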
@@ -6,7 +6,6 @@ # Get all nodes for DNS records {% set nodes = salt['mine.get']('netbox:platform:slug:linux', 'minion_id', tgt_type='pillar') %} {% set cnames = salt['pillar.get']('netbox:config_context:dns_zones:cnames') %} -{% set custom_records = salt['pillar.get']('netbox:config_context:dns_zones:custom_records', []) %} ffmuc.net: cloudflare.manage_zone_records: diff --git a/dns-server/auth/db.x.freifunk.net.jinja b/dns-server/auth/db.x.freifunk.net.jinja new file mode 100644 index 00000000..cb4a1f1a --- /dev/null +++ b/dns-server/auth/db.x.freifunk.net.jinja @@ -0,0 +1,19 @@ +$ORIGIN . +$TTL 3600 ; 1 week +{{ domain }} IN SOA anycast01.ffmuc.net. hostmaster.ffmuc.net. ( + 2023071001 ; serial + 300 ; refresh (5 minutes) + 100 ; retry (1 minute 40 seconds) + 6000 ; expire (1 hour 40 minutes) + 600 ; minimum (10 minutes) + ) + IN NS anycast01.ffmuc.net. + IN NS anycast02.ffmuc.net. + + IN AAAA 2001:678:ed0:f000:: + IN AAAA 2001:678:e68:f000:: + + IN A 5.1.66.255 + IN A 185.150.99.255 + +$ORIGIN {{domain}}. diff --git a/dns-server/auth/init.sls b/dns-server/auth/init.sls index 11e8928e..339dc5f6 100644 --- a/dns-server/auth/init.sls +++ b/dns-server/auth/init.sls 
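Review bot: The SOA timers in `db.x.freifunk.net.jinja` contradict their own comments and are unusually short: `$TTL 3600 ; 1 week` is one hour, and `6000 ; expire (1 hour 40 minutes)` means any secondary, should one ever be configured, would stop answering for the zone after 100 minutes without a successful transfer (RFC 1912 suggests two to four weeks, e.g. `1209600 ; expire (2 weeks)`). Fix the comments to match the values or the values to match the intent, since the next editor will trust the comment. The fixed serial `2023071001` is fine as a seed because `replace: False` in the state hands the file over to BIND's dynamic-update journal afterwards, but say so in a comment (`; serial is bumped by DDNS after initial load`) so nobody bumps it by hand and wonders why the change is ignored.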
@@ -53,71 +53,82 @@ python-dnspython: - pkg: bind9 -{% if not salt['file.file_exists' ]('/etc/bind/zones/db.in.ffmuc.net') %} /etc/bind/zones/db.in.ffmuc.net: file.managed: - source: salt://dns-server/auth/db.in.ffmuc.net - user: bind - group: bind - mode: "0775" + - replace: False - require: - file: /etc/bind/zones - watch_in: - cmd: rndc-reload -{% endif %} -{% if not salt['file.file_exists' ]('/etc/bind/zones/db.ov.ffmuc.net') %} /etc/bind/zones/db.ov.ffmuc.net: file.managed: - source: salt://dns-server/auth/db.ov.ffmuc.net - user: bind - group: bind - mode: "0775" + - replace: False - require: - file: /etc/bind/zones - watch_in: - cmd: rndc-reload -{% endif %} -{% if not salt['file.file_exists' ]('/etc/bind/zones/db.ext.ffmuc.net') %} /etc/bind/zones/db.ext.ffmuc.net: file.managed: - source: salt://dns-server/auth/db.ext.ffmuc.net - user: bind - group: bind - mode: "0775" + - replace: False - require: - file: /etc/bind/zones - watch_in: - cmd: rndc-reload -{% endif %} -{% if not salt['file.file_exists' ]('/etc/bind/zones/db.80.10.in-addr.arpa') %} /etc/bind/zones/db.80.10.in-addr.arpa: file.managed: - source: salt://dns-server/auth/db.80.10.in-addr.arpa - user: bind - group: bind - mode: "0775" + - replace: False - require: - file: /etc/bind/zones - watch_in: - cmd: rndc-reload -{% endif %} -{% if not salt['file.file_exists' ]('/etc/bind/zones/db.1.0.a.0.8.0.6.0.1.0.0.2.ip6.arpa') %} /etc/bind/zones/db.1.0.a.0.8.0.6.0.1.0.0.2.ip6.arpa: file.managed: - source: salt://dns-server/auth/db.1.0.a.0.8.0.6.0.1.0.0.2.ip6.arpa - user: bind - group: bind - mode: "0775" + - replace: False - require: - file: /etc/bind/zones - watch_in: - cmd: rndc-reload -{% endif %} +{% set freifunk_net_zones = salt['pillar.get']('netbox:config_context:dns_zones:freifunk_net_zones') %} +{% for domain in freifunk_net_zones %} +{% set zonefile_path = '/etc/bind/zones/db.'+domain %} +/etc/bind/zones/db.{{ domain }}: + file.managed: + - source: salt://dns-server/auth/db.x.freifunk.net.jinja + 
- user: bind + - group: bind + - mode: "0644" + - template: jinja + - defaults: + domain: {{ domain }} + - replace: False + - require: + - file: /etc/bind/zones +{% endfor %} dns-key: file.managed: @@ -130,6 +141,7 @@ dns-key: - require: - pkg: bind9 + # Create DNS records for each node {% for node_id in nodes %} {%- if 'meet.ffmuc.net' not in node_id and 'lighthouse' not in node_id %} @@ -388,4 +400,26 @@ record-AAAA-extra-{{ dns_entry }}: {%- endif %} {%- endfor %}{# for dns_entry in extra_dns_entries #} -{%- endif %}{# if 'dnsserver' in role #} + +# Additional DNS records +{%- set custom_records = salt['pillar.get']('netbox:config_context:dns_zones:custom_records', []) %} +{%- for record in custom_records %} +record-{{ record.get('type') }}-{{ record.get('name') }}.{{ record.get('zone') }}: + ddns.present: + - name: {{ record.get('name') }} + - zone: {{ record.get('zone') }} + - ttl: 60 + - data: {{ record.get('content') }} + - rdtype: {{ record.get('type') }} + - nameserver: 127.0.0.1 + - port: {{ listening_port }} + - keyfile: /etc/bind/salt-master.key + - keyalgorithm: hmac-sha512 + - replace_on_change: True + - require: + - pkg: python-dnspython + - file: dns-key +{%- endfor %}{# for record in custom_records #} + + +{%- endif %}{# if 'authorative-dns' in salt['pillar.get']('netbox:tag_list', []) #} diff --git a/dns-server/auth/named.conf.local b/dns-server/auth/named.conf.local index f079b399..50d1a2a0 100644 --- a/dns-server/auth/named.conf.local +++ b/dns-server/auth/named.conf.local @@ -7,6 +7,7 @@ //include "/etc/bind/zones.rfc1918"; {%- set update_keys = salt['pillar.get']('netbox:config_context:dns_zones:update_keys') %} {%- set zones = salt['pillar.get']('netbox:config_context:dns_zones:zones') %} +{%- set freifunk_net_zones = salt['pillar.get']('netbox:config_context:dns_zones:freifunk_net_zones') %} {%- for zone_key in update_keys | sort %} 
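Review bot: In the new `custom_records` loop the state ID `record-{{ record.get('type') }}-{{ record.get('name') }}.{{ record.get('zone') }}` is built only from type, name and zone, so two pillar entries that differ just in `content` (a round-robin A set, several TXT values) produce a duplicate-ID render error, and `replace_on_change: True` would in any case collapse them to one record; include `loop.index` in the ID and decide explicitly whether multi-value records are supported. `- data: {{ record.get('content') }}` is emitted unquoted, so TXT or SPF content containing `: `, `#` or a leading quote breaks the YAML; `- data: {{ record.get('content') | yaml_encode }}` keeps it a single scalar. The new freifunk.net zone states also lack the `watch_in: - cmd: rndc-reload` that the sibling zone states in this hunk keep, so on first deployment the zone file lands on disk but is only loaded once something else reloads named.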
@@ -21,7 +22,18 @@ key "{{ zone_key }}" { zone "{{ zone }}" { type master; file "/etc/bind/zones/db.{{ zone }}"; - update-policy { + update-policy { + {%- for zone_key in update_keys | sort %} + grant {{ zone_key }} zonesub {{ update_keys[zone_key]['type'] }}; + {%- endfor %} + }; +}; +{%- endfor %} +{%- for zone in freifunk_net_zones %} +zone "{{ zone }}" { + type master; + file "/etc/bind/zones/db.{{ zone }}"; + update-policy { {%- for zone_key in update_keys | sort %} grant {{ zone_key }} zonesub {{ update_keys[zone_key]['type'] }}; {%- endfor %} diff --git a/nebula/files/config.yml.jinja b/nebula/files/config.yml.jinja index 08aa7a0a..2ecd9218 100644 --- a/nebula/files/config.yml.jinja +++ b/nebula/files/config.yml.jinja @@ -325,9 +325,13 @@ firewall: - port: 53 proto: tcp host: any + # Bind - port: 553 proto: udp host: any + - port: 553 + proto: tcp + host: any # access pdns-recursor as dnsdist is listening on 53 - port: 1653 proto: udp diff --git a/nginx/domains/ffmuc.net.conf b/nginx/domains/ffmuc.net.conf index 00e3f3fe..25487092 100644 --- a/nginx/domains/ffmuc.net.conf +++ b/nginx/domains/ffmuc.net.conf @@ -10,7 +10,7 @@ upstream wiki_upstream { } server { - listen 443 ssl http2; + listen 443 ssl http2; listen [::]:443 ssl http2; server_name ffmuc.net www.ffmuc.net 
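Review bot: The freifunk.net zones receive the same `grant {{ zone_key }} zonesub {{ update_keys[zone_key]['type'] }};` for every key in `update_keys`, so the letsencrypt key that is now rendered into a script on every external webfrontend can update whatever record type the pillar assigns to it (the `type` value is not visible here) across all of these zones, not just the ACME challenge. The certbot hooks only ever touch `_acme-challenge.<zone> TXT`, so that key should get `grant letsencrypt name _acme-challenge.{{ zone }}. TXT;` while the broad `zonesub` grant stays reserved for the salt-master key. If the pillar lists `münchen.freifunk.net` as a U-label, check with `named-checkconf` that BIND accepts it — named.conf does not apply IDNA, so the A-label `xn--mnchen-3ya.freifunk.net` is the safe form for `freifunk_net_zones`. The outer `{%- for zone in zones %}` loop that the first part of this hunk re-indents starts outside the hunk.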
@@ -19,110 +19,32 @@ server { hp.ext.ffmuc.net www.freewifi.bayern freewifi.bayern www.ffmuc.bayern ffmuc.bayern - www.muenchen.freifunk.net muenchen.freifunk.net - www.münchen.freifunk.net münchen.freifunk.net - www.xn--mnchen-3ya.freifunk.net xn--mnchen-3ya.freifunk.net - www.augsburg.freifunk.net augsburg.freifunk.net www.freifunk-muenchen.de hp.freifunk-muenchen.de freifunk-muenchen.de www.freifunk-muenchen.net hp.freifunk-muenchen.net freifunk-muenchen.net www.xn--freifunk-mnchen-8vb.de xn--freifunk-mnchen-8vb.de www.freifunk-münchen.de freifunk-münchen.de; - - # Force HTTPS connection. This rules is domain agnostic - if ($scheme != "https") { - rewrite ^ https://$host$uri permanent; - } - - if ( $host = wiki.ffmuc.net ) { - return 301 https://ffmuc.net/wiki/doku.php; - } - root /srv/www/ffmuc.net/_site/; - - index index.html; - location /favicon.ico { - root /srv/www/ffmuc.net/_site/assets/; - } - - # Point SSID-URL to ffmuc.net - rewrite ^/(uml_.*|muc_.*|gauting|freising|augsburg|welt)$ https://ffmuc.net redirect; - - location ~ ^/speed(.*)$ { - return 301 https://speed.ffmuc.net$1; - } - - location /pad/ { - proxy_pass http://etherpad_upstream/; - proxy_redirect off; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Host $server_name; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - client_max_body_size 200M; - proxy_http_version 1.1; - proxy_request_buffering off; - } - - location /static { - rewrite /static/(.*) /static/$1 break; - proxy_pass http://wiki_upstream/; - proxy_set_header Host $host; - proxy_buffering off; - } - - location /wiki/ { - #deny all; - proxy_pass http://wiki_upstream/; - proxy_redirect off; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - 
proxy_set_header X-Forwarded-Host $server_name; - proxy_http_version 1.1; - client_max_body_size 200M; - proxy_request_buffering off; - } + ssl_certificate /etc/letsencrypt/live/ffmuc.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/ffmuc.net/privkey.pem; - location /draw/ { - rewrite /draw/d/(.*)/socket.io/(.*) /socket.io/$2 break; - rewrite /draw/d/(.*) /boards/$1 break; - rewrite /draw/tools/(.*) /boards/tools/$1 break; - proxy_pass http://draw_upstream/; - proxy_ssl_server_name on; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_set_header Host "wbo.ophir.dev"; - proxy_ssl_name $proxy_host; - proxy_buffering off; - } - - location /draw2 { - rewrite /draw2/d/(.*) /boards/$1 break; - proxy_pass https://wbo.ophir.dev; - proxy_ssl_server_name on; - proxy_set_header Host "wbo.ophir.dev"; - proxy_ssl_name $proxy_host; - proxy_buffering off; - } + include sites-enabled/ffmuc.net.include; +} - location /router-flashen { - return "https://ffmuc.net/wiki/doku.php?id=knb:flash"; - } - location /map { - return https://map.ffmuc.net; - } +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name + www.muenchen.freifunk.net muenchen.freifunk.net + www.münchen.freifunk.net münchen.freifunk.net + www.xn--mnchen-3ya.freifunk.net xn--mnchen-3ya.freifunk.net + www.augsburg.freifunk.net augsburg.freifunk.net + www.wertingen.freifunk.net wertingen.freifunk.net + www.donau-ries.freifunk.net donau-ries.freifunk.net; - location /podcast/ { - deny all; - } - ssl_certificate /etc/letsencrypt/live/ffmuc.net/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/ffmuc.net/privkey.pem; + ssl_certificate /etc/letsencrypt/live/muenchen.freifunk.net/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/muenchen.freifunk.net/privkey.pem; - access_log /var/log/nginx/hp.ffmuc.net_access.log json_normal; - error_log /var/log/nginx/hp.ffmuc.net_error.log; + include sites-enabled/ffmuc.net.include; } server { 
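Review bot: The new TLS `server` block lists `www.augsburg.freifunk.net augsburg.freifunk.net` but presents `/etc/letsencrypt/live/muenchen.freifunk.net/`, whose certificate per the certbot state deliberately excludes augsburg; until that SAN is issued, a client for that name gets a certificate name mismatch (or, without SNI, whatever the default server presents). Either keep augsburg out of `server_name` until the certificate covers it, or put a comment next to it pointing at the commented-out `-d "augsburg.freifunk.net"` line so the two lists stay in step. The `if ($scheme != "https")` rewrite pulled in via the include is dead in these 443-only blocks now that the port-80 server redirects; harmless, but worth a comment so it is not mistaken for the redirect. Both `server` blocks begin and end outside this hunk.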
@@ -143,5 +65,6 @@ server { www.freifunk-muenchen.net hp.freifunk-muenchen.net freifunk-muenchen.net www.xn--freifunk-mnchen-8vb.de xn--freifunk-mnchen-8vb.de www.freifunk-münchen.de freifunk-münchen.de; + return 301 https://$host$request_uri; } diff --git a/nginx/domains/ffmuc.net.include b/nginx/domains/ffmuc.net.include new file mode 100644 index 00000000..75e32b47 --- /dev/null +++ b/nginx/domains/ffmuc.net.include 
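Review bot: `return 301 https://$host$request_uri;` is added to the port-80 server, but the visible tail of its `server_name` list ends with the freifunk-münchen.de names and the hunk does not show whether `wertingen.freifunk.net`, `donau-ries.freifunk.net` and the other newly served names were added there too; if they were not, plain-HTTP requests for them fall through to nginx's default server instead of being redirected, and nothing else provides the redirect since the include's `if ($scheme != "https")` never fires on a 443-only block. Please confirm the port-80 `server_name` list mirrors both 443 blocks, ideally with a comment stating that invariant. The `server` block starts outside the hunk.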
@@ -0,0 +1,93 @@ +# Force HTTPS connection. This rules is domain agnostic +if ($scheme != "https") { + rewrite ^ https://$host$uri permanent; +} + +if ( $host = wiki.ffmuc.net ) { + return 301 https://ffmuc.net/wiki/doku.php; +} +root /srv/www/ffmuc.net/_site/; + +index index.html; + +location /favicon.ico { + root /srv/www/ffmuc.net/_site/assets/; +} + +# Point SSID-URL to ffmuc.net +rewrite ^/(uml_.*|muc_.*|gauting|freising|augsburg|welt)$ https://ffmuc.net redirect; + +location ~ ^/speed(.*)$ { + return 301 https://speed.ffmuc.net$1; +} + +location /pad/ { + proxy_pass http://etherpad_upstream/; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + client_max_body_size 200M; + proxy_http_version 1.1; + proxy_request_buffering off; +} + +location /static { + rewrite /static/(.*) /static/$1 break; + proxy_pass http://wiki_upstream/; + proxy_set_header Host $host; + proxy_buffering off; +} + +location /wiki/ { +#deny all; + proxy_pass http://wiki_upstream/; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + proxy_http_version 1.1; + client_max_body_size 200M; + proxy_request_buffering off; +} + +location /draw/ { + rewrite /draw/d/(.*)/socket.io/(.*) /socket.io/$2 break; + rewrite /draw/d/(.*) /boards/$1 break; + rewrite /draw/tools/(.*) /boards/tools/$1 break; + proxy_pass http://draw_upstream/; + proxy_ssl_server_name on; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host "wbo.ophir.dev"; + proxy_ssl_name $proxy_host; + proxy_buffering off; +} + +location 
/draw2 { + rewrite /draw2/d/(.*) /boards/$1 break; + proxy_pass https://wbo.ophir.dev; + proxy_ssl_server_name on; + proxy_set_header Host "wbo.ophir.dev"; + proxy_ssl_name $proxy_host; + proxy_buffering off; +} + +location /router-flashen { + return "https://ffmuc.net/wiki/doku.php?id=knb:flash"; +} +location /map { + return https://map.ffmuc.net; +} + +location /podcast/ { + deny all; +} + +access_log /var/log/nginx/hp.ffmuc.net_access.log json_normal; +error_log /var/log/nginx/hp.ffmuc.net_error.log; diff --git a/nginx/files/nginx.conf.jinja b/nginx/files/nginx.conf.jinja index 96a33343..a82cf6b3 100644 --- a/nginx/files/nginx.conf.jinja +++ b/nginx/files/nginx.conf.jinja @@ -94,7 +94,7 @@ http { # Virtual Host Configs ## include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; + include /etc/nginx/sites-enabled/*.conf; ## # Logging Settings diff --git a/nginx/init.sls b/nginx/init.sls index 6c98110e..6bf3ec8a 100644 --- a/nginx/init.sls +++ b/nginx/init.sls @@ -115,6 +115,16 @@ nginx-module-{{ module }}: - service: nginx {% endfor %}{# config #} +/etc/nginx/sites-enabled/ffmuc.net.include: + file.managed: + - source: salt://nginx/domains/ffmuc.net.include + - makedirs: True + - template: jinja + - require: + - pkg: nginx + - require_in: + - service: nginx + /etc/logrotate.d/nginx: file.managed: - source: salt://nginx/files/logrotate.conf
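Review bot: `location /draw2` proxies to `https://wbo.ophir.dev` with `proxy_ssl_server_name on` but without `proxy_ssl_verify on` and a `proxy_ssl_trusted_certificate`, so the upstream certificate is never checked and the third-party whiteboard could be served by anyone positioned on the webfrontends' egress; this was carried over from ffmuc.net.conf, but the new include is the right place to fix it (`proxy_ssl_verify on;` plus `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;`). The include is now shared by every freifunk.net brand, so the `/pad/`, `/wiki/` and `/draw/` proxies and the `hp.ffmuc.net_*.log` files are reachable and written under all of those host names; a header comment such as `# Included by every server block in ffmuc.net.conf — keep this file host-agnostic.` would stop the next editor from adding ffmuc.net-only rules here. The `#deny all;` under `/wiki/` is commented-out config and can simply go.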
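Review bot: `/etc/nginx/sites-enabled/ffmuc.net.include` is tied to the service with `require_in` only, which orders it correctly on first install but never triggers a reload, so a changed rule or a security fix in that file stays inactive until something else restarts nginx; use `- watch_in: - service: nginx` instead (watch implies the ordering). The `template: jinja` flag is harmless today because the include contains no Jinja, but it means any literal `{{` or `{%` in a future nginx rule would be interpreted at render time; drop it until the file actually needs templating. The `*.conf` glob change in nginx.conf.jinja is what keeps this file from being included a second time at http level, and that coupling deserves a one-line comment next to the glob.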