diff --git a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
index e05e261..211de2f 100644
--- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
@@ -30,19 +30,34 @@ server_name = node["kosmos-mastodon"]["server_name"]
 include_recipe "kosmos-nginx"
 include_recipe "tor-full"
 
-template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
- source 'nginx_conf_mastodon.erb'
+directory "#{node['nginx']['dir']}/snippets" do
+ action :create
+ owner 'www-data'
+ mode 0640
+end
+
+template "#{node['nginx']['dir']}/snippets/mastodon.conf" do
+ source 'nginx_conf_shared.erb'
 owner 'www-data'
 mode 0640
 variables streaming_port: node["kosmos-mastodon"]["streaming_port"],
 puma_port: node["kosmos-mastodon"]["puma_port"],
- server_name: server_name,
- ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
- ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
 mastodon_path: mastodon_path
 notifies :reload, 'service[nginx]', :delayed
 end
 
+template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
+ source 'nginx_conf_mastodon.erb'
+ owner 'www-data'
+ mode 0640
+ variables server_name: server_name,
+ ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
+ shared_config_path: "#{node['nginx']['dir']}/snippets/mastodon.conf",
+ onion_address: File.read("/var/lib/tor/mastodon/hostname").strip
+ notifies :reload, 'service[nginx]', :delayed
+end
+
 # Legacy vhost
 nginx_site "mastodon" do
 action :disable
diff --git a/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb b/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb
index d304c97..93cfe47 100644
--- a/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb
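Review bot: `File.read("/var/lib/tor/mastodon/hostname").strip` in the new sites-available `template` resource is evaluated at recipe compile time, before any resource in the run (including whatever `include_recipe "tor-full"` declares) has converged, so on a node where that hidden-service directory does not exist yet the whole run aborts with Errno::ENOENT instead of rendering the vhost once tor has created it. Passing the variables through `lazy` defers the read to converge time, as in the rewrite below. Separately, the new `directory` and both `template` resources repeat the pre-existing `owner 'www-data'` / `mode 0640` pattern: that makes the nginx worker user the writable owner of config the root master process loads on reload, and `0640` on a directory carries no execute bit, so `owner 'root'` (with a traversable `0750` for the directory) is the conventional hardening here.
```ruby
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
  source 'nginx_conf_mastodon.erb'
  # … unchanged: owner / mode …
  # lazy: the onion hostname may not exist until tor has converged in this
  # run, so read it at converge time instead of failing at compile time
  variables lazy {
    {
      server_name: server_name,
      ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
      ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
      shared_config_path: "#{node['nginx']['dir']}/snippets/mastodon.conf",
      onion_address: File.read("/var/lib/tor/mastodon/hostname").strip
    }
  }
  notifies :reload, 'service[nginx]', :delayed
end
```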
@@ -54,3 +54,5 @@ S3_REGION=<%= @s3_region %>
 # Web Push API
 VAPID_PRIVATE_KEY=<%= @vapid_private_key %>
 VAPID_PUBLIC_KEY=<%= @vapid_public_key %>
+
+ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
diff --git a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
index 895a81b..1feb218 100644
--- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
@@ -1,3 +1,15 @@
+server {
+ listen 80;
+ server_name mastodon.<%= @onion_address %>;
+ include <%= @shared_config_path %>;
+}
+
+server {
+ listen 80;
+ server_name <%= @server_name %>;
+ return 301 https://$server_name$request_uri;
+}
+
 map $http_upgrade $connection_upgrade {
 default upgrade;
 '' close;
@@ -7,9 +19,7 @@ server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
 server_name <%= @server_name %>;
-
- access_log "/var/log/nginx/mastodon.access.log";
- error_log "/var/log/nginx/mastodon.error.log";
+ include <%= @shared_config_path %>;
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
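Review bot: `ALLOW_ACCESS_TO_HIDDEN_SERVICE=true` is hard-coded while every neighbouring setting in this hunk is rendered from a template variable, so any node using this template gets the relaxation even when no onion vhost is configured for it. Driving it from the same attribute that decides whether the onion server block exists, e.g. `ALLOW_ACCESS_TO_HIDDEN_SERVICE=<%= @allow_hidden_service %>`, keeps the two in step. A one-line comment above it would also help the next reader: `# Required by the plain-HTTP onion vhost in nginx_conf_mastodon.erb — check the Mastodon docs for exactly what this relaxes`.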
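Review bot: the onion `server` block is declared first for port 80 and nothing in this hunk marks a `default_server`, so unless another enabled site declares one nginx uses the onion block as the default for every port-80 request whose Host matches neither name — a request to the bare IP or any other hostname is then served the full application over plaintext HTTP instead of reaching the HTTPS redirect below it. Mark the redirect block `listen 80 default_server;`, and consider `listen 127.0.0.1:80;` for the onion block so it is only reachable through tor's local port forward (assuming the tor-full recipe targets localhost — confirm). The redirect block also lacks the `listen [::]:80;` that its 443 counterpart has, so port 80 is not bound on IPv6 at all and IPv6 clients are never redirected.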
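Review bot: the `Strict-Transport-Security` header is removed with the rest of the inline config (see the deletion hunk below) but does not appear in the new shared snippet and nothing re-adds it, so after this change the TLS vhost stops sending HSTS. It belongs in this 443 block rather than in the snippet, because the snippet is also included by the plain-HTTP onion vhost: `add_header Strict-Transport-Security "max-age=31536000";` next to the new `include`. Note that nginx only inherits a server-level `add_header` into locations that set no `add_header` of their own, so `/sw.js` and the cached-asset location will still omit it — pre-existing, but worth a comment. The `server` block this hunk edits opens and closes outside the hunk.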
@@ -17,82 +27,5 @@ server {
 ssl_certificate_key <%= @ssl_key %>;
 <% end -%>
- keepalive_timeout 70;
- sendfile on;
- client_max_body_size 0;
-
- root <%= @mastodon_path %>/public;
-
- gzip on;
- gzip_disable "msie6";
- gzip_vary on;
- gzip_proxied any;
- gzip_comp_level 6;
- gzip_buffers 16 8k;
- gzip_http_version 1.1;
- gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
- add_header Strict-Transport-Security "max-age=31536000";
-
- location / {
- # If the maintenance file is present, show maintenance page
- if (-f <%= @mastodon_path %>/public/maintenance.html) {
- return 503;
- }
-
- try_files $uri @proxy;
- }
-
- location /sw.js {
- add_header Cache-Control "max-age=0, no-cache, no-store, must-revalidate";
- add_header Pragma "no-cache";
- }
-
- location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
- add_header Cache-Control "public, max-age=31536000, immutable";
- try_files $uri @proxy;
- }
-
- location @proxy {
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header Proxy "";
- proxy_pass_header Server;
-
- proxy_pass http://localhost:<%= @puma_port %>;
- proxy_buffering off;
- proxy_redirect off;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- tcp_nodelay on;
- }
-
- location /api/v1/streaming {
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto https;
- proxy_set_header Proxy "";
-
- proxy_pass http://localhost:<%= @streaming_port %>;
- proxy_buffering off;
- proxy_redirect off;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- tcp_nodelay on;
- }
-
- error_page 500 501 502 504 /500.html;
- error_page 503 /maintenance.html;
-
- location = /maintenance.html {
- root <%= @mastodon_path %>/public;
- }
- }
diff --git a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb
new file mode 100644
index 0000000..1a4e6c6
--- /dev/null
+++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb
@@ -0,0 +1,79 @@
+access_log "/var/log/nginx/mastodon.access.log";
+error_log "/var/log/nginx/mastodon.error.log";
+
+keepalive_timeout 70;
+
+sendfile on;
+client_max_body_size 0;
+
+root <%= @mastodon_path %>/public;
+
+gzip on;
+gzip_disable "msie6";
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
+gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+location / {
+# If the maintenance file is present, show maintenance page
+ if (-f <%= @mastodon_path %>/public/maintenance.html) {
+ return 503;
+ }
+
+ try_files $uri @proxy;
+}
+
+location /sw.js {
+ add_header Cache-Control "max-age=0, no-cache, no-store, must-revalidate";
+ add_header Pragma "no-cache";
+}
+
+location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
+ add_header Cache-Control "public, max-age=31536000, immutable";
+ try_files $uri @proxy;
+}
+
+location @proxy {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Proxy "";
+ proxy_pass_header Server;
+
+ proxy_pass http://localhost:<%= @puma_port %>;
+ proxy_buffering off;
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ tcp_nodelay on;
+}
+
+location /api/v1/streaming {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Proxy "";
+
+ proxy_pass http://localhost:<%= @streaming_port %>;
+ proxy_buffering off;
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ tcp_nodelay on;
+}
+
+error_page 500 501 502 504 /500.html;
+error_page 503 /maintenance.html;
+
+location = /maintenance.html {
+ root <%= @mastodon_path %>/public;
+}
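Review bot: `proxy_set_header X-Forwarded-Proto https;` is hard-coded in both proxy locations, and now that this snippet is also included by the port-80 onion vhost it tells the application that a plaintext request arrived over TLS; if that is intentional (presumably so the app keeps emitting https URLs and secure cookies behind tor — confirm against Mastodon's hidden-service documentation) it needs a comment, because `$scheme` is what a reader expects here. Suggested, above the first occurrence: `# Deliberately not $scheme: the onion vhost is plain HTTP but the app must still treat the request as secure; pairs with ALLOW_ACCESS_TO_HIDDEN_SERVICE in env.production`. Sharing `access_log` also merges clearnet and onion traffic into one file, and for onion requests `$remote_addr` is presumably the local tor client, so the log no longer tells the two vhosts apart unless `$host` is added to the format or each vhost keeps its own log.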