nginx: init config package

6 files changed, 120 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index eeedc3b..36c3b93 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ shione-config (0.1.0) UNRELEASED; urgency=low
 
   * Add current openssh-server configuration.
   * Add current nftables configuration.
+  * Add current nginx configuration.
   * Initial release.
 
  -- Mohammed Amar-Bensaber <renken@shione.net>  Sun, 24 Aug 2024 16:06:00 +0200
diff --git a/debian/control b/debian/control
index 659401f..de3e38e 100644
--- a/debian/control
+++ b/debian/control
@@ -23,3 +23,12 @@ Provides: ${diverted-files}
 Conflicts: ${diverted-files}
 Description: Shione nftables configuration.
   Nftables configuration for shione.net.
+
+Package: nginx-config
+Architecture: all
+Multi-Arch: foreign
+Depends: ${misc:Depends}, nginx, certbot, python3-certbot-nginx
+Provides: ${diverted-files}
+Conflicts: ${diverted-files}
+Description: Shione nginx configuration.
+  Nginx configuration for shione.net.
diff --git a/debian/nginx-config.hide b/debian/nginx-config.hide
new file mode 100644
index 0000000..065ff61
--- /dev/null
+++ b/debian/nginx-config.hide
@@ -0,0 +1 @@
+/etc/nginx/sites-enables/defaut
diff --git a/debian/nginx-config.install b/debian/nginx-config.install
new file mode 100644
index 0000000..c9123c0
--- /dev/null
+++ b/debian/nginx-config.install
@@ -0,0 +1 @@
+files/etc/nginx /etc/
diff --git a/files/etc/nginx/sites-available/shione.net b/files/etc/nginx/sites-available/shione.net
new file mode 100644
index 0000000..28f7afe
--- /dev/null
+++ b/files/etc/nginx/sites-available/shione.net
@@ -0,0 +1,107 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+# `fancyindex` is from `nginx-extras`.
+server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        # SSL configuration
+        #
+        # Partially generated by https://ssl-config.mozilla.org/.
+        listen 443 ssl default_server;
+        listen [::]:443 ssl default_server;
+        #
+        # Note: You should disable gzip for SSL traffic.
+        # See: https://bugs.debian.org/773332
+        #
+        # Read up on ssl_ciphers to ensure a secure configuration.
+        # See: https://bugs.debian.org/765782
+        #
+        # Self signed certs generated by the ssl-cert package
+        # Don't use them in a production server!
+        #
+        # include snippets/snakeoil.conf;
+        # managed by Certbot.
+        ssl_certificate /etc/letsencrypt/live/shione.net/fullchain.pem;
+        # managed by Certbot.
+        ssl_certificate_key /etc/letsencrypt/live/shione.net/privkey.pem;
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+
+        # OCSP stapling
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        #
+        # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security.
+        add_header Strict-Transport-Security "max-age=63072000" always;
+
+        # Prevent spam.
+        add_header X-Robots-Tag "noai, noimageai" always;
+
+        server_name shione.net www.shione.net;
+
+        location ~* \.(htaccess|htpasswd) {
+                deny all;
+        }
+
+        location / {
+                root /var/www/html/shione.net;
+
+                index index.html;
+
+                auth_basic off;
+                # First attempt to serve request as file, then
+                # as directory, then fall back to displaying a 404.
+                try_files $uri $uri/ =404;
+        }
+
+        location /share {
+                root /var/www;
+
+                # Enable fancy indexes.
+                fancyindex on;
+
+                # Output human-readable file sizes.
+                fancyindex_exact_size off;
+        }
+
+        location ~ ^/share/(?<dir>[^/]+) {
+                root /var/www;
+
+                # Require authentication if available.
+                set $auth_basic off;
+                set $auth_basic_user_file "";
+                if (-f /var/www/share/$dir/.htpasswd) {
+                        set $auth_basic Required;
+                        set $auth_basic_user_file /var/www/share/$dir/.htpasswd;
+                }
+
+                auth_basic $auth_basic;
+                auth_basic_user_file $auth_basic_user_file;
+
+                # Enable fancy indexes.
+                fancyindex on;
+
+                # Output human-readable file sizes.
+                fancyindex_exact_size off;
+        }
+}
diff --git a/files/etc/nginx/sites-enabled/shione.net b/files/etc/nginx/sites-enabled/shione.net
new file mode 120000
index 0000000..2c390bf
--- /dev/null
+++ b/files/etc/nginx/sites-enabled/shione.net
@@ -0,0 +1 @@
+../sites-available/shione.net
\ No newline at end of file