nginx: init config package

1 files changed, 107 insertions, 0 deletions

diff --git a/files/etc/nginx/sites-available/shione.net b/files/etc/nginx/sites-available/shione.net
new file mode 100644
index 0000000..28f7afe
--- /dev/null
+++ b/files/etc/nginx/sites-available/shione.net
@@ -0,0 +1,107 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+# `fancyindex` is from `nginx-extras`.
+server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        # SSL configuration
+        #
+        # Partially generated by https://ssl-config.mozilla.org/.
+        listen 443 ssl default_server;
+        listen [::]:443 ssl default_server;
+        #
+        # Note: You should disable gzip for SSL traffic.
+        # See: https://bugs.debian.org/773332
+        #
+        # Read up on ssl_ciphers to ensure a secure configuration.
+        # See: https://bugs.debian.org/765782
+        #
+        # Self signed certs generated by the ssl-cert package
+        # Don't use them in a production server!
+        #
+        # include snippets/snakeoil.conf;
+        # managed by Certbot.
+        ssl_certificate /etc/letsencrypt/live/shione.net/fullchain.pem;
+        # managed by Certbot.
+        ssl_certificate_key /etc/letsencrypt/live/shione.net/privkey.pem;
+        include /etc/letsencrypt/options-ssl-nginx.conf;
+
+        # OCSP stapling
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+        #
+        # See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security.
+        add_header Strict-Transport-Security "max-age=63072000" always;
+
+        # Prevent spam.
+        add_header X-Robots-Tag "noai, noimageai" always;
+
+        server_name shione.net www.shione.net;
+
+        location ~* \.(htaccess|htpasswd) {
+                deny all;
+        }
+
+        location / {
+                root /var/www/html/shione.net;
+
+                index index.html;
+
+                auth_basic off;
+                # First attempt to serve request as file, then
+                # as directory, then fall back to displaying a 404.
+                try_files $uri $uri/ =404;
+        }
+
+        location /share {
+                root /var/www;
+
+                # Enable fancy indexes.
+                fancyindex on;
+
+                # Output human-readable file sizes.
+                fancyindex_exact_size off;
+        }
+
+        location ~ ^/share/(?<dir>[^/]+) {
+                root /var/www;
+
+                # Require authentication if available.
+                set $auth_basic off;
+                set $auth_basic_user_file "";
+                if (-f /var/www/share/$dir/.htpasswd) {
+                        set $auth_basic Required;
+                        set $auth_basic_user_file /var/www/share/$dir/.htpasswd;
+                }
+
+                auth_basic $auth_basic;
+                auth_basic_user_file $auth_basic_user_file;
+
+                # Enable fancy indexes.
+                fancyindex on;
+
+                # Output human-readable file sizes.
+                fancyindex_exact_size off;
+        }
+}