mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
Using a cert named after the primary domain with `_legacy` appended. However, the cert is only issued for the legacy domains, not the primary domain. Deploy for `ipxe.archlinux.org`. Fixes: https://gitlab.archlinux.org/archlinux/releng/-/issues/22
# Backend pool for the archweb application: a single uWSGI instance reached
# over a local unix domain socket.
# NOTE(review): with a unix socket, access to the backend is governed by the
# socket file's ownership and mode - confirm they are limited to the nginx and
# uwsgi users.
upstream archweb {
    server unix:///run/uwsgi/archweb.sock;
}
|
|
|
|
# Alternate domains: every entry gets one port-80 and one port-443 vhost.
# Neither serves content; both only redirect.
{% for domain in service_alternate_domains | default([]) %}
server {
    listen 80;
    listen [::]:80;
    server_name {{ domain }};

    # All vhosts in this template write to log files named after the primary
    # service domain.
    access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
    access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log.json json_reduced;
    error_log {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;

    # Shared snippet whose content is not visible here; presumably the ACME
    # HTTP-01 challenge location - confirm.
    include snippets/letsencrypt.conf;

    location / {
        access_log off;
        # $server_name is the configured name of this vhost, so the redirect
        # target does not depend on the client-supplied Host header.
        return 302 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name {{ domain }};

    access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
    access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log.json json_reduced;
    error_log {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;

    # Served with the certificate stored under the primary service domain.
    # NOTE(review): that certificate has to list every alternate domain as a
    # subject alternative name, otherwise clients hit a name mismatch before
    # they ever see the redirect - confirm against the issuance config.
    ssl_certificate /etc/letsencrypt/live/{{ service_domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ service_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ service_domain }}/chain.pem;

    location / {
        access_log off;
        # Always lands on the root of the primary domain; the requested path
        # and query string are not carried over.
        return 302 https://{{ service_domain }};
    }
}

{% endfor %}
|
|
# Legacy domains: same redirect-only pair of vhosts as for the alternate
# domains, but the TLS vhost uses a separate certificate.
{% for domain in service_legacy_domains | default([]) %}
server {
    listen 80;
    listen [::]:80;
    server_name {{ domain }};

    access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
    access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log.json json_reduced;
    error_log {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;

    # Shared snippet whose content is not visible here; presumably the ACME
    # HTTP-01 challenge location - confirm.
    include snippets/letsencrypt.conf;

    location / {
        access_log off;
        # Upgrade to HTTPS on the same legacy name; $server_name is the
        # configured vhost name, not the Host header sent by the client.
        return 302 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name {{ domain }};

    access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
    access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log.json json_reduced;
    error_log {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;

    # Certificate directory is the primary domain name with _legacy appended.
    # That certificate is issued for the legacy domains only, not for the
    # primary domain, so it must never be wired into the primary vhost.
    ssl_certificate /etc/letsencrypt/live/{{ service_domain }}_legacy/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ service_domain }}_legacy/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ service_domain }}_legacy/chain.pem;

    location / {
        access_log off;
        # Always lands on the root of the primary domain; the requested path
        # and query string are not carried over.
        return 302 https://{{ service_domain }};
    }
}

{% endfor %}
|
|
# Plain-HTTP vhost of the primary service domain: redirects everything to
# HTTPS apart from whatever the included snippet handles.
server {
    listen 80;
    listen [::]:80;
    server_name {{ service_domain }};

    access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
    access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log.json json_reduced;
    error_log {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;

    # Shared snippet whose content is not visible here; presumably the ACME
    # HTTP-01 challenge location - confirm.
    include snippets/letsencrypt.conf;

    location / {
        access_log off;
        # Path and query are preserved; the host part comes from the
        # configured server_name rather than from the request's Host header.
        return 302 https://$server_name$request_uri;
    }
}
|
|
|
|
# TLS vhost of the primary service domain in maintenance mode.
# Static files and the Matrix discovery documents stay reachable for everyone;
# the application itself is proxied only for one configured address, and all
# other requests to it get the 503 maintenance page.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name {{ service_domain }};

    access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log reduced;
    access_log {{ maintenance_logs_dir }}/{{ service_domain }}-access.log.json json_reduced;
    error_log {{ maintenance_logs_dir }}/{{ service_domain }}-error.log;

    ssl_certificate /etc/letsencrypt/live/{{ service_domain }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ service_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ service_domain }}/chain.pem;

    # Body for the 503 returned by "location /" below.
    error_page 503 /503.html;

    # Matrix server discovery: static JSON naming the federation endpoint.
    location = /.well-known/matrix/server {
        default_type application/json;
        return 200 '{"m.server": "{{ matrix_domain }}:443"}';
    }

    # Matrix client discovery: static, public JSON. The wildcard CORS header
    # lets browser-based clients on any origin read it.
    # NOTE(review): an add_header at this level replaces every add_header
    # inherited from an enclosing level; if security headers are set in the
    # http context (not visible here) they are not sent for this location.
    location = /.well-known/matrix/client {
        default_type application/json;
        add_header Access-Control-Allow-Origin *;
        return 200 '{"m.homeserver": {"base_url": "https://{{ matrix_domain }}"}, "m.identity_server": {"base_url": "https://matrix.org"} }';
    }

    # Exact-match locations mapped to single files in the archweb checkout.
    location = /robots.txt {
        alias {{ archweb_dir }}/archlinux.org/robots.txt;
    }

    location = /humans.txt {
        alias {{ archweb_dir }}/archlinux.org/humans.txt;
    }

    location = /google7827eadf026b4a87.html {
        alias {{ archweb_dir }}/archlinux.org/google7827eadf026b4a87.html;
    }

    location = /BingSiteAuth.xml {
        alias {{ archweb_dir }}/archlinux.org/BingSiteAuth.xml;
    }

    location = /favicon.ico {
        alias {{ archweb_dir }}/collected_static/favicon.ico;
    }

    # Prefix locations mapped to directories. Both the location and the alias
    # end in a slash, so the remainder of the URI is appended cleanly.
    location /pacman/ {
        alias {{ archweb_dir }}/archlinux.org/pacman/;
    }

    location /netcfg/ {
        alias {{ archweb_dir }}/archlinux.org/netcfg/;
    }

    location /logos/ {
        alias {{ archweb_dir }}/archlinux.org/logos/;
    }

    # Regex locations win over plain prefix locations, so image and archive
    # files under /iso/ are refused here while the /iso/ prefix below still
    # serves everything else in that directory. The match is case-sensitive.
    location ~ ^/iso/(.*\.(iso|img|tar\.gz|sfs)$) {
        deny all;
    }

    # NOTE(review): the alias comes from a variable; it has to end in a slash
    # to line up with the trailing slash of the location - confirm.
    location /iso/ {
        alias {{ archweb_rsync_iso_dir }};
    }

    # Long-lived caching for the collected Django static files.
    # NOTE(review): the add_header lines here also replace any add_header
    # inherited from an enclosing level (none is visible in this file).
    location /static/ {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";
        alias {{ archweb_dir }}/collected_static/;
    }

    location /img/ {
        alias {{ archweb_dir }}/media/img/;
    }

    # NOTE(review): as for /iso/, the alias variable has to end in a slash.
    location /retro/ {
        alias {{ archweb_retro_dir }};
    }

    # Mark requests whose peer address equals the configured maintenance
    # machine. This string comparison is the only gate in front of the
    # backend while maintenance mode is active.
    # NOTE(review): $remote_addr is the TCP peer unless the realip module
    # rewrites it elsewhere - confirm that no set_real_ip_from rule lets a
    # client-supplied header decide this value.
    if ($remote_addr = {{ maintenance_remote_machine }}) {
        set $maintenance_remote_machine true;
    }

    location / {
        include uwsgi_params;

        # Marked requests are logged in full and passed to the application;
        # "break" ends rewrite processing so the return below is not reached.
        if ($maintenance_remote_machine = true) {
            access_log /var/log/nginx/{{ archweb_domain }}/access.log main;
            access_log /var/log/nginx/{{ archweb_domain }}/access.log.json json_main;
            uwsgi_pass archweb;
            break;
        }

        # Everyone else gets the maintenance response.
        return 503;
    }

    # Maintenance page, served from a per-domain directory.
    location = /503.html {
        root {{ maintenance_http_dir }}/{{ service_domain }};
    }
}
|