add systemd service file and nginx config snippet

* setup considers deploying on dotya.ml but this can easily be changed
* [skip ci]

Deployment/pwt.conf

@@ -0,0 +1,99 @@
+upstream pwt {
+	server 127.0.0.1:8001;
+}
+
+server {
+	return 301 https://pwt.dotya.ml$request_uri;
+
+	listen 80;
+	listen [::]:80;
+	server_name pwt.dotya.ml;
+	return 404;
+
+	add_header Referrer-Policy "no-referrer, origin-when-cross-origin";
+	add_header X-Frame-Options "SAMEORIGIN" always;
+	add_header X-Content-Type-Options "nosniff" always;
+	add_header X-XSS-Protection "1; mode=block" always;
+	add_header X-Robots-Tag none;
+	add_header X-Real-IP $remote_addr;
+	add_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	add_header X-Forwarded-Proto $scheme;
+}
+
+server {
+	server_name pwt.dotya.ml;
+
+	access_log /var/log/nginx/pwt.dotya.ml.access.log;
+	error_log /var/log/nginx/pwt.dotya.ml.error.log;
+
+	expires $expires;
+	etag on;
+	brotli on;
+	brotli_static on;
+	brotli_types *;
+
+	if ($http_user_agent ~* SemrushBot|morfeus) {
+		return 302 your-script-kiddie-box;
+	}
+	error_page  302 @blackhole;
+
+	location @blackhole {
+		add_header MESSAGE "YOU ALL SUCK D*CK";
+		add_header Retry-after "your script dies";
+		return 200;
+	}
+
+	location / {
+		proxy_pass http://pwt;
+	}
+	location = /robots.txt {
+		allow all;
+		add_header Content-Type "text/plain; charset=utf-8";
+		add_header X-Robots-Tag "none";
+		return 200 "User-agent: *\nDisallow: /";
+	}
+
+	add_header Content-Security-Policy "default-src 'none'; manifest-src 'self'; font-src 'self' https: blob:; img-src 'self'; script-src 'self' https: 'sha256-BU6NaT/mFkOb6wlKw9aAUV4i5MFr/Z/IFLIYAVFkmxQ=' 'sha256-V1j096ud9m6h5KncKkiAplx22jz14i0avalMtHLMFPs=' 'sha256-ggCJb9MSbkFha0PX0DCP2JxSZ4Vyz95IZKhP9nHXES8='; style-src 'self' https:; object-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self';";
+	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+	add_header Feature-Policy "geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; fullscreen 'self'; payment 'none';";
+	add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
+	add_header X-Frame-Options "SAMEORIGIN" always;
+	add_header X-Content-Type-Options "nosniff" always;
+	add_header X-XSS-Protection "1; mode=block" always;
+	add_header X-Robots-Tag none;
+	add_header X-Real-IP $remote_addr;
+	add_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	add_header X-Forwarded-Proto $scheme;
+
+	listen [::]:443 ssl http2;
+	listen 443 ssl http2;
+	ssl_certificate /etc/letsencrypt/live/pwt.dotya.ml/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/pwt.dotya.ml/privkey.pem;
+	include /etc/letsencrypt/options-ssl-nginx.conf;
+	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+}
+
+server {
+	if ($host = www.pwt.dotya.ml) {
+		return 301 https://pwt.dotya.ml$request_uri;
+	}
+	listen 80;
+	listen [::]:80;
+	server_name www.pwt.dotya.ml;
+	return 404;
+
+	add_header Referrer-Policy "no-referrer, origin-when-cross-origin, strict-origin-when-cross-origin";
+	add_header X-Frame-Options "SAMEORIGIN" always;
+	add_header X-Content-Type-Options "nosniff" always;
+	add_header X-XSS-Protection "1; mode=block" always;
+	add_header X-Robots-Tag none;
+	add_header X-Real-IP $remote_addr;
+	add_header X-Forwarded-For $remote_addr;
+
+	listen [::]:443 ssl http2;
+	listen 443 ssl http2;
+	ssl_certificate /etc/letsencrypt/live/pwt.dotya.ml/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/pwt.dotya.ml/privkey.pem;
+	include /etc/letsencrypt/options-ssl-nginx.conf;
+	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+}

Deployment/pwt.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=pwt
+After=nginx.service docker.service
+
+[Service]
+Restart=on-failure
+ExecStart=/usr/bin/docker-compose -f /etc/pwt/pwt-0x01-ng/docker-compose.prod.yml up --remove-orphans --build --scale netcoreultimateapp-prod=2
+ExecStop=/usr/bin/docker-compose -f /etc/pwt/pwt-0x01-ng/docker-compose.prod.yml stop
+
+[Install]
+WantedBy=multi-user.target
+