author | Jakob Odersky <jakob@odersky.com> | 2018-12-04 21:31:01 -0800 |
---|---|---|
committer | Jakob Odersky <jakob@odersky.com> | 2018-12-04 21:39:07 -0800 |
commit | 9588e9366d3455f203e5482a41f712777595bb13 (patch) | |
tree | 272aeababb1b68f477301d67198a82c80d044c01 /terraform/provision/rootfs/etc | |
parent | db27247dd7d7209ab93419eb33d2ecb21e74c1ec (diff) | |
Simplify terraform and provisioning scripts. Move away from config packages.
Diffstat (limited to 'terraform/provision/rootfs/etc')
7 files changed, 139 insertions, 0 deletions
diff --git a/terraform/provision/rootfs/etc/apt/apt.conf.d/20auto-upgrades b/terraform/provision/rootfs/etc/apt/apt.conf.d/20auto-upgrades
new file mode 100644
index 0000000..8d6d7c8
--- /dev/null
+++ b/terraform/provision/rootfs/etc/apt/apt.conf.d/20auto-upgrades
@@ -0,0 +1,2 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/terraform/provision/rootfs/etc/cgitrc.d/crashbox b/terraform/provision/rootfs/etc/cgitrc.d/crashbox
new file mode 100644
index 0000000..fdafab6
--- /dev/null
+++ b/terraform/provision/rootfs/etc/cgitrc.d/crashbox
@@ -0,0 +1,63 @@
+#
+# cgit config
+# see cgitrc(5) for details
+#
+# https://git.zx2c4.com/cgit/tree/cgitrc.5.txt
+
+favicon=/crashbox.svg
+logo=/crashbox.svg
+root-title=git.crashbox.io
+root-desc=Git repositories hosted at crashbox.io
+root-readme=/var/lib/git/www/about.md
+clone-url=https://git.crashbox.io/$CGIT_REPO_URL
+
+## List of common mimetypes
+mimetype.gif=image/gif
+mimetype.html=text/html
+mimetype.jpg=image/jpeg
+mimetype.jpeg=image/jpeg
+mimetype.pdf=application/pdf
+mimetype.png=image/png
+mimetype.svg=image/svg+xml
+mimetype-file=/etc/mime.types
+
+# Don't show owner on index page
+enable-index-owner=0
+
+# Enable blame page and create links to it from tree page
+enable-blame=1
+
+# Enable ASCII art commit history graph on the log pages
+enable-commit-graph=1
+
+# Show extra links for each repository on the index page
+enable-index-links=1
+
+# Show number of affected files per commit on the log pages
+enable-log-filecount=1
+
+# Show number of added/removed lines per commit on the log pages
+enable-log-linecount=1
+
+# Allow download of tar.gz, tar.bz2 and zip-files
+snapshots=tar.gz tar.bz2 zip
+
+# Highlight code
+source-filter=/usr/lib/cgit/filters/syntax-highlighting.py
+
+# Format "about" files such as markdown readmes
+about-filter=/usr/lib/cgit/filters/about-formatting.sh
+readme=master:README.md
+
+# nginx handles negotiating git clones
+enable-http-clone=0
+
+section-from-path=-1
+
+# Remove ".git" suffix in listings
+remove-suffix=1
+
+# Base URL
+virtual-root=/
+
+scan-path=/srv/git
diff --git a/terraform/provision/rootfs/etc/gh-mirror b/terraform/provision/rootfs/etc/gh-mirror
new file mode 100644
index 0000000..4fc987b
--- /dev/null
+++ b/terraform/provision/rootfs/etc/gh-mirror
@@ -0,0 +1,4 @@
+users jodersky /srv/git/mirrors/github/jodersky
+orgs project-condor /srv/git/mirrors/github/project-condor
+orgs driver-oss /srv/git/mirrors/github/driver-oss
+orgs johnandjohn /srv/git/mirrors/github/johnandjohn
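Review bot: In cgitrc.d/crashbox, `enable-blame=1`, `snapshots=tar.gz tar.bz2 zip` and the Python `source-filter` are all computed on each request, and the file sets no `cache-size`, which leaves cgit's response cache at its default of disabled. Nothing in this config restricts who can reach those pages, so a crawler following blame and snapshot links can keep the fcgiwrap workers busy. I would either set a cache, for example `cache-size=1000` with a `cache-root` the CGI user can write to, or drop blame and snapshots, and add a comment recording which was chosen.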
diff --git a/terraform/provision/rootfs/etc/nginx/conf.d/ssl.conf b/terraform/provision/rootfs/etc/nginx/conf.d/ssl.conf
new file mode 100644
index 0000000..bb96ec7
--- /dev/null
+++ b/terraform/provision/rootfs/etc/nginx/conf.d/ssl.conf
@@ -0,0 +1,15 @@
+# The configuration below can be obtained with the Mozilla SSL
+# Configuration Generator at
+# https://mozilla.github.io/server-side-tls/ssl-config-generator/
+
+ssl_certificate /etc/ssl/server.cert.pem;
+ssl_certificate_key /etc/ssl/private/server.key.pem;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/ssl/issuer.cert.pem;
diff --git a/terraform/provision/rootfs/etc/nginx/sites-enabled/default.conf b/terraform/provision/rootfs/etc/nginx/sites-enabled/default.conf
new file mode 100644
index 0000000..e10725d
--- /dev/null
+++ b/terraform/provision/rootfs/etc/nginx/sites-enabled/default.conf
@@ -0,0 +1,9 @@
+# Default catch-all configuration, applied when no other configuration matches
+server {
+ server_name _;
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # close the connection without sending a response
+ return 444;
+}
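Review bot: conf.d/ssl.conf sets `ssl_ciphers` but neither `ssl_protocols` nor `ssl_prefer_server_ciphers`, so the accepted protocol versions are whatever the installed nginx defaults to and the client's cipher preference wins. Every suite in the list is TLS 1.2-only, so I would state that explicitly with `ssl_protocols TLSv1.2;` and `ssl_prefer_server_ciphers on;` directly above `ssl_ciphers`. The generator named in the header comment normally also emits a `Strict-Transport-Security` header; git.conf and ip.conf in this commit listen on port 80 too, so if it was left out deliberately a comment saying so would help.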
\ No newline at end of file
diff --git a/terraform/provision/rootfs/etc/nginx/sites-enabled/git.conf b/terraform/provision/rootfs/etc/nginx/sites-enabled/git.conf
new file mode 100644
index 0000000..7210dbc
--- /dev/null
+++ b/terraform/provision/rootfs/etc/nginx/sites-enabled/git.conf
@@ -0,0 +1,33 @@
+server {
+ server_name git.*;
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ root /var/lib/git/www;
+
+ # requests that should to go to git-http-backend
+ location ~ ^.*/(HEAD|info/refs|objects/info/.*|git-(upload|receive)-pack)$ {
+ root /srv/git;
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ fastcgi_param GIT_PROJECT_ROOT /srv/git;
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_pass unix:/run/fcgiwrap.socket;
+ }
+
+ location @cgit {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi;
+ fastcgi_param CGIT_CONFIG /etc/cgitrc.d/crashbox;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_pass unix:/run/fcgiwrap.socket;
+ }
+
+ location / {
+ try_files $uri @cgit;
+ }
+
+}
diff --git a/terraform/provision/rootfs/etc/nginx/sites-enabled/ip.conf b/terraform/provision/rootfs/etc/nginx/sites-enabled/ip.conf
new file mode 100644
index 0000000..2f3ab1e
--- /dev/null
+++ b/terraform/provision/rootfs/etc/nginx/sites-enabled/ip.conf
@@ -0,0 +1,13 @@
+# Echo remote IP address
+# https://michael.lustfield.net/nginx/simple-ip-echo
+server {
+ server_name ip.*;
+ listen 80;
+ listen [::]:80;
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ location = / {
+ default_type text/plain;
+ echo $remote_addr;
+ }
+}
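Review bot: The catch-all server in sites-enabled/default.conf listens only on port 80, so it does not cover HTTPS: a request on 443 with an unmatched Host falls through to whichever `listen 443 ssl` server nginx loads first, which from the file names is probably git.conf. Adding `listen 443 ssl default_server;` and `listen [::]:443 ssl default_server;` to this block would make `return 444` apply on both ports. The TLS handshake would still present the certificate from ssl.conf before the connection is closed.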
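Review bot: In sites-enabled/git.conf the git-http-backend location matches `git-receive-pack` as well as `git-upload-pack`, and the block carries no `auth_basic` or other access control, so whether an anonymous push is refused depends entirely on git-http-backend's defaults and on no repository under /srv/git enabling `http.receivepack`. If HTTP access is meant to be read-only, narrow the alternation to `git-upload-pack`; otherwise route receive-pack through a separate location that requires authentication. `GIT_HTTP_EXPORT_ALL` also exports every repository below /srv/git, the mirrors included, which deserves a one-line comment such as `# export all repos under /srv/git, no git-daemon-export-ok needed`. The same server accepts plain HTTP on port 80 with no redirect to HTTPS.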
\ No newline at end of file |
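Review bot: `echo $remote_addr;` in sites-enabled/ip.conf is not a core nginx directive; it is provided by the third-party echo module, so the configuration will not load on a build without that module, and nothing in the file records the dependency. `return 200 "$remote_addr\n";` together with the existing `default_type text/plain;` gives the same response with stock nginx. If the echo module is kept, a comment naming the package that provides it would help the next person provisioning the host.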