| author | maddaat <git@maddaat.org> | 2026-04-13 18:08:28 +0400 |
|---|---|---|
| committer | maddaat <git@maddaat.org> | 2026-04-13 19:27:41 +0400 |
| commit | e8318269d15a5b5f603079fa5ad045087374cb13 (patch) | |
| tree | 113e47c1bea426d5e4c913384c4b8550cef558c4 | |
| parent | 048968b8e0586eb86ad2c406fe0273670c1c1a43 (diff) | |
| -rw-r--r-- | README.md | 12 | ||||
| -rw-r--r-- | etc/acme-client.conf | 21 | ||||
| -rw-r--r-- | etc/httpd.conf | 37 | ||||
| -rw-r--r-- | etc/httpd/_acme.conf | 4 | ||||
| -rw-r--r-- | etc/httpd/_listen443.conf | 8 | ||||
| -rw-r--r-- | etc/httpd/_listen80.conf | 1 | ||||
| -rw-r--r-- | files.sh | 50 | ||||
| -rw-r--r-- | var/cron/tabs/root | 24 |
8 files changed, 129 insertions, 28 deletions
@@ -6,11 +6,13 @@ **Domain**: `maddaat.org`
-| Record | Type | Points to |
-|---------|---------|-----------------|
-| `@` | `A` | `159.65.207.26` |
-| `git` | `CNAME` | `maddaat.org.` |
-| `www` | `CNAME` | `maddaat.org.` |
+| Record | Type | Points to |
+|---------|---------|-----------------------------|
+| `@` | `CAA` | `0 issue "letsencrypt.org"` |
+| `@` | `CAA` | `0 issuewild ";"` |
+| `@` | `A` | `159.65.207.26` |
+| `git` | `CNAME` | `maddaat.org.` |
+| `www` | `CNAME` | `maddaat.org.` |
diff --git a/etc/acme-client.conf b/etc/acme-client.conf
new file mode 100644
index 0000000..f97d12a
--- /dev/null
+++ b/etc/acme-client.conf
@@ -0,0 +1,21 @@
+#
+# $OpenBSD: acme-client.conf,v 1.6 2025/08/18 15:51:57 job Exp $
+#
+authority letsencrypt {
+ api url "https://acme-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-privkey.pem"
+}
+
+authority letsencrypt-staging {
+ api url "https://acme-staging-v02.api.letsencrypt.org/directory"
+ account key "/etc/acme/letsencrypt-staging-privkey.pem"
+}
+
+domain maddaat.org {
+ alternative names { www.maddaat.org git.maddaat.org }
+ domain key "/etc/ssl/private/maddaat.org.key"
+ domain full chain certificate "/etc/ssl/maddaat.org.fullchain.pem"
+ # Test with the staging server to avoid aggressive rate-limiting.
+ #sign with letsencrypt-staging
+ sign with letsencrypt
+}
diff --git a/etc/httpd.conf b/etc/httpd.conf
index 3defb8c..a8d1527 100644
--- a/etc/httpd.conf
+++ b/etc/httpd.conf
@@ -3,15 +3,48 @@ types {
 }
 server "maddaat.org" {
- listen on * port 80
+ include "/etc/httpd/_listen80.conf"
+ include "/etc/httpd/_acme.conf"
+
+ location "*" {
+ # HTTP 301 Moved Permanently - enforce HTTPS
+ block return 301 "https://maddaat.org$REQUEST_URI"
+ }
+}
+
+server "maddaat.org" {
+ include "/etc/httpd/_listen443.conf"
+ include "/etc/httpd/_acme.conf"
 location "*" {
 block return 307 "http://git.maddaat.org"
 }
 }
+server "www.maddaat.org" {
+ include "/etc/httpd/_listen80.conf"
+ include "/etc/httpd/_listen443.conf"
+ include "/etc/httpd/_acme.conf"
+
+ location "*" {
+ # HTTP 301 Moved Permanently - enforce non-www site
+ block return 301 "https://maddaat.org$REQUEST_URI"
+ }
+}
+
+server "git.maddaat.org" {
+ include "/etc/httpd/_listen80.conf"
+ include "/etc/httpd/_acme.conf"
+
+ location "*" {
+ # HTTP 301 Moved Permanently - enforce HTTPS
+ block return 301 "https://git.maddaat.org$REQUEST_URI"
+ }
+}
+
 server "git.maddaat.org" {
- listen on * port 80
+ include "/etc/httpd/_listen443.conf"
+ include "/etc/httpd/_acme.conf"
 location "/cgit.*" {
 root "/cgit"
diff --git a/etc/httpd/_acme.conf b/etc/httpd/_acme.conf
new file mode 100644
index 0000000..3c1a0ec
--- /dev/null
+++ b/etc/httpd/_acme.conf
@@ -0,0 +1,4 @@
+location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ request strip 2
+}
diff --git a/etc/httpd/_listen443.conf b/etc/httpd/_listen443.conf
new file mode 100644
index 0000000..92f270e
--- /dev/null
+++ b/etc/httpd/_listen443.conf
@@ -0,0 +1,8 @@
+listen on * tls port 443
+
+tls {
+ certificate "/etc/ssl/maddaat.org.fullchain.pem"
+ key "/etc/ssl/private/maddaat.org.key"
+}
+
+hsts preload
diff --git a/etc/httpd/_listen80.conf b/etc/httpd/_listen80.conf
new file mode 100644
index 0000000..8e0f854
--- /dev/null
+++ b/etc/httpd/_listen80.conf
@@ -0,0 +1 @@
+listen on * port 80
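Review bot: The new TLS `server "maddaat.org"` block keeps the unchanged context line `block return 307 "http://git.maddaat.org"`, so a visitor who reached the site over HTTPS is sent back to plaintext and only then bounced by the new port-80 `git.maddaat.org` block to `https://git.maddaat.org`; that extra hop is an avoidable cleartext request and undermines the HSTS policy the same commit turns on. The target should point straight at the TLS site, `block return 307 "https://git.maddaat.org"` (a 301 would also match the other redirects this hunk adds, if the temporary status is not deliberate). The port-80 `maddaat.org` block already forces HTTPS, so nothing else relies on the http:// target. The final `server "git.maddaat.org"` block continues past the end of the hunk.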
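Review bot: `hsts preload` in etc/httpd/_listen443.conf advertises the preload token without `subdomains`, but the browser preload list only accepts a domain whose policy also carries includeSubDomains and a max-age of at least one year, so as written the header claims an eligibility the policy does not meet. If preload submission is the goal the line should read `hsts subdomains preload` (per httpd.conf(5) max-age already defaults to one year); that commits every current and future subdomain to HTTPS, which is worth a short comment in the file, e.g. `# HSTS with includeSubDomains: required for the preload list, applies to all subdomains`. Otherwise drop `preload` and keep plain `hsts` until the subdomain question is settled. The file is also included by the `www.maddaat.org` block that listens on port 80; as far as I can tell httpd only emits the header on TLS connections, so that listener should be unaffected, but it is worth confirming.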
@@ -1,23 +1,31 @@
-install_dir 0755 root wheel '/etc'
-install_file 0600 root wheel '/etc/doas.conf'
-install_file 0644 root wheel '/etc/exports'
-install_file 0644 root wheel '/etc/fstab'
-install_file 0644 root wheel '/etc/hosts'
-install_file 0644 root wheel '/etc/httpd.conf'
-install_file 0600 root wheel '/etc/pf.conf'
-install_file 0644 root wheel '/etc/rc.conf.local'
-install_file 0644 root wheel '/etc/shells'
-install_dir 0755 root wheel '/etc/ssh'
-install_file 0644 root wheel '/etc/ssh/sshd_config'
+install_dir 0755 root wheel '/etc'
+install_file 0644 root wheel '/etc/acme-client.conf'
+install_file 0600 root wheel '/etc/doas.conf'
+install_file 0644 root wheel '/etc/exports'
+install_file 0644 root wheel '/etc/fstab'
+install_file 0644 root wheel '/etc/hosts'
+install_file 0644 root wheel '/etc/httpd.conf'
+install_dir 0755 root wheel '/etc/httpd'
+install_file 0644 root wheel '/etc/httpd/_acme.conf'
+install_file 0644 root wheel '/etc/httpd/_listen80.conf'
+install_file 0644 root wheel '/etc/httpd/_listen443.conf'
+install_file 0600 root wheel '/etc/pf.conf'
+install_file 0644 root wheel '/etc/rc.conf.local'
+install_file 0644 root wheel '/etc/shells'
+install_dir 0755 root wheel '/etc/ssh'
+install_file 0644 root wheel '/etc/ssh/sshd_config'
-install_dir 0755 root wheel '/home'
-install_dir 0755 git git '/home/git'
-install_file 0644 git git '/home/git/.gitconfig'
-install_file 0600 git git '/home/git/.gitolite.rc'
+install_dir 0755 root wheel '/home'
+install_dir 0755 git git '/home/git'
+install_file 0644 git git '/home/git/.gitconfig'
+install_file 0600 git git '/home/git/.gitolite.rc'
-install_dir 0755 root daemon '/var'
-install_dir 0755 root daemon '/var/www'
-install_dir 0755 root daemon '/var/www/conf'
-install_file 0644 root wheel '/var/www/conf/cgitrc'
-install_dir 0755 git git '/var/www/git'
-install_dir 0755 git git '/var/www/git/repositories'
+install_dir 0755 root daemon '/var'
+install_dir 0555 root wheel '/var/cron'
+install_dir 1730 root crontab '/var/cron/tabs'
+install_file 0600 root crontab '/var/cron/tabs/root'
+install_dir 0755 root daemon '/var/www'
+install_dir 0755 root daemon '/var/www/conf'
+install_file 0644 root wheel '/var/www/conf/cgitrc'
+install_dir 0755 git git '/var/www/git'
+install_dir 0755 git git '/var/www/git/repositories'
diff --git a/var/cron/tabs/root b/var/cron/tabs/root
new file mode 100644
index 0000000..f26a9bc
--- /dev/null
+++ b/var/cron/tabs/root
@@ -0,0 +1,24 @@
+# $OpenBSD: crontab,v 1.28 2020/04/18 17:22:43 jmc Exp $
+#
+# /var/cron/tabs/root - root's crontab
+#
+SHELL=/bin/sh
+PATH=/bin:/sbin:/usr/bin:/usr/sbin
+HOME=/var/log
+#
+#minute hour mday month wday [flags] command
+#
+# rotate log files every hour, if necessary
+0 * * * * /usr/bin/newsyslog
+# send log file notifications, if necessary
+#1-59 * * * * /usr/bin/newsyslog -m
+#
+# do daily/weekly/monthly maintenance
+30 1 * * * /bin/sh /etc/daily
+30 3 * * 6 /bin/sh /etc/weekly
+30 5 1 * * /bin/sh /etc/monthly
+#~ * * * * /usr/libexec/spamd-setup
+
+#~ * * * * -ns rpki-client -v && bgpctl reload
+
+0 0 * * * (acme-client maddaat.org || true) && rcctl reload httpd |
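Review bot: The `|| true` on the last line of var/cron/tabs/root defeats the exit-status contract the reload depends on: acme-client(1) exits 0 when a certificate was issued or renewed, 1 on failure and 2 when nothing changed, so the plain form `acme-client maddaat.org && rcctl reload httpd` reloads httpd only after a renewal and lets a failure surface through cron's mail. With the wrapper, httpd is reloaded every night whether or not anything changed, and a broken renewal (the CAA record from this commit, a rate limit, a lost account key) is swallowed until the certificate actually expires. I would also swap the fixed `0 0` for a random minute, `~ * * * * acme-client maddaat.org && rcctl reload httpd`, matching the `#~ * * * *` entries already in this file, so the renewal is not fired at exactly midnight together with every other host using the default; acme-client does nothing unless the certificate is close to expiry, so running hourly is cheap. The entry deserves a one-line comment such as `# renew the TLS certificate and reload httpd only when it changed`.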
