commit 0194ef4da389961e37bc233435ee97ce4d2c9cbd
Author: Alex <alex@caloyannis.xyz>
Date: Tue, 10 Mar 2026 23:24:04 +0100
first commit
Diffstat:
| A | cgit | | | 44 | ++++++++++++++++++++++++++++++++++++++++++++ |
| A | default | | | 91 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| A | main.conf | | | 85 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| A | rewrite_q | | | 8 | ++++++++ |
| A | secure | | | 67 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| A | security_headers | | | 8 | ++++++++ |
| A | simple | | | 24 | ++++++++++++++++++++++++ |
| A | simple_php | | | 39 | +++++++++++++++++++++++++++++++++++++++ |
8 files changed, 366 insertions(+), 0 deletions(-)
diff --git a/cgit b/cgit
@@ -0,0 +1,44 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name git.caloyannis.xyz;
+
+ return 301 https://git.caloyannis.xyz$uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ server_name git.caloyannis.xyz;
+
+ root /var/www/html/cgit;
+ try_files $uri @cgit ;
+
+ ssl_certificate /etc/letsencrypt/live/caloyannis.xyz/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/caloyannis.xyz/privkey.pem;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "DENY" always;
+ add_header Referrer-Policy "no-referrer" always;
+
+ location ~ /.+/(info/refs|git-upload-pack) {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param GIT_HTTP_EXPORT_ALL 1;
+ fastcgi_param GIT_PROJECT_ROOT /srv/git;
+ fastcgi_param HOME /srv/git;
+ fastcgi_pass unix:/run/fcgiwrap.socket;
+ }
+
+ location @cgit {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /var/www/html/cgit/cgit.cgi;
+ fastcgi_param PATH_INFO $uri;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_pass unix:/run/fcgiwrap.socket;
+ }
+}
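Review bot: The port-80 redirect `return 301 https://git.caloyannis.xyz$uri;` builds the Location header from `$uri`, which is the decoded, normalized path, so percent-encoded control characters in the request path are written into the response header unescaped, and the query string is dropped. Use `return 301 https://git.caloyannis.xyz$request_uri;` instead; the two `return 301 https://www.caloyannis.xyz$uri;` lines in `secure` have the same problem. Separately, the `location ~ /.+/(info/refs|git-upload-pack)` regex is unanchored, and `GIT_HTTP_EXPORT_ALL 1` makes git-http-backend serve every repository under /srv/git without checking for `git-daemon-export-ok`, so confirm that nothing private lives there.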
diff --git a/default b/default
@@ -0,0 +1,91 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ # SSL configuration
+ #
+ # listen 443 ssl default_server;
+ # listen [::]:443 ssl default_server;
+ #
+ # Note: You should disable gzip for SSL traffic.
+ # See: https://bugs.debian.org/773332
+ #
+ # Read up on ssl_ciphers to ensure a secure configuration.
+ # See: https://bugs.debian.org/765782
+ #
+ # Self signed certs generated by the ssl-cert package
+ # Don't use them in a production server!
+ #
+ # include snippets/snakeoil.conf;
+
+ root /var/www/html;
+
+ # Add index.php to the list if you are using PHP
+ index index.html index.htm index.nginx-debian.html;
+
+ server_name _;
+
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ =404;
+ }
+
+ # pass PHP scripts to FastCGI server
+ #
+ #location ~ \.php$ {
+ # include snippets/fastcgi-php.conf;
+ #
+ # # With php-fpm (or other unix sockets):
+ # fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+ # # With php-cgi (or other tcp sockets):
+ # fastcgi_pass 127.0.0.1:9000;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+# listen 80;
+# listen [::]:80;
+#
+# server_name example.com;
+#
+# root /var/www/example.com;
+# index index.html;
+#
+# location / {
+# try_files $uri $uri/ =404;
+# }
+#}
diff --git a/main.conf b/main.conf
@@ -0,0 +1,85 @@
+user www-data;
+worker_processes auto;
+worker_cpu_affinity auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ client_max_body_size 5M;
+ tcp_nopush on;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3 (POODLE), TLS 1.0, 1.1
+ ssl_prefer_server_ciphers off; # Don't force server cipher order.
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ ##
+ # Virtual Host Configs
+ ##
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+}
+
+
+#mail {
+# # See sample authentication script at:
+# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+# # auth_http localhost/auth.php;
+# # pop3_capabilities "TOP" "USER";
+# # imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+# server {
+# listen localhost:110;
+# protocol pop3;
+# proxy on;
+# }
+#
+# server {
+# listen localhost:143;
+# protocol imap;
+# proxy on;
+# }
+#}
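Review bot: `gzip on;` in the http block also applies to every TLS virtual host, including the PHP site in `secure`. Compressing dynamic HTML that mixes secrets with request-controlled content over TLS is the precondition for BREACH-style length side channels, and the stock comment in `default` already says to disable gzip for SSL traffic. If the PHP pages carry session-bound tokens, set `gzip off;` in the 443 server blocks or restrict compression to static assets. The SSL section sets only `ssl_protocols` and `ssl_prefer_server_ciphers`, leaving ciphers and session tickets at build defaults; a one-line comment saying this is deliberate would help the next reader.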
diff --git a/rewrite_q b/rewrite_q
@@ -0,0 +1,8 @@
+location / {
+ #try_files $uri $uri/ =404;
+ try_files $uri $uri/ @rewrite;
+}
+
+location @rewrite {
+ rewrite ^/([^/?]+)/?$ /?q=$1 last;
+}
diff --git a/secure b/secure
@@ -0,0 +1,67 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name _;
+
+ return 301 https://www.caloyannis.xyz$uri;
+}
+
+server {
+ listen 443;
+ listen [::]:443;
+
+ server_name _;
+
+ return 301 https://www.caloyannis.xyz$uri;
+
+ ssl_certificate /etc/letsencrypt/live/caloyannis.xyz/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/caloyannis.xyz/privkey.pem;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name www.caloyannis.xyz;
+
+ ssl_certificate /etc/letsencrypt/live/caloyannis.xyz/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/caloyannis.xyz/privkey.pem;
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "DENY" always;
+ add_header Referrer-Policy "no-referrer" always;
+
+# add_header Content-Security-Policy "" always;
+# add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+# add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+
+ root /srv/http/caloyannis;
+
+ index index.php index.html index.htm;
+
+ location / {
+ #try_files $uri $uri/ =404;
+ try_files $uri $uri/ @rewrite;
+ }
+
+ location @rewrite {
+ rewrite ^/([^/?]+)/?$ /?q=$1 last;
+ }
+
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+
+ # With php-fpm (or other unix sockets):
+ fastcgi_pass unix:/run/php/php8.4-fpm.sock;
+ #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}
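Review bot: The catch-all block uses `listen 443;` and `listen [::]:443;` without the `ssl` parameter even though it configures a certificate. It terminates TLS only because the www block in the same file declares `ssl` on the same port, and on its own it would speak plaintext on 443. Write `listen 443 ssl;` and `listen [::]:443 ssl;` there so the block does not silently depend on a sibling. Neither catch-all is marked `default_server`, so with `server_name _` the block that answers unknown hosts is whichever one nginx loads first for that port; adding `default_server` would make that explicit.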
diff --git a/security_headers b/security_headers
@@ -0,0 +1,8 @@
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "DENY" always;
+add_header Referrer-Policy "no-referrer" always;
+
+#add_header Content-Security-Policy "" always;
+#add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+#add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
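Review bot: Nothing in this commit includes this snippet; `cgit` and `secure` repeat the same four `add_header` lines inline, so the copies can drift apart. Replacing those copies with an `include` of this file would keep the policy in one place. A header comment would also help, for example `# add_header is inherited only when the current level defines none of its own; include this file again in any location that adds headers`. The commented-out `Content-Security-Policy ""` is a placeholder and would have no effect if enabled with an empty value.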
diff --git a/simple b/simple
@@ -0,0 +1,24 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name _;
+
+ root /srv/http/simple;
+
+ add_header X-Frame-Options "DENY" always;
+ add_header Referrer-Policy "no-referrer" always;
+
+ access_log /var/log/nginx/simple-access.log;
+
+ index index.php index.html index.htm;
+
+ location / {
+ try_files $uri $uri/ =404;
+ #try_files $uri $uri/ @rewrite;
+ }
+
+ #location @rewrite {
+ # rewrite ^/([^/?]+)/?$ /?q=$1 last;
+ #}
+}
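Review bot: `server_name _;` on `listen 80` here collides with the port-80 redirect block in `secure` and with `simple_php`, which declare the same name on the same port. If more than one is enabled, nginx logs a conflicting server name warning and ignores the later definition, so whether a client gets this plain-HTTP site or the HTTPS redirect depends on load order. Give each template a real `server_name`. This block and `simple_php` also omit `add_header X-Content-Type-Options "nosniff" always;`, which the other server files set.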
diff --git a/simple_php b/simple_php
@@ -0,0 +1,39 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name _;
+
+ root /srv/http/simple;
+
+ add_header X-Frame-Options "DENY" always;
+ add_header Referrer-Policy "no-referrer" always;
+
+ access_log /var/log/nginx/simple-access.log;
+
+ index index.php index.html index.htm;
+
+ location / {
+ try_files $uri $uri/ =404;
+ #try_files $uri $uri/ @rewrite;
+ }
+
+ #location @rewrite {
+ # rewrite ^/([^/?]+)/?$ /?q=$1 last;
+ #}
+
+ location ~ \.php$ {
+ include snippets/fastcgi-php.conf;
+
+ # With php-fpm (or other unix sockets):
+ fastcgi_pass unix:/run/php/php8.4-fpm.sock;
+ #fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ }
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}
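Review bot: The dotfile guard is left commented out (`#location ~ /\.ht`), so any hidden file under /srv/http/simple that is not a `.php` script would be served as static content by `try_files $uri`; the PHP server in `secure` has the same gap. Whether anything sensitive is stored there can't be told from the diff, but a deny rule is cheap: `location ~ /\.(?!well-known) { deny all; }`. The PHP location also relies entirely on `snippets/fastcgi-php.conf`, which is not part of this commit, for the script-existence check and `SCRIPT_FILENAME`, so check that the snippet on the target host provides both.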