authorterminaldweller <thabogre@gmail.com>2022-12-18 11:18:14 +0000
committerterminaldweller <thabogre@gmail.com>2022-12-18 11:18:14 +0000
commit48bc5c779635cd369672405483082115d4f5112b (patch)
tree0db3be47d825ea04081027f2887290c3fd88ff92 /terminaldweller.com
parentupdate (diff)
downloadscripts-48bc5c779635cd369672405483082115d4f5112b.tar.gz
scripts-48bc5c779635cd369672405483082115d4f5112b.zip
update
Diffstat (limited to '')
-rw-r--r--terminaldweller.com/cgit/bootstrap/Dockerfile3
-rwxr-xr-xterminaldweller.com/cgit/bootstrap/bootstrap.sh7
-rwxr-xr-xterminaldweller.com/cgit/bootstrap/docker-entrypoint.sh3
-rw-r--r--terminaldweller.com/ejabberd/docker-compose.yaml2
-rw-r--r--terminaldweller.com/haproxy/haproxy.cfg10
-rw-r--r--terminaldweller.com/main/docker-compose.yaml21
-rw-r--r--terminaldweller.com/main/nginx.conf30
-rw-r--r--terminaldweller.com/main/srv/.well-known/webfinger/finger.json1
8 files changed, 72 insertions, 5 deletions
diff --git a/terminaldweller.com/cgit/bootstrap/Dockerfile b/terminaldweller.com/cgit/bootstrap/Dockerfile
index fe212dd..2467f36 100644
--- a/terminaldweller.com/cgit/bootstrap/Dockerfile
+++ b/terminaldweller.com/cgit/bootstrap/Dockerfile
@@ -4,4 +4,5 @@ RUN apk update && apk add --no-cache git cronie busybox-initscripts
COPY ./bootstrap.sh /bootstrap.sh
COPY ./docker-entrypoint.sh /docker-entrypoint.sh
COPY ./crontab /etc/crontabs/root
-ENTRYPOINT ["/bootstrap.sh"]
+RUN chmod 0744 /bootstrap.sh
+ENTRYPOINT ["/docker-entrypoint.sh"]
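Review bot: The added `RUN chmod 0744 /bootstrap.sh` sets the mode on a file the new entrypoint only sources, while `/docker-entrypoint.sh`, which is now what actually gets executed, still relies on the executable bit carried over from the build context. The diff header shows that file as mode 100755, so this works today, but a checkout or build host that drops the bit would give an image that fails at start. Setting it explicitly, `RUN chmod 0755 /docker-entrypoint.sh`, makes the image independent of the context. A one-line comment above ENTRYPOINT saying that `bootstrap.sh` is sourced rather than run would explain why the two scripts are treated differently.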
diff --git a/terminaldweller.com/cgit/bootstrap/bootstrap.sh b/terminaldweller.com/cgit/bootstrap/bootstrap.sh
index d504064..3481546 100755
--- a/terminaldweller.com/cgit/bootstrap/bootstrap.sh
+++ b/terminaldweller.com/cgit/bootstrap/bootstrap.sh
@@ -32,17 +32,20 @@ REPOS="cgrep \
grpc \
faultreiber \
luatablegen \
+ magni \
cfe-extra"
bootstrap() {
for REPO in ${REPOS}; do
- (cd "${GIT_REPO_DIR}" && git clone --bare "${ORIGIN_HTTPS}/${REPO}")
+ if [ ! -d ${GIT_REPO_DIR}/${REPO}.git ]; then
+ (cd "${GIT_REPO_DIR}" && git clone --bare "${ORIGIN_HTTPS}/${REPO}")
+ fi
done
}
update_repos() {
for REPO in ${REPOS}; do
- (cd "${GIT_REPO_DIR}/${REPO}".git && git fetch || true)
+ (cd "${GIT_REPO_DIR}/${REPO}".git && git fetch origin *:*)
done
}
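Review bot: The refspec in `git fetch origin *:*` and the path in `[ ! -d ${GIT_REPO_DIR}/${REPO}.git ]` are both unquoted, so the shell may glob-expand or word-split them before git or `test` sees them. Quoting both keeps the arguments literal: `git fetch origin '*:*'` and `if [ ! -d "${GIT_REPO_DIR}/${REPO}.git" ]; then`. The `-d` guard also treats any existing directory as a finished clone, so a clone interrupted part-way would presumably never be retried; a comment on `bootstrap()` stating that assumption would help. The `REPOS` assignment starts above the hunk, so the full list is not visible here.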
diff --git a/terminaldweller.com/cgit/bootstrap/docker-entrypoint.sh b/terminaldweller.com/cgit/bootstrap/docker-entrypoint.sh
index 833d95b..d6d7009 100755
--- a/terminaldweller.com/cgit/bootstrap/docker-entrypoint.sh
+++ b/terminaldweller.com/cgit/bootstrap/docker-entrypoint.sh
@@ -3,5 +3,6 @@ set -e
set -x
. /bootstrap.sh
-on_startup /etc/gitrepos/
+bootstrap
+update_repos
crond -n -s -P
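Review bot: With `set -e` active, one failed clone or fetch inside `bootstrap` or `update_repos` now ends the entrypoint before `crond` starts, because this commit also removes the `|| true` from the fetch in bootstrap.sh. A network outage or an unreachable origin at boot would then stop the container, and the scheduled jobs would never run. If the crontab is meant to retry the fetch later, which the hunk does not show, tolerate the first failure explicitly: `update_repos || echo "initial fetch failed, leaving retry to cron" >&2`. The previous call passed `/etc/gitrepos/` as an argument, so it is worth confirming that `GIT_REPO_DIR` is set to that path in bootstrap.sh. The script begins above the hunk.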
diff --git a/terminaldweller.com/ejabberd/docker-compose.yaml b/terminaldweller.com/ejabberd/docker-compose.yaml
index 1ca57b2..3ba143a 100644
--- a/terminaldweller.com/ejabberd/docker-compose.yaml
+++ b/terminaldweller.com/ejabberd/docker-compose.yaml
@@ -33,5 +33,5 @@ volumes:
mnesia_db:
vault:
# openssl dhparam -out dhparams.pem 4096
-# certbot certonly --standlone -d chat.terminaldweller.com -e devi@terminaldweller.com --agree-tos --noninteractive
+# certbot certonly --standlone -d chat.terminaldweller.com -m devi@terminaldweller.com --agree-tos --noninteractive
# docker exec -it 6eebd16a2385 bin/ejabberdctl register admin chat.terminaldweller.com password
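Review bot: The corrected certbot comment still spells the flag `--standlone`, so the command fails when pasted; certbot's option is `--standalone`. The line should read `# certbot certonly --standalone -d chat.terminaldweller.com -m devi@terminaldweller.com --agree-tos --noninteractive`.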
diff --git a/terminaldweller.com/haproxy/haproxy.cfg b/terminaldweller.com/haproxy/haproxy.cfg
index c6c9ce7..26265ae 100644
--- a/terminaldweller.com/haproxy/haproxy.cfg
+++ b/terminaldweller.com/haproxy/haproxy.cfg
@@ -46,6 +46,7 @@ frontend http
acl git-host hdr_sub(host) -i git.terminaldweller.com
acl cargo-host hdr_sub(host) -i cargo.terminaldweller.com
acl browsh-host hdr_sub(host) -i browsh.terminaldweller.com
+ acl main-host hdr_sub(host) -i terminaldweller.com
acl mila-api-acl url_beg /mila
acl crypto-api-acl url_beg /crypto
acl http ssl_fc,not
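Review bot: The new `acl main-host hdr_sub(host) -i terminaldweller.com` is a substring match, so it is true for every subdomain already handled above and for any Host value that merely contains that string. The redirect added in the next hunk therefore also applies to hosts whose own redirect is commented out, such as jabber-host. The `use_backend searx-backend-cert if letsencrypt-acl main-host` line in the third hunk sits before the `certbot-backend` rule and will take ACME requests that rule used to receive. An exact match avoids this: `acl main-host hdr(host) -i terminaldweller.com`, with a second value for the `:80` form if clients send the port. The `frontend http` block starts and ends outside these hunks, so the full rule order should be checked there.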
@@ -65,6 +66,7 @@ frontend http
http-request redirect scheme https code 301 if http browsh-host !letsencrypt-acl
#http-request redirect scheme https code 301 if http jabber-host !letsencrypt-acl
http-request redirect scheme https code 301 if http rssgen-host !letsencrypt-acl
+ http-request redirect scheme https code 301 if http main-host !letsencrypt-acl
#Conditions
use_backend blog-backend-cert if letsencrypt-acl blog-host
@@ -79,6 +81,7 @@ frontend http
use_backend searx-backend-cert if letsencrypt-acl git-host
use_backend searx-backend-cert if letsencrypt-acl cargo-host
use_backend vpn6-cert-backend if letsencrypt-acl browsh-host
+ use_backend searx-backend-cert if letsencrypt-acl main-host
# use_backend editor-backend-cert if letsencrypt-acl editor-host
use_backend certbot-backend if letsencrypt-acl !jabber-host !blog-host !api-host
use_backend blog-backend if blog-host
@@ -113,6 +116,7 @@ frontend https
acl discord-host-s req.ssl_sni -i discord.terminaldweller.com
acl rssgen-host-s req.ssl_sni -i rssgen.terminaldweller.com
acl browsh-host-s req.ssl_sni -i browsh.terminaldweller.com
+ acl main-host-s req.ssl_sni -i terminaldweller.com
#Conditions
use_backend mail-backend-s if mail-host-s
#use_backend chat-backend-s if chat-host-s
@@ -128,6 +132,7 @@ frontend https
use_backend git-backend-s if git-host-s
use_backend rssgen-backend-s if rssgen-host-s
use_backend browsh-backend-s if browsh-host-s
+ use_backend main-backend-s if main-host-s
#frontend jabber5222
# bind *:5222
@@ -393,3 +398,8 @@ backend browsh-backend-s
backend vpn6-cert-backend
mode http
server vpn6-cert-host 185.130.45.46:80
+
+backend main-backend-s
+ mode tcp
+ option tcp-check
+ server main-host-s 185.130.47.208:7773
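Review bot: In the new `main-backend-s` block, `option tcp-check` has no effect because the `server` line carries no `check` keyword, so HAProxy never probes this server and will keep sending traffic to it while it is down. Adding the keyword enables the probe: `server main-host-s 185.130.47.208:7773 check`. The backend forwards to a public address on the port that the compose file publishes on all interfaces, so the nginx listener is presumably reachable without going through HAProxy. If that is not intended, bind the published port to a specific address or restrict it at the firewall.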
diff --git a/terminaldweller.com/main/docker-compose.yaml b/terminaldweller.com/main/docker-compose.yaml
new file mode 100644
index 0000000..2f927c0
--- /dev/null
+++ b/terminaldweller.com/main/docker-compose.yaml
@@ -0,0 +1,21 @@
+version: "3"
+services:
+ nginx:
+ image: nginx:stable
+ networks:
+ - mainnet
+ ports:
+ - "7773:8080"
+ restart: unless-stopped
+ volumes:
+ - ./nginx.conf:/etc/nginx/nginx.conf:ro
+ - /etc/letsencrypt/archive/terminaldweller.com/:/certs/
+ - ./srv:/srv
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - SETGID
+ - SETUID
+networks:
+ mainnet:
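Review bot: The certificate directory and the web root are mounted read-write, so a compromised nginx process could overwrite the host's private key or the served files; only `nginx.conf` has `:ro`. Both mounts can be read-only: `- /etc/letsencrypt/archive/terminaldweller.com/:/certs/:ro` and `- ./srv:/srv:ro`. Mounting `archive/` also ties the container to the numbered files (`fullchain1.pem`, `privkey1.pem` in nginx.conf), which a renewal will not update. Mounting the parent `/etc/letsencrypt` and pointing nginx at the `live/` symlinks would follow renewals. The `nginx:stable` tag is a moving target, so pinning a version or digest would make rebuilds reproducible.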
diff --git a/terminaldweller.com/main/nginx.conf b/terminaldweller.com/main/nginx.conf
new file mode 100644
index 0000000..4007cca
--- /dev/null
+++ b/terminaldweller.com/main/nginx.conf
@@ -0,0 +1,30 @@
+events {
+ worker_connections 1024;
+}
+# curl https://fosstodon.org/.well-known/webfinger?resource=acct:terminaldweller@fosstodon.org
+http {
+ server {
+ listen 8080 ssl http2;
+ keepalive_timeout 70;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ ssl_ciphers HIGH:!aNULL:!MD5:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers on;
+ ssl_certificate /certs/fullchain1.pem;
+ ssl_certificate_key /certs/privkey1.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ add_header Content-Security-Policy "default-src 'self';";
+ add_header X-Frame-Options SAMEORIGIN always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Referrer-Policy "no-referrer";
+ sendfile on;
+ tcp_nopush on;
+
+ location /.well-known/webfinger {
+ add_header Access-Control-Allow-Origin "*";
+ add_header Content-Type "application/json";
+ alias /srv/.well-known/webfinger/finger.json;
+ }
+ # https://metacode.biz/openpgp/web-key-directory?
+ }
+}
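Review bot: The `location /.well-known/webfinger` block declares its own `add_header` lines, and nginx inherits `add_header` from the enclosing level only when the current level defines none. The HSTS, CSP, X-Frame-Options, nosniff and Referrer-Policy headers set on the server are therefore not sent for the only location this server has. `add_header Content-Type "application/json"` also appends a second Content-Type header instead of replacing the one nginx derives from `default_type`, so clients may see two conflicting values. The headers that still apply should be repeated inside the location and the type set with `default_type`, as sketched below. A comment noting that the certificate paths point at numbered archive files would warn the next reader that they go stale after renewal.

```nginx
    location /.well-known/webfinger {
      # add_header here replaces the server-level set, so repeat what this response needs
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      add_header X-Content-Type-Options "nosniff" always;
      add_header Access-Control-Allow-Origin "*";
      # set the media type once instead of appending a second Content-Type header
      types { }
      default_type application/json;
      # ... unchanged: alias to finger.json ...
    }
```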
diff --git a/terminaldweller.com/main/srv/.well-known/webfinger/finger.json b/terminaldweller.com/main/srv/.well-known/webfinger/finger.json
new file mode 100644
index 0000000..c7cdb78
--- /dev/null
+++ b/terminaldweller.com/main/srv/.well-known/webfinger/finger.json
@@ -0,0 +1 @@
+{"subject":"acct:terminaldweller@fosstodon.org","aliases":["https://fosstodon.org/@terminaldweller","https://fosstodon.org/users/terminaldweller"],"links":[{"rel":"http://webfinger.net/rel/profile-page","type":"text/html","href":"https://fosstodon.org/@terminaldweller"},{"rel":"self","type":"application/activity+json","href":"https://fosstodon.org/users/terminaldweller"},{"rel":"http://ostatus.org/schema/1.0/subscribe","template":"https://fosstodon.org/authorize_interaction?uri={uri}"}]} \ No newline at end of file