Merge default server configs

etc/nginx/conf.d/default.conf

@@ -1,3 +1,41 @@
+# Use http2
+http2 on;
+
+# Shared TLS configuration
+
+## Use strong ciphers
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
+ssl_prefer_server_ciphers on;
+ssl_conf_command Options PrioritizeChaCha;
+
+## Configure ssl session cache
+## Improves performance but we don't wanna keep this forever
+## Session ticket creation and rotation is handled by GrapheneOS's scripts:
+## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
+## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys
+
+ssl_session_cache shared:SSL:10m; # About 40000 sessions
+ssl_session_timeout 1d;
+ssl_session_ticket_key session-ticket-keys/4.key;
+ssl_session_ticket_key session-ticket-keys/3.key;
+ssl_session_ticket_key session-ticket-keys/2.key;
+ssl_session_ticket_key session-ticket-keys/1.key;
+
+## Enable HSTS header
+
+proxy_hide_header Strict-Transport-Security;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+## The following settings need to be declared manually per vhost:
+# ssl_certificate
+# ssl_certificate_key
+# ssl_trusted_certificate
+# ssl_stapling_file
+
+# Disable server tokens
+server_tokens off;
+
 server {
     listen ipv4_1:80 default_server;
     listen [ipv6_1]:80 default_server;

etc/nginx/conf.d/http2.conf

@@ -1,3 +0,0 @@
-# This is all it takes to enable http2 globally
-
-http2 on;

etc/nginx/conf.d/server_tokens.conf

@@ -1 +0,0 @@
-server_tokens off;

etc/nginx/conf.d/tls.conf

@@ -1,31 +0,0 @@
-# Shared TLS configuration
-
-## Use strong ciphers
-ssl_protocols TLSv1.2 TLSv1.3;
-ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
-ssl_prefer_server_ciphers on;
-ssl_conf_command Options PrioritizeChaCha;
-
-## Configure ssl session cache
-## Improves performance but we don't wanna keep this forever
-## Session ticket creation and rotation is handled by GrapheneOS's scripts:
-## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
-## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys
-
-ssl_session_cache shared:SSL:10m; # About 40000 sessions
-ssl_session_timeout 1d;
-ssl_session_ticket_key session-ticket-keys/4.key;
-ssl_session_ticket_key session-ticket-keys/3.key;
-ssl_session_ticket_key session-ticket-keys/2.key;
-ssl_session_ticket_key session-ticket-keys/1.key;
-
-# Enable HSTS header
-
-proxy_hide_header Strict-Transport-Security;
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-
-## The following settings need to be declared manually per vhost:
-# ssl_certificate
-# ssl_certificate_key
-# ssl_trusted_certificate
-# ssl_stapling_file

setup.sh

@@ -122,10 +122,7 @@ sudo systemctl enable --now nginx-rotate-session-ticket-keys.timer
 
 # Download NGINX configs
 
-unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/http2.conf | sudo tee /etc/nginx/conf.d/http2.conf > /dev/null
-unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/server_tokens.conf | sudo tee /etc/nginx/conf.d/server_tokens.conf > /dev/null
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/default.conf | sudo tee /etc/nginx/conf.d/default.conf > /dev/null
-unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/conf.d/tls.conf | sudo tee /etc/nginx/conf.d/tls.conf > /dev/null
 
 sudo mkdir -p /etc/nginx/snippets
 unpriv curl -s https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/nginx/snippets/proxy.conf | sudo tee /etc/nginx/snippets/proxy.conf > /dev/null