diff --git a/README.md b/README.md
index d848d6b..dab75b2 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ These are my NGINX configurations. They are written for Fedora CoreOS's `nginx-c
 1. Install `nginx-core`, `nginx-mod-stream`, and `policycoreutils-python-utils` on Fedora. Makesure `rsync` is available on the OS.
 2. Comment out the default server block in `/etc/nginx/nginx.conf`.
 3. Run `setup.sh`
-4. Make a dummy vhost listening on port `80` with the server_name you want.
+4. Generate a certificate with your hostname with the `certbot/default-quic` example. Copy `etc/nginx/conf.d/sites_default_quic.conf` to the corresponding directory on your server and edit it approprieately.
 5. Generate certificates with the example in the certbot directory.
 6. Make your actual vhost config based on the `sites_.*` samples in `/etc/nginx/conf.d`.
diff --git a/certbot/default-quic b/certbot/default-quic
new file mode 100644
index 0000000..80b566a
--- /dev/null
+++ b/certbot/default-quic
@@ -0,0 +1,7 @@
+certbot certonly --webroot --webroot-path /srv/nginx --no-eff-email \
 --key-type ecdsa --must-staple \
 --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
 --cert-name hostname.of.your.server \
 -d hostname.of.your.server
+
+restorecon -Rv /var/cache/certbot-ocsp-fetcher
\ No newline at end of file
diff --git a/certbot/miniflux b/certbot/miniflux
new file mode 100644
index 0000000..ec9cc1e
--- /dev/null
+++ b/certbot/miniflux
@@ -0,0 +1,7 @@
+certbot certonly --webroot --webroot-path /srv/nginx --no-eff-email \
 --key-type ecdsa --must-staple \
 --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
 --cert-name miniflux.yourdomain.tld \
 -d miniflux.yourdomain.tld
+
+restorecon -Rv /var/cache/certbot-ocsp-fetcher
\ No newline at end of file
diff --git a/certbot/uptime-kuma b/certbot/uptime-kuma
index 4e60237..055fa79 100644
--- a/certbot/uptime-kuma
+++ b/certbot/uptime-kuma
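Review bot: The `--deploy-hook` is the only place `certbot-ocsp-fetcher` is invoked, so the staple in `/var/cache/certbot-ocsp-fetcher` is refreshed only when the certificate is renewed, while OCSP responses are normally valid for days rather than months; together with `--must-staple`, a stale staple causes clients that enforce Must-Staple to hard-fail the connection. Unless a systemd timer elsewhere in the repo already runs the fetcher on its own schedule, the example should say so, e.g. `# refresh the staple independently of renewals (systemd timer/cron): with --must-staple a stale response is fatal`. Worth a caveat too that certbot's default CA, Let's Encrypt, has announced the wind-down of its OCSP service and stopped honouring Must-Staple requests for new accounts, so `--must-staple` and `ssl_stapling_file` may need to be dropped depending on when and against which CA this is run.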
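Review bot: This script is identical to `certbot/default-quic` except for the two hostname arguments, and the `certbot/uptime-kuma` hunk in this same commit shows the cost of the duplication: `restorecon` had to be retrofitted there separately. A single script taking the hostname as a positional parameter (`host="$1"` followed by `--cert-name "$host" -d "$host"`) would keep the flag set in one place so `--key-type`, `--must-staple` and the deploy hook cannot drift between services. If the per-service files are kept as documentation, a one-line comment at the top naming the service and the vhost file it pairs with would make that intent explicit.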
@@ -3,3 +3,5 @@ certbot certonly --webroot --webroot-path /srv/nginx --no-eff-email \
 --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
 --cert-name uptime.yourdomain.tld \
 -d uptime.yourdomain.tld
+
+restorecon -Rv /var/cache/certbot-ocsp-fetcher
\ No newline at end of file
diff --git a/etc/nginx/conf.d/sites_default_quic.conf b/etc/nginx/conf.d/sites_default_quic.conf
new file mode 100644
index 0000000..9d2a0f6
--- /dev/null
+++ b/etc/nginx/conf.d/sites_default_quic.conf
@@ -0,0 +1,17 @@
+server {
+ listen ipv4_1:443 quic reuseport;
+ listen ipv4_1:443 ssl;
+ listen [ipv6_1]:443 quic reuseport;
+ listen [ipv6_1]:443 ssl;
+
+ server_name hostname.of.your.server;
+
+ include snippets/universal_paths.conf;
+ include snippets/hsts.conf;
+ include snippets/quic.conf;
+
+ ssl_certificate /etc/letsencrypt/live/hostname.of.your.server/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/hostname.of.your.server/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/hostname.of.your.server/chain.pem;
+ ssl_stapling_file /var/cache/certbot-ocsp-fetcher/hostname.of.your.server.der;
+}
\ No newline at end of file
diff --git a/etc/nginx/conf.d/sites_uptime-kuma.conf b/etc/nginx/conf.d/sites_uptime-kuma.conf
index a708e21..2e03760 100644
--- a/etc/nginx/conf.d/sites_uptime-kuma.conf
+++ b/etc/nginx/conf.d/sites_uptime-kuma.conf
@@ -1,9 +1,9 @@
 # This file assumes you have an uptime kuma instance running on the server
 server {
- listen ipv4_1:443 quic reuseport;
+ listen ipv4_1:443 quic;
 listen ipv4_1:443 ssl;
- listen [ipv6_1]:443 quic reuseport;
+ listen [ipv6_1]:443 quic;
 listen [ipv6_1]:443 ssl;
 server_name uptime.yourdomain.tld;
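Review bot: The added `restorecon -Rv /var/cache/certbot-ocsp-fetcher` only applies whatever file-context rule the loaded SELinux policy already has for that path; if `setup.sh` (not in this diff) does not register a `semanage fcontext` rule for it, the directory is relabelled to the `/var/cache` default and nginx may still be denied reading the `.der` staple that the deploy hook writes there. A comment above the line stating that dependency would save the next reader a trip to the audit log, e.g. `# relabel so nginx can read the staple written by the deploy hook; relies on the fcontext rule added by setup.sh`. Running it once is enough only because files the fetcher creates later inherit the directory's label, which is also worth saying.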
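Review bot: The default vhost is the default only by include order: its `listen` directives carry `reuseport` but not `default_server`, so connections with an unknown SNI or Host reach this block only because `sites_default_quic.conf` presumably sorts first among the `sites_*.conf` files in `conf.d`. Adding `default_server` to the four `listen` lines (`listen ipv4_1:443 ssl default_server;`, and likewise for the QUIC and IPv6 variants) makes the fallback explicit and survives a file being renamed. The block also listens on 443 only, while the README step that now references it asks the user to run the webroot-based `certbot/default-quic` before this vhost exists; the HTTP-01 challenge is fetched over port 80, so `snippets/universal_paths.conf` or `nginx.conf` must already serve `/srv/nginx/.well-known/acme-challenge/` on :80, and a one-line comment here pointing at where that happens would help.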