security/hakurei.app
security/hakurei.app
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

staging

Browse Source
This commit is contained in:
Daniel Micay 2023-07-26 12:12:29 -04:00
parent dd97da343a
commit 1c70723a13
5 changed files with 19 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
deploy-static
View File

@ -12,23 +12,20 @@ fi
./process-static $fd ./process-static $fd
servers=({0..3}.grapheneos.org) servers=(staging.grapheneos.org)
rsync -pcv --chmod=F755 --fsync --preallocate certbot-replicate root@${servers[0]}:/usr/local/bin/ # use last modified timestamps from staging.grapheneos.org
rsync -pcv --chmod=F644 --fsync --preallocate replicate.conf root@${servers[0]}:/etc/systemd/system/certbot-renew.service.d/ rsync -rptcv --chmod=D755,F644 --delete --fsync --preallocate root@${servers[0]}:/srv/grapheneos.org/ static-staging
rsync -pcv --chmod=D755,F644 --fsync --preallocate static-staging/sitemap.xml{,.gz,.br} static-tmp/
# use last modified timestamps from 0.grapheneos.org rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-tmp/ static-staging
rsync -rptcv --chmod=D755,F644 --delete --fsync --preallocate root@${servers[0]}:/srv/grapheneos.org/ static-production for f in static-staging/**.*(br|gz); do
rsync -pcv --chmod=D755,F644 --fsync --preallocate static-production/sitemap.xml{,.gz,.br} static-tmp/
rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-tmp/ static-production
for f in static-production/**.*(br|gz); do
touch -r "${f%.*}" "$f" touch -r "${f%.*}" "$f"
done done
changed="$(./generate-sitemap)" changed="$(./generate-sitemap)"
xmllint --noblanks static-tmp/sitemap.xml --output static-tmp/sitemap.xml xmllint --noblanks static-tmp/sitemap.xml --output static-tmp/sitemap.xml
brotli -f static-tmp/sitemap.xml brotli -f static-tmp/sitemap.xml
zopfli static-tmp/sitemap.xml zopfli static-tmp/sitemap.xml
rsync -pcv --chmod=D755,F644 --fsync --preallocate static-tmp/sitemap.xml{,.gz,.br} static-production/ rsync -pcv --chmod=D755,F644 --fsync --preallocate static-tmp/sitemap.xml{,.gz,.br} static-staging/
for server in ${servers[@]}; do for server in ${servers[@]}; do
echo $server echo $server
@ -47,7 +44,7 @@ for server in ${servers[@]}; do
echo echo
ssh $remote "rm -rf $target && cp -a $active $target" ssh $remote "rm -rf $target && cp -a $active $target"
rsync -rptcv --chmod=D755,F644 --delete --fsync --preallocate static-production/ $remote:$target rsync -rptcv --chmod=D755,F644 --delete --fsync --preallocate static-staging/ $remote:$target
ssh $remote "ln -snf $target /srv/grapheneos.org && sync /srv/grapheneos.org" ssh $remote "ln -snf $target /srv/grapheneos.org && sync /srv/grapheneos.org"
echo "root $target;" > nginx-tmp/root_grapheneos.org.conf echo "root $target;" > nginx-tmp/root_grapheneos.org.conf
@ -58,7 +55,3 @@ for server in ${servers[@]}; do
echo active is now $target echo active is now $target
echo echo
done done
if [[ -n "$changed" ]]; then
./indexnow <<< "$changed"
fi

4
generate-sitemap
View File

@ -4,7 +4,7 @@ from datetime import datetime, timezone
from os.path import getmtime from os.path import getmtime
from pathlib import Path from pathlib import Path
base = "https://grapheneos.org" base = "https://staging.grapheneos.org"
pages = [ pages = [
["/", 0.5], ["/", 0.5],
@ -42,7 +42,7 @@ entries = []
for page in pages: for page in pages:
path = page[0] path = page[0]
loc = base + path loc = base + path
filepath = "static-production" + path filepath = "static-staging" + path
if path[-1] == '/': if path[-1] == '/':
filepath += "index.html" filepath += "index.html"
elif "." not in path: elif "." not in path:

80
nginx/nginx.conf
View File

@ -55,8 +55,8 @@ http {
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha; ssl_conf_command Options PrioritizeChaCha;
ssl_certificate /etc/letsencrypt/live/grapheneos.org/fullchain.pem; ssl_certificate /etc/letsencrypt/live/staging.grapheneos.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/grapheneos.org/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/staging.grapheneos.org/privkey.pem;
# maintained by rotate-session-ticket-keys in noswap tmpfs # maintained by rotate-session-ticket-keys in noswap tmpfs
ssl_session_ticket_key /etc/session-ticket-keys/4.key; ssl_session_ticket_key /etc/session-ticket-keys/4.key;
@ -108,28 +108,14 @@ http {
server { server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name grapheneos.org www.grapheneos.org grapheneos.app www.grapheneos.app grapheneos.ca www.grapheneos.ca grapheneos.com www.grapheneos.com grapheneos.dev www.grapheneos.dev grapheneos.foundation www.grapheneos.foundation grapheneos.info www.grapheneos.info grapheneos.net www.grapheneos.net grapheneos.ovh www.grapheneos.ovh grapheneos.page www.grapheneos.page vanadium.app www.vanadium.app; server_name staging.grapheneos.org;
location /.well-known/acme-challenge/ {
return 301 http://0.grapheneos.org$request_uri;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 80;
listen [::]:80;
server_name 0.grapheneos.org;
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
root /srv/certbot; root /srv/certbot;
} }
location / { location / {
return 301 https://grapheneos.org$request_uri; return 301 https://$host$request_uri;
} }
} }
@ -149,63 +135,7 @@ http {
listen 443 ssl; listen 443 ssl;
listen [::]:443 ssl; listen [::]:443 ssl;
http2 on; http2 on;
server_name www.grapheneos.org grapheneos.app www.grapheneos.app grapheneos.ca www.grapheneos.ca grapheneos.com www.grapheneos.com grapheneos.dev www.grapheneos.dev grapheneos.foundation www.grapheneos.foundation grapheneos.info www.grapheneos.info grapheneos.net www.grapheneos.net grapheneos.ovh www.grapheneos.ovh grapheneos.page www.grapheneos.page; server_name staging.grapheneos.org;
keepalive_timeout 3m;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
# https://trac.nginx.org/nginx/ticket/2012
location / {
return 301 https://grapheneos.org$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name www.vanadium.app;
keepalive_timeout 3m;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
# https://trac.nginx.org/nginx/ticket/2012
location / {
return 301 https://vanadium.app$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name vanadium.app;
keepalive_timeout 3m;
include snippets/security-headers.conf;
add_header Cross-Origin-Resource-Policy "same-origin" always;
location = / {
include snippets/security-headers.conf;
add_header Cache-Control "public, max-age=2592000";
return 301 https://grapheneos.org/features#vanadium;
}
location / {
return 404;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name grapheneos.org;
include root_grapheneos.org.conf; include root_grapheneos.org.conf;
error_page 403 =404 /404; error_page 403 =404 /404;

3
nginx/snippets/security-headers-base.conf
View File

@ -1,3 +1,6 @@
# staging site (not a security header)
add_header X-Robots-Tag "noindex" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always; add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always; add_header Referrer-Policy "no-referrer" always;

2
static/js/web-install.js
View File

@ -236,7 +236,7 @@ async function getLatestRelease() {
throw new Error(`device model (${product}) is not supported by the GrapheneOS web installer`); throw new Error(`device model (${product}) is not supported by the GrapheneOS web installer`);
} }
let metadataResp = await fetch(`${RELEASES_URL}/${product}-stable`); let metadataResp = await fetch(`${RELEASES_URL}/${product}-alpha`);
let metadata = await metadataResp.text(); let metadata = await metadataResp.text();
let releaseId = metadata.split(" ")[0]; let releaseId = metadata.split(" ")[0];