authorCullum Smith <cullum@sacredheartsc.com>2024-10-22 22:01:49 -0400
committerCullum Smith <cullum@sacredheartsc.com>2024-10-22 22:01:49 -0400
commitf9301e0fe52313581920026a186955c78fcbe831 (patch)
tree9a9d8ea8df1bbf2e5d1253d2398ad469acd96b12 /files/usr/local/etc/nginx/vhosts.conf.nfs_server
parent39358af4e65a0bcd193797ac5003b0adc9b4225b (diff)
zfs autosnapshots, syncthing, pam cleanup
Diffstat (limited to 'files/usr/local/etc/nginx/vhosts.conf.nfs_server')
-rw-r--r--files/usr/local/etc/nginx/vhosts.conf.nfs_server38
1 files changed, 38 insertions, 0 deletions
diff --git a/files/usr/local/etc/nginx/vhosts.conf.nfs_server b/files/usr/local/etc/nginx/vhosts.conf.nfs_server
new file mode 100644
index 0000000..e6fa55b
--- /dev/null
+++ b/files/usr/local/etc/nginx/vhosts.conf.nfs_server
@@ -0,0 +1,38 @@
+$(for user in ${syncthing_users:-}; do cat <<EOF
+upstream syncthing_${user} {
+ server unix:///var/run/syncthing/${user}/syncthing.sock;
+}
+
+EOF
+done)
+
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ http2 on;
+
+ ssl_certificate ${syncthing_https_cert};
+ ssl_certificate_key ${syncthing_https_key};
+
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ auth_gss_keytab ${nginx_keytab};
+ auth_gss_allow_basic_fallback off;
+
+$(for user in ${syncthing_users:-}; do cat <<EOF
+ location /${user}/ {
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ proxy_pass http://syncthing_${user}/;
+ auth_gss on;
+ auth_gss_authorized_principal ${user};
+ }
+EOF
+done)
+}
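Review bot: Kerberos authentication is switched on only inside the generated `location /${user}/` blocks, so in this `default_server` any URI that matches none of them (and every URI when `syncthing_users` is empty) is answered by nginx's default handling without authentication. A catch-all such as `location / { return 404; }` ahead of the second loop, or `auth_gss on;` at server level, would make the vhost deny by default. Separately, `auth_gss_authorized_principal ${user};` names the principal without a realm; whether a same-named principal from another trusted realm could match depends on module realm settings that this file does not set, so that is worth confirming. The per-user sockets under `/var/run/syncthing/${user}/` are reachable by local processes without passing this check, so their file permissions (set outside this hunk) carry the same authorization weight.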