From a1bddcb1de1053994fb445267ca5d1ffaecb0fb5 Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Thu, 3 Oct 2024 22:38:06 -0400
Subject: more postfix/rspamd stuff

---
 files/usr/local/etc/nginx/acme.conf.common        |  4 --
 files/usr/local/etc/nginx/nginx.conf-acme         | 55 -----------------------
 files/usr/local/etc/nginx/nginx.conf.common       | 26 ++++++++++-
 files/usr/local/etc/nginx/nginx.conf.smtp_server  |  1 -
 files/usr/local/etc/nginx/vhosts.conf.smtp_server | 13 ++++--
 5 files changed, 34 insertions(+), 65 deletions(-)
 delete mode 100644 files/usr/local/etc/nginx/acme.conf.common
 delete mode 100644 files/usr/local/etc/nginx/nginx.conf-acme
 delete mode 120000 files/usr/local/etc/nginx/nginx.conf.smtp_server

(limited to 'files/usr/local/etc/nginx')

diff --git a/files/usr/local/etc/nginx/acme.conf.common b/files/usr/local/etc/nginx/acme.conf.common
deleted file mode 100644
index 583ca98..0000000
--- a/files/usr/local/etc/nginx/acme.conf.common
+++ /dev/null
@@ -1,4 +0,0 @@
-location /.well-known/acme-challenge/ {
-  root ${acme_webroot};
-  default_type text/plain;
-}
diff --git a/files/usr/local/etc/nginx/nginx.conf-acme b/files/usr/local/etc/nginx/nginx.conf-acme
deleted file mode 100644
index d77c0de..0000000
--- a/files/usr/local/etc/nginx/nginx.conf-acme
+++ /dev/null
@@ -1,55 +0,0 @@
-worker_processes      ${nginx_worker_processes};
-worker_rlimit_nofile  ${nginx_nofile};
-
-events {
-  worker_connections  ${nginx_worker_connections};
-}
-
-http {
-  include       mime.types;
-  default_type  application/octet-stream;
-  index         index.html;
-
-  aio                   threads;
-  aio_write             on;
-  sendfile              on;
-  directio              4m;
-  tcp_nopush            on;
-  tcp_nodelay           on;
-  keepalive_timeout     65;
-  types_hash_max_size   2048;
-  server_tokens         off;
-  client_max_body_size  5m;
-  charset               utf-8;
-  gzip                  on;
-  gzip_http_version     1.0;
-  gzip_types            text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json image/svg+xml;
-
-  proxy_buffers            64 32k;
-  proxy_busy_buffers_size  64k;
-  fastcgi_buffers          64 32k;
-
-  ssl_session_timeout        1d;
-  ssl_session_cache          shared:SSL:10m;
-  ssl_session_tickets        off;
-  ssl_protocols              TLSv1.3;
-  ssl_prefer_server_ciphers  off;
-
-  map \$http_upgrade \$connection_upgrade {
-    default upgrade;
-    '' keep-alive;
-  }
-
-  server {
-    listen       0.0.0.0:80 default_server;
-    listen       [::]:80 default_server;
-
-    include acme.conf;
-
-    location / {
-      return 301 https://\$host\$request_uri;
-    }
-  }
-
-  include vhost*.conf;
-}
diff --git a/files/usr/local/etc/nginx/nginx.conf.common b/files/usr/local/etc/nginx/nginx.conf.common
index b0a9a06..9ab993c 100644
--- a/files/usr/local/etc/nginx/nginx.conf.common
+++ b/files/usr/local/etc/nginx/nginx.conf.common
@@ -1,5 +1,6 @@
 worker_processes      ${nginx_worker_processes};
 worker_rlimit_nofile  ${nginx_nofile};
+$([ "${nginx_gssapi:-}" = true ] && echo 'load_module "/usr/local/libexec/nginx/ngx_http_auth_spnego_module.so";')
 
 events {
   worker_connections  ${nginx_worker_connections};
@@ -40,5 +41,28 @@ http {
     '' keep-alive;
   }
 
-	include vhosts.conf;
+$([ "${nginx_gssapi:-}" = true ] && cat <<EOF
+  auth_gss_realm ${realm};
+  auth_gss_force_realm on;
+EOF
+)
+
+$([ "${nginx_acme:-}" = true ] && cat <<EOF
+  server {
+    listen       0.0.0.0:80 default_server;
+    listen       [::]:80 default_server;
+
+    location /.well-known/acme-challenge/ {
+      root ${acme_webroot};
+      default_type text/plain;
+    }
+
+    location / {
+      return 301 https://\$host\$request_uri;
+    }
+  }
+EOF
+)
+
+  include vhosts.conf;
 }
diff --git a/files/usr/local/etc/nginx/nginx.conf.smtp_server b/files/usr/local/etc/nginx/nginx.conf.smtp_server
deleted file mode 120000
index 53de10f..0000000
--- a/files/usr/local/etc/nginx/nginx.conf.smtp_server
+++ /dev/null
@@ -1 +0,0 @@
-nginx.conf-acme
\ No newline at end of file
diff --git a/files/usr/local/etc/nginx/vhosts.conf.smtp_server b/files/usr/local/etc/nginx/vhosts.conf.smtp_server
index 71d6db8..4b84ede 100644
--- a/files/usr/local/etc/nginx/vhosts.conf.smtp_server
+++ b/files/usr/local/etc/nginx/vhosts.conf.smtp_server
@@ -9,14 +9,19 @@ server {
 
   add_header Strict-Transport-Security "max-age=63072000" always;
 
+$(if [ -n "$rspamd_admin_users" ]; then
+echo   '  auth_gss on;'
+echo   "  auth_gss_keytab ${nginx_keytab};"
+printf '  auth_gss_authorized_principal %s;\n' $rspamd_admin_users
+fi)
+
   location / {
     proxy_http_version 1.1;
-
     proxy_set_header Host \$host;
-    proxy_set_header X-Real-IP \$remote_addr;
-    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto \$scheme;
-
+$(if [ -z "$rspamd_admin_users" ]; then
+echo '    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;'
+fi)
     proxy_pass http://127.0.0.1:${rspamd_port}/;
   }
 }
-- 
cgit v1.2.3