From b2689a62b11cf9a4423ac51af582a12a17a781a0 Mon Sep 17 00:00:00 2001
From: Christian Heller <c.heller@plomlompom.de>
Date: Sun, 27 Aug 2023 04:00:25 +0200
Subject: [PATCH] Start bookworm web server setup.

---
 bookworm/apt-mark/web                       |  4 +++
 bookworm/etc_files/web/etc/nftables.conf    | 22 ++++++++++++
 bookworm/etc_files/web/etc/nginx/nginx.conf | 38 +++++++++++++++++++++
 bookworm/setup_scripts/setup_web.sh         | 21 ++++++++++++
 4 files changed, 85 insertions(+)
 create mode 100644 bookworm/apt-mark/web
 create mode 100755 bookworm/etc_files/web/etc/nftables.conf
 create mode 100644 bookworm/etc_files/web/etc/nginx/nginx.conf
 create mode 100755 bookworm/setup_scripts/setup_web.sh

diff --git a/bookworm/apt-mark/web b/bookworm/apt-mark/web
new file mode 100644
index 0000000..4912b8a
--- /dev/null
+++ b/bookworm/apt-mark/web
@@ -0,0 +1,4 @@
+nginx-light
+# for SSL
+certbot
+python3-certbot-nginx
diff --git a/bookworm/etc_files/web/etc/nftables.conf b/bookworm/etc_files/web/etc/nftables.conf
new file mode 100755
index 0000000..ec6732a
--- /dev/null
+++ b/bookworm/etc_files/web/etc/nftables.conf
@@ -0,0 +1,22 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+	chain input {
+		type filter hook input priority 0; policy drop;
+		iif lo accept comment "accept localhost traffic"
+		ct state invalid drop comment "drop invalid connections"
+		ct state established, related accept comment "accept traffic originated from us"
+		tcp dport 22 accept comment "accept SSH on default port"
+		tcp dport 80 accept comment "accept HTTP on default port"
+		tcp dport 443 accept comment "accept HTTPS on default port"
+		ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging"
+	}
+	chain forward {
+		type filter hook forward priority 0; policy drop;
+	}
+	chain output {
+		type filter hook output priority 0; policy accept;
+	}
+}
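Review bot: The only ICMP rule in the input chain, `ip protocol icmp icmp type echo-request accept`, matches IPv4 ICMP only, so under this `inet` table's `policy drop` every ICMPv6 packet is dropped — including neighbour solicitation/advertisement, router advertisements and Packet Too Big — which breaks IPv6 connectivity and path MTU discovery on any host that has an IPv6 address. Add an ICMPv6 rule next to it, e.g. `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request, packet-too-big, time-exceeded, parameter-problem } accept comment "ICMPv6 required for IPv6 to work"`. The accept for `tcp dport 22` has no connection rate limit; a `ct state new limit rate 10/minute` guard in front of it is optional hardening against SSH brute-forcing that this ruleset otherwise leaves to sshd alone.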
diff --git a/bookworm/etc_files/web/etc/nginx/nginx.conf b/bookworm/etc_files/web/etc/nginx/nginx.conf
new file mode 100644
index 0000000..8320425
--- /dev/null
+++ b/bookworm/etc_files/web/etc/nginx/nginx.conf
@@ -0,0 +1,38 @@
+# system integration
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+# is expected even if empty
+events {
+}
+
+http {
+    # define content-type headers
+    include /etc/nginx/mime.types;
+    charset utf-8;
+
+    # Some standard optimizations, i.e. Debian default. Explained in
+    # <https://thoughts.t37.net/nginx-optimization-understanding-sendfile-tcp-nodelay-and-tcp-nopush-c55cdd276765>
+    # Not that I understand it all …
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+
+    # logging deactivated due to GDPR
+    #access_log /var/log/nginx/access.log;
+    #error_log /var/log/nginx/error.log;
+    access_log off;
+    error_log off;
+
+    # virtual hosts: sites-enabled is the Debian way, conf.d the NGINX default
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+
+    # Redirect all HTTP requests to HTTPS.
+    server {
+        listen 80;
+        return 301 https://$host$request_uri;
+    }
+}
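Review bot: `error_log off;` inside the http block does not switch error logging off the way `access_log off;` on the line above does: nginx takes `off` as a relative file name and writes the error log to a file literally named `off` under its prefix directory, so the log is not gone, only misplaced. If no error log is really wanted the documented form is `error_log /dev/null crit;`, but consider keeping `error_log /var/log/nginx/error.log warn;` — TLS handshake failures, config problems and probe attempts surface only there, and silencing it leaves nothing to work from during an incident (the GDPR concern about client IPs in log lines applies mostly to the access log). Separately, the redirect server block has only `listen 80;`, so plain-HTTP requests over IPv6 are never answered and never redirected; add `listen [::]:80;` beside it, and `server_tokens off;` in the http block would stop advertising the nginx version in headers and error pages.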
diff --git a/bookworm/setup_scripts/setup_web.sh b/bookworm/setup_scripts/setup_web.sh
new file mode 100755
index 0000000..ea4e305
--- /dev/null
+++ b/bookworm/setup_scripts/setup_web.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+set -e
+
+expect_n_args 1 "(domain name)" "$@"
+domain="$1"
+
+# Install configs, set up firewall.
+./install_for_target.sh web
+./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" web
+nft -f /etc/nftables.conf
+
+# Set up letsencrypt certificate. TODO: Is it auto-renewed?
+ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
+certbot --nginx --agree-tos --redirect --no-eff-email -m "${mail}" -d "${domain}"
+rm /etc/nginx/sites-enabled/default
+
+# Prepare NGINX.
+sed -i "s/REPLACE_fqdn_ECALPER/${domain}/g" /etc/nginx/sites-available/dumpsite.nginx
+ln -s /etc/nginx/sites-available/dumpsite.nginx /etc/nginx/sites-enabled/dumpsite.nginx
+
+service nginx restart
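Review bot: `nft -f /etc/nftables.conf` loads the ruleset into the running kernel, but nothing in this script enables `nftables.service`, so unless install_for_target.sh (not visible in this patch) does that, the host comes back from a reboot with no input filter at all; add `systemctl enable nftables` after the copy_dirtree step, or replace the `nft -f` call with `systemctl enable --now nftables`. The script also relies on `${mail}` and `${config_tree_prefix}` coming from the environment without checking them — with `set -e` but no `-u`, an unset `${mail}` silently turns into `-m ""` for certbot; `set -eu` at the top would catch that at the first use. The `ln -s` for dumpsite.nginx is not idempotent (a second run fails there, where the earlier `ln -sf` does not), and for the TODO: Debian's certbot package ships a `certbot.timer` that runs `certbot renew` periodically, so renewal is automatic once the first issuance succeeds — confirm on the host with `systemctl list-timers certbot.timer`.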
-- 
2.30.2