Diffstat (limited to 'images/router')
-rw-r--r--images/router/.gitignore1
-rw-r--r--images/router/Dockerfile11
-rw-r--r--images/router/dhparams.pem13
-rw-r--r--images/router/letsencrypt/config95
-rw-r--r--images/router/letsencrypt/domains.txt1
-rw-r--r--images/router/nginx/fastcgi.conf26
-rw-r--r--images/router/nginx/http.off/matrix14
-rw-r--r--images/router/nginx/http.off/pad15
-rw-r--r--images/router/nginx/http.off/redirect10
-rw-r--r--images/router/nginx/http/git13
-rw-r--r--images/router/nginx/http/paste26
-rw-r--r--images/router/nginx/http/znc13
-rw-r--r--images/router/nginx/koi-utf109
-rw-r--r--images/router/nginx/koi-win103
-rw-r--r--images/router/nginx/mime.types89
-rw-r--r--images/router/nginx/modules/stream.conf1
-rw-r--r--images/router/nginx/nginx.conf67
-rw-r--r--images/router/nginx/snippets/fastcgi_params25
-rw-r--r--images/router/nginx/snippets/scgi_params17
-rw-r--r--images/router/nginx/snippets/ssl_ciphers4
-rw-r--r--images/router/nginx/snippets/ssl_http6
-rw-r--r--images/router/nginx/snippets/ssl_tcp4
-rw-r--r--images/router/nginx/snippets/uwsgi_params17
-rw-r--r--images/router/nginx/snippets/wellknown5
-rw-r--r--images/router/nginx/stream/znc8
-rw-r--r--images/router/nginx/win-utf126
-rw-r--r--images/router/service/letsencrypt/run19
-rw-r--r--images/router/service/nginx/run16
28 files changed, 854 insertions, 0 deletions
diff --git a/images/router/.gitignore b/images/router/.gitignore
new file mode 100644
index 0000000..5224f03
--- /dev/null
+++ b/images/router/.gitignore
@@ -0,0 +1 @@
+auth/*
diff --git a/images/router/Dockerfile b/images/router/Dockerfile
new file mode 100644
index 0000000..f7717fe
--- /dev/null
+++ b/images/router/Dockerfile
@@ -0,0 +1,11 @@
+FROM server_runit
+
+RUN apk add --no-cache nginx nginx-mod-stream bash curl git openssl
+RUN git clone --single-branch --depth=1 \
+ https://github.com/lukas2511/dehydrated /app/dehydrated
+
+ADD letsencrypt /app/letsencrypt/
+RUN rm -rf /etc/nginx/conf.d
+ADD nginx /etc/nginx/
+ADD auth /app/auth
+ADD dhparams.pem /app/
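Review bot: The `git clone --single-branch --depth=1` of dehydrated pulls whatever the upstream default branch holds at build time, so the ACME client that handles the account key and every certificate private key is neither pinned nor verified. Pin it to a release with `--branch <tag>` (and ideally check the resulting commit hash) so rebuilds are reproducible and a broken or malicious upstream push cannot land in the image silently. `ADD auth /app/auth` bakes the htpasswd files into an image layer; `auth/` is gitignored, so the build already depends on local state, and the credentials then travel with every copy of the image — mounting `/app/auth` at run time keeps them out of layer history. Prefer `COPY` over `ADD` for the local paths, since `ADD` also auto-extracts archives and fetches URLs.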
diff --git a/images/router/dhparams.pem b/images/router/dhparams.pem
new file mode 100644
index 0000000..3530d79
--- /dev/null
+++ b/images/router/dhparams.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEAj8BEpaKdrasUzeqS1KaWlOBJTaLTHHpVzkjUdPgsgKyf3sI18b5X
+r6QF4KOu0oU4V23j3Zbc6qHdIAa+HnYvw/A+ShFTC6CkFlmHE5MDgbyABmtXXqCy
+HiiGUalmReOZUhWNXI2+VqZHRjFH58ivoMJvkoyAesNjUGM1qq8oVyhUsmWYmU1A
+dwC4hGYpRnf6bOHeI0l5/b2q8jSix2UxYWrqQlg0Yi/RovVlk3SEpKclOQ4zrrxi
+BUrOpZ3Oedl4tKeIA50dAnkjh05EnYMhG0SPXY9mPyxAQl0xAByh/15aAT+XZ+Zn
+gYqh+frTciPPk5LoRZ3Ym7yRbbY8A3Y9iYe1kySEUiN5KKt0wa1RIH3rp6VYlU0J
+nYbzNLuVe9HYb9v4hoWcy4p5qPAXzO9cJHJmo3Y7JpcUY/dQBSiarT12LoPlLCHP
+72uwxWA9FQZRpI2MPYOyG1SifojX2GIY03mGL3LTnbjdmAbCDx6FpcddCZPbmOXj
+y+NhzLGZCzKGprleoY8rI9wMBbyGjE43ikOr8JkUPXc7IhOE5KmYnI8YHgkAHKhn
+c9R2k2tAGYoxCfdhh6RdaRgcT/JqtyljEYVJWzYvfKfGHaGE7u+u4AudBCbjKgXs
+Ns2e3CRprxvvK8DhcRwVYNJax6ecJqn+5EESrSJ/8EhjEm056rS3PqMCAQI=
+-----END DH PARAMETERS-----
diff --git a/images/router/letsencrypt/config b/images/router/letsencrypt/config
new file mode 100644
index 0000000..e641f19
--- /dev/null
+++ b/images/router/letsencrypt/config
@@ -0,0 +1,95 @@
+########################################################
+# This is the main config file for dehydrated #
+# #
+# This file is looked for in the following locations: #
+# $SCRIPTDIR/config (next to this script) #
+# /usr/local/etc/dehydrated/config #
+# /etc/dehydrated/config #
+# ${PWD}/config (in current working-directory) #
+# #
+# Default values of this config are in comments #
+########################################################
+
+# Resolve names to addresses of IP version only. (curl)
+# supported values: 4, 6
+# default: <unset>
+#IP_VERSION=
+
+# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
+CA="https://acme-v01.api.letsencrypt.org/directory"
+
+# Path to certificate authority license terms redirect (default: https://acme-v01.api.letsencrypt.org/terms)
+CA_TERMS="https://acme-v01.api.letsencrypt.org/terms"
+
+#CA="https://acme-staging.api.letsencrypt.org/directory"
+#CA_TERMS="https://acme-staging.api.letsencrypt.org/terms"
+
+# Path to license agreement (default: <unset>)
+#LICENSE=""
+
+# Which challenge should be used? Currently http-01 and dns-01 are supported
+CHALLENGETYPE="http-01"
+
+# Path to a directory containing additional config files, allowing to override
+# the defaults found in the main configuration file. Additional config files
+# in this directory needs to be named with a '.sh' ending.
+# default: <unset>
+#CONFIG_D=
+
+# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
+#BASEDIR=$SCRIPTDIR
+
+# File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt)
+DOMAINS_TXT="/app/letsencrypt/domains.txt"
+
+# Output directory for generated certificates
+CERTDIR="/data/certs"
+
+# Directory for account keys and registration information
+ACCOUNTDIR="/data/accounts"
+
+# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
+WELLKNOWN="/data/wellknown/acme-challenge"
+
+# Default keysize for private keys (default: 4096)
+KEYSIZE="4096"
+
+# Path to openssl config file (default: <unset> - tries to figure out system default)
+#OPENSSL_CNF=
+
+# Program or function called in certain situations
+#
+# After generating the challenge-response, or after failed challenge (in this case altname is empty)
+# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
+#
+# After successfully signing certificate
+# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
+#
+# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
+# default: <unset>
+#HOOK=
+
+# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
+#HOOK_CHAIN="no"
+
+# Minimum days before expiration to automatically renew certificate (default: 30)
+#RENEW_DAYS="30"
+
+# Regenerate private keys instead of just signing new certificates on renewal (default: yes)
+#PRIVATE_KEY_RENEW="yes"
+
+# Create an extra private key for rollover (default: no)
+#PRIVATE_KEY_ROLLOVER="no"
+
+# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
+#KEY_ALGO=rsa
+
+# E-mail to use during the registration (default: <unset>)
+CONTACT_EMAIL=till@hoeppner.ws
+
+# Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
+LOCKFILE="/app/letsencrypt/lock"
+
+# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
+#OCSP_MUST_STAPLE="no"
+
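Review bot: `CA` and `CA_TERMS` point at the ACMEv1 endpoints (`acme-v01.api.letsencrypt.org`), which Let's Encrypt has since retired, so registration and issuance against them fail; they may well have been current when this was written. Switch to `CA="https://acme-v02.api.letsencrypt.org/directory"` (newer dehydrated reads the terms URL from the directory, so `CA_TERMS` can be dropped) and apply the same change to the commented staging URLs. Because the Dockerfile clones dehydrated unpinned, the client version and this config can drift apart; pinning the client alongside the config keeps the two in step.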
diff --git a/images/router/letsencrypt/domains.txt b/images/router/letsencrypt/domains.txt
new file mode 100644
index 0000000..d062476
--- /dev/null
+++ b/images/router/letsencrypt/domains.txt
@@ -0,0 +1 @@
+tx0.co m.tx0.co matrix.tx0.co g.tx0.co git.tx0.co z.tx0.co znc.tx0.co p.tx0.co paste.tx0.co
diff --git a/images/router/nginx/fastcgi.conf b/images/router/nginx/fastcgi.conf
new file mode 100644
index 0000000..091738c
--- /dev/null
+++ b/images/router/nginx/fastcgi.conf
@@ -0,0 +1,26 @@
+
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/images/router/nginx/http.off/matrix b/images/router/nginx/http.off/matrix
new file mode 100644
index 0000000..cedd917
--- /dev/null
+++ b/images/router/nginx/http.off/matrix
@@ -0,0 +1,14 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name m.tx0.co;
+
+ include snippets/ssl;
+ include snippets/wellknown;
+
+ location /_matrix {
+ proxy_pass http://matrix:8008;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+}
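Review bot: `include snippets/ssl` refers to a snippet this commit does not ship — only `snippets/ssl_http` and `snippets/ssl_tcp` exist — so moving this file out of `http.off/` would make `nginx -t` fail on the missing include. Change it to `include snippets/ssl_http;` to match the live vhosts. If this is meant to front Synapse, the `/_matrix` location will also need a `client_max_body_size` above nginx's 1m default for media uploads, and `X-Forwarded-For` is normally set from `$proxy_add_x_forwarded_for` so an upstream proxy chain is preserved; both are inferred from the path, not from anything visible in the hunk.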
diff --git a/images/router/nginx/http.off/pad b/images/router/nginx/http.off/pad
new file mode 100644
index 0000000..4aa0e2e
--- /dev/null
+++ b/images/router/nginx/http.off/pad
@@ -0,0 +1,15 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name pad.tx0.co;
+
+ include snippets/ssl;
+ include snippets/wellknown;
+
+ location / {
+ auth_basic "pad";
+ auth_basic_user_file pad/passwd;
+ proxy_pass http://etherpad;
+ }
+}
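Review bot: `auth_basic_user_file pad/passwd` is a relative path, which nginx resolves against its prefix (`/etc/nginx/pad/passwd`); nothing in this commit ships that file, and the live `paste` vhost keeps its credentials under `/app/auth/`. Use `auth_basic_user_file /app/auth/pad;` for consistency, and `include snippets/ssl_http;` in place of the nonexistent `snippets/ssl`, so the file can be re-enabled without breaking the config.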
diff --git a/images/router/nginx/http.off/redirect b/images/router/nginx/http.off/redirect
new file mode 100644
index 0000000..8548646
--- /dev/null
+++ b/images/router/nginx/http.off/redirect
@@ -0,0 +1,10 @@
+server {
+ listen 80 default_server deferred;
+ listen [::]:80 default_server deferred;
+
+ server_name _;
+
+ include snippets/wellknown;
+
+ return 301 https://$server_name$request_uri;
+}
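Review bot: `return 301 https://$server_name$request_uri;` with `server_name _` sends clients to `https://_/...`, because `$server_name` is the configured name rather than the requested host; the live redirect in nginx.conf correctly uses `$host`. A server-level `return` also executes in the rewrite phase before location matching, so the `snippets/wellknown` include above it is never reached and an http-01 challenge on port 80 is redirected instead of served. If this file is ever re-enabled, change the line to `return 301 https://$host$request_uri;` and either drop the include or move the redirect into a `location / {}` so `.well-known` takes precedence.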
diff --git a/images/router/nginx/http/git b/images/router/nginx/http/git
new file mode 100644
index 0000000..0b14c54
--- /dev/null
+++ b/images/router/nginx/http/git
@@ -0,0 +1,13 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name g.tx0.co git.tx0.co;
+
+ include snippets/ssl_http;
+ include snippets/wellknown;
+
+ location / {
+ proxy_pass http://git;
+ }
+}
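Review bot: `proxy_pass http://git;` is used with no `client_max_body_size`, so nginx's 1m default applies and any `git push` over HTTPS whose pack exceeds it is rejected with 413 before reaching the backend. The location also passes no `Host` or `X-Forwarded-Proto`, so a web frontend behind it would build links and redirects for the upstream name over plain http. Adding `client_max_body_size 100m;`, `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-Proto https;` covers both; the size cap is a guess at what pushes need.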
diff --git a/images/router/nginx/http/paste b/images/router/nginx/http/paste
new file mode 100644
index 0000000..4e0c75b
--- /dev/null
+++ b/images/router/nginx/http/paste
@@ -0,0 +1,26 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name tx0.co p.tx0.co paste.tx0.co;
+
+ include snippets/ssl_http;
+ include snippets/wellknown;
+
+ location / {
+ limit_except GET HEAD {
+ auth_basic 'Restricted';
+ auth_basic_user_file /app/auth/paste;
+ }
+
+ include snippets/uwsgi_params;
+
+ uwsgi_pass paste:10002;
+
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Fowarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ }
+}
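Review bot: The `proxy_redirect` and four `proxy_set_header` directives at the end of the location have no effect, because the request is handed off with `uwsgi_pass`, which does not consult the proxy module's settings; the backend sees only what `snippets/uwsgi_params` passes plus the forwarded request headers. `X-Fowarded-For` is also misspelled, which would matter if the block were ever switched to `proxy_pass`. Either drop the dead lines or, if the app needs them, express them as `uwsgi_param HTTP_X_REAL_IP $remote_addr;` and `uwsgi_param HTTP_X_FORWARDED_FOR $proxy_add_x_forwarded_for;`.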
diff --git a/images/router/nginx/http/znc b/images/router/nginx/http/znc
new file mode 100644
index 0000000..6028ca9
--- /dev/null
+++ b/images/router/nginx/http/znc
@@ -0,0 +1,13 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name z.tx0.co znc.tx0.co;
+
+ include snippets/ssl_http;
+ include snippets/wellknown;
+
+ location / {
+ proxy_pass http://znc;
+ }
+}
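Review bot: `proxy_pass http://znc;` sets no headers, so ZNC's web interface sees nginx's address as the client for every request, and any per-IP logging or connection handling on the ZNC side applies to the proxy rather than the user. ZNC can honour forwarded addresses from a configured trusted proxy, so adding `proxy_set_header Host $host;` and `proxy_set_header X-Forwarded-For $remote_addr;` here and listing the router in ZNC's trusted-proxy setting restores the real client address; the ZNC side is outside this hunk and should be confirmed against its documentation.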
diff --git a/images/router/nginx/koi-utf b/images/router/nginx/koi-utf
new file mode 100644
index 0000000..e7974ff
--- /dev/null
+++ b/images/router/nginx/koi-utf
@@ -0,0 +1,109 @@
+
+# This map is not a full koi8-r <> utf8 map: it does not contain
+# box-drawing and some other characters. Besides this map contains
+# several koi8-u and Byelorussian letters which are not in koi8-r.
+# If you need a full and standard map, use contrib/unicode2nginx/koi-utf
+# map instead.
+
+charset_map koi8-r utf-8 {
+
+ 80 E282AC ; # euro
+
+ 95 E280A2 ; # bullet
+
+ 9A C2A0 ; # &nbsp;
+
+ 9E C2B7 ; # &middot;
+
+ A3 D191 ; # small yo
+ A4 D194 ; # small Ukrainian ye
+
+ A6 D196 ; # small Ukrainian i
+ A7 D197 ; # small Ukrainian yi
+
+ AD D291 ; # small Ukrainian soft g
+ AE D19E ; # small Byelorussian short u
+
+ B0 C2B0 ; # &deg;
+
+ B3 D081 ; # capital YO
+ B4 D084 ; # capital Ukrainian YE
+
+ B6 D086 ; # capital Ukrainian I
+ B7 D087 ; # capital Ukrainian YI
+
+ B9 E28496 ; # numero sign
+
+ BD D290 ; # capital Ukrainian soft G
+ BE D18E ; # capital Byelorussian short U
+
+ BF C2A9 ; # (C)
+
+ C0 D18E ; # small yu
+ C1 D0B0 ; # small a
+ C2 D0B1 ; # small b
+ C3 D186 ; # small ts
+ C4 D0B4 ; # small d
+ C5 D0B5 ; # small ye
+ C6 D184 ; # small f
+ C7 D0B3 ; # small g
+ C8 D185 ; # small kh
+ C9 D0B8 ; # small i
+ CA D0B9 ; # small j
+ CB D0BA ; # small k
+ CC D0BB ; # small l
+ CD D0BC ; # small m
+ CE D0BD ; # small n
+ CF D0BE ; # small o
+
+ D0 D0BF ; # small p
+ D1 D18F ; # small ya
+ D2 D180 ; # small r
+ D3 D181 ; # small s
+ D4 D182 ; # small t
+ D5 D183 ; # small u
+ D6 D0B6 ; # small zh
+ D7 D0B2 ; # small v
+ D8 D18C ; # small soft sign
+ D9 D18B ; # small y
+ DA D0B7 ; # small z
+ DB D188 ; # small sh
+ DC D18D ; # small e
+ DD D189 ; # small shch
+ DE D187 ; # small ch
+ DF D18A ; # small hard sign
+
+ E0 D0AE ; # capital YU
+ E1 D090 ; # capital A
+ E2 D091 ; # capital B
+ E3 D0A6 ; # capital TS
+ E4 D094 ; # capital D
+ E5 D095 ; # capital YE
+ E6 D0A4 ; # capital F
+ E7 D093 ; # capital G
+ E8 D0A5 ; # capital KH
+ E9 D098 ; # capital I
+ EA D099 ; # capital J
+ EB D09A ; # capital K
+ EC D09B ; # capital L
+ ED D09C ; # capital M
+ EE D09D ; # capital N
+ EF D09E ; # capital O
+
+ F0 D09F ; # capital P
+ F1 D0AF ; # capital YA
+ F2 D0A0 ; # capital R
+ F3 D0A1 ; # capital S
+ F4 D0A2 ; # capital T
+ F5 D0A3 ; # capital U
+ F6 D096 ; # capital ZH
+ F7 D092 ; # capital V
+ F8 D0AC ; # capital soft sign
+ F9 D0AB ; # capital Y
+ FA D097 ; # capital Z
+ FB D0A8 ; # capital SH
+ FC D0AD ; # capital E
+ FD D0A9 ; # capital SHCH
+ FE D0A7 ; # capital CH
+ FF D0AA ; # capital hard sign
+}
diff --git a/images/router/nginx/koi-win b/images/router/nginx/koi-win
new file mode 100644
index 0000000..72afabe
--- /dev/null
+++ b/images/router/nginx/koi-win
@@ -0,0 +1,103 @@
+
+charset_map koi8-r windows-1251 {
+
+ 80 88 ; # euro
+
+ 95 95 ; # bullet
+
+ 9A A0 ; # &nbsp;
+
+ 9E B7 ; # &middot;
+
+ A3 B8 ; # small yo
+ A4 BA ; # small Ukrainian ye
+
+ A6 B3 ; # small Ukrainian i
+ A7 BF ; # small Ukrainian yi
+
+ AD B4 ; # small Ukrainian soft g
+ AE A2 ; # small Byelorussian short u
+
+ B0 B0 ; # &deg;
+
+ B3 A8 ; # capital YO
+ B4 AA ; # capital Ukrainian YE
+
+ B6 B2 ; # capital Ukrainian I
+ B7 AF ; # capital Ukrainian YI
+
+ B9 B9 ; # numero sign
+
+ BD A5 ; # capital Ukrainian soft G
+ BE A1 ; # capital Byelorussian short U
+
+ BF A9 ; # (C)
+
+ C0 FE ; # small yu
+ C1 E0 ; # small a
+ C2 E1 ; # small b
+ C3 F6 ; # small ts
+ C4 E4 ; # small d
+ C5 E5 ; # small ye
+ C6 F4 ; # small f
+ C7 E3 ; # small g
+ C8 F5 ; # small kh
+ C9 E8 ; # small i
+ CA E9 ; # small j
+ CB EA ; # small k
+ CC EB ; # small l
+ CD EC ; # small m
+ CE ED ; # small n
+ CF EE ; # small o
+
+ D0 EF ; # small p
+ D1 FF ; # small ya
+ D2 F0 ; # small r
+ D3 F1 ; # small s
+ D4 F2 ; # small t
+ D5 F3 ; # small u
+ D6 E6 ; # small zh
+ D7 E2 ; # small v
+ D8 FC ; # small soft sign
+ D9 FB ; # small y
+ DA E7 ; # small z
+ DB F8 ; # small sh
+ DC FD ; # small e
+ DD F9 ; # small shch
+ DE F7 ; # small ch
+ DF FA ; # small hard sign
+
+ E0 DE ; # capital YU
+ E1 C0 ; # capital A
+ E2 C1 ; # capital B
+ E3 D6 ; # capital TS
+ E4 C4 ; # capital D
+ E5 C5 ; # capital YE
+ E6 D4 ; # capital F
+ E7 C3 ; # capital G
+ E8 D5 ; # capital KH
+ E9 C8 ; # capital I
+ EA C9 ; # capital J
+ EB CA ; # capital K
+ EC CB ; # capital L
+ ED CC ; # capital M
+ EE CD ; # capital N
+ EF CE ; # capital O
+
+ F0 CF ; # capital P
+ F1 DF ; # capital YA
+ F2 D0 ; # capital R
+ F3 D1 ; # capital S
+ F4 D2 ; # capital T
+ F5 D3 ; # capital U
+ F6 C6 ; # capital ZH
+ F7 C2 ; # capital V
+ F8 DC ; # capital soft sign
+ F9 DB ; # capital Y
+ FA C7 ; # capital Z
+ FB D8 ; # capital SH
+ FC DD ; # capital E
+ FD D9 ; # capital SHCH
+ FE D7 ; # capital CH
+ FF DA ; # capital hard sign
+}
diff --git a/images/router/nginx/mime.types b/images/router/nginx/mime.types
new file mode 100644
index 0000000..89be9a4
--- /dev/null
+++ b/images/router/nginx/mime.types
@@ -0,0 +1,89 @@
+
+types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ image/gif gif;
+ image/jpeg jpeg jpg;
+ application/javascript js;
+ application/atom+xml atom;
+ application/rss+xml rss;
+
+ text/mathml mml;
+ text/plain txt;
+ text/vnd.sun.j2me.app-descriptor jad;
+ text/vnd.wap.wml wml;
+ text/x-component htc;
+
+ image/png png;
+ image/tiff tif tiff;
+ image/vnd.wap.wbmp wbmp;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+ image/svg+xml svg svgz;
+ image/webp webp;
+
+ application/font-woff woff;
+ application/java-archive jar war ear;
+ application/json json;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-fontobject eot;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.wap.wmlc wmlc;
+ application/vnd.google-earth.kml+xml kml;
+ application/vnd.google-earth.kmz kmz;
+ application/x-7z-compressed 7z;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-perl pl pm;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-tcl tcl tk;
+ application/x-x509-ca-cert der pem crt;
+ application/x-xpinstall xpi;
+ application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
+ application/zip zip;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/ogg ogg;
+ audio/x-m4a m4a;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mp2t ts;
+ video/mp4 mp4;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/webm webm;
+ video/x-flv flv;
+ video/x-m4v m4v;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
diff --git a/images/router/nginx/modules/stream.conf b/images/router/nginx/modules/stream.conf
new file mode 100644
index 0000000..9b0cbc3
--- /dev/null
+++ b/images/router/nginx/modules/stream.conf
@@ -0,0 +1 @@
+load_module "modules/ngx_stream_module.so";
diff --git a/images/router/nginx/nginx.conf b/images/router/nginx/nginx.conf
new file mode 100644
index 0000000..cb9b8c8
--- /dev/null
+++ b/images/router/nginx/nginx.conf
@@ -0,0 +1,67 @@
+worker_processes auto;
+pid /run/nginx.pid;
+
+include modules/stream.conf;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ #include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ include snippets/ssl_ciphers;
+ ssl_session_cache shared:SSL:25m;
+ ssl_session_timeout 10m;
+
+ # Gzip
+ gzip on;
+ gzip_disable "msie6";
+
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javasc$
+
+ # Logging
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ server_name _;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ server_name _;
+ include snippets/ssl_http;
+ return 503;
+ }
+
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/http/*;
+}
+
+stream {
+ include snippets/ssl_ciphers;
+
+ ssl_session_cache shared:TCP:25m;
+ ssl_session_timeout 10m;
+
+ include /etc/nginx/stream/*;
+}
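Review bot: The `gzip_types` line in `http {}` ends in `text/javasc$` with no closing `;` — if that is the committed content rather than a display truncation, `nginx -t` rejects the config, so the line is worth re-checking in the repository. `server_tokens off;` is also absent, so every response and error page advertises the exact nginx version, and `include /etc/nginx/mime.types;` is commented out, so anything served through the `.well-known` alias goes out as `application/octet-stream`; ACME does not care, but a `.well-known/matrix/server` JSON placed there later would. Adding `server_tokens off;` next to `sendfile on;` and re-enabling the mime.types include are both one-line changes.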
diff --git a/images/router/nginx/snippets/fastcgi_params b/images/router/nginx/snippets/fastcgi_params
new file mode 100644
index 0000000..28decb9
--- /dev/null
+++ b/images/router/nginx/snippets/fastcgi_params
@@ -0,0 +1,25 @@
+
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
diff --git a/images/router/nginx/snippets/scgi_params b/images/router/nginx/snippets/scgi_params
new file mode 100644
index 0000000..6d4ce4f
--- /dev/null
+++ b/images/router/nginx/snippets/scgi_params
@@ -0,0 +1,17 @@
+
+scgi_param REQUEST_METHOD $request_method;
+scgi_param REQUEST_URI $request_uri;
+scgi_param QUERY_STRING $query_string;
+scgi_param CONTENT_TYPE $content_type;
+
+scgi_param DOCUMENT_URI $document_uri;
+scgi_param DOCUMENT_ROOT $document_root;
+scgi_param SCGI 1;
+scgi_param SERVER_PROTOCOL $server_protocol;
+scgi_param REQUEST_SCHEME $scheme;
+scgi_param HTTPS $https if_not_empty;
+
+scgi_param REMOTE_ADDR $remote_addr;
+scgi_param REMOTE_PORT $remote_port;
+scgi_param SERVER_PORT $server_port;
+scgi_param SERVER_NAME $server_name;
diff --git a/images/router/nginx/snippets/ssl_ciphers b/images/router/nginx/snippets/ssl_ciphers
new file mode 100644
index 0000000..6eefe74
--- /dev/null
+++ b/images/router/nginx/snippets/ssl_ciphers
@@ -0,0 +1,4 @@
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+ ssl_prefer_server_ciphers on;
+
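Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled, both deprecated by RFC 8996, and the cipher list ends with catch-alls (`AES:CAMELLIA:DES-CBC3-SHA`) that admit static-RSA CBC suites without forward secrecy and 3DES, which is exposed to SWEET32. Since the snippet is shared by the `http` and `stream` contexts, tightening it covers the IRC listener too: `ssl_protocols TLSv1.2 TLSv1.3;` (drop `TLSv1.3` if the nginx/OpenSSL in the base image predates it) and `ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';`. Whether any IRC client still needs TLS 1.0 is something only the operator can judge.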
diff --git a/images/router/nginx/snippets/ssl_http b/images/router/nginx/snippets/ssl_http
new file mode 100644
index 0000000..78d171e
--- /dev/null
+++ b/images/router/nginx/snippets/ssl_http
@@ -0,0 +1,6 @@
+ssl_certificate /data/certs/tx0.co/fullchain.pem;
+ssl_certificate_key /data/certs/tx0.co/privkey.pem;
+
+ssl_dhparam /app/dhparams.pem;
+
+add_header Strict-Transport-Security "max-age=31536000" always;
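Review bot: `add_header Strict-Transport-Security` here is inherited by locations only while they declare no `add_header` of their own — nginx replaces rather than merges the inherited set — so the first vhost that adds, say, a CSP header inside a `location` silently loses HSTS on that path. Worth a comment on the line: `# NOTE: add_header is not merged across levels; a location that adds its own headers must repeat this one`. The header also lacks `includeSubDomains`; every subdomain here is served with this same snippet so that is mostly cosmetic, but if the apex is meant to protect names not yet configured, `"max-age=31536000; includeSubDomains"` is the form to use.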
diff --git a/images/router/nginx/snippets/ssl_tcp b/images/router/nginx/snippets/ssl_tcp
new file mode 100644
index 0000000..b59b7bf
--- /dev/null
+++ b/images/router/nginx/snippets/ssl_tcp
@@ -0,0 +1,4 @@
+ssl_certificate /data/certs/tx0.co/fullchain.pem;
+ssl_certificate_key /data/certs/tx0.co/privkey.pem;
+
+ssl_dhparam /app/dhparams.pem;
diff --git a/images/router/nginx/snippets/uwsgi_params b/images/router/nginx/snippets/uwsgi_params
new file mode 100644
index 0000000..09c732c
--- /dev/null
+++ b/images/router/nginx/snippets/uwsgi_params
@@ -0,0 +1,17 @@
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
diff --git a/images/router/nginx/snippets/wellknown b/images/router/nginx/snippets/wellknown
new file mode 100644
index 0000000..17aacf7
--- /dev/null
+++ b/images/router/nginx/snippets/wellknown
@@ -0,0 +1,5 @@
+location ^~ /.well-known/ {
+ alias /data/wellknown/;
+ try_files $uri $uri/ =404;
+ break;
+}
diff --git a/images/router/nginx/stream/znc b/images/router/nginx/stream/znc
new file mode 100644
index 0000000..e496af7
--- /dev/null
+++ b/images/router/nginx/stream/znc
@@ -0,0 +1,8 @@
+server {
+ listen 6667 ssl;
+ listen [::]:6667 ssl;
+
+ include snippets/ssl_tcp;
+
+ proxy_pass znc:6667;
+}
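Review bot: This stream server terminates TLS on 6667 and forwards to `znc:6667` in the clear, so the IRC hop inside the container network is plaintext and ZNC sees nginx as the peer for every connection. Both are acceptable if that network is private and ZNC's own per-IP handling is not relied on, but the trade-off should be stated in the file: `# TLS terminated here; znc:6667 is plaintext on the internal network and sees the router's IP, not the client's`. Port 6667 is also conventionally plaintext IRC, so clients that default to no-TLS on it will fail the handshake; 6697 is the customary TLS port.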
diff --git a/images/router/nginx/win-utf b/images/router/nginx/win-utf
new file mode 100644
index 0000000..ed8bc00
--- /dev/null
+++ b/images/router/nginx/win-utf
@@ -0,0 +1,126 @@
+
+# This map is not a full windows-1251 <> utf8 map: it does not
+# contain Serbian and Macedonian letters. If you need a full map,
+# use contrib/unicode2nginx/win-utf map instead.
+
+charset_map windows-1251 utf-8 {
+
+ 82 E2809A ; # single low-9 quotation mark
+
+ 84 E2809E ; # double low-9 quotation mark
+ 85 E280A6 ; # ellipsis
+ 86 E280A0 ; # dagger
+ 87 E280A1 ; # double dagger
+ 88 E282AC ; # euro
+ 89 E280B0 ; # per mille
+
+ 91 E28098 ; # left single quotation mark
+ 92 E28099 ; # right single quotation mark
+ 93 E2809C ; # left double quotation mark
+ 94 E2809D ; # right double quotation mark
+ 95 E280A2 ; # bullet
+ 96 E28093 ; # en dash
+ 97 E28094 ; # em dash
+
+ 99 E284A2 ; # trade mark sign
+
+ A0 C2A0 ; # &nbsp;
+ A1 D18E ; # capital Byelorussian short U
+ A2 D19E ; # small Byelorussian short u
+
+ A4 C2A4 ; # currency sign
+ A5 D290 ; # capital Ukrainian soft G
+ A6 C2A6 ; # borken bar
+ A7 C2A7 ; # section sign
+ A8 D081 ; # capital YO
+ A9 C2A9 ; # (C)
+ AA D084 ; # capital Ukrainian YE
+ AB C2AB ; # left-pointing double angle quotation mark
+ AC C2AC ; # not sign
+ AD C2AD ; # soft hypen
+ AE C2AE ; # (R)
+ AF D087 ; # capital Ukrainian YI
+
+ B0 C2B0 ; # &deg;
+ B1 C2B1 ; # plus-minus sign
+ B2 D086 ; # capital Ukrainian I
+ B3 D196 ; # small Ukrainian i
+ B4 D291 ; # small Ukrainian soft g
+ B5 C2B5 ; # micro sign
+ B6 C2B6 ; # pilcrow sign
+ B7 C2B7 ; # &middot;
+ B8 D191 ; # small yo
+ B9 E28496 ; # numero sign
+ BA D194 ; # small Ukrainian ye
+ BB C2BB ; # right-pointing double angle quotation mark
+
+ BF D197 ; # small Ukrainian yi
+
+ C0 D090 ; # capital A
+ C1 D091 ; # capital B
+ C2 D092 ; # capital V
+ C3 D093 ; # capital G
+ C4 D094 ; # capital D
+ C5 D095 ; # capital YE
+ C6 D096 ; # capital ZH
+ C7 D097 ; # capital Z
+ C8 D098 ; # capital I
+ C9 D099 ; # capital J
+ CA D09A ; # capital K
+ CB D09B ; # capital L
+ CC D09C ; # capital M
+ CD D09D ; # capital N
+ CE D09E ; # capital O
+ CF D09F ; # capital P
+
+ D0 D0A0 ; # capital R
+ D1 D0A1 ; # capital S
+ D2 D0A2 ; # capital T
+ D3 D0A3 ; # capital U
+ D4 D0A4 ; # capital F
+ D5 D0A5 ; # capital KH
+ D6 D0A6 ; # capital TS
+ D7 D0A7 ; # capital CH
+ D8 D0A8 ; # capital SH
+ D9 D0A9 ; # capital SHCH
+ DA D0AA ; # capital hard sign
+ DB D0AB ; # capital Y
+ DC D0AC ; # capital soft sign
+ DD D0AD ; # capital E
+ DE D0AE ; # capital YU
+ DF D0AF ; # capital YA
+
+ E0 D0B0 ; # small a
+ E1 D0B1 ; # small b
+ E2 D0B2 ; # small v
+ E3 D0B3 ; # small g
+ E4 D0B4 ; # small d
+ E5 D0B5 ; # small ye
+ E6 D0B6 ; # small zh
+ E7 D0B7 ; # small z
+ E8 D0B8 ; # small i
+ E9 D0B9 ; # small j
+ EA D0BA ; # small k
+ EB D0BB ; # small l
+ EC D0BC ; # small m
+ ED D0BD ; # small n
+ EE D0BE ; # small o
+ EF D0BF ; # small p
+
+ F0 D180 ; # small r
+ F1 D181 ; # small s
+ F2 D182 ; # small t
+ F3 D183 ; # small u
+ F4 D184 ; # small f
+ F5 D185 ; # small kh
+ F6 D186 ; # small ts
+ F7 D187 ; # small ch
+ F8 D188 ; # small sh
+ F9 D189 ; # small shch
+ FA D18A ; # small hard sign
+ FB D18B ; # small y
+ FC D18C ; # small soft sign
+ FD D18D ; # small e
+ FE D18E ; # small yu
+ FF D18F ; # small ya
+}
diff --git a/images/router/service/letsencrypt/run b/images/router/service/letsencrypt/run
new file mode 100644
index 0000000..7fcc76d
--- /dev/null
+++ b/images/router/service/letsencrypt/run
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# wait for nginx to startup, for http challenge
+sv start nginx || exit 1
+sleep 10
+
+# half a day, 60 * 60 * 12
+INTERVAL=43200
+
+mkdir -p /data/wellknown/acme-challenge
+
+/app/dehydrated/dehydrated --register --accept-terms --config /app/letsencrypt/config
+
+while true; do
+ echo "Updating certificates"
+ /app/dehydrated/dehydrated --cron --config /app/letsencrypt/config
+ nginx -s reload # certificates might have changed
+ sleep $INTERVAL
+done
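Review bot: `nginx -s reload` runs unconditionally after `dehydrated --cron`, so a failed renewal still triggers a reload, and because the script has no `set -e` and checks no exit status the failure is visible only to someone reading the service log. The `sleep 10` after `sv start nginx` is likewise a fixed guess at nginx being ready to serve the http-01 challenge. Gate the reload on success and log failures to stderr; longer term, dehydrated's `HOOK` with `deploy_cert` reloads nginx only when a certificate actually changed.
```sh
# … unchanged: sv start / sleep / INTERVAL / mkdir / --register …
while true; do
  echo "Updating certificates"
  if /app/dehydrated/dehydrated --cron --config /app/letsencrypt/config; then
    nginx -s reload # certificates might have changed
  else
    echo "certificate renewal failed; keeping current certificates" >&2
  fi
  sleep "$INTERVAL"
done
```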
diff --git a/images/router/service/nginx/run b/images/router/service/nginx/run
new file mode 100644
index 0000000..bfc6e24
--- /dev/null
+++ b/images/router/service/nginx/run
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+ln -sf /dev/stdout /var/log/nginx/access.log
+ln -sf /dev/stderr /var/log/nginx/error.log
+
+# nginx doesn't start without certificates,
+# so generate untrusted ones for startup
+if [ ! -d "/data/certs/tx0.co" ]; then
+ echo "Generating dummy certificates"
+ mkdir -p /data/certs/tx0.co
+ openssl req -x509 -nodes -batch -newkey rsa:512 -days 0 \
+ -keyout /data/certs/tx0.co/privkey.pem \
+ -out /data/certs/tx0.co/fullchain.pem
+fi
+
+exec nginx -g 'daemon off;'
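Review bot: The placeholder certificate is generated with `-newkey rsa:512`; OpenSSL 1.1.0 and later at their default security level refuse to load RSA keys under 1024 bits into a TLS context (`ee key too small`), so on such a base image nginx fails on exactly the first boot this block is meant to survive. Use `-newkey rsa:2048 -days 1` — the key size is irrelevant for a throwaway self-signed cert but must be acceptable to the TLS library. The `[ ! -d ... ]` check also misfires if the directory exists without both files (for example after an interrupted first run), so `if [ ! -f /data/certs/tx0.co/privkey.pem ] || [ ! -f /data/certs/tx0.co/fullchain.pem ]; then` is more robust. Which OpenSSL the `server_runit` base ships is not visible here.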