authorThomas Vanbesien <tvanbesi@proton.me>2026-06-03 17:12:58 +0200
committerThomas Vanbesien <tvanbesi@proton.me>2026-06-03 17:48:25 +0200
commitba3a7bc94421f93818f9196bd8a2c32eb7d9d940 (patch)
tree952392f7cce20e3848caefbf98ec8316894cc1ca /services/nginx/fs/etc
parent9d6c353c5ef82f862ad06ef84b13e65567997201 (diff)
feat: better initialization script
Rename `tools/build` → `net_services`. `net_services` can be run from anywhere (previously it was not creating the fs archives in the right place). It also creates the directories specified in `.env`, generates a self-signed certificate if no certificate is available, initializes the first Radicale user if missing, and copies the example configuration files for cgit if they are missing. `generate_self_signed_cert` has been removed (its code is now in `net_services`).
Diffstat (limited to 'services/nginx/fs/etc')
-rw-r--r--services/nginx/fs/etc/nginx/templates/default.conf.template46
-rw-r--r--services/nginx/fs/etc/nginx/templates/services/cgit.conf.template17
-rw-r--r--services/nginx/fs/etc/nginx/templates/services/radicale.conf.template19
-rw-r--r--services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template20
4 files changed, 102 insertions, 0 deletions
diff --git a/services/nginx/fs/etc/nginx/templates/default.conf.template b/services/nginx/fs/etc/nginx/templates/default.conf.template
new file mode 100644
index 0000000..f90b61a
--- /dev/null
+++ b/services/nginx/fs/etc/nginx/templates/default.conf.template
@@ -0,0 +1,46 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name ${NGINX__HOST}
+ www.${NGINX__HOST}
+ dav.${NGINX__HOST}
+ git.${NGINX__HOST}
+ sync.${NGINX__HOST};
+
+ # Prevent nginx HTTP Server Detection
+ server_tokens off;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name ${NGINX__HOST} www.${NGINX__HOST};
+
+ ssl_certificate /run/secrets/server.crt;
+ ssl_certificate_key /run/secrets/server.key;
+
+ location / {
+ root /srv;
+ }
+}
+
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ server_name _;
+
+ ssl_certificate /run/secrets/server.crt;
+ ssl_certificate_key /run/secrets/server.key;
+
+ return 444;
+}
+
+# Docker embedded DNS server
+resolver 127.0.0.11 valid=2s;
+
+include /etc/nginx/conf.d/services/*.conf;
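Review bot: The port-80 server at the top of this file is the only listener on port 80, so nginx uses it as the default server for that port, and `return 301 https://$host$request_uri;` copies whatever Host header the client sent into the Location header. Port 443 already has a `default_server` that answers 444 for unknown names; port 80 would benefit from the same catch-all, shown below, so that the redirect only fires for the five listed names. Separately, `server_tokens off;` sits inside that one server block, so the HTTPS vhosts here and in services/*.conf still advertise the nginx version. Moving it to file level next to `resolver` would cover all of them.

```nginx
# Catch-all for port 80, mirroring the 443 default_server in this file
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name _;

    return 444;
}

# … unchanged: named port-80 redirect server and the 443 servers …
```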
diff --git a/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template b/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template
new file mode 100644
index 0000000..c0fa070
--- /dev/null
+++ b/services/nginx/fs/etc/nginx/templates/services/cgit.conf.template
@@ -0,0 +1,17 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name git.${NGINX__HOST};
+
+ ssl_certificate /run/secrets/server.crt;
+ ssl_certificate_key /run/secrets/server.key;
+
+ location / {
+ proxy_pass http://cgit:80;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
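Review bot: `proxy_pass http://cgit:80;` uses a literal hostname, which nginx resolves once when the configuration is loaded; the `resolver 127.0.0.11 valid=2s;` line in default.conf.template is only consulted when the proxy_pass target contains a variable. As written, nginx will refuse to start if the cgit container is not resolvable yet, and it may keep proxying to a stale address after the container is recreated. Consider `set $upstream http://cgit:80;` followed by `proxy_pass $upstream;` so the short-lived resolver is actually used. The same applies to `http://radicale:5232` and `http://syncthing:8384` in the other two service templates.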
diff --git a/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template b/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template
new file mode 100644
index 0000000..d6e4617
--- /dev/null
+++ b/services/nginx/fs/etc/nginx/templates/services/radicale.conf.template
@@ -0,0 +1,19 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name dav.${NGINX__HOST};
+
+ ssl_certificate /run/secrets/server.crt;
+ ssl_certificate_key /run/secrets/server.key;
+
+ location / {
+ proxy_pass http://radicale:5232;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+ proxy_pass_header Authorization;
+ }
+}
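Review bot: `proxy_pass_header Authorization;` does not do what its position suggests: that directive lets otherwise-hidden response headers from the upstream reach the client, while the client's Authorization request header is forwarded to Radicale by default. It can be dropped, or kept with a comment such as `# no effect on request auth; kept to match the upstream reverse-proxy example` if that is where it came from. Also, this template sends `Host $http_host` (the raw client header) where the cgit and syncthing templates send `$host`; using `$host` here too would keep the three consistent unless Radicale needs the port in the Host value.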
diff --git a/services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template b/services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template
new file mode 100644
index 0000000..31c90bb
--- /dev/null
+++ b/services/nginx/fs/etc/nginx/templates/services/syncthing.conf.template
@@ -0,0 +1,20 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name sync.${NGINX__HOST};
+
+ ssl_certificate /run/secrets/server.crt;
+ ssl_certificate_key /run/secrets/server.key;
+
+ location / {
+ proxy_pass http://syncthing:8384;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ }
+}
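Review bot: Nothing in this `location /` limits who may reach `http://syncthing:8384`, which looks like Syncthing's GUI/REST port, so the administrative interface is published on `sync.${NGINX__HOST}` to anyone who can reach nginx and is protected only by whatever GUI credentials Syncthing itself has configured (not visible in this commit). If it is meant for a few known networks, add `allow <TRUSTED_CIDR>;` and `deny all;` inside the location (placeholder value), or put an `auth_basic` layer in front. The two 600s timeouts deserve a one-line comment, e.g. `# long timeouts for Syncthing's long-running GUI requests`, so they are not trimmed later as an oversight.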