Move SSL stuff to /etc/nginx/nginx.conf

cockpit.conf

@@ -3,11 +3,6 @@ server {
     listen [::]:443 ssl;
     server_name portal.exozy.me;
 
-    ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
     location / {
         # Required to proxy the connection to Cockpit
         proxy_pass https://localhost:9090;

exozyme.conf

@@ -12,11 +12,6 @@ server {
     listen [::]:443 ssl default_server;
     server_name exozy.me;
 
-    ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
     root /srv/http/exozyme;
     index index.html;
 

forgejo.conf

@@ -3,11 +3,6 @@ server {
     listen [::]:443 ssl;
     server_name git.exozy.me;
 
-    ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
     if ($http_user_agent = "Mozilla/5.0 (Linux; Android 5.0) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36 (compatible; Bytespider; spider-feedback@bytedance.com)") {
         return 444;
     }

guacamole.conf

@@ -3,11 +3,6 @@ server {
     listen [::]:443 ssl;
     server_name desk.exozy.me;
 
-    ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
     location / {
         proxy_pass http://localhost:4080/guacamole/;
         proxy_buffering off;

iacore.conf

@@ -5,8 +5,6 @@ server {
 
     ssl_certificate /etc/letsencrypt/live/www2.1a-insec.net/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/www2.1a-insec.net/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
     location / {
         proxy_pass http://unix:/srv/http/pages/xrablnhmov;

jupyterhub.conf

@@ -3,11 +3,6 @@ server {
     listen [::]:443 ssl;
     server_name hub.exozy.me;
 
-    ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
     location ~ ^/user/(.*)/desk/(.*)$ {
         return 301 /hub/desk/$2;
     }

mastodon.conf

@@ -26,11 +26,6 @@ server {
     listen [::]:443 ssl;
     server_name social.exozy.me;
 
-    ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
     keepalive_timeout 70;
     sendfile on;
     client_max_body_size 99m;

mdwalters.conf

@@ -5,8 +5,6 @@ server {
 
     ssl_certificate /etc/letsencrypt/live/mdwalters.exozy.me/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/mdwalters.exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
     location / {
         proxy_pass http://localhost:5173;
@@ -24,8 +22,6 @@ server {
 
     ssl_certificate /etc/letsencrypt/live/mdwalters.exozy.me/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/mdwalters.exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
     location / {
         proxy_pass http://localhost:1342;
@@ -43,8 +39,6 @@ server {
 
     ssl_certificate /etc/letsencrypt/live/mdwalters.exozy.me/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/mdwalters.exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
     location / {
         proxy_pass http://localhost:1341;
@@ -67,8 +61,6 @@ server {
 
     ssl_certificate /etc/letsencrypt/live/mdwalters.exozy.me/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/mdwalters.exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
     location / {
         proxy_pass http://localhost:1351;

nextcloud.conf

@@ -22,10 +22,6 @@ server {
 
     # Use Mozilla's guidelines for SSL/TLS settings
     # https://mozilla.github.io/server-side-tls/ssl-config-generator/
-    ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
     # HSTS settings
     # WARNING: Only add the preload option once you read about
@@ -33,7 +29,7 @@ server {
     # will add the domain to a hardcoded list that is shipped
     # in all major browsers and getting removed from this list
     # could take several months.
-    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
+    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
 
     # set max upload size and increase upload timeout:
     client_max_body_size 16G;

nvpie.conf

@@ -5,8 +5,6 @@ server {
 
     ssl_certificate /etc/letsencrypt/live/neovoid.is-cool.dev/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/neovoid.is-cool.dev/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
     location / {
         proxy_pass http://unix:/srv/http/pages/nvpie;

pages.conf

@@ -3,11 +3,6 @@ server {
     listen [::]:443 ssl;
     server_name ~^(\d)\.exozy\.me;
 
-    ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
     index index.html;
 
     location / {
@@ -30,11 +25,6 @@ server {
     listen [::]:443 ssl;
     server_name ~^(?<page>.+)\.exozy\.me;
 
-    ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
     root /srv/http/pages/$page;
     index index.html;
 

peertube.conf

@@ -11,14 +11,6 @@ server {
     listen 443 ssl;
     listen [::]:443 ssl;
     server_name tube.exozy.me;
-    ##
-    # Certificates
-    # you need a certificate to run in production. see https://letsencrypt.org/
-    ##
-    ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
     ##
     # Application

pranav.conf

@@ -5,8 +5,6 @@ server {
 
     ssl_certificate /home/pranav/.local/share/cert/karawale.in/fullchain.pem;
     ssl_certificate_key /home/pranav/.local/share/cert/karawale.in/key.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
     location / {
         proxy_pass http://unix:/srv/http/pages/pranav;

redirect.conf

@@ -3,11 +3,6 @@ server {
     listen [::]:443 ssl;
     server_name ta180m.exozy.me;
 
-    ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
     location / {
         return 301 https://a.exozy.me$request_uri;
     }

safetwitch.conf

@@ -3,11 +3,6 @@ server {
     listen [::]:443 ssl;
     server_name safetwitch.exozy.me;
 
-    ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
     root /srv/http/pages/safetwitch;
     index index.html;
 

synapse.conf

@@ -3,11 +3,6 @@ server {
     listen [::]:443 ssl;
     server_name chat.exozy.me;
 
-    ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
     location / {
         proxy_pass http://localhost:8008;
         proxy_set_header X-Forwarded-For $remote_addr;

woodpecker.conf

@@ -3,11 +3,6 @@ server {
     listen [::]:443 ssl;
     server_name ci.exozy.me;
 
-    ssl_certificate /etc/letsencrypt/live/exozy.me/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/exozy.me/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
     location / {
         proxy_set_header X-Forwarded-For $remote_addr;
         proxy_set_header X-Forwarded-Proto $scheme;

xtex.conf

@@ -5,8 +5,6 @@ server {
 
     ssl_certificate /etc/letsencrypt/live/xtexx.eu.org/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/xtexx.eu.org/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
     add_header Server exozyme;
 
@@ -31,8 +29,6 @@ server {
 
     ssl_certificate /etc/letsencrypt/live/xtexx.eu.org/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/xtexx.eu.org/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
 
     add_header Server exozyme;