webserver, webmail, and letsencrypt all seeem to be working

Signed-off-by: James Ketrenos <james_git@ketrenos.com>

.dockerignore

@@ -0,0 +1,2 @@
+www
+

.gitignore

@@ -0,0 +1,4 @@
+log
+www
+data
+keys

Dockerfile

@@ -0,0 +1,20 @@
+FROM ubuntu:jammy
+
+RUN apt-get -q update \
+  && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
+    nginx \
+    apache2 \
+    nano \
+    php8.1 libapache2-mod-php \
+    net-tools \
+		inotify-tools \
+	&& apt-get clean \
+  && rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log}
+
+RUN a2enmod php8.1 \
+	&& a2enmod rewrite
+
+COPY /Dockerfile /Dockerfile
+COPY /ketreweb.sh /ketreweb.sh
+
+ENTRYPOINT [ "/ketreweb.sh" ]

Dockerfile.cron

@@ -0,0 +1,20 @@
+FROM ubuntu:jammy
+
+RUN apt-get -q update \
+  && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
+    cron vim ssh rsync \
+    letsencrypt \
+    python3-certbot-apache \
+    python3-certbot-nginx \
+  && apt-get clean \
+  && for dir in apt dpkg cache log; do          \
+    if [[ -e /var/lib/apt/lists/${dir} ]]; then \
+      rm -rf /var/lib/apt/lists/${dir};         \
+    else                                        \
+      true ;                                    \
+    fi ;                                        \
+  done
+
+COPY /Dockerfile.cron /Dockerfile
+
+ENTRYPOINT [ "cron", "-f" ]

README.md

@@ -0,0 +1,14 @@
+# ketreweb containers
+
+## ketreweb
+
+nginx and apache2
+monitors keys from ./config/letsencrypt and restarts nginx and apache if changed
+
+## ketreweb-roundcube
+
+default container for roundcube
+
+## ketreweb-cron
+
+Runs letsencrypt via cron

config/apache2/envvars

@@ -0,0 +1,47 @@
+# envvars - default environment variables for apache2ctl
+
+# this won't be correct after changing uid
+unset HOME
+
+# for supporting multiple apache2 instances
+if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
+	SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}"
+else
+	SUFFIX=
+fi
+
+# Since there is no sane way to get the parsed apache2 config in scripts, some
+# settings are defined via environment variables and then used in apache2ctl,
+# /etc/init.d/apache2, /etc/logrotate.d/apache2, etc.
+export APACHE_RUN_USER=www-data
+export APACHE_RUN_GROUP=www-data
+# temporary state file location. This might be changed to /run in Wheezy+1
+export APACHE_PID_FILE=/var/run/apache2/apache2$SUFFIX.pid
+export APACHE_RUN_DIR=/var/run/apache2$SUFFIX
+export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX
+# Only /var/log/apache2 is handled by /etc/logrotate.d/apache2.
+export APACHE_LOG_DIR=/var/log/apache2$SUFFIX
+
+## The locale used by some modules like mod_dav
+export LANG=C
+## Uncomment the following line to use the system default locale instead:
+#. /etc/default/locale
+
+export LANG
+
+## The command to get the status for 'apache2ctl status'.
+## Some packages providing 'www-browser' need '--dump' instead of '-dump'.
+#export APACHE_LYNX='www-browser -dump'
+
+## If you need a higher file descriptor limit, uncomment and adjust the
+## following line (default is 8192):
+#APACHE_ULIMIT_MAX_FILES='ulimit -n 65536'
+
+## If you would like to pass arguments to the web server, add them below
+## to the APACHE_ARGUMENTS environment.
+#export APACHE_ARGUMENTS=''
+
+## Enable the debug mode for maintainer scripts.
+## This will produce a verbose output on package installations of web server modules and web application
+## installations which interact with Apache
+#export APACHE2_MAINTSCRIPT_DEBUG=1

config/apache2/ports.conf

@@ -0,0 +1,15 @@
+# If you just change the port or add more ports here, you will likely also
+# have to change the VirtualHost statement in
+# /etc/apache2/sites-enabled/000-default.conf
+
+Listen 8000
+
+<IfModule ssl_module>
+	Listen 4430
+</IfModule>
+
+<IfModule mod_gnutls.c>
+	Listen 4430
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

config/apache2/sites-available/000-default.conf

@@ -0,0 +1,41 @@
+<VirtualHost *:80>
+	ServerAdmin webmaster@localhost
+
+	DocumentRoot /var/www/default
+	<Directory />
+		Options FollowSymLinks
+		AllowOverride None
+	</Directory>
+	<Directory /var/www/>
+		Options Indexes FollowSymLinks MultiViews
+		AllowOverride None
+		Order allow,deny
+		allow from all
+	</Directory>
+
+	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+	<Directory "/usr/lib/cgi-bin">
+		AllowOverride None
+		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+		Order allow,deny
+		Allow from all
+	</Directory>
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+
+	# Possible values include: debug, info, notice, warn, error, crit,
+	# alert, emerg.
+	LogLevel warn
+
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+    Alias /doc/ "/usr/share/doc/"
+    <Directory "/usr/share/doc/">
+        Options Indexes MultiViews FollowSymLinks
+        AllowOverride None
+        Order deny,allow
+        Deny from all
+        Allow from 127.0.0.0/255.0.0.0 ::1/128
+    </Directory>
+
+</VirtualHost>

config/apache2/sites-available/ApacheAmpache

@@ -0,0 +1,51 @@
+<VirtualHost *:80>
+	ServerAdmin webmaster@localhost
+
+	DocumentRoot /var/www
+	<Directory />
+		Options FollowSymLinks
+		AllowOverride None
+	</Directory>
+	<Directory /var/www/>
+		Options Indexes FollowSymLinks MultiViews
+		AllowOverride None
+		Order allow,deny
+		allow from all
+	</Directory>
+
+	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+	<Directory "/usr/lib/cgi-bin">
+		AllowOverride None
+		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+		Order allow,deny
+		Allow from all
+	</Directory>
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+
+	# Possible values include: debug, info, notice, warn, error, crit,
+	# alert, emerg.
+	LogLevel warn
+
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+    Alias /doc/ "/usr/share/doc/"
+    <Directory "/usr/share/doc/">
+        Options Indexes MultiViews FollowSymLinks
+        AllowOverride None
+        Order deny,allow
+        Deny from all
+        Allow from 127.0.0.0/255.0.0.0 ::1/128
+    </Directory>
+
+	Alias /ampache /usr/share/ampache/www
+	<Directory /usr/share/ampache/www>
+	    Options FollowSymLinks
+	    AllowOverride All
+	</Directory>
+
+RewriteEngine on
+RewriteCond %{SERVER_NAME} =ketrenos.com [OR]
+RewriteCond %{SERVER_NAME} =www.ketrenos.com
+RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]
+</VirtualHost>

config/apache2/sites-available/default-ssl.conf

@@ -0,0 +1,172 @@
+<IfModule mod_ssl.c>
+<VirtualHost _default_:443>
+	ServerAdmin webmaster@localhost
+
+	DocumentRoot /var/www/default
+	<Directory />
+		Options FollowSymLinks
+		AllowOverride None
+	</Directory>
+	<Directory /var/www/>
+		Options Indexes FollowSymLinks MultiViews
+		AllowOverride None
+		Order allow,deny
+		allow from all
+	</Directory>
+
+	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+	<Directory "/usr/lib/cgi-bin">
+		AllowOverride None
+		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+		Order allow,deny
+		Allow from all
+	</Directory>
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+
+	# Possible values include: debug, info, notice, warn, error, crit,
+	# alert, emerg.
+	LogLevel warn
+
+	CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
+
+	Alias /doc/ "/usr/share/doc/"
+	<Directory "/usr/share/doc/">
+		Options Indexes MultiViews FollowSymLinks
+		AllowOverride None
+		Order deny,allow
+		Deny from all
+		Allow from 127.0.0.0/255.0.0.0 ::1/128
+	</Directory>
+
+	#   SSL Engine Switch:
+	#   Enable/Disable SSL for this virtual host.
+	SSLEngine on
+
+	#   A self-signed (snakeoil) certificate can be created by installing
+	#   the ssl-cert package. See
+	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
+	#   If both key and certificate are stored in the same file, only the
+	#   SSLCertificateFile directive is needed.
+	SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
+	SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+	#   Server Certificate Chain:
+	#   Point SSLCertificateChainFile at a file containing the
+	#   concatenation of PEM encoded CA certificates which form the
+	#   certificate chain for the server certificate. Alternatively
+	#   the referenced file can be the same as SSLCertificateFile
+	#   when the CA certificates are directly appended to the server
+	#   certificate for convinience.
+	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+	#   Certificate Authority (CA):
+	#   Set the CA certificate verification path where to find CA
+	#   certificates for client authentication or alternatively one
+	#   huge file containing all of them (file must be PEM encoded)
+	#   Note: Inside SSLCACertificatePath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+	#SSLCACertificatePath /etc/ssl/certs/
+	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+	#   Certificate Revocation Lists (CRL):
+	#   Set the CA revocation path where to find CA CRLs for client
+	#   authentication or alternatively one huge file containing all
+	#   of them (file must be PEM encoded)
+	#   Note: Inside SSLCARevocationPath you need hash symlinks
+	#         to point to the certificate files. Use the provided
+	#         Makefile to update the hash symlinks after changes.
+	#SSLCARevocationPath /etc/apache2/ssl.crl/
+	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+	#   Client Authentication (Type):
+	#   Client certificate verification type and depth.  Types are
+	#   none, optional, require and optional_no_ca.  Depth is a
+	#   number which specifies how deeply to verify the certificate
+	#   issuer chain before deciding the certificate is not valid.
+	#SSLVerifyClient require
+	#SSLVerifyDepth  10
+
+	#   Access Control:
+	#   With SSLRequire you can do per-directory access control based
+	#   on arbitrary complex boolean expressions containing server
+	#   variable checks and other lookup directives.  The syntax is a
+	#   mixture between C and Perl.  See the mod_ssl documentation
+	#   for more details.
+	#<Location />
+	#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+	#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+	#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+	#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+	#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+	#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+	#</Location>
+
+	#   SSL Engine Options:
+	#   Set various options for the SSL engine.
+	#   o FakeBasicAuth:
+	#     Translate the client X.509 into a Basic Authorisation.  This means that
+	#     the standard Auth/DBMAuth methods can be used for access control.  The
+	#     user name is the `one line' version of the client's X.509 certificate.
+	#     Note that no password is obtained from the user. Every entry in the user
+	#     file needs this password: `xxj31ZMTZzkVA'.
+	#   o ExportCertData:
+	#     This exports two additional environment variables: SSL_CLIENT_CERT and
+	#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+	#     server (always existing) and the client (only existing when client
+	#     authentication is used). This can be used to import the certificates
+	#     into CGI scripts.
+	#   o StdEnvVars:
+	#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+	#     Per default this exportation is switched off for performance reasons,
+	#     because the extraction step is an expensive operation and is usually
+	#     useless for serving static content. So one usually enables the
+	#     exportation for CGI and SSI requests only.
+	#   o StrictRequire:
+	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+	#     under a "Satisfy any" situation, i.e. when it applies access is denied
+	#     and no other module can change it.
+	#   o OptRenegotiate:
+	#     This enables optimized SSL connection renegotiation handling when SSL
+	#     directives are used in per-directory context.
+	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory /usr/lib/cgi-bin>
+		SSLOptions +StdEnvVars
+	</Directory>
+
+	#   SSL Protocol Adjustments:
+	#   The safe and default but still SSL/TLS standard compliant shutdown
+	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+	#   the close notify alert from client. When you need a different shutdown
+	#   approach you can use one of the following variables:
+	#   o ssl-unclean-shutdown:
+	#     This forces an unclean shutdown when the connection is closed, i.e. no
+	#     SSL close notify alert is send or allowed to received.  This violates
+	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+	#     this when you receive I/O errors because of the standard approach where
+	#     mod_ssl sends the close notify alert.
+	#   o ssl-accurate-shutdown:
+	#     This forces an accurate shutdown when the connection is closed, i.e. a
+	#     SSL close notify alert is send and mod_ssl waits for the close notify
+	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+	#     practice often causes hanging connections with brain-dead browsers. Use
+	#     this only for browsers where you know that their SSL implementation
+	#     works correctly.
+	#   Notice: Most problems of broken clients are also related to the HTTP
+	#   keep-alive facility, so you usually additionally want to disable
+	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+	#   "force-response-1.0" for this.
+	BrowserMatch "MSIE [2-6]" \
+		nokeepalive ssl-unclean-shutdown \
+		downgrade-1.0 force-response-1.0
+	# MSIE 7 and newer should be able to use keepalive
+	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+</VirtualHost>
+</IfModule>

config/apache2/sites-available/default-ssl.conf.dpkg-dist

@@ -0,0 +1,134 @@
+<IfModule mod_ssl.c>
+	<VirtualHost _default_:443>
+		ServerAdmin webmaster@localhost
+
+		DocumentRoot /var/www/html
+
+		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+		# error, crit, alert, emerg.
+		# It is also possible to configure the loglevel for particular
+		# modules, e.g.
+		#LogLevel info ssl:warn
+
+		ErrorLog ${APACHE_LOG_DIR}/error.log
+		CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+		# For most configuration files from conf-available/, which are
+		# enabled or disabled at a global level, it is possible to
+		# include a line for only one particular virtual host. For example the
+		# following line enables the CGI configuration for this host only
+		# after it has been globally disabled with "a2disconf".
+		#Include conf-available/serve-cgi-bin.conf
+
+		#   SSL Engine Switch:
+		#   Enable/Disable SSL for this virtual host.
+		SSLEngine on
+
+		#   A self-signed (snakeoil) certificate can be created by installing
+		#   the ssl-cert package. See
+		#   /usr/share/doc/apache2/README.Debian.gz for more info.
+		#   If both key and certificate are stored in the same file, only the
+		#   SSLCertificateFile directive is needed.
+		SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
+		SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+		#   Server Certificate Chain:
+		#   Point SSLCertificateChainFile at a file containing the
+		#   concatenation of PEM encoded CA certificates which form the
+		#   certificate chain for the server certificate. Alternatively
+		#   the referenced file can be the same as SSLCertificateFile
+		#   when the CA certificates are directly appended to the server
+		#   certificate for convinience.
+		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
+
+		#   Certificate Authority (CA):
+		#   Set the CA certificate verification path where to find CA
+		#   certificates for client authentication or alternatively one
+		#   huge file containing all of them (file must be PEM encoded)
+		#   Note: Inside SSLCACertificatePath you need hash symlinks
+		#		 to point to the certificate files. Use the provided
+		#		 Makefile to update the hash symlinks after changes.
+		#SSLCACertificatePath /etc/ssl/certs/
+		#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
+
+		#   Certificate Revocation Lists (CRL):
+		#   Set the CA revocation path where to find CA CRLs for client
+		#   authentication or alternatively one huge file containing all
+		#   of them (file must be PEM encoded)
+		#   Note: Inside SSLCARevocationPath you need hash symlinks
+		#		 to point to the certificate files. Use the provided
+		#		 Makefile to update the hash symlinks after changes.
+		#SSLCARevocationPath /etc/apache2/ssl.crl/
+		#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
+
+		#   Client Authentication (Type):
+		#   Client certificate verification type and depth.  Types are
+		#   none, optional, require and optional_no_ca.  Depth is a
+		#   number which specifies how deeply to verify the certificate
+		#   issuer chain before deciding the certificate is not valid.
+		#SSLVerifyClient require
+		#SSLVerifyDepth  10
+
+		#   SSL Engine Options:
+		#   Set various options for the SSL engine.
+		#   o FakeBasicAuth:
+		#	 Translate the client X.509 into a Basic Authorisation.  This means that
+		#	 the standard Auth/DBMAuth methods can be used for access control.  The
+		#	 user name is the `one line' version of the client's X.509 certificate.
+		#	 Note that no password is obtained from the user. Every entry in the user
+		#	 file needs this password: `xxj31ZMTZzkVA'.
+		#   o ExportCertData:
+		#	 This exports two additional environment variables: SSL_CLIENT_CERT and
+		#	 SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+		#	 server (always existing) and the client (only existing when client
+		#	 authentication is used). This can be used to import the certificates
+		#	 into CGI scripts.
+		#   o StdEnvVars:
+		#	 This exports the standard SSL/TLS related `SSL_*' environment variables.
+		#	 Per default this exportation is switched off for performance reasons,
+		#	 because the extraction step is an expensive operation and is usually
+		#	 useless for serving static content. So one usually enables the
+		#	 exportation for CGI and SSI requests only.
+		#   o OptRenegotiate:
+		#	 This enables optimized SSL connection renegotiation handling when SSL
+		#	 directives are used in per-directory context.
+		#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+		<FilesMatch "\.(cgi|shtml|phtml|php)$">
+				SSLOptions +StdEnvVars
+		</FilesMatch>
+		<Directory /usr/lib/cgi-bin>
+				SSLOptions +StdEnvVars
+		</Directory>
+
+		#   SSL Protocol Adjustments:
+		#   The safe and default but still SSL/TLS standard compliant shutdown
+		#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+		#   the close notify alert from client. When you need a different shutdown
+		#   approach you can use one of the following variables:
+		#   o ssl-unclean-shutdown:
+		#	 This forces an unclean shutdown when the connection is closed, i.e. no
+		#	 SSL close notify alert is send or allowed to received.  This violates
+		#	 the SSL/TLS standard but is needed for some brain-dead browsers. Use
+		#	 this when you receive I/O errors because of the standard approach where
+		#	 mod_ssl sends the close notify alert.
+		#   o ssl-accurate-shutdown:
+		#	 This forces an accurate shutdown when the connection is closed, i.e. a
+		#	 SSL close notify alert is send and mod_ssl waits for the close notify
+		#	 alert of the client. This is 100% SSL/TLS standard compliant, but in
+		#	 practice often causes hanging connections with brain-dead browsers. Use
+		#	 this only for browsers where you know that their SSL implementation
+		#	 works correctly.
+		#   Notice: Most problems of broken clients are also related to the HTTP
+		#   keep-alive facility, so you usually additionally want to disable
+		#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+		#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+		#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+		#   "force-response-1.0" for this.
+		# BrowserMatch "MSIE [2-6]" \
+		#		nokeepalive ssl-unclean-shutdown \
+		#		downgrade-1.0 force-response-1.0
+
+	</VirtualHost>
+</IfModule>
+
+# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

config/apache2/sites-available/ketrenos.com

@@ -0,0 +1,11 @@
+<VirtualHost *:8000>
+	ServerName ketrenos.com
+	ServerAlias *.ketrenos.com
+	Redirect permanent / https://ketrenos.com/
+	RewriteEngine On
+	RewriteCond %{HTTPS} off
+	RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+RewriteCond %{SERVER_NAME} =ketrenos.com [OR]
+RewriteCond %{SERVER_NAME} =*.ketrenos.com
+RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]
+</VirtualHost>

config/apache2/sites-available/ketrenos.com-le-ssl.conf

@@ -0,0 +1,34 @@
+<IfModule mod_ssl.c>
+NameVirtualHost *:80
+
+<VirtualHost *:443>
+	ServerName ketrenos.com
+	ServerAlias *.ketrenos.com
+#	Redirect permanent / https://ketrenos.com/
+#	RewriteEngine On
+# Some rewrite rules in this file were disabled on your HTTPS site,
+# because they have the potential to create redirection loops.
+# 	RewriteCond %{HTTPS} off
+# 	RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+Include /etc/letsencrypt/options-ssl-apache.conf
+SSLCertificateFile /etc/letsencrypt/live/ketrenos.com/fullchain.pem
+SSLCertificateKeyFile /etc/letsencrypt/live/ketrenos.com/privkey.pem
+Include /etc/letsencrypt/options-ssl-apache.conf
+</VirtualHost>
+</IfModule>
+<IfModule mod_ssl.c>
+<VirtualHost *:80>
+	ServerName ketrenos.com
+	ServerAlias *.ketrenos.com
+	Redirect permanent / https://ketrenos.com/
+	RewriteEngine On
+# Some rewrite rules in this file were disabled on your HTTPS site,
+# because they have the potential to create redirection loops.
+
+# 	RewriteCond %{HTTPS} off
+# 	RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+# RewriteCond %{SERVER_NAME} =ketrenos.com [OR]
+# RewriteCond %{SERVER_NAME} =*.ketrenos.com
+# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]
+</VirtualHost>
+</IfModule>

config/apache2/sites-available/ketrenos.com-ssl

@@ -0,0 +1,98 @@
+<IfModule mod_ssl.c>
+	SSLPassPhraseDialog exec:/etc/apache2/ssl/passphrase
+<VirtualHost *:4430>
+	ServerAdmin james_webmaster@ketrenos.com
+	ServerName ketrenos.com
+	ServerAlias www.ketrenos.com
+
+	DocumentRoot /var/www/ketrenos.com
+	<Directory />
+		Options FollowSymLinks
+		AllowOverride None
+	</Directory>
+	<Directory /var/www/>
+		Options Indexes FollowSymLinks MultiViews
+		AllowOverride all
+		Order allow,deny
+		allow from all
+	</Directory>
+
+#	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+#	<Directory "/usr/lib/cgi-bin">
+#		AllowOverride None
+#		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+#		Order allow,deny
+#		Allow from all
+#	</Directory>
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+
+	# Possible values include: debug, info, notice, warn, error, crit,
+	# alert, emerg.
+	LogLevel warn
+
+	CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
+
+	Alias /doc/ "/usr/share/doc/"
+	<Directory "/usr/share/doc/">
+		Options Indexes MultiViews FollowSymLinks
+		AllowOverride None
+		Order deny,allow
+		Deny from all
+		Allow from 127.0.0.0/255.0.0.0 ::1/128
+	</Directory>
+
+	#   SSL Engine Switch:
+	#   Enable/Disable SSL for this virtual host.
+	SSLEngine on
+
+	SSLProtocol all -SSLv2 -SSLv3
+	SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL
+
+
+	Include   /etc/letsencrypt/options-ssl-apache.conf
+
+
+	CustomLog  /var/log/apache2/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
+		SSLOptions +StdEnvVars
+	</FilesMatch>
+	<Directory /usr/lib/cgi-bin>
+		SSLOptions +StdEnvVars
+	</Directory>
+
+	#   SSL Protocol Adjustments:
+	#   The safe and default but still SSL/TLS standard compliant shutdown
+	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+	#   the close notify alert from client. When you need a different shutdown
+	#   approach you can use one of the following variables:
+	#   o ssl-unclean-shutdown:
+	#     This forces an unclean shutdown when the connection is closed, i.e. no
+	#     SSL close notify alert is send or allowed to received.  This violates
+	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+	#     this when you receive I/O errors because of the standard approach where
+	#     mod_ssl sends the close notify alert.
+	#   o ssl-accurate-shutdown:
+	#     This forces an accurate shutdown when the connection is closed, i.e. a
+	#     SSL close notify alert is send and mod_ssl waits for the close notify
+	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+	#     practice often causes hanging connections with brain-dead browsers. Use
+	#     this only for browsers where you know that their SSL implementation
+	#     works correctly.
+	#   Notice: Most problems of broken clients are also related to the HTTP
+	#   keep-alive facility, so you usually additionally want to disable
+	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+	#   "force-response-1.0" for this.
+	BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
+	# MSIE 7 and newer should be able to use keepalive
+	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+	Include   /etc/letsencrypt/options-ssl-apache.conf
+	SSLCertificateFile /etc/letsencrypt/live/ketrenos.com/fullchain.pem
+SSLCertificateKeyFile /etc/letsencrypt/live/ketrenos.com/privkey.pem
+Include /etc/letsencrypt/options-ssl-apache.conf
+</VirtualHost>
+</IfModule>

config/apache2/sites-available/kiaoramassage.com

@@ -0,0 +1,43 @@
+<VirtualHost *:8000>
+	ServerName kiaoramassage.com
+	ServerAdmin george_webmaster@kiaoramassage.com
+	ServerAlias *.kiaoramassage.com
+
+	DocumentRoot /var/www/kiaoramassage.com
+	<Directory />
+		Options FollowSymLinks
+		AllowOverride None
+	</Directory>
+	<Directory /var/www/kiaoramassage.com>
+		Options Indexes FollowSymLinks MultiViews
+		AllowOverride None
+		Order allow,deny
+		allow from all
+	</Directory>
+
+#	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+#	<Directory "/usr/lib/cgi-bin">
+#		AllowOverride None
+#		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+#		Order allow,deny
+#		Allow from all
+#	</Directory>
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+
+	# Possible values include: debug, info, notice, warn, error, crit,
+	# alert, emerg.
+	LogLevel warn
+
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+    Alias /doc/ "/usr/share/doc/"
+    <Directory "/usr/share/doc/">
+        Options Indexes MultiViews FollowSymLinks
+        AllowOverride None
+        Order deny,allow
+        Deny from all
+        Allow from 127.0.0.0/255.0.0.0 ::1/128
+    </Directory>
+
+</VirtualHost>

config/apache2/sites-available/misty-dog.ketrenos.com

@@ -0,0 +1,31 @@
+<VirtualHost *:4430>
+	ServerAdmin james_webmaster@ketrenos.com
+	ServerName misty-dog.ketrenos.com
+	ServerAlias misty-dog.ketrenos.com
+
+	DocumentRoot /home/marina/misty-dog/
+	
+	<Location />
+		ProxyPass http://192.168.1.78:11011/
+		ProxyPassReverse http://192.168.1.78:11011/
+	</Location>
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+
+	# Possible values include: debug, info, notice, warn, error, crit,
+	# alert, emerg.
+	LogLevel warn
+	SSLEngine on
+	SSLProtocol all -SSLv2 -SSLv3
+	SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL
+
+	CustomLog   /var/log/apache2/ssl_request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+	BrowserMatch  "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
+	# MSIE 7 and newer should be able to use keepalive
+	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+
+	SSLCertificateFile   /etc/letsencrypt/live/ketrenos.com/fullchain.pem
+	SSLCertificateKeyFile /etc/letsencrypt/live/ketrenos.com/privkey.pem
+	Include /etc/letsencrypt/options-ssl-apache.conf
+</VirtualHost>

config/apache2/sites-available/sketchitect.com

@@ -0,0 +1,43 @@
+<VirtualHost *:8000>
+	ServerName sketchitect.com
+	ServerAdmin christopher_webmaster@sketchitect.com
+	ServerAlias *.sketchitect.com
+
+	DocumentRoot /var/www/sketchitect.com
+	<Directory />
+		Options FollowSymLinks
+		AllowOverride None
+	</Directory>
+	<Directory /var/www/sketchitect.com>
+		Options Indexes FollowSymLinks MultiViews
+		AllowOverride None
+		Order allow,deny
+		allow from all
+	</Directory>
+
+#	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+#	<Directory "/usr/lib/cgi-bin">
+#		AllowOverride None
+#		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+#		Order allow,deny
+#		Allow from all
+#	</Directory>
+
+	ErrorLog ${APACHE_LOG_DIR}/error.log
+
+	# Possible values include: debug, info, notice, warn, error, crit,
+	# alert, emerg.
+	LogLevel warn
+
+	CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+    Alias /doc/ "/usr/share/doc/"
+    <Directory "/usr/share/doc/">
+        Options Indexes MultiViews FollowSymLinks
+        AllowOverride None
+        Order deny,allow
+        Deny from all
+        Allow from 127.0.0.0/255.0.0.0 ::1/128
+    </Directory>
+
+</VirtualHost>

config/apache2/sites-enabled/ketrenos.com-ssl.conf

@@ -0,0 +1 @@
+../sites-available/ketrenos.com-ssl

config/apache2/sites-enabled/ketrenos.com.conf

@@ -0,0 +1 @@
+../sites-available/ketrenos.com

config/apache2/sites-enabled/kiaoramassage.com.conf

@@ -0,0 +1 @@
+../sites-available/kiaoramassage.com

config/apache2/sites-enabled/sketchitect.com.conf

@@ -0,0 +1 @@
+../sites-available/sketchitect.com

config/cron.d/letsencrypt

@@ -0,0 +1,10 @@
+# at 1:45am, and keeps it open for 10 minutes
+47 6 * * * /usr/bin/certbot renew --quiet --no-self-upgrade --webroot -w /var/www/ketrenos.com
+#50 6 * * * /usr/bin/rsync -aprl --delete /etc/letsencrypt/ /home/jketreno/letsencrypt/ > /dev/null
+#50 7 * * * /usr/bin/rsync -aprl --delete /etc/letsencrypt/ media:/home/jketreno/letsencrypt/ > /dev/null
+#51 6 * * * /bin/chown -R jketreno: /home/jketreno/letsencrypt
+#52 6 * * * /usr/sbin/service nginx restart
+#53 6 * * * /usr/sbin/service apache2 restart
+54 6 * * * /usr/bin/scp -q -i /keys/opnsense-letsencrypt /etc/letsencrypt/live/ketrenos.com/{fullchain,privkey}.pem letsencrypt@opnsense.ketrenos.com:.
+55 6 * * * /usr/bin/ssh -i /keys/opnsense-letsencrypt letsencrypt@opnsense.ketrenos.com sudo ./update-cert.sh fullchain.pem privkey.pem
+

config/letsencrypt/.gitignore

@@ -0,0 +1,5 @@
+archive
+live
+keys
+csr
+renewal

config/letsencrypt/.updated-options-ssl-apache-conf-digest.txt

@@ -0,0 +1 @@
+c0c022ea6b8a51ecc8f1003d0a04af6c3f2bc1c3ce506b3c2dfc1f11ef931082

config/letsencrypt/.updated-options-ssl-nginx-conf-digest.txt

@@ -0,0 +1 @@
+4b16fec2bcbcd8a2f3296d886f17f9953ffdcc0af54582452ca1e52f5f776f16

config/letsencrypt/.updated-ssl-dhparams-pem-digest.txt

@@ -0,0 +1 @@
+9ba6429597aeed2d8617a7705b56e96d044f64b07971659382e426675105654b

config/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/d519585e86c9d382b1cdee04e5e79080/meta.json

@@ -0,0 +1 @@
+{"creation_host": "webserver.ketrenos.net", "creation_dt": "2017-02-19T01:37:32Z"}

config/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/d519585e86c9d382b1cdee04e5e79080/private_key.json

@@ -0,0 +1 @@
+{"e": "AQAB", "d": "iXql6y2p6w9My0NnJ1irdCHWGdJNSZjHMPuOQmyKGgdil3_hM1t_N9zhdeZSJ1_Z454yV6ZouSbNZZqkxhP6k3Ps8UwupQXsJ7WVCBWMlPfWt8uS5pHiv_0rnbZK26lv6sQ9iEzv1zjwjjx5R25I8GuyPkEdU7k4q9cnQMHunVnwmfw6Kwc1IAG81LXRa3GNjqEHqpXs1pBfZ9XWGc6TtJL4Q2jvIeroTvZOn_Y0a-jgMxtWbzAFoiyYWN4xLGHGK4VTJD_Mg_RnZOhYIAVwmQ8UyWgtkmg9pYV4uyeN1-1OJWWnBhwYJh0HMMMW27c0mAcwokUVCrKmAUsvbSuSEQ", "n": "owFqGNKgO9ghsSLeHp9aqP_HXWGxML3uWl0NUezYvwu9MMMnq267Xi1DzvFDTZrffm4p_PvXuQGwOrotfAGrnKhBA1SioDbqi5nCUQaSDR5Hc-F7WJXOc7GdeWGWd5FE0LtfSli4nHkohYVWfNgM9k384M8GXhYVriIe2F6NoIt-sMawJBhTlyYPea_CsUHwph-IVv75DE7D5791vtmIMgCsPUvjiery7yznHnUzl3Zi1oy7ant3kJe-1vqeXeeWi6XkgCM03dZ9cJU15reHwSJCM3P9fqSUNVSduYJ1RojmWZr0Eal_bEyboKhCRJxRrwXvZGg2KLPXWsUeFvugPw", "q": "wv5O29wzQhTN7SFk3EyEzv_CaGlNpWHRm16juMIqE-fjYQBw1EAlz_mLlX8rxifA74QhRiZtT1UNv-r0y7xsi_n3oyQ4azV0RJihQJAMp9ZAr9nTtEYCumNIfCBKF6MApuTMee4ZFta6iw15xXkjTYgabuHAWpPq-3_KIL7ThKM", "p": "1gEWju7ASNciHjiG5T0zNfjPfjCjS88I7VNsgIxJIPbIJ3_gd34Kab9dbsDAACuOKBRCHqLn3p55ukbaSWgoOl5--WNQWjUHKTq79YWpEMb4XlYeyRfs9r2SM7IGZ_XKhh66GL_aQsM__TBFRE4_JjAJIY71TJSz4l4VJ3O6U7U", "kty": "RSA", "qi": "bbh-F64j-Xs4AHfETb9hG_koXWsf40AqcIdqvA3-FunRl6hBVPpTtJPkdaj78ZlcEIP-1FGme10mNxKYucbeNZci7gyuDbfWPojjTXjUzomjXjs8CqCycnBU6CYmnZikJvIfHNdmmHjxYFmmNcsEI6gKlkh1ZUPd3vevMg8a-18", "dp": "EIeI_IVIaNflFLx8_tvZRsPvEuoi0sotAFe_O7aaN2eYUiS4a8Jaf4x-ZP2SVvEGS-Y0rTUb_7_x2wd5-M2IvelqmUyoei86XF7jAbXPNzKHIJI6UoH8lZpS3pdTk1gSyoU5DoxTCXEXUjEWSI5aplJzghoOrFmYA1YNAD0aGTk", "dq": "hWeBQjALrYkYPcTcAVAkiI44TkDFC4G56sc70bqdGRNL3-ByUPQ2Kmx7D-N6ak5mVDecoCbIID97cbLomb6msLlqr-Wm58ohapDVuZsT3Xvas7SefzZqxWQJgkqBBlzRpFzifATmi1aLN3kXt3-iJHgaRYQTmqSaXkhWXELR6Ws"}

config/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/d519585e86c9d382b1cdee04e5e79080/regr.json

@@ -0,0 +1 @@
+{"body": {"agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf", "key": {"e": "AQAB", "kty": "RSA", "n": "owFqGNKgO9ghsSLeHp9aqP_HXWGxML3uWl0NUezYvwu9MMMnq267Xi1DzvFDTZrffm4p_PvXuQGwOrotfAGrnKhBA1SioDbqi5nCUQaSDR5Hc-F7WJXOc7GdeWGWd5FE0LtfSli4nHkohYVWfNgM9k384M8GXhYVriIe2F6NoIt-sMawJBhTlyYPea_CsUHwph-IVv75DE7D5791vtmIMgCsPUvjiery7yznHnUzl3Zi1oy7ant3kJe-1vqeXeeWi6XkgCM03dZ9cJU15reHwSJCM3P9fqSUNVSduYJ1RojmWZr0Eal_bEyboKhCRJxRrwXvZGg2KLPXWsUeFvugPw"}}, "uri": "https://acme-staging.api.letsencrypt.org/acme/reg/925336", "new_authzr_uri": "https://acme-staging.api.letsencrypt.org/acme/new-authz", "terms_of_service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"}

config/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/25cdd460c4f828fec6b44768359c1e13/meta.json

@@ -0,0 +1 @@
+{"creation_host": "webserver.ketrenos.net", "creation_dt": "2017-02-19T01:35:29Z"}

config/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/25cdd460c4f828fec6b44768359c1e13/private_key.json

@@ -0,0 +1 @@
+{"e": "AQAB", "d": "tj1Z63cSgC7JJEBbtPQh8rb5j6h1rLbzNc_iVWYtZFRHXOxrX4p5cqLnAaAypiqCME27o_Ow-CHajojB32xrtWUdp5PH423wrk66qk7mWHbm-j6KPXv5EySWurk_j2XDef-paIzwV_3N3NoxoOp3PHwSqpqAJ6vTfIO8Z_daIy37f5r1bQ6BU7R-OpLXqAtCnakmyfBeFOnBKh-IfNK5eKS8UbraVp86o4CPLm1jxX2WBO753GbM08gSCgIjUEA_5Wlu2sSuO6MUxzSYkfICdStRXe5_ppgrUDngZudJtPgWLgEqmI5X4V3NzqrPIRirwHjtGGx4RuyNjnNhDc738Q", "n": "5vcVs9XKhSC0iItysmOH-OAvFU_5Nq6vqR9fY67DxMeG7y6INdoNvQpAO0jKNrChAdONplJaSbpwDbg6dRzVOJWaJmTcVkSlO23N0OhnXXz5kynwWKqH46vKMY4oWbsmyWVKhbUP-GMATiPxlFhMq2fk0xlV_2BKLmw7_-tqfCOeGGPHPf8FH5Sx7DXbOPBDcTPLNGZn57Y7tm8v2nRiMf8LZxY2qNPQfmiNVtTE6O6aYrhM9o7nhDHdlHGw8BMZcM-VgZwdBekNYZCcDxwNeo0Q21wvzNaWPGiJoBNX1BS2K5xSgHEt5LLczGidwN6gkz3OJMDQ97VYL-SAGU4baw", "q": "63JY7idodcSXI0Lqs3FE-H58RMDtEmxBv4YWsZuISFAy1g7ZyCnDHJ7YeO4G69BYatc_tokOEsFBou51quWjzvPX6ANYSiQxE9IV0Z5ozSRAObso11XrIgMy2-RXUQFv24UpawT9iu_EPHWL6u_Zf5JRooUWEHH7VMgUgNbLl8k", "p": "-yCWR_8J23rItwm5zMnltNtDHB3sCfv-M0Rqt9vnikdGHKYZHSBHRtKwtzCY4rh4G71oXZQHybvPX3cs_kV3vauXLK2H0K6ctbsjFlSCN_rI3qoPcimfQomSWcCqs5ZXgqIYdr-uWTB_y-1K62HlJhthTbOrZuy0ZuM7JSul25M", "kty": "RSA", "qi": "RHbb1Koh0wCo8S9aQ-uGBm2spj8HGy7LrRmQHnZzYZijItNo4aMiDsdwLHr_ZSHOLt-TQX9LFFPF66QGHmBAcQWsmyCCSriWjunM0ksNH6IhUz_vqDjuPAlAg6Q5xEMcPCcSFUzTuwoBjlCLscPiZw75NTMLNfdlKxkeIknofJo", "dp": "gLE9cl3XfltY2rwoNDNO_TTUGmeXG7LAnSM1kU0nReyqmGniOtPc0wWLvAUyhBVGr-iLwFDpAM-3QNQBAbk12MRDb4jqLd4dvt_M5leed_OT1s_NpJKB5AY-MrKSh__GjtJkuQ4X2esJwsay-xcq6DFl1vz5HIC3HnbaS30nvPM", "dq": "ld1D89sLp6KJnT0zzSI1B4LjMJQokohr1S_RdB2OwpChuxTa1IiYk7gcC-VebG1CSkdWW6ajWZa_Y6krJqti-BDIBftTEGY3Aum_T5zoEmOXqeeSmHYs44prrgGK_pnOjEkXUvJrPCtfmigr9k_S_luxMKRLpg4XLyDnxBZ0otk"}

config/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/25cdd460c4f828fec6b44768359c1e13/regr.json

@@ -0,0 +1 @@
+{"body": {"contact": ["mailto:james_letsencrypt@ketrenos.com"], "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf", "key": {"e": "AQAB", "kty": "RSA", "n": "5vcVs9XKhSC0iItysmOH-OAvFU_5Nq6vqR9fY67DxMeG7y6INdoNvQpAO0jKNrChAdONplJaSbpwDbg6dRzVOJWaJmTcVkSlO23N0OhnXXz5kynwWKqH46vKMY4oWbsmyWVKhbUP-GMATiPxlFhMq2fk0xlV_2BKLmw7_-tqfCOeGGPHPf8FH5Sx7DXbOPBDcTPLNGZn57Y7tm8v2nRiMf8LZxY2qNPQfmiNVtTE6O6aYrhM9o7nhDHdlHGw8BMZcM-VgZwdBekNYZCcDxwNeo0Q21wvzNaWPGiJoBNX1BS2K5xSgHEt5LLczGidwN6gkz3OJMDQ97VYL-SAGU4baw"}}, "uri": "https://acme-v01.api.letsencrypt.org/acme/reg/9766723", "new_authzr_uri": "https://acme-v01.api.letsencrypt.org/acme/new-authz", "terms_of_service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"}

config/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory

@@ -0,0 +1 @@
+/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory

config/letsencrypt/cli.ini

@@ -0,0 +1,3 @@
+# Because we are using logrotate for greater flexibility, disable the
+# internal certbot logrotation.
+max-log-backups = 0

config/letsencrypt/options-ssl-apache.conf

@@ -0,0 +1,26 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+SSLEngine on
+
+# Intermediate configuration, tweak to your needs
+SSLProtocol             all -SSLv2 -SSLv3
+SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
+SSLHonorCipherOrder     on
+SSLCompression          off
+
+SSLOptions +StrictRequire
+
+# Add vhost name to log entries:
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
+LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
+
+#CustomLog /var/log/apache2/access.log vhost_combined
+#LogLevel warn
+#ErrorLog /var/log/apache2/error.log
+
+# Always ensure Cookies have "Secure" set (JAH 2012/1)
+#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

config/letsencrypt/options-ssl-nginx.conf

@@ -0,0 +1,13 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_session_cache shared:le_nginx_SSL:1m;
+ssl_session_timeout 1440m;
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

config/letsencrypt/ssl-dhparams.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

config/nginx/sites-available/default

@@ -0,0 +1,662 @@
+# Default server configuration
+#
+server {
+	listen 80 default_server;
+	listen [::]:80 default_server;
+	return 301 https://$host$request_uri;
+}
+
+server {
+	listen 443 ssl;
+	root /var/www/html;
+
+	client_max_body_size 5g;
+	server_name ketrenos.com;
+
+        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+
+        location /keys {
+          auth_basic "Restricted";
+          auth_basic_user_file /var/www/ketrenos.com/keys/.htpasswd;
+        }
+
+        location /fsm {
+          alias /var/www/ketrenos.com/fsm;
+          autoindex on;
+        }
+
+        location /files {
+          alias /var/www/ketrenos.com/files;
+          autoindex on;
+        }
+
+        location /funeral {
+          alias /var/www/ketrenos.com/funeral;
+          autoindex on;
+        }
+
+	location /tfm/ {
+	    proxy_pass http://192.168.1.78:4205/;
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	}
+
+	location /shell/ {
+	    proxy_pass https://192.168.1.78:4200/shell/;
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	}
+
+	location /opnsense/ {
+	    proxy_pass https://192.168.1.10/;
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	}
+
+
+        location /valheim {
+          alias /var/www/ketrenos.com/valheim;
+          index index.html;
+        }
+
+        location ~* ^(/.well-known) {
+	    root /var/www/ketrenos.com;
+	}
+	
+	rewrite ^/ketr.ketran/games/(.*)$ /ketr.ketran/$1 permanent;
+
+	location /ketr.ketran { 
+          root /var/www/ketrenos.com;
+          index unresolvable-file-html.html;
+          try_files $uri @index;
+        }
+    
+        # This seperate location is so the no cache policy only applies to the index and nothing else.
+        location @index {
+          root /var/www/ketrenos.com/ketr.ketran;
+          add_header Cache-Control no-cache;
+          expires 0;
+          try_files /index.html =404;
+        }
+
+	rewrite ^/ketr.test/games/(.*)$ /ketr.test/$1 permanent;
+
+	location /ketr.test { 
+          root /var/www/ketrenos.com;
+          index unresolvable-file-html.html;
+          try_files $uri @indextest;
+        }
+    
+
+        # This seperate location is so the no cache policy only applies to the index and nothing else.
+        location @indextest {
+          root /var/www/ketrenos.com/ketr.test;
+          add_header Cache-Control no-cache;
+          expires 0;
+          try_files /index.html =404;
+        }
+
+        location /splodice {
+          index index.html;
+          root /var/www/ketrenos.com;
+          add_header Last-Modified $date_gmt;
+          add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
+          if_modified_since off;
+          expires off;
+          etag off;
+	}
+
+  location /airsonic {
+    proxy_pass http://azurite.ketrenos.com:4040;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header Host $http_host;
+    proxy_set_header X-NginX-Proxy true;
+    proxy_pass_header Set-Cookie;
+    proxy_pass_header P3P;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+  }
+
+	location /fallriver {
+	    proxy_pass http://192.168.1.78:8766;
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	}
+
+	location /chalk {
+	    proxy_pass http://192.168.1.78:8765;
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	}
+
+	location /ketr.test/api {
+	    proxy_pass http://192.168.1.78:8931;
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	}
+
+	location /ketr.ketran/api {
+	    proxy_pass http://192.168.1.78:8930;
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	}
+
+	location /roundcube {
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	    proxy_pass http://192.168.1.78:8124/;
+	}
+
+	location ~* ^(/webmail(/.*)?|/mail(/.*)?)$ {
+            root /var/www/ketrenos.com;
+	    try_files /horde-deprecated.html =404;
+	}
+
+	location ~* ^(/mailman) {
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	    proxy_pass https://localhost:4430;
+	    proxy_redirect https://localhost:4430 https://ketrenos.com;
+	}
+
+	location ~* ^(/site|/recipes|/~jketreno/.*|/~christopher) {
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	    proxy_pass https://localhost:4430;
+	    proxy_redirect https://localhost:4430 https://ketrenos.com;
+	}
+
+	location /dad {
+	    proxy_pass http://192.168.1.78:8134;
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	}
+
+	location / {
+            proxy_ssl_verify off;
+	    proxy_pass https://192.168.1.78:8123;
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	}
+}
+
+server {
+        server_name goodtime.ketrenos.com;
+        listen 443 ssl;
+        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+        location ~* ^(/.well-known) {
+            root /var/www/ketrenos.com;
+        }
+	return 301 https://goodtimes.ketrenos.com$request_uri;
+}
+
+server {
+        server_name vnc.ketrenos.com;
+        listen 443 ssl;
+        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+        location ~* ^(/.well-known) {
+            root /var/www/ketrenos.com;
+        }
+	location / {
+	    proxy_pass http://192.168.1.152:6081/;
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	}
+}
+
+server {
+        server_name goodtimes.ketrenos.com;
+        listen 443 ssl;
+        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+
+        location ~* ^(/.well-known) {
+            root /var/www/ketrenos.com;
+        }
+
+	location / { 
+          root /var/www/goodtimes.ketrenos.com;
+          index unresolvable-file-html.html;
+          try_files $uri @index;
+        }
+
+        # This seperate location is so the no cache policy only applies to the index 
+        # and nothing else.
+
+        location @index {
+          root /var/www/goodtimes.ketrenos.com/;
+          add_header Cache-Control no-cache;
+          expires 0;
+          try_files /index.html =404;
+        }
+
+        location /api {
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Host $http_host;
+            proxy_set_header X-NginX-Proxy true;
+            proxy_pass_header Set-Cookie;
+            proxy_pass_header P3P;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_pass http://192.168.1.69:11141;
+        }
+}
+
+server {
+        server_name git.ketrenos.com;
+        listen 443 ssl;
+        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+
+        location ~* ^(/.well-known) {
+            root /var/www/ketrenos.com;
+        }
+
+        location / {
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Host $http_host;
+            proxy_set_header X-NginX-Proxy true;
+            proxy_pass_header Set-Cookie;
+            proxy_pass_header P3P;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_pass http://192.168.1.78:8300;
+        }
+}
+
+server {
+        server_name media.ketrenos.com;
+        listen 443 ssl;
+        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+
+        location ~* ^(/.well-known) {
+            root /var/www/ketrenos.com;
+        }
+
+        location /deluge/ {
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Host $http_host;
+            proxy_set_header X-NginX-Proxy true;
+            proxy_pass_header Set-Cookie;
+            proxy_pass_header P3P;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_pass http://192.168.1.69:8112/;
+        }
+
+        location / {
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Host $http_host;
+            proxy_set_header X-NginX-Proxy true;
+            proxy_pass_header Set-Cookie;
+            proxy_pass_header P3P;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_pass http://192.168.1.69:8096;
+        }
+}
+
+server {
+        server_name fallriver.ketrenos.com;
+        listen 443 ssl;
+        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+
+        location ~* ^(/.well-known) {
+            root /var/www/ketrenos.com;
+        }
+
+        # make sure there is a trailing slash at the browser
+        # or the URLs will be wrong
+        location = /netdata {
+          return 301 /netdata/;
+        }
+
+        location ~ /netdata/(?<ndpath>.*) {
+          proxy_redirect off;
+          proxy_set_header Host $host;
+
+          proxy_set_header X-Forwarded-Host $host;
+          proxy_set_header X-Forwarded-Server $host;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_http_version 1.1;
+          proxy_pass_request_headers on;
+          proxy_set_header Connection "keep-alive";
+          proxy_store off;
+          proxy_pass http://192.168.1.78:19999/$ndpath$is_args$args;
+
+          gzip on;
+          gzip_proxied any;
+          gzip_types *;
+        }
+
+        location / {
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Host $http_host;
+            proxy_set_header X-NginX-Proxy true;
+            proxy_pass_header Set-Cookie;
+            proxy_pass_header P3P;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_pass http://192.168.1.78:8767;
+        }
+}
+
+server {
+	server_name budget.ketrenos.com;
+	listen 443 ssl;
+        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+
+        location ~* ^(/.well-known) {
+	    root /var/www/ketrenos.com;
+	}
+
+	location / {
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	    proxy_pass http://192.168.1.78:9876;
+	}
+}
+
+server {
+	server_name mail.ketrenos.com;
+	listen 443 ssl;
+        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+
+        location ~* ^(/.well-known) {
+	    root /var/www/ketrenos.com;
+	}
+
+	location / {
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	    proxy_pass http://192.168.1.78:8124;
+	}
+}
+
+server {
+	server_name commento.ketrenos.com;
+	listen 443 ssl;
+        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+
+        location ~* ^(/.well-known) {
+	    root /var/www/ketrenos.com;
+	}
+
+	location / {
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	    proxy_pass http://192.168.1.78:2080;
+	}
+}
+
+server {
+	server_name misty-dog.ketrenos.com;
+	listen 443 ssl;
+        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+
+        location ~* ^(/.well-known) {
+	    root /var/www/ketrenos.com;
+	}
+
+	location / {
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	    proxy_pass http://192.168.1.78:11011;
+	}
+}
+
+server {
+	server_name mastodon.ketrenos.com;
+	listen 443 ssl;
+        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+
+	client_max_body_size 100M;
+
+        location ~* ^(/.well-known) {
+	    root /var/www/ketrenos.com;
+	}
+
+	location / {
+	    proxy_set_header X-Real-IP $remote_addr;
+	    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	    proxy_set_header X-Forwarded-Proto $scheme;
+	    proxy_set_header Host $http_host;
+	    proxy_set_header X-NginX-Proxy true;
+	    proxy_pass_header Set-Cookie;
+	    proxy_pass_header P3P;
+	    proxy_http_version 1.1;
+	    proxy_set_header Upgrade $http_upgrade;
+	    proxy_set_header Connection "upgrade";
+	    proxy_pass http://192.168.1.78:3500;
+	}
+}
+
+server {
+        server_name portland-werewolf.com;
+        listen 443 ssl;
+        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+        location ~* ^(/.well-known) {
+            root /var/www/ketrenos.com;
+        }
+
+	location / { 
+          root /var/www/portland-werewolf.com/client;
+          index unresolvable-file-html.html;
+          try_files $uri @index;
+        }
+
+        # This seperate location is so the no cache policy only applies to the index 
+        # and nothing else.
+
+        location @index {
+          root /var/www/portland-werewolf.com/client;
+          add_header Cache-Control no-cache;
+          expires 0;
+          try_files /index.html =404;
+        }
+
+        location /api {
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Host $http_host;
+            proxy_set_header X-NginX-Proxy true;
+            proxy_pass_header Set-Cookie;
+            proxy_pass_header P3P;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_pass http://192.168.1.69:11142;
+        }
+}
+
+
+server {
+        server_name opnsense.ketrenos.com;
+        listen 443 ssl;
+        ssl_certificate /etc/letsencrypt/live/ketrenos.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/ketrenos.com/privkey.pem;
+        location ~* ^(/.well-known) {
+            root /var/www/ketrenos.com;
+        }
+
+        location / {
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Host $http_host;
+            proxy_set_header X-NginX-Proxy true;
+            proxy_pass_header Set-Cookie;
+            proxy_pass_header P3P;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_pass https://192.168.1.10;
+        }
+}
+

config/nginx/sites-enabled/default

@@ -0,0 +1 @@
+../sites-available/default

docker-compose.yml

@@ -0,0 +1,53 @@
+version: "3.1"
+services:
+  webserver:
+    image: ketreweb
+    container_name: ketreweb
+    build:
+      context: .
+      dockerfile: Dockerfile
+    restart: always
+    volumes:
+      - ./config/nginx/sites-enabled:/etc/nginx/sites-enabled:ro
+      - ./config/nginx/sites-available:/etc/nginx/sites-available:ro
+      - ./config/apache2/envvars:/etc/apache2/envvars:ro
+      - ./config/apache2/ports.conf:/etc/apache2/ports.conf:ro
+      - ./config/apache2/sites-enabled:/etc/apache2/sites-enabled:ro
+      - ./config/apache2/sites-available:/etc/apache2/sites-available:ro
+      - ./config/letsencrypt/live:/etc/letsencrypt/live:ro
+      - ./config/letsencrypt/archive:/etc/letsencrypt/archive:ro
+      - ./run.sh:/run.sh:ro
+      - ./data/log:/var/log:rw
+      - ./www:/var/www:ro
+    ports:
+      - 80:80
+      - 443:443
+  roundcube:
+    image: roundcube/roundcubemail
+    container_name: ketreweb-roundcube
+    user: root
+    environment:
+    - ROUNDCUBEMAIL_DEFAULT_HOST=tls://ketrenos.com
+    - ROUNDCUBEMAIL_SMTP_SERVER=tls://ketrenos.com
+    - ROUNDCUBEMAIL_SMTP_PORT=587
+    ports:
+      - 8124:80
+    restart: always
+    volumes:
+      - ./config/roundcube:/var/roundcube/config:ro
+      - ./data/roundcube/db:/var/roundcube/db:rw
+      - ./data/roundcube/html:/var/www/html:rw
+  cron:
+    image: ketre-cron
+    container_name: ketreweb-cron
+    build:
+      context: .
+      dockerfile: Dockerfile.cron
+    restart: always
+    volumes:
+      - ./config/letsencrypt:/etc/letsencrypt:rw
+      - ./config/cron.d:/etc/cron.d:ro
+      - ./data/log:/var/log:rw
+      - ./keys:/keys:ro
+      - ./www:/var/www:rw
+

ketreweb.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+if [[ -d /var/run/apache2 ]]; then
+  mkdir -p /var/run/apache2
+fi
+
+while true; do
+  echo "Starting apache2"
+  . /etc/apache2/envvars
+  /usr/sbin/apache2 -D FOREGROUND
+  echo "apache2 died: $?"
+  sleep 5
+done &
+
+while true; do
+  echo "Starging nginx"
+  /usr/sbin/nginx -g 'daemon off;'
+  echo "nginx died: $?"
+  sleep 5
+done &
+
+#
+# Watch for letsencrypt changes and if they occur, restart nginx and apache2
+#
+while inotifywait -e modify /etc/letsencrypt/archive; do 
+  kill -9 "$(cat /var/run/nginx.pid)" "$(cat /var/run/apache2.pid)"
+done