From: Shane Jaroch
Date: Mon, 19 Jan 2026 08:14:55 +0000 (-0500)
Subject: wip
X-Git-Url: https://git.nutra.tk/v1?a=commitdiff_plain;h=bd768c1ccc067401921f44b1c747e6f3313dac2a;p=nutratech%2Fvps-root.git

wip
---
diff --git a/etc/nginx/conf.d/default.dev.conf b/etc/nginx/conf.d/default.dev.conf
new file mode 100644
index 0000000..b866859
--- /dev/null
+++ b/etc/nginx/conf.d/default.dev.conf
@@ -0,0 +1,203 @@
+# API
+server {
+ # Service: API | https://api.dev.nutra.tk
+ server_name api-dev.nutra.tk api.dev.nutra.tk;
+ #listen 80;
+ listen 443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ # HSTS
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+ # Sanic
+ location / {
+ proxy_pass http://127.0.0.1:20000; # API server
+ # Allow fast streaming HTTP/1.1 pipes (keep-alive, unbuffered)
+ proxy_http_version 1.1;
+ proxy_request_buffering off;
+ proxy_buffering off;
+ # Proxy forwarding (password configured in app.config.FORWARDED_SECRET)
+ # and stored in: /etc/nginx/conf.d/secrets.conf
+ proxy_set_header forwarded "$proxy_forwarded;secret=\"$proxy_secret_key\"";
+ # Allow websockets and keep-alive (avoid connection: close)
+ proxy_set_header connection "upgrade";
+ proxy_set_header upgrade $http_upgrade;
+ }
+
+ # default favicon
+ location /favicon.ico {
+ alias /var/www/favicon.gif;
+ }
+}
+
+
+# Store Front (MedusaJS)
+server {
+ # Service: Store | https://store.nutra.tk
+ server_name store.nutra.tk;
+ #listen 80;
+ listen 443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ location / {
+ proxy_pass http://localhost:8000;
+ }
+}
+
+# Store [Admin UI] (MedusaJS)
+server {
+ # Service: Store Admin | https://store-admin-8b56411b.nutra.tk
+ server_name store-api.nutra.tk store-admin-8b56411b.nutra.tk;
+ #listen 80;
+ listen 443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ location / {
+ proxy_pass http://localhost:9000;
+ }
+}
+
+
+# UI, blog, favicon, default server
+server {
+ server_name dev.nutra.tk;
+
+ # HTTP/3 (QUIC) - UDP
+ listen 443 quic reuseport default_server;
+ listen [::]:443 quic reuseport default_server;
+
+ # HTTP/2 & 1.1 (Fallback) - TCP
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ # Enable protocols
+ http2 on;
+ http3 on;
+
+ # Advertise HTTP/3 availability
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+
+ client_max_body_size 50m;
+
+ # HSTS
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
+ # OCSP stapling (NOTE: Responders disabled by letsencrypt as of Q3 2025)
+ #ssl_stapling on;
+ #ssl_stapling_verify on;
+
+ # Services Map (Homepage)
+ location / {
+ alias /var/www/homepage.html;
+ default_type text/html;
+ }
+
+# # Blog / Sphinx
+# location /blog {
+# alias /var/www/blog;
+# index index.html;
+# }
+
+ # default favicon
+ location = /favicon.ico {
+ alias /var/www/favicon.gif;
+ }
+
+ # Other
+ location ~ /.well-known {
+ allow all;
+ }
+
+ # CV paths
+ location ~ ^/cv/(~?swe|swe~/resume\.pdf)$ {
+ alias /var/www/cv/swe/resume.pdf;
+ default_type application/pdf;
+ }
+ location ~ ^/resume(\.pdf|/swe\.pdf)$ {
+ alias /var/www/cv/swe/resume.pdf;
+ default_type application/pdf;
+ }
+
+ # public folder
+ location /public {
+ root /var/www;
+ autoindex on;
+ #index index.html index.htm;
+ #try_files $uri $uri/ /index.html =404;
+ }
+
+ # HTTPS / SSL
+ ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Redirect www.dev.nutra.tk -> dev.nutra.tk
+server {
+ listen 443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+ server_name www.dev.nutra.tk;
+
+ ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ return 301 https://dev.nutra.tk$request_uri;
+}
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Listen on 443 with matrix / synapse
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+server {
+ listen 443 ssl;
+ listen 443 quic;
+ http2 on;
+ http3 on;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ server_name matrix.nutra.tk chat.nutra.tk;
+
+ location / {
+ # Service: Matrix Chat | https://chat.nutra.tk
+ proxy_pass http://127.0.0.1:8008;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+ location /favicon.ico {
+ alias /var/www/favicon.gif;
+ }
+}
+
+# Open matrix chat on 8448
+server {
+ listen 8448 ssl default_server;
+ listen [::]:8448 ssl default_server;
+ server_name dev.nutra.tk;
+
+ location / {
+ proxy_pass http://127.0.0.1:8008;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+ # HTTPS / SSL
+ ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
diff --git a/etc/nginx/conf.d/default.prod.conf b/etc/nginx/conf.d/default.prod.conf
new file mode 100644
index 0000000..b866859
--- /dev/null
+++ b/etc/nginx/conf.d/default.prod.conf
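Review bot: In both Synapse server blocks (the :443 block for matrix.nutra.tk/chat.nutra.tk and the :8448 block) `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;` relays whatever X-Forwarded-Proto the client chose to send rather than the scheme nginx itself terminated, so the backend's notion of "was this HTTPS" is controlled by the requester; since nginx is the TLS endpoint here it should be `proxy_set_header X-Forwarded-Proto $scheme;`, and the same two lines recur in the default.prod.conf hunk. Those locations also pass no `Host`, so the upstream sees the default `Host: 127.0.0.1:8008`; if the application builds URLs from it, `proxy_set_header Host $host;` belongs next to the forwarded headers. `location ~ /.well-known { allow all; }` is an unanchored regex in which `.` matches any character and sets no root of its own, so it serves from whatever root the enclosing server inherits; anchoring it (`location ^~ /.well-known/ { ... }`) with an explicit root would pin the intent. The api, store, store-admin and matrix blocks use `listen 443 ssl` without any `ssl_certificate`, so they presumably rely on a certificate declared at the http level in a file outside this diff; a one-line comment naming that file would save the next reader a search.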
@@ -0,0 +1,203 @@
+# API
+server {
+ # Service: API | https://api.dev.nutra.tk
+ server_name api-dev.nutra.tk api.dev.nutra.tk;
+ #listen 80;
+ listen 443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ # HSTS
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+ # Sanic
+ location / {
+ proxy_pass http://127.0.0.1:20000; # API server
+ # Allow fast streaming HTTP/1.1 pipes (keep-alive, unbuffered)
+ proxy_http_version 1.1;
+ proxy_request_buffering off;
+ proxy_buffering off;
+ # Proxy forwarding (password configured in app.config.FORWARDED_SECRET)
+ # and stored in: /etc/nginx/conf.d/secrets.conf
+ proxy_set_header forwarded "$proxy_forwarded;secret=\"$proxy_secret_key\"";
+ # Allow websockets and keep-alive (avoid connection: close)
+ proxy_set_header connection "upgrade";
+ proxy_set_header upgrade $http_upgrade;
+ }
+
+ # default favicon
+ location /favicon.ico {
+ alias /var/www/favicon.gif;
+ }
+}
+
+
+# Store Front (MedusaJS)
+server {
+ # Service: Store | https://store.nutra.tk
+ server_name store.nutra.tk;
+ #listen 80;
+ listen 443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ location / {
+ proxy_pass http://localhost:8000;
+ }
+}
+
+# Store [Admin UI] (MedusaJS)
+server {
+ # Service: Store Admin | https://store-admin-8b56411b.nutra.tk
+ server_name store-api.nutra.tk store-admin-8b56411b.nutra.tk;
+ #listen 80;
+ listen 443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ location / {
+ proxy_pass http://localhost:9000;
+ }
+}
+
+
+# UI, blog, favicon, default server
+server {
+ server_name dev.nutra.tk;
+
+ # HTTP/3 (QUIC) - UDP
+ listen 443 quic reuseport default_server;
+ listen [::]:443 quic reuseport default_server;
+
+ # HTTP/2 & 1.1 (Fallback) - TCP
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ # Enable protocols
+ http2 on;
+ http3 on;
+
+ # Advertise HTTP/3 availability
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+
+ client_max_body_size 50m;
+
+ # HSTS
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
+ # OCSP stapling (NOTE: Responders disabled by letsencrypt as of Q3 2025)
+ #ssl_stapling on;
+ #ssl_stapling_verify on;
+
+ # Services Map (Homepage)
+ location / {
+ alias /var/www/homepage.html;
+ default_type text/html;
+ }
+
+# # Blog / Sphinx
+# location /blog {
+# alias /var/www/blog;
+# index index.html;
+# }
+
+ # default favicon
+ location = /favicon.ico {
+ alias /var/www/favicon.gif;
+ }
+
+ # Other
+ location ~ /.well-known {
+ allow all;
+ }
+
+ # CV paths
+ location ~ ^/cv/(~?swe|swe~/resume\.pdf)$ {
+ alias /var/www/cv/swe/resume.pdf;
+ default_type application/pdf;
+ }
+ location ~ ^/resume(\.pdf|/swe\.pdf)$ {
+ alias /var/www/cv/swe/resume.pdf;
+ default_type application/pdf;
+ }
+
+ # public folder
+ location /public {
+ root /var/www;
+ autoindex on;
+ #index index.html index.htm;
+ #try_files $uri $uri/ /index.html =404;
+ }
+
+ # HTTPS / SSL
+ ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Redirect www.dev.nutra.tk -> dev.nutra.tk
+server {
+ listen 443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+ server_name www.dev.nutra.tk;
+
+ ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ return 301 https://dev.nutra.tk$request_uri;
+}
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Listen on 443 with matrix / synapse
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+server {
+ listen 443 ssl;
+ listen 443 quic;
+ http2 on;
+ http3 on;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ server_name matrix.nutra.tk chat.nutra.tk;
+
+ location / {
+ # Service: Matrix Chat | https://chat.nutra.tk
+ proxy_pass http://127.0.0.1:8008;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+ location /favicon.ico {
+ alias /var/www/favicon.gif;
+ }
+}
+
+# Open matrix chat on 8448
+server {
+ listen 8448 ssl default_server;
+ listen [::]:8448 ssl default_server;
+ server_name dev.nutra.tk;
+
+ location / {
+ proxy_pass http://127.0.0.1:8008;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+ # HTTPS / SSL
+ ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
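Review bot: default.prod.conf is a byte-for-byte copy of default.dev.conf (both file headers index to blob b866859), so the production file still serves `api.dev.nutra.tk`, `dev.nutra.tk` and `www.dev.nutra.tk` and loads the `/etc/letsencrypt/live/dev.nutra.tk/` certificate and key; the production hostnames and certificate paths have to replace these before the file is put into service. If both files are picked up by the same `conf.d/*.conf` include (the include pattern is outside this diff), the two `listen 443 ... default_server` blocks collide and nginx refuses the configuration as a duplicate default server, while the repeated server_name sets only produce warnings and silently route to whichever block is loaded first. A header comment stating the intended deployment rule, e.g. `# Exactly one of default.dev.conf / default.prod.conf may be active: both declare default_server on :443 and :8448`, would make the `wip` state explicit until the prod values are filled in.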