From 7c290e973f8ba272ecd2a3a17643f729da8d2b16 Mon Sep 17 00:00:00 2001 From: nutra-bot Date: Thu, 15 Jan 2026 18:09:40 +0000 Subject: [PATCH] update --- etc/nginx/conf.d/default.conf | 123 ++++++++++++++-------------------- etc/postfix/main.cf | Bin 1393 -> 1378 bytes 2 files changed, 49 insertions(+), 74 deletions(-) diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf index 172ffb0..1836a11 100644 --- a/etc/nginx/conf.d/default.conf +++ b/etc/nginx/conf.d/default.conf @@ -3,7 +3,11 @@ server { server_name api-dev.nutra.tk api.dev.nutra.tk; #listen 80; listen 443 ssl; + listen 443 quic; + listen [::]:443 quic; http2 on; + http3 on; + add_header Alt-Svc 'h3=":443"; ma=86400' always; # HSTS add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; @@ -34,7 +38,11 @@ server { server_name store.nutra.tk; #listen 80; listen 443 ssl; + listen 443 quic; + listen [::]:443 quic; http2 on; + http3 on; + add_header Alt-Svc 'h3=":443"; ma=86400' always; location / { proxy_pass http://localhost:8000; } @@ -45,7 +53,11 @@ server { server_name store-api.nutra.tk store-admin-8b56411b.nutra.tk; #listen 80; listen 443 ssl; + listen 443 quic; + listen [::]:443 quic; http2 on; + http3 on; + add_header Alt-Svc 'h3=":443"; ma=86400' always; location / { proxy_pass http://localhost:9000; } @@ -69,7 +81,7 @@ server { http3 on; # Advertise HTTP/3 availability - add_header Alt-Svc 'h3=":443"; ma=86400'; + add_header Alt-Svc 'h3=":443"; ma=86400' always; client_max_body_size 50m; @@ -80,13 +92,13 @@ server { #ssl_stapling on; #ssl_stapling_verify on; -# # React app (base URL) -# location / { -# #return 302 https://$host/api$request_uri; -# root /var/www/app; -# index index.html; -# #try_files $uri $uri/ /index.html =404; -# } + # React app (base URL) + location / { + #return 302 https://$host/api$request_uri; + root /var/www/app; + index index.html; + #try_files $uri $uri/ /index.html =404; + } # # Blog / Sphinx # location /blog { 
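Review bot: The added `listen [::]:443 quic;` gives this server block an IPv6 QUIC listener, but the only TCP/TLS listener visible in the hunk is `listen 443 ssl;`, which binds IPv4 only. Unless a `listen [::]:443 ssl;` exists further down (the block continues outside the hunk), an IPv6 client connecting over TCP for api-dev.nutra.tk is either refused or handled by whichever server is the default for `[::]:443`. In the second case it gets that server's certificate and headers, not this block's HSTS and Alt-Svc. I would add `listen [::]:443 ssl;` next to the existing listener. The same applies to the store.nutra.tk and store-api.nutra.tk hunks and the new www.dev.nutra.tk block, while the matrix block gets only `listen 443 quic;` with no IPv6 line, so the five blocks should be made consistent.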
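Review bot: The re-enabled `location /` serves `/var/www/app` with `try_files` still commented out, so a client-side route (a deep link or a page reload) is looked up as a file and returns 404. If the app uses browser-history routing, `try_files $uri $uri/ /index.html;` is the usual fallback. Because the whole tree under `root` becomes public, it is also worth confirming that the server block, which continues outside this hunk, denies hidden files, for example `location ~ /\.(?!well-known) { deny all; }`, so deployment leftovers are not served.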
@@ -104,16 +116,15 @@ server { allow all; } - # resumes - location = /cv/swe~/resume.pdf { + # CV paths + location ~ ^/cv/(~?swe|swe~/resume\.pdf)$ { alias /var/www/cv/swe/resume.pdf; + default_type application/pdf; + } + location ~ ^/resume(\.pdf|/swe\.pdf)$ { + alias /var/www/cv/swe/resume.pdf; + default_type application/pdf; } -# location = /cv/dataeng~/resume.pdf { -# alias /var/www/cv/de/resume.pdf; -# } -# location = /cv/datasci~/resume.pdf { -# alias /var/www/cv/ds/resume.pdf; -# } # public folder location /public { @@ -128,17 +139,35 @@ server { ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} - # TODO: better redirect based on server, not if? - if ($host = www.dev.nutra.tk) { - return 301 https://dev.nutra.tk$request_uri; - } +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# Redirect www.dev.nutra.tk -> dev.nutra.tk +server { + listen 443 ssl; + listen 443 quic; + listen [::]:443 quic; + http2 on; + http3 on; + server_name www.dev.nutra.tk; + + ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + + return 301 https://dev.nutra.tk$request_uri; } +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Listen on 443 with matrix / synapse +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ server { listen 443 ssl; + listen 443 quic; http2 on; + http3 on; + add_header Alt-Svc 'h3=":443"; ma=86400' always; server_name matrix.nutra.tk chat.nutra.tk; location / { 
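Review bot: Both new `location ~` blocks put an `alias` with a fixed file path inside a regex location, whereas the nginx documentation says an `alias` in a regex location should refer to the regex captures. The fixed path appears to work, but it relies on behaviour the documentation does not promise. The URLs are literal strings, so exact-match blocks such as `location = /cv/swe { alias /var/www/cv/swe/resume.pdf; default_type application/pdf; }` express the same thing, skip regex evaluation, and cannot be shadowed by an earlier regex location. A one-line comment such as `# default_type is needed because /cv/swe and /cv/~swe carry no .pdf extension` would explain why the directive is there.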
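Review bot: The new `server_name www.dev.nutra.tk;` block only takes effect if that name is no longer listed on the main dev.nutra.tk server, whose `server_name` line is outside every hunk of this patch and is therefore unchanged. The removed `if ($host = www.dev.nutra.tk)` suggests the main block matched that host. If it matches by name, nginx reports a conflicting server name, ignores the later definition, and the redirect silently stops happening. Check the `nginx -t` output and drop `www.dev.nutra.tk` from the main block's `server_name` if it is present. The redirect block also sets `http3 on;` without an `Alt-Svc` or `Strict-Transport-Security` header, unlike the other blocks touched here.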
@@ -158,11 +187,6 @@ server { listen [::]:8448 ssl default_server; server_name dev.nutra.tk; -# # New chat (matrix / element) -# location ~ /v2/chat/ { -# proxy_pass http://127.0.0.1:8008; -# proxy_set_header X-Forwarded-For $remote_addr; -# } location / { proxy_pass http://127.0.0.1:8008; proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; 
@@ -175,52 +199,3 @@ server { include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } - - -# Chat (mattermost) -#proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off; -#server { -# listen 443 ssl http2; -# server_name chat.nutra.tk; -# -# location ~ /api/v[0-9]+/(users/)?websocket$ { -# proxy_set_header Upgrade $http_upgrade; -# proxy_set_header Connection "upgrade"; -# client_max_body_size 50M; -# proxy_set_header Host $http_host; -# proxy_set_header X-Real-IP $remote_addr; -# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -# proxy_set_header X-Forwarded-Proto $scheme; -# proxy_set_header X-Frame-Options SAMEORIGIN; -# proxy_buffers 256 16k; -# proxy_buffer_size 16k; -# client_body_timeout 60; -# send_timeout 300; -# lingering_timeout 5; -# proxy_connect_timeout 90; -# proxy_send_timeout 300; -# proxy_read_timeout 90s; -# proxy_http_version 1.1; -# proxy_pass http://localhost:8065; -# } -# -# location / { -# client_max_body_size 50M; -# proxy_set_header Connection ""; -# proxy_set_header Host $http_host; -# proxy_set_header X-Real-IP $remote_addr; -# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -# proxy_set_header X-Forwarded-Proto $scheme; -# proxy_set_header X-Frame-Options SAMEORIGIN; -# proxy_buffers 256 16k; -# proxy_buffer_size 16k; -# proxy_read_timeout 600s; -# proxy_cache mattermost_cache; -# proxy_cache_revalidate on; -# proxy_cache_min_uses 2; -# proxy_cache_use_stale timeout; -# proxy_cache_lock on; -# proxy_http_version 1.1; -# proxy_pass http://localhost:8065; -# } -#} 
diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf index b54eeaaf88cb78ec8730962014bb7e459ef7bfff..4f67f523af3c2d2c5bf45eec2ab749388fbc6b6c 100644 GIT binary patch literal 1378 zcmV-o1)cf;M@dveQdv+`01jq@>P?4ogAvmFJr$%XHowOXxADOZqMJv}z|J)(Qz3GZ zs6+HAY~a`iiB4CA`Q-@6g8&i4yWo@6@#Fq{}CTL;)5rlvKWJkE)(}~HH zHZpYg9Ja;FdhsbusNW0xAiRyFl1THXfL?+Nfp{dtpXxnfI}qyK@lb5;TeGXBy9LY| z;d-osUBM*ww=g<#L2I!w>Ju|rq#eXv16SW_4kuE}$1Pk+GA`Qq<=uTLo;*qH>b{^r zZYgASirzm61h$E;+M3XZKz7@<+m>$~xO`MdXSzyq=jT#2HxyFo3+C|Vavtl}aopfv z<^9>I6xkVVUyW1rL-ih!m(uC;lGM5`8v!{ZlOao{)$AIcU=TrIHw1>%86<}BZXvM{ zv{X@eJ8NTVU6!Ej*gi;#X>!xz=pVM$?h)BWnYedjPg9Cp~`@-78& z^_4qc3T~ResAKbDRP%VFT1E^b#I@ew!~Hj5p4o1OUQqDIE?6OVi%{f-M>qy%p3(~Y zRJy84_lru?JfJo9dIFv`28>QzmoMod<@{9rfKqGe9+~s(g`se8;Xq$-$A1-NOmvB# zx4MJ``fsA7T7Jf|E?rdIAPHlmTCms3(lVoh?;Dn%{Ly&0^nNhEz2_(lk!UW@64)RLw{fKWYW6S7>2w+=izAi;AgY`<95 zr}zm{X)671DS!Oo28bMDivyUI5zhI0ma-QV6O>jc3Q5^$?~i;Gc%8N|z?nIk9wNSQ z6RxHCNesm9`IKZbwhfxdj9Zk7J?5-vh-ZX?gJ>wrCiDoUB}kHj7YIHz0YrRt>IcYt z6&(?AjsimUj){+u>i!VrZBC%kSaY_#ZUfiJ;eN75l2!nE1lH!T*%m+L+%*f)%Pb5T+_{h}e`| z*}7ougV2Q|zMS3Q1Lg|KfskFOkJ>gYj+X4cVLQ0D`@Q3r%F3=NUtQa@y_7^ zh)Lk$t{;1TF~z29>l7cdGD+K!cY>l#uUEJ0{-Lwqv=yLDncQ()!UFrA@+bYeMRh4# zR}3*^n^c;qsohnpdjxTivb*@%hNpoOS6X(5zRQJ#0~UvpYlDaq=gXR`pCy`-OH(s?2^sxHXmv$WTdjRx&QzG literal 1393 zcmV-%1&;avM@dveQdv+`03nn9mE~yQYF}cBM>)6xI@p?b=x^)FiU zm*p|Z&=stw^F5=NCBxwItuOQC4ZW=QMaQmldk4#9L*8$i)byavLd@^~!5 zZMgId0N`YGsGUn}06phKwv-av5nJ-F?N3p64h4r^{`W%+$|r~VcR8ywf8N!WSLZrU zF+3LDDPSMn8Yz$@`HCqTIAIfvu&511PzrA=BqV{FIS~Rq2_D$bcYxk&cgE{grs(&` z?*q6EHd{_La@$aKk9WGvOGdxxEqa7Wu^{E0x=(Z&AoZz!SP z26;(4lvOQNdC&etHY)4XJ{i4qEKK)N_SRx{nCMcEZH z0v&ame>ZagasI=v5{xeUVyt?|72kOz^#tl<8IeE%vdZ-*52soM5#nca7{dH-nE?PmgECm}WRW56PqP3I}BWOi4M znSrTe@GlUm3oR^x-3mq&n34x7Q{Q{hM0j|VdA1?55zllX2v4NRZD zN$I3Ea+^ z!~$VA(5u*6?Vsou!mOtZzH6apGB}5fKFo`L3|lPm)OT{ZFa978iorAMR8&NKE8&z? 
zF~ph|(q1WPU(F34s|J4$j}t4;Mx($&{0oHdB{+Zw1Ln=8=-I@uF$N3Je9GG+grRcz z3~_C?NKB+yz}^ipQEvRUxh>A?QdA*26;8A9XRhM);Ao_QV!U@OlU0f)(Xe5_mK`_$ z|M3kTn-5Za@tzl!d=3x(c|awUyt(6^M$k#Hx8Io!|75<pmSXGoEk+8S=d?5EaoKsCOb^%?D$TT1q4gBei3z27AJm8>ny@zv`i0P*c5 z$6io1kdLgW*LtGa3B#{rGuG}Zgxc@fBiXg_>m1&~UJ$yxM%4_IhXrSD!UGsEsu@@K zMGa6g-CW<~nb=kPL?K9Q)&%mJ=-OKHfFZiau^)&O)}?Q}P1s7p%i_NY(s<0Nif^1POQ+bniIpg0IPT0jnQzMz4mUk0>R?d+H0) zC~7AH)&n>Hxj5bQeucIy=HS*uETmS&8}RA0FH6IYo#xC;yIUIdg*nTUa^Ujpd@pn1 zxl7?q7~!971^2K&B+;hKb4QDvcJP8Ov^u86T*Bqa!mpzLN109O0LQ;#O0Gj!++w|p z!0Y&+A5RnzvA%x~oYJpN>np}x*N9}mhk|BJFw0|q=(cT;2(Znr_M5Z<&$}Q`02im4M)}|A_ zg8}#9*`m*~ZkMhZ4)ra7>qc1ZunYCsX|l-OB~US+wT}Yt1SxsK#*K16K47mnF~%l> zGn?!VLZQ~nV@#OSs#_|I6%QN_Jy(Hhh5%nKX#jc9Q;=R|)by>4fG(fkNNF5cEY4$n z?_1G99yC$<9DCR}LY|JMW;pQr|F7)QkK3l$)z=5F1fF6Xw&t{?WB)bHr8jsIR}Mkt zuuh@uk2IF=7THx!$b76f&WbA*V6u@AQRD_xkp#~;hgv|G%4gR~HPaf>pI6E7TVK8v -- 2.52.0