From: Shane Jaroch Date: Sat, 10 Jan 2026 19:22:00 +0000 (-0500) Subject: update X-Git-Url: https://git.nutra.tk/v2?a=commitdiff_plain;h=6a9a12e7a72c870882462c6e11d958d8e50e87b3;p=nutratech%2Fvps-root.git update
---
diff --git a/.env b/.env
new file mode 100644
index 0000000..7f2e43b
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+VPS_HOST=nutra.tk
+VPS_USER=gg
diff --git a/.gitignore b/.gitignore
index 49917a2..f7011c1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,5 @@
 # Ignore all
-*
+#*
 #**/*
 #**
 # Unignore all with extensions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..e9f5083
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,24 @@
+.SHELL := /bin/bash
+# .ONESHELL:
+
+-include .env
+
+VPS_HOST ?= dev.nutra.tk
+VPS_USER ?= gg
+VPS = $(VPS_USER)@$(VPS_HOST)
+
+.PHONY: stage/nginx
+stage/nginx:
+ @echo "Staging files on $(VPS_HOST)..."
+ tar --transform 's|.*/||' -czf - etc/nginx/conf.d/*.conf scripts/deploy.sh | \
+ ssh $(VPS) "rm -rf ~/nginx-staging && mkdir -p ~/nginx-staging && tar -xzv -C ~/nginx-staging"
+
+.PHONY: diff/nginx
+diff/nginx:
+ @echo "Checking diff against $(VPS_HOST)..."
+ ssh -t $(VPS) "bash ~/nginx-staging/deploy.sh diff"
+
+.PHONY: deploy/nginx
+deploy/nginx:
+ @echo "Deploying checked-in nginx config to $(VPS_HOST)..."
+ ssh -t $(VPS) "bash ~/nginx-staging/deploy.sh"
diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf
index 23c9df8..2180145 100644
--- a/etc/nginx/conf.d/default.conf
+++ b/etc/nginx/conf.d/default.conf
@@ -22,7 +22,7 @@ server {
 # proxy_request_buffering off;
 # proxy_buffering off;
 # # Proxy forwarding (password configured in app.config.FORWARDED_SECRET)
-# proxy_set_header forwarded "$proxy_forwarded;secret=\"REDACTED\"";
+# proxy_set_header forwarded "$proxy_forwarded;secret=\"$proxy_secret_key\"";
 # # Allow websockets and keep-alive (avoid connection: close)
 # proxy_set_header connection "upgrade";
 # proxy_set_header upgrade $http_upgrade;
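Review bot: `.env` is committed with VPS_HOST and VPS_USER even though the Makefile's `-include .env` treats it as a per-machine override, and the .gitignore hunk in the same commit flips the repository from ignore-everything (`*`) to ignore-nothing (`#*`) without re-adding `.env`, so any credential that later lands in that file (an SSH password, a token) is tracked by default. Add `.env` to .gitignore and commit the defaults as `.env.example` instead; since `.env` is already in this commit's index, it also needs `git rm --cached .env` once it is ignored. The Makefile hunk already carries the same defaults via `?=`, so nothing is lost by not tracking the file.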
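Review bot: `.SHELL := /bin/bash` on the first line is not the variable GNU make reads — the builtin is `SHELL` — so the recipes run under `/bin/sh` regardless; the line should read `SHELL := /bin/bash`. The stage/nginx and deploy/nginx recipes also populate and execute from `~/nginx-staging`, while the new scripts/deploy.sh hunk sets `STAGING_DIR=~/.nginx-staging` (leading dot), so the `sudo mv "$STAGING_DIR"/*.conf` there will not find the staged files; pick one path and use it in both places. A comment on the `tar --transform 's|.*/||'` line noting that it flattens paths, so two conf files with the same basename in different directories would silently collide, would also help the next maintainer.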
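Review bot: The commented-out `proxy_set_header forwarded` line now references `$proxy_secret_key`, but nothing in this hunk defines that variable and it is not an nginx builtin, so if the line is ever uncommented `nginx -t` rejects it with an unknown-variable error unless a `set`/`map` definition (or an `include` of a root-readable file kept out of the repository) exists at server/http scope. A comment such as `# $proxy_secret_key must be defined via map/set in an included, untracked file before enabling this` above the line would make the intent clear to whoever enables it. The enclosing `server {` block starts outside the hunk.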
@@ -54,7 +54,7 @@ server { http2 on; # Advertise HTTP/3 availability to browsers - add_header Alt-Svc 'h3=":443"; ma=86400'; + add_header Alt-Svc 'h3=":443"; ma=86400' always; # HSTS add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
@@ -80,6 +80,11 @@ server { # index index.html; #} + # CV paths - Redirect to Dev (only hosted there) + location ~ ^/(cv/(~?swe|swe~/resume\.pdf)|resume(\.pdf|/swe\.pdf))$ { + return 301 https://dev.$server_name/resume.pdf; + } + # default favicon location = /favicon.ico { alias /var/www/favicon.gif;
@@ -95,9 +100,21 @@ server { ssl_certificate_key /etc/letsencrypt/live/nutra.tk/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} - # TODO: better redirect based on server, not if? - if ($host = www.nutra.tk) { - return 301 https://nutra.tk$request_uri; - } +# Redirect www.nutra.tk -> nutra.tk +server { + listen 443 ssl; + listen 443 quic; + listen [::]:443 quic; + http2 on; + http3 on; + server_name www.nutra.tk; + + ssl_certificate /etc/letsencrypt/live/nutra.tk/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/nutra.tk/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + + return 301 https://nutra.tk$request_uri; }
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
new file mode 100644
index 0000000..c587bee
--- /dev/null
+++ b/scripts/deploy.sh
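Review bot: The CV redirect in the @@ -80 hunk builds its target from `$server_name` (`return 301 https://dev.$server_name/resume.pdf;`), which is the first name of whatever `server_name` directive is in force outside this hunk; if this same default.conf is ever staged to the dev host (the Makefile's default `VPS_HOST ?= dev.nutra.tk`) with a `dev.` server name, the redirect would point at `dev.dev.nutra.tk`. The new www block in the @@ -95 hunk hard-codes its target (`https://nutra.tk$request_uri`), so hard-coding `https://dev.nutra.tk/resume.pdf` here would be consistent and removes the dependency on the server_name ordering. The enclosing `server {` block starts before the hunk.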
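Review bot: The new www.nutra.tk server block listens on `listen 443 ssl;`, `listen 443 quic;` and `listen [::]:443 quic;` but has no `listen [::]:443 ssl;`, so IPv6 clients that do not already have an Alt-Svc hint (every first connection, since Alt-Svc is learned over TCP) either land on whichever other block is default for `[::]:443` or fail, depending on listen directives outside this hunk; add `listen [::]:443 ssl;` beside the IPv4 line. The block also omits the `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` that the main block carries at @@ -54, and nginx does not inherit `add_header` across `server` blocks, so the www redirect is served without HSTS and weakens the `includeSubDomains; preload` posture the apex advertises; repeat that add_header line in the new block, or move it to `http` scope so every server block on the host gets it.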
@@ -0,0 +1,53 @@
+#!/bin/bash
+set -e
+
+STAGING_DIR=~/.nginx-staging
+CONF_DIR=/etc/nginx/conf.d
+echo "Deploying configuration from $STAGING_DIR to $CONF_DIR..."
+
+echo "Detected changes (diff):"
+# Diff existing vs staging. "|| true" prevents exit on diff found.
+diff -u -r --color=always "$CONF_DIR/" "$STAGING_DIR/" || true
+echo ""
+
+echo "Running pre-flight validation on staged config..."
+TMP_NGINX_CONF=$(mktemp)
+
+if sudo nginx -t -c "$TMP_NGINX_CONF"; then
+ echo "✓ Pre-flight validation passed."
+ rm "$TMP_NGINX_CONF"
+else
+ echo "✗ Pre-flight validation FAILED. Aborting."
+ rm "$TMP_NGINX_CONF"
+ exit 1
+fi
+
+# If diff subcommand, exit early.
+if [ "$1" = "diff" ]; then exit 0; fi
+
+# Create timestamped backup
+BACKUP_DIR=~/nginx_backup_$(date +%s)
+echo "Creating backup at $BACKUP_DIR..."
+mkdir -p "$BACKUP_DIR"
+
+# Backup existing configs if they exist
+if sudo ls "$CONF_DIR"/*.conf >/dev/null 2>&1; then
+ sudo cp "$CONF_DIR"/*.conf "$BACKUP_DIR/"
+fi
+
+echo "Installing new configurations..."
+sudo mv "$STAGING_DIR"/*.conf "$CONF_DIR/"
+rm -rf "$STAGING_DIR"
+
+echo "Verifying configuration..."
+if sudo nginx -t; then
+ echo "Configuration is valid. Reloading Nginx..."
+ sudo nginx -s reload
+ echo "✓ Deployment successful."
+else
+ echo "✗ Configuration failed validation! Rolling back..."
+ sudo cp "$BACKUP_DIR"/*.conf "$CONF_DIR/"
+ echo "Rollback complete. Verifying rollback..."
+ sudo nginx -t
+ exit 1
+fi
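Review bot: The pre-flight validation at `TMP_NGINX_CONF=$(mktemp)` / `sudo nginx -t -c "$TMP_NGINX_CONF"` tests an empty temporary file, not the staged `.conf` files, so it can never catch a bad config before the `sudo mv` into `$CONF_DIR`; the only real check is the post-install `nginx -t`, and the rollback after it only copies back files that existed before — a newly added bad `.conf` stays in `$CONF_DIR`, and `sudo cp "$BACKUP_DIR"/*.conf` fails outright (under `set -e`) when the backup is empty. A real pre-flight needs a temporary nginx.conf that includes the staging directory in place of conf.d, as sketched below, and the rollback should delete the files it installed before restoring the backup. `sudo mv` also leaves the installed files owned by the deploy user rather than root, so that unprivileged account (and anything running as it) can later edit live nginx config without sudo; `sudo install -m 0644 -o root -g root "$STAGING_DIR"/*.conf "$CONF_DIR/"` avoids that. Separately, `STAGING_DIR=~/.nginx-staging` does not match the `~/nginx-staging` the Makefile hunk populates, so the mv finds nothing until the two agree.
```shell
echo "Running pre-flight validation on staged config..."
TMP_NGINX_CONF=$(mktemp)
# Parse the staged files through a copy of the live nginx.conf whose conf.d
# include points at the staging dir; assumes nginx.conf has the usual
# `include /etc/nginx/conf.d/*.conf;` line — adjust the pattern if not.
sed "s|include $CONF_DIR/\*\.conf;|include $STAGING_DIR/*.conf;|" /etc/nginx/nginx.conf > "$TMP_NGINX_CONF"
if sudo nginx -t -c "$TMP_NGINX_CONF"; then
# … unchanged: pass/fail branches, diff early-exit, backup …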