From b5015ffa076bd180621acd7683e714c34193ad7b Mon Sep 17 00:00:00 2001
From: Shane Jaroch
Date: Sat, 10 Jan 2026 12:53:23 -0500
Subject: [PATCH] http/3 with Makefile deploy
---
 .gitignore | 10 ++------
 Makefile | 22 ++++++++++++++++++
 etc/nginx/conf.d/default.conf | 31 +++++++++++++++++-------
 scripts/deploy.sh | 44 +++++++++++++++++++++++++++++++++++
 4 files changed, 91 insertions(+), 16 deletions(-)
 create mode 100644 Makefile
 create mode 100755 scripts/deploy.sh
diff --git a/.gitignore b/.gitignore
index 49917a2..920a8d2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,9 +1,3 @@
-# Ignore all
-*
-#**/*
-#**
-# Unignore all with extensions
-#!*.*
-# Unignore all dirs
-# !*/
+/usr
+/bin
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..811c9ad
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,22 @@
+.SHELL := /bin/bash
+# .ONESHELL:
+
+VPS_HOST ?= dev.nutra.tk
+VPS_USER ?= gg
+
+.PHONY: stage/nginx
+stage/nginx:
+ @echo "Staging files on $(VPS_HOST)..."
+ ssh $(VPS_USER)@$(VPS_HOST) 'rm -rf ~/nginx-staging && mkdir -p ~/nginx-staging'
+ scp -q -r etc/nginx/conf.d/*.conf $(VPS_USER)@$(VPS_HOST):~/nginx-staging/
+ scp -q scripts/deploy.sh $(VPS_USER)@$(VPS_HOST):~/nginx-staging/
+
+.PHONY: diff/nginx
+diff/nginx:
+ @echo "Checking diff against $(VPS_HOST)..."
+ ssh -t $(VPS_USER)@$(VPS_HOST) "bash ~/nginx-staging/deploy.sh diff"
+
+.PHONY: deploy/nginx
+deploy/nginx:
+ @echo "Deploying checked-in nginx config to $(VPS_HOST)..."
+ ssh -t $(VPS_USER)@$(VPS_HOST) "bash ~/nginx-staging/deploy.sh"
diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf
index 172ffb0..ed321a4 100644
--- a/etc/nginx/conf.d/default.conf
+++ b/etc/nginx/conf.d/default.conf
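Review bot: In `.gitignore`, removing the `*` ignore-all rule drops the allow-list posture: every path outside `/usr` and `/bin` can now be picked up by `git add .`. The tree appears to mirror host paths (`etc/nginx/conf.d/`), so if certificates or private keys are ever copied under it they would no longer be ignored by default. Consider adding explicit patterns for key material next to the two new entries, for example `*.key` and `*.pem`.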
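Review bot: In the Makefile, `deploy/nginx` and `diff/nginx` have no prerequisite on `stage/nginx`, so they run whatever `deploy.sh` and `.conf` files are in `~/nginx-staging` on the host, which need not be the "checked-in nginx config" the echo promises. Because that script calls `sudo`, it should always be the copy from the current checkout: `deploy/nginx: stage/nginx` and `diff/nginx: stage/nginx`. Separately, `.SHELL := /bin/bash` on the first line assigns an ordinary variable named `.SHELL`; GNU make reads `SHELL`, so the recipes still run under the default shell and the line should be `SHELL := /bin/bash`.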
@@ -3,7 +3,11 @@ server { server_name api-dev.nutra.tk api.dev.nutra.tk; #listen 80; listen 443 ssl; + listen 443 quic; + listen [::]:443 quic; http2 on; + http3 on; + add_header Alt-Svc 'h3=":443"; ma=86400' always; # HSTS add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; @@ -34,7 +38,11 @@ server { server_name store.nutra.tk; #listen 80; listen 443 ssl; + listen 443 quic; + listen [::]:443 quic; http2 on; + http3 on; + add_header Alt-Svc 'h3=":443"; ma=86400' always; location / { proxy_pass http://localhost:8000; } @@ -45,7 +53,11 @@ server { server_name store-api.nutra.tk store-admin-8b56411b.nutra.tk; #listen 80; listen 443 ssl; + listen 443 quic; + listen [::]:443 quic; http2 on; + http3 on; + add_header Alt-Svc 'h3=":443"; ma=86400' always; location / { proxy_pass http://localhost:9000; } @@ -69,7 +81,7 @@ server { http3 on; # Advertise HTTP/3 availability - add_header Alt-Svc 'h3=":443"; ma=86400'; + add_header Alt-Svc 'h3=":443"; ma=86400' always; client_max_body_size 50m; @@ -80,13 +92,13 @@ server { #ssl_stapling on; #ssl_stapling_verify on; -# # React app (base URL) -# location / { -# #return 302 https://$host/api$request_uri; -# root /var/www/app; -# index index.html; -# #try_files $uri $uri/ /index.html =404; -# } + # React app (base URL) + location / { + #return 302 https://$host/api$request_uri; + root /var/www/app; + index index.html; + #try_files $uri $uri/ /index.html =404; + } # # Blog / Sphinx # location /blog { @@ -138,7 +150,10 @@ server { # Listen on 443 with matrix / synapse server { listen 443 ssl; + listen 443 quic; http2 on; + http3 on; + add_header Alt-Svc 'h3=":443"; ma=86400' always; server_name matrix.nutra.tk chat.nutra.tk; location / { diff --git a/scripts/deploy.sh b/scripts/deploy.sh new file mode 100755 index 0000000..3128121 --- /dev/null +++ b/scripts/deploy.sh 
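Review bot: In `etc/nginx/conf.d/default.conf`, the matrix/synapse block in the last hunk gets only `listen 443 quic;`, while the first three hunks add both `listen 443 quic;` and `listen [::]:443 quic;`; add the IPv6 listener there too or drop it everywhere. None of the visible context lines shows a `listen [::]:443 ssl;`, so if the TCP side is IPv4-only (the server blocks continue outside the hunks) the IPv6 QUIC listeners sit next to no matching TCP listener. These listeners also expose UDP/443, which firewall rules, rate limits and log pipelines written for TCP may not cover; a comment at the first listener such as `# HTTP/3: needs UDP/443 allowed in the host firewall` would record that requirement.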
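Review bot: The re-enabled `location /` block in the fifth hunk of `default.conf` (`root /var/www/app; index index.html;`) is not mentioned in the commit subject and changes what this vhost serves, so it deserves its own commit or at least a line in the description. Everything under `/var/www/app` becomes publicly readable, so that directory should hold build output only; a comment such as `# serves built React app; /var/www/app must contain build artifacts only` would state the assumption. The `try_files` line stays commented out, which presumably means deep links into the app return 404. The server block starts and ends outside the hunk, so a conflicting `location /` elsewhere cannot be ruled out from here.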
@@ -0,0 +1,44 @@
+#!/bin/bash
+set -e
+
+# Staging directory expected to be populated by the caller (Makefile)
+STAGING_DIR=~/nginx-staging
+CONF_DIR=/etc/nginx/conf.d
+
+echo "Detected changes (diff):"
+# Diff existing vs staging. "|| true" prevents exit on diff found.
+sudo diff -u -r --color=always "$CONF_DIR/" "$STAGING_DIR/" || true
+echo ""
+
+if [ "$1" = "diff" ]; then
+ # echo "Diff check complete."
+ # rm -rf "$STAGING_DIR"
+ exit 0
+fi
+
+# Create timestamped backup
+BACKUP_DIR=~/nginx_backup_$(date +%s)
+echo "Creating backup at $BACKUP_DIR..."
+mkdir -p "$BACKUP_DIR"
+
+# Backup existing configs if they exist
+if sudo ls "$CONF_DIR"/*.conf >/dev/null 2>&1; then
+ sudo cp "$CONF_DIR"/*.conf "$BACKUP_DIR/"
+fi
+
+echo "Installing new configurations..."
+sudo mv "$STAGING_DIR"/*.conf "$CONF_DIR/"
+sudo rm -rf "$STAGING_DIR"
+
+echo "Verifying configuration..."
+if sudo nginx -t; then
+ echo "Configuration is valid. Reloading Nginx..."
+ sudo nginx -s reload
+ echo "✓ Deployment successful."
+else
+ echo "✗ Configuration failed validation! Rolling back..."
+ sudo cp "$BACKUP_DIR"/*.conf "$CONF_DIR/"
+ echo "Rollback complete. Verifying rollback..."
+ sudo nginx -t
+ exit 1
+fi
--
2.52.0
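Review bot: In `scripts/deploy.sh`, `sudo mv "$STAGING_DIR"/*.conf "$CONF_DIR/"` keeps the owner and mode the files had in the staging directory, so the configs in `/etc/nginx/conf.d` end up owned by the unprivileged deploy account, which can then rewrite them without `sudo`. Install them with fixed ownership instead: `sudo install -o root -g root -m 0644 "$STAGING_DIR"/*.conf "$CONF_DIR/"`. The rollback branch only copies back files that existed before the deploy, so a newly added `.conf` that fails `nginx -t` stays in place and the second `nginx -t` fails too. Running the validation before touching `$CONF_DIR`, or removing files that are absent from `$BACKUP_DIR` during rollback, would close that gap.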