refactor: restructure nginx config into per-app files #1

Merged
naomi merged 13 commits from feat/restructure into main 2026-03-07 02:05:29 -08:00

Summary

  • Added push.sh script to deploy configs to prod via sudo rsync (with --delete for exact mirroring)
  • Split the monolithic conf.d/server.conf (1,682 lines, 96 server blocks) into 28 per-app files under sites-available/, with corresponding symlinks in sites-enabled/
  • Extracted custom nginx.conf settings (log_format directives, server_names_hash_bucket_size) into dedicated conf.d/logging.conf and conf.d/tuning.conf files, leaving nginx.conf as close to stock as possible

Test plan

  • sudo nginx -t passes on prod after the sites-available restructure

This PR was created with help from Hikari~ 🌸

hikari added 5 commits 2026-03-03 15:48:03 -08:00
Moves all server blocks out of conf.d/server.conf into individual
files under sites-available/, grouped by logical application. Each
file is symlinked into sites-enabled/ to enable it. The old
server.conf is removed.
refactor: extract custom nginx.conf settings into conf.d files
Security Scan and Upload / Security & DefectDojo Upload (pull_request) Successful in 1m6s
37402ce0f4
Moves custom log formats to conf.d/logging.conf and the
server_names_hash_bucket_size tweak to conf.d/tuning.conf,
leaving nginx.conf as close to stock as possible.
hikari added 1 commit 2026-03-03 16:04:07 -08:00
chore: remove unused default files and clean up comments
Security Scan and Upload / Security & DefectDojo Upload (pull_request) Successful in 58s
aff5a966c6
Deletes conf.d/default.conf, snippets/snakeoil.conf, and
snippets/fastcgi-php.conf (all stock example files not used in
production). Strips all commented-out lines and the mail block from
nginx.conf, and drops TLSv1/TLSv1.1 from ssl_protocols. Cleans
sites-available/default down to just the functional catch-all.
hikari added 1 commit 2026-03-03 16:06:20 -08:00
feat: add comprehensive nginx config test suite
Test nginx configuration / Static Analysis (pull_request) Failing after 4s
Test nginx configuration / nginx Syntax Check (pull_request) Successful in 22s
Security Scan and Upload / Security & DefectDojo Upload (pull_request) Successful in 1m28s
55fcab69a1
Replaces the obsolete test.sh (which referenced configs/prod.conf,
a file that no longer exists) with 12 static-analysis checks:

  1.  No deprecated TLS versions (TLSv1 / TLSv1.1)
  2.  No duplicate literal server_name values
  3.  Every sites-available conf has a sites-enabled symlink
  4.  No broken symlinks in sites-enabled
  5.  No orphaned sites-enabled symlinks
  6.  No HTTP-only server blocks (port 80 without port 443)
  7.  ssl_certificate / ssl_certificate_key counts match per file
  8.  Plain-HTTP proxy_pass targets are local only
  9.  All SSL cert paths use /etc/letsencrypt/live/
  10. ssl_certificate uses fullchain.pem, key uses privkey.pem
  11. No raw IP addresses as server_name
  12. conf.d contains only expected files

Adds .gitea/workflows/test.yml with two CI jobs: static-analysis
(runs test.sh, no nginx required) and syntax-check (installs
nginx-full, copies config, generates stub SSL certs for all
referenced letsencrypt paths, then runs nginx -t).
hikari added 1 commit 2026-03-03 16:10:54 -08:00
refactor: remove port 80 listeners and enforce HTTPS-only in tests
Test nginx configuration / Static Analysis (pull_request) Failing after 5s
Test nginx configuration / nginx Syntax Check (pull_request) Successful in 16s
Security Scan and Upload / Security & DefectDojo Upload (pull_request) Successful in 1m6s
493d758df8
Removes the listen 80 / listen [::]:80 blocks from cdn.conf since
port 80 is blocked at the firewall. Updates test 6 to enforce that
no custom server block listens on port 80 at all.
hikari added 1 commit 2026-03-03 16:16:20 -08:00
feat: enforce alphabetical server block ordering
Test nginx configuration / Static Analysis (pull_request) Failing after 6s
Test nginx configuration / nginx Syntax Check (pull_request) Successful in 24s
Security Scan and Upload / Security & DefectDojo Upload (pull_request) Successful in 1m59s
7085845234
Adds test 13 to test.sh to verify that server blocks within each
sites-available file are sorted alphabetically by server_name
(LC_ALL=C; regex and wildcard entries excluded).

Fixes aria.conf and mommy.conf to conform: hyphenated names sort
before the bare domain in C locale ('-' < '.'), so trans-bot now
precedes trans, and mommy-slack now precedes mommy.
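As an added illustration of the static-analysis suite described in the "comprehensive nginx config test suite" commit above and of the C-locale ordering check introduced here, the following bash script is example code, not the repository's own test.sh. It implements seven of the checks (1, 6, 8, 9, 10, 11 and 13) as grep/awk passes over a single sites-available file, and runs them against two constructed sample configs: one that should pass and one that violates every check. The example.test hostnames, the documentation-range IP addresses, the upstream ports and the treatment of 127.0.0.1/localhost/[::1] as the only acceptable plain-HTTP proxy targets are all assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not the repository's own test.sh: a subset of the static
# checks described in the commits (1, 6, 8, 9, 10, 11 and 13), implemented
# as grep/awk passes over one sites-available file.
set -u

# Drop comments so commented-out directives cannot trigger a finding.
strip_comments() { sed -e 's/#.*$//' "$1"; }

# check_conf FILE: prints one line per finding, returns 0 only if clean.
check_conf() {
    local f="$1" fails=0 names
    # 1. deprecated TLS versions in ssl_protocols (TLSv1.2/1.3 are fine)
    if strip_comments "$f" | grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)'; then
        echo "FAIL $f: deprecated TLSv1/TLSv1.1 in ssl_protocols"; fails=$((fails + 1))
    fi
    # 6. no port-80 listener at all (the commit says port 80 is firewalled)
    if strip_comments "$f" | grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::\]:)?80([[:space:]]|;)'; then
        echo "FAIL $f: server block listens on port 80"; fails=$((fails + 1))
    fi
    # 8. plain-HTTP proxy_pass may only point at loopback (assumed rule)
    if strip_comments "$f" | grep -E 'proxy_pass[[:space:]]+http://' \
        | grep -Evq 'http://(127\.0\.0\.1|localhost|\[::1\])([:/;]|$)'; then
        echo "FAIL $f: plain-HTTP proxy_pass to a non-local upstream"; fails=$((fails + 1))
    fi
    # 9 + 10. certificates come from /etc/letsencrypt/live/ and use
    #         fullchain.pem / privkey.pem
    if strip_comments "$f" | grep -E '^[[:space:]]*ssl_certificate[[:space:]]' \
        | grep -Evq '/etc/letsencrypt/live/[^/]+/fullchain\.pem;'; then
        echo "FAIL $f: ssl_certificate is not a letsencrypt fullchain.pem"; fails=$((fails + 1))
    fi
    if strip_comments "$f" | grep -E '^[[:space:]]*ssl_certificate_key[[:space:]]' \
        | grep -Evq '/etc/letsencrypt/live/[^/]+/privkey\.pem;'; then
        echo "FAIL $f: ssl_certificate_key is not a letsencrypt privkey.pem"; fails=$((fails + 1))
    fi
    # 11. no raw IPv4 address used as a server_name
    if strip_comments "$f" | grep -Eq '^[[:space:]]*server_name[^;]*([0-9]{1,3}\.){3}[0-9]{1,3}'; then
        echo "FAIL $f: raw IP address used as server_name"; fails=$((fails + 1))
    fi
    # 13. first literal server_name of each block must be sorted in the C
    #     locale; regex (~) and wildcard (*) entries are skipped.
    names=$(strip_comments "$f" | awk '$1 == "server_name" {
        n = $2; sub(/;$/, "", n)
        if (n != "" && n !~ /^~/ && n !~ /\*/) print n }')
    if [ "$names" != "$(printf '%s\n' "$names" | LC_ALL=C sort)" ]; then
        echo "FAIL $f: server blocks not in C-locale alphabetical order"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}

# Constructed sample configs (not real site files from the repository).
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
GOOD="$WORK/good.conf"
BAD="$WORK/bad.conf"

# Clean file: HTTPS only, letsencrypt certs, loopback upstreams, and the
# hyphenated name sorted before the bare domain ('-' < '.' in C locale).
cat > "$GOOD" <<'EOF'
server {
    listen 443 ssl;
    server_name api-bot.example.test;
    ssl_certificate     /etc/letsencrypt/live/api-bot.example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api-bot.example.test/privkey.pem;
    location / { proxy_pass http://127.0.0.1:3000; }
}
server {
    listen 443 ssl;
    server_name api.example.test;
    ssl_certificate     /etc/letsencrypt/live/api.example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.test/privkey.pem;
    location / { proxy_pass http://localhost:4000; }
}
EOF

# Deliberately bad file: trips every check implemented above.
cat > "$BAD" <<'EOF'
server {
    listen 80;
    server_name zeta.example.test;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate     /etc/ssl/certs/snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/snakeoil.key;
    location / { proxy_pass http://10.0.0.5:8080; }
}
server {
    listen 443 ssl;
    server_name 203.0.113.10;
    ssl_certificate     /etc/letsencrypt/live/203.0.113.10/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/203.0.113.10/privkey.pem;
}
EOF

# Stand-alone run: report on both sample files.
for conf in "$GOOD" "$BAD"; do
    if check_conf "$conf"; then echo "PASS $conf"; fi
done
```

Each check strips comments first, so a commented-out `listen 80;` or an old `ssl_protocols` line left behind for reference does not produce a false positive; the ordering check compares the first name of each `server_name` directive against its `LC_ALL=C sort` output, which is what makes `api-bot` sort ahead of `api.example.test`, matching the aria.conf/mommy.conf fix described in the commit.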
hikari added 1 commit 2026-03-03 16:17:57 -08:00
feat: add style.nhcarrigan.com to content sites
Test nginx configuration / Static Analysis (pull_request) Failing after 9s
Test nginx configuration / nginx Syntax Check (pull_request) Successful in 24s
Security Scan and Upload / Security & DefectDojo Upload (pull_request) Successful in 1m28s
12687ad1a2
hikari added 1 commit 2026-03-03 16:26:52 -08:00
docs: add README and per-file header comments
Test nginx configuration / Static Analysis (pull_request) Failing after 4s
Test nginx configuration / nginx Syntax Check (pull_request) Successful in 16s
Security Scan and Upload / Security & DefectDojo Upload (pull_request) Successful in 1m21s
e8318215a9
- Rewrote README with full directory structure, add/remove site
  workflows, deploy instructions, and a test suite reference table
- Added a one-line header comment to each sites-available/*.conf
  explaining what category of sites belongs in that file
hikari added 1 commit 2026-03-03 16:34:53 -08:00
fix: replace absolute default symlink with relative path
Security Scan and Upload / Security & DefectDojo Upload (pull_request) Successful in 2m11s
Test nginx configuration / Static Analysis (pull_request) Successful in 8s
Test nginx configuration / nginx Syntax Check (pull_request) Successful in 27s
fbdc386449
hikari added 1 commit 2026-03-07 02:03:33 -08:00
feat: add elysium.nhcarrigan.com nginx config
Test nginx configuration / Static Analysis (pull_request) Successful in 5s
Test nginx configuration / nginx Syntax Check (pull_request) Successful in 17s
Security Scan and Upload / Security & DefectDojo Upload (pull_request) Successful in 1m10s
f433f3330a
 This issue was created with help from Hikari~ 🌸
naomi merged commit db36f98578 into main 2026-03-07 02:05:29 -08:00
naomi deleted branch feat/restructure 2026-03-07 02:05:30 -08:00

Reference: nhcarrigan/nginx-configs#1