# /etc/soju/config
hostname <my-hostname>

# Plaintext listeners bound to loopback only; nginx terminates TLS in front
# of both. Loopback is reachable by every local process, not just nginx, so
# "insecure" is acceptable only on a host without untrusted local users.
# A Unix-socket listener with restrictive permissions would narrow this
# further (see soju(1) for the supported listen URIs).
listen irc+insecure://127.0.0.1:12000
listen ws+insecure://127.0.0.1:12001

# Trust client-address information (PROXY protocol on the IRC listener,
# forwarding headers on the WebSocket listener) from loopback peers only.
# Any local process that can connect can therefore claim an arbitrary
# client address in soju's view of the connection.
accept-proxy-ip localhost
# /etc/nginx/sites-enabled/52-soju.conf
# nginx http server for gamja files and proxy to the soju websocket
# HTTPS vhost: serves the static gamja client and proxies /socket to the
# soju WebSocket listener on loopback.
server {
    server_name <my-hostname>;
    root /srv/gamja/;

    location /socket {
        # Plain HTTP to soju is confined to loopback; TLS ends here.
        proxy_pass http://127.0.0.1:12001;
        # Long read timeout so nginx does not drop quiet WebSocket sessions early.
        proxy_read_timeout 600s;
        # WebSocket upgrade needs HTTP/1.1 and the Upgrade/Connection headers.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        # $remote_addr (not $proxy_add_x_forwarded_for) overwrites any
        # X-Forwarded-For the client sent, so soju, which trusts loopback
        # proxies via accept-proxy-ip, only sees the address nginx observed.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Pass the original Host through; presumably soju compares it with
        # the WebSocket Origin header (verify against soju's http-origin docs).
        proxy_set_header Host $host;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/<my-hostname>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/<my-hostname>/privkey.pem; # managed by Certbot
    # Certbot's shared TLS options file; the protocol and cipher policy for
    # this vhost comes from there.
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Port 80 vhost generated by Certbot: redirect the known hostname to HTTPS
# and answer 404 for anything else, so nothing is served over plaintext.
server {
    server_name <my-hostname>;

    # Only the expected Host value is redirected; other Host headers fall
    # through to the 404 below instead of being echoed into a redirect.
    if ($host = <my-hostname>) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    return 404; # managed by Certbot
}
# /etc/nginx/streams-enabled/52-soju.conf
# use nginx stream tcp proxy to access soju from an irc client
# nginx does the TLS termination and certbot integration
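# TLS-terminating TCP proxy for native IRC clients: nginx accepts TLS on
# port 1667 and forwards the plaintext stream to soju on loopback.
server {
    listen 1667 ssl;
    listen [::]:1667 ssl;

    # The "managed by Certbot" markers look copied from the HTTP vhost;
    # verify that Certbot actually maintains this stream file.
    ssl_certificate /etc/letsencrypt/live/<my-hostname>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/<my-hostname>/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Unlike the HTTPS vhost, this block does not include Certbot's
    # options-ssl-nginx.conf, so without an explicit setting the protocol
    # policy falls back to nginx's built-in default, which on older releases
    # still permits TLS 1.0/1.1. Pin the minimum version here.
    ssl_protocols TLSv1.2 TLSv1.3;

    proxy_pass 127.0.0.1:12000;
    # Prepend a PROXY protocol header so soju learns the real client address;
    # soju honours it only from peers matched by its accept-proxy-ip setting.
    proxy_protocol on;
}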