Jump to content

Services/VpsNginx

From Stronghold Wiki
Revision as of 18:16, 5 July 2026 by Wikibot (talk | contribs) (Migrated from services/VPS-NGINX.md)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

As of: 2026-07-05 — migrated from `services/VPS-NGINX.md`

VPS nginx — vhost management scripts

Reference for the RackNerd VPS (100.67.169.50, public-facing) that reverse-proxies every *.wilsoz.com subdomain back to stronghold over Tailscale (100.64.207.155). Read this before hand-writing an nginx vhost — as of 2026-07-05 there are scripts that do the whole thing in one command.

Scripts (on the VPS, /home/mnw/)

Script Purpose
add-vhost.sh Create a vhost, symlink it, get a cert, add security headers, reload, verify — one command
remove-vhost.sh Tear a vhost down: remove symlink, delete/revoke cert, delete vhost file, reload
VHOST-HOWTO.md Full usage doc, lives alongside the scripts on the VPS

Add a site

<syntaxhighlight lang="bash"> sudo /home/mnw/add-vhost.sh <domain> <tailscale-ip:port>

  1. Example:

sudo /home/mnw/add-vhost.sh wiki.wilsoz.com 100.64.207.155:9926 </syntaxhighlight>

Does, in order: writes /etc/nginx/sites-available/<domain> with a plain HTTP proxy block → symlinks into sites-enabled/nginx -t + reload → certbot --nginx -d <domain> (Cloudflare DNS-01, rewrites the file with the SSL block + 80→443 redirect, same as every other cert on this VPS) → injects include /etc/nginx/snippets/security-headers.conf; right after certbot's options-ssl-nginx.conf line → final nginx -t + reload → curl status check.

Prerequisites before running: DNS A record for the domain already pointing at the VPS (100.67.169.50); the backend already up and reachable on stronghold at the given port. WebSocket backends need proxy_http_version 1.1 + Upgrade/Connection headers added manually afterward — the script doesn't detect that case.

Remove a site

<syntaxhighlight lang="bash"> sudo /home/mnw/remove-vhost.sh <domain> </syntaxhighlight>

Shows you the backend it's about to remove, asks whether to revoke the cert (y = revoke + delete, use when the domain is gone for good; default N = delete locally only, use when just moving/rebuilding), removes the sites-enabled symlink, deletes the vhost file, tests + reloads nginx.

Server topology

Thing Value
Public VPS 100.67.169.50 (RackNerd)
Home server (stronghold) 100.64.207.155 (Tailscale)
Backend ports (examples) 9925 = Mealie, 9926 = MediaWiki
Cert method Let's Encrypt via certbot + Cloudflare DNS-01 (same plugin as mymail.wilsoz.com, see CLAUDE.md)
HSTS max-age=300 — staged rollout, expect this to increase over time

Known nginx warnings (harmless, pre-existing)

nginx -t shows an ssl_protocols redefinition warning for pages.git.wilsoz.com and photos.wilsoz.com, and will show the same for any vhost combining options-ssl-nginx.conf (certbot) with security-headers.conf. Cosmetic only — config still loads and serves correctly.

Gotcha

add-vhost.sh aborts rather than overwriting if the vhost file already exists — safe to run repeatedly/accidentally, but means you must remove-vhost.sh first (or hand-edit) to change an existing site's backend port.