Services/VpsNginx
As of: 2026-07-05 — migrated from `services/VPS-NGINX.md`
VPS nginx — vhost management scripts
Reference for the RackNerd VPS (100.67.169.50, public-facing) that reverse-proxies every *.wilsoz.com subdomain back to stronghold over Tailscale (100.64.207.155). Read this before hand-writing an nginx vhost — as of 2026-07-05 there are scripts that do the whole thing in one command.
Scripts (on the VPS, /home/mnw/)
| Script | Purpose |
|---|---|
add-vhost.sh
|
Create a vhost, symlink it, get a cert, add security headers, reload, verify — one command |
remove-vhost.sh
|
Tear a vhost down: remove symlink, delete/revoke cert, delete vhost file, reload |
VHOST-HOWTO.md
|
Full usage doc, lives alongside the scripts on the VPS |
Add a site
<syntaxhighlight lang="bash"> sudo /home/mnw/add-vhost.sh <domain> <tailscale-ip:port>
- Example:
sudo /home/mnw/add-vhost.sh wiki.wilsoz.com 100.64.207.155:9926 </syntaxhighlight>
Does, in order: writes /etc/nginx/sites-available/<domain> with a plain HTTP proxy block → symlinks into sites-enabled/ → nginx -t + reload → certbot --nginx -d <domain> (Cloudflare DNS-01, rewrites the file with the SSL block + 80→443 redirect, same as every other cert on this VPS) → injects include /etc/nginx/snippets/security-headers.conf; right after certbot's options-ssl-nginx.conf line → final nginx -t + reload → curl status check.
Prerequisites before running: DNS A record for the domain already pointing at the VPS (100.67.169.50); the backend already up and reachable on stronghold at the given port. WebSocket backends need proxy_http_version 1.1 + Upgrade/Connection headers added manually afterward — the script doesn't detect that case.
Remove a site
<syntaxhighlight lang="bash"> sudo /home/mnw/remove-vhost.sh <domain> </syntaxhighlight>
Shows you the backend it's about to remove, asks whether to revoke the cert (y = revoke + delete, use when the domain is gone for good; default N = delete locally only, use when just moving/rebuilding), removes the sites-enabled symlink, deletes the vhost file, tests + reloads nginx.
Server topology
| Thing | Value |
|---|---|
| Public VPS | 100.67.169.50 (RackNerd) |
| Home server (stronghold) | 100.64.207.155 (Tailscale) |
| Backend ports (examples) | 9925 = Mealie, 9926 = MediaWiki |
| Cert method | Let's Encrypt via certbot + Cloudflare DNS-01 (same plugin as mymail.wilsoz.com, see CLAUDE.md)
|
| HSTS | max-age=300 — staged rollout, expect this to increase over time
|
Known nginx warnings (harmless, pre-existing)
nginx -t shows an ssl_protocols redefinition warning for pages.git.wilsoz.com and photos.wilsoz.com, and will show the same for any vhost combining options-ssl-nginx.conf (certbot) with security-headers.conf. Cosmetic only — config still loads and serves correctly.
Gotcha
add-vhost.sh aborts rather than overwriting if the vhost file already exists — safe to run repeatedly/accidentally, but means you must remove-vhost.sh first (or hand-edit) to change an existing site's backend port.