
start on hyperconverged setup

Josh Bicking há 3 anos atrás
pai
commit
20dd2bdb09

+ 1 - 0
.env.example

@@ -0,0 +1 @@
+# TODO update me

+ 1 - 22
README.md

@@ -1,22 +1 @@
-# Ansible & Docker homelab configurations
-
-Set up a series of machines for web hosting & data storage.
-
-# Using these files
-
-## Docker
-
-The easiest way to use these files is to copy the config of a service you want into your own `docker-compose.yaml` file. You'll need to change my domain names to your own.
-
-If you decide to use environment variables, you'll need to create a `.env` file in the same directory as your compose file. This should declare any variables used in the compose file.
-
-For example, if your compose file uses the `CONTAINERS_DIR` and `POSTGRES_PASSWORD` variables I'm using in my compose file, your `.env` file should look something like this:
-
-```
-CONTAINERS_DIR=/home/user/my-container-data
-POSTGRES_PASSWORD=mysecretpassword
-```
-
-## Ansible
-
-The hostnames & keys may be changed to set up a generic web & storage instance, ready to run docker-compose/host a NAS.
+# TODO

+ 0 - 0
templates/web/compose/conf.d/static.conf → conf.d/static.conf


+ 83 - 24
templates/web/compose/docker-compose.yaml → docker-compose.yml

@@ -1,30 +1,79 @@
 version: '3'
 
+networks:
+  default:
+    driver: overlay
+
 services:
-  nginx-proxy:
-    image: jwilder/nginx-proxy
-    # My internet-facing load balancer (CloudFlare) sits on 80 and 443. Therefore,
-    # I let it handle all HTTPS concerns.
-    #
-    # If this is internet-facing, enable SSL in nginx-proxy
-    # and forward both 80 and 443 directly.
+  traefik:
+    image: traefik:v2.2
     ports:
-      - "8080:80"
+      - 80:80
+      # - 443:443
+    deploy:
+      placement:
+        constraints:
+          - node.role == manager
+      labels:
+        # Enable the dashboard UI
+        - traefik.enable=true
+        - traefik.http.routers.api.rule=Host(`board.${DOMAIN}`)
+        - traefik.http.routers.api.service=api@internal
+        - traefik.http.routers.api.middlewares=auth
+        - traefik.http.middlewares.auth.basicauth.users=${TRAEFIK_API_USERS}
+        # Dummy service for Swarm port detection. The port can be any valid integer value.
+        - traefik.http.services.dummy-svc.loadbalancer.server.port=9999
+
+        - traefik.http.routers.traefik.tls=true
+        - traefik.http.routers.traefik.tls.certresolver=cloudflare
+        - traefik.http.routers.traefik.tls.domains[0].main=${DOMAIN}
+        - traefik.http.routers.traefik.tls.domains[1].sans=*.${DOMAIN}
     volumes:
-      - /var/run/docker.sock:/tmp/docker.sock:ro
-      # Helps with stability of large uploads
-      - ./conf.d/proxy_timeout.conf:/etc/nginx/conf.d/proxy_timeout.conf:ro
-      - ./conf.d/real_ip.conf:/etc/nginx/conf.d/real_ip.conf:ro
-      # Password-protect some subdomains
-      - ./htpasswd:/etc/nginx/htpasswd
-      # Certs for the top level domain & subdomains
-      # - ${TOP_DOMAIN_CERT}:/etc/nginx/certs/jibby.org.crt
-      # - ${TOP_DOMAIN_KEY}:/etc/nginx/certs/jibby.org.key
-      # - ${WC_DOMAIN_CERT}:/etc/nginx/certs/shared.crt
-      # - ${WC_DOMAIN_KEY}:/etc/nginx/certs/shared.key
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ${CONTAINERS_DIR}/traefik:/certificates
+    command:
+      - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
+      - --providers.docker.swarmmode=true
+      - --entrypoints.web.address=:80
+      #- --entrypoints.web.redirections.entrypoint.permanent=false
+      #- --entrypoints.web.redirections.entryPoint.to=websecure
+      #- --entrypoints.web.redirections.entryPoint.scheme=https
+      #- --entrypoints.websecure.address=:443
+      #- --certificatesresolvers.le.acme.email=${LETSENCRYPT_EMAIL}
+      #- --certificatesresolvers.le.acme.storage=/certificates/acme.json
+      #- --certificatesresolvers.le.acme.dnschallenge.provider=cloudflare
+      - --accesslog=true
+      - --log=true
+      - --api=true
     environment:
-      - DEFAULT_HOST=jibby.org
-    restart: always
+      # - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
+      # - CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY}
+
+  # nginx-proxy:
+  #   image: jwilder/nginx-proxy
+  #   # My internet-facing load balancer (CloudFlare) sits on 80 and 443. Therefore,
+  #   # I let it handle all HTTPS concerns.
+  #   #
+  #   # If this is internet-facing, enable SSL in nginx-proxy
+  #   # and forward both 80 and 443 directly.
+  #   ports:
+  #     - "8080:80"
+  #   volumes:
+  #     - /var/run/docker.sock:/tmp/docker.sock:ro
+  #     # Helps with stability of large uploads
+  #     - ./conf.d/proxy_timeout.conf:/etc/nginx/conf.d/proxy_timeout.conf:ro
+  #     - ./conf.d/real_ip.conf:/etc/nginx/conf.d/real_ip.conf:ro
+  #     # Password-protect some subdomains
+  #     - ./htpasswd:/etc/nginx/htpasswd
+  #     # Certs for the top level domain & subdomains
+  #     # - ${TOP_DOMAIN_CERT}:/etc/nginx/certs/jibby.org.crt
+  #     # - ${TOP_DOMAIN_KEY}:/etc/nginx/certs/jibby.org.key
+  #     # - ${WC_DOMAIN_CERT}:/etc/nginx/certs/shared.crt
+  #     # - ${WC_DOMAIN_KEY}:/etc/nginx/certs/shared.key
+  #   environment:
+  #     - DEFAULT_HOST=jibby.org
+  #   restart: always
 
   # An example of a static HTTP file hosting site
   camera:
@@ -49,19 +98,27 @@ services:
     restart: always
 
   jekyll:
-    build: https://github.com/jibby0/docker-jekyll-webhook.git
+    image: jibby0/docker-jekyll-webhook
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.services.jekyll.loadbalancer.server.port=80
+        - traefik.http.routers.jekyll.rule=Host(`${DOMAIN}`)
     environment:
       - TZ=America/New_York
       - WEBHOOK_SECRET=${WEBHOOK_SECRET}
       - REPO=https://github.com/jibby0/blog.git
-      - VIRTUAL_HOST=jibby.org
-      - VIRTUAL_PORT=80
     restart: always
     volumes:
       - ${CONTAINERS_DIR}/jekyll/vendor_cache:/vendor
 
   nextcloud:
     image: nextcloud
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.services.nextcloud.loadbalancer.server.port=80
+        - traefik.http.routers.nextcloud.rule=Host(`nextcloud.${DOMAIN}`)
     expose:
       - "80"
     links:
@@ -150,6 +207,8 @@ services:
     volumes:
       - ${CONTAINERS_DIR}/jellyfin:/config
       - ${MEDIA_DIR}:/media
+      - /dev/shm/jellyfin-transcodes:/transcodes
+      - /dev/shm/jellyfin-cache:/cache
     environment:
       - VIRTUAL_HOST=jellyfin.jibby.org
       - VIRTUAL_PORT=8096
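Review bot: The dashboard router `traefik.http.routers.api` (labels at the top of the traefik service) is reachable only through the `web` entrypoint on port 80, since `443:443`, `websecure` and the resolver flags are all commented out, so the `TRAEFIK_API_USERS` basic-auth credentials and the `api@internal` service travel over plaintext HTTP; the TLS labels just below it are attached to a router named `traefik` that has no `rule` and so never matches, and they name a certresolver `cloudflare` while the commented command flags define one called `le`. Until 443 is enabled, either keep the dashboard off the public entrypoint or move those labels onto the `api` router, e.g. `traefik.http.routers.api.entrypoints=websecure`, `traefik.http.routers.api.tls=true`, `traefik.http.routers.api.tls.certresolver=le`. In the jellyfin hunk further down, the service still carries the nginx-proxy-era `VIRTUAL_HOST`/`VIRTUAL_PORT` environment and has no `traefik.*` labels, so with nginx-proxy commented out it is no longer routed at all; it needs a `deploy.labels` block like jekyll's. As far as I recall, `docker stack deploy` also ignores `restart: always` and `links:` on the swarm services here, so those keys are now dead weight.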

+ 1 - 5
hosts

@@ -1,9 +1,5 @@
 all:
   hosts:
-    web:
+    all:
       ansible_ssh_private_key_file: ~/.ssh/orcha_ed25519
-    nas:
-      ansible_ssh_private_key_file: ~/.ssh/orcha_ed25519
-    orcha:
-      ansible_connection: local
 
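Review bot: The replacement entry `all:` under `all.hosts` declares a host literally named `all`, which collides with Ansible's implicit `all` group and, with no `ansible_host`, would be resolved as an SSH hostname of "all"; the `- hosts: all` play in playbook.yml would then target that single pseudo-host, and I believe Ansible warns when a host and a group share a name. Give the node its real name or add an address under it, e.g. `node1:` / `ansible_host: <NODE_ADDRESS>` / `ansible_ssh_private_key_file: ~/.ssh/orcha_ed25519`, and list each node separately if more than one is intended.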

+ 0 - 15
playbook.yml

@@ -2,20 +2,5 @@
 - hosts: all
   roles:
     - basic
-
-- hosts: orcha
-  roles:
-    - orcha
-
-- hosts: nas
-  roles:
-    - nas
-  vars:
-    user: josh
-
-- hosts: web
-  roles:
-    - web
   vars:
     user: josh
-

+ 37 - 12
roles/basic/tasks/main.yml

@@ -1,20 +1,45 @@
 ---
-- name: Ensure QEMU tools is installed
+- name: Install apt-add-repository
   apt:
-    name: qemu-guest-agent
+    name: '{{ packages }}'
     state: present
     update_cache: yes
+  vars:
+    packages:
+      - apt-transport-https
+      - ca-certificates
+      - curl
+      - gnupg2
+      - software-properties-common
 
-- name: Ensure rsync is installed
+- name: Add Docker's GPG key
+  shell: curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
+  args:
+    warn: False  # Piping
+
+- name: Add Docker's apt repository
+  shell: add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
+
+- name: Install Docker
   apt:
-    name: rsync
+    name: '{{ packages }}'
     state: present
+    update_cache: yes
+  vars:
+    packages:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+
+- name: Add '{{ user }}' to docker group
+  user:
+    name: '{{ user }}'
+    groups: docker
+    append: yes
+
+- name: Install docker-compose
+  shell: curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose && chmod +x /usr/local/bin/docker-compose
+  args:
+    warn: False  # Calls to uname
 
-# Cloudinit sets this now, no need to remove it.
-# - name: Remove localhost hostname definition
-#   lineinfile:
-#     path: /etc/hosts
-#     # hostnamectl doesn't update the hostname in this entry, so we can't 
-#     # match against {{ ansible_facts['nodename'] }}.
-#     regexp: "^127\\.0\\.1\\.1[ \\t]+"
-#     state: absent
+# TODO mount the ceph cluster
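Review bot: The three `shell:` tasks (`Add Docker's GPG key`, `Add Docker's apt repository`, `Install docker-compose`) fetch a signing key and a binary from the network without verifying what arrived, and because they are `shell:` they re-run and report `changed` on every play: `curl … | apt-key add -` trusts whatever the URL returns (and `apt-key` is deprecated on current Debian), and the docker-compose download is written to `/usr/local/bin` with no checksum. Replacing them with the `apt_key` (with `id:` pinned to the publisher's fingerprint), `apt_repository` and `get_url` (with `checksum:`) modules makes them idempotent and verifies the artifacts, and the two `warn: False` args disappear with them. The task that appends `{{ user }}` to the `docker` group is correct as written but deserves a comment such as `# Membership of the docker group is root-equivalent on the host`, since it previously ran only on the `web` host and now runs on every inventory host. Finally, `update_cache: yes`, `append: yes` and `warn: False` mix boolean spellings; `true`/`false` throughout is the conventional form.

```yaml
- name: Add Docker's GPG key
  apt_key:
    url: https://download.docker.com/linux/debian/gpg
    id: <DOCKER_KEY_FINGERPRINT>  # placeholder: pin to the fingerprint Docker publishes
    state: present

- name: Add Docker's apt repository
  apt_repository:
    repo: "deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
    state: present

# … unchanged: Install Docker, Add '{{ user }}' to docker group …

- name: Install docker-compose
  get_url:
    url: "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-{{ ansible_system }}-{{ ansible_architecture }}"
    dest: /usr/local/bin/docker-compose
    checksum: "sha256:<DOCKER_COMPOSE_SHA256>"  # placeholder: take from the release's checksum file
    mode: "0755"
```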

+ 0 - 41
roles/nas/tasks/main.yml

@@ -1,41 +0,0 @@
-- name: Create mountable dir
-  file:
-    path: /nfs
-    state: directory
-    mode: u=rwx,g=r,o=r
-    owner: '{{ user }}'
-    group: '{{ user }}'
-
-- name: Ensure NFS utilities are installed.
-  apt:
-    name: '{{ packages }}'
-    state: present
-    update_cache: yes
-  vars:
-    packages:
-      - nfs-common
-      - nfs-kernel-server
-
-- name: Format the data drive
-  filesystem:
-    fstype: ext4
-    dev: /dev/sdb1
-
-- name: Mount the data drive
-  mount:
-    src: /dev/sdb1
-    path: /nfs
-    fstype: ext4
-    state: mounted
-
-- name: copy /etc/exports
-  template:
-    src: templates/nas/etc/exports.j2
-    dest: /etc/exports
-    owner: root
-    group: root
-
-- name: restart nfs server
-  service:
-    name: nfs-kernel-server
-    state: restarted

+ 0 - 26
roles/orcha/tasks/main.yml

@@ -1,26 +0,0 @@
----
-
-# dnsmasq installer: currently using pihole for DNS/DHCP, so this is disabled
-# - name: Install dnsmasq
-#   apt:
-#    name: dnsmasq
-#    state: present
-#    update_cache: yes
-#
-# - name: Write dnsmasq config
-#   template:
-#     src: templates/orcha/etc/dnsmasq.conf
-#     dest: /etc/dnsmasq.conf
-#     owner: root
-#     group: root
-#     mode: u=rw,g=r,o=r
-#
-# - name: Start & enable dnsmasq service
-#   service:
-#     name: dnsmasq
-#     state: started
-#     enabled: yes
-#     daemon_reload: yes
-
-# - name: Set default route to outward-facing NIC
-#   command: ip route add default via

+ 0 - 120
roles/web/tasks/main.yml

@@ -1,120 +0,0 @@
----
-- name: Install apt-add-repository
-  apt:
-    name: '{{ packages }}'
-    state: present
-    update_cache: yes
-  vars:
-    packages:
-      - apt-transport-https
-      - ca-certificates
-      - curl
-      - gnupg2
-      - software-properties-common
-
-- name: Add Docker's GPG key
-  shell: curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
-  args:
-    warn: False  # Piping
-
-- name: Add Docker's apt repository
-  shell: add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
-
-- name: Install Docker
-  apt:
-    name: '{{ packages }}'
-    state: present
-    update_cache: yes
-  vars:
-    packages:
-      - docker-ce
-      - docker-ce-cli
-      - containerd.io
-
-- name: Add '{{ user }}' to docker group
-  user:
-    name: '{{ user }}'
-    groups: docker
-    append: yes
-
-- name: Install docker-compose
-  shell: curl -L "https://github.com/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose && chmod +x /usr/local/bin/docker-compose
-  args:
-    warn: False  # Calls to uname
-
-- name: Copy compose config
-  copy:
-    src: templates/web/compose
-    dest: '/home/{{ user }}'
-    owner: '{{ user }}'
-    group: '{{ user }}'
-    mode: "600"
-
-- name: Install NFS common
-  apt:
-    name: nfs-common
-    state: present
-    update_cache: yes
-
-- name: Create mountable dir
-  file:
-    path: /nfs
-    state: directory
-    mode: u=rwx,g=r,o=r
-    owner: '{{ user }}'
-    group: '{{ user }}'
-
-- name: set mountpoints
-  mount:
-    name: /nfs
-    src: 172.20.69.1:/nfs
-    fstype: nfs
-    state: mounted
-
-# TODO the certbot installation process probably needs fixing
-- name: Install pip
-  apt:
-    name: python-pip
-    state: present
-
-- name: Install certbot's cloudflare plugin
-  pip:
-    name: certbot-dns-cloudflare
-    extra_args: --user
-
-- name: Write example cloudflare secrets file
-  copy:
-    src: templates/web/cloudflare.ini.example
-    dest: /root/cloudflare.ini.example
-    mode: "0700"
-    owner: root
-    group: root
-
-- name: Run certbot
-  shell: /root/.local/bin/certbot renew --dns-cloudflare --dns-cloudflare-credentials /root/cloudflare.ini -d jibby.org,\*.jibby.org --preferred-challenges dns-01
-  ignore_errors: yes  # This fails if the certs already exist
-
-- name: Schedule certbot renewal cronjob
-  cron:
-    name: "renew certs"
-    special_time: weekly
-    job: '/root/.local/bin/certbot renew'
-
-- name: Set outward facing nginx server
-  copy:
-    src: templates/web/docker.conf
-    dest: /etc/nginx/conf.d/docker.conf
-    mode: "0644"
-    owner: root
-    group: root
-
-- name: Remove default nginx site
-  file:
-    path: /etc/nginx/sites-enabled/default
-    state: absent
-
-- name: Start and enable Nginx
-  service:
-    name: nginx
-    state: started
-    enabled: yes

+ 0 - 11
templates/nas/etc/exports.j2

@@ -1,11 +0,0 @@
-# /etc/exports: the access control list for filesystems which may be exported
-#               to NFS clients.  See exports(5).
-#
-# Example for NFSv2 and NFSv3:
-# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
-#
-# Example for NFSv4:
-# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
-# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
-#
-/nfs            172.20.69.1/30(rw,sync,no_root_squash,no_subtree_check)

+ 0 - 5
templates/orcha/etc/dnsmasq.conf

@@ -1,5 +0,0 @@
-local=/internal/
-
-dhcp-range=172.21.69.3,172.21.69.253,12h
-
-dhcp-option=3,172.21.69.1

+ 0 - 2
templates/web/cloudflare.ini.example

@@ -1,2 +0,0 @@
-dns_cloudflare_email = [email protected]
-dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567

+ 0 - 11
templates/web/compose/.env.example

@@ -1,11 +0,0 @@
-# Locations
-MEDIA_DIR=/Media
-CONTAINERS_DIR=/data
-
-# Secrets
-POSTGRES_USER=pg
-POSTGRES_PASSWORD=password
-MARIADB_USER=maria
-MARIADB_PASSWORD=password
[email protected]
-SMTP_PASS=password

+ 0 - 65
templates/web/compose/conf.d/forward.conf

@@ -1,65 +0,0 @@
-# SeCuRiTy
-server {
-        server_name _;
-	return 302 https://$host$request_uri;
-	listen 80;
-}
-
-# jibby.org
-server {
-        server_name jibby.org;
-
-        location / {
-                access_log off;
-
-                proxy_set_header Host jibby.org;
-                proxy_set_header X-Real-IP $remote_addr;
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                #proxy_set_header X-Scheme $scheme;
-                #proxy_set_header X-Forwarded-Proto $scheme;
-                #proxy_set_header X-Nginx-Scheme $scheme;
-                #proxy_set_header X-Forwarded-Port $server_port;
-                #proxy_redirect    off;
-                proxy_pass https://192.168.69.1:443;
-        }
-
-
-    listen 443 ssl; # managed by Certbot
-    ssl_certificate /etc/letsencrypt/live/jibby.org/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/jibby.org/privkey.pem; # managed by Certbot
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-
-}
-
-# *.jibby.org
-server {
-        server_name ~^(?<subdomain>.+)\.jibby\.org$;
-
-        location / {
-            access_log off;
-
-            proxy_set_header Host $subdomain.jibby.org;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            #proxy_set_header X-Scheme $scheme;
-            #proxy_set_header X-Forwarded-Proto $scheme;
-            #proxy_set_header X-Nginx-Scheme $scheme;
-            #proxy_set_header X-Forwarded-Port $server_port;
-            #proxy_redirect    off;
-
-            # For proxmox
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "upgrade";
-            proxy_read_timeout 86400;
-
-            proxy_pass https://192.168.69.1:443;
-    }
-
-    listen 443 ssl; # managed by Certbot
-    ssl_certificate /etc/letsencrypt/live/jibby.org-0001/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/jibby.org-0001/privkey.pem; # managed by Certbot
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-}

+ 0 - 11
templates/web/compose/conf.d/proxy_timeout.conf

@@ -1,11 +0,0 @@
-client_max_body_size 16000m;
-proxy_max_temp_file_size 0;
-
-proxy_connect_timeout       3000;
-proxy_send_timeout          3000;
-proxy_read_timeout          3000;
-send_timeout                3000;
-
-rewrite_log on;
-
-error_log /var/log/nginx/localhost.error_log warn;

+ 0 - 3
templates/web/compose/conf.d/real_ip.conf

@@ -1,3 +0,0 @@
-set_real_ip_from  172.0.0.0/8;
-real_ip_header    X-Forwarded-For;
-real_ip_recursive on;

+ 0 - 194
templates/web/docker.conf

@@ -1,194 +0,0 @@
-# jibby.org
-server {
-        server_name jibby.org;
-
-        location / {
-
-                set $temp $request;
-                if ($temp ~ (.*)password=[^&]*(.*)) {
-                    set $temp $1password=****$2;
-                }
-                access_log /var/log/nginx/access.log filter;
-
-                proxy_set_header Host jibby.org;
-                proxy_set_header X-Real-IP $remote_addr;
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Scheme $scheme;
-                proxy_set_header X-Forwarded-Proto $scheme;
-                proxy_set_header X-Nginx-Scheme $scheme;
-                proxy_set_header X-Forwarded-Port $server_port;
-                proxy_redirect    off;
-                proxy_pass http://localhost:8080;
-        }
-
-        # Used to try and trick matrix into routing jibby.org traffic to matrix
-        # location /_matrix {
-        #     proxy_pass http://localhost:8008;
-        #     proxy_set_header X-Forwarded-For $remote_addr;
-        # }
-        #
-        location /.well-known/matrix/ {
-            root /var/www/;
-            default_type application/json;
-            add_header Access-Control-Allow-Origin  *;
-        }
-
-
-    listen 443 ssl; # managed by Certbot
-    ssl_certificate /etc/letsencrypt/live/jibby.org/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/jibby.org/privkey.pem; # managed by Certbot
-    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-
-}
-
-server {
-    if ($host = jibby.org) {
-        return 302 https://$host$request_uri;
-    } # managed by Certbot
-
-
-        server_name jibby.org;
-        listen 80;
-    return 404; # managed by Certbot
-
-
-}
-
-
-# *.jibby.org
-server {
-        server_name ~^(?<subdomain>.+)\.jibby\.org$;
-
-        location / {
-            set $temp $request;
-            if ($temp ~ (.*)password=[^&]*(.*)) {
-                set $temp $1password=****$2;
-            }
-            access_log /var/log/nginx/access.log filter;
-
-            proxy_set_header Host $subdomain.jibby.org;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Scheme $scheme;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header X-Nginx-Scheme $scheme;
-            proxy_set_header X-Forwarded-Port $server_port;
-            proxy_redirect    off;
-            proxy_pass http://localhost:8080;
-    }
-
-    listen 443 ssl; # managed by Certbot
-    ssl_certificate /etc/letsencrypt/live/jibby.org-0001/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/jibby.org-0001/privkey.pem; # managed by Certbot
-    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-}
-
-server {
-
-    if ($host ~* (?<subdomain>.+)\.jibby\.org) {
-        return 302 https://$host$request_uri;
-    } # managed by Certbot
-
-
-        server_name ~^(?<subdomain>.+)\.jibby\.org$;
-        listen 80;
-    return 404; # managed by Certbot
-
-
-}
-
-
-# jossh.us
-# server {
-#         server_name jossh.us;
-#
-#         location / {
-#                 set $temp $request;
-#                 if ($temp ~ (.*)password=[^&]*(.*)) {
-#                     set $temp $1password=****$2;
-#                 }
-#                 access_log /var/log/nginx/access.log filter;
-#
-#                 proxy_set_header Host jossh.us;
-#                 proxy_set_header X-Real-IP $remote_addr;
-#                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-#                 proxy_set_header X-Scheme $scheme;
-#                 proxy_set_header X-Forwarded-Proto $scheme;
-#                 proxy_set_header X-Nginx-Scheme $scheme;
-#                 proxy_set_header X-Forwarded-Port $server_port;
-#                 proxy_redirect    off;
-#                 proxy_pass http://localhost:8080;
-#         }
-#
-#
-#     listen 443 ssl; # managed by Certbot
-#     ssl_certificate /etc/letsencrypt/live/jossh.us/fullchain.pem; # managed by Certbot
-#     ssl_certificate_key /etc/letsencrypt/live/jossh.us/privkey.pem; # managed by Certbot
-#     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-#     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-#
-#
-# }
-#
-# server {
-#     if ($host = jossh.us) {
-#         return 302 https://$host$request_uri;
-#     } # managed by Certbot
-#
-#
-#         server_name jossh.us;
-#       listen 80;
-#     return 404; # managed by Certbot
-#
-#
-# }
-#
-#
-# # *.jossh.us
-# server {
-#         server_name ~^(?<subdomain>.+)\.jossh\.us$;
-#
-#         location / {
-#
-#             set $temp $request;
-#             if ($temp ~ (.*)password=[^&]*(.*)) {
-#                 set $temp $1password=****$2;
-#             }
-#             access_log /var/log/nginx/access.log filter;
-#
-#             proxy_set_header Host $subdomain.jossh.us;
-#             proxy_set_header X-Real-IP $remote_addr;
-#             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-#             proxy_set_header X-Scheme $scheme;
-#             proxy_set_header X-Forwarded-Proto $scheme;
-#             proxy_set_header X-Nginx-Scheme $scheme;
-#             proxy_set_header X-Forwarded-Port $server_port;
-#             proxy_redirect    off;
-#             proxy_pass http://localhost:8080;
-#     }
-#
-#     listen 443 ssl; # managed by Certbot
-#     ssl_certificate /etc/letsencrypt/live/jossh.us-0001/fullchain.pem; # managed by Certbot
-#     ssl_certificate_key /etc/letsencrypt/live/jossh.us-0001/privkey.pem; # managed by Certbot
-#     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-#     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-#
-# }
-#
-# server {
-#
-#     if ($host ~* (?<subdomain>.+)\.jossh\.us) {
-#         return 302 https://$host$request_uri;
-#     } # managed by Certbot
-#
-#
-#         server_name ~^(?<subdomain>.+)\.jibby\.org$;
-#       listen 80;
-#     return 404; # managed by Certbot
-#
-#
-# }