Update

Author: alopatindev

_do.cr

@@ -183,8 +183,28 @@ def build
   build_vidstack_player
   build_zapthreads
 
-  build_jekyll(MIRROR_HOST, configs: [MAIN_SITE_CONFIG, Path["_config.i2p.yml"]]) unless DEBUG
-  build_jekyll(MIRROR_HOST, configs: [MAIN_SITE_CONFIG, Path["_config.tor.yml"]]) unless DEBUG
+  unless DEBUG
+    build_jekyll(MIRROR_HOST, configs: [MAIN_SITE_CONFIG, Path["_config.i2p.yml"]])
+    build_jekyll(MIRROR_HOST, configs: [MAIN_SITE_CONFIG, Path["_config.tor.yml"]])
+    Dir
+      .glob(".build/*/var/www/*")
+      .select { |i| File.directory?(i) }
+      .map { |i| Path[i] }
+      .each { |i|
+        robots = i.join("robots.txt")
+        unless File.exists?(robots)
+          File.write(robots, <<-STRING
+            User-agent: *
+            Disallow: /
+            STRING
+          )
+        end
+
+        f = "favicon.ico"
+        favicon = i.join(f)
+        File.copy(Path["assets"].join(f), favicon) unless File.exists?(favicon)
+      }
+  end
 
   build_rust_app(
     MEDIA_HOST,

_hosts/media.codonaft/etc/nginx/http.d/default.conf

@@ -1,6 +1,6 @@
 server {
-  listen 80 default_server;
-  listen [::]:80 default_server;
+  listen 80 reuseport default_server;
+  listen [::]:80 reuseport default_server;
 
   location / {
     return 404;
@@ -21,9 +21,12 @@ server {
 }
 
 server {
-  listen 443 ssl default_server;
-  listen [::]:443 ssl default_server;
+  listen 443 ssl reuseport default_server ipv6only=off backlog=1024;
+  listen [::]:443 ssl reuseport default_server ipv6only=off backlog=1024;
+  #listen 443 quic reuseport ipv6only=off;
+  #listen [::]:443 quic reuseport ipv6only=off;
   http2 on;
+  #http3 on;
 
   ssl_certificate /etc/nginx/ssl/selfsigned/example.com.crt;
   ssl_certificate_key /etc/nginx/ssl/selfsigned/example.com.key;

_hosts/media.codonaft/etc/nginx/http.d/media.conf

@@ -17,23 +17,18 @@ map $origin_allowed $origin {
 server {
   listen 443 ssl;
   listen [::]:443 ssl;
+  #listen 443 quic;
+  #listen [::]:443 quic;
   http2 on;
+  #http3 on;
+  set $h3 'h3=":$server_port"; ma=86400';
 
-  # # HTTP/3
-  # listen 443 quic reuseport;
-  # listen [::]:443 quic reuseport;
-  # quic_retry on;
-  # quic_gso on;
-  # ssl_quic on;
-  # ssl_early_data on;
-  # add_header Alt-Svc 'h2=":$server_port"; ma=86400, h3-29=":$server_port"; ma=86400, h3=":$server_port"; ma=86400' always;
-  # #add_header Alt-Svc 'h2=":$server_port"; ma=2592000; persist=1';
-  # #add_header Alt-Svc 'h3=":$server_port"; ma=86400';
-  # ssl_early_data on;
-  # ssl_ciphers HIGH:!aNULL:!MD5;
-  # ssl_prefer_server_ciphers on;
-  # #add_header X-Early-Data $tls1_3_early_data; # Debug 0-RTT
-  # add_header x-frame-options "deny";
+  #add_header Alt-Svc 'h2=":$server_port"; ma=86400, h3-29=":$server_port"; ma=86400, h3=":$server_port"; ma=86400' always;
+  #add_header Alt-Svc 'h2=":$server_port"; ma=2592000; persist=1' always;
+  #ssl_ciphers HIGH:!aNULL:!MD5;
+  #ssl_prefer_server_ciphers on;
+  #add_header X-Early-Data $tls1_3_early_data; # Debug 0-RTT
+  #add_header x-frame-options "deny";
 
   include /etc/nginx/cloudflare.conf;
 
@@ -66,6 +61,7 @@ server {
   }
 
   location ~ \.(m3u8|mp4|ts|vtt|webp)$ {
+    #add_header Alt-Svc $h3 always;
     add_header "Access-Control-Allow-Origin" $origin always;
 
     add_header Cache-Control "public, max-age=31536000, immutable";
@@ -90,10 +86,12 @@ server {
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
 
+    #add_header Alt-Svc $h3 always;
     proxy_pass http://tracker/announce;
   }
 
   location /ip {
+    #add_header Alt-Svc $h3 always;
     add_header "Access-Control-Allow-Origin" $origin always;
 
     add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
@@ -104,8 +102,9 @@ server {
   }
 
   location /torbulkexitlist {
-    resolver 9.9.9.9 1.1.1.1 ipv6=off valid=300s;
+    #add_header Alt-Svc $h3 always;
 
+    resolver 9.9.9.9 1.1.1.1 ipv6=off valid=300s;
     proxy_hide_header "Host";
     proxy_set_header "Host" "check.torproject.org";
     proxy_hide_header "Access-Control-Allow-Origin";

_hosts/media.codonaft/etc/nginx/http.d/nostr.conf

@@ -1,7 +1,10 @@
 server {
   listen 443 ssl;
   listen [::]:443 ssl;
+  #listen 443 quic;
+  #listen [::]:443 quic;
   http2 on;
+  #http3 on;
 
   include /etc/nginx/cloudflare.conf;
 

_hosts/media.codonaft/etc/nginx/http.d/omv.conf

@@ -16,7 +16,10 @@ server {
 server {
   listen 443 ssl;
   listen [::]:443 ssl;
+  #listen 443 quic;
+  #listen [::]:443 quic;
   http2 on;
+  #http3 on;
 
   include /etc/nginx/cloudflare.conf;
 

_hosts/media.codonaft/etc/nginx/http.d/test.conf

@@ -1,7 +1,10 @@
 #server {
 #  listen 443 ssl;
 #  listen [::]:443 ssl;
+#  #listen 443 quic;
+#  #listen [::]:443 quic;
 #  http2 on;
+#  #http3 on;
 #
 #  server_name .codonaft.star.is;
 #  ssl_certificate /etc/nginx/ssl/codonaft.star.is/fullchain.pem;

_hosts/media.codonaft/etc/periodic/hourly/probe-upstreams.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env sh
+
+get () {
+  sudo -u nobody curl --silent "$@" >>/dev/null
+}
+
+for view in events pubkeys ; do
+  path="/nostr/spam.nostr.band/spam_api?method=get_current_spam&view=${view}"
+  get --insecure --socks5-hostname '127.0.0.1:9050' --header 'origin: http://codonaftbvv4j5k7nsrdivbdblycqrng5ls2qkng6lm77svepqjyxgid.onion' "http://codonaftct3jsouvfyrjq4yumyngzv3el2msndf5oddccktgghnw7eyd.onion${path}"
+  get --proxy '127.0.0.1:4444' --header 'origin: http://codonaft.i2p' "http://codnaft43k7ncna2hfsxrzi2nqoxieu22vbyjkmhkwdrrta2ghlq.b32.i2p${path}"
+done
+
+get --header 'origin: https://codonaft.com' 'https://media.codonaft.com/torbulkexitlist'

_hosts/media.codonaft/var/www/media.codonaft.com/robots.txt

@@ -16,7 +16,7 @@ tcp_nodelay on;
 ignore_invalid_headers on;
 
 server {
-  listen 127.0.0.1:80;
+  listen 127.0.0.1:80 reuseport default_server;
   server_name codonaft.i2p;
   root /var/www/$server_name;
   index index.html;

_hosts/mirror.codonaft/etc/nginx/http.d/mirror.conf

@@ -89,7 +89,7 @@ I wish the third step was less esoteric and more reliable.
 Most likely this installation method will stop working after few ISO image releases.
 
 ## netboot.xyz
-Another [approach](https://netboot.xyz/docs/booting/grub#on-debianubuntu), which is actually pretty user-friendly, is `grub-imageboot` + `netboot.xyz`.
+Another [approach](https://web.archive.org/web/20250321221414/https://netboot.xyz/docs/booting/grub#on-debianubuntu), which is actually pretty user-friendly, is `grub-imageboot` + `netboot.xyz`.
 It works. However, I'm personally *very* uneasy about the
 {% include span_with_tooltip.html large="true" body="security" tooltip="Due to implementation limitations, it downloads everything over untrusted HTTP, not HTTPS. Any compromised router/ISP may easily replace OS you're trying to install with a modified backdoored/malicious version. Untrusted protocol <i>could</i> be okay, however I have serious concerns about whether netboot.xyz actually correctly checks all required signatures that relate <i>specifically</i> to <span class='no-wrap'>Alpine Linux.</span>" %}
 of this approach and have less time to verify it.