From d1d9dd17c05792a2e62f5e83802e128e3f98d6f3 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Wed, 26 Jul 2023 12:12:29 -0400
Subject: [PATCH] staging

---
 deploy-static | 5 +-
 nginx/nginx.conf | 56 +++--------------------
 nginx/snippets/security-headers-base.conf | 3 ++
 3 files changed, 11 insertions(+), 53 deletions(-)

diff --git a/deploy-static b/deploy-static
index 4bf2506f5..1fcd9025c 100755
--- a/deploy-static
+++ b/deploy-static
@@ -11,10 +11,7 @@ fi
 
 ./process-static $fd
 
-servers=({0..3}.grapheneos.org)
-
-rsync -ptcv --chmod=F755 --fsync --preallocate certbot-replicate root@${servers[0]}:/usr/local/bin/
-rsync -ptcv --chmod=F644 --fsync --preallocate replicate.conf root@${servers[0]}:/etc/systemd/system/certbot-renew.service.d/
+servers=(staging.grapheneos.org)
 
 for server in ${servers[@]}; do
 echo $server
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 7f6ccae29..a81142659 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -55,8 +55,8 @@ http {
 ssl_prefer_server_ciphers on;
 ssl_conf_command Options PrioritizeChaCha;
 
- ssl_certificate /etc/letsencrypt/live/grapheneos.org/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/grapheneos.org/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/staging.grapheneos.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/staging.grapheneos.org/privkey.pem;
 
 # maintained by nginx-rotate-session-ticket-keys in ramfs
 ssl_session_ticket_key session-ticket-keys/4.key;
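Review bot: The ssl_certificate and ssl_certificate_key lines now point at /etc/letsencrypt/live/staging.grapheneos.org/, but nothing in this patch shows that lineage being issued on the staging host, and the deploy-static hunk removes the certbot-replicate rsync without adding a replacement, so a fresh host will fail the nginx configuration test until certbot has run for that name. The @@ -66 hunk carries the same dependency: ssl_trusted_certificate expects the staging chain.pem and ssl_stapling_file expects certbot-ocsp-fetcher to already write staging.grapheneos.org.der, and nginx appears to treat an unreadable staple file as a configuration error rather than falling back to a live OCSP fetch, so a reload would fail rather than degrade. A comment on the ssl_certificate line naming the prerequisite would make the ordering explicit: `# requires the staging.grapheneos.org certbot lineage and the matching certbot-ocsp-fetcher output before reload`. The enclosing http block starts and ends outside this hunk.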
@@ -66,11 +66,11 @@ http {
 ssl_session_timeout 1d;
 ssl_buffer_size 4k;
 
- ssl_trusted_certificate /etc/letsencrypt/live/grapheneos.org/chain.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/staging.grapheneos.org/chain.pem;
 ssl_stapling on;
 ssl_stapling_verify on;
 # maintained by certbot-ocsp-fetcher
- ssl_stapling_file /var/cache/certbot-ocsp-fetcher/grapheneos.org.der;
+ ssl_stapling_file /var/cache/certbot-ocsp-fetcher/staging.grapheneos.org.der;
 
 log_format main '$connection-$connection_requests $remote_addr $remote_user $ssl_protocol $server_protocol '
 '$host $request_method "$request_uri" $status $request_length $body_bytes_sent/$bytes_sent '
@@ -114,23 +114,7 @@ http {
 server {
 listen 80;
 listen [::]:80;
- server_name grapheneos.org www.grapheneos.org grapheneos.app www.grapheneos.app grapheneos.ca www.grapheneos.ca grapheneos.com www.grapheneos.com grapheneos.dev www.grapheneos.dev grapheneos.info www.grapheneos.info grapheneos.net www.grapheneos.net grapheneos.ovh www.grapheneos.ovh grapheneos.page www.grapheneos.page vanadium.app www.vanadium.app;
-
- keepalive_timeout 0;
-
- location /.well-known/acme-challenge/ {
- return 301 http://0.grapheneos.org$request_uri;
- }
-
- location / {
- return 301 https://$host$request_uri;
- }
- }
-
- server {
- listen 80;
- listen [::]:80;
- server_name 0.grapheneos.org;
+ server_name staging.grapheneos.org;
 
 keepalive_timeout 0;
 
@@ -139,7 +123,7 @@ http {
 }
 
 location / {
- return 301 https://grapheneos.org$request_uri;
+ return 301 https://$host$request_uri;
 }
 }
 
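Review bot: `return 301 https://$host$request_uri;` reflects the client-supplied Host header into the Location header, and after the @@ -114 hunk no other listen 80 server block is visible in this patch, which would make this block nginx's implicit default server for that port: a request whose Host header matches no server_name still lands here and is redirected to whatever host the client named. The old line redirected to a fixed name and the block now has a single server_name, so `return 301 https://$server_name$request_uri;` gives the same result for legitimate requests without the reflection; alternatively a separate `listen 80 default_server;` block returning 444 would confine the redirect to the named host. The removed multi-name block used the same $host form, so this may be an accepted trade-off, but a comment on the line stating that would save the next reader the same check. The enclosing server block starts outside this hunk.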
@@ -159,33 +143,7 @@ http {
 server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
- server_name www.grapheneos.org grapheneos.app www.grapheneos.app grapheneos.ca www.grapheneos.ca grapheneos.com www.grapheneos.com grapheneos.dev www.grapheneos.dev grapheneos.info www.grapheneos.info grapheneos.net www.grapheneos.net grapheneos.ovh www.grapheneos.ovh grapheneos.page www.grapheneos.page;
-
- include snippets/security-headers.conf;
- add_header Cross-Origin-Resource-Policy "same-origin" always;
-
- location / {
- return 301 https://grapheneos.org$request_uri;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name vanadium.app www.vanadium.app;
-
- include snippets/security-headers.conf;
- add_header Cross-Origin-Resource-Policy "same-origin" always;
-
- location / {
- return 302 https://github.com/GrapheneOS/Vanadium;
- }
- }
-
- server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name grapheneos.org;
+ server_name staging.grapheneos.org;
 
 include root_grapheneos.org.conf;
 error_page 403 =404 /404;
diff --git a/nginx/snippets/security-headers-base.conf b/nginx/snippets/security-headers-base.conf
index aa13ee38a..7badb403e 100644
--- a/nginx/snippets/security-headers-base.conf
+++ b/nginx/snippets/security-headers-base.conf
@@ -1,3 +1,6 @@
+# staging site (not a security header)
+add_header X-Robots-Tag "noindex" always;
+
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 add_header X-Content-Type-Options "nosniff" always;
 add_header Referrer-Policy "no-referrer" always;
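Review bot: `add_header X-Robots-Tag "noindex" always;` is a staging-only directive placed in the shared security-header snippet, and the comment above it already concedes it is not a security header; if this branch is rebased onto or merged into the production config, the production site is deindexed with nothing but that comment to catch it. Moving the line into its own snippet that only the staging server block includes (next to `include root_grapheneos.org.conf;` in the @@ -159 hunk) keeps security-headers-base.conf identical between environments, which is also what makes a staging-versus-production config diff reviewable. If it has to stay here, the comment should say so explicitly, e.g. `# staging only: this line must not reach production hosts; see deploy-static`.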