From 565f467f8f1e55f3e1ff6d609b6dfe0d2475b8df Mon Sep 17 00:00:00 2001
From: Lain Iwakura
Date: Mon, 29 Dec 2025 03:01:18 +0300
Subject: feat(all): init

---
 etc/acme-client.conf | 11 +++++++++++
 etc/httpd.conf       | 24 ++++++++++++++++++++++++
 etc/relayd.conf      | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 67 insertions(+)
 create mode 100644 etc/acme-client.conf
 create mode 100644 etc/httpd.conf
 create mode 100644 etc/relayd.conf

diff --git a/etc/acme-client.conf b/etc/acme-client.conf
new file mode 100644
index 0000000..913a2b2
--- /dev/null
+++ b/etc/acme-client.conf
@@ -0,0 +1,11 @@
+authority letsencrypt {
+	api url "https://acme-v02.api.letsencrypt.org/directory"
+	account key "/etc/acme/letsencrypt-privkey.pem"
+}
+
+domain iwakura.page {
+	alternative names { www.iwakura.page }
+	domain key "/etc/ssl/private/iwakura.page.key"
+	domain full chain certificate "/etc/ssl/iwakura.page.crt"
+	sign with letsencrypt
+}
diff --git a/etc/httpd.conf b/etc/httpd.conf
new file mode 100644
index 0000000..8d7cbc6
--- /dev/null
+++ b/etc/httpd.conf
@@ -0,0 +1,24 @@
+server "iwakura.page" {
+	listen on 127.0.0.1 port 8080
+	root "/htdocs/iwakura.page"
+	location "/.well-known/acme-challenge/*" {
+		root "/acme"
+		request strip 2
+	}
+
+	# block return 301 "https://$SERVER_NAME$REQUEST_URI"
+}
+
+server "www.iwakura.page" {
+	listen on 127.0.0.1 port 8080
+	block return 301 "https://iwakura.page$REQUEST_URI"
+}
+
+server "iwakura.page" {
+	listen on * port 80
+	location "/.well-known/acme-challenge/*" {
+		root "/acme"
+		request strip 2
+	}
+	block return 301 "https://iwakura.page$REQUEST_URI"
+}
diff --git a/etc/relayd.conf b/etc/relayd.conf
new file mode 100644
index 0000000..4348d63
--- /dev/null
+++ b/etc/relayd.conf
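Review bot: Nothing in this commit shows how relayd picks up a renewed certificate: acme-client rewrites `/etc/ssl/iwakura.page.crt` on renewal, but relayd keeps the keypair it loaded at start, so a reload (e.g. `rcctl reload relayd` after a successful `acme-client iwakura.page`) has to be wired up somewhere outside these three files — presumably cron or weekly(8), which is not part of this change. A comment above the `domain iwakura.page` block naming that dependency would save the next person a silent expiry, e.g. `# relayd loads this chain/key at start; reload relayd after every renewal`. The key and full-chain paths do line up with what relayd derives from `keypair iwakura.page`, so the two files are consistent as written.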
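Review bot: Neither 127.0.0.1:8080 `server` block sets a log style, so with relayd terminating TLS in front every access-log line will record 127.0.0.1 as the client and the `X-Forwarded-For` relayd injects is never recorded; add `log style forwarded` to both loopback servers so the logs keep the real peer address for incident review. Because relayd appends to rather than replaces that header, a client can prefix its own value — treat the last address in the list as the trustworthy one when reading those logs. The commented-out `block return 301` in the first server is dead as written; either drop it or say why it stays, e.g. `# no TLS redirect here: relayd terminates TLS, the port-80 server below redirects`.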
@@ -0,0 +1,32 @@
+ip4="193.26.157.243"
+table { 127.0.0.1 }
+log connection
+
+http protocol https {
+	match request header append "X-Forwarded-For" value "$REMOTE_ADDR"
+	match request header append "X-Forwarded-By" \
+	    value "$SERVER_ADDR:$SERVER_PORT"
+	match request header set "Connection" value "close"
+
+	tcp { sack, backlog 128 }
+	tls { keypair iwakura.page }
+
+	match request header "Host" value "iwakura.page" forward to
+	match request header "Host" value "www.iwakura.page" forward to
+
+	match response header append "Strict-Transport-Security" value "max-age=31536000; includeSubDomains; preload"
+	match response header append "Cache-Control" value "public, max-age=86400"
+	match response header append "Content-Security-Policy" value "default-src 'self'; script-src 'self'; object-src 'none';"
+	match response header append "X-Content-Type-Options" value "nosniff"
+	match response header append "X-Frame-Options" value "SAMEORIGIN"
+	match response header append "Referrer-Policy" value "no-referrer"
+	match response header append "Permissions-Policy" value "interest-cohort=()"
+
+	match request header set "Accept-Encoding" value "gzip, deflate"
+}
+
+relay wwwtls {
+	listen on $ip4 port 443 tls
+	protocol https
+	forward to port 8080 check icmp
+}
-- 
cgit 1.4.1
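Review bot: `check icmp` against a loopback table only proves the host answers ping, so httpd on port 8080 can be down and `relay wwwtls` will keep forwarding to it; use `check tcp` (or `check http "/" code 200`) on the `forward to` line so the backend itself is probed. The table and both `forward to` targets appear nameless in this rendering — most likely the `<name>` tokens were stripped as markup — so the text as shown would not load; worth confirming against the raw file. The security headers are added with `append`, which tacks onto any same-named header the backend already sends instead of replacing it; `set` is the right verb for `Strict-Transport-Security`, `Content-Security-Policy` and the rest if relayd is meant to be authoritative. Note also that the blanket `Cache-Control: public, max-age=86400` is applied to every response, including the 301 redirects and anything non-static httpd might later serve.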