From 064a1d01c5c14f5ecc032fa9b8346a4a88b893f6 Mon Sep 17 00:00:00 2001
From: Dawid Rycerz <dawid@rycerz.xyz>
Date: Thu, 22 Jan 2026 22:07:32 +0100
Subject: witryna 0.1.0 — initial release
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Minimalist Git-based static site deployment orchestrator.
Webhook-triggered builds in Podman/Docker containers with atomic
symlink publishing, SIGHUP hot-reload, and zero-downtime deploys.

See README.md for usage, CHANGELOG.md for details.
---
 examples/nginx/witryna.conf | 48 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 examples/nginx/witryna.conf

(limited to 'examples/nginx/witryna.conf')

diff --git a/examples/nginx/witryna.conf b/examples/nginx/witryna.conf
new file mode 100644
index 0000000..5f56ef2
--- /dev/null
+++ b/examples/nginx/witryna.conf
@@ -0,0 +1,48 @@
+# witryna.conf — Nginx reverse proxy configuration for Witryna
+#
+# Two server blocks:
+# 1. Public site — serves the built static assets
+# 2. Webhook endpoint — proxies deploy triggers to Witryna
+#
+# TLS is not configured here — use certbot or similar to add certificates:
+#   sudo certbot --nginx -d my-site.example.com -d witryna.example.com
+
+# Public site — serves your built static files
+server {
+    listen 80;
+    server_name my-site.example.com;
+
+    root /var/lib/witryna/builds/my-site/current;
+    index index.html;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    # Security headers
+    add_header X-Frame-Options "DENY" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+}
+
+# Webhook endpoint — reverse proxy to Witryna
+server {
+    listen 80;
+    server_name witryna.example.com;
+
+    # Only allow POST requests
+    location / {
+        limit_except POST {
+            deny all;
+        }
+
+        proxy_pass http://127.0.0.1:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # Security headers
+    add_header X-Content-Type-Options "nosniff" always;
+}
-- 
cgit v1.2.3