potluck-nginx 0.0.1 → 0.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 599537fcab6df50b0126d73460295be4b366101667ad4c2317199b361153a5c1
-  data.tar.gz: 6a38b16b915efa971b1b93361dd1b995937b67a61031376879cf0aae857438be
+  metadata.gz: b5dc3bb7d62e4244f719abe5110cdb80a972b10f56f13d35844918a3eaa875df
+  data.tar.gz: b971afa507788f9bf2261df078e7df83df963928dba62dcca2e1cbf80a10cd6a
 SHA512:
-  metadata.gz: f007969613094559c4b68707b8bf87f570def7da9b5122673de84ca2a4c45409450ba348f7d8ff522191188afacdf1cf1a94c15f1a0b4cc36419e446ca921644
-  data.tar.gz: 6c3672941908c91d9151e7863ed0cb93c7e7ebf4463bcc2b7c8d997ac3baf529ef124bad4a1733c33ee3221a12cfad0cd41c60f72f85f9f2c1921f4d2646a436
+  metadata.gz: d6b3f68bf12bce2e2035689d9c07bd76af04d0f5c8ad596c1dfafb2c5faca4551e9a9d8c64e51fd6fb614f2b7e5dc4746a8f36137b5f416ecd78dffab961c6db
+  data.tar.gz: 3885228d15374b68b7af5d86050aea5bab688e4de24fa4cb18a54599bdece7baa0e6495487b707547be70646eefe4099184b69c60128370151b069153f5b2136

data/lib/potluck/nginx/ssl.rb

@@ -3,16 +3,22 @@
 require('time')
 
 module Potluck
-  class Nginx < Dish
+  class Nginx < Service
+    ##
+    # SSL-specific configuration for Nginx. Provides self-signed certificate generation for use in
+    # developemnt.
+    #
     class SSL
-      # Based on https://hackernoon.com/how-properly-configure-nginx-server-for-tls-sg1d3udt
+      # Reference: https://ssl-config.mozilla.org/#server=nginx&config=intermediate&guideline=5.6
       DEFAULT_CONFIG = {
-        'ssl_ciphers' => 'ECDH+AESGCM:ECDH+AES256-CBC:ECDH+AES128-CBC:DH+3DES:!ADH:!AECDH:!MD5',
-        'ssl_prefer_server_ciphers' => 'on',
+        'ssl_ciphers' => 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM'\
+          '-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:D'\
+          'HE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384',
+        'ssl_prefer_server_ciphers' => 'off',
         'ssl_protocols' => 'TLSv1.2 TLSv1.3',
-        'ssl_session_cache' => 'shared:SSL:40m',
-        'ssl_session_tickets' => 'on',
-        'ssl_session_timeout' => '4h',
+        'ssl_session_cache' => 'shared:SSL:10m',
+        'ssl_session_tickets' => 'off',
+        'ssl_session_timeout' => '1d',
         'add_header' => {
           repeat: true,
           'Strict-Transport-Security' => '\'max-age=31536000; includeSubDomains\' always',
@@ -24,8 +30,18 @@ module Potluck
 
       attr_reader(:csr_file, :key_file, :crt_file, :dhparam_file, :config)
 
-      def initialize(nginx, dir, host, crt_file: nil, key_file: nil, dhparam_file: nil,
-          config: {})
+      ##
+      # Creates a new instance. Providing no SSL files will cue generation of a self-signed certificate.
+      #
+      # * +nginx+ - Nginx instance.
+      # * +dir+ - Directory where SSL files are located or should be written to.
+      # * +host+ - Name of the host for determining file names and generating a self-signed certificate.
+      # * +crt_file+ - Path to the CRT file (optional).
+      # * +key_file+ - Path to the KEY file (optional).
+      # * +dhparam_file+ - Path to the DH parameters file (optional).
+      # * +config+ - Nginx configuration hash (optional).
+      #
+      def initialize(nginx, dir, host, crt_file: nil, key_file: nil, dhparam_file: nil, config: {})
         @nginx = nginx
         @dir = dir
         @host = host
@@ -33,7 +49,8 @@ module Potluck
         @auto_generated = !crt_file && !key_file && !dhparam_file
 
         if !@auto_generated && (!crt_file || !key_file || !dhparam_file)
-          raise('Must supply values for all three or none: crt_file, key_file, dhparam_file')
+          raise(ArgumentError.new('Must supply values for all three or none: crt_file, key_file, '\
+            'dhparam_file'))
         end
 
         @csr_file = File.join(@dir, "#{@host}.csr").freeze
@@ -41,15 +58,20 @@ module Potluck
         @key_file = key_file || File.join(@dir, "#{@host}.key").freeze
         @dhparam_file = dhparam_file || File.join(@dir, 'dhparam.pem').freeze
 
-        @config = {
+        @config = Util.deep_merge({
           'ssl_certificate' => @crt_file,
           'ssl_certificate_key' => @key_file,
           'ssl_dhparam' => @dhparam_file,
           'ssl_stapling' => ('on' unless @auto_generated),
           'ssl_stapling_verify' => ('on' unless @auto_generated),
-        }.merge!(DEFAULT_CONFIG).merge!(config)
+        }, DEFAULT_CONFIG, config)
       end
 
+      ##
+      # If SSL files were passed to SSL.new, does nothing. Otherwise checks if auto-generated SSL files
+      # exist and generates them if not. If they do exist, the expiration for the certificate is checked and
+      # the certificate regenerated if the expiration date is soon or in the past.
+      #
       def ensure_files
         return if !@auto_generated || (
           File.exists?(@csr_file) &&
@@ -86,6 +108,9 @@ module Potluck
 
       private
 
+      ##
+      # OpenSSL configuration content used when auto-generating an SSL certificate.
+      #
       def openssl_config
         <<~EOS
           [ req ]

data/lib/potluck/nginx/util.rb

@@ -1,17 +1,45 @@
 # frozen_string_literal: true
 
 module Potluck
-  class Nginx
+  class Nginx < Service
+    ##
+    # Utility methods for Nginx class.
+    #
     class Util
-      def self.deep_merge!(*hashes, arrays: false)
-        hash = hashes[0]
+      ##
+      # Merges N hashes by merging nested hashes rather than overwriting them as is the case with
+      # <tt>Hash#merge</tt>.
+      #
+      # * +hashes+ - Hashes to deep merge.
+      # * +arrays+ - True if arrays should be merged rather than overwritten (optional, default: false).
+      #
+      # Example:
+      #
+      #   h1 = {hello: {item1: 'world'}}
+      #   h2 = {hello: {item2: 'friend'}}
+      #
+      #   Util.deep_merge(h1, h2)
+      #   # => {hello: {item1: 'world', item2: 'friend'}}
+      #
+      # By default only hashes are merged and arrays are still overwritten as they are with
+      # <tt>Hash#merge</tt>. Passing <tt>arrays: true</tt> will result in arrays being merged similarly to
+      # hashes. Example:
+      #
+      #   h1 = {hello: {item1: ['world']}}
+      #   h2 = {hello: {item1: ['friend']}}
+      #
+      #   Util.deep_merge(h1, h2, arrays: true)
+      #   # => {hello: {item1: ['world', 'friend']}}
+      #
+      def self.deep_merge(*hashes, arrays: false)
+        hash = hashes[0].dup
 
         hashes[1..-1].each do |other_hash|
           other_hash.each do |key, other_value|
             this_value = hash[key]
 
             if this_value.kind_of?(Hash) && other_value.kind_of?(Hash)
-              deep_merge!(this_value, other_value, arrays: arrays)
+              hash[key] = deep_merge(this_value, other_value, arrays: arrays)
             elsif arrays && this_value.kind_of?(Array)
               hash[key] |= Array(other_value)
             else

data/lib/potluck/nginx.rb

@@ -6,7 +6,14 @@ require_relative('nginx/ssl')
 require_relative('nginx/util')
 
 module Potluck
-  class Nginx < Dish
+  ##
+  # A Ruby interface for configuring and controlling Nginx. Each instance of this class manages a separate
+  # Nginx configuration file, which is loaded and unloaded from the base Nginx configuration when #start and
+  # #stop are called, respectively. Any number of Ruby processes can thus each manage their own Nginx
+  # configuration and control whether or not it is active without interfering with any other instances or
+  # non-Ruby processes leveraging Nginx.
+  #
+  class Nginx < Service
     CONFIG_NAME_ACTIVE = 'nginx.conf'
     CONFIG_NAME_INACTIVE = 'nginx-stopped.conf'
     ACTIVE_CONFIG_PATTERN = File.join(DIR, '*', CONFIG_NAME_ACTIVE).freeze
@@ -14,8 +21,45 @@ module Potluck
     TEST_CONFIG_REGEX = /nginx: configuration file (?<config>.+) test (failed|is successful)/.freeze
     INCLUDE_REGEX = /^ *include +#{Regexp.escape(ACTIVE_CONFIG_PATTERN)} *;/.freeze
 
+    NON_LAUNCHCTL_COMMANDS = {
+      status: 'ps aux | grep \'[n]ginx: master process\'',
+      start: 'nginx',
+      stop: 'nginx -s stop',
+    }.freeze
+
+    ##
+    # Creates a new instance.
+    #
+    # * +hosts+ - One or more hosts.
+    # * +port+ - Port that the upstream (Ruby web server) is running on.
+    # * +subdomains+ - One or more subdomains (optional).
+    # * +ssl+ - SSL configuration arguments to pass to SSL.new (optional).
+    # * +one_host+ - True if URLs should be normalized to the first host in +hosts+ (optional, default:
+    #   false).
+    # * +www+ - +true+ if URLs should be normalized to include 'www.' prefix, +false+ to exclude 'www.', and
+    #   +nil+ if either is acceptable (optional, default: +nil+).
+    # * +multiple_slashes+ - +false+ if any occurrence of multiple slashes in the path portion of the URL
+    #   should be normalized to a single slash (optional, default: +nil+).
+    # * +multiple_question_marks+ - +false+ if multiple question marks in the URL signifying the start of
+    #   the query string should be normalized to a single question mark (optional, default: +nil+).
+    # * +trailing_slash+ - +true+ if URLs should be normalized to include a trailing slash at the end of the
+    #   path portion, +false+ to strip any trailing slash, and +nil+ if either is acceptable (optional,
+    #   default: +nil+).
+    # * +trailing_question_mark+ - +true+ if URLs should be normalized to include a trailing question mark
+    #   when the query string is empty, +false+ to strip any trailing question mark, and +nil+ if either is
+    #   acceptable (optional, default: +nil+).
+    # * +config+ - Nginx configuration hash; see #config (optional).
+    # * +ensure_host_entries+ - True if +hosts+ should be added to system /etc/hosts file as mappings to
+    #   localhost (optional, default: false).
+    # * +args+ - Arguments to pass to Potluck::Service.new (optional).
+    #
     def initialize(hosts, port, subdomains: nil, ssl: nil, one_host: false, www: nil, multiple_slashes: nil,
-        multiple_question_marks: nil, trailing_slash: nil, trailing_question_mark: nil, config: {}, **args)
+        multiple_question_marks: nil, trailing_slash: nil, trailing_question_mark: nil, config: {},
+        ensure_host_entries: false, **args)
+      if args[:manage] && !args[:manage].kind_of?(Hash) && !launchctl?
+        args[:manage] = NON_LAUNCHCTL_COMMANDS
+      end
+
       super(**args)
 
       @hosts = Array(hosts).map { |h| h.sub(/^www\./, '') }.uniq
@@ -23,6 +67,7 @@ module Potluck
       @host = @hosts.first
       @port = port
 
+      @ensure_host_entries = ensure_host_entries
       @dir = File.join(DIR, @host)
       @ssl = SSL.new(self, @dir, @host, **ssl) if ssl
 
@@ -37,16 +82,21 @@ module Potluck
       @trailing_question_mark = trailing_question_mark
       @additional_config = config
 
-      FileUtils.mkdir_p(DIR)
       FileUtils.mkdir_p(@dir)
 
       @config_file_active = File.join(@dir, CONFIG_NAME_ACTIVE).freeze
       @config_file_inactive = File.join(@dir, CONFIG_NAME_INACTIVE).freeze
     end
 
+    ##
+    # Ensures this instance's configuration file is active and starts Nginx if it's managed. If Nginx is
+    # already running, a reload signal is sent to the process after activating the configuration file.
+    #
     def start
+      return unless manage?
+
       @ssl&.ensure_files
-      ensure_host_entries
+      ensure_host_entries if @ensure_host_entries
       ensure_include
 
       write_config
@@ -57,18 +107,44 @@ module Potluck
       status == :active ? reload : super
     end
 
+    ##
+    # Ensures this instance's configuration file is inactive and optionally stops the Nginx process if it's
+    # managed.
+    #
+    # * +hard+ - True if the Nginx process should be stopped, false to just inactivate this instance's
+    #   configuration file and leave Nginx running (optional, default: false).
+    #
     def stop(hard = false)
+      return unless manage?
+
       deactivate_config
 
       hard || status != :active ? super() : reload
     end
 
+    ##
+    # Reloads Nginx if it's managed.
+    #
     def reload
+      return unless manage?
+
       run('nginx -s reload')
     end
 
+    ##
+    # Returns the content for the Nginx configuration file as a string.
+    #
+    def config_file_content
+      self.class.to_nginx_config(config)
+    end
+
     private
 
+    ##
+    # Returns a hash representation of the Nginx configuration file content. Any configuration passed to
+    # Nginx.new is deep-merged into a base configuration hash, meaning nested hashes are merged rather than
+    # overwritten (see Util.deep_merge).
+    #
     def config
       host_subdomains_regex = ([@host] + @subdomains).join('|')
       hosts_subdomains_regex = (@hosts + @subdomains).join('|')
@@ -78,113 +154,134 @@ module Potluck
           'server' => "127.0.0.1:#{@port}",
         },
 
-        'server' => Util.deep_merge!({
-          'charset' => 'UTF-8',
-          'access_log' => File.join(@dir, 'nginx-access.log'),
-          'error_log' => File.join(@dir, 'nginx-error.log'),
-
-          'listen' => {
-            repeat: true,
-            '8080' => true,
-            '[::]:8080' => true,
-            '4433 ssl http2' => @ssl ? true : nil,
-            '[::]:4433 ssl http2' => @ssl ? true : nil,
-          },
-          'server_name' => (@hosts + @subdomains).join(' '),
+        'server' => Util.deep_merge(
+          {
+            'charset' => 'UTF-8',
+            'access_log' => File.join(@dir, 'nginx-access.log'),
+            'error_log' => File.join(@dir, 'nginx-error.log'),
+
+            'listen' => {
+              repeat: true,
+              '8080' => true,
+              '[::]:8080' => true,
+              '4433 ssl http2' => @ssl ? true : nil,
+              '[::]:4433 ssl http2' => @ssl ? true : nil,
+            },
+            'server_name' => (@hosts + @subdomains).join(' '),
 
-          'gzip' => 'on',
-          'gzip_types' => 'application/javascript application/json text/css text/plain',
+            'gzip' => 'on',
+            'gzip_types' => 'application/javascript application/json application/xml text/css '\
+              'text/javascript text/plain',
 
-          'add_header' => {
-            repeat: true,
-            'Referrer-Policy' => 'same-origin',
-            'X-Frame-Options' => 'DENY',
-            'X-XSS-Protection' => '\'1; mode=block\'',
-            'X-Content-Type-Options' => 'nosniff',
-          },
-        }, @ssl ? @ssl.config : {}).merge!(
-          'location /' => {
-            raw: """
-              if ($host !~ ^#{hosts_subdomains_regex}$) { return 404; }
-
-              set $r 0;
-              set $s $scheme;
-              set $h $host;
-              set $p '';
-              set $u '';
-              set $q '';
-
-              #{if @www.nil? && @one_host == false
-                nil
-              elsif @www.nil? && @one_host == true
-                "if ($host !~ ^(www.)?#{host_subdomains_regex}$) { set $h $1#{@host}; set $r 1; }"
-              elsif @www == false && @one_host == false
-                "if ($host ~ ^www.(.+)$) { set $h $1; set $r 1; }"
-              elsif @www == false && @one_host == true
-                "if ($host !~ ^#{host_subdomains_regex}$) { set $h #{@host}; set $r 1; }"
-              elsif @www == true && @one_host == false
-                "if ($host !~ ^www.(.+)$) { set $h $1; set $r 1; }"
-              elsif @www == true && @one_host == true
-                "if ($host !~ ^www.#{host_subdomains_regex}$) { set $h www.#{@host}; set $r 1; }"
-              end}
-
-              if ($scheme = #{@other_scheme}) { set $s #{@scheme}; set $r 1; }
-              if ($http_host ~ :[0-9]+$) { set $p :#{@ssl ? '4433' : '8080'}; }
-              if ($request_uri ~ ^([^\\?]+)(\\?+.*)?$) { set $u $1; set $q $2; }
-
-              #{'if ($u ~ //) { set $u $uri; set $r 1; }' if @multiple_slashes == false}
-              #{'if ($q ~ ^\?\?+(.*)$) { set $q ?$1; set $r 1; }' if @multiple_question_marks == false}
-
-              #{if @trailing_question_mark == false
-                'if ($q ~ \?+$) { set $q \'\'; set $r 1; }'
-              elsif @trailing_question_mark == true
-                'if ($q !~ .) { set $q ?; set $r 1; }'
-              end}
-              #{if @trailing_slash == false
-                'if ($u ~ (.+?)/+$) { set $u $1; set $r 1; }'
-              elsif @trailing_slash == true
-                'if ($u ~ [^/]$) { set $u $u/; set $r 1; }'
-              end}
-
-              set $mr $request_method$r;
-
-              if ($mr ~ ^(GET|HEAD)1$) { return 301 $s://$h$p$u$q; }
-              if ($mr ~ 1$) { return 308 $s://$h$p$u$q; }
-            """.strip.gsub(/^ +/, '').gsub(/\n{3,}/, "\n\n"),
-
-            'proxy_pass' => "http://#{@host}",
-            'proxy_redirect' => 'off',
-            'proxy_set_header' => {
+            'add_header' => {
               repeat: true,
-              'Host' => @host,
-              'X-Real-IP' => '$remote_addr',
-              'X-Forwarded-For' => '$proxy_add_x_forwarded_for',
-              'X-Forwarded-Proto' => @ssl ? 'https' : 'http',
-              'X-Forwarded-Port' => @ssl ? '443' : '80',
+              'Referrer-Policy' => '\'same-origin\' always',
+              'X-Frame-Options' => '\'DENY\' always',
+              'X-XSS-Protection' => '\'1; mode=block\' always',
+              'X-Content-Type-Options' => '\'nosniff\' always',
             },
           },
-        ),
-      }
 
-      Util.deep_merge!(config['server'], @additional_config)
+          @ssl ? @ssl.config : {},
+
+          {
+            'location /' => {
+              raw: """
+                if ($host !~ ^#{hosts_subdomains_regex}$) { return 404; }
+
+                set $r 0;
+                set $s $scheme;
+                set $h $host;
+                set $port #{@ssl ? '443' : '80'};
+                set $p '';
+                set $u '';
+                set $q '';
+
+                #{if @www.nil? && @one_host == false
+                  nil
+                elsif @www.nil? && @one_host == true
+                  "if ($host !~ ^(www.)?#{host_subdomains_regex}$) { set $h $1#{@host}; set $r 1; }"
+                elsif @www == false && @one_host == false
+                  "if ($host ~ ^www.(.+)$) { set $h $1; set $r 1; }"
+                elsif @www == false && @one_host == true
+                  "if ($host !~ ^#{host_subdomains_regex}$) { set $h #{@host}; set $r 1; }"
+                elsif @www == true && @one_host == false
+                  "if ($host !~ ^www.(.+)$) { set $h $1; set $r 1; }"
+                elsif @www == true && @one_host == true
+                  "if ($host !~ ^www.#{host_subdomains_regex}$) { set $h www.#{@host}; set $r 1; }"
+                end}
+
+                if ($scheme = #{@other_scheme}) { set $s #{@scheme}; set $r 1; }
+                if ($http_host ~ :([0-9]+)$) { set $p :$1; set $port $1; }
+                if ($request_uri ~ ^([^\\?]+)(\\?+.*)?$) { set $u $1; set $q $2; }
+
+                #{'if ($u ~ //) { set $u $uri; set $r 1; }' if @multiple_slashes == false}
+                #{'if ($q ~ ^\?\?+(.*)$) { set $q ?$1; set $r 1; }' if @multiple_question_marks == false}
+
+                #{if @trailing_question_mark == false
+                  'if ($q ~ \?+$) { set $q \'\'; set $r 1; }'
+                elsif @trailing_question_mark == true
+                  'if ($q !~ .) { set $q ?; set $r 1; }'
+                end}
+                #{if @trailing_slash == false
+                  'if ($u ~ (.+?)/+$) { set $u $1; set $r 1; }'
+                elsif @trailing_slash == true
+                  'if ($u ~ [^/]$) { set $u $u/; set $r 1; }'
+                end}
+
+                set $mr $request_method$r;
+
+                if ($mr ~ ^(GET|HEAD)1$) { return 301 $s://$h$p$u$q; }
+                if ($mr ~ 1$) { return 308 $s://$h$p$u$q; }
+              """.strip.gsub(/^ +/, '').gsub(/\n{3,}/, "\n\n"),
+
+              'proxy_pass' => "http://#{@host}",
+              'proxy_redirect' => 'off',
+              'proxy_set_header' => {
+                repeat: true,
+                'Host' => '$http_host',
+                'X-Real-IP' => '$remote_addr',
+                'X-Forwarded-For' => '$proxy_add_x_forwarded_for',
+                'X-Forwarded-Proto' => @ssl ? 'https' : 'http',
+                'X-Forwarded-Port' => '$port',
+              },
+            },
+          },
+
+          @additional_config,
+        )
+      }
 
       config
     end
 
+    ##
+    # Writes the Nginx configuration to the (inactive) configuration file.
+    #
     def write_config
       File.open(@config_file_inactive, 'w') do |file|
-        file.write(self.class.to_nginx_config(config))
+        file.write(config_file_content)
       end
     end
 
+    ##
+    # Renames the inactive Nginx configuration file to its active name.
+    #
     def activate_config
       FileUtils.mv(@config_file_inactive, @config_file_active)
     end
 
+    ##
+    # Renames the active Nginx configuration file to its inactive name.
+    #
     def deactivate_config
       FileUtils.mv(@config_file_active, @config_file_inactive) if File.exists?(@config_file_active)
     end
 
+    ##
+    # Ensures hosts are mapped to localhost in the system /etc/hosts file. Useful in development. Uses sudo
+    # to perform the write, which will prompt for the system user's password.
+    #
     def ensure_host_entries
       content = File.read('/etc/hosts')
       missing_entries = (@hosts + @subdomains).each_with_object([]) do |h, a|
@@ -204,6 +301,11 @@ module Potluck
       )
     end
 
+    ##
+    # Ensures Nginx's base configuration file contains an include statement for Potluck's Nginx
+    # configuration files. Sudo is not used, so Nginx's base configuration file must be writable by the
+    # system user running this Ruby process.
+    #
     def ensure_include
       config_file = `nginx -t 2>&1`[TEST_CONFIG_REGEX, :config]
       config_content = File.read(config_file)
@@ -214,6 +316,57 @@ module Potluck
       end
     end
 
+    ##
+    # Converts a hash to an Nginx configuration file content string. Keys should be strings and values
+    # either strings or hashes. A +nil+ value in a hash will result in that key-value pair being omitted.
+    #
+    # * +hash+ - Hash to convert to the string content of an Nginx configuration file.
+    # * +indent+ - Number of spaces to indent; used when the method is called recursively and should not be
+    #   set explicitly (optional, default: 0).
+    # * +repeat+ - Value to prepend to each entry of the hash; used when the method is called recursively
+    #   and should not be set explicitly (optional).
+    #
+    # Symbol keys in hashes are used as special directives. Including <tt>repeat: true</tt> will cause the
+    # parent hash's key for the child hash to be prefixed to each line of the output. Example:
+    #
+    #   {
+    #     # ...
+    #
+    #     'add_header' => {
+    #       repeat: true,
+    #       'X-Frame-Options' => 'DENY',
+    #       'X-Content-Type-Options' => 'nosniff',
+    #     }
+    #   }
+    #
+    # Result:
+    #
+    #   # ...
+    #
+    #   add_header X-Frame-Options DENY;
+    #   add_header X-Content-Type-Options nosniff;
+    #
+    # A hash containing <tt>raw: '...'</tt> can be used to include a raw chunk of text rather than key-value
+    # pairs. Example:
+    #
+    #   {
+    #     # ...
+    #
+    #     'location /' => {
+    #       raw: """
+    #         if ($scheme = https) { ... }
+    #         if ($host ~ ^www.) { ... }
+    #       """,
+    #     }
+    #   }
+    #
+    # Result:
+    #
+    #   location / {
+    #     if ($scheme = https) { ... }
+    #     if ($host ~ ^www.) { ... }
+    #   }
+    #
     def self.to_nginx_config(hash, indent: 0, repeat: nil)
       hash.each_with_object(+'') do |(k, v), config|
         next if v.nil?
@@ -235,6 +388,9 @@ module Potluck
       end
     end
 
+    ##
+    # Content of the launchctl plist file.
+    #
     def self.plist
       super(
         <<~EOS

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: potluck-nginx
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.5
 platform: ruby
 authors:
 - Nate Pickens
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-27 00:00:00.000000000 Z
+date: 2021-12-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: potluck
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.0.1
+        version: 0.0.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.0.1
+        version: 0.0.5
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -92,7 +92,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.2.32
 signing_key:
 specification_version: 4
 summary: A Ruby manager for Nginx.