From 0f70f43090a6513aab315e90b0a82d736bb7ec20 Mon Sep 17 00:00:00 2001 
From: Jeremy Dormitzer Date: Tue, 8 Mar 2022 11:57:29 -0500 Subject: [PATCH] Add nginx ssl termination server Squashed commit of the following: commit 8371367d54e5975d1ed3bd28ef56a4e8837fb3a5 Author: Jeremy Dormitzer Date: Tue Mar 8 11:56:39 2022 -0500 Ensure that nginx restarts after cert renewal commit f2ef1ba9f24abd795f176bc6790188616252a54b Author: Jeremy Dormitzer Date: Tue Oct 5 21:16:44 2021 -0400 Put syncthing behind nginx commit 6c10b1bb97e386e24b9896b34a9a9ce8d8a3b42d Author: Jeremy Dormitzer Date: Tue Oct 5 17:45:53 2021 -0400 Put wallabag behind nginx proxy commit dd29785d86eb1222fb79791b464f155acb643539 Author: Jeremy Dormitzer Date: Mon Oct 4 17:30:46 2021 -0400 Put gitea behind the nginx proxy commit 2d82c0ad5400dd16d63b7219aa8294ee622ddcaf Author: Jeremy Dormitzer Date: Mon Oct 4 13:36:37 2021 -0400 Add terraform outputs and spin up nginx droplet commit 322449a194f51b6866ff9f6b56ab122610a5e108 Author: Jeremy Dormitzer Date: Mon Oct 4 13:29:59 2021 -0400 Finish packer build for nginx proxy commit aec886064a1bf78ff113e5564fefc716f5cf0ac1 Author: Jeremy Dormitzer Date: Mon Oct 4 09:28:06 2021 -0400 [WIP] Add actual server values to nginx conf commit 2c645d94c6e58d62b35f7433a82d43cd5c23cb15 Author: Jeremy Dormitzer Date: Mon Oct 4 09:06:02 2021 -0400 [WIP] Use terraform to generate nginx conf file commit 61ebc3d7af6da7093e5bd4fc85a89be64ecc3cf0 Author: Jeremy Dormitzer Date: Mon Oct 4 09:04:56 2021 -0400 Ignore all tmp directories commit e3feb6d3f715849c47752471b3f6778581128442 Author: Jeremy Dormitzer Date: Sun Oct 3 12:32:42 2021 -0400 [WIP] Begin adding packer config for centralized ssl termination --- .gitignore | 1 + mgmt/do-jeremydormitzer-com/terraform/data.tf | 34 +---- mgmt/do-jeremydormitzer-com/terraform/main.tf | 6 +- prod/gitea/packer/.gitignore | 4 +- prod/gitea/packer/Makefile | 29 +---- prod/gitea/packer/files/gitea-nginx.conf | 28 ---- prod/gitea/packer/gitea.json | 19 --- prod/gitea/packer/packer-manifest.json | 11 +- 
prod/gitea/packer/scripts/dependencies.sh | 2 +- prod/gitea/packer/scripts/nginx.sh | 16 --- prod/nginx/packer/Makefile | 24 ++++ prod/nginx/packer/files/certbot-renew.service | 7 + prod/nginx/packer/files/certbot-renew.timer | 10 ++ prod/nginx/packer/files/nginx-restart.service | 7 + prod/nginx/packer/files/nginx-restart.timer | 10 ++ prod/nginx/packer/files/sshd_config | 122 ++++++++++++++++++ prod/nginx/packer/nginx.json | 62 +++++++++ prod/nginx/packer/packer-manifest.json | 104 +++++++++++++++ prod/nginx/packer/scripts/dependencies.sh | 9 ++ prod/nginx/packer/scripts/nginx.sh | 29 +++++ .../packer/templates/do.ini.template | 0 .../packer/terraform/.terraform.lock.hcl | 41 ++++++ prod/nginx/packer/terraform/data.tf | 59 +++++++++ prod/nginx/packer/terraform/main.tf | 31 +++++ .../terraform/templates/nginx.conf.template | 97 ++++++++++++++ prod/nginx/packer/terraform/terraform.tf | 18 +++ prod/nginx/packer/terraform/variables.tf | 11 ++ prod/nginx/terraform/.terraform.lock.hcl | 41 ++++++ prod/nginx/terraform/main.tf | 13 ++ prod/nginx/terraform/outputs.tf | 7 + prod/nginx/terraform/terraform.tf | 18 +++ prod/nginx/terraform/variables.tf | 11 ++ prod/syncthing/packer/Makefile | 24 +--- prod/syncthing/packer/do.ini.template | 1 - prod/syncthing/packer/packer-manifest.json | 20 ++- prod/syncthing/packer/syncthing.conf | 26 ---- prod/syncthing/packer/syncthing.json | 36 +----- prod/syncthing/packer/syncthing@.service | 2 +- prod/wallabag/packer/Makefile | 28 +--- .../wallabag/packer/files/wallabag-nginx.conf | 22 +--- prod/wallabag/packer/packer-manifest.json | 11 +- prod/wallabag/packer/scripts/nginx.sh | 3 - .../wallabag/packer/templates/do.ini.template | 1 - prod/wallabag/packer/wallabag.json | 14 +- 44 files changed, 790 insertions(+), 279 deletions(-) delete mode 100644 prod/gitea/packer/files/gitea-nginx.conf delete mode 100644 prod/gitea/packer/scripts/nginx.sh create mode 100644 prod/nginx/packer/Makefile create mode 100644 
prod/nginx/packer/files/certbot-renew.service create mode 100644 prod/nginx/packer/files/certbot-renew.timer create mode 100644 prod/nginx/packer/files/nginx-restart.service create mode 100644 prod/nginx/packer/files/nginx-restart.timer create mode 100644 prod/nginx/packer/files/sshd_config create mode 100644 prod/nginx/packer/nginx.json create mode 100644 prod/nginx/packer/packer-manifest.json create mode 100644 prod/nginx/packer/scripts/dependencies.sh create mode 100644 prod/nginx/packer/scripts/nginx.sh rename prod/{gitea => nginx}/packer/templates/do.ini.template (100%) create mode 100644 prod/nginx/packer/terraform/.terraform.lock.hcl create mode 100644 prod/nginx/packer/terraform/data.tf create mode 100644 prod/nginx/packer/terraform/main.tf create mode 100644 prod/nginx/packer/terraform/templates/nginx.conf.template create mode 100644 prod/nginx/packer/terraform/terraform.tf create mode 100644 prod/nginx/packer/terraform/variables.tf create mode 100644 prod/nginx/terraform/.terraform.lock.hcl create mode 100644 prod/nginx/terraform/main.tf create mode 100644 prod/nginx/terraform/outputs.tf create mode 100644 prod/nginx/terraform/terraform.tf create mode 100644 prod/nginx/terraform/variables.tf delete mode 100644 prod/syncthing/packer/do.ini.template delete mode 100644 prod/syncthing/packer/syncthing.conf delete mode 100644 prod/wallabag/packer/templates/do.ini.template diff --git a/.gitignore b/.gitignore index 13728e2..e27a650 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ /backend-config.tf */**/.terraform *.tfstate* +*/**/tmp/ \ No newline at end of file diff --git a/mgmt/do-jeremydormitzer-com/terraform/data.tf b/mgmt/do-jeremydormitzer-com/terraform/data.tf index e53cf88..e9f8da4 100644 --- a/mgmt/do-jeremydormitzer-com/terraform/data.tf +++ b/mgmt/do-jeremydormitzer-com/terraform/data.tf @@ -1,4 +1,4 @@ -data "terraform_remote_state" "git_jeremydormitzer_com" { +data "terraform_remote_state" "nginx" { backend = "s3" config = { 
@@ -9,37 +9,7 @@ data "terraform_remote_state" "git_jeremydormitzer_com" { region = "us-east-1" endpoint = "nyc3.digitaloceanspaces.com" bucket = "jdormit-tf-state" - key = "prod/gitea.tfstate" - } -} - -data "terraform_remote_state" "syncthing" { - backend = "s3" - - config = { - skip_credentials_validation = true - skip_metadata_api_check = true - access_key = var.spaces_access_id - secret_key = var.spaces_secret_key - region = "us-east-1" - endpoint = "nyc3.digitaloceanspaces.com" - bucket = "jdormit-tf-state" - key = "prod/syncthing.tfstate" - } -} - -data "terraform_remote_state" "wallabag" { - backend = "s3" - - config = { - skip_credentials_validation = true - skip_metadata_api_check = true - access_key = var.spaces_access_id - secret_key = var.spaces_secret_key - region = "us-east-1" - endpoint = "nyc3.digitaloceanspaces.com" - bucket = "jdormit-tf-state" - key = "prod/wallabag.tfstate" + key = "prod/nginx.tfstate" } } diff --git a/mgmt/do-jeremydormitzer-com/terraform/main.tf b/mgmt/do-jeremydormitzer-com/terraform/main.tf index 485e2a7..67f1e77 100644 --- a/mgmt/do-jeremydormitzer-com/terraform/main.tf +++ b/mgmt/do-jeremydormitzer-com/terraform/main.tf @@ -46,7 +46,7 @@ resource "digitalocean_record" "git" { domain = digitalocean_domain.jeremydormitzer_com.name type = "A" name = "git" - value = data.terraform_remote_state.git_jeremydormitzer_com.outputs.gitea_ip_address + value = data.terraform_remote_state.nginx.outputs.nginx_ip_address ttl = 3600 } @@ -80,7 +80,7 @@ resource "digitalocean_record" "syncthing" { domain = digitalocean_domain.jeremydormitzer_com.name type = "A" name = "syncthing" - value = data.terraform_remote_state.syncthing.outputs.ip_address + value = data.terraform_remote_state.nginx.outputs.nginx_ip_address ttl = 3600 } 
@@ -88,7 +88,7 @@ resource "digitalocean_record" "wallabag" { domain = digitalocean_domain.jeremydormitzer_com.name type = "A" name = "wallabag" - value = data.terraform_remote_state.wallabag.outputs.ip_address + value = data.terraform_remote_state.nginx.outputs.nginx_ip_address ttl = 3600 } diff --git a/prod/gitea/packer/.gitignore b/prod/gitea/packer/.gitignore index 6f7c105..0b3b071 100644 --- a/prod/gitea/packer/.gitignore +++ b/prod/gitea/packer/.gitignore @@ -1,3 +1 @@ -files/app.ini -tmp/ -certbot/ \ No newline at end of file +files/app.ini \ No newline at end of file diff --git a/prod/gitea/packer/Makefile b/prod/gitea/packer/Makefile index 2975d85..92dad9d 100644 --- a/prod/gitea/packer/Makefile +++ b/prod/gitea/packer/Makefile @@ -5,35 +5,8 @@ packer-manifest.json: gitea.json \ scripts/volume.sh \ files/gitea.service \ files/app.ini \ - scripts/gitea.sh \ - files/gitea-nginx.conf \ - scripts/nginx.sh \ - certbot/live/git.jeremydormitzer.com/fullchain.pem \ - certbot/live/git.jeremydormitzer.com/privkey.pem + scripts/gitea.sh packer build gitea.json files/app.ini: templates/app.ini.template sigil -p -f templates/app.ini.template > files/app.ini - -certbot/live/git.jeremydormitzer.com/fullchain.pem certbot/live/git.jeremydormitzer.com/privkey.pem &: tmp/do.ini - certbot certonly -n \ - --agree-tos \ - --email ${CERTBOT_EMAIL} \ - --dns-digitalocean \ - --dns-digitalocean-credentials tmp/do.ini \ - --config-dir ./certbot \ - --work-dir ./certbot \ - --logs-dir ./certbot \ - -d git.jeremydormitzer.com - - -tmp/do.ini: templates/do.ini.template tmp - sigil -p -f templates/do.ini.template > tmp/do.ini - chmod 600 tmp/do.ini - -tmp: - mkdir tmp - -reissue-certs: - rm -rf certbot - make diff --git a/prod/gitea/packer/files/gitea-nginx.conf b/prod/gitea/packer/files/gitea-nginx.conf deleted file mode 100644 index 9353285..0000000 --- a/prod/gitea/packer/files/gitea-nginx.conf +++ /dev/null 
@@ -1,28 +0,0 @@ -server { - listen [::]:443 ssl ipv6only=on; - listen 443 ssl; - - ssl_certificate /var/www/gitea/fullchain.pem; - ssl_certificate_key /var/www/gitea/privkey.pem; - - ssl_session_cache shared:le_nginx_SSL:1m; - ssl_session_timeout 1440m; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - - ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"; - - error_log /var/log/nginx/gitea_error.log; - access_log /var/log/nginx/gitea_access.log; - - location / { - proxy_pass http://localhost:3000; - } -} - -server { - listen 80; - listen [::]:80; - return 301 https://$host$request_uri; -} \ No newline at end of file diff --git a/prod/gitea/packer/gitea.json b/prod/gitea/packer/gitea.json index a77da3e..15f9458 100644 --- a/prod/gitea/packer/gitea.json +++ b/prod/gitea/packer/gitea.json @@ -31,25 +31,6 @@ { "type": "shell", "script": "scripts/gitea.sh" - }, - { - "type": "file", - "source": "files/gitea-nginx.conf", - "destination": "/tmp/gitea-nginx.conf" - }, - { - "type": "file", - "source": "certbot/live/git.jeremydormitzer.com/fullchain.pem", - "destination": "/tmp/fullchain.pem" - }, - { - "type": "file", - "source": "certbot/live/git.jeremydormitzer.com/privkey.pem", - "destination": "/tmp/privkey.pem" - }, - { - "type": "shell", - "script": "scripts/nginx.sh" } ], "post-processors": [ 
diff --git a/prod/gitea/packer/packer-manifest.json b/prod/gitea/packer/packer-manifest.json index bccdab8..0e4d836 100644 --- a/prod/gitea/packer/packer-manifest.json +++ b/prod/gitea/packer/packer-manifest.json @@ -134,7 +134,16 @@ "artifact_id": "nyc1:92247567", "packer_run_uuid": "52ad5b0e-38ad-ec89-55ab-faa672baa34a", "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633381649, + "files": null, + "artifact_id": "nyc1:92993522", + "packer_run_uuid": "7adbc6f3-4862-2e30-c0d0-a604b107a1bc", + "custom_data": null } ], - "last_run_uuid": "52ad5b0e-38ad-ec89-55ab-faa672baa34a" + "last_run_uuid": "7adbc6f3-4862-2e30-c0d0-a604b107a1bc" } \ No newline at end of file diff --git a/prod/gitea/packer/scripts/dependencies.sh b/prod/gitea/packer/scripts/dependencies.sh index 5955e1a..fa9ad0a 100644 --- a/prod/gitea/packer/scripts/dependencies.sh +++ b/prod/gitea/packer/scripts/dependencies.sh @@ -2,5 +2,5 @@ set -ex -sudo apt-get update +sudo apt-get update && sleep 5 sudo apt-get install -y git bindfs diff --git a/prod/gitea/packer/scripts/nginx.sh b/prod/gitea/packer/scripts/nginx.sh deleted file mode 100644 index a9d6244..0000000 --- a/prod/gitea/packer/scripts/nginx.sh +++ /dev/null @@ -1,16 +0,0 @@ -#!/usr/bin/env bash - -set -ex - -sudo apt-get install -y nginx -sudo mv /tmp/gitea-nginx.conf /etc/nginx/sites-available/gitea.conf -sudo ln -s /etc/nginx/sites-available/gitea.conf \ - /etc/nginx/sites-enabled/ -sudo unlink /etc/nginx/sites-enabled/default - -sudo mkdir -p /var/www/gitea -sudo mv /tmp/fullchain.pem /var/www/gitea/fullchain.pem -sudo mv /tmp/privkey.pem /var/www/gitea/privkey.pem -chown www-data:www-data /var/www/gitea/{fullchain,privkey}.pem - -sudo systemctl enable nginx diff --git a/prod/nginx/packer/Makefile b/prod/nginx/packer/Makefile new file mode 100644 index 0000000..8a69548 --- /dev/null +++ b/prod/nginx/packer/Makefile 
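Review bot: `sudo apt-get update && sleep 5` reads as a workaround — most likely for the apt/dpkg lock still being held by the cloud image's first-boot update jobs — but nothing in the script says so, and a bare `sleep 5` is the kind of line the next maintainer deletes. A one-line comment above it such as `# fresh droplets may still hold the apt lock from first-boot updates; give it a moment` would preserve the intent. The identical line is added in prod/nginx/packer/scripts/dependencies.sh in this commit and deserves the same comment. A fixed sleep is also a guess rather than a guarantee; if builds still fail intermittently, waiting on the lock itself is the deterministic fix.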
@@ -0,0 +1,24 @@
+.PHONY: force
+
+packer-manifest.json: nginx.json \
+ tmp/nginx.conf \
+ tmp/do.ini \
+ files/certbot-renew.service \
+ files/certbot-renew.timer \
+ files/nginx-restart.service \
+ files/nginx-restart.timer \
+ scripts/dependencies.sh \
+ scripts/nginx.sh
+ packer build nginx.json
+
+tmp/nginx.conf: tmp force
+ cd terraform && terraform apply -auto-approve
+
+tmp/do.ini: templates/do.ini.template tmp
+ sigil -p -f templates/do.ini.template > tmp/do.ini
+ chmod 600 tmp/do.ini
+
+tmp:
+ mkdir tmp
+
+force:
diff --git a/prod/nginx/packer/files/certbot-renew.service b/prod/nginx/packer/files/certbot-renew.service
new file mode 100644
index 0000000..60f294a
--- /dev/null
+++ b/prod/nginx/packer/files/certbot-renew.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Renew certbot certificates
+Wants=cerbot-renew.timer
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/env certbot renew
\ No newline at end of file
diff --git a/prod/nginx/packer/files/certbot-renew.timer b/prod/nginx/packer/files/certbot-renew.timer
new file mode 100644
index 0000000..a74b0da
--- /dev/null
+++ b/prod/nginx/packer/files/certbot-renew.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Renew certbot certificates
+
+[Timer]
+OnBootSec=30s
+OnCalendar=Sat 20:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target
\ No newline at end of file
diff --git a/prod/nginx/packer/files/nginx-restart.service b/prod/nginx/packer/files/nginx-restart.service
new file mode 100644
index 0000000..e0a496b
--- /dev/null
+++ b/prod/nginx/packer/files/nginx-restart.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Restart nginx
+Wants=restart-nginx.timer
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/env systemctl restart nginx
\ No newline at end of file
diff --git a/prod/nginx/packer/files/nginx-restart.timer b/prod/nginx/packer/files/nginx-restart.timer
new file mode 100644
index 0000000..1d96859
--- /dev/null
+++ b/prod/nginx/packer/files/nginx-restart.timer
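Review bot: `Wants=cerbot-renew.timer` in certbot-renew.service names a unit that does not exist (the timer added alongside it is `certbot-renew.timer`), and nginx-restart.service has the same mismatch with `Wants=restart-nginx.timer` against the file `nginx-restart.timer`; systemd only logs a missing dependency for these, so the typos fail silently. Both units run a command that exits on completion, for which `Type=oneshot` rather than `Type=simple` is the conventional declaration. The Sat 20:00 renewal followed by a Sat 20:02 restart is a race rather than an ordering: a renewal that runs long (it presumably re-applies the 30 s DNS-propagation wait per name from the build-time run) or fails outright leaves nginx on the old certificate until the following week, and a failed renewal still triggers a restart. Tying the reload to the renewal, `ExecStart=/usr/bin/env certbot renew --deploy-hook 'systemctl reload nginx'`, removes the race and makes the separate nginx-restart units unnecessary.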
@@ -0,0 +1,10 @@
+[Unit]
+Description=Restart nginx
+
+[Timer]
+OnBootSec=60s
+OnCalendar=Sat 20:02
+Persistent=true
+
+[Install]
+WantedBy=timers.target
\ No newline at end of file
diff --git a/prod/nginx/packer/files/sshd_config b/prod/nginx/packer/files/sshd_config
new file mode 100644
index 0000000..f82ba81
--- /dev/null
+++ b/prod/nginx/packer/files/sshd_config
@@ -0,0 +1,122 @@
+# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Port 222
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication no
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin yes
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
diff --git a/prod/nginx/packer/nginx.json b/prod/nginx/packer/nginx.json
new file mode 100644
index 0000000..8007d4f
--- /dev/null
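Review bot: `PermitRootLogin yes` on the internet-facing TLS termination host leaves a password path to root open the moment `PasswordAuthentication` is flipped back on or PAM is reconfigured — the stock comment block above `UsePAM yes` in this same file warns that PAM can bypass the PermitRootLogin setting. The build itself only needs key-based root access (nginx.json sets `ssh_username` to root and this file sets `PasswordAuthentication no`), so `PermitRootLogin prohibit-password` keeps what the build relies on and closes the rest. `X11Forwarding yes` is likewise enabled on a headless proxy with no reason visible here; `X11Forwarding no` is the safer default. The move to `Port 222` appears to exist because the `stream` block in nginx.conf.template takes port 22 for gitea's SSH passthrough; a comment on that line, `# 22 is forwarded to gitea by nginx's stream block`, would save the next reader the search.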
+++ b/prod/nginx/packer/nginx.json
@@ -0,0 +1,62 @@
+{
+ "builders": [
+ {
+ "type": "digitalocean",
+ "image": "ubuntu-18-04-x64",
+ "region": "nyc1",
+ "size": "s-1vcpu-1gb",
+ "snapshot_name": "packer-nginx-{{timestamp}}",
+ "ssh_username": "root"
+ }
+ ],
+ "provisioners": [
+ {
+ "type": "shell",
+ "script": "scripts/dependencies.sh"
+ },
+ {
+ "type": "file",
+ "source": "tmp/nginx.conf",
+ "destination": "/tmp/nginx.conf"
+ },
+ {
+ "type": "file",
+ "source": "tmp/do.ini",
+ "destination": "/tmp/do.ini"
+ },
+ {
+ "type": "file",
+ "source": "files/certbot-renew.timer",
+ "destination": "/tmp/certbot-renew.timer"
+ },
+ {
+ "type": "file",
+ "source": "files/certbot-renew.service",
+ "destination": "/tmp/certbot-renew.service"
+ },
+ {
+ "type": "file",
+ "source": "files/nginx-restart.timer",
+ "destination": "/tmp/nginx-restart.timer"
+ },
+ {
+ "type": "file",
+ "source": "files/nginx-restart.service",
+ "destination": "/tmp/nginx-restart.service"
+ },
+ {
+ "type": "file",
+ "source": "files/sshd_config",
+ "destination": "/tmp/sshd_config"
+ },
+ {
+ "type": "shell",
+ "script": "scripts/nginx.sh"
+ }
+ ],
+ "post-processors": [
+ {
+ "type": "manifest"
+ }
+ ]
+}
diff --git a/prod/nginx/packer/packer-manifest.json b/prod/nginx/packer/packer-manifest.json
new file mode 100644
index 0000000..4d6112b
--- /dev/null
+++ b/prod/nginx/packer/packer-manifest.json
@@ -0,0 +1,104 @@ +{ + "builds": [ + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633368571, + "files": null, + "artifact_id": "nyc1:92979065", + "packer_run_uuid": "81fa12be-706c-56b2-80bb-e4133a2c4ffe", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633381985, + "files": null, + "artifact_id": "nyc1:92994055", + "packer_run_uuid": "3175c525-7550-f016-4b23-5b8f1b544b69", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633382771, + "files": null, + "artifact_id": "nyc1:92995027", + "packer_run_uuid": "7414490b-f330-d906-78e5-1b1dac89a265", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633388606, + "files": null, + "artifact_id": "nyc1:92999824", + "packer_run_uuid": "26369d41-f7b3-bdda-57e0-e329c1836a53", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633389351, + "files": null, + "artifact_id": "nyc1:93000183", + "packer_run_uuid": "7dc36fa3-25ac-fe47-0168-f90c160d3673", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633445796, + "files": null, + "artifact_id": "nyc1:93041994", + "packer_run_uuid": "8a308586-3253-93bb-b2a7-c11151a8d19c", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633459198, + "files": null, + "artifact_id": "nyc1:93047327", + "packer_run_uuid": "4adb4205-6a8b-6a87-b92d-a3766eada22d", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633469746, + "files": null, + "artifact_id": "nyc1:93061502", + "packer_run_uuid": "d18c424a-c0cd-547f-52f8-0496f2ece79f", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633480191, + "files": null, + 
"artifact_id": "nyc1:93071958", + "packer_run_uuid": "522a00fb-024d-6acf-20ef-062536f7440c", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633490191, + "files": null, + "artifact_id": "nyc1:93089106", + "packer_run_uuid": "fbff41d7-ee1a-5bcf-6859-8655dc171dd9", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1646758186, + "files": null, + "artifact_id": "nyc1:103546758", + "packer_run_uuid": "97c2bbc0-5cb7-ce64-ccb0-9c79813534a4", + "custom_data": null + } + ], + "last_run_uuid": "97c2bbc0-5cb7-ce64-ccb0-9c79813534a4" +} \ No newline at end of file diff --git a/prod/nginx/packer/scripts/dependencies.sh b/prod/nginx/packer/scripts/dependencies.sh new file mode 100644 index 0000000..6b8a9e8 --- /dev/null +++ b/prod/nginx/packer/scripts/dependencies.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +set -xe + +sudo apt-get update && sleep 5 +sudo apt-get install -y \ + nginx \ + certbot \ + python3-certbot-dns-digitalocean diff --git a/prod/nginx/packer/scripts/nginx.sh b/prod/nginx/packer/scripts/nginx.sh new file mode 100644 index 0000000..a222734 --- /dev/null +++ b/prod/nginx/packer/scripts/nginx.sh 
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+
+set -xe
+
+sudo mv /tmp/do.ini ~/do.ini
+sudo certbot certonly \
+ -n \
+ --agree-tos \
+ -m 'jeremy.dormitzer@gmail.com' \
+ --dns-digitalocean \
+ --dns-digitalocean-credentials ~/do.ini \
+ --dns-digitalocean-propagation-seconds 30 \
+ -d '*.jeremydormitzer.com' \
+ -d 'jeremydormitzer.com'
+
+sudo mv /tmp/nginx.conf /etc/nginx/nginx.conf
+sudo mkdir -p /var/log/nginx
+sudo systemctl enable nginx
+
+sudo mv /tmp/certbot-renew.timer /etc/systemd/system/
+sudo mv /tmp/certbot-renew.service /etc/systemd/system/
+sudo systemctl enable certbot-renew.timer
+
+sudo mv /tmp/nginx-restart.timer /etc/systemd/system/
+sudo mv /tmp/nginx-restart.service /etc/systemd/system/
+sudo systemctl enable nginx-restart.timer
+
+sudo mv /tmp/sshd_config /etc/ssh/sshd_config
+sudo systemctl restart sshd
diff --git a/prod/gitea/packer/templates/do.ini.template b/prod/nginx/packer/templates/do.ini.template
similarity index 100%
rename from prod/gitea/packer/templates/do.ini.template
rename to prod/nginx/packer/templates/do.ini.template
diff --git a/prod/nginx/packer/terraform/.terraform.lock.hcl b/prod/nginx/packer/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..fc94c5b
--- /dev/null
+++ b/prod/nginx/packer/terraform/.terraform.lock.hcl
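Review bot: `sudo mv /tmp/do.ini ~/do.ini` keeps the DigitalOcean API token on the image (it must, since the renewal timer reuses it), but nothing after the `mv` sets the file's mode — the `chmod 600` in the Makefile applies to the local copy, and whether the file provisioner preserves it is not visible here — so `sudo chmod 600 ~/do.ini` should follow it. Running `certbot certonly` at build time also bakes the `*.jeremydormitzer.com` private key under /etc/letsencrypt into the snapshot, so every droplet created from it and every retained snapshot carries a valid wildcard key plus a token able to write the account's DNS; snapshot retention and the token's scope now matter as much as the host hardening, and issuing the certificate on first boot instead (a oneshot unit ordered before nginx) would keep both secrets out of the image. Under `sudo`, `~` expands in the calling shell, which works only because the builder logs in as root; writing `/root/do.ini` explicitly would make that dependency visible.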
@@ -0,0 +1,41 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/digitalocean/digitalocean" { + version = "2.3.0" + constraints = "~> 2.3.0" + hashes = [ + "h1:Kmcj3ajzt/lSQkbQwcjzUNK2RXXcHNDCs44LfDhZnaM=", + "zh:1c0f68715cf0b84ab40ab08aa59232037325cffc2896ba109cae73c81ab021e9", + "zh:306599aec6637c92349abb069d8fea3ebac58f52f61707956320a405f57e4a84", + "zh:31db532f05e55cb52d61c12c10197dca48dc8809a4f9cc4a935d3161546968ca", + "zh:3dba438c0167e5dcf09115f8d2c33c0a821e6b27e83ec6ccaac5fcb557a50bbb", + "zh:770c906ab3eeb5c24c5b8bbcca3b18f137d5ac817bd73fa5c9146eb4a9d891d6", + "zh:9221f2d275c776382234882d534a1147db04a8be490c023eb08c9a1e579db021", + "zh:a4e25e5dd2ad06de6c7148a270b1178b6298846405ce66b9b4ca51ea35b66907", + "zh:b3c5555e0c55efaa91de245e6d69e7140665554d2365db2f664802a36b59e0a8", + "zh:c510655b6c5de0227babba5a8bb66a8c3d92af94e080ec1c39bde9509a2aa1a6", + "zh:d04a135d9bf32c1a55abaaeb719903f4f67797434dd6d9f3219245f62a9a66be", + "zh:dd5b99bec9425eb670be5d19b17336d0fa9b894649dac77eac532e4c626616f5", + "zh:e57614fb9f3fbf774a9258a197840f40d0f343e8183eef7a842286a87cfc48d7", + "zh:fee52e736edc5ef4088cedae6507790f35e4ee8a078bff1ef894a51dd65d058d", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.1.0" + hashes = [ + "h1:KfieWtVyGWwplSoLIB5usKAUnrIkDQBkWaR5TI+4WYg=", + "zh:0f1ec65101fa35050978d483d6e8916664b7556800348456ff3d09454ac1eae2", + "zh:36e42ac19f5d68467aacf07e6adcf83c7486f2e5b5f4339e9671f68525fc87ab", + "zh:6db9db2a1819e77b1642ec3b5e95042b202aee8151a0256d289f2e141bf3ceb3", + "zh:719dfd97bb9ddce99f7d741260b8ece2682b363735c764cac83303f02386075a", + "zh:7598bb86e0378fd97eaa04638c1a4c75f960f62f69d3662e6d80ffa5a89847fe", + "zh:ad0a188b52517fec9eca393f1e2c9daea362b33ae2eb38a857b6b09949a727c1", + "zh:c46846c8df66a13fee6eff7dc5d528a7f868ae0dcf92d79deaac73cc297ed20c", + "zh:dc1a20a2eec12095d04bf6da5321f535351a594a636912361db20eb2a707ccc4", + 
"zh:e57ab4771a9d999401f6badd8b018558357d3cbdf3d33cc0c4f83e818ca8e94b", + "zh:ebdcde208072b4b0f8d305ebf2bfdc62c926e0717599dcf8ec2fd8c5845031c3", + "zh:ef34c52b68933bedd0868a13ccfd59ff1c820f299760b3c02e008dc95e2ece91", + ] +} diff --git a/prod/nginx/packer/terraform/data.tf b/prod/nginx/packer/terraform/data.tf new file mode 100644 index 0000000..e0685bd --- /dev/null +++ b/prod/nginx/packer/terraform/data.tf @@ -0,0 +1,59 @@ +data "terraform_remote_state" "gitea" { + backend = "s3" + + config = { + skip_credentials_validation = true + skip_metadata_api_check = true + access_key = var.spaces_access_id + secret_key = var.spaces_secret_key + region = "us-east-1" + endpoint = "nyc3.digitaloceanspaces.com" + bucket = "jdormit-tf-state" + key = "prod/gitea.tfstate" + } +} + +data "terraform_remote_state" "syncthing" { + backend = "s3" + + config = { + skip_credentials_validation = true + skip_metadata_api_check = true + access_key = var.spaces_access_id + secret_key = var.spaces_secret_key + region = "us-east-1" + endpoint = "nyc3.digitaloceanspaces.com" + bucket = "jdormit-tf-state" + key = "prod/syncthing.tfstate" + } +} + +data "terraform_remote_state" "wallabag" { + backend = "s3" + + config = { + skip_credentials_validation = true + skip_metadata_api_check = true + access_key = var.spaces_access_id + secret_key = var.spaces_secret_key + region = "us-east-1" + endpoint = "nyc3.digitaloceanspaces.com" + bucket = "jdormit-tf-state" + key = "prod/wallabag.tfstate" + } +} + +data "terraform_remote_state" "freshrss" { + backend = "s3" + + config = { + skip_credentials_validation = true + skip_metadata_api_check = true + access_key = var.spaces_access_id + secret_key = var.spaces_secret_key + region = "us-east-1" + endpoint = "nyc3.digitaloceanspaces.com" + bucket = "jdormit-tf-state" + key = "prod/freshrss.tfstate" + } +} diff --git a/prod/nginx/packer/terraform/main.tf b/prod/nginx/packer/terraform/main.tf new file mode 100644 index 0000000..20d8fe9 --- /dev/null 
+++ b/prod/nginx/packer/terraform/main.tf
@@ -0,0 +1,31 @@
+resource "local_file" "nginx_config" {
+ filename = "${path.module}/../tmp/nginx.conf"
+ content = templatefile(
+ "${path.module}/templates/nginx.conf.template",
+ {
+ "servers" : [
+ {
+ "domain" : "git.jeremydormitzer.com",
+ "ip" : "${data.terraform_remote_state.gitea.outputs.gitea_ip_address}",
+ "port" : "3000"
+ },
+ {
+ "domain" : "wallabag.jeremydormitzer.com",
+ "ip" : "${data.terraform_remote_state.wallabag.outputs.ip_address}",
+ "port" : "80"
+ },
+ {
+ "domain" : "rss.jeremydormitzer.com",
+ "ip" : "${data.terraform_remote_state.freshrss.outputs.ip_address}",
+ "port" : "80"
+ },
+ {
+ "domain" : "syncthing.jeremydormitzer.com",
+ "ip" : "${data.terraform_remote_state.syncthing.outputs.ip_address}",
+ "port" : "8384"
+ }
+ ],
+ "gitea_ip" : "${data.terraform_remote_state.gitea.outputs.gitea_ip_address}"
+ }
+ )
+}
diff --git a/prod/nginx/packer/terraform/templates/nginx.conf.template b/prod/nginx/packer/terraform/templates/nginx.conf.template
new file mode 100644
index 0000000..be2bf6b
--- /dev/null
+++ b/prod/nginx/packer/terraform/templates/nginx.conf.template
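Review bot: The `"${…}"` wrapping around each single remote-state reference is redundant in Terraform 0.12+ and `terraform validate` reports it as a deprecated interpolation-only expression; `"ip" : data.terraform_remote_state.gitea.outputs.gitea_ip_address` is the current form, and the quoted object keys can be bare as well. `gitea_ip` repeats the first server's `ip` by hand, so the HTTPS target and the port-22 stream target can drift if one is edited; a `locals { gitea_ip = data.terraform_remote_state.gitea.outputs.gitea_ip_address }` referenced from both places keeps them in step. A comment noting that the rendered file is consumed by nginx.json's file provisioner (written to ../tmp, which .gitignore now excludes) would explain the odd output path.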
@@ -0,0 +1,97 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+ worker_connections 768;
+ # multi_accept on;
+}
+
+http {
+ ##
+ # Basic Settings
+ ##
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ # server_tokens off;
+
+ # server_names_hash_bucket_size 64;
+ # server_name_in_redirect off;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ ##
+ # SSL Settings
+ ##
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # Logging Settings
+ ##
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ ##
+ # Gzip Settings
+ ##
+
+ gzip on;
+
+ # gzip_vary on;
+ # gzip_proxied any;
+ # gzip_comp_level 6;
+ # gzip_buffers 16 8k;
+ # gzip_http_version 1.1;
+ # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+ %{ for server in servers }
+ server {
+ server_name ${server.domain};
+
+ access_log /var/log/nginx/${server.domain}_access.log;
+ error_log /var/log/nginx/${server.domain}_error.log;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_pass http://${server.ip}:${server.port};
+ }
+
+ listen [::]:443 ssl;
+ listen 443 ssl;
+
+ ssl_certificate /etc/letsencrypt/live/jeremydormitzer.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/jeremydormitzer.com/privkey.pem;
+
+ ssl_session_cache shared:le_nginx_SSL:1m;
+ ssl_session_timeout 1440m;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+
+ ssl_ciphers 
"ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+
+ }
+
+ %{ endfor ~}
+ server {
+ listen 80;
+ listen [::]:80;
+ return 301 https://$host$request_uri;
+ }
+}
+
+stream {
+ server {
+ listen 22;
+ proxy_pass ${gitea_ip}:22;
+ }
+}
\ No newline at end of file
diff --git a/prod/nginx/packer/terraform/terraform.tf b/prod/nginx/packer/terraform/terraform.tf
new file mode 100644
index 0000000..480cadb
--- /dev/null
+++ b/prod/nginx/packer/terraform/terraform.tf
@@ -0,0 +1,18 @@
+terraform {
+ required_providers {
+ digitalocean = {
+ source = "digitalocean/digitalocean"
+ version = "~> 2.3.0"
+ }
+ }
+
+ backend "s3" {
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ # Need to specify an AWS region to stop Terraform complaining
+ region = "us-east-1"
+ endpoint = "nyc3.digitaloceanspaces.com"
+ bucket = "jdormit-tf-state"
+ key = "prod/nginx-config.tfstate"
+ }
+}
diff --git a/prod/nginx/packer/terraform/variables.tf b/prod/nginx/packer/terraform/variables.tf
new file mode 100644
index 0000000..1b3748a
--- /dev/null
+++ b/prod/nginx/packer/terraform/variables.tf
@@ -0,0 +1,11 @@
+variable "do_token" {
+ type = string
+}
+
+variable "spaces_access_id" {
+ type = string
+}
+
+variable "spaces_secret_key" {
+ type = string
+}
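Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` (set once in the `http` block and again in every generated `server`) still enables TLS 1.0 and 1.1, which RFC 8996 deprecates, and the `ssl_ciphers` list keeps 3DES suites (`DES-CBC3-SHA`) and static-RSA suites with no forward secrecy; now that this one file terminates TLS for every service, `ssl_protocols TLSv1.2 TLSv1.3;` with an ECDHE-only AEAD list is the safer default. The proxy sets no `client_max_body_size`, so nginx's 1m default applies at the edge even though the wallabag backend config in this same commit keeps `client_max_body_size 512M;`, which means uploads over 1 MB are rejected with 413 before they reach wallabag. Only `Host` is forwarded; `X-Forwarded-For` and `X-Forwarded-Proto` are needed for the backends to log real client addresses and, presumably, to build https URLs. The `stream` block binds port 22 on the proxy host, which collides with a default sshd on that droplet unless sshd was moved to another port; the packer build for the nginx image is not in this chunk, so that cannot be confirmed here.
```nginx
# … unchanged: user/worker/events and http basic settings …
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# … unchanged: logging and gzip settings …
%{ for server in servers }
server {
    server_name ${server.domain};
    # … unchanged: per-domain access/error logs …
    client_max_body_size 512M;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://${server.ip}:${server.port};
    }
    # … unchanged: listen, ssl_certificate*, ssl_session_* …
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
}
%{ endfor ~}
# … unchanged: http→https redirect server and stream block …
```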
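Review bot: `do_token` and `spaces_secret_key` carry credentials but are declared with only `type = string`, so their values are not redacted in plan/apply output or in error messages; mark them `sensitive = true`, e.g. `variable "do_token" {` / `  type      = string` / `  sensitive = true` and the same for `spaces_secret_key`. The `.terraform.lock.hcl` added in this commit means the project is on Terraform 0.14 or later, where that attribute is available. The identical file at prod/nginx/terraform/variables.tf needs the same change.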
diff --git a/prod/nginx/terraform/.terraform.lock.hcl b/prod/nginx/terraform/.terraform.lock.hcl
new file mode 100644
index 0000000..fc94c5b
--- /dev/null
+++ b/prod/nginx/terraform/.terraform.lock.hcl
@@ -0,0 +1,41 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/digitalocean/digitalocean" {
+ version = "2.3.0"
+ constraints = "~> 2.3.0"
+ hashes = [
+ "h1:Kmcj3ajzt/lSQkbQwcjzUNK2RXXcHNDCs44LfDhZnaM=",
+ "zh:1c0f68715cf0b84ab40ab08aa59232037325cffc2896ba109cae73c81ab021e9",
+ "zh:306599aec6637c92349abb069d8fea3ebac58f52f61707956320a405f57e4a84",
+ "zh:31db532f05e55cb52d61c12c10197dca48dc8809a4f9cc4a935d3161546968ca",
+ "zh:3dba438c0167e5dcf09115f8d2c33c0a821e6b27e83ec6ccaac5fcb557a50bbb",
+ "zh:770c906ab3eeb5c24c5b8bbcca3b18f137d5ac817bd73fa5c9146eb4a9d891d6",
+ "zh:9221f2d275c776382234882d534a1147db04a8be490c023eb08c9a1e579db021",
+ "zh:a4e25e5dd2ad06de6c7148a270b1178b6298846405ce66b9b4ca51ea35b66907",
+ "zh:b3c5555e0c55efaa91de245e6d69e7140665554d2365db2f664802a36b59e0a8",
+ "zh:c510655b6c5de0227babba5a8bb66a8c3d92af94e080ec1c39bde9509a2aa1a6",
+ "zh:d04a135d9bf32c1a55abaaeb719903f4f67797434dd6d9f3219245f62a9a66be",
+ "zh:dd5b99bec9425eb670be5d19b17336d0fa9b894649dac77eac532e4c626616f5",
+ "zh:e57614fb9f3fbf774a9258a197840f40d0f343e8183eef7a842286a87cfc48d7",
+ "zh:fee52e736edc5ef4088cedae6507790f35e4ee8a078bff1ef894a51dd65d058d",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/local" {
+ version = "2.1.0"
+ hashes = [
+ "h1:KfieWtVyGWwplSoLIB5usKAUnrIkDQBkWaR5TI+4WYg=",
+ "zh:0f1ec65101fa35050978d483d6e8916664b7556800348456ff3d09454ac1eae2",
+ "zh:36e42ac19f5d68467aacf07e6adcf83c7486f2e5b5f4339e9671f68525fc87ab",
+ "zh:6db9db2a1819e77b1642ec3b5e95042b202aee8151a0256d289f2e141bf3ceb3",
+ "zh:719dfd97bb9ddce99f7d741260b8ece2682b363735c764cac83303f02386075a",
+ "zh:7598bb86e0378fd97eaa04638c1a4c75f960f62f69d3662e6d80ffa5a89847fe",
+ "zh:ad0a188b52517fec9eca393f1e2c9daea362b33ae2eb38a857b6b09949a727c1",
+ "zh:c46846c8df66a13fee6eff7dc5d528a7f868ae0dcf92d79deaac73cc297ed20c",
+ "zh:dc1a20a2eec12095d04bf6da5321f535351a594a636912361db20eb2a707ccc4",
+ 
"zh:e57ab4771a9d999401f6badd8b018558357d3cbdf3d33cc0c4f83e818ca8e94b",
+ "zh:ebdcde208072b4b0f8d305ebf2bfdc62c926e0717599dcf8ec2fd8c5845031c3",
+ "zh:ef34c52b68933bedd0868a13ccfd59ff1c820f299760b3c02e008dc95e2ece91",
+ ]
+}
diff --git a/prod/nginx/terraform/main.tf b/prod/nginx/terraform/main.tf
new file mode 100644
index 0000000..50b8692
--- /dev/null
+++ b/prod/nginx/terraform/main.tf
@@ -0,0 +1,13 @@
+provider "digitalocean" {
+ token = var.do_token
+ spaces_access_id = var.spaces_access_id
+ spaces_secret_key = var.spaces_secret_key
+}
+
+module "packer_droplet" {
+ source = "../../../terraform-modules/packer_droplet"
+ name = "nginx"
+ do_token = var.do_token
+ spaces_access_id = var.spaces_access_id
+ spaces_secret_key = var.spaces_secret_key
+}
diff --git a/prod/nginx/terraform/outputs.tf b/prod/nginx/terraform/outputs.tf
new file mode 100644
index 0000000..30d0079
--- /dev/null
+++ b/prod/nginx/terraform/outputs.tf
@@ -0,0 +1,7 @@
+output "nginx_ip_address" {
+ value = module.packer_droplet.droplet_ip_address
+}
+
+output "nginx_urn" {
+ value = module.packer_droplet.droplet_urn
+}
diff --git a/prod/nginx/terraform/terraform.tf b/prod/nginx/terraform/terraform.tf
new file mode 100644
index 0000000..cc237b2
--- /dev/null
+++ b/prod/nginx/terraform/terraform.tf
@@ -0,0 +1,18 @@
+terraform {
+ required_providers {
+ digitalocean = {
+ source = "digitalocean/digitalocean"
+ version = "~> 2.3.0"
+ }
+ }
+
+ backend "s3" {
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ # Need to specify an AWS region to stop Terraform complaining
+ region = "us-east-1"
+ endpoint = "nyc3.digitaloceanspaces.com"
+ bucket = "jdormit-tf-state"
+ key = "prod/nginx.tfstate"
+ }
+}
diff --git a/prod/nginx/terraform/variables.tf b/prod/nginx/terraform/variables.tf
new file mode 100644
index 0000000..1b3748a
--- /dev/null
+++ b/prod/nginx/terraform/variables.tf
@@ -0,0 +1,11 @@ +variable "do_token" { + type = string +} + +variable "spaces_access_id" { + type = string +} + +variable "spaces_secret_key" { + type = string +} diff --git a/prod/syncthing/packer/Makefile b/prod/syncthing/packer/Makefile index 5b76152..774fa05 100644 --- a/prod/syncthing/packer/Makefile +++ b/prod/syncthing/packer/Makefile @@ -2,12 +2,9 @@ packer-manifest.json: syncthing-config.xml \ syncthing.json \ - syncthing.conf \ syncthing@.service \ syncthing-cert.pem \ - syncthing-key.pem \ - certbot/live/syncthing.jeremydormitzer.com/fullchain.pem \ - certbot/live/syncthing.jeremydormitzer.com/privkey.pem + syncthing-key.pem packer build syncthing.json syncthing-config.xml: syncthing-config.xml.template @@ -18,22 +15,3 @@ syncthing-cert.pem: syncthing-cert.pem.template syncthing-key.pem: syncthing-key.pem.template sigil -p -f syncthing-key.pem.template > syncthing-key.pem - -certbot/live/syncthing.jeremydormitzer.com/fullchain.pem certbot/live/syncthing.jeremydormitzer.com/privkey.pem &: do.ini - certbot certonly -n \ - --agree-tos \ - --email ${CERTBOT_EMAIL} \ - --dns-digitalocean \ - --dns-digitalocean-credentials do.ini \ - --config-dir ./certbot \ - --work-dir ./certbot \ - --logs-dir ./certbot \ - -d syncthing.jeremydormitzer.com - -do.ini: do.ini.template - sigil -p -f do.ini.template > do.ini - chmod 600 do.ini - -reissue-certs: - rm -rf certbot - make diff --git a/prod/syncthing/packer/do.ini.template b/prod/syncthing/packer/do.ini.template deleted file mode 100644 index 7c6ec3f..0000000 --- a/prod/syncthing/packer/do.ini.template +++ /dev/null @@ -1 +0,0 @@ -dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?} \ No newline at end of file diff --git a/prod/syncthing/packer/packer-manifest.json b/prod/syncthing/packer/packer-manifest.json index 604292e..81452cc 100644 --- a/prod/syncthing/packer/packer-manifest.json +++ b/prod/syncthing/packer/packer-manifest.json 
@@ -71,7 +71,25 @@
"artifact_id": "nyc1:85651139",
"packer_run_uuid": "c64817b6-eddc-fa4a-ed1a-9fcc47f7daae",
"custom_data": null
+ },
+ {
+ "name": "digitalocean",
+ "builder_type": "digitalocean",
+ "build_time": 1633471355,
+ "files": null,
+ "artifact_id": "nyc1:93062577",
+ "packer_run_uuid": "27dea89d-5116-3f5b-9739-98e7f191c14c",
+ "custom_data": null
+ },
+ {
+ "name": "digitalocean",
+ "builder_type": "digitalocean",
+ "build_time": 1633489816,
+ "files": null,
+ "artifact_id": "nyc1:93087880",
+ "packer_run_uuid": "35962fce-2bc7-25d0-0372-1fc76813715c",
+ "custom_data": null
}
],
- "last_run_uuid": "c64817b6-eddc-fa4a-ed1a-9fcc47f7daae"
+ "last_run_uuid": "35962fce-2bc7-25d0-0372-1fc76813715c"
}
\ No newline at end of file
diff --git a/prod/syncthing/packer/syncthing.conf b/prod/syncthing/packer/syncthing.conf
deleted file mode 100644
index 969ff5d..0000000
--- a/prod/syncthing/packer/syncthing.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-server {
-
- location / {
- proxy_pass http://127.0.0.1:8384;
- }
-
- listen [::]:443 ssl ipv6only=on;
- listen 443 ssl;
-
- ssl_certificate /home/syncthing/.config/syncthing/https-cert.pem;
- ssl_certificate_key /home/syncthing/.config/syncthing/https-key.pem;
-
- ssl_session_cache shared:le_nginx_SSL:1m;
- ssl_session_timeout 1440m;
-
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_prefer_server_ciphers on;
-
- ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
-}
-
-server {
- listen 80;
- listen [::]:80;
- return 301 https://$host$request_uri;
-}
\ No newline at end of file
diff --git a/prod/syncthing/packer/syncthing.json b/prod/syncthing/packer/syncthing.json
index b1e32cb..471c35f 100644
--- a/prod/syncthing/packer/syncthing.json
+++ b/prod/syncthing/packer/syncthing.json
@@ -14,7 +14,7 @@
"type": "shell",
"inline": [
"sudo apt-get update",
- "sudo apt-get install -y bindfs",
+ "sudo apt-get install -y bindfs ca-certificates",
"sudo useradd -m syncthing",
"sudo mkdir -p /mnt/syncthing-volume",
"sudo mkdir -p /mnt/syncthing",
@@ -46,8 +46,10 @@
{
"type": "shell",
"inline": [
- "curl -s https://syncthing.net/release-key.txt | sudo apt-key add -",
- "echo \"deb https://apt.syncthing.net/ syncthing stable\" | sudo tee /etc/apt/sources.list.d/syncthing.list",
+ "sudo update-ca-certificates",
+ "sudo curl -s -o /usr/share/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg",
+ "echo \"deb [signed-by=/usr/share/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable\" | sudo tee /etc/apt/sources.list.d/syncthing.list",
+ "printf \"Package: *\nPin: origin apt.syncthing.net\nPin-Priority: 990\n\" | sudo tee /etc/apt/preferences.d/syncthing",
"sudo apt-get update",
"sudo apt-get install -y syncthing",
"sudo mkdir -p /home/syncthing/.config/syncthing",
@@ -59,34 +61,6 @@
"sudo systemctl daemon-reload",
"sudo systemctl enable syncthing@syncthing"
]
- },
- {
- "type": "file",
- "source": "syncthing.conf",
- "destination": "/tmp/syncthing.conf"
- },
- {
- "type": "file",
- "source": "certbot/live/syncthing.jeremydormitzer.com/fullchain.pem",
- "destination": "/tmp/https-cert.pem"
- },
- {
- "type": "file",
- "source": "certbot/live/syncthing.jeremydormitzer.com/privkey.pem",
- "destination": "/tmp/https-key.pem"
- },
- {
- "type": "shell",
- "inline": [
- "sudo apt-get install -y nginx",
- "sudo mv /tmp/syncthing.conf /etc/nginx/sites-available/syncthing.conf",
- "sudo mv /tmp/https-cert.pem /home/syncthing/.config/syncthing/https-cert.pem",
- "sudo mv /tmp/https-key.pem /home/syncthing/.config/syncthing/https-key.pem",
- "sudo chown -R syncthing:syncthing /home/syncthing/.config/syncthing",
- "sudo ln -s /etc/nginx/sites-available/syncthing.conf /etc/nginx/sites-enabled/",
- "sudo unlink /etc/nginx/sites-enabled/default",
- "sudo systemctl enable nginx"
- ]
}
],
"post-processors": [
diff --git a/prod/syncthing/packer/syncthing@.service b/prod/syncthing/packer/syncthing@.service
index c535536..3a4893d 100644
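Review bot: In the `@@ -46,8 +46,10 @@` hunk, `sudo curl -s -o /usr/share/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg` exits 0 on an HTTP error response, so a 404 or 5xx body would be saved as the keyring and the provisioner would continue to `apt-get update` with an unusable signing key and a confusing failure later; `sudo curl -sSf -o /usr/share/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg` makes the step fail immediately and still prints the error. The key is trusted on first fetch, so checking its fingerprint against the one the project publishes (for example with `gpg --show-keys` on the downloaded file) would be the natural next step. Moving from `apt-key add` to a `[signed-by=...]` sources entry, plus the origin pin, is the right direction.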
--- a/prod/syncthing/packer/syncthing@.service +++ b/prod/syncthing/packer/syncthing@.service @@ -5,7 +5,7 @@ After=network.target [Service] User=%i -ExecStart=/usr/bin/syncthing -no-browser -gui-address="127.0.0.1:8384" -no-restart -logflags=0 +ExecStart=/usr/bin/syncthing -no-browser -gui-address="0.0.0.0:8384" -no-restart -logflags=0 Restart=on-failure SuccessExitStatus=3 4 RestartForceExitStatus=3 4 diff --git a/prod/wallabag/packer/Makefile b/prod/wallabag/packer/Makefile index db2cd13..f04b32b 100644 --- a/prod/wallabag/packer/Makefile +++ b/prod/wallabag/packer/Makefile @@ -1,5 +1,3 @@ -.PHONY: reissue-certs - packer-manifest.json: wallabag.json \ scripts/dependencies.sh \ scripts/nginx.sh \ @@ -8,9 +6,7 @@ packer-manifest.json: wallabag.json \ files/wallabag-nginx.conf \ files/entries.json \ files/wallabag-params.yml \ - files/clients.sql \ - certbot/live/wallabag.jeremydormitzer.com/fullchain.pem \ - certbot/live/wallabag.jeremydormitzer.com/privkey.pem + files/clients.sql packer build wallabag.json files/wallabag-params.yml: templates/wallabag-params.yml.template @@ -18,25 +14,3 @@ files/wallabag-params.yml: templates/wallabag-params.yml.template files/clients.sql: templates/clients.sql.template sigil -p -f templates/clients.sql.template > files/clients.sql - -certbot/live/wallabag.jeremydormitzer.com/fullchain.pem certbot/live/wallabag.jeremydormitzer.com/privkey.pem &: tmp/do.ini - certbot certonly -n \ - --agree-tos \ - --email ${CERTBOT_EMAIL} \ - --dns-digitalocean \ - --dns-digitalocean-credentials tmp/do.ini \ - --config-dir ./certbot \ - --work-dir ./certbot \ - --logs-dir ./certbot \ - -d wallabag.jeremydormitzer.com - -tmp/do.ini: templates/do.ini.template tmp - sigil -p -f templates/do.ini.template > tmp/do.ini - chmod 600 tmp/do.ini - -tmp: - mkdir tmp - -reissue-certs: - rm -rf certbot - make diff --git a/prod/wallabag/packer/files/wallabag-nginx.conf b/prod/wallabag/packer/files/wallabag-nginx.conf index e97ac35..f7b468a 100644 
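Review bot: Changing `-gui-address` from `"127.0.0.1:8384"` to `"0.0.0.0:8384"` makes the syncthing web UI and REST API listen on every interface of the backend droplet, so it becomes reachable directly on that droplet's public address and the new TLS proxy can be bypassed entirely; nothing in this commit restricts who can connect to 8384. Bind it to the address the proxy actually connects to (the value exported as `ip_address` in the syncthing state, ideally a private/VPC address) or add a cloud firewall rule that admits 8384 only from the nginx droplet. The same exposure applies to the new `listen 80;` in prod/wallabag/packer/files/wallabag-nginx.conf, and if `${server.ip}` in the proxy template resolves to a public address the proxy-to-backend hop is plaintext HTTP over the Internet.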
--- a/prod/wallabag/packer/files/wallabag-nginx.conf +++ b/prod/wallabag/packer/files/wallabag-nginx.conf @@ -32,29 +32,11 @@ server { return 404; } - listen [::]:443 ssl ipv6only=on; - listen 443 ssl; - - ssl_certificate /var/www/wallabag/fullchain.pem; - ssl_certificate_key /var/www/wallabag/privkey.pem; - - ssl_session_cache shared:le_nginx_SSL:1m; - ssl_session_timeout 1440m; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - - ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"; - + listen 80; + listen [::]:80; error_log /var/log/nginx/wallabag_error.log; access_log /var/log/nginx/wallabag_access.log; client_max_body_size 512M; # allows file uploads up to 512 megabytes -} - -server { - listen 80; - listen [::]:80; - return 301 https://$host$request_uri; } \ No newline at end of file diff --git a/prod/wallabag/packer/packer-manifest.json b/prod/wallabag/packer/packer-manifest.json index 845daca..60e891b 100644 --- a/prod/wallabag/packer/packer-manifest.json +++ b/prod/wallabag/packer/packer-manifest.json 
@@ -152,7 +152,16 @@ "artifact_id": "nyc1:92911527", "packer_run_uuid": "3a30edf6-a694-103e-2bf8-68fd5d530ec5", "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633458464, + "files": null, + "artifact_id": "nyc1:93046881", + "packer_run_uuid": "def16176-d225-bf50-7611-7cde1c9e7c17", + "custom_data": null } ], - "last_run_uuid": "3a30edf6-a694-103e-2bf8-68fd5d530ec5" + "last_run_uuid": "def16176-d225-bf50-7611-7cde1c9e7c17" } \ No newline at end of file diff --git a/prod/wallabag/packer/scripts/nginx.sh b/prod/wallabag/packer/scripts/nginx.sh index 6757348..5e918e7 100644 --- a/prod/wallabag/packer/scripts/nginx.sh +++ b/prod/wallabag/packer/scripts/nginx.sh @@ -2,9 +2,6 @@ set -xe -sudo mv /tmp/fullchain.pem /var/www/wallabag/fullchain.pem -sudo mv /tmp/privkey.pem /var/www/wallabag/privkey.pem -chown www-data:www-data /var/www/wallabag/{fullchain,privkey}.pem sudo mv /tmp/wallabag-nginx.conf \ /etc/nginx/sites-available/wallabag.conf sudo ln -s /etc/nginx/sites-available/wallabag.conf \ diff --git a/prod/wallabag/packer/templates/do.ini.template b/prod/wallabag/packer/templates/do.ini.template deleted file mode 100644 index 7c6ec3f..0000000 --- a/prod/wallabag/packer/templates/do.ini.template +++ /dev/null @@ -1 +0,0 @@ -dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?} \ No newline at end of file diff --git a/prod/wallabag/packer/wallabag.json b/prod/wallabag/packer/wallabag.json index e7fefb0..57cbf00 100644 --- a/prod/wallabag/packer/wallabag.json +++ b/prod/wallabag/packer/wallabag.json 
@@ -35,21 +35,9 @@
},
{
"type": "shell",
- "environment_vars": [
- "ADMIN_PASSWORD={{user `wallabag_admin_password`}}"
- ],
+ "environment_vars": ["ADMIN_PASSWORD={{user `wallabag_admin_password`}}"],
"script": "scripts/wallabag.sh"
},
- {
- "type": "file",
- "source": "certbot/live/wallabag.jeremydormitzer.com/fullchain.pem",
- "destination": "/tmp/fullchain.pem"
- },
- {
- "type": "file",
- "source": "certbot/live/wallabag.jeremydormitzer.com/privkey.pem",
- "destination": "/tmp/privkey.pem"
- },
{
"type": "file",
"source": "files/wallabag-nginx.conf",