From 7caba5550733848e9174b35a58ebd014967f0852 Mon Sep 17 00:00:00 2001 From: Lars Gierth Date: Wed, 25 Jul 2018 19:26:30 +0200 Subject: [PATCH 1/2] ipfs: update to 0.4.17 License: MIT Signed-off-by: Lars Gierth --- ipfs/env.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipfs/env.sh b/ipfs/env.sh index da0240c..d6d675a 100644 --- a/ipfs/env.sh +++ b/ipfs/env.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash all_ipfs_git=git://github.com/ipfs/go-ipfs -all_ipfs_ref="e7938a1834888198e8cd714fe793d715538f89f0" +all_ipfs_ref="f4205780dc1c3b1720c668b75c1db3d0d667192f" # storage hosts, coordinate ipfs deploys with storage users (e.g. @davidar, @substack) biham_ipfs_ref=e7938a1834888198e8cd714fe793d715538f89f0 From a5c7ce7ecc7ebeb223966c1c3b9ee579d4eb49dd Mon Sep 17 00:00:00 2001 From: Lars Gierth Date: Wed, 25 Jul 2018 19:26:53 +0200 Subject: [PATCH 2/2] ipfs: create preload.ipfs.io gateways License: MIT Signed-off-by: Lars Gierth --- ipfs/pages/build.sh | 5 +++++ ipfs/pages/install.sh | 24 ++++++++++++++++++++ ipfs/pages/nginx.conf.tpl | 46 +++++++++++++++++++++++++++++++++++++++ secrets_secure | 2 +- ssl/nginx.conf | 2 +- 5 files changed, 77 insertions(+), 2 deletions(-) diff --git a/ipfs/pages/build.sh b/ipfs/pages/build.sh index 063dd9e..eb860f0 100755 --- a/ipfs/pages/build.sh +++ b/ipfs/pages/build.sh 
@@ -30,6 +30,11 @@ printf %s\\n "$(lookup pages_bootstrap_ssl_key)" > out/bootstrap.libp2p.io.key printf %s\\n "$(lookup pages_bootstrap_ssl_trustchain)" > out/bootstrap.libp2p.io.trustchain.crt printf %s\\n "$(lookup pages_bootstrap_ssl_dhparam)" > out/bootstrap.libp2p.io.dhparam.pem +printf %s\\n "$(lookup pages_preload_ssl_cert)" > out/preload.ipfs.io.crt +printf %s\\n "$(lookup pages_preload_ssl_key)" > out/preload.ipfs.io.key +printf %s\\n "$(lookup pages_preload_ssl_trustchain)" > out/preload.ipfs.io.trustchain.crt +printf %s\\n "$(lookup pages_preload_ssl_dhparam)" > out/preload.ipfs.io.dhparam.pem + printf %s\\n "$(lookup pages_ipld_ssl_cert)" > out/ipld.io.crt printf %s\\n "$(lookup pages_ipld_ssl_key)" > out/ipld.io.key printf %s\\n "$(lookup pages_ipld_ssl_trustchain)" > out/ipld.io.trustchain.crt diff --git a/ipfs/pages/install.sh b/ipfs/pages/install.sh index 2b92d48..5190bdb 100755 --- a/ipfs/pages/install.sh +++ b/ipfs/pages/install.sh @@ -132,6 +132,26 @@ if [ ! -z "$(diff -Naur "$cert_dest/bootstrap.libp2p.io.dhparam.pem" "out/bootst reload=1 fi +if [ ! -z "$(diff -Naur "$cert_dest/preload.ipfs.io.crt" "out/preload.ipfs.io.crt")" ]; then + echo "ipfs/pages *.preload.ipfs.io ssl cert changed" + reload=1 +fi + +if [ ! -z "$(diff -Naur "$cert_dest/preload.ipfs.io.key" "out/preload.ipfs.io.key")" ]; then + echo "ipfs/pages *.preload.ipfs.io ssl key changed" + reload=1 +fi + +if [ ! -z "$(diff -Naur "$cert_dest/preload.ipfs.io.trustchain.crt" "out/preload.ipfs.io.trustchain.crt")" ]; then + echo "ipfs/pages *.preload.ipfs.io ssl trustchain changed" + reload=1 +fi + +if [ ! -z "$(diff -Naur "$cert_dest/preload.ipfs.io.dhparam.pem" "out/preload.ipfs.io.dhparam.pem")" ]; then + echo "ipfs/pages *.preload.ipfs.io ssl dhparam changed" + reload=1 +fi + if [ ! -z "$(diff -Naur "$cert_dest/ipld.io.crt" "out/ipld.io.crt")" ]; then echo "ipfs/pages ipld.io ssl cert changed" reload=1 
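Review bot: The private key is written with `printf %s\\n "$(lookup pages_preload_ssl_key)" > out/preload.ipfs.io.key`, so its mode comes from whatever umask the script inherited; nothing in this hunk narrows it. Unless a restrictive umask is set earlier in build.sh (not visible here), wrap the key write as `(umask 077; printf %s\\n "$(lookup pages_preload_ssl_key)" > out/preload.ipfs.io.key)`. The matching `cp "out/preload.ipfs.io.key" "$cert_dest/preload.ipfs.io.key"` in the second install.sh hunk has the same gap and could be `install -m 0600 "out/preload.ipfs.io.key" "$cert_dest/preload.ipfs.io.key"`. A failed `lookup` also goes unnoticed, because the exit status of a command substitution used as an argument is discarded: printf still succeeds and leaves a file holding only a newline, which install.sh would then treat as a changed key.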
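Review bot: The check `[ ! -z "$(diff -Naur "$cert_dest/preload.ipfs.io.key" "out/preload.ipfs.io.key")" ]` expands a unified diff of the private key into the shell only to test whether it is empty, so the key text would appear in any `set -x` trace or captured debug output of install.sh. `cmp -s` answers the same question without emitting content: `if ! cmp -s "$cert_dest/preload.ipfs.io.key" "out/preload.ipfs.io.key"; then`. One behavioural difference to keep in mind is that `diff -N` treats a missing file as empty while `cmp -s` returns non-zero, which still sets `reload=1` on a first install. The three sibling checks added here, and the existing bootstrap and ipld blocks they copy, follow the same pattern and would be best changed together.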
@@ -556,6 +576,10 @@ if [ "reload$reload" == "reload1" ]; then cp "out/bootstrap.libp2p.io.key" "$cert_dest/bootstrap.libp2p.io.key" cp "out/bootstrap.libp2p.io.trustchain.crt" "$cert_dest/bootstrap.libp2p.io.trustchain.crt" cp "out/bootstrap.libp2p.io.dhparam.pem" "$cert_dest/bootstrap.libp2p.io.dhparam.pem" + cp "out/preload.ipfs.io.crt" "$cert_dest/preload.ipfs.io.crt" + cp "out/preload.ipfs.io.key" "$cert_dest/preload.ipfs.io.key" + cp "out/preload.ipfs.io.trustchain.crt" "$cert_dest/preload.ipfs.io.trustchain.crt" + cp "out/preload.ipfs.io.dhparam.pem" "$cert_dest/preload.ipfs.io.dhparam.pem" cp "out/ipld.io.crt" "$cert_dest/ipld.io.crt" cp "out/ipld.io.key" "$cert_dest/ipld.io.key" cp "out/ipld.io.trustchain.crt" "$cert_dest/ipld.io.trustchain.crt" diff --git a/ipfs/pages/nginx.conf.tpl b/ipfs/pages/nginx.conf.tpl index 5848b67..5e023a7 100644 --- a/ipfs/pages/nginx.conf.tpl +++ b/ipfs/pages/nginx.conf.tpl 
@@ -133,6 +133,52 @@ server { # 31536000 seconds = 12 months, as advised by hstspreload.org add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + location / { + proxy_set_header Host $(var pages_bootstrap_hostname).bootstrap.libp2p.io:443; + proxy_set_header Upgrade \$http_upgrade; + proxy_set_header Connection \$http_connection; + proxy_set_header Sec-WebSocket-Key \$http_sec_websocket_key; + proxy_set_header Sec-WebSocket-Extensions \$http_sec_websocket_extensions; + proxy_set_header Sec-WebSocket-Version \$http_sec_websocket_version; + proxy_pass http://ws_bootstrap; + proxy_pass_header Server; + proxy_read_timeout 60s; + } +} + +server { + server_name *.preload.ipfs.io; + access_log /var/log/nginx/access.log mtail; + + listen 443 ssl; + listen [::]:443 ssl; + ssl_certificate /etc/nginx/certs/preload.ipfs.io.crt; + ssl_certificate_key /etc/nginx/certs/preload.ipfs.io.key; + ssl_dhparam /etc/nginx/certs/preload.ipfs.io.dhparam.pem; + ssl_trusted_certificate /etc/nginx/certs/preload.ipfs.io.trustchain.crt; + + # HSTS (ngx_http_headers_module is required) + # 31536000 seconds = 12 months, as advised by hstspreload.org + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + + location /ipfs { + proxy_set_header Host \$host:443; + proxy_set_header X-Ipfs-Gateway-Prefix ""; + proxy_pass http://gateway; + } + + location /ipns { + proxy_set_header Host \$host:443; + proxy_set_header X-Ipfs-Gateway-Prefix ""; + proxy_pass http://gateway; + } + + location /api { + proxy_set_header Host \$host:443; + proxy_set_header X-Ipfs-Gateway-Prefix ""; + proxy_pass http://gateway; + } + location / { proxy_set_header Host \$host:80; proxy_set_header Upgrade \$http_upgrade; diff --git a/secrets_secure b/secrets_secure index 7dd14c7..8834272 160000 --- a/secrets_secure +++ b/secrets_secure 
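Review bot: The new `location /api` on the wildcard `*.preload.ipfs.io` vhost forwards every API path to `http://gateway` with no method or path restriction visible in this hunk. The `gateway` upstream is defined outside the hunk; if it is the go-ipfs gateway listener, presumably only the read-only API subset is reachable, and that assumption deserves a comment above the block such as `# "gateway" must stay the read-only gateway listener, never the full API port`. The line `proxy_set_header X-Ipfs-Gateway-Prefix "";` makes nginx omit the header, so a client-supplied value never reaches the upstream; a one-line comment saying that this is deliberate would stop someone from removing it as dead config. The final `location /` block that this server now owns continues past the end of the hunk, so its `proxy_pass` target could not be reviewed here.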
@@ -1 +1 @@ -Subproject commit 7dd14c7c73b03162e5b507704a8d62b2831015f6 +Subproject commit 88342721b8ac84fdfda490a65708dcda28a4377d diff --git a/ssl/nginx.conf b/ssl/nginx.conf index 4f90cb6..1c04819 100644 --- a/ssl/nginx.conf +++ b/ssl/nginx.conf @@ -16,7 +16,7 @@ # 2. Obtain lets-encrypt-x3-cross-signed.pem and isrgrootx1.pem # # 3. Fetch the certificate and key from the certs host: -# scp 'root@earth.i.ipfs.io:/root/.caddy/acme/acme-v01.api.letsencrypt.org/sites/wikipedia-on-ipfs.org/*.{crt,key}' secrets/ +# scp 'root@earth.i.ipfs.io:/root/.caddy/acme/acme-v02.api.letsencrypt.org/sites/wikipedia-on-ipfs.org/*.{crt,key}' secrets/ # # 4. Build trustchains: # cat lets-encrypt-x3-cross-signed.pem >> secrets/wikipedia-on-ipfs.org.crt