diff --git a/inventory.yml b/inventory.yml index f478a90..8f95b09 100644 --- a/inventory.yml +++ b/inventory.yml @@ -8,6 +8,8 @@ all: ansible_port: 22 port: 22 ansible_become: true # Run everything as root + wiki_page: Soleil_Levant + server_prefix: eu docker: ansible_host: docker.vpn.projectsegfau.lt ansible_user: ansiblerunner @@ -17,6 +19,7 @@ all: country: France isp: Orange S.A. wiki_page: Soleil_Levant + server_prefix: eu ansible_become: true # Run everything as root lxc: ansible_host: lxc.vpn.projectsegfau.lt @@ -44,6 +47,7 @@ all: ansible_port: 222 port: 222 docker_dir: /opt/docker-privfrontends + server_prefix: eu ansible_become: true # Run everything as root caddy_extras_config: templates/1-extras.Caddyfile country: Luxembourg @@ -61,6 +65,7 @@ all: country: United States isp: Digital Ocean wiki_page: US_Node + server_prefix: us watchtower_mtrx_username: watchtower-us in: ansible_host: in.vpn.projectsegfau.lt @@ -69,6 +74,7 @@ all: port: 22 ansible_become: true # Run everything as root docker_dir: /opt/docker-privfrontends + server_prefix: in caddy_extras_config: templates/3-extras.Caddyfile country: India isp: Bharti Airtel diff --git a/privfrontends/playbook.yaml b/privfrontends/playbook.yaml index 1d92bf9..7a10fec 100644 --- a/privfrontends/playbook.yaml +++ b/privfrontends/playbook.yaml @@ -1,8 +1,7 @@ --- - name: Setup Caddy - hosts: privfrontends + hosts: privfrontends,core tasks: - # This is run again so config still updates even if i dont run the role which isnt needed most of the time - name: Copy Caddyfile ansible.builtin.template: src: ./templates/Caddyfile.j2 @@ -26,18 +25,9 @@ hosts: privfrontends vars: docker_services: - - anonymousoverflow - - breezewiki - - gothub - - gothub-dev - - hyperpipe - librarian - libreddit - nitter - - rimgo - - safetwitch - - scribe - - simplytranslate - teddit - watchtower tasks: 
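Review bot: `server_prefix` becomes a hard requirement of Caddyfile.j2 in this commit (it is interpolated unconditionally in the cdn/lbry/nitter site names), yet it is defined only per host, and the same value `eu` is repeated on three hosts here — the host above `docker` in the first hunk, `docker` itself, and the port-222 host in the third hunk. Any host the `Setup Caddy` play reaches via `hosts: privfrontends,core` without the variable — `lxc` is visible in context with none, if it is in that group — fails the template with an undefined-variable error under default Ansible strictness. A group-level default with per-host overrides is the safer shape, e.g. `server_prefix: eu` under `all:` `vars:`, keeping only `server_prefix: us` and `server_prefix: in` on those two hosts. The host-to-prefix mapping also deserves a one-line comment next to the default, since two hosts sharing `eu` is only correct because the template routes them to disjoint sets of sites.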
@@ -47,11 +37,20 @@ ansible.builtin.include_tasks: docker-tasks.yaml with_items: "{{ docker_services }}" tags: docker -- name: Setup docker compose for privacy frontends (non-pizza1) - hosts: in,us +- name: Setup docker compose for privacy frontends (soleil+normal) + hosts: in,us,docker vars: non_pizza_docker_services: + - anonymousoverflow + - breezewiki + - gothub + - gothub-dev - searxng + - hyperpipe + - rimgo + - safetwitch + - scribe + - simplytranslate tasks: # community.docker does not support compose 2.0 right now. # https://github.com/ansible-collections/community.docker/issues/216 diff --git a/privfrontends/templates/Caddyfile.j2 b/privfrontends/templates/Caddyfile.j2 index b316184..2c36259 100644 --- a/privfrontends/templates/Caddyfile.j2 +++ b/privfrontends/templates/Caddyfile.j2 @@ -33,7 +33,7 @@ (def) { header { # disable FLoC tracking - Permissions-Policy interest-cohort=() + Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"; # enable HSTS Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" 
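Review bot: The new `Permissions-Policy` value in the `(def)` snippet ends with `";` — the semicolon sits outside the closing quote, and as far as I can tell from Caddy's Caddyfile lexer the closing quote terminates the token, so `;` is parsed as a third argument. Three arguments to a field inside `header` make it a find/replace on an existing header rather than a set, which would mean no `Permissions-Policy` header is emitted at all for any site that imports `def`. Dropping the stray character fixes it: `Permissions-Policy "accelerometer=(), ambient-light-sensor=(), …, xr-spatial-tracking=()"` (same content, no `;` after the quote). The same `";` appears in every copy of this header in the commit — the inv block in the @@ -313 hunk, the piped and pi blocks in the @@ -414 hunk, and the inv.bp block in eu/misc.Caddyfile — so they want the same edit, and the `# disable FLoC tracking` comment above each copy now undersells a policy that also disables camera, geolocation, payment and the rest. Running `caddy adapt` on a rendered file and checking whether the field comes out as a replace op would confirm the parse before deploy.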
@@ -60,245 +60,25 @@ import acmedns {% endif %} } -:80 {{inventory_hostname}}.projectsegfau.lt {% if inventory_hostname == 'eu' %} pizza1.projectsegfau.lt {% endif %} { - redir https://wiki.projectsegfau.lt/index.php?title={{wiki_page}} +:80 {{ inventory_hostname }}.projectsegfau.lt {% if inventory_hostname == 'eu' %} pizza1.projectsegfau.lt {% endif %} {% if inventory_hostname == 'core' %} soleil.projectsegfau.lt {% endif %} { + redir https://wiki.projectsegfau.lt/index.php?title={{ wiki_page }} } -cdn.projectsegfau.lt cdn.{{inventory_hostname}}.projectsegfau.lt { +# PIZZA + US + IN +{% if inventory_hostname == 'eu' or inventory_hostname == 'us' or inventory_hostname == 'in' %} +cdn.projectsegfau.lt cdn.{{ server_prefix }}.projectsegfau.lt { encode zstd gzip root * /var/cdn file_server { browse } } -{% if inventory_hostname == 'eu' %} -inv.bp.projectsegfau.lt { - reverse_proxy localhost:7573 - header { - # disable FLoC tracking - Permissions-Policy interest-cohort=() - - # enable HSTS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # disable clients from sniffing the media type - X-Content-Type-Options nosniff - - # keep referrer data off of HTTP connections - Referrer-Policy no-referrer-when-downgrade - - X-XSS-Protection "1; mode=block" - defer - } - log { - output discard - format filter { - wrap console - fields { - request>remote_ip replace REDACTED - request>headers>X-Forwarded-For replace REDACTED - } - } - } - import torloc invbp - import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p -} -i.bp.psf.lt { - reverse_proxy localhost:7573 - header { - # disable FLoC tracking - Permissions-Policy interest-cohort=() - -Content-Security-Policy - # enable HSTS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # disable clients from sniffing the media type - X-Content-Type-Options nosniff - - # keep referrer data off of HTTP connections - Referrer-Policy no-referrer-when-downgrade - - 
X-XSS-Protection "1; mode=block" - defer - } - log { - output discard - format filter { - wrap console - fields { - request>remote_ip replace REDACTED - request>headers>X-Forwarded-For replace REDACTED - } - } - } - import torloc invbp - import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p -} -proxy.lbry.projectsegfau.lt { - reverse_proxy localhost:3001 - import def -} -gothub.dev.projectsegfau.lt gh.dev.psf.lt { - reverse_proxy localhost:1025 - import def -} -{% else %} -inv.{{inventory_hostname}}.projectsegfau.lt { - reverse_proxy localhost:7573 - header { - # disable FLoC tracking - Permissions-Policy interest-cohort=() - - # enable HSTS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # disable clients from sniffing the media type - X-Content-Type-Options nosniff - - # keep referrer data off of HTTP connections - Referrer-Policy no-referrer-when-downgrade - - X-XSS-Protection "1; mode=block" - defer - } - log { - output discard - format filter { - wrap console - fields { - request>remote_ip replace REDACTED - request>headers>X-Forwarded-For replace REDACTED - } - } - } - {% if inventory_hostname == 'in' %} - import acmedns - {% endif %} -} -i.{{inventory_hostname}}.psf.lt { - reverse_proxy localhost:7573 - header { - # disable FLoC tracking - Permissions-Policy interest-cohort=() - -Content-Security-Policy - # enable HSTS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # disable clients from sniffing the media type - X-Content-Type-Options nosniff - - # keep referrer data off of HTTP connections - Referrer-Policy no-referrer-when-downgrade - - X-XSS-Protection "1; mode=block" - defer - } - log { - output discard - format filter { - wrap console - fields { - request>remote_ip replace REDACTED - request>headers>X-Forwarded-For replace REDACTED - } - } - } - {% if inventory_hostname == 'in' %} - import acmedns - {% endif %} -} -piped.{{inventory_hostname}}.projectsegfau.lt 
pipedproxy.{{inventory_hostname}}.projectsegfau.lt pipedapi.{{inventory_hostname}}.projectsegfau.lt { - reverse_proxy :6970 - header { - # disable FLoC tracking - Permissions-Policy interest-cohort=() - - # enable HSTS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # disable clients from sniffing the media type - X-Content-Type-Options nosniff - - # keep referrer data off of HTTP connections - Referrer-Policy no-referrer-when-downgrade - - X-XSS-Protection "1; mode=block" - defer - } - log { - output discard - format filter { - wrap console - fields { - request>remote_ip replace REDACTED - request>headers>X-Forwarded-For replace REDACTED - } - } - } - {% if inventory_hostname == 'in' %} - import acmedns - {% endif %} -} -pi.{{inventory_hostname}}.psf.lt { - reverse_proxy :6970 { - header_up Host "piped.{{inventory_hostname}}.projectsegfau.lt" - } - header { - # disable FLoC tracking - Permissions-Policy interest-cohort=() - - # enable HSTS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # disable clients from sniffing the media type - X-Content-Type-Options nosniff - - # keep referrer data off of HTTP connections - Referrer-Policy no-referrer-when-downgrade - - X-XSS-Protection "1; mode=block" - defer - } - log { - output discard - format filter { - wrap console - fields { - request>remote_ip replace REDACTED - request>headers>X-Forwarded-For replace REDACTED - } - } - } -} -{% endif %} -lbry.{{inventory_hostname}}.projectsegfau.lt lbry.projectsegfau.lt { +lbry.{{ server_prefix }}.projectsegfau.lt lbry.projectsegfau.lt { reverse_proxy :3550 import def import torloc lbry import i2ploc pjsf7uucpqf2crcmfo3nvwdmjhirxxjfyuvibdfp5x3af2ghqnaa.b32.i2p } -gothub.{{inventory_hostname}}.projectsegfau.lt gothub.projectsegfau.lt gh.psf.lt gh.{{inventory_hostname}}.psf.lt { - reverse_proxy :1024 - import def - import torloc gothub -} -overflow.{{inventory_hostname}}.projectsegfau.lt overflow.projectsegfau.lt o.psf.lt 
o.{{inventory_hostname}}.psf.lt { - reverse_proxy :8694 - import def - import torloc overflow -} -teddit.{{inventory_hostname}}.projectsegfau.lt teddit.projectsegfau.lt t.psf.lt t.{{inventory_hostname}}.psf.lt { - reverse_proxy :9061 - import def - import torloc teddit -} -rimgo.{{inventory_hostname}}.projectsegfau.lt rimgo.projectsegfau.lt rg.psf.lt rg.{{inventory_hostname}}.psf.lt { - reverse_proxy :9016 - import def - import torloc rimgo -} - -libreddit.{{inventory_hostname}}.projectsegfau.lt libreddit.projectsegfau.lt lr.psf.lt lr.{{inventory_hostname}}.psf.lt { - reverse_proxy :6464 - import def - import torloc libreddit - import i2ploc pjsfkref7g66mji45kyccqnn5hmjtjp3cfodozabpyplj2rmv5sa.b32.i2p -} - -nitter.{{inventory_hostname}}.projectsegfau.lt nitter.projectsegfau.lt n.psf.lt n.{{inventory_hostname}}.psf.lt { +nitter.{{ server_prefix }}.projectsegfau.lt nitter.projectsegfau.lt n.psf.lt n.{{ server_prefix }}.psf.lt { import def header { X-Permitted-Cross-Domain-Policies none 
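Review bot: The new section guard `{% if inventory_hostname == 'eu' or inventory_hostname == 'us' or inventory_hostname == 'in' %}` reads and extends more easily as a membership test, `{% if inventory_hostname in ['eu', 'us', 'in'] %}`, and the matching guard that opens the SOLEIL + US + IN section in the @@ -313 hunk would take the same form. The `# PIZZA + US + IN` comment would also help more if it named what the section keys on, e.g. `# sites served locally on eu (pizza1), us and in; core-fronted services are in the next section`.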
@@ -313,48 +93,100 @@ nitter.{{inventory_hostname}}.projectsegfau.lt nitter.projectsegfau.lt n.psf.lt import torloc nitter import i2ploc pjsfs4ukb6prmfx3qx3a5ef2cpcupkvcrxdh72kqn2rxc2cw4nka.b32.i2p } -bb.{{inventory_hostname}}.projectsegfau.lt bb.projectsegfau.lt { +libreddit.{{ server_prefix }}.projectsegfau.lt libreddit.projectsegfau.lt lr.psf.lt lr.{{ server_prefix }}.psf.lt { + reverse_proxy :6464 import def - import torloc beatbump - import i2ploc pjsflmvtqax7ii44qy4ladap65c3kqspbs7h7krqy7x43uovklla.b32.i2p - redir https://hyperpipe.projectsegfau.lt{uri} + import torloc libreddit + import i2ploc pjsfkref7g66mji45kyccqnn5hmjtjp3cfodozabpyplj2rmv5sa.b32.i2p } +teddit.{{ server_prefix }}.projectsegfau.lt teddit.projectsegfau.lt t.psf.lt t.{{ server_prefix }}.psf.lt { + reverse_proxy :9061 + import def + import torloc teddit +} +{% endif %} +# SOLEIL + US + IN +{% if inventory_hostname == 'core' or inventory_hostname == 'us' or inventory_hostname == 'in' %} +inv.{{ server_prefix }}.projectsegfau.lt inv.projectsegfau.lt invidious.projectsegfau.lt i.{{ server_prefix }}.psf.lt i.psf.lt { + reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:7573 + header { + # disable FLoC tracking + Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"; -bw.{{inventory_hostname}}.projectsegfau.lt bw.projectsegfau.lt bw.psf.lt bw.{{inventory_hostname}}.psf.lt { + # enable HSTS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # disable clients from sniffing the media type + X-Content-Type-Options nosniff + + # keep referrer data off of HTTP connections + Referrer-Policy 
no-referrer-when-downgrade + -Content-Security-Policy + + X-XSS-Protection "1; mode=block" + defer + } + log { + output discard + format filter { + wrap console + fields { + request>remote_ip replace REDACTED + request>headers>X-Forwarded-For replace REDACTED + } + } + } + {% if server_prefix == 'in' %} + import acmedns + {% endif %} +} +gothub.{{ server_prefix }}.projectsegfau.lt gothub.projectsegfau.lt gh.psf.lt gh.{{ server_prefix }}.psf.lt { + reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:1024 + import def + import torloc gothub +} +overflow.{{ server_prefix }}.projectsegfau.lt overflow.projectsegfau.lt o.psf.lt o.{{ server_prefix }}.psf.lt { + reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:8694 + import def + import torloc overflow +} +rimgo.{{ server_prefix }}.projectsegfau.lt rimgo.projectsegfau.lt rg.psf.lt rg.{{ server_prefix }}.psf.lt { + reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:9016 + import def + import torloc rimgo +} +bw.{{ server_prefix }}.projectsegfau.lt bw.projectsegfau.lt bw.psf.lt bw.{{ server_prefix }}.psf.lt { import def import torloc breezewiki import i2ploc pjsfk4xvekoc7wx4pteevp3q2wy7jmzlem7rvl74nx33zkdr4vyq.b32.i2p - reverse_proxy :10416 + reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:10416 } -scribe.{{inventory_hostname}}.projectsegfau.lt scribe.projectsegfau.lt sc.psf.lt sc.{{inventory_hostname}}.psf.lt { +scribe.{{ server_prefix }}.projectsegfau.lt scribe.projectsegfau.lt sc.psf.lt sc.{{ server_prefix }}.psf.lt { import def import torloc scribe import i2ploc pjsflkkkcn33ahmzmpyq6idy2knkzh4atp7zaetqfsnenpyori6a.b32.i2p - reverse_proxy :8006 + reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:8006 } -translate.{{inventory_hostname}}.projectsegfau.lt translate.projectsegfau.lt tl.psf.lt tl.{{inventory_hostname}}.psf.lt { +translate.{{ server_prefix }}.projectsegfau.lt translate.projectsegfau.lt 
tl.psf.lt tl.{{ server_prefix }}.psf.lt { import def - reverse_proxy :5046 + reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:5046 } -safetwitch.{{inventory_hostname}}.projectsegfau.lt safetwitch.projectsegfau.lt tw.psf.lt tw.{{inventory_hostname}}.psf.lt { +safetwitch.{{ server_prefix }}.projectsegfau.lt safetwitch.projectsegfau.lt tw.psf.lt tw.{{ server_prefix }}.psf.lt { import def - reverse_proxy :5070 + reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:5070 } -api.safetwitch.{{inventory_hostname}}.projectsegfau.lt { - reverse_proxy :5071 +api.safetwitch.{{ server_prefix }}.projectsegfau.lt { + reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:5071 } -hyperpipe.{{inventory_hostname}}.projectsegfau.lt hyperpipe.projectsegfau.lt hp.psf.lt hp.{{inventory_hostname}}.psf.lt { +hyperpipe.{{ server_prefix }}.projectsegfau.lt hyperpipe.projectsegfau.lt hp.psf.lt hp.{{ server_prefix }}.psf.lt { import def - reverse_proxy :8843 + reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:8843 } -hyperpipebackend.{{inventory_hostname}}.projectsegfau.lt { - reverse_proxy :3536 +hyperpipebackend.{{ server_prefix }}.projectsegfau.lt { + reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:3536 } -{% if inventory_hostname == 'eu' %} -{% else %} -search.{{inventory_hostname}}.projectsegfau.lt s.psf.lt s.{{inventory_hostname}}.psf.lt { +search.{{ server_prefix }}.projectsegfau.lt search.projectsegfau.lt s.psf.lt s.{{ server_prefix }}.psf.lt { import def - reverse_proxy :8081 + reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:8081 @api { path /config path /healthz 
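Review bot: The merged `inv.{{ server_prefix }}…` block carries `-Content-Security-Policy`, which deletes whatever CSP Invidious sends, but before this change only the short `i.*.psf.lt` variant stripped it while `inv.*.projectsegfau.lt` kept the upstream CSP, so the primary hostnames lose that protection here. Unless the stripping is needed on every name, a narrower form keeps it on the main hostnames — a separate site block for `i.{{ server_prefix }}.psf.lt i.psf.lt` holding the `-Content-Security-Policy` line — or at least a why-comment such as `# upstream CSP removed on purpose: breaks <feature>` recording the reason. Separately, `reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:7573` is repeated for every upstream in this hunk and the next; an inventory variable (say `backend_host`, empty on us/in and `192.168.5.2` on core) with `reverse_proxy {{ backend_host }}:7573` would make the core-versus-local routing one fact instead of a dozen inline conditionals. The block's `{% if server_prefix == 'in' %} import acmedns {% endif %}` keys on `server_prefix` while the upstream choice keys on `inventory_hostname`; picking one variable for host identity avoids the two drifting apart.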
@@ -414,5 +246,67 @@ search.{{inventory_hostname}}.projectsegfau.lt s.psf.lt s.{{inventory_hostname}} Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com" } } +piped.{{ server_prefix }}.projectsegfau.lt pipedproxy.{{ server_prefix }}.projectsegfau.lt pipedapi.{{ server_prefix }}.projectsegfau.lt { + reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:6970 + header { + # disable FLoC tracking + Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"; + + # enable HSTS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # disable clients from sniffing the media type + X-Content-Type-Options nosniff + + # keep referrer data off of HTTP connections + Referrer-Policy no-referrer-when-downgrade + + X-XSS-Protection "1; mode=block" + defer + } + log { + output discard + format filter { + wrap console + fields { + request>remote_ip replace REDACTED + request>headers>X-Forwarded-For replace REDACTED + } + } + } + {% if server_prefix == 'in' %} + import acmedns + {% endif %} +} +pi.{{ server_prefix }}.psf.lt { + reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif 
%}:6970 { + header_up Host "piped.{{ server_prefix }}.projectsegfau.lt" + } + header { + # disable FLoC tracking + Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"; + + # enable HSTS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # disable clients from sniffing the media type + X-Content-Type-Options nosniff + + # keep referrer data off of HTTP connections + Referrer-Policy no-referrer-when-downgrade + + X-XSS-Protection "1; mode=block" + defer + } + log { + output discard + format filter { + wrap console + fields { + request>remote_ip replace REDACTED + request>headers>X-Forwarded-For replace REDACTED + } + } + } +} {% endif %} + import ./*.Caddyfile diff --git a/privfrontends/templates/core/apps.Caddyfile b/privfrontends/templates/core/apps.Caddyfile new file mode 100644 index 0000000..8272883 --- /dev/null +++ b/privfrontends/templates/core/apps.Caddyfile 
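Review bot: `pi.{{ server_prefix }}.psf.lt` is re-added without the `{% if server_prefix == 'in' %} import acmedns {% endif %}` that the sibling `piped.…` block in this hunk carries (the old `pi.` block lacked it too), so on the `in` host the short name would be issued through the default challenge while the long names use acmedns; if that is deliberate, a one-line comment such as `# pi.in.psf.lt: default challenge on purpose, no acmedns` stops the next reader from "fixing" it, otherwise the guard belongs here as well. The trailing `import ./*.Caddyfile` sits after `{% endif %}` and so runs on every host; a comment naming which files the playbook places next to the Caddyfile per host (`caddy_extras_config`, and presumably the new `core/*.Caddyfile`) would make the glob's intent visible, since a glob that matches nothing is silent.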
@@ -0,0 +1,287 @@ +# ---Apps Caddyfile--- + +# Akkoma +social.projectsegfau.lt { + import def + encode gzip + + # this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only + # and `localhost.` resolves to [::0] on some systems: see issue #930 + reverse_proxy 192.168.5.2:4011 + + handle /media/* { + redir https://media.social.projectsegfau.lt{uri} permanent + } + handle /proxy/* { + redir https://media.social.projectsegfau.lt{uri} permanent + } +} + +# Security mitigation +# See https://webb.spiderden.org/2023/05/26/pleroma-mitigation/ +# And https://poa.st/notice/AWDToOiKAl4BPhdEB6 +# And https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO +media.social.projectsegfau.lt { + handle /media/* { + reverse_proxy 192.168.5.2:4011 { + transport http { + response_header_timeout 10s + read_timeout 15s + } + } + } + + handle /proxy/* { + reverse_proxy 192.168.5.2:4011 { + transport http { + response_header_timeout 10s + read_timeout 15s + } + } + } +} + +# Cinny +cinny.projectsegfau.lt cy.psf.lt { + reverse_proxy 192.168.5.2:3069 + import def +} + +# Website +projectsegfau.lt { + reverse_proxy 192.168.5.2:1337 + import def + reverse_proxy /_matrix/* 192.168.5.2:8449 { + header_up Host "matrix.projectsegfau.lt" + } + reverse_proxy /_matrix/client/* 192.168.5.2:81 { + header_up Host "matrix.projectsegfau.lt" + } + reverse_proxy /_synapse/* 192.168.5.2:81 { + header_up Host "matrix.projectsegfau.lt" + } + reverse_proxy /.well-known/acme-challenge/* 192.168.5.5:5380 + reverse_proxy /converse 192.168.5.5:5280 + reverse_proxy /converseemojis.js 192.168.5.5:5280 + reverse_proxy /converse/* 192.168.5.5:5280 + reverse_proxy /bosh 192.168.5.5:5280 + reverse_proxy /ws 192.168.5.5:5280 + header /.well-known/matrix/* Content-Type application/json + header /.well-known/matrix/* Access-Control-Allow-Origin * + handle_path /.well-known/* { + root * /var/www/well-known + file_server + } + header /.well-known/host-meta Content-Type application/xrd+xml + header 
/.well-known/host-meta.json Content-Type application/json + header /.well-known/host-meta.json Access-Control-Allow-Origin * + header /.well-known/host-meta Access-Control-Allow-Origin * + import torloc www +} +psf.lt { + reverse_proxy 192.168.5.2:1337 + import def + import torloc www + header /.well-known/matrix/* Content-Type application/json + header /.well-known/matrix/* Access-Control-Allow-Origin * + handle_path /.well-known/* { + root * /var/www/psf-well-known + file_server + } +} +ssync.projectsegfau.lt { + reverse_proxy 192.168.5.2:3333 +} + +www.projectsegfau.lt www.psf.lt { + redir https://projectsegfau.lt{uri} + import torloc www +} + +matrix.projectsegfau.lt { + reverse_proxy /_matrix/* 192.168.5.2:8449 { + header_up Host "matrix.projectsegfau.lt" + } + reverse_proxy /_matrix/client/* 192.168.5.2:81 { + header_up Host "matrix.projectsegfau.lt" + } + reverse_proxy /_synapse/* 192.168.5.2:81 { + header_up Host "matrix.projectsegfau.lt" + } + #reverse_proxy /_synapse/client/* 192.168.5.2:81 { + # header_up Host "matrix.projectsegfau.lt" + #} + handle_path / { + redir https://wiki.projectsegfau.lt/Matrix + } +} + +# Directus +cms.projectsegfau.lt { + reverse_proxy 192.168.5.2:9456 + import def +} + +# Element +chat.projectsegfau.lt el.psf.lt { + reverse_proxy 192.168.5.2:3070 + import def +} + +# Gitea +git.projectsegfau.lt { + reverse_proxy 192.168.5.5:3444 + respond /metrics 403 + import def + request_body { + max_size 500MB + } + header { + Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';" + } + import torloc git +} +git.psf.lt { + reverse_proxy 192.168.5.5:3444 { + header_up Host "git.projectsegfau.lt" + } + respond /metrics 403 + import def + request_body { + max_size 500MB + } 
+ header { + Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';" + } + import torloc git +} +# HedgeDoc +doc.projectsegfau.lt { + reverse_proxy 192.168.5.2:2069 { + header_up X-Real-IP {remote_host} + } + import def +} + +# Hydrogen +h2.projectsegfau.lt, hydrogen.projectsegfau.lt, h2.psf.lt { + reverse_proxy 192.168.5.2:3071 + import def +} + +# Jitsi +jitsi.projectsegfau.lt { + reverse_proxy 192.168.5.5:8000 { + header_up X-Real-IP {remote_host} + } +} +# Excalidraw backend for jitsi +excalidraw.projectsegfau.lt { + reverse_proxy 192.168.5.5:8694 +} + +# Maubot +mau.projectsegfau.lt { + reverse_proxy 192.168.5.2:29316 + import def +} + +# MediaWiki +wiki.projectsegfau.lt w.psf.lt { + reverse_proxy 192.168.5.3:8000 { + header_up X-Real-IP {remote_host} + } + import def + encode gzip + import torloc wiki +} + +# Vikunja +todo.projectsegfau.lt vi.psf.lt { + reverse_proxy 192.168.5.2:3456 + import def + import torloc todo +} + +# Vaultwarden +pass.projectsegfau.lt vw.psf.lt { + reverse_proxy 192.168.5.2:6980 { + header_up X-Real-IP {remote_host} + } + import def + reverse_proxy /notifications/hub 192.168.5.2:3012 { + header_up X-Real-IP {remote_host} + } + import torloc pass +} + +# XMPP +xmpp.projectsegfau.lt, conference.projectsegfau.lt, proxy.projectsegfau.lt, pubsub.projectsegfau.lt, upload.projectsegfau.lt { + reverse_proxy 192.168.5.5:5280 { + header_up X-Real-IP {remote_host} + } + reverse_proxy /.well-known/acme-challenge/* 192.168.5.5:5380 + @register { + path /new/ + path /change_password/ + path /delete/ + path /new + path /change_password + path /delete + } + redir @register /register{uri} + import def + header /.well-known/host-meta Content-Type application/xrd+xml + header 
/.well-known/host-meta.json Content-Type application/json + header /.well-known/host-meta.json Access-Control-Allow-Origin * + header /.well-known/host-meta Access-Control-Allow-Origin * + handle_path /.well-known/* { + root * /var/www/well-known + file_server + } + handle_path / { + redir https://wiki.projectsegfau.lt/XMPP + } +} +xmpp-web.projectsegfau.lt, x.psf.lt { + import def + reverse_proxy 192.168.5.2:3072 +} +healthchecks.projectsegfau.lt, hc.psf.lt { + import def + reverse_proxy 192.168.5.2:8450 +} +# Pubthentik +auth.p.projectsegfau.lt { + reverse_proxy 192.168.5.2:7444 { + transport http { + tls_insecure_skip_verify + } + header_up X-Real-IP {remote_host} + } + import def +} +# kbin +kbin.projectsegfau.lt, kb.psf.lt { + reverse_proxy kbin.projectsegfau.lt:443 { + transport http { + tls_insecure_skip_verify + } + header_up X-Real-IP {remote_host} + } + #reverse_proxy 192.168.5.2:8643 + import def +} +gothub.dev.projectsegfau.lt gh.dev.psf.lt { + reverse_proxy localhost:1025 + import def +} +ak.psf.lt { + redir https://social.projectsegfau.lt{uri} +} +j.psf.lt { + redir https://jitsi.projectsegfau.lt{uri} +} +d.psf.lt { + redir https://doc.projectsegfau.lt{uri} +} diff --git a/privfrontends/templates/core/internal.Caddyfile b/privfrontends/templates/core/internal.Caddyfile new file mode 100644 index 0000000..457cb4e --- /dev/null +++ b/privfrontends/templates/core/internal.Caddyfile 
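Review bot: `gothub.dev.projectsegfau.lt gh.dev.psf.lt` proxies to `localhost:1025` while every other site in this file proxies to `192.168.5.2`, and the playbook change in this commit moves `gothub-dev` from the privfrontends `docker_services` list to `non_pizza_docker_services` run on `in,us,docker`; if `docker` is the 192.168.5.2 backend that core fronts, which the rest of this file implies, the dev instance is no longer on core's loopback and this should read `reverse_proxy 192.168.5.2:1025`. Two sites disable upstream certificate checks — `auth.p.projectsegfau.lt` and `kbin.projectsegfau.lt` use `tls_insecure_skip_verify` — which lets a spoofed backend on the internal network be accepted; pinning the internal CA with `tls_trusted_ca_cert` or the expected name with `tls_server_name` keeps the upstream TLS meaningful. `kbin.projectsegfau.lt` also proxies to its own public name `kbin.projectsegfau.lt:443`, which only works while that name resolves to a host other than the one serving this block; a comment such as `# kbin is hosted at <host>; DNS for this name must not point at this Caddy` would keep a future DNS change from turning it into a proxy loop.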
@@ -0,0 +1,101 @@ +# ---Internal Caddyfile--- + +# Authentik +sekuritee.projectsegfau.lt { + reverse_proxy https://192.168.5.2:7443 { + transport http { + tls_insecure_skip_verify + } + header_up X-Real-IP {remote_host} + } + import def +} +# Grafana +grafana.projectsegfau.lt { + reverse_proxy 192.168.5.2:3169 + handle_path /api/live { + reverse_proxy 192.168.5.2:3169 + } + import def +} + +# MailU +mail.projectsegfau.lt { + log { + output file /var/log/caddy/mail.projectsegfau.lt.log { + roll_disabled + roll_size 512M + roll_uncompressed + roll_local_time + roll_keep 3 + roll_keep_for 48h + } + } + import def + reverse_proxy 192.168.5.5:8082 +} + +# Plausible +analytics.projectsegfau.lt { + reverse_proxy 192.168.5.2:8001 + import def +} + +# Website dev +web.dev.projectsegfau.lt { + reverse_proxy 192.168.5.2:1339 + import def +} + +blog.projectsegfau.lt { + reverse_proxy 192.168.5.2:2368 { + header_up X-Forwarded-Proto https + header_up X-Real-IP {remote_host} + } + import def +} +prometheus.projectsegfau.lt { + reverse_proxy 192.168.5.2:9090 + basicauth /* { + admin $2a$14$1asDwG2gbyJ3.SungtdOyeqBlW1IiKQ//qI3ienQCTldaosx1qzSC + } + import def +} + +# Midou PersoVM +matrix.midou.dev { + reverse_proxy /_matrix/* 192.168.5.6:8008 +} + +file.midou.dev { + reverse_proxy 192.168.5.6:8080 +} + +c.midou.dev { + reverse_proxy 192.168.5.6:8978 +} + +# Headscale (tailscale control server) +hs.projectsegfau.lt { + reverse_proxy /web* https://192.168.5.5:9443 { + transport http { + tls_insecure_skip_verify + } + } + reverse_proxy * 192.168.5.5:8089 +} + +# Caddy daily build (for ansible) +cb.projectsegfau.lt { + root * /var/www/caddy-build + file_server browse + encode gzip +} +# GotHub +docs.gothub.app { + redir https://gothub.app/docs{uri} +} +# OLD URLs +http://mutahar.rocks, http://*.mutahar.rocks { + redir https://projectsegfau.lt +} diff --git a/privfrontends/templates/eu/misc.Caddyfile b/privfrontends/templates/eu/misc.Caddyfile index 210fa14..197b600 100644 
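Review bot: `prometheus.projectsegfau.lt` commits a bcrypt password hash inline in `basicauth`; a hash in the repository is exposed to offline cracking by anyone with read access and can only be rotated through a commit, so it is better supplied out of band, e.g. `admin {$PROMETHEUS_ADMIN_HASH}` (variable name illustrative) with the value set in the Caddy service environment or templated in from an Ansible vault variable. `grafana.projectsegfau.lt` has `handle_path /api/live { reverse_proxy 192.168.5.2:3169 }`, which matches only the exact path `/api/live` and strips it before proxying so the request reaches Grafana at `/`; since the outer `reverse_proxy 192.168.5.2:3169` already forwards every path including `/api/live/ws`, the inner block looks like a leftover and can go, or needs a comment explaining what it is for. `sekuritee.projectsegfau.lt` and the `/web*` route of `hs.projectsegfau.lt` use `tls_insecure_skip_verify` against internal HTTPS upstreams; pinning the internal CA (`tls_trusted_ca_cert`) or the expected name (`tls_server_name`) keeps a spoofed backend from being accepted. `mail.projectsegfau.lt` is the one site here that writes an access log to disk, presumably including client IPs, while the privfrontends blocks redact them; if that is intended for abuse handling, a comment like `# full access log kept 48h for mail abuse triage` documents the exception.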
--- a/privfrontends/templates/eu/misc.Caddyfile +++ b/privfrontends/templates/eu/misc.Caddyfile @@ -5,6 +5,41 @@ stats.eu.projectsegfau.lt { reverse_proxy localhost:9100 import def } +inv.bp.projectsegfau.lt, i.bp.psf.lt { + reverse_proxy localhost:7573 + header { + # disable FLoC tracking + Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"; + + # enable HSTS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # disable clients from sniffing the media type + X-Content-Type-Options nosniff + -Content-Security-Policy + + # keep referrer data off of HTTP connections + Referrer-Policy no-referrer-when-downgrade + + X-XSS-Protection "1; mode=block" + defer + } + log { + output discard + format filter { + wrap console + fields { + request>remote_ip replace REDACTED + request>headers>X-Forwarded-For replace REDACTED + } + } + } + import torloc invbp + import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p +} +proxy.lbry.projectsegfau.lt { + reverse_proxy localhost:3001 + import def +} aryak.me { reverse_proxy https://prox-arya.p.projectsegfau.lt { header_up Host prox-arya.p.projectsegfau.lt @@ -14,6 +49,12 @@ arya.projectsegfau.lt { redir https://aryak.me{uri} } ## OLD URL REDIRECTS +bb.us.projectsegfau.lt bb.in.projectsegfau.lt bb.eu.projectsegfau.lt bb.projectsegfau.lt { + import def + import torloc beatbump + import i2ploc pjsflmvtqax7ii44qy4ladap65c3kqspbs7h7krqy7x43uovklla.b32.i2p + redir https://hyperpipe.projectsegfau.lt{uri} +} invidious.mutahar.rocks { redir https://inv.bp.projectsegfau.lt{uri} permanent }
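Review bot: The `inv.bp.projectsegfau.lt, i.bp.psf.lt` block inlines the same ~25-line `header`/`log` stanza that the Invidious and Piped blocks in Caddyfile.j2 carry, differing from the shared `def` snippet only by `-Content-Security-Policy` and the redacting `log`; two small snippets beside `(def)` — say `(privlog)` for the log block and `(nocsp)` for the CSP removal — would let this block read `import def`, `import nocsp`, `import privlog` and stop the copies drifting (this copy already carries the same stray `";` after the `Permissions-Policy` value as the others). `-Content-Security-Policy` also wants a why-comment, since dropping the upstream CSP on the beta instance is a deliberate weakening: `# Invidious CSP breaks <feature> on bp; removed on purpose`.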