prelimenary stuff for pizza -> sol privacy frontends

This commit is contained in:
Arya 2023-07-17 22:36:06 +05:30
parent a42a3f4834
commit 1f2d73edc9
Signed by: arya
GPG Key ID: 842D12BDA50DF120
6 changed files with 591 additions and 263 deletions

View File

@ -8,6 +8,8 @@ all:
ansible_port: 22 ansible_port: 22
port: 22 port: 22
ansible_become: true # Run everything as root ansible_become: true # Run everything as root
wiki_page: Soleil_Levant
server_prefix: eu
docker: docker:
ansible_host: docker.vpn.projectsegfau.lt ansible_host: docker.vpn.projectsegfau.lt
ansible_user: ansiblerunner ansible_user: ansiblerunner
@ -17,6 +19,7 @@ all:
country: France country: France
isp: Orange S.A. isp: Orange S.A.
wiki_page: Soleil_Levant wiki_page: Soleil_Levant
server_prefix: eu
ansible_become: true # Run everything as root ansible_become: true # Run everything as root
lxc: lxc:
ansible_host: lxc.vpn.projectsegfau.lt ansible_host: lxc.vpn.projectsegfau.lt
@ -44,6 +47,7 @@ all:
ansible_port: 222 ansible_port: 222
port: 222 port: 222
docker_dir: /opt/docker-privfrontends docker_dir: /opt/docker-privfrontends
server_prefix: eu
ansible_become: true # Run everything as root ansible_become: true # Run everything as root
caddy_extras_config: templates/1-extras.Caddyfile caddy_extras_config: templates/1-extras.Caddyfile
country: Luxembourg country: Luxembourg
@ -61,6 +65,7 @@ all:
country: United States country: United States
isp: Digital Ocean isp: Digital Ocean
wiki_page: US_Node wiki_page: US_Node
server_prefix: us
watchtower_mtrx_username: watchtower-us watchtower_mtrx_username: watchtower-us
in: in:
ansible_host: in.vpn.projectsegfau.lt ansible_host: in.vpn.projectsegfau.lt
@ -69,6 +74,7 @@ all:
port: 22 port: 22
ansible_become: true # Run everything as root ansible_become: true # Run everything as root
docker_dir: /opt/docker-privfrontends docker_dir: /opt/docker-privfrontends
server_prefix: in
caddy_extras_config: templates/3-extras.Caddyfile caddy_extras_config: templates/3-extras.Caddyfile
country: India country: India
isp: Bharti Airtel isp: Bharti Airtel

View File

@ -1,8 +1,7 @@
--- ---
- name: Setup Caddy - name: Setup Caddy
hosts: privfrontends hosts: privfrontends,core
tasks: tasks:
# This is run again so config still updates even if i dont run the role which isnt needed most of the time
- name: Copy Caddyfile - name: Copy Caddyfile
ansible.builtin.template: ansible.builtin.template:
src: ./templates/Caddyfile.j2 src: ./templates/Caddyfile.j2
@ -26,18 +25,9 @@
hosts: privfrontends hosts: privfrontends
vars: vars:
docker_services: docker_services:
- anonymousoverflow
- breezewiki
- gothub
- gothub-dev
- hyperpipe
- librarian - librarian
- libreddit - libreddit
- nitter - nitter
- rimgo
- safetwitch
- scribe
- simplytranslate
- teddit - teddit
- watchtower - watchtower
tasks: tasks:
@ -47,11 +37,20 @@
ansible.builtin.include_tasks: docker-tasks.yaml ansible.builtin.include_tasks: docker-tasks.yaml
with_items: "{{ docker_services }}" with_items: "{{ docker_services }}"
tags: docker tags: docker
- name: Setup docker compose for privacy frontends (non-pizza1) - name: Setup docker compose for privacy frontends (soleil+normal)
hosts: in,us hosts: in,us,docker
vars: vars:
non_pizza_docker_services: non_pizza_docker_services:
- anonymousoverflow
- breezewiki
- gothub
- gothub-dev
- searxng - searxng
- hyperpipe
- rimgo
- safetwitch
- scribe
- simplytranslate
tasks: tasks:
# community.docker does not support compose 2.0 right now. # community.docker does not support compose 2.0 right now.
# https://github.com/ansible-collections/community.docker/issues/216 # https://github.com/ansible-collections/community.docker/issues/216

View File

@ -33,7 +33,7 @@
(def) { (def) {
header { header {
# disable FLoC tracking # disable FLoC tracking
Permissions-Policy interest-cohort=() Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS # enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
@ -60,245 +60,25 @@
import acmedns import acmedns
{% endif %} {% endif %}
} }
:80 {{inventory_hostname}}.projectsegfau.lt {% if inventory_hostname == 'eu' %} pizza1.projectsegfau.lt {% endif %} { :80 {{ inventory_hostname }}.projectsegfau.lt {% if inventory_hostname == 'eu' %} pizza1.projectsegfau.lt {% endif %} {% if inventory_hostname == 'core' %} soleil.projectsegfau.lt {% endif %} {
redir https://wiki.projectsegfau.lt/index.php?title={{ wiki_page }} redir https://wiki.projectsegfau.lt/index.php?title={{ wiki_page }}
} }
cdn.projectsegfau.lt cdn.{{inventory_hostname}}.projectsegfau.lt { # PIZZA + US + IN
{% if inventory_hostname == 'eu' or inventory_hostname == 'us' or inventory_hostname == 'in' %}
cdn.projectsegfau.lt cdn.{{ server_prefix }}.projectsegfau.lt {
encode zstd gzip encode zstd gzip
root * /var/cdn root * /var/cdn
file_server { file_server {
browse browse
} }
} }
{% if inventory_hostname == 'eu' %} lbry.{{ server_prefix }}.projectsegfau.lt lbry.projectsegfau.lt {
inv.bp.projectsegfau.lt {
reverse_proxy localhost:7573
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
import torloc invbp
import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p
}
i.bp.psf.lt {
reverse_proxy localhost:7573
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
-Content-Security-Policy
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
import torloc invbp
import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p
}
proxy.lbry.projectsegfau.lt {
reverse_proxy localhost:3001
import def
}
gothub.dev.projectsegfau.lt gh.dev.psf.lt {
reverse_proxy localhost:1025
import def
}
{% else %}
inv.{{inventory_hostname}}.projectsegfau.lt {
reverse_proxy localhost:7573
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
{% if inventory_hostname == 'in' %}
import acmedns
{% endif %}
}
i.{{inventory_hostname}}.psf.lt {
reverse_proxy localhost:7573
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
-Content-Security-Policy
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
{% if inventory_hostname == 'in' %}
import acmedns
{% endif %}
}
piped.{{inventory_hostname}}.projectsegfau.lt pipedproxy.{{inventory_hostname}}.projectsegfau.lt pipedapi.{{inventory_hostname}}.projectsegfau.lt {
reverse_proxy :6970
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
{% if inventory_hostname == 'in' %}
import acmedns
{% endif %}
}
pi.{{inventory_hostname}}.psf.lt {
reverse_proxy :6970 {
header_up Host "piped.{{inventory_hostname}}.projectsegfau.lt"
}
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
}
{% endif %}
lbry.{{inventory_hostname}}.projectsegfau.lt lbry.projectsegfau.lt {
reverse_proxy :3550 reverse_proxy :3550
import def import def
import torloc lbry import torloc lbry
import i2ploc pjsf7uucpqf2crcmfo3nvwdmjhirxxjfyuvibdfp5x3af2ghqnaa.b32.i2p import i2ploc pjsf7uucpqf2crcmfo3nvwdmjhirxxjfyuvibdfp5x3af2ghqnaa.b32.i2p
} }
gothub.{{inventory_hostname}}.projectsegfau.lt gothub.projectsegfau.lt gh.psf.lt gh.{{inventory_hostname}}.psf.lt { nitter.{{ server_prefix }}.projectsegfau.lt nitter.projectsegfau.lt n.psf.lt n.{{ server_prefix }}.psf.lt {
reverse_proxy :1024
import def
import torloc gothub
}
overflow.{{inventory_hostname}}.projectsegfau.lt overflow.projectsegfau.lt o.psf.lt o.{{inventory_hostname}}.psf.lt {
reverse_proxy :8694
import def
import torloc overflow
}
teddit.{{inventory_hostname}}.projectsegfau.lt teddit.projectsegfau.lt t.psf.lt t.{{inventory_hostname}}.psf.lt {
reverse_proxy :9061
import def
import torloc teddit
}
rimgo.{{inventory_hostname}}.projectsegfau.lt rimgo.projectsegfau.lt rg.psf.lt rg.{{inventory_hostname}}.psf.lt {
reverse_proxy :9016
import def
import torloc rimgo
}
libreddit.{{inventory_hostname}}.projectsegfau.lt libreddit.projectsegfau.lt lr.psf.lt lr.{{inventory_hostname}}.psf.lt {
reverse_proxy :6464
import def
import torloc libreddit
import i2ploc pjsfkref7g66mji45kyccqnn5hmjtjp3cfodozabpyplj2rmv5sa.b32.i2p
}
nitter.{{inventory_hostname}}.projectsegfau.lt nitter.projectsegfau.lt n.psf.lt n.{{inventory_hostname}}.psf.lt {
import def import def
header { header {
X-Permitted-Cross-Domain-Policies none X-Permitted-Cross-Domain-Policies none
@ -313,48 +93,100 @@ nitter.{{inventory_hostname}}.projectsegfau.lt nitter.projectsegfau.lt n.psf.lt
import torloc nitter import torloc nitter
import i2ploc pjsfs4ukb6prmfx3qx3a5ef2cpcupkvcrxdh72kqn2rxc2cw4nka.b32.i2p import i2ploc pjsfs4ukb6prmfx3qx3a5ef2cpcupkvcrxdh72kqn2rxc2cw4nka.b32.i2p
} }
bb.{{inventory_hostname}}.projectsegfau.lt bb.projectsegfau.lt { libreddit.{{ server_prefix }}.projectsegfau.lt libreddit.projectsegfau.lt lr.psf.lt lr.{{ server_prefix }}.psf.lt {
reverse_proxy :6464
import def import def
import torloc beatbump import torloc libreddit
import i2ploc pjsflmvtqax7ii44qy4ladap65c3kqspbs7h7krqy7x43uovklla.b32.i2p import i2ploc pjsfkref7g66mji45kyccqnn5hmjtjp3cfodozabpyplj2rmv5sa.b32.i2p
redir https://hyperpipe.projectsegfau.lt{uri}
} }
teddit.{{ server_prefix }}.projectsegfau.lt teddit.projectsegfau.lt t.psf.lt t.{{ server_prefix }}.psf.lt {
reverse_proxy :9061
import def
import torloc teddit
}
{% endif %}
# SOLEIL + US + IN
{% if inventory_hostname == 'core' or inventory_hostname == 'us' or inventory_hostname == 'in' %}
inv.{{ server_prefix }}.projectsegfau.lt inv.projectsegfau.lt invidious.projectsegfau.lt i.{{ server_prefix }}.psf.lt i.psf.lt {
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:7573
header {
# disable FLoC tracking
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
bw.{{inventory_hostname}}.projectsegfau.lt bw.projectsegfau.lt bw.psf.lt bw.{{inventory_hostname}}.psf.lt { # enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
-Content-Security-Policy
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
{% if server_prefix == 'in' %}
import acmedns
{% endif %}
}
gothub.{{ server_prefix }}.projectsegfau.lt gothub.projectsegfau.lt gh.psf.lt gh.{{ server_prefix }}.psf.lt {
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:1024
import def
import torloc gothub
}
overflow.{{ server_prefix }}.projectsegfau.lt overflow.projectsegfau.lt o.psf.lt o.{{ server_prefix }}.psf.lt {
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:8694
import def
import torloc overflow
}
rimgo.{{ server_prefix }}.projectsegfau.lt rimgo.projectsegfau.lt rg.psf.lt rg.{{ server_prefix }}.psf.lt {
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:9016
import def
import torloc rimgo
}
bw.{{ server_prefix }}.projectsegfau.lt bw.projectsegfau.lt bw.psf.lt bw.{{ server_prefix }}.psf.lt {
import def import def
import torloc breezewiki import torloc breezewiki
import i2ploc pjsfk4xvekoc7wx4pteevp3q2wy7jmzlem7rvl74nx33zkdr4vyq.b32.i2p import i2ploc pjsfk4xvekoc7wx4pteevp3q2wy7jmzlem7rvl74nx33zkdr4vyq.b32.i2p
reverse_proxy :10416 reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:10416
} }
scribe.{{inventory_hostname}}.projectsegfau.lt scribe.projectsegfau.lt sc.psf.lt sc.{{inventory_hostname}}.psf.lt { scribe.{{ server_prefix }}.projectsegfau.lt scribe.projectsegfau.lt sc.psf.lt sc.{{ server_prefix }}.psf.lt {
import def import def
import torloc scribe import torloc scribe
import i2ploc pjsflkkkcn33ahmzmpyq6idy2knkzh4atp7zaetqfsnenpyori6a.b32.i2p import i2ploc pjsflkkkcn33ahmzmpyq6idy2knkzh4atp7zaetqfsnenpyori6a.b32.i2p
reverse_proxy :8006 reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:8006
} }
translate.{{inventory_hostname}}.projectsegfau.lt translate.projectsegfau.lt tl.psf.lt tl.{{inventory_hostname}}.psf.lt { translate.{{ server_prefix }}.projectsegfau.lt translate.projectsegfau.lt tl.psf.lt tl.{{ server_prefix }}.psf.lt {
import def import def
reverse_proxy :5046 reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:5046
} }
safetwitch.{{inventory_hostname}}.projectsegfau.lt safetwitch.projectsegfau.lt tw.psf.lt tw.{{inventory_hostname}}.psf.lt { safetwitch.{{ server_prefix }}.projectsegfau.lt safetwitch.projectsegfau.lt tw.psf.lt tw.{{ server_prefix }}.psf.lt {
import def import def
reverse_proxy :5070 reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:5070
} }
api.safetwitch.{{inventory_hostname}}.projectsegfau.lt { api.safetwitch.{{ server_prefix }}.projectsegfau.lt {
reverse_proxy :5071 reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:5071
} }
hyperpipe.{{inventory_hostname}}.projectsegfau.lt hyperpipe.projectsegfau.lt hp.psf.lt hp.{{inventory_hostname}}.psf.lt { hyperpipe.{{ server_prefix }}.projectsegfau.lt hyperpipe.projectsegfau.lt hp.psf.lt hp.{{ server_prefix }}.psf.lt {
import def import def
reverse_proxy :8843 reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:8843
} }
hyperpipebackend.{{inventory_hostname}}.projectsegfau.lt { hyperpipebackend.{{ server_prefix }}.projectsegfau.lt {
reverse_proxy :3536 reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:3536
} }
{% if inventory_hostname == 'eu' %} search.{{ server_prefix }}.projectsegfau.lt search.projectsegfau.lt s.psf.lt s.{{ server_prefix }}.psf.lt {
{% else %}
search.{{inventory_hostname}}.projectsegfau.lt s.psf.lt s.{{inventory_hostname}}.psf.lt {
import def import def
reverse_proxy :8081 reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:8081
@api { @api {
path /config path /config
path /healthz path /healthz
@ -414,5 +246,67 @@ search.{{inventory_hostname}}.projectsegfau.lt s.psf.lt s.{{inventory_hostname}}
Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com" Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
} }
} }
piped.{{ server_prefix }}.projectsegfau.lt pipedproxy.{{ server_prefix }}.projectsegfau.lt pipedapi.{{ server_prefix }}.projectsegfau.lt {
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:6970
header {
# disable FLoC tracking
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
{% if server_prefix == 'in' %}
import acmedns
{% endif %} {% endif %}
}
pi.{{ server_prefix }}.psf.lt {
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:6970 {
header_up Host "piped.{{ server_prefix }}.projectsegfau.lt"
}
header {
# disable FLoC tracking
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
}
{% endif %}
import ./*.Caddyfile import ./*.Caddyfile

View File

@ -0,0 +1,287 @@
# ---Apps Caddyfile---
# Akkoma
social.projectsegfau.lt {
import def
encode gzip
# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
# and `localhost.` resolves to [::0] on some systems: see issue #930
reverse_proxy 192.168.5.2:4011
handle /media/* {
redir https://media.social.projectsegfau.lt{uri} permanent
}
handle /proxy/* {
redir https://media.social.projectsegfau.lt{uri} permanent
}
}
# Security mitigation
# See https://webb.spiderden.org/2023/05/26/pleroma-mitigation/
# And https://poa.st/notice/AWDToOiKAl4BPhdEB6
# And https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO
media.social.projectsegfau.lt {
handle /media/* {
reverse_proxy 192.168.5.2:4011 {
transport http {
response_header_timeout 10s
read_timeout 15s
}
}
}
handle /proxy/* {
reverse_proxy 192.168.5.2:4011 {
transport http {
response_header_timeout 10s
read_timeout 15s
}
}
}
}
# Cinny
cinny.projectsegfau.lt cy.psf.lt {
reverse_proxy 192.168.5.2:3069
import def
}
# Website
projectsegfau.lt {
reverse_proxy 192.168.5.2:1337
import def
reverse_proxy /_matrix/* 192.168.5.2:8449 {
header_up Host "matrix.projectsegfau.lt"
}
reverse_proxy /_matrix/client/* 192.168.5.2:81 {
header_up Host "matrix.projectsegfau.lt"
}
reverse_proxy /_synapse/* 192.168.5.2:81 {
header_up Host "matrix.projectsegfau.lt"
}
reverse_proxy /.well-known/acme-challenge/* 192.168.5.5:5380
reverse_proxy /converse 192.168.5.5:5280
reverse_proxy /converseemojis.js 192.168.5.5:5280
reverse_proxy /converse/* 192.168.5.5:5280
reverse_proxy /bosh 192.168.5.5:5280
reverse_proxy /ws 192.168.5.5:5280
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
handle_path /.well-known/* {
root * /var/www/well-known
file_server
}
header /.well-known/host-meta Content-Type application/xrd+xml
header /.well-known/host-meta.json Content-Type application/json
header /.well-known/host-meta.json Access-Control-Allow-Origin *
header /.well-known/host-meta Access-Control-Allow-Origin *
import torloc www
}
psf.lt {
reverse_proxy 192.168.5.2:1337
import def
import torloc www
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
handle_path /.well-known/* {
root * /var/www/psf-well-known
file_server
}
}
ssync.projectsegfau.lt {
reverse_proxy 192.168.5.2:3333
}
www.projectsegfau.lt www.psf.lt {
redir https://projectsegfau.lt{uri}
import torloc www
}
matrix.projectsegfau.lt {
reverse_proxy /_matrix/* 192.168.5.2:8449 {
header_up Host "matrix.projectsegfau.lt"
}
reverse_proxy /_matrix/client/* 192.168.5.2:81 {
header_up Host "matrix.projectsegfau.lt"
}
reverse_proxy /_synapse/* 192.168.5.2:81 {
header_up Host "matrix.projectsegfau.lt"
}
#reverse_proxy /_synapse/client/* 192.168.5.2:81 {
# header_up Host "matrix.projectsegfau.lt"
#}
handle_path / {
redir https://wiki.projectsegfau.lt/Matrix
}
}
# Directus
cms.projectsegfau.lt {
reverse_proxy 192.168.5.2:9456
import def
}
# Element
chat.projectsegfau.lt el.psf.lt {
reverse_proxy 192.168.5.2:3070
import def
}
# Gitea
git.projectsegfau.lt {
reverse_proxy 192.168.5.5:3444
respond /metrics 403
import def
request_body {
max_size 500MB
}
header {
Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
}
import torloc git
}
git.psf.lt {
reverse_proxy 192.168.5.5:3444 {
header_up Host "git.projectsegfau.lt"
}
respond /metrics 403
import def
request_body {
max_size 500MB
}
header {
Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
}
import torloc git
}
# HedgeDoc
doc.projectsegfau.lt {
reverse_proxy 192.168.5.2:2069 {
header_up X-Real-IP {remote_host}
}
import def
}
# Hydrogen
h2.projectsegfau.lt, hydrogen.projectsegfau.lt, h2.psf.lt {
reverse_proxy 192.168.5.2:3071
import def
}
# Jitsi
jitsi.projectsegfau.lt {
reverse_proxy 192.168.5.5:8000 {
header_up X-Real-IP {remote_host}
}
}
# Excalidraw backend for jitsi
excalidraw.projectsegfau.lt {
reverse_proxy 192.168.5.5:8694
}
# Maubot
mau.projectsegfau.lt {
reverse_proxy 192.168.5.2:29316
import def
}
# MediaWiki
wiki.projectsegfau.lt w.psf.lt {
reverse_proxy 192.168.5.3:8000 {
header_up X-Real-IP {remote_host}
}
import def
encode gzip
import torloc wiki
}
# Vikunja
todo.projectsegfau.lt vi.psf.lt {
reverse_proxy 192.168.5.2:3456
import def
import torloc todo
}
# Vaultwarden
pass.projectsegfau.lt vw.psf.lt {
reverse_proxy 192.168.5.2:6980 {
header_up X-Real-IP {remote_host}
}
import def
reverse_proxy /notifications/hub 192.168.5.2:3012 {
header_up X-Real-IP {remote_host}
}
import torloc pass
}
# XMPP
xmpp.projectsegfau.lt, conference.projectsegfau.lt, proxy.projectsegfau.lt, pubsub.projectsegfau.lt, upload.projectsegfau.lt {
reverse_proxy 192.168.5.5:5280 {
header_up X-Real-IP {remote_host}
}
reverse_proxy /.well-known/acme-challenge/* 192.168.5.5:5380
@register {
path /new/
path /change_password/
path /delete/
path /new
path /change_password
path /delete
}
redir @register /register{uri}
import def
header /.well-known/host-meta Content-Type application/xrd+xml
header /.well-known/host-meta.json Content-Type application/json
header /.well-known/host-meta.json Access-Control-Allow-Origin *
header /.well-known/host-meta Access-Control-Allow-Origin *
handle_path /.well-known/* {
root * /var/www/well-known
file_server
}
handle_path / {
redir https://wiki.projectsegfau.lt/XMPP
}
}
xmpp-web.projectsegfau.lt, x.psf.lt {
import def
reverse_proxy 192.168.5.2:3072
}
healthchecks.projectsegfau.lt, hc.psf.lt {
import def
reverse_proxy 192.168.5.2:8450
}
# Pubthentik
auth.p.projectsegfau.lt {
reverse_proxy 192.168.5.2:7444 {
transport http {
tls_insecure_skip_verify
}
header_up X-Real-IP {remote_host}
}
import def
}
# kbin
kbin.projectsegfau.lt, kb.psf.lt {
reverse_proxy kbin.projectsegfau.lt:443 {
transport http {
tls_insecure_skip_verify
}
header_up X-Real-IP {remote_host}
}
#reverse_proxy 192.168.5.2:8643
import def
}
gothub.dev.projectsegfau.lt gh.dev.psf.lt {
reverse_proxy localhost:1025
import def
}
ak.psf.lt {
redir https://social.projectsegfau.lt{uri}
}
j.psf.lt {
redir https://jitsi.projectsegfau.lt{uri}
}
d.psf.lt {
redir https://doc.projectsegfau.lt{uri}
}

View File

@ -0,0 +1,101 @@
# ---Internal Caddyfile---
# Authentik
sekuritee.projectsegfau.lt {
reverse_proxy https://192.168.5.2:7443 {
transport http {
tls_insecure_skip_verify
}
header_up X-Real-IP {remote_host}
}
import def
}
# Grafana
grafana.projectsegfau.lt {
reverse_proxy 192.168.5.2:3169
handle_path /api/live {
reverse_proxy 192.168.5.2:3169
}
import def
}
# MailU
mail.projectsegfau.lt {
log {
output file /var/log/caddy/mail.projectsegfau.lt.log {
roll_disabled
roll_size 512M
roll_uncompressed
roll_local_time
roll_keep 3
roll_keep_for 48h
}
}
import def
reverse_proxy 192.168.5.5:8082
}
# Plausible
analytics.projectsegfau.lt {
reverse_proxy 192.168.5.2:8001
import def
}
# Website dev
web.dev.projectsegfau.lt {
reverse_proxy 192.168.5.2:1339
import def
}
blog.projectsegfau.lt {
reverse_proxy 192.168.5.2:2368 {
header_up X-Forwarded-Proto https
header_up X-Real-IP {remote_host}
}
import def
}
prometheus.projectsegfau.lt {
reverse_proxy 192.168.5.2:9090
basicauth /* {
admin $2a$14$1asDwG2gbyJ3.SungtdOyeqBlW1IiKQ//qI3ienQCTldaosx1qzSC
}
import def
}
# Midou PersoVM
matrix.midou.dev {
reverse_proxy /_matrix/* 192.168.5.6:8008
}
file.midou.dev {
reverse_proxy 192.168.5.6:8080
}
c.midou.dev {
reverse_proxy 192.168.5.6:8978
}
# Headscale (tailscale control server)
hs.projectsegfau.lt {
reverse_proxy /web* https://192.168.5.5:9443 {
transport http {
tls_insecure_skip_verify
}
}
reverse_proxy * 192.168.5.5:8089
}
# Caddy daily build (for ansible)
cb.projectsegfau.lt {
root * /var/www/caddy-build
file_server browse
encode gzip
}
# GotHub
docs.gothub.app {
redir https://gothub.app/docs{uri}
}
# OLD URLs
http://mutahar.rocks, http://*.mutahar.rocks {
redir https://projectsegfau.lt
}

View File

@ -5,6 +5,41 @@ stats.eu.projectsegfau.lt {
reverse_proxy localhost:9100 reverse_proxy localhost:9100
import def import def
} }
inv.bp.projectsegfau.lt, i.bp.psf.lt {
reverse_proxy localhost:7573
header {
# disable FLoC tracking
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
-Content-Security-Policy
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
import torloc invbp
import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p
}
proxy.lbry.projectsegfau.lt {
reverse_proxy localhost:3001
import def
}
aryak.me { aryak.me {
reverse_proxy https://prox-arya.p.projectsegfau.lt { reverse_proxy https://prox-arya.p.projectsegfau.lt {
header_up Host prox-arya.p.projectsegfau.lt header_up Host prox-arya.p.projectsegfau.lt
@ -14,6 +49,12 @@ arya.projectsegfau.lt {
redir https://aryak.me{uri} redir https://aryak.me{uri}
} }
## OLD URL REDIRECTS ## OLD URL REDIRECTS
bb.us.projectsegfau.lt bb.in.projectsegfau.lt bb.eu.projectsegfau.lt bb.projectsegfau.lt {
import def
import torloc beatbump
import i2ploc pjsflmvtqax7ii44qy4ladap65c3kqspbs7h7krqy7x43uovklla.b32.i2p
redir https://hyperpipe.projectsegfau.lt{uri}
}
invidious.mutahar.rocks { invidious.mutahar.rocks {
redir https://inv.bp.projectsegfau.lt{uri} permanent redir https://inv.bp.projectsegfau.lt{uri} permanent
} }