use dns01 auth for everything

Arya 2023-11-23 15:55:00 +05:30
parent b261aa00a5
commit cf9f55f906
Signed by: arya
GPG Key ID: 842D12BDA50DF120
5 changed files with 30 additions and 153 deletions


@ -53,9 +53,7 @@
defer defer
} }
{% if inventory_hostname == 'in' %}
import acmedns import acmedns
{% endif %}
} }
import ./*.Caddyfile import ./*.Caddyfile
@ -85,8 +83,6 @@ nitter.{{ server_prefix }}.projectsegfau.lt nitter.projectsegfau.lt n.psf.lt n.{
format json format json
} }
header { header {
X-Permitted-Cross-Domain-Policies none
Permissions-Policy "Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(self), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(self), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()"
header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; script-src-attr 'none'; img-src 'self'; style-src 'self' 'unsafe-inline'; style-src-elem 'self'; font-src 'self'; object-src 'none'; media-src 'self' blob:; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'" header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; script-src-attr 'none'; img-src 'self'; style-src 'self' 'unsafe-inline'; style-src-elem 'self'; font-src 'self'; object-src 'none'; media-src 'self' blob:; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'"
} }
reverse_proxy :8065 reverse_proxy :8065
@ -105,7 +101,9 @@ teddit.{{ server_prefix }}.projectsegfau.lt teddit.projectsegfau.lt t.psf.lt t.{
import torloc teddit import torloc teddit
} }
inv.{{ server_prefix }}.projectsegfau.lt i.{{ server_prefix }}.psf.lt { inv.{{ server_prefix }}.projectsegfau.lt i.{{ server_prefix }}.psf.lt {
reverse_proxy :7573 reverse_proxy :7573 {
header_up Host "inv.{{server_prefix}}.projectsegfau.lt"
}
@pipedproxy { @pipedproxy {
path /videoplayback path /videoplayback
path /videoplayback/* path /videoplayback/*
@ -123,30 +121,9 @@ inv.{{ server_prefix }}.projectsegfau.lt i.{{ server_prefix }}.psf.lt {
uri @jpgRedirect replace /maxres.jpg /maxres2.jpg uri @jpgRedirect replace /maxres.jpg /maxres2.jpg
rewrite /vi/* ?host=i.ytimg.com rewrite /vi/* ?host=i.ytimg.com
} }
header { header -X-Frame-Options
# disable FLoC tracking import def
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
-Content-Security-Policy
X-XSS-Protection "1; mode=block"
defer
}
@badbots {
header "User-Agent" "Go-http-client/2.0"
}
respond @badbots "Access to this route denied" 403
import torloc inv import torloc inv
{% if server_prefix == 'in' %}
import acmedns
{% endif %}
} }
gothub.{{ server_prefix }}.projectsegfau.lt gothub.projectsegfau.lt gh.psf.lt gh.{{ server_prefix }}.psf.lt { gothub.{{ server_prefix }}.projectsegfau.lt gothub.projectsegfau.lt gh.psf.lt gh.{{ server_prefix }}.psf.lt {
reverse_proxy :1024 reverse_proxy :1024
@ -238,6 +215,7 @@ search.{{ server_prefix }}.projectsegfau.lt search.projectsegfau.lt s.psf.lt s.{
# Remove Server header # Remove Server header
-Server -Server
} }
import acmedns
header @api { header @api {
Access-Control-Allow-Methods "GET, OPTIONS" Access-Control-Allow-Methods "GET, OPTIONS"
Access-Control-Allow-Origin "*" Access-Control-Allow-Origin "*"
@ -263,50 +241,13 @@ search.{{ server_prefix }}.projectsegfau.lt search.projectsegfau.lt s.psf.lt s.{
} }
piped.{{ server_prefix }}.projectsegfau.lt pipedproxy.{{ server_prefix }}.projectsegfau.lt pipedapi.{{ server_prefix }}.projectsegfau.lt { piped.{{ server_prefix }}.projectsegfau.lt pipedproxy.{{ server_prefix }}.projectsegfau.lt pipedapi.{{ server_prefix }}.projectsegfau.lt {
reverse_proxy :6970 reverse_proxy :6970
header { header -X-Frame-Options
# disable FLoC tracking import def
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
@badbots {
header "User-Agent" "Go-http-client/2.0"
}
respond @badbots "Access to this route denied" 403
{% if server_prefix == 'in' %}
import acmedns
{% endif %}
} }
pi.{{ server_prefix }}.psf.lt { pi.{{ server_prefix }}.psf.lt {
reverse_proxy :6970 { reverse_proxy :6970 {
header_up Host "{% if server_prefix == 'eu' %}piped.projectsegfau.lt{%else%}piped.{{ server_prefix }}.projectsegfau.lt{%endif%}" header_up Host "{% if server_prefix == 'eu' %}piped.projectsegfau.lt{%else%}piped.{{ server_prefix }}.projectsegfau.lt{%endif%}"
} }
header { header -X-Frame-Options
# disable FLoC tracking import def
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
@badbots {
header "User-Agent" "Go-http-client/2.0"
}
respond @badbots "Access to this route denied" 403
} }
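Review bot: Whether HSTS, `nosniff` and the referrer policy are still sent for the inv, piped and pi sites now depends on the `def` snippet, which this page does not show, because their inline `header { }` blocks were replaced by `header -X-Frame-Options` plus `import def`. Stripping X-Frame-Options lets any origin frame these sites unless `def` supplies a CSP `frame-ancestors` value, so if embedding is the goal a comment such as `# framing allowed on purpose so the player can be embedded` beside each `header -X-Frame-Options` would record that. The inv block also no longer deletes the upstream `Content-Security-Policy`, which may be intended but is not covered by the commit title. Separately, in the nitter block the unchanged line `header Content-Security-Policy "…"` sits inside `header { }`, where Caddy takes the leading `header` as the field name, so that policy is probably never emitted; dropping the leading word would set it.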


@ -3,7 +3,9 @@ sl.projectsegfau.lt sl.psf.lt {
import def import def
} }
inv.bp.projectsegfau.lt, i.bp.psf.lt, invidious.projectsegfau.lt, inv.projectsegfau.lt, i.psf.lt { inv.bp.projectsegfau.lt, i.bp.psf.lt, invidious.projectsegfau.lt, inv.projectsegfau.lt, i.psf.lt {
reverse_proxy localhost:7573 reverse_proxy localhost:7573 {
header_up Hpst "invidious.projectsegfau.lt"
}
@pipedproxy { @pipedproxy {
path /videoplayback path /videoplayback
path /videoplayback/* path /videoplayback/*
@ -12,7 +14,7 @@ inv.bp.projectsegfau.lt, i.bp.psf.lt, invidious.projectsegfau.lt, inv.projectseg
} }
handle @pipedproxy { handle @pipedproxy {
reverse_proxy :6970 { reverse_proxy :6970 {
header_up Host "pipedproxy.{{server_prefix}}.projectsegfau.lt" header_up Host "proxy.piped.projectsegfau.lt"
} }
@jpgRedirect path_regexp maxres2 /vi/(.+)/maxres.jpg @jpgRedirect path_regexp maxres2 /vi/(.+)/maxres.jpg
@thumbnailRedirect path /ggpht/* @thumbnailRedirect path /ggpht/*
@ -21,71 +23,22 @@ inv.bp.projectsegfau.lt, i.bp.psf.lt, invidious.projectsegfau.lt, inv.projectseg
uri @jpgRedirect replace /maxres.jpg /maxres2.jpg uri @jpgRedirect replace /maxres.jpg /maxres2.jpg
rewrite /vi/* ?host=i.ytimg.com rewrite /vi/* ?host=i.ytimg.com
} }
header { import def
# disable FLoC tracking header -X-Frame-Options
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
-Content-Security-Policy
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
import torloc invbp import torloc invbp
import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p
} }
piped.projectsegfau.lt proxy.piped.projectsegfau.lt api.piped.projectsegfau.lt { piped.projectsegfau.lt proxy.piped.projectsegfau.lt api.piped.projectsegfau.lt {
reverse_proxy :6970 reverse_proxy :6970
header { header -X-Frame-Options
# disable FLoC tracking import def
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
@badbots {
header "User-Agent" "Go-http-client/2.0"
}
respond @badbots "Access to this route denied" 403
import acmedns
} }
pi.psf.lt { pi.psf.lt {
reverse_proxy :6970 { reverse_proxy :6970 {
header_up Host "piped.projectsegfau.lt" header_up Host "piped.projectsegfau.lt"
} }
header { header -X-Frame-Options
# disable FLoC tracking import def
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
@badbots {
header "User-Agent" "Go-http-client/2.0"
}
respond @badbots "Access to this route denied" 403
} }
proxy.lbry.projectsegfau.lt { proxy.lbry.projectsegfau.lt {
reverse_proxy localhost:3001 reverse_proxy localhost:3001
@ -98,6 +51,7 @@ aryak.me {
} }
arya.projectsegfau.lt { arya.projectsegfau.lt {
redir https://aryak.me{uri} redir https://aryak.me{uri}
import acmedns
} }
## OLD URL REDIRECTS ## OLD URL REDIRECTS
bb.us.projectsegfau.lt bb.in.projectsegfau.lt bb.eu.projectsegfau.lt bb.projectsegfau.lt { bb.us.projectsegfau.lt bb.in.projectsegfau.lt bb.eu.projectsegfau.lt bb.projectsegfau.lt {
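Review bot: `header_up Hpst "invidious.projectsegfau.lt"` in the first hunk misspells the header name, so the upstream receives an extra `Hpst` header and the Host it sees is still whichever of the five site names the client used. It should read `header_up Host "invidious.projectsegfau.lt"`, matching the other `header_up Host` lines in this commit. In the same file the invidious block places `import def` before `header -X-Frame-Options` while the piped and pi.psf.lt blocks use the opposite order; using one order throughout would make it clearer which directive is meant to take effect if `def` also sets that header.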


@ -16,6 +16,7 @@
# Redirect base subdomain to the pubnix homepage # Redirect base subdomain to the pubnix homepage
p.projectsegfau.lt p.psf.lt { p.projectsegfau.lt p.psf.lt {
redir https://projectsegfau.lt/pubnix redir https://projectsegfau.lt/pubnix
import acmedns
} }
# Cockpit # Cockpit


@ -30,7 +30,6 @@ psf.lt {
reverse_proxy :1337 reverse_proxy :1337
import def import def
import torloc www import torloc www
import acmedns
header /.well-known/matrix/* Content-Type application/json header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin * header /.well-known/matrix/* Access-Control-Allow-Origin *
handle_path /.well-known/* { handle_path /.well-known/* {
@ -42,6 +41,7 @@ import acmedns
www.projectsegfau.lt www.psf.lt { www.projectsegfau.lt www.psf.lt {
redir https://projectsegfau.lt{uri} redir https://projectsegfau.lt{uri}
import torloc www import torloc www
import acmedns
} }
matrix.projectsegfau.lt { matrix.projectsegfau.lt {
@ -104,10 +104,12 @@ jitsi.projectsegfau.lt {
reverse_proxy :8000 { reverse_proxy :8000 {
header_up X-Real-IP {remote_host} header_up X-Real-IP {remote_host}
} }
import acmedns
} }
# Excalidraw backend for jitsi # Excalidraw backend for jitsi
excalidraw.projectsegfau.lt { excalidraw.projectsegfau.lt {
reverse_proxy :8695 reverse_proxy :8695
import acmedns
} }
# MediaWiki # MediaWiki
@ -194,32 +196,6 @@ kbin.projectsegfau.lt, kb.psf.lt {
import def import def
} }
inv.projectsegfau.lt invidious.projectsegfau.lt i.psf.lt {
reverse_proxy 192.168.1.64:7574
header {
# disable FLoC tracking
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
-Content-Security-Policy
X-XSS-Protection "1; mode=block"
defer
}
@badbots {
header "User-Agent" "Go-http-client/2.0"
}
respond @badbots "Access to this route denied" 403
import torloc inv
import acmedns
}
gothub.dev.projectsegfau.lt gh.dev.psf.lt { gothub.dev.projectsegfau.lt gh.dev.psf.lt {
reverse_proxy :1025 reverse_proxy :1025
import def import def
@ -227,10 +203,13 @@ gothub.dev.projectsegfau.lt gh.dev.psf.lt {
} }
ak.psf.lt { ak.psf.lt {
redir https://social.projectsegfau.lt{uri} redir https://social.projectsegfau.lt{uri}
import acmedns
} }
j.psf.lt { j.psf.lt {
redir https://jitsi.projectsegfau.lt{uri} redir https://jitsi.projectsegfau.lt{uri}
import acmedns
} }
d.psf.lt { d.psf.lt {
redir https://doc.projectsegfau.lt{uri} redir https://doc.projectsegfau.lt{uri}
import acmedns
} }
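Review bot: The first hunk drops `import acmedns` from the block that the hunk header labels `psf.lt {`, while every other change in this commit adds that import, which reads as the opposite of the commit title. If the apex site is meant to keep the default challenge types, a comment at that spot such as `# no acmedns here: <reason>` would make the exception deliberate; otherwise the line probably needs to stay, unless it was moved to a part of the block not shown. The site block's opening line is outside the hunk, so which hostnames are affected cannot be confirmed from here.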


@ -8,10 +8,12 @@ files.perso.in.projectsegfau.lt files.perso.in.projectsegfau.lt:6942 {
browse browse
} }
root * /zfspool/files root * /zfspool/files
import acmedns
} }
tnfiles.perso.in.projectsegfau.lt { tnfiles.perso.in.projectsegfau.lt {
file_server { file_server {
browse browse
} }
root * /zfspool/files/tn-sw root * /zfspool/files/tn-sw
import acmedns
} }