Merge branch 'master' of git.projectsegfau.lt:ProjectSegfault/ansible

This commit is contained in:
Midou36O 2023-07-21 13:20:03 +01:00
commit effb658a7e
Signed by: midou
GPG Key ID: 1D134A95FE521A7A
17 changed files with 725 additions and 348 deletions

38
cron/hourly-restarts.yaml Normal file
View File

@ -0,0 +1,38 @@
---
- name: Hourly Restarts (ALL NODES)
hosts: docker,privfrontends
vars:
services:
- invidious-invidious-1
tasks:
- name: Do thing
ansible.builtin.command: docker restart {{ item }}
register: out
changed_when: out.rc != 0
with_items: "{{ services }}"
- name: Hourly Restarts (SOLEIL+REST)
hosts: docker,us,in
vars:
services:
- breezewiki
- anonymousoverflow-anonymousoverflow-1
- simplytranslate-simplytranslate-1
- scribe
tasks:
- name: Do thing
ansible.builtin.command: docker restart {{ item }}
register: out
changed_when: out.rc != 0
with_items: "{{ services }}"
- name: Hourly Restarts (PIZZA+REST)
hosts: privfrontends
vars:
services:
- libreddit-libreddit-1
- teddit
tasks:
- name: Do thing
ansible.builtin.command: docker restart {{ item }}
register: out
changed_when: out.rc != 0
with_items: "{{ services }}"

View File

@ -0,0 +1,18 @@
$ANSIBLE_VAULT;1.1;AES256
36323339616139653231363637313635346361663831656537353462313563633963383465353564
6539633632313264643239633632333065653837396336610a313836363832646337643739383039
65316662363861653738663361353739306538376632333431353932626361316665323161333665
3065396561616463630a366530613530316161323836323334366635343839306636363837643466
61373733383764333364393938323764613065383662353034666139373133386166353062326534
30636236323037396535313133666364636163353165346638353661623731373338323232313065
62313865396433336364393536366537643338303335343830623034656236616465303164613962
65303639333461656331353636343735373965656665666634393933336333373735636165343164
36663765306239663866656661363935666661366536306331313962376330313965306336616337
32626566393166383934386264356631653430626533356263623861643765373633333938393934
35333238303335656562616336653066383163646665666465623139333333396538663834316463
32663532376165336366346336306262623637386161623937633431306235656431633366343163
33313465643730393033386532636136623033333735643638383564393330623663396361633932
66343063636132333639383931396433383635356564386639643739623632346237313363383261
37643162326165313435626165623634653730333664326665386362646364316461326630623266
30353038623137373161623661316535626462663636323165393033653266643332383862323865
3431

View File

@ -1,25 +1,17 @@
$ANSIBLE_VAULT;1.1;AES256
61326662336163633231303866656435396466623935656634393531343964323833363063663332
6261333465366566303835636162393932656561353738640a353730306361643161383637663365
30386464646566636661666631336265663831383362646463616631636264353663353739343831
3364653865616233340a383663343462653936613561323062353634313431366237396163306562
31323262616336646561613063653564666666333034323232646663366363393037313937346135
63396334383033623966343037653532353239656433616632316266346130306532373138636564
34376138346439306164323966313731363230626239643766393537663864333966343865383537
62636235643136626338616165653830666230316337383339623433323933636661303134303730
31383564636365353030313436336666666534336363313037326465653439393162303133623565
34323165643761316261636631656462373362346533623565626635663430633665393832363635
38343037333462343166333931616634623037393637343634623931366337323230653537343836
64386565383662346337326131393664343431323334346236393765616130393963306133303639
39373162663862626637336365386430366434316465363339303335346162333635383534653235
32633633626136383236396330306232363464643938393061333036376664363335663161356163
35336535366466626230643934346539633736343136646461363838333864326533666132316532
66323235656236666534333133336265643938643930666165653036393763643563653939663538
64626531386166656434383632616633323161636335623165336338333466303666623563666436
65373639653739366239313262653734396462303330636535373736373839633765646632623533
65366265313431373239363332343766373835623964343235363830653639336661643032363532
61633435626362653436653666343337396632336437346536646462373035383766396339306663
31636363626639316565326436623562323732363965656438356134323864323164663137663031
63613834393233353534613934353266353765353638633533323937363061663834333533393832
34366433353964303437616461346163363831306630356339363838313837343430333830316361
63366637336563626662
31383035323330343562373837366530633935626131633737646633663838633463623465623465
3535336536613038643534383537663866346364646365380a303939323038363036306535393033
33363439636337386437306536316663646235643430633236353935363838663264366362613463
6334663732663730610a306261626334636538363363643062643438373031366532616635613730
32626636373834613665626437653930336636323266393932616631363334316434313333353239
34663864666631303336346539303864303234353231343561653535303132366234323731623230
31656362303362653332303064396633383265323033386264613861663762386139393161666664
36393137323838653439626261373465333330383436616663303165353438343363393364393130
63376635633238336337643866303633666434383437646331333235376136313062663633396662
35323363306434363961646437646433326133346361363461316462326633366139623839366631
63353334366566303163633237366463356530323761373264333261386166346465303936316630
63353963383032346432373332363835346462313661396664336233356434373730363337663631
32383632666435326138646235316538663766383236313737633536663434616361663138333164
33623939643261353437336265633966353466313734653639396532363764653662343463643032
33376166656366396136363438383832323933366236343437333137313334336566323932336333
31343537356663326433

View File

@ -8,6 +8,8 @@ all:
ansible_port: 22
port: 22
ansible_become: true # Run everything as root
wiki_page: Soleil_Levant
server_prefix: eu
docker:
ansible_host: docker.vpn.projectsegfau.lt
ansible_user: ansiblerunner
@ -17,6 +19,7 @@ all:
country: France
isp: Orange S.A.
wiki_page: Soleil_Levant
server_prefix: eu
ansible_become: true # Run everything as root
lxc:
ansible_host: lxc.vpn.projectsegfau.lt
@ -44,6 +47,7 @@ all:
ansible_port: 222
port: 222
docker_dir: /opt/docker-privfrontends
server_prefix: eu
ansible_become: true # Run everything as root
caddy_extras_config: templates/1-extras.Caddyfile
country: Luxembourg
@ -61,6 +65,7 @@ all:
country: United States
isp: Digital Ocean
wiki_page: US_Node
server_prefix: us
watchtower_mtrx_username: watchtower-us
in:
ansible_host: in.vpn.projectsegfau.lt
@ -69,6 +74,7 @@ all:
port: 22
ansible_become: true # Run everything as root
docker_dir: /opt/docker-privfrontends
server_prefix: in
caddy_extras_config: templates/3-extras.Caddyfile
country: India
isp: Bharti Airtel

View File

@ -5,14 +5,14 @@ services:
image: codeberg.org/hyperpipe/hyperpipe:latest
container_name: hyperpipe-frontend
restart: unless-stopped
entrypoint: sh -c 'find /usr/share/nginx/html -type f -exec sed -i s/pipedapi.kavin.rocks/{% if inventory_hostname == 'eu' %}api.piped.projectsegfau.lt{%else%}pipedapi.{{inventory_hostname}}.projectsegfau.lt{%endif%}/g {} \; -exec sed -i s/hyperpipeapi.onrender.com/hyperpipebackend.{{ inventory_hostname }}.projectsegfau.lt/g {} \; && /docker-entrypoint.sh && nginx -g "daemon off;"'
entrypoint: sh -c 'find /usr/share/nginx/html -type f -exec sed -i s/pipedapi.kavin.rocks/{% if server_prefix == 'eu' %}api.piped.projectsegfau.lt{%else%}pipedapi.{{server_prefix}}.projectsegfau.lt{%endif%}/g {} \; -exec sed -i s/hyperpipeapi.onrender.com/hyperpipebackend.{{ server_prefix }}.projectsegfau.lt/g {} \; && /docker-entrypoint.sh && nginx -g "daemon off;"'
ports:
- '8843:80'
hyperpipe-backend:
image: codeberg.org/hyperpipe/hyperpipe-backend:latest
container_name: hyperpipe-backend
environment:
- HYP_PROXY={% if inventory_hostname == 'eu' %}proxy.piped.projectsegfau.lt{%else%}pipedproxy.{{inventory_hostname}}.projectsegfau.lt{%endif%}
- HYP_PROXY={% if server_prefix == 'eu' %}proxy.piped.projectsegfau.lt{%else%}pipedproxy.{{server_prefix}}.projectsegfau.lt{%endif%}
restart: unless-stopped
ports:

View File

@ -5,7 +5,7 @@ services:
ports:
- "5070:80"
environment:
- SAFETWITCH_BACKEND_DOMAIN=api.safetwitch.{{inventory_hostname}}.projectsegfau.lt
- SAFETWITCH_BACKEND_DOMAIN=api.safetwitch.{{server_prefix}}.projectsegfau.lt
- SAFETWITCH_INSTANCE_DOMAIN=safetwitch.projectsegfau.lt
- SAFETWITCH_HTTPS=true
restart: always
@ -15,5 +15,5 @@ services:
- "5071:7000"
environment:
- PORT=7000
- URL=https://api.safetwitch.{{inventory_hostname}}.projectsegfau.lt
- URL=https://api.safetwitch.{{server_prefix}}.projectsegfau.lt
restart: always

View File

@ -24,12 +24,12 @@ services:
networks:
- searxng
ports:
- "127.0.0.1:8081:8080"
- "8081:8080"
volumes:
- ./searxng:/etc/searxng:rw
- ./extras.conf:/etc/searxng/settings.yml:rw
environment:
- SEARXNG_BASE_URL=https://search.{{inventory_hostname}}.projectsegfau.lt/
- SEARXNG_BASE_URL=https://{% if server_prefix == 'eu' %}search.projectsegfau.lt{%else%}search.{{inventory_hostname}}.projectsegfau.lt{%endif%}/
cap_drop:
- ALL
cap_add:

View File

@ -3,7 +3,7 @@ services:
simplytranslate:
image: quay.io/pussthecatorg/simplytranslate:latest
ports:
- "127.0.0.1:5046:5000"
- "5046:5000"
volumes:
- "./extras.conf:/etc/simplytranslate/web.conf"
restart: always

View File

@ -4,7 +4,7 @@
path: "{{ docker_dir }}/{{ item }}"
state: directory
mode: "0755"
tags: docker
tags: docker,soleil,pizza
- name: Copy docker-compose templates for the service
ansible.builtin.template:
@ -13,14 +13,14 @@
backup: true
mode: preserve
register: check_status
tags: docker
tags: docker,soleil,pizza
- name: Check if extras file exists for the service
delegate_to: localhost
ansible.builtin.stat:
path: ./compose/{{ item }}/extras.conf.j2
register: file
tags: docker
tags: docker,soleil,pizza
- name: Copy extras file
ansible.builtin.template:
@ -29,7 +29,7 @@
backup: true
mode: preserve
when: file.stat.exists
tags: docker
tags: docker,soleil,pizza
- name: "Update docker service image"
ansible.builtin.command:
@ -38,7 +38,7 @@
when: check_status.changed
register: updateout
changed_when: updateout.rc != 0
tags: docker
tags: docker,soleil,pizza
- name: "Stop docker service"
ansible.builtin.command:
@ -47,7 +47,7 @@
when: check_status.changed
register: stopout
changed_when: stopout.rc != 0
tags: docker
tags: docker,soleil,pizza
- name: "Start docker service"
ansible.builtin.command:
@ -56,4 +56,4 @@
when: check_status.changed
register: startout
changed_when: startout.rc != 0
tags: docker
tags: docker,soleil,pizza

View File

@ -1,8 +1,7 @@
---
- name: Setup Caddy
hosts: privfrontends
hosts: privfrontends,core
tasks:
# This is run again so config still updates even if i dont run the role which isnt needed most of the time
- name: Copy Caddyfile
ansible.builtin.template:
src: ./templates/Caddyfile.j2
@ -26,18 +25,9 @@
hosts: privfrontends
vars:
docker_services:
- anonymousoverflow
- breezewiki
- gothub
- gothub-dev
- hyperpipe
- librarian
- libreddit
- nitter
- rimgo
- safetwitch
- scribe
- simplytranslate
- teddit
- watchtower
tasks:
@ -46,19 +36,28 @@
- name: Update docker compose files and restart those with changes
ansible.builtin.include_tasks: docker-tasks.yaml
with_items: "{{ docker_services }}"
tags: docker
- name: Setup docker compose for privacy frontends (non-pizza1)
hosts: in,us
tags: docker,pizza
- name: Setup docker compose for privacy frontends (soleil+normal)
hosts: in,us,docker
vars:
non_pizza_docker_services:
- anonymousoverflow
- breezewiki
- gothub
- gothub-dev
- searxng
- hyperpipe
- rimgo
- safetwitch
- scribe
- simplytranslate
tasks:
# community.docker does not support compose 2.0 right now.
# https://github.com/ansible-collections/community.docker/issues/216
- name: Update docker compose files and restart those with changes (Privacy Frontends but without Pizza1)
ansible.builtin.include_tasks: docker-tasks.yaml
with_items: "{{ non_pizza_docker_services }}"
tags: docker
tags: docker,soleil
- name: Setup cron jobs
hosts: privfrontends

View File

@ -33,7 +33,7 @@
(def) {
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
@ -60,245 +60,25 @@
import acmedns
{% endif %}
}
:80 {{inventory_hostname}}.projectsegfau.lt {% if inventory_hostname == 'eu' %} pizza1.projectsegfau.lt {% endif %} {
redir https://wiki.projectsegfau.lt/index.php?title={{wiki_page}}
:80 {{ inventory_hostname }}.projectsegfau.lt {% if inventory_hostname == 'eu' %} pizza1.projectsegfau.lt {% endif %} {% if inventory_hostname == 'core' %} soleil.projectsegfau.lt {% endif %} {
redir https://wiki.projectsegfau.lt/index.php?title={{ wiki_page }}
}
cdn.projectsegfau.lt cdn.{{inventory_hostname}}.projectsegfau.lt {
# PIZZA + US + IN
{% if inventory_hostname == 'eu' or inventory_hostname == 'us' or inventory_hostname == 'in' %}
cdn.projectsegfau.lt cdn.{{ server_prefix }}.projectsegfau.lt {
encode zstd gzip
root * /var/cdn
file_server {
browse
}
}
{% if inventory_hostname == 'eu' %}
inv.bp.projectsegfau.lt {
reverse_proxy localhost:7573
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
import torloc invbp
import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p
}
i.bp.psf.lt {
reverse_proxy localhost:7573
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
-Content-Security-Policy
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
import torloc invbp
import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p
}
proxy.lbry.projectsegfau.lt {
reverse_proxy localhost:3001
import def
}
gothub.dev.projectsegfau.lt gh.dev.psf.lt {
reverse_proxy localhost:1025
import def
}
{% else %}
inv.{{inventory_hostname}}.projectsegfau.lt {
reverse_proxy localhost:7573
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
{% if inventory_hostname == 'in' %}
import acmedns
{% endif %}
}
i.{{inventory_hostname}}.psf.lt {
reverse_proxy localhost:7573
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
-Content-Security-Policy
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
{% if inventory_hostname == 'in' %}
import acmedns
{% endif %}
}
piped.{{inventory_hostname}}.projectsegfau.lt pipedproxy.{{inventory_hostname}}.projectsegfau.lt pipedapi.{{inventory_hostname}}.projectsegfau.lt {
reverse_proxy :6970
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
{% if inventory_hostname == 'in' %}
import acmedns
{% endif %}
}
pi.{{inventory_hostname}}.psf.lt {
reverse_proxy :6970 {
header_up Host "piped.{{inventory_hostname}}.projectsegfau.lt"
}
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
}
{% endif %}
lbry.{{inventory_hostname}}.projectsegfau.lt lbry.projectsegfau.lt {
lbry.{{ server_prefix }}.projectsegfau.lt lbry.projectsegfau.lt {
reverse_proxy :3550
import def
import torloc lbry
import i2ploc pjsf7uucpqf2crcmfo3nvwdmjhirxxjfyuvibdfp5x3af2ghqnaa.b32.i2p
}
gothub.{{inventory_hostname}}.projectsegfau.lt gothub.projectsegfau.lt gh.psf.lt gh.{{inventory_hostname}}.psf.lt {
reverse_proxy :1024
import def
import torloc gothub
}
overflow.{{inventory_hostname}}.projectsegfau.lt overflow.projectsegfau.lt o.psf.lt o.{{inventory_hostname}}.psf.lt {
reverse_proxy :8694
import def
import torloc overflow
}
teddit.{{inventory_hostname}}.projectsegfau.lt teddit.projectsegfau.lt t.psf.lt t.{{inventory_hostname}}.psf.lt {
reverse_proxy :9061
import def
import torloc teddit
}
rimgo.{{inventory_hostname}}.projectsegfau.lt rimgo.projectsegfau.lt rg.psf.lt rg.{{inventory_hostname}}.psf.lt {
reverse_proxy :9016
import def
import torloc rimgo
}
libreddit.{{inventory_hostname}}.projectsegfau.lt libreddit.projectsegfau.lt lr.psf.lt lr.{{inventory_hostname}}.psf.lt {
reverse_proxy :6464
import def
import torloc libreddit
import i2ploc pjsfkref7g66mji45kyccqnn5hmjtjp3cfodozabpyplj2rmv5sa.b32.i2p
}
nitter.{{inventory_hostname}}.projectsegfau.lt nitter.projectsegfau.lt n.psf.lt n.{{inventory_hostname}}.psf.lt {
nitter.{{ server_prefix }}.projectsegfau.lt nitter.projectsegfau.lt n.psf.lt n.{{ server_prefix }}.psf.lt {
import def
header {
X-Permitted-Cross-Domain-Policies none
@ -313,48 +93,100 @@ nitter.{{inventory_hostname}}.projectsegfau.lt nitter.projectsegfau.lt n.psf.lt
import torloc nitter
import i2ploc pjsfs4ukb6prmfx3qx3a5ef2cpcupkvcrxdh72kqn2rxc2cw4nka.b32.i2p
}
bb.{{inventory_hostname}}.projectsegfau.lt bb.projectsegfau.lt {
libreddit.{{ server_prefix }}.projectsegfau.lt libreddit.projectsegfau.lt lr.psf.lt lr.{{ server_prefix }}.psf.lt {
reverse_proxy :6464
import def
import torloc beatbump
import i2ploc pjsflmvtqax7ii44qy4ladap65c3kqspbs7h7krqy7x43uovklla.b32.i2p
redir https://hyperpipe.projectsegfau.lt{uri}
import torloc libreddit
import i2ploc pjsfkref7g66mji45kyccqnn5hmjtjp3cfodozabpyplj2rmv5sa.b32.i2p
}
teddit.{{ server_prefix }}.projectsegfau.lt teddit.projectsegfau.lt t.psf.lt t.{{ server_prefix }}.psf.lt {
reverse_proxy :9061
import def
import torloc teddit
}
{% endif %}
# SOLEIL + US + IN
{% if inventory_hostname == 'core' or inventory_hostname == 'us' or inventory_hostname == 'in' %}
inv.{{ server_prefix }}.projectsegfau.lt inv.projectsegfau.lt invidious.projectsegfau.lt i.{{ server_prefix }}.psf.lt i.psf.lt {
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:7573
header {
# disable FLoC tracking
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
bw.{{inventory_hostname}}.projectsegfau.lt bw.projectsegfau.lt bw.psf.lt bw.{{inventory_hostname}}.psf.lt {
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
-Content-Security-Policy
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
{% if server_prefix == 'in' %}
import acmedns
{% endif %}
}
gothub.{{ server_prefix }}.projectsegfau.lt gothub.projectsegfau.lt gh.psf.lt gh.{{ server_prefix }}.psf.lt {
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:1024
import def
import torloc gothub
}
overflow.{{ server_prefix }}.projectsegfau.lt overflow.projectsegfau.lt o.psf.lt o.{{ server_prefix }}.psf.lt {
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:8694
import def
import torloc overflow
}
rimgo.{{ server_prefix }}.projectsegfau.lt rimgo.projectsegfau.lt rg.psf.lt rg.{{ server_prefix }}.psf.lt {
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:9016
import def
import torloc rimgo
}
bw.{{ server_prefix }}.projectsegfau.lt bw.projectsegfau.lt bw.psf.lt bw.{{ server_prefix }}.psf.lt {
import def
import torloc breezewiki
import i2ploc pjsfk4xvekoc7wx4pteevp3q2wy7jmzlem7rvl74nx33zkdr4vyq.b32.i2p
reverse_proxy :10416
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:10416
}
scribe.{{inventory_hostname}}.projectsegfau.lt scribe.projectsegfau.lt sc.psf.lt sc.{{inventory_hostname}}.psf.lt {
scribe.{{ server_prefix }}.projectsegfau.lt scribe.projectsegfau.lt sc.psf.lt sc.{{ server_prefix }}.psf.lt {
import def
import torloc scribe
import i2ploc pjsflkkkcn33ahmzmpyq6idy2knkzh4atp7zaetqfsnenpyori6a.b32.i2p
reverse_proxy :8006
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:8006
}
translate.{{inventory_hostname}}.projectsegfau.lt translate.projectsegfau.lt tl.psf.lt tl.{{inventory_hostname}}.psf.lt {
translate.{{ server_prefix }}.projectsegfau.lt translate.projectsegfau.lt tl.psf.lt tl.{{ server_prefix }}.psf.lt {
import def
reverse_proxy :5046
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:5046
}
safetwitch.{{inventory_hostname}}.projectsegfau.lt safetwitch.projectsegfau.lt tw.psf.lt tw.{{inventory_hostname}}.psf.lt {
safetwitch.{{ server_prefix }}.projectsegfau.lt safetwitch.projectsegfau.lt tw.psf.lt tw.{{ server_prefix }}.psf.lt {
import def
reverse_proxy :5070
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:5070
}
api.safetwitch.{{inventory_hostname}}.projectsegfau.lt {
reverse_proxy :5071
api.safetwitch.{{ server_prefix }}.projectsegfau.lt {
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:5071
}
hyperpipe.{{inventory_hostname}}.projectsegfau.lt hyperpipe.projectsegfau.lt hp.psf.lt hp.{{inventory_hostname}}.psf.lt {
hyperpipe.{{ server_prefix }}.projectsegfau.lt hyperpipe.projectsegfau.lt hp.psf.lt hp.{{ server_prefix }}.psf.lt {
import def
reverse_proxy :8843
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:8843
}
hyperpipebackend.{{inventory_hostname}}.projectsegfau.lt {
reverse_proxy :3536
hyperpipebackend.{{ server_prefix }}.projectsegfau.lt {
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:3536
}
{% if inventory_hostname == 'eu' %}
{% else %}
search.{{inventory_hostname}}.projectsegfau.lt s.psf.lt s.{{inventory_hostname}}.psf.lt {
search.{{ server_prefix }}.projectsegfau.lt search.projectsegfau.lt s.psf.lt s.{{ server_prefix }}.psf.lt {
import def
reverse_proxy :8081
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:8081
@api {
path /config
path /healthz
@ -414,5 +246,67 @@ search.{{inventory_hostname}}.projectsegfau.lt s.psf.lt s.{{inventory_hostname}}
Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
}
}
{% if server_prefix == 'eu' %}piped.projectsegfau.lt proxy.piped.projectsegfau.lt api.piped.projectsegfau.lt {%else%} piped.{{ server_prefix }}.projectsegfau.lt pipedproxy.{{ server_prefix }}.projectsegfau.lt pipedapi.{{ server_prefix }}.projectsegfau.lt {%endif%} {
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:6970
header {
# disable FLoC tracking
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
{% if server_prefix == 'in' %}
import acmedns
{% endif %}
}
pi.{{ server_prefix }}.psf.lt pi.psf.lt {
reverse_proxy {% if inventory_hostname == 'core' %}192.168.5.2{% endif %}:6970 {
header_up Host "{% if server_prefix == 'eu' %}piped.projectsegfau.lt{%else%}piped.{{ server_prefix }}.projectsegfau.lt{%endif%}"
}
header {
# disable FLoC tracking
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
}
{% endif %}
import ./*.Caddyfile

View File

@ -0,0 +1,289 @@
# ---Apps Caddyfile---
# Akkoma
social.projectsegfau.lt {
import def
encode gzip
# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
# and `localhost.` resolves to [::0] on some systems: see issue #930
reverse_proxy 192.168.5.2:4011
handle /media/* {
redir https://media.social.projectsegfau.lt{uri} permanent
}
handle /proxy/* {
redir https://media.social.projectsegfau.lt{uri} permanent
}
}
# Security mitigation
# See https://webb.spiderden.org/2023/05/26/pleroma-mitigation/
# And https://poa.st/notice/AWDToOiKAl4BPhdEB6
# And https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO
media.social.projectsegfau.lt {
handle /media/* {
reverse_proxy 192.168.5.2:4011 {
transport http {
response_header_timeout 10s
read_timeout 15s
}
}
}
handle /proxy/* {
reverse_proxy 192.168.5.2:4011 {
transport http {
response_header_timeout 10s
read_timeout 15s
}
}
}
}
# Cinny
cinny.projectsegfau.lt cy.psf.lt {
reverse_proxy 192.168.5.2:3069
import def
}
# Website
projectsegfau.lt {
reverse_proxy 192.168.5.2:1337
import def
reverse_proxy /_matrix/* 192.168.5.2:8449 {
header_up Host "matrix.projectsegfau.lt"
}
reverse_proxy /_matrix/client/* 192.168.5.2:81 {
header_up Host "matrix.projectsegfau.lt"
}
reverse_proxy /_synapse/* 192.168.5.2:81 {
header_up Host "matrix.projectsegfau.lt"
}
reverse_proxy /.well-known/acme-challenge/* 192.168.5.5:5380
reverse_proxy /converse 192.168.5.5:5280
reverse_proxy /converseemojis.js 192.168.5.5:5280
reverse_proxy /converse/* 192.168.5.5:5280
reverse_proxy /bosh 192.168.5.5:5280
reverse_proxy /ws 192.168.5.5:5280
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
handle_path /.well-known/* {
root * /var/www/well-known
file_server
}
header /.well-known/host-meta Content-Type application/xrd+xml
header /.well-known/host-meta.json Content-Type application/json
header /.well-known/host-meta.json Access-Control-Allow-Origin *
header /.well-known/host-meta Access-Control-Allow-Origin *
import torloc www
}
psf.lt {
reverse_proxy 192.168.5.2:1337
import def
import torloc www
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
handle_path /.well-known/* {
root * /var/www/psf-well-known
file_server
}
}
ssync.projectsegfau.lt {
reverse_proxy 192.168.5.2:3333
import def
}
www.projectsegfau.lt www.psf.lt {
redir https://projectsegfau.lt{uri}
import torloc www
}
matrix.projectsegfau.lt {
reverse_proxy /_matrix/* 192.168.5.2:8449 {
header_up Host "matrix.projectsegfau.lt"
}
reverse_proxy /_matrix/client/* 192.168.5.2:81 {
header_up Host "matrix.projectsegfau.lt"
}
reverse_proxy /_synapse/* 192.168.5.2:81 {
header_up Host "matrix.projectsegfau.lt"
}
import def
#reverse_proxy /_synapse/client/* 192.168.5.2:81 {
# header_up Host "matrix.projectsegfau.lt"
#}
handle_path / {
redir https://wiki.projectsegfau.lt/Matrix
}
}
# Directus
cms.projectsegfau.lt {
reverse_proxy 192.168.5.2:9456
import def
}
# Element
chat.projectsegfau.lt el.psf.lt {
reverse_proxy 192.168.5.2:3070
import def
}
# Gitea
git.projectsegfau.lt {
reverse_proxy 192.168.5.5:3444
respond /metrics 403
import def
request_body {
max_size 500MB
}
header {
Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
}
import torloc git
}
git.psf.lt {
reverse_proxy 192.168.5.5:3444 {
header_up Host "git.projectsegfau.lt"
}
respond /metrics 403
import def
request_body {
max_size 500MB
}
header {
Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
}
import torloc git
}
# HedgeDoc
doc.projectsegfau.lt {
reverse_proxy 192.168.5.2:2069 {
header_up X-Real-IP {remote_host}
}
import def
}
# Hydrogen
h2.projectsegfau.lt, hydrogen.projectsegfau.lt, h2.psf.lt {
reverse_proxy 192.168.5.2:3071
import def
}
# Jitsi
jitsi.projectsegfau.lt {
reverse_proxy 192.168.5.5:8000 {
header_up X-Real-IP {remote_host}
}
}
# Excalidraw backend for jitsi
excalidraw.projectsegfau.lt {
reverse_proxy 192.168.5.5:8694
}
# Maubot
mau.projectsegfau.lt {
reverse_proxy 192.168.5.2:29316
import def
}
# MediaWiki
wiki.projectsegfau.lt w.psf.lt {
reverse_proxy 192.168.5.3:8000 {
header_up X-Real-IP {remote_host}
}
import def
encode gzip
import torloc wiki
}
# Vikunja
todo.projectsegfau.lt vi.psf.lt {
reverse_proxy 192.168.5.2:3456
import def
import torloc todo
}
# Vaultwarden
pass.projectsegfau.lt vw.psf.lt {
reverse_proxy 192.168.5.2:6980 {
header_up X-Real-IP {remote_host}
}
import def
reverse_proxy /notifications/hub 192.168.5.2:3012 {
header_up X-Real-IP {remote_host}
}
import torloc pass
}
# XMPP
xmpp.projectsegfau.lt, conference.projectsegfau.lt, proxy.projectsegfau.lt, pubsub.projectsegfau.lt, upload.projectsegfau.lt {
reverse_proxy 192.168.5.5:5280 {
header_up X-Real-IP {remote_host}
}
reverse_proxy /.well-known/acme-challenge/* 192.168.5.5:5380
@register {
path /new/
path /change_password/
path /delete/
path /new
path /change_password
path /delete
}
redir @register /register{uri}
import def
header /.well-known/host-meta Content-Type application/xrd+xml
header /.well-known/host-meta.json Content-Type application/json
header /.well-known/host-meta.json Access-Control-Allow-Origin *
header /.well-known/host-meta Access-Control-Allow-Origin *
handle_path /.well-known/* {
root * /var/www/well-known
file_server
}
handle_path / {
redir https://wiki.projectsegfau.lt/XMPP
}
}
xmpp-web.projectsegfau.lt, x.psf.lt {
import def
reverse_proxy 192.168.5.2:3072
}
healthchecks.projectsegfau.lt, hc.psf.lt {
import def
reverse_proxy 192.168.5.2:8450
}
# Pubthentik
auth.p.projectsegfau.lt {
reverse_proxy 192.168.5.2:7444 {
transport http {
tls_insecure_skip_verify
}
header_up X-Real-IP {remote_host}
}
import def
}
# kbin
kbin.projectsegfau.lt, kb.psf.lt {
reverse_proxy kbin.projectsegfau.lt:443 {
transport http {
tls_insecure_skip_verify
}
header_up X-Real-IP {remote_host}
}
#reverse_proxy 192.168.5.2:8643
import def
}
gothub.dev.projectsegfau.lt gh.dev.psf.lt {
reverse_proxy 192.168.5.2:1025
import def
}
ak.psf.lt {
redir https://social.projectsegfau.lt{uri}
}
j.psf.lt {
redir https://jitsi.projectsegfau.lt{uri}
}
d.psf.lt {
redir https://doc.projectsegfau.lt{uri}
}

View File

@ -0,0 +1,104 @@
# ---Internal Caddyfile---
# Authentik
sekuritee.projectsegfau.lt {
reverse_proxy https://192.168.5.2:7443 {
transport http {
tls_insecure_skip_verify
}
header_up X-Real-IP {remote_host}
}
import def
}
# Grafana
grafana.projectsegfau.lt {
reverse_proxy 192.168.5.2:3169
handle_path /api/live {
reverse_proxy 192.168.5.2:3169
}
import def
}
# MailU
mail.projectsegfau.lt {
log {
output file /var/log/caddy/mail.projectsegfau.lt.log {
roll_disabled
roll_size 512M
roll_uncompressed
roll_local_time
roll_keep 3
roll_keep_for 48h
}
}
import def
reverse_proxy 192.168.5.5:8082
}
# Plausible
analytics.projectsegfau.lt {
reverse_proxy 192.168.5.2:8001
import def
}
# Website dev
web.dev.projectsegfau.lt {
reverse_proxy 192.168.5.2:1339
import def
}
blog.projectsegfau.lt {
reverse_proxy 192.168.5.2:2368 {
header_up X-Forwarded-Proto https
header_up X-Real-IP {remote_host}
}
import def
}
prometheus.projectsegfau.lt {
reverse_proxy 192.168.5.2:9090
basicauth /* {
admin $2a$14$1asDwG2gbyJ3.SungtdOyeqBlW1IiKQ//qI3ienQCTldaosx1qzSC
}
import def
}
# Midou PersoVM
matrix.midou.dev {
reverse_proxy /_matrix/* 192.168.5.6:8008
import def
}
file.midou.dev {
reverse_proxy 192.168.5.6:8080
import def
}
c.midou.dev {
reverse_proxy 192.168.5.6:8978
import def
}
# Headscale (tailscale control server)
hs.projectsegfau.lt {
reverse_proxy /web* https://192.168.5.5:9443 {
transport http {
tls_insecure_skip_verify
}
}
reverse_proxy * 192.168.5.5:8089
}
# Caddy daily build (for ansible)
cb.projectsegfau.lt {
root * /var/www/caddy-build
file_server browse
encode gzip
}
# GotHub
docs.gothub.app {
redir https://gothub.app/docs{uri}
}
# OLD URLs
http://mutahar.rocks, http://*.mutahar.rocks {
redir https://projectsegfau.lt
}

View File

@ -5,6 +5,41 @@ stats.eu.projectsegfau.lt {
reverse_proxy localhost:9100
import def
}
inv.bp.projectsegfau.lt, i.bp.psf.lt {
reverse_proxy localhost:7573
header {
# disable FLoC tracking
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
-Content-Security-Policy
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
log {
output discard
format filter {
wrap console
fields {
request>remote_ip replace REDACTED
request>headers>X-Forwarded-For replace REDACTED
}
}
}
import torloc invbp
import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p
}
proxy.lbry.projectsegfau.lt {
reverse_proxy localhost:3001
import def
}
aryak.me {
reverse_proxy https://prox-arya.p.projectsegfau.lt {
header_up Host prox-arya.p.projectsegfau.lt
@ -14,6 +49,12 @@ arya.projectsegfau.lt {
redir https://aryak.me{uri}
}
## OLD URL REDIRECTS
bb.us.projectsegfau.lt bb.in.projectsegfau.lt bb.eu.projectsegfau.lt bb.projectsegfau.lt {
import def
import torloc beatbump
import i2ploc pjsflmvtqax7ii44qy4ladap65c3kqspbs7h7krqy7x43uovklla.b32.i2p
redir https://hyperpipe.projectsegfau.lt{uri}
}
invidious.mutahar.rocks {
redir https://inv.bp.projectsegfau.lt{uri} permanent
}

View File

@ -5,7 +5,3 @@ stats.us.projectsegfau.lt {
reverse_proxy http://127.0.0.1:9100
import def
}
fb.us.projectsegfau.lt {
import def
reverse_proxy localhost:8065
}