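# ---Apps Caddyfile---
# One site block per application. The `def`, `torloc` and `acmedns` snippets
# are imported here but defined outside this file, so whatever they add
# (TLS/logging/headers) is not visible from this file alone.

# Akkoma
social.projectsegfau.lt {
	import def
	encode gzip
	# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
	# and `localhost.` resolves to [::0] on some systems: see issue #930
	reverse_proxy 192.168.1.64:4011
	# Uploaded media and the media proxy are pushed to a separate host so
	# that content supplied by other users is never served from the
	# application's own origin (see the mitigation write-ups below).
	handle /media/* {
		redir https://media.social.projectsegfau.lt{uri} permanent
	}
	handle /proxy/* {
		redir https://media.social.projectsegfau.lt{uri} permanent
	}
}

# Security mitigation
# See https://webb.spiderden.org/2023/05/26/pleroma-mitigation/
# And https://poa.st/notice/AWDToOiKAl4BPhdEB6
# And https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO
media.social.projectsegfau.lt {
	# Only the two media paths are proxied; the short upstream timeouts
	# bound how long a slow media fetch can hold a connection.
	handle /media/* {
		reverse_proxy 192.168.1.64:4011 {
			transport http {
				response_header_timeout 10s
				read_timeout 15s
			}
		}
	}
	handle /proxy/* {
		reverse_proxy 192.168.1.64:4011 {
			transport http {
				response_header_timeout 10s
				read_timeout 15s
			}
		}
	}
	# NOTE(review): any other path on this host falls through to Caddy's
	# default empty 200; a catch-all `handle { respond 404 }` would make the
	# host's single purpose explicit — confirm before adding.
}

# Cinny
cinny.projectsegfau.lt cy.psf.lt {
	reverse_proxy :3069
	import def
}

# Website
projectsegfau.lt {
	reverse_proxy :1337
	import def
	# Matrix federation (8449) and client/admin API (81) are split across two
	# upstream ports; the Host header is rewritten so Synapse sees its own name.
	reverse_proxy /_matrix/* 192.168.1.64:8449 {
		header_up Host "matrix.projectsegfau.lt"
	}
	reverse_proxy /_matrix/client/* 192.168.1.64:81 {
		header_up Host "matrix.projectsegfau.lt"
	}
	reverse_proxy /_synapse/* 192.168.1.64:81 {
		header_up Host "matrix.projectsegfau.lt"
	}
	# NOTE(review): `handle_path /.well-known/*` below is ordered ahead of
	# `reverse_proxy` by Caddy's directive order and `file_server` errors on a
	# missing file, so this ACME-challenge proxy may never be reached —
	# verify with a real HTTP-01 challenge before relying on it.
	reverse_proxy /.well-known/acme-challenge/* 192.168.1.64:5380
	# Converse.js / BOSH / WebSocket endpoints of the XMPP server
	reverse_proxy /converse 192.168.1.64:5280
	reverse_proxy /converseemojis.js 192.168.1.64:5280
	reverse_proxy /converse/* 192.168.1.64:5280
	reverse_proxy /bosh 192.168.1.64:5280
	reverse_proxy /ws 192.168.1.64:5280
	# Matrix well-known discovery is read cross-origin by clients, hence the
	# wildcard CORS header on exactly these static JSON files.
	header /.well-known/matrix/* Content-Type application/json
	header /.well-known/matrix/* Access-Control-Allow-Origin *
	handle_path /.well-known/* {
		root * /var/www/well-known
		file_server
	}
	header /.well-known/host-meta Content-Type application/xrd+xml
	header /.well-known/host-meta.json Content-Type application/json
	header /.well-known/host-meta.json Access-Control-Allow-Origin *
	header /.well-known/host-meta Access-Control-Allow-Origin *
	import torloc www
}

psf.lt {
	reverse_proxy :1337
	import def
	import torloc www
	import acmedns
	header /.well-known/matrix/* Content-Type application/json
	header /.well-known/matrix/* Access-Control-Allow-Origin *
	handle_path /.well-known/* {
		root * /var/www/psf-well-known
		file_server
	}
}

ssync.projectsegfau.lt {
	reverse_proxy 192.168.1.64:3333
	import def
}

www.projectsegfau.lt www.psf.lt {
	redir https://projectsegfau.lt{uri}
	import torloc www
}

matrix.projectsegfau.lt {
	reverse_proxy /_matrix/* 192.168.1.64:8449 {
		header_up Host "matrix.projectsegfau.lt"
	}
	reverse_proxy /_matrix/client/* 192.168.1.64:81 {
		header_up Host "matrix.projectsegfau.lt"
	}
	reverse_proxy /_synapse/* 192.168.1.64:81 {
		header_up Host "matrix.projectsegfau.lt"
	}
	import def
	#reverse_proxy /_synapse/client/* 192.168.1.64:81 {
	#	header_up Host "matrix.projectsegfau.lt"
	#}
	# The bare root is documentation only; everything else is the API above.
	handle_path / {
		redir https://wiki.projectsegfau.lt/Matrix
	}
}

# Element
chat.projectsegfau.lt el.psf.lt {
	reverse_proxy :3070
	import def
}

# Gitea
git.projectsegfau.lt {
	reverse_proxy :3444
	# Keep the Prometheus endpoint off the public side.
	respond /metrics 403
	import def
	request_body {
		max_size 500MB
	}
	# 'unsafe-inline'/'unsafe-eval' in script-src largely neutralise the
	# script restriction (presumably required by the Gitea frontend);
	# frame-ancestors 'self' remains the effective anti-clickjacking control.
	header {
		Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
	}
	import torloc git
}

git.psf.lt {
	reverse_proxy :3444 {
		header_up Host "git.projectsegfau.lt"
	}
	respond /metrics 403
	import def
	request_body {
		max_size 500MB
	}
	# Same policy as git.projectsegfau.lt; keep the two in sync.
	header {
		Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
	}
	import torloc git
}

# HedgeDoc
doc.projectsegfau.lt {
	reverse_proxy :2069 {
		header_up X-Real-IP {remote_host}
	}
	import def
}

# Hydrogen
h2.projectsegfau.lt, hydrogen.projectsegfau.lt, h2.psf.lt {
	reverse_proxy :3071
	import def
}

# Jitsi
# NOTE(review): this block and the Excalidraw one below are the only sites
# that do not `import def`; confirm that is intentional.
jitsi.projectsegfau.lt {
	reverse_proxy 192.168.1.5:8000 {
		header_up X-Real-IP {remote_host}
	}
}

# Excalidraw backend for jitsi
excalidraw.projectsegfau.lt {
	reverse_proxy :8694
}

# Maubot
mau.projectsegfau.lt {
	reverse_proxy :29316
	import def
}

# MediaWiki
wiki.projectsegfau.lt w.psf.lt {
	reverse_proxy 10.0.3.39:80 {
		header_up X-Real-IP {remote_host}
	}
	import def
	encode gzip
	import torloc wiki
}

# Vikunja
todo.projectsegfau.lt vi.psf.lt {
	reverse_proxy :3456
	import def
	import torloc todo
}

# Vaultwarden
pass.projectsegfau.lt vw.psf.lt {
	reverse_proxy :6980 {
		header_up X-Real-IP {remote_host}
	}
	import def
	# WebSocket notifications are served by a separate upstream port.
	reverse_proxy /notifications/hub :3012 {
		header_up X-Real-IP {remote_host}
	}
	import torloc pass
}

# XMPP
xmpp.projectsegfau.lt, conference.projectsegfau.lt, proxy.projectsegfau.lt, pubsub.projectsegfau.lt, upload.projectsegfau.lt {
	reverse_proxy 192.168.1.64:5280 {
		header_up X-Real-IP {remote_host}
	}
	# NOTE(review): same ordering caveat as on projectsegfau.lt — the
	# `handle_path /.well-known/*` below may shadow this path; verify.
	reverse_proxy /.well-known/acme-challenge/* 192.168.1.64:5380
	# Account-management paths are moved under /register so they reach the
	# server's registration handler rather than the web root.
	@register {
		path /new/
		path /change_password/
		path /delete/
		path /new
		path /change_password
		path /delete
	}
	redir @register /register{uri}
	import def
	header /.well-known/host-meta Content-Type application/xrd+xml
	header /.well-known/host-meta.json Content-Type application/json
	header /.well-known/host-meta.json Access-Control-Allow-Origin *
	header /.well-known/host-meta Access-Control-Allow-Origin *
	handle_path /.well-known/* {
		root * /var/www/well-known
		file_server
	}
	handle_path / {
		redir https://wiki.projectsegfau.lt/XMPP
	}
}

xmpp-web.projectsegfau.lt, x.psf.lt {
	import def
	reverse_proxy :3072
}

healthchecks.projectsegfau.lt, hc.psf.lt {
	import def
	reverse_proxy :8450
	import torloc healthchecks
}

# Pubthentik
auth.p.projectsegfau.lt {
	reverse_proxy :7444 {
		transport http {
			# Upstream certificate is not verified (loopback backend,
			# presumably a self-signed cert). `tls_trusted_ca_certs`
			# with the backend's CA would keep TLS while restoring
			# verification — confirm what the backend presents.
			tls_insecure_skip_verify
		}
		header_up X-Real-IP {remote_host}
	}
	import def
}

# kbin
kbin.projectsegfau.lt, kb.psf.lt {
	reverse_proxy 192.168.1.64:8014 {
		header_up X-Real-IP {remote_host}
	}
	import def
}

piped.projectsegfau.lt proxy.piped.projectsegfau.lt api.piped.projectsegfau.lt {
	reverse_proxy 192.168.1.64:6970
	header {
		# interest-cohort=() opts out of FLoC; the rest denies browser
		# features the app does not need. The stray `;` that followed the
		# closing quote has been removed: it was lexed as a third argument,
		# which turns this line into a find/replace on an existing header
		# instead of setting the header at all.
		Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"
		# enable HSTS
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff
		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade
		# Legacy header: modern browsers ignore it and a CSP is the
		# effective control; left as-is for older clients.
		X-XSS-Protection "1; mode=block"
		defer
	}
	# User-Agent is client-controlled, so this is a nuisance filter, not an
	# access control.
	@badbots {
		header "User-Agent" "Go-http-client/2.0"
	}
	respond @badbots "Access to this route denied" 403
	import acmedns
}

pi.psf.lt {
	reverse_proxy 192.168.1.64:6970 {
		header_up Host "piped.projectsegfau.lt"
	}
	header {
		# Same header set as piped.projectsegfau.lt; trailing `;` after the
		# closing quote removed for the same reason (it made the line a
		# find/replace rather than a set).
		Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"
		# enable HSTS
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff
		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade
		X-XSS-Protection "1; mode=block"
		defer
	}
	@badbots {
		header "User-Agent" "Go-http-client/2.0"
	}
	respond @badbots "Access to this route denied" 403
}

inv.projectsegfau.lt invidious.projectsegfau.lt i.psf.lt {
	reverse_proxy 192.168.1.64:7573
	header {
		# Same header set as piped.projectsegfau.lt; trailing `;` after the
		# closing quote removed for the same reason.
		Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()"
		# enable HSTS
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff
		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade
		# Strips the upstream CSP (presumably because it breaks the proxied
		# player); note this leaves the host with no CSP at all.
		-Content-Security-Policy
		X-XSS-Protection "1; mode=block"
		defer
	}
	@badbots {
		header "User-Agent" "Go-http-client/2.0"
	}
	respond @badbots "Access to this route denied" 403
	import torloc inv
	import acmedns
}

gothub.dev.projectsegfau.lt gh.dev.psf.lt {
	reverse_proxy :1025
	import def
	import torloc gothub.dev
}

# Short-name redirects
ak.psf.lt {
	redir https://social.projectsegfau.lt{uri}
}

j.psf.lt {
	redir https://jitsi.projectsegfau.lt{uri}
}

d.psf.lt {
	redir https://doc.projectsegfau.lt{uri}
}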