the10thwiz/Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add immich and switch to nginx-acme

Browse Source
This commit is contained in:
Matthew Pomes
2026-01-25 02:15:43 -06:00
parent e269dac336
commit 4b572faf1d
19 changed files with 191 additions and 337 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
build-certs.sh
View File

@@ -1,13 +0,0 @@
docker compose run --rm certbot certonly -v --webroot --webroot-path /var/www/certbot/ \
-d loadingm.xyz \
-d gitea.loadingm.xyz \
-d auth.loadingm.xyz \
-d jellyfin.loadingm.xyz \
-d jellyseerr.loadingm.xyz \
-d servarr.loadingm.xyz \
-d karakeep.loadingm.xyz \
-d ollama.loadingm.xyz \
-d memos.loadingm.xyz \
-d bitwarden.loadingm.xyz \
-d gpodder.loadingm.xyz

30
docker-compose.yaml
View File

@@ -1,6 +1,7 @@
include:
- ./karakeep-compose.yaml
- ./jellyfin-compose.yaml
- ./immich-compose.yaml
secrets:
JWT_SECRET:
file: '/data/authelia/secrets/JWT_SECRET'
@@ -14,34 +15,52 @@ volumes:
meilisearch:
karakeep:
bitwarden:
immich-model-cache:
nginx:
networks:
karakeep:
external: false
enable_ipv6: true
karakeep-int:
external: false
enable_ipv6: true
ollama:
external: false
enable_ipv6: true
ollama-int:
external: false
enable_ipv6: true
jellyfin:
external: false
enable_ipv6: true
jellyfin-int:
external: false
enable_ipv6: true
auth:
external: false
enable_ipv6: true
gitea:
external: false
enable_ipv6: true
gpodder:
external: false
enable_ipv6: true
memos:
external: false
enable_ipv6: true
mail:
external: false
enable_ipv6: true
bitwarden:
external: false
enable_ipv6: true
# host:
# external: true
# enable_ipv6: true
services:
web:
image: "nginx"
build:
dockerfile: ./nginx-dockerfile
restart: unless-stopped
ports:
- 80:80
@@ -49,9 +68,7 @@ services:
volumes:
- ./nginx:/etc/nginx:ro
- /data/site:/data/site:ro
- /data/certbot/www/:/var/www/certbot/:ro
# - /etc/letsencrypt:/etc/letsencrypt:ro
- /data/certbot/conf:/etc/letsencrypt:ro
- nginx:/var/cache/nginx/
networks:
- karakeep
- ollama
@@ -79,11 +96,6 @@ services:
# source: /usr/local/share/fonts/cu
# target: /usr/local/share/fonts/custom
# read_only: true
certbot:
image: certbot/certbot:latest
volumes:
- /data/certbot/www/:/var/www/certbot/:rw
- /data/certbot/conf/:/etc/letsencrypt/:rw
authelia:
image: 'docker.io/authelia/authelia:latest'
command:

64
immich-compose.yaml Normal file
View File

@@ -0,0 +1,64 @@
services:
immich-server:
image: ghcr.io/immich-app/immich-server:v2
# extends:
# file: hwaccel.transcoding.yml
# service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
volumes:
# Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
- /data/immich/uploads:/data
- /etc/localtime:/etc/localtime:ro
environment:
DB_USERNAME: postgres
DB_PASSWORD: nVmwTyOKlcEa6VUc
DB_DATABASE_NAME: immich
# env_file:
# - .env
ports:
- '2283:2283'
depends_on:
- redis
- database
restart: always
healthcheck:
disable: false
immich-machine-learning:
# For hardware acceleration, add one of -[armnn, cuda, rocm, openvino, rknn] to the image tag.
# Example tag: ${IMMICH_VERSION:-v2}-cuda
image: ghcr.io/immich-app/immich-machine-learning:v2
# extends: # uncomment this section for hardware acceleration - see https://docs.immich.app/features/ml-hardware-acceleration
# file: hwaccel.ml.yml
# service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
volumes:
- immich-model-cache:/cache
environment:
DB_USERNAME: postgres
DB_PASSWORD: nVmwTyOKlcEa6VUc
DB_DATABASE_NAME: immich
# env_file:
# - .env
restart: always
healthcheck:
disable: false
redis:
image: docker.io/valkey/valkey:9@sha256:fb8d272e529ea567b9bf1302245796f21a2672b8368ca3fcb938ac334e613c8f
healthcheck:
test: redis-cli ping || exit 1
restart: always
database:
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: nVmwTyOKlcEa6VUc
POSTGRES_DB: immich
POSTGRES_INITDB_ARGS: '--data-checksums'
# Uncomment the DB_STORAGE_TYPE: 'HDD' var if your database isn't stored on SSDs
# DB_STORAGE_TYPE: 'HDD'
volumes:
# Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
- /data/immich/postgres:/var/lib/postgresql/data
shm_size: 128mb
restart: always

2
nginx-dockerfile Normal file
View File

@@ -0,0 +1,2 @@
FROM nginx
RUN apt install nginx-module-acme

15
nginx/nginx.conf
View File

@@ -3,6 +3,7 @@ worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
load_module /usr/lib/nginx/modules/ngx_http_acme_module.so;
events {
worker_connections 768;
@@ -10,6 +11,14 @@ events {
}
http {
resolver 127.0.0.11:53;
acme_issuer letsencrypt {
uri https://acme-v02.api.letsencrypt.org/directory;
contact matthew.pomes@pm.me;
state_path /var/cache/nginx/acme-letsencrypt;
accept_terms_of_service;
}
##
# Basic Settings
@@ -57,6 +66,12 @@ http {
##
include /etc/nginx/sites-enabled/*;
server {
listen 80;
location / {
return 301 https://$host$request_uri;
}
}
}

19
nginx/sites-available/5d-diplomacy
View File

@@ -1,17 +1,8 @@
server {
if ($host = 5d-diplomacy.loadingm.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name 5d-diplomacy.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
@@ -25,16 +16,14 @@ server {
http2 on;
server_name 5d-diplomacy.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";

29
nginx/sites-enabled/auth
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name auth.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on;
server_name auth.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -42,10 +25,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://authelia:9091;

29
nginx/sites-enabled/bitwarden
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name bitwarden.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on;
server_name bitwarden.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -51,10 +34,6 @@ server {
# set $CSP "$CSP; frame-ancestors 'self' data:";
# set $CSP "$CSP; font-src 'self' data:";
# add_header Content-Security-Policy $CSP;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location /notifications/hub {
proxy_pass http://bitwarden:80;
proxy_http_version 1.1;

29
nginx/sites-enabled/gitea
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name gitea.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on;
server_name gitea.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -42,10 +25,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://gitea:3000;

50
nginx/sites-enabled/gpodder
View File

@@ -1,52 +1,14 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
server {
listen 80;
listen [::]:80;
server_name gpodder.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# Default server configuration
#
server {
# SSL configuration
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name gpodder.loadingm.xyz;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -60,10 +22,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://gpodder:8000;

41
nginx/sites-enabled/immich Normal file
View File

@@ -0,0 +1,41 @@
server {
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name immich.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location / {
# Proxy main karakeep traffic
proxy_pass http://immich:2283;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
}

29
nginx/sites-enabled/jellyfin
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name jellyfin.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on;
server_name jellyfin.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -42,10 +25,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main Jellyfin traffic
proxy_pass http://jellyfin:8096;

29
nginx/sites-enabled/jellyseerr
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name jellyseerr.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -20,26 +5,20 @@ server {
http2 on;
server_name jellyseerr.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin

29
nginx/sites-enabled/karakeep
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name karakeep.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on;
server_name karakeep.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -52,10 +35,6 @@ server {
set $CSP "$CSP; font-src 'self' data:";
add_header Content-Security-Policy $CSP;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://karakeep-web:3000;

29
nginx/sites-enabled/memos
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name memos.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on;
server_name memos.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -42,10 +25,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://memos:5230;

6
nginx/sites-enabled/ollama
View File

@@ -5,9 +5,11 @@ server {
http2 on;
server_name ollama.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
include /etc/nginx/snippets/letsencrypt.conf;
# include /etc/nginx/snippets/authelia-location.conf;
location /ws/ {
proxy_pass http://ollama-webui:8080;
proxy_http_version 1.1;

53
nginx/sites-enabled/primary
View File

@@ -1,52 +1,14 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
server {
listen 80 default_server;
listen [::]:80;
server_name loadingm.xyz *.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# Default server configuration
#
server {
# SSL configuration
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
http2 on;
server_name loadingm.xyz;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
root /data/site;
@@ -60,11 +22,4 @@ server {
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

7
nginx/sites-enabled/servarr
View File

@@ -1,13 +1,14 @@
server {
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name servarr.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
include /etc/nginx/snippets/letsencrypt.conf;
include /etc/nginx/snippets/authelia-location.conf;
location /qbt/ {

25
nginx/snippets/letsencrypt.conf
View File

@@ -1,25 +0,0 @@
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}