diff --git a/build-certs.sh b/build-certs.sh deleted file mode 100644 index 4ae78e4..0000000 --- a/build-certs.sh +++ /dev/null @@ -1,13 +0,0 @@ - -docker compose run --rm certbot certonly -v --webroot --webroot-path /var/www/certbot/ \ - -d loadingm.xyz \ - -d gitea.loadingm.xyz \ - -d auth.loadingm.xyz \ - -d jellyfin.loadingm.xyz \ - -d jellyseerr.loadingm.xyz \ - -d servarr.loadingm.xyz \ - -d karakeep.loadingm.xyz \ - -d ollama.loadingm.xyz \ - -d memos.loadingm.xyz \ - -d bitwarden.loadingm.xyz \ - -d gpodder.loadingm.xyz diff --git a/docker-compose.yaml b/docker-compose.yaml index 3e263f4..4a55846 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -1,6 +1,7 @@ include: - ./karakeep-compose.yaml - ./jellyfin-compose.yaml + - ./immich-compose.yaml secrets: JWT_SECRET: file: '/data/authelia/secrets/JWT_SECRET' @@ -14,34 +15,52 @@ volumes: meilisearch: karakeep: bitwarden: + immich-model-cache: + nginx: networks: karakeep: external: false + enable_ipv6: true karakeep-int: external: false + enable_ipv6: true ollama: external: false + enable_ipv6: true ollama-int: external: false + enable_ipv6: true jellyfin: external: false + enable_ipv6: true jellyfin-int: external: false + enable_ipv6: true auth: external: false + enable_ipv6: true gitea: external: false + enable_ipv6: true gpodder: external: false + enable_ipv6: true memos: external: false + enable_ipv6: true mail: external: false + enable_ipv6: true bitwarden: external: false + enable_ipv6: true + # host: + # external: true + # enable_ipv6: true services: web: - image: "nginx" + build: + dockerfile: ./nginx-dockerfile restart: unless-stopped ports: - 80:80 @@ -49,9 +68,7 @@ services: volumes: - ./nginx:/etc/nginx:ro - /data/site:/data/site:ro - - /data/certbot/www/:/var/www/certbot/:ro - # - /etc/letsencrypt:/etc/letsencrypt:ro - - /data/certbot/conf:/etc/letsencrypt:ro + - nginx:/var/cache/nginx/ networks: - karakeep - ollama 
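Review bot: The `web` service's `networks` list (`karakeep`, `ollama`, continuing past the end of this hunk) is not extended for the new Immich stack, and the services in `immich-compose.yaml` declare no `networks` at all, so they presumably land on the project's default network that `web` is not attached to — `proxy_pass http://immich:2283` in `nginx/sites-enabled/immich` would then have nothing to route to. Either add a dedicated network on both sides, mirroring the `karakeep`/`karakeep-int` pattern declared above, or confirm name resolution from the `web` container before merging. The new `nginx:/var/cache/nginx/` volume also becomes the home of the ACME account key and every issued private key (`state_path` in nginx.conf), so it deserves the same backup and access treatment as `/data/authelia/secrets`; a comment on that line, e.g. `# ACME state: account key + issued private keys — back up, never share`, would record that.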
@@ -79,11 +96,6 @@ services: # source: /usr/local/share/fonts/cu # target: /usr/local/share/fonts/custom # read_only: true - certbot: - image: certbot/certbot:latest - volumes: - - /data/certbot/www/:/var/www/certbot/:rw - - /data/certbot/conf/:/etc/letsencrypt/:rw authelia: image: 'docker.io/authelia/authelia:latest' command: diff --git a/immich-compose.yaml b/immich-compose.yaml new file mode 100644 index 0000000..75c748b --- /dev/null +++ b/immich-compose.yaml 
@@ -0,0 +1,64 @@
+services:
+ immich-server:
+ image: ghcr.io/immich-app/immich-server:v2
+ # extends:
+ # file: hwaccel.transcoding.yml
+ # service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
+ volumes:
+ # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
+ - /data/immich/uploads:/data
+ - /etc/localtime:/etc/localtime:ro
+ environment:
+ DB_USERNAME: postgres
+ DB_PASSWORD: nVmwTyOKlcEa6VUc
+ DB_DATABASE_NAME: immich
+ # env_file:
+ # - .env
+ ports:
+ - '2283:2283'
+ depends_on:
+ - redis
+ - database
+ restart: always
+ healthcheck:
+ disable: false
+
+ immich-machine-learning:
+ # For hardware acceleration, add one of -[armnn, cuda, rocm, openvino, rknn] to the image tag.
+ # Example tag: ${IMMICH_VERSION:-v2}-cuda
+ image: ghcr.io/immich-app/immich-machine-learning:v2
+ # extends: # uncomment this section for hardware acceleration - see https://docs.immich.app/features/ml-hardware-acceleration
+ # file: hwaccel.ml.yml
+ # service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
+ volumes:
+ - immich-model-cache:/cache
+ environment:
+ DB_USERNAME: postgres
+ DB_PASSWORD: nVmwTyOKlcEa6VUc
+ DB_DATABASE_NAME: immich
+ # env_file:
+ # - .env
+ restart: always
+ healthcheck:
+ disable: false
+
+ redis:
+ image: docker.io/valkey/valkey:9@sha256:fb8d272e529ea567b9bf1302245796f21a2672b8368ca3fcb938ac334e613c8f
+ healthcheck:
+ test: redis-cli ping || exit 1
+ restart: always
+
+ database:
+ image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
+ environment:
+ POSTGRES_USER: postgres
+ POSTGRES_PASSWORD: nVmwTyOKlcEa6VUc
+ POSTGRES_DB: immich
+ POSTGRES_INITDB_ARGS: '--data-checksums'
+ # Uncomment the DB_STORAGE_TYPE: 'HDD' var if your 
database isn't stored on SSDs + # DB_STORAGE_TYPE: 'HDD' + volumes: + # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file + - /data/immich/postgres:/var/lib/postgresql/data + shm_size: 128mb + restart: always diff --git a/nginx-dockerfile b/nginx-dockerfile new file mode 100644 index 0000000..9bf2d08 --- /dev/null +++ b/nginx-dockerfile @@ -0,0 +1,2 @@ +FROM nginx +RUN apt install nginx-module-acme diff --git a/nginx/nginx.conf b/nginx/nginx.conf index b6ce2d2..e401de2 100644 --- a/nginx/nginx.conf +++ b/nginx/nginx.conf @@ -3,6 +3,7 @@ worker_processes auto; worker_cpu_affinity auto; pid /run/nginx.pid; error_log /var/log/nginx/error.log; +load_module /usr/lib/nginx/modules/ngx_http_acme_module.so; events { worker_connections 768; @@ -10,6 +11,14 @@ events { } http { + resolver 127.0.0.11:53; + acme_issuer letsencrypt { + uri https://acme-v02.api.letsencrypt.org/directory; + contact matthew.pomes@pm.me; + state_path /var/cache/nginx/acme-letsencrypt; + + accept_terms_of_service; + } ## # Basic Settings @@ -57,6 +66,12 @@ http { ## include /etc/nginx/sites-enabled/*; + server { + listen 80; + location / { + return 301 https://$host$request_uri; + } + } } diff --git a/nginx/sites-available/5d-diplomacy b/nginx/sites-available/5d-diplomacy index a5c522b..5038db3 100644 --- a/nginx/sites-available/5d-diplomacy +++ b/nginx/sites-available/5d-diplomacy @@ -1,17 +1,8 @@ server { - if ($host = 5d-diplomacy.loadingm.xyz) { - return 301 https://$host$request_uri; - } # managed by Certbot - - listen 80; listen [::]:80; server_name 5d-diplomacy.loadingm.xyz; - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - # Uncomment to redirect HTTP to HTTPS location / { return 301 https://$host$request_uri; 
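Review bot: `DB_PASSWORD`/`POSTGRES_PASSWORD` is a plaintext credential committed three times in this file, while the rest of the project already feeds secrets from files (`secrets: JWT_SECRET: file:` in docker-compose.yaml); the postgres image accepts `POSTGRES_PASSWORD_FILE` and Immich's docs list `_FILE` variants of its `DB_*` variables, so both sides can read a compose secret instead, and the value visible here should be treated as exposed and rotated. `ports: - '2283:2283'` publishes Immich's plain-HTTP port on every host interface, bypassing the TLS terminator and the headers the nginx site adds; nginx reaches the container over the compose network, so drop `ports:` (or bind it to loopback, `'127.0.0.1:2283:2283'`). The two "Do not edit the next line … edit the value of UPLOAD_LOCATION/DB_DATA_LOCATION in the .env file" comments are stale copies of the upstream template, since `env_file` is commented out and the paths are hard-coded bind mounts. Minor: the two Immich images float on the `v2` tag while `redis` and `database` are pinned by digest; pinning all four keeps upgrades deliberate.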
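Review bot: `RUN apt install nginx-module-acme` will not build as written: the base image ships without package lists, so the install fails with "Unable to locate package", and without `-y` a non-interactive build aborts at the confirmation prompt (`apt` also warns that its CLI is not stable for scripts). Use `RUN apt-get update && apt-get install -y --no-install-recommends nginx-module-acme && rm -rf /var/lib/apt/lists/*`, assuming the nginx.org apt source the image is built from still lists that package. `FROM nginx` also floats on `latest`, and the module `.so` must match the nginx build it is loaded into, so pinning the tag keeps the `load_module` line in nginx.conf from breaking on an unplanned base-image bump.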
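Review bot: The new catch-all `server` has `listen 80;` only, while the sites keep `listen [::]:443` and docker-compose.yaml now sets `enable_ipv6: true` on every network; if the hostnames have AAAA records, plain-HTTP visitors and Let's Encrypt's HTTP-01 validation arriving over IPv6 will not reach this block — add `listen [::]:80;`. This block is also the only port-80 listener left once the commit removes every `location /.well-known/acme-challenge/`, which matches the ACME module's documented layout (the module answers challenges on a port-80 listener itself), but that dependency is invisible to the next reader; a comment such as `# port-80 listener is required for ngx_http_acme_module to answer HTTP-01 challenges` would make it explicit. A first run against the staging directory would confirm issuance without spending production rate limits across the dozen hostnames this commit enrols.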
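Review bot: The port-80 block keeps `listen [::]:80;` but loses `listen 80;`, so on the new side it answers only IPv6 HTTP for 5d-diplomacy.loadingm.xyz while IPv4 falls through to the catch-all in nginx.conf — the asymmetry looks accidental. Either remove the whole block, as the commit does for every file under sites-enabled (the catch-all already issues the same `return 301`), or keep both listens. This file lives in sites-available, so it only takes effect if linked into sites-enabled, which the diff does not show; the server block also continues past the end of the hunk.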
@@ -25,16 +16,14 @@ server { http2 on; server_name 5d-diplomacy.loadingm.xyz; + acme_certificate letsencrypt; + ssl_certificate $acme_certificate; + ssl_certificate_key $acme_certificate_key; + ssl_certificate_cache max=2; ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. client_max_body_size 20M; - ssl_certificate /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - ssl_trusted_certificate /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/chain.pem; - # Security / XSS Mitigation Headers add_header X-Content-Type-Options "nosniff"; diff --git a/nginx/sites-enabled/auth b/nginx/sites-enabled/auth index b434d94..dc48a26 100644 --- a/nginx/sites-enabled/auth +++ b/nginx/sites-enabled/auth @@ -1,18 +1,3 @@ -server { - listen 80; - listen [::]:80; - server_name auth.loadingm.xyz; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - - # Uncomment to redirect HTTP to HTTPS - location / { - return 301 https://$host$request_uri; - } -} - server { # Nginx versions 1.25+ listen 443 ssl; 
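Review bot: Unlike the other sites, this one had `include /etc/letsencrypt/options-ssl-nginx.conf;` and `ssl_dhparam` active, and the commit removes them with nothing taking their place; Certbot's standard options file sets `ssl_protocols`, `ssl_prefer_server_ciphers`, `ssl_ciphers`, `ssl_session_cache`, `ssl_session_timeout` and `ssl_session_tickets off`, so this server now silently falls back to nginx defaults. Carry those directives into the `http` block (or a snippet) so the TLS policy is explicit and applies to every server at once. The same four-line `acme_certificate` / `ssl_certificate` / `ssl_certificate_key` / `ssl_certificate_cache` stanza is pasted into every site in this commit (auth, bitwarden, gitea, gpodder, immich, jellyfin, jellyseerr, karakeep, memos, ollama, primary, servarr); a single `include /etc/nginx/snippets/acme.conf;` would keep them identical, which is what the deleted `snippets/letsencrypt.conf` used to do for ollama and servarr.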
@@ -20,16 +5,14 @@ server { http2 on; server_name auth.loadingm.xyz; + acme_certificate letsencrypt; + ssl_certificate $acme_certificate; + ssl_certificate_key $acme_certificate_key; + ssl_certificate_cache max=2; ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. client_max_body_size 20M; - ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem; - # include /etc/letsencrypt/options-ssl-nginx.conf; - # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem; - # Security / XSS Mitigation Headers add_header X-Content-Type-Options "nosniff"; @@ -42,10 +25,6 @@ server { # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - location / { # Proxy main karakeep traffic proxy_pass http://authelia:9091; diff --git a/nginx/sites-enabled/bitwarden b/nginx/sites-enabled/bitwarden index 057fee5..ff82e06 100644 --- a/nginx/sites-enabled/bitwarden +++ b/nginx/sites-enabled/bitwarden @@ -1,18 +1,3 @@ -server { - listen 80; - listen [::]:80; - server_name bitwarden.loadingm.xyz; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - - # Uncomment to redirect HTTP to HTTPS - location / { - return 301 https://$host$request_uri; - } -} - server { # Nginx versions 1.25+ listen 443 ssl; 
@@ -20,16 +5,14 @@ server { http2 on; server_name bitwarden.loadingm.xyz; + acme_certificate letsencrypt; + ssl_certificate $acme_certificate; + ssl_certificate_key $acme_certificate_key; + ssl_certificate_cache max=2; ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. client_max_body_size 20M; - ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem; - # include /etc/letsencrypt/options-ssl-nginx.conf; - # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem; - # Security / XSS Mitigation Headers add_header X-Content-Type-Options "nosniff"; @@ -51,10 +34,6 @@ server { # set $CSP "$CSP; frame-ancestors 'self' data:"; # set $CSP "$CSP; font-src 'self' data:"; # add_header Content-Security-Policy $CSP; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } location /notifications/hub { proxy_pass http://bitwarden:80; proxy_http_version 1.1; diff --git a/nginx/sites-enabled/gitea b/nginx/sites-enabled/gitea index 27f87ea..dc4daf3 100644 --- a/nginx/sites-enabled/gitea +++ b/nginx/sites-enabled/gitea @@ -1,18 +1,3 @@ -server { - listen 80; - listen [::]:80; - server_name gitea.loadingm.xyz; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - - # Uncomment to redirect HTTP to HTTPS - location / { - return 301 https://$host$request_uri; - } -} - server { # Nginx versions 1.25+ listen 443 ssl; 
@@ -20,16 +5,14 @@ server { http2 on; server_name gitea.loadingm.xyz; + acme_certificate letsencrypt; + ssl_certificate $acme_certificate; + ssl_certificate_key $acme_certificate_key; + ssl_certificate_cache max=2; ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. client_max_body_size 200G; - ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem; - # include /etc/letsencrypt/options-ssl-nginx.conf; - # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem; - # Security / XSS Mitigation Headers add_header X-Content-Type-Options "nosniff"; @@ -42,10 +25,6 @@ server { # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - location / { # Proxy main karakeep traffic proxy_pass http://gitea:3000; diff --git a/nginx/sites-enabled/gpodder b/nginx/sites-enabled/gpodder index f12167e..e7ac896 100644 --- a/nginx/sites-enabled/gpodder +++ b/nginx/sites-enabled/gpodder 
@@ -1,52 +1,14 @@ -## -# You should look at the following URL's in order to grasp a solid understanding -# of Nginx configuration files in order to fully unleash the power of Nginx. -# https://www.nginx.com/resources/wiki/start/ -# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ -# https://wiki.debian.org/Nginx/DirectoryStructure -# -# In most cases, administrators will remove this file from sites-enabled/ and -# leave it as reference inside of sites-available where it will continue to be -# updated by the nginx packaging team. -# -# This file will automatically load configuration files provided by other -# applications, such as Drupal or Wordpress. These applications will be made -# available underneath a path with that package name, such as /drupal8. -# -# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. -## - server { - listen 80; - listen [::]:80; - server_name gpodder.loadingm.xyz; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - - # Uncomment to redirect HTTP to HTTPS - location / { - return 301 https://$host$request_uri; - } -} - -# Default server configuration -# -server { - # SSL configuration listen 443 ssl; listen [::]:443 ssl; http2 on; server_name gpodder.loadingm.xyz; - - ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem; - # include /etc/letsencrypt/options-ssl-nginx.conf; - # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem; + acme_certificate letsencrypt; + ssl_certificate $acme_certificate; + ssl_certificate_key $acme_certificate_key; + ssl_certificate_cache max=2; # Security / XSS Mitigation Headers add_header X-Content-Type-Options "nosniff"; 
@@ -60,10 +22,6 @@ server { # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - location / { # Proxy main karakeep traffic proxy_pass http://gpodder:8000; diff --git a/nginx/sites-enabled/immich b/nginx/sites-enabled/immich new file mode 100644 index 0000000..e652f7a --- /dev/null +++ b/nginx/sites-enabled/immich 
@@ -0,0 +1,41 @@
+server {
+ # Nginx versions 1.25+
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+
+ server_name immich.loadingm.xyz;
+ acme_certificate letsencrypt;
+ ssl_certificate $acme_certificate;
+ ssl_certificate_key $acme_certificate_key;
+ ssl_certificate_cache max=2;
+
+ ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
+ client_max_body_size 200G;
+
+ # Security / XSS Mitigation Headers
+ add_header X-Content-Type-Options "nosniff";
+
+ # Permissions policy. May cause issues with some clients
+ add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+ # Content Security Policy
+ # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+ # Enforces https content and restricts JS/CSS to origin
+ # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. 
+ add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; + + location / { + # Proxy main karakeep traffic + proxy_pass http://immich:2283; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + + # Disable buffering when the nginx proxy gets very resource heavy upon streaming + proxy_buffering off; + } +} diff --git a/nginx/sites-enabled/jellyfin b/nginx/sites-enabled/jellyfin index b45aac8..b05c8ae 100644 --- a/nginx/sites-enabled/jellyfin +++ b/nginx/sites-enabled/jellyfin @@ -1,18 +1,3 @@ -server { - listen 80; - listen [::]:80; - server_name jellyfin.loadingm.xyz; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - - # Uncomment to redirect HTTP to HTTPS - location / { - return 301 https://$host$request_uri; - } -} - server { # Nginx versions 1.25+ listen 443 ssl; 
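Review bot: `proxy_pass http://immich:2283;` names a host that nothing in this commit defines — the compose service is `immich-server` (immich-compose.yaml), so this only resolves if an alias exists somewhere not shown. Immich's reverse-proxy guidance also expects websocket upgrades for its live updates, and the `location /` block sets neither `proxy_http_version 1.1` nor the `Upgrade`/`Connection` headers, so that traffic would fail through this proxy. The `# Proxy main karakeep traffic` comment is copied from another site and should read `# Proxy main Immich traffic`, and the CSP is copied from gitea/memos including `'unsafe-eval'`; worth checking Immich actually needs it before granting it.

```nginx
    location / {
        # Proxy main Immich traffic
        proxy_pass http://immich-server:2283;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # … unchanged: X-Real-IP / X-Forwarded-* headers, proxy_buffering off …
    }
```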
@@ -20,16 +5,14 @@ server { http2 on; server_name jellyfin.loadingm.xyz; + acme_certificate letsencrypt; + ssl_certificate $acme_certificate; + ssl_certificate_key $acme_certificate_key; + ssl_certificate_cache max=2; ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. client_max_body_size 20M; - ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem; - # include /etc/letsencrypt/options-ssl-nginx.conf; - # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem; - # Security / XSS Mitigation Headers add_header X-Content-Type-Options "nosniff"; @@ -42,10 +25,6 @@ server { # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - location / { # Proxy main Jellyfin traffic proxy_pass http://jellyfin:8096; diff --git a/nginx/sites-enabled/jellyseerr b/nginx/sites-enabled/jellyseerr index e6ede31..f497ac2 100644 --- a/nginx/sites-enabled/jellyseerr +++ b/nginx/sites-enabled/jellyseerr @@ -1,18 +1,3 @@ -server { - listen 80; - listen [::]:80; - server_name jellyseerr.loadingm.xyz; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - - # Uncomment to redirect HTTP to HTTPS - location / { - return 301 https://$host$request_uri; - } -} - server { # Nginx versions 1.25+ listen 443 ssl; 
@@ -20,26 +5,20 @@ server { http2 on; server_name jellyseerr.loadingm.xyz; + acme_certificate letsencrypt; + ssl_certificate $acme_certificate; + ssl_certificate_key $acme_certificate_key; + ssl_certificate_cache max=2; ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. client_max_body_size 20M; - ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem; - # include /etc/letsencrypt/options-ssl-nginx.conf; - # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem; - # Security / XSS Mitigation Headers add_header X-Content-Type-Options "nosniff"; # Permissions policy. May cause issues with some clients add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always; - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - # Content Security Policy # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP # Enforces https content and restricts JS/CSS to origin diff --git a/nginx/sites-enabled/karakeep b/nginx/sites-enabled/karakeep index 8174066..08fd7a7 100644 --- a/nginx/sites-enabled/karakeep +++ b/nginx/sites-enabled/karakeep @@ -1,18 +1,3 @@ -server { - listen 80; - listen [::]:80; - server_name karakeep.loadingm.xyz; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - - # Uncomment to redirect HTTP to HTTPS - location / { - return 301 https://$host$request_uri; - } -} - server { # Nginx versions 1.25+ listen 443 ssl; 
@@ -20,16 +5,14 @@ server { http2 on; server_name karakeep.loadingm.xyz; + acme_certificate letsencrypt; + ssl_certificate $acme_certificate; + ssl_certificate_key $acme_certificate_key; + ssl_certificate_cache max=2; ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. client_max_body_size 20M; - ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem; - # include /etc/letsencrypt/options-ssl-nginx.conf; - # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem; - # Security / XSS Mitigation Headers add_header X-Content-Type-Options "nosniff"; @@ -52,10 +35,6 @@ server { set $CSP "$CSP; font-src 'self' data:"; add_header Content-Security-Policy $CSP; - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - location / { # Proxy main karakeep traffic proxy_pass http://karakeep-web:3000; diff --git a/nginx/sites-enabled/memos b/nginx/sites-enabled/memos index 0111147..df70e84 100644 --- a/nginx/sites-enabled/memos +++ b/nginx/sites-enabled/memos @@ -1,18 +1,3 @@ -server { - listen 80; - listen [::]:80; - server_name memos.loadingm.xyz; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - - # Uncomment to redirect HTTP to HTTPS - location / { - return 301 https://$host$request_uri; - } -} - server { # Nginx versions 1.25+ listen 443 ssl; 
@@ -20,16 +5,14 @@ server { http2 on; server_name memos.loadingm.xyz; + acme_certificate letsencrypt; + ssl_certificate $acme_certificate; + ssl_certificate_key $acme_certificate_key; + ssl_certificate_cache max=2; ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. client_max_body_size 200G; - ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem; - # include /etc/letsencrypt/options-ssl-nginx.conf; - # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem; - # Security / XSS Mitigation Headers add_header X-Content-Type-Options "nosniff"; @@ -42,10 +25,6 @@ server { # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - location / { # Proxy main karakeep traffic proxy_pass http://memos:5230; diff --git a/nginx/sites-enabled/ollama b/nginx/sites-enabled/ollama index 1fa732d..d8a63fb 100644 --- a/nginx/sites-enabled/ollama +++ b/nginx/sites-enabled/ollama @@ -5,9 +5,11 @@ server { http2 on; server_name ollama.loadingm.xyz; + acme_certificate letsencrypt; + ssl_certificate $acme_certificate; + ssl_certificate_key $acme_certificate_key; + ssl_certificate_cache max=2; - include /etc/nginx/snippets/letsencrypt.conf; - # include /etc/nginx/snippets/authelia-location.conf; location /ws/ { proxy_pass http://ollama-webui:8080; proxy_http_version 1.1; diff --git a/nginx/sites-enabled/primary b/nginx/sites-enabled/primary index cd845d0..52cd890 100644 
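Review bot: Dropping `include /etc/nginx/snippets/letsencrypt.conf;` removes more than the certificate lines: that snippet (deleted at the end of this diff) also carried `client_max_body_size 20M;`, `add_header X-Content-Type-Options "nosniff";` and the `Permissions-Policy` header, none of which are re-added here, so this server falls back to nginx's 1M body limit and loses both security headers. The servarr hunk makes the same replacement with the same loss. Re-add those three directives after the new `ssl_certificate_cache max=2;` line, or keep a trimmed snippet containing just them — only the certificate lines needed to go. The server block continues outside the hunk, so confirm nothing further down already sets them.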
--- a/nginx/sites-enabled/primary +++ b/nginx/sites-enabled/primary @@ -1,52 +1,14 @@ -## -# You should look at the following URL's in order to grasp a solid understanding -# of Nginx configuration files in order to fully unleash the power of Nginx. -# https://www.nginx.com/resources/wiki/start/ -# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/ -# https://wiki.debian.org/Nginx/DirectoryStructure -# -# In most cases, administrators will remove this file from sites-enabled/ and -# leave it as reference inside of sites-available where it will continue to be -# updated by the nginx packaging team. -# -# This file will automatically load configuration files provided by other -# applications, such as Drupal or Wordpress. These applications will be made -# available underneath a path with that package name, such as /drupal8. -# -# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. -## - server { - listen 80 default_server; - listen [::]:80; - server_name loadingm.xyz *.loadingm.xyz; - - location /.well-known/acme-challenge/ { - root /var/www/certbot; - } - - # Uncomment to redirect HTTP to HTTPS - location / { - return 301 https://$host$request_uri; - } -} - -# Default server configuration -# -server { - # SSL configuration listen 443 ssl default_server; listen [::]:443 ssl default_server; http2 on; server_name loadingm.xyz; - - ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem; - # include /etc/letsencrypt/options-ssl-nginx.conf; - # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; - ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem; + acme_certificate letsencrypt; + ssl_certificate $acme_certificate; + ssl_certificate_key $acme_certificate_key; + ssl_certificate_cache max=2; root /data/site; 
@@ -60,11 +22,4 @@ server { # as directory, then fall back to displaying a 404. try_files $uri $uri/ =404; } - - # deny access to .htaccess files, if Apache's document root - # concurs with nginx's one - # - #location ~ /\.ht { - # deny all; - #} } diff --git a/nginx/sites-enabled/servarr b/nginx/sites-enabled/servarr index ccc2a6b..4e6d5a8 100644 --- a/nginx/sites-enabled/servarr +++ b/nginx/sites-enabled/servarr @@ -1,13 +1,14 @@ - server { - # Nginx versions 1.25+ listen 443 ssl; listen [::]:443 ssl; http2 on; server_name servarr.loadingm.xyz; + acme_certificate letsencrypt; + ssl_certificate $acme_certificate; + ssl_certificate_key $acme_certificate_key; + ssl_certificate_cache max=2; - include /etc/nginx/snippets/letsencrypt.conf; include /etc/nginx/snippets/authelia-location.conf; location /qbt/ { diff --git a/nginx/snippets/letsencrypt.conf b/nginx/snippets/letsencrypt.conf deleted file mode 100644 index 378fda5..0000000 --- a/nginx/snippets/letsencrypt.conf +++ /dev/null 
@@ -1,25 +0,0 @@ -# Content Security Policy -# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP -# Enforces https content and restricts JS/CSS to origin -# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. -# add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; - -## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. -client_max_body_size 20M; - -ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem; -ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem; -# include /etc/letsencrypt/options-ssl-nginx.conf; -# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; -ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem; - -# Security / XSS Mitigation Headers -add_header X-Content-Type-Options "nosniff"; - -# Permissions policy. May cause issues with some clients -add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always; - -location /.well-known/acme-challenge/ { - root /var/www/certbot; -} -