Add immich and switch to nginx-acme

build-certs.sh

@@ -1,13 +0,0 @@
-
-docker compose run --rm certbot certonly -v --webroot --webroot-path /var/www/certbot/ \
-  -d loadingm.xyz \
-  -d gitea.loadingm.xyz \
-  -d auth.loadingm.xyz \
-  -d jellyfin.loadingm.xyz \
-  -d jellyseerr.loadingm.xyz \
-  -d servarr.loadingm.xyz \
-  -d karakeep.loadingm.xyz \
-  -d ollama.loadingm.xyz \
-  -d memos.loadingm.xyz \
-  -d bitwarden.loadingm.xyz \
-  -d gpodder.loadingm.xyz

docker-compose.yaml

@@ -1,6 +1,7 @@
 include:
   - ./karakeep-compose.yaml
   - ./jellyfin-compose.yaml
+  - ./immich-compose.yaml
 secrets:
   JWT_SECRET:
     file: '/data/authelia/secrets/JWT_SECRET'
@@ -14,34 +15,52 @@ volumes:
   meilisearch:
   karakeep:
   bitwarden:
+  immich-model-cache:
+  nginx:
 networks:
   karakeep:
     external: false
+    enable_ipv6: true
   karakeep-int:
     external: false
+    enable_ipv6: true
   ollama:
     external: false
+    enable_ipv6: true
   ollama-int:
     external: false
+    enable_ipv6: true
   jellyfin:
     external: false
+    enable_ipv6: true
   jellyfin-int:
     external: false
+    enable_ipv6: true
   auth:
     external: false
+    enable_ipv6: true
   gitea:
     external: false
+    enable_ipv6: true
   gpodder:
     external: false
+    enable_ipv6: true
   memos:
     external: false
+    enable_ipv6: true
   mail:
     external: false
+    enable_ipv6: true
   bitwarden:
     external: false
+    enable_ipv6: true
+  # host:
+  #   external: true
+  #   enable_ipv6: true
 services:
   web:
-    image: "nginx"
+    build:
+      dockerfile: ./nginx-dockerfile
     restart: unless-stopped
     ports:
       - 80:80
@@ -49,9 +68,7 @@ services:
     volumes:
       - ./nginx:/etc/nginx:ro
       - /data/site:/data/site:ro
-      - /data/certbot/www/:/var/www/certbot/:ro
+      - nginx:/var/cache/nginx/
-      # - /etc/letsencrypt:/etc/letsencrypt:ro
-      - /data/certbot/conf:/etc/letsencrypt:ro
     networks:
       - karakeep
       - ollama
@@ -79,11 +96,6 @@ services:
       #   source: /usr/local/share/fonts/cu
       #   target: /usr/local/share/fonts/custom
       #   read_only: true
-  certbot:
-    image: certbot/certbot:latest
-    volumes:
-      - /data/certbot/www/:/var/www/certbot/:rw
-      - /data/certbot/conf/:/etc/letsencrypt/:rw
   authelia:
     image: 'docker.io/authelia/authelia:latest'
     command:

immich-compose.yaml

@@ -0,0 +1,64 @@
+services:
+  immich-server:
+    image: ghcr.io/immich-app/immich-server:v2
+    # extends:
+    #   file: hwaccel.transcoding.yml
+    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
+    volumes:
+      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
+      - /data/immich/uploads:/data
+      - /etc/localtime:/etc/localtime:ro
+    environment:
+      DB_USERNAME: postgres
+      DB_PASSWORD: nVmwTyOKlcEa6VUc
+      DB_DATABASE_NAME: immich
+    # env_file:
+    #   - .env
+    ports:
+      - '2283:2283'
+    depends_on:
+      - redis
+      - database
+    restart: always
+    healthcheck:
+      disable: false
+
+  immich-machine-learning:
+    # For hardware acceleration, add one of -[armnn, cuda, rocm, openvino, rknn] to the image tag.
+    # Example tag: ${IMMICH_VERSION:-v2}-cuda
+    image: ghcr.io/immich-app/immich-machine-learning:v2
+    # extends: # uncomment this section for hardware acceleration - see https://docs.immich.app/features/ml-hardware-acceleration
+    #   file: hwaccel.ml.yml
+    #   service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
+    volumes:
+      - immich-model-cache:/cache
+    environment:
+      DB_USERNAME: postgres
+      DB_PASSWORD: nVmwTyOKlcEa6VUc
+      DB_DATABASE_NAME: immich
+    # env_file:
+    #   - .env
+    restart: always
+    healthcheck:
+      disable: false
+
+  redis:
+    image: docker.io/valkey/valkey:9@sha256:fb8d272e529ea567b9bf1302245796f21a2672b8368ca3fcb938ac334e613c8f
+    healthcheck:
+      test: redis-cli ping || exit 1
+    restart: always
+
+  database:
+    image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
+    environment:
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: nVmwTyOKlcEa6VUc
+      POSTGRES_DB: immich
+      POSTGRES_INITDB_ARGS: '--data-checksums'
+      # Uncomment the DB_STORAGE_TYPE: 'HDD' var if your database isn't stored on SSDs
+      # DB_STORAGE_TYPE: 'HDD'
+    volumes:
+      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
+      - /data/immich/postgres:/var/lib/postgresql/data
+    shm_size: 128mb
+    restart: always

nginx-dockerfile

@@ -0,0 +1,2 @@
+FROM nginx
+RUN apt install nginx-module-acme

nginx/nginx.conf

@@ -3,6 +3,7 @@ worker_processes auto;
 worker_cpu_affinity auto;
 pid /run/nginx.pid;
 error_log /var/log/nginx/error.log;
+load_module /usr/lib/nginx/modules/ngx_http_acme_module.so;
 
 events {
 	worker_connections 768;
@@ -10,6 +11,14 @@ events {
 }
 
 http {
+	resolver 127.0.0.11:53;
+	acme_issuer letsencrypt { 
+	    uri         https://acme-v02.api.letsencrypt.org/directory;
+	    contact     matthew.pomes@pm.me;
+	    state_path  /var/cache/nginx/acme-letsencrypt;
+
+	    accept_terms_of_service; 
+	}
 
 	##
 	# Basic Settings
@@ -57,6 +66,12 @@ http {
 	##
 
 	include /etc/nginx/sites-enabled/*;
+	server {
+		listen 80;
+	    location / {
+	        return 301 https://$host$request_uri;
+	    }
+	}
 }
 
 

nginx/sites-available/5d-diplomacy

@@ -1,17 +1,8 @@
 server {
-    if ($host = 5d-diplomacy.loadingm.xyz) {
-        return 301 https://$host$request_uri;
-    } # managed by Certbot
-
-
     listen 80;
     listen [::]:80;
     server_name 5d-diplomacy.loadingm.xyz;
 
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
     # Uncomment to redirect HTTP to HTTPS
     location / {
         return 301 https://$host$request_uri;
@@ -25,16 +16,14 @@ server {
     http2 on;
 
     server_name 5d-diplomacy.loadingm.xyz;
+    acme_certificate      letsencrypt;
+    ssl_certificate       $acme_certificate; 
+    ssl_certificate_key   $acme_certificate_key; 
+    ssl_certificate_cache max=2;
 
     ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
     client_max_body_size 20M;
 
-    ssl_certificate /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/privkey.pem; # managed by Certbot
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/chain.pem;
-
     # Security / XSS Mitigation Headers
     add_header X-Content-Type-Options "nosniff";
 

nginx/sites-enabled/auth

@@ -1,18 +1,3 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name auth.loadingm.xyz;
-
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
-    # Uncomment to redirect HTTP to HTTPS
-    location / {
-        return 301 https://$host$request_uri;
-    }
-}
-
 server {
     # Nginx versions 1.25+
     listen 443 ssl;
@@ -20,16 +5,14 @@ server {
     http2 on;
 
     server_name auth.loadingm.xyz;
+    acme_certificate      letsencrypt;
+    ssl_certificate       $acme_certificate; 
+    ssl_certificate_key   $acme_certificate_key; 
+    ssl_certificate_cache max=2;
 
     ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
     client_max_body_size 20M;
 
-    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
-    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
-
     # Security / XSS Mitigation Headers
     add_header X-Content-Type-Options "nosniff";
 
@@ -42,10 +25,6 @@ server {
     # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
     add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
 
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
     location / {
         # Proxy main karakeep traffic
         proxy_pass http://authelia:9091;

nginx/sites-enabled/bitwarden

@@ -1,18 +1,3 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name bitwarden.loadingm.xyz;
-
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
-    # Uncomment to redirect HTTP to HTTPS
-    location / {
-        return 301 https://$host$request_uri;
-    }
-}
-
 server {
     # Nginx versions 1.25+
     listen 443 ssl;
@@ -20,16 +5,14 @@ server {
     http2 on;
 
     server_name bitwarden.loadingm.xyz;
+    acme_certificate      letsencrypt;
+    ssl_certificate       $acme_certificate; 
+    ssl_certificate_key   $acme_certificate_key; 
+    ssl_certificate_cache max=2;
 
     ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
     client_max_body_size 20M;
 
-    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
-    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
-
     # Security / XSS Mitigation Headers
     add_header X-Content-Type-Options "nosniff";
 
@@ -51,10 +34,6 @@ server {
     # set $CSP "$CSP; frame-ancestors 'self' data:";
     # set $CSP "$CSP; font-src 'self' data:";
     # add_header Content-Security-Policy $CSP;
-
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
     location /notifications/hub {
         proxy_pass http://bitwarden:80;
         proxy_http_version 1.1;

nginx/sites-enabled/gitea

@@ -1,18 +1,3 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name gitea.loadingm.xyz;
-
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
-    # Uncomment to redirect HTTP to HTTPS
-    location / {
-        return 301 https://$host$request_uri;
-    }
-}
-
 server {
     # Nginx versions 1.25+
     listen 443 ssl;
@@ -20,16 +5,14 @@ server {
     http2 on;
 
     server_name gitea.loadingm.xyz;
+    acme_certificate      letsencrypt;
+    ssl_certificate       $acme_certificate; 
+    ssl_certificate_key   $acme_certificate_key; 
+    ssl_certificate_cache max=2;
 
     ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
     client_max_body_size 200G;
 
-    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
-    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
-
     # Security / XSS Mitigation Headers
     add_header X-Content-Type-Options "nosniff";
 
@@ -42,10 +25,6 @@ server {
     # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
         add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
 
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
     location / {
         # Proxy main karakeep traffic
         proxy_pass http://gitea:3000;

nginx/sites-enabled/gpodder

@@ -1,52 +1,14 @@
-##
-# You should look at the following URL's in order to grasp a solid understanding
-# of Nginx configuration files in order to fully unleash the power of Nginx.
-# https://www.nginx.com/resources/wiki/start/
-# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
-# https://wiki.debian.org/Nginx/DirectoryStructure
-#
-# In most cases, administrators will remove this file from sites-enabled/ and
-# leave it as reference inside of sites-available where it will continue to be
-# updated by the nginx packaging team.
-#
-# This file will automatically load configuration files provided by other
-# applications, such as Drupal or Wordpress. These applications will be made
-# available underneath a path with that package name, such as /drupal8.
-#
-# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
-##
-
 server {
-    listen 80;
-    listen [::]:80;
-    server_name gpodder.loadingm.xyz;
-
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
-    # Uncomment to redirect HTTP to HTTPS
-    location / {
-        return 301 https://$host$request_uri;
-    }
-}
-
-# Default server configuration
-#
-server {
-
 	# SSL configuration
 	listen 443 ssl;
 	listen [::]:443 ssl;
     http2 on;
 
 	server_name gpodder.loadingm.xyz;
-
+    acme_certificate      letsencrypt;
-    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
+    ssl_certificate       $acme_certificate; 
-    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
+    ssl_certificate_key   $acme_certificate_key; 
-    # include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_certificate_cache max=2;
-    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
 
     # Security / XSS Mitigation Headers
     add_header X-Content-Type-Options "nosniff";
@@ -60,10 +22,6 @@ server {
     # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
     add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
 
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
     location / {
         # Proxy main karakeep traffic
         proxy_pass http://gpodder:8000;

nginx/sites-enabled/immich

@@ -0,0 +1,41 @@
+server {
+    # Nginx versions 1.25+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+
+    server_name immich.loadingm.xyz;
+    acme_certificate      letsencrypt;
+    ssl_certificate       $acme_certificate; 
+    ssl_certificate_key   $acme_certificate_key; 
+    ssl_certificate_cache max=2;
+
+    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
+    client_max_body_size 200G;
+
+    # Security / XSS Mitigation Headers
+    add_header X-Content-Type-Options "nosniff";
+
+    # Permissions policy. May cause issues with some clients
+    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+    # Content Security Policy
+    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+    # Enforces https content and restricts JS/CSS to origin
+    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+        add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+
+    location / {
+        # Proxy main karakeep traffic
+        proxy_pass http://immich:2283;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+
+        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+        proxy_buffering off;
+    }
+}

nginx/sites-enabled/jellyfin

@@ -1,18 +1,3 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name jellyfin.loadingm.xyz;
-
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
-    # Uncomment to redirect HTTP to HTTPS
-    location / {
-        return 301 https://$host$request_uri;
-    }
-}
-
 server {
     # Nginx versions 1.25+
     listen 443 ssl;
@@ -20,16 +5,14 @@ server {
     http2 on;
 
     server_name jellyfin.loadingm.xyz;
+    acme_certificate      letsencrypt;
+    ssl_certificate       $acme_certificate; 
+    ssl_certificate_key   $acme_certificate_key; 
+    ssl_certificate_cache max=2;
 
     ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
     client_max_body_size 20M;
 
-    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
-    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
-
     # Security / XSS Mitigation Headers
     add_header X-Content-Type-Options "nosniff";
 
@@ -42,10 +25,6 @@ server {
     # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
     add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
 
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
     location / {
         # Proxy main Jellyfin traffic
         proxy_pass http://jellyfin:8096;

nginx/sites-enabled/jellyseerr

@@ -1,18 +1,3 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name jellyseerr.loadingm.xyz;
-
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
-    # Uncomment to redirect HTTP to HTTPS
-    location / {
-        return 301 https://$host$request_uri;
-    }
-}
-
 server {
     # Nginx versions 1.25+
     listen 443 ssl;
@@ -20,26 +5,20 @@ server {
     http2 on;
 
     server_name jellyseerr.loadingm.xyz;
+    acme_certificate      letsencrypt;
+    ssl_certificate       $acme_certificate; 
+    ssl_certificate_key   $acme_certificate_key; 
+    ssl_certificate_cache max=2;
 
     ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
     client_max_body_size 20M;
 
-    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
-    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
-
     # Security / XSS Mitigation Headers
     add_header X-Content-Type-Options "nosniff";
 
     # Permissions policy. May cause issues with some clients
     add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
 
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
     # Content Security Policy
     # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
     # Enforces https content and restricts JS/CSS to origin

nginx/sites-enabled/karakeep

@@ -1,18 +1,3 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name karakeep.loadingm.xyz;
-
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
-    # Uncomment to redirect HTTP to HTTPS
-    location / {
-        return 301 https://$host$request_uri;
-    }
-}
-
 server {
     # Nginx versions 1.25+
     listen 443 ssl;
@@ -20,16 +5,14 @@ server {
     http2 on;
 
     server_name karakeep.loadingm.xyz;
+    acme_certificate      letsencrypt;
+    ssl_certificate       $acme_certificate; 
+    ssl_certificate_key   $acme_certificate_key; 
+    ssl_certificate_cache max=2;
 
     ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
     client_max_body_size 20M;
 
-    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
-    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
-
     # Security / XSS Mitigation Headers
     add_header X-Content-Type-Options "nosniff";
 
@@ -52,10 +35,6 @@ server {
     set $CSP "$CSP; font-src 'self' data:";
     add_header Content-Security-Policy $CSP;
 
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
     location / {
         # Proxy main karakeep traffic
         proxy_pass http://karakeep-web:3000;

nginx/sites-enabled/memos

@@ -1,18 +1,3 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name memos.loadingm.xyz;
-
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
-    # Uncomment to redirect HTTP to HTTPS
-    location / {
-        return 301 https://$host$request_uri;
-    }
-}
-
 server {
     # Nginx versions 1.25+
     listen 443 ssl;
@@ -20,16 +5,14 @@ server {
     http2 on;
 
     server_name memos.loadingm.xyz;
+    acme_certificate      letsencrypt;
+    ssl_certificate       $acme_certificate; 
+    ssl_certificate_key   $acme_certificate_key; 
+    ssl_certificate_cache max=2;
 
     ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
     client_max_body_size 200G;
 
-    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
-    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
-
     # Security / XSS Mitigation Headers
     add_header X-Content-Type-Options "nosniff";
 
@@ -42,10 +25,6 @@ server {
     # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
         add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
 
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
     location / {
         # Proxy main karakeep traffic
         proxy_pass http://memos:5230;

nginx/sites-enabled/ollama

@@ -5,9 +5,11 @@ server {
     http2 on;
 
     server_name ollama.loadingm.xyz;
+    acme_certificate      letsencrypt;
+    ssl_certificate       $acme_certificate; 
+    ssl_certificate_key   $acme_certificate_key; 
+    ssl_certificate_cache max=2;
 
-    include /etc/nginx/snippets/letsencrypt.conf;
-    # include /etc/nginx/snippets/authelia-location.conf;
     location /ws/ {
         proxy_pass http://ollama-webui:8080;
         proxy_http_version 1.1;

nginx/sites-enabled/primary

@@ -1,52 +1,14 @@
-##
-# You should look at the following URL's in order to grasp a solid understanding
-# of Nginx configuration files in order to fully unleash the power of Nginx.
-# https://www.nginx.com/resources/wiki/start/
-# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
-# https://wiki.debian.org/Nginx/DirectoryStructure
-#
-# In most cases, administrators will remove this file from sites-enabled/ and
-# leave it as reference inside of sites-available where it will continue to be
-# updated by the nginx packaging team.
-#
-# This file will automatically load configuration files provided by other
-# applications, such as Drupal or Wordpress. These applications will be made
-# available underneath a path with that package name, such as /drupal8.
-#
-# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
-##
-
 server {
-    listen 80 default_server;
-    listen [::]:80;
-    server_name loadingm.xyz *.loadingm.xyz;
-
-    location /.well-known/acme-challenge/ {
-        root /var/www/certbot;
-    }
-
-    # Uncomment to redirect HTTP to HTTPS
-    location / {
-        return 301 https://$host$request_uri;
-    }
-}
-
-# Default server configuration
-#
-server {
-
 	# SSL configuration
 	listen 443 ssl default_server;
 	listen [::]:443 ssl default_server;
     http2 on;
 
 	server_name loadingm.xyz;
-
+    acme_certificate      letsencrypt;
-    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
+    ssl_certificate       $acme_certificate; 
-    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
+    ssl_certificate_key   $acme_certificate_key; 
-    # include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_certificate_cache max=2;
-    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
 
 	root /data/site;
 
@@ -60,11 +22,4 @@ server {
 		# as directory, then fall back to displaying a 404.
 		try_files $uri $uri/ =404;
 	}
-
-	# deny access to .htaccess files, if Apache's document root
-	# concurs with nginx's one
-	#
-	#location ~ /\.ht {
-	#	deny all;
-	#}
 }

nginx/sites-enabled/servarr

@@ -1,13 +1,14 @@
-
 server {
-    # Nginx versions 1.25+
     listen 443 ssl;
     listen [::]:443 ssl;
     http2 on;
 
     server_name servarr.loadingm.xyz;
+    acme_certificate      letsencrypt;
+    ssl_certificate       $acme_certificate; 
+    ssl_certificate_key   $acme_certificate_key; 
+    ssl_certificate_cache max=2;
 
-    include /etc/nginx/snippets/letsencrypt.conf;
     include /etc/nginx/snippets/authelia-location.conf;
 
     location /qbt/ {

nginx/snippets/letsencrypt.conf

@@ -1,25 +0,0 @@
-# Content Security Policy
-# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
-# Enforces https content and restricts JS/CSS to origin
-# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
-# add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
-
-## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
-client_max_body_size 20M;
-
-ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
-# include /etc/letsencrypt/options-ssl-nginx.conf;
-# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
-
-# Security / XSS Mitigation Headers
-add_header X-Content-Type-Options "nosniff";
-
-# Permissions policy. May cause issues with some clients
-add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
-
-location /.well-known/acme-challenge/ {
-    root /var/www/certbot;
-}
-