Current state

.gitignore

@@ -1 +1,2 @@
 .env
+authelia/secrets/

authelia/configuration.yml

@@ -0,0 +1,54 @@
+authentication_backend:
+  refresh_interval: '5m'
+  password_reset:
+    disable: false
+    custom_url: ''
+  password_change:
+    disable: false
+  file:
+    path: '/config/users.yml'
+    watch: false
+    search:
+      email: false
+      case_insensitive: false
+    password:
+      algorithm: 'argon2'
+      argon2:
+        variant: 'argon2id'
+        iterations: 3
+        memory: 65536
+        parallelism: 4
+        key_length: 32
+        salt_length: 16
+session:
+  name: 'authelia_session'
+  # same_site: 'lax'
+  inactivity: '5m'
+  expiration: '1h'
+  remember_me: '1M'
+  cookies:
+    - domain: 'loadingm.xyz'
+      authelia_url: 'https://auth.loadingm.xyz'
+      default_redirection_url: 'https://loadingm.xyz'
+      name: 'authelia_session'
+      same_site: 'lax'
+      inactivity: '5m'
+      expiration: '1h'
+      remember_me: '1d'
+notifier:
+  disable_startup_check: false
+  filesystem:
+    filename: '/config/notification.txt'
+storage:
+  local:
+    path: '/config/db.sqlite3'
+access_control:
+  default_policy: deny
+  rules:
+    - domain: '*.loadingm.xyz'
+      policy: one_factor
+server:
+  endpoints:
+    authz:
+      auth-request:
+        implementation: 'AuthRequest'

authelia/gen-secrets.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+parent_path=$( cd "$(dirname "${BASH_SOURCE[0]}")" ; pwd -P )
+cd $parent_path
+mkdir -p ./secrets
+openssl rand -base64 60 > ./secrets/JWT_SECRET
+openssl rand -base64 60 > ./secrets/SESSION_SECRET
+openssl rand -base64 60 > ./secrets/STORAGE_PASSWORD
+openssl rand -base64 60 > ./secrets/STORAGE_ENCRYPTION_KEY
+

build-certs.sh

@@ -0,0 +1,9 @@
+
+docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ \
+  -d loadingm.xyz \
+  -d auth.loadingm.xyz \
+  -d jellyfin.loadingm.xyz \
+  -d jellyseerr.loadingm.xyz \
+  -d servarr.loadingm.xyz \
+  -d karakeep.loadingm.xyz \
+  -d ollama.loadingm.xyz

docker-compose.yaml

@@ -1,5 +1,6 @@
 include:
   - ./karakeep-compose.yaml
+  - ./jellyfin-compose.yaml
 services:
   web:
     image: "nginx"
@@ -8,47 +9,86 @@ services:
       - 80:80
       - 443:443
     volumes:
-      - ./nginx:/etc/nginx
+      - ./nginx:/etc/nginx:ro
-      - /etc/letsencrypt:/etc/letsencrypt
+      - /data/site:/data/site:ro
-      - /data/site:/data/site
+      - /data/certbot/www/:/var/www/certbot/:ro
+      # - /etc/letsencrypt:/etc/letsencrypt:ro
+      - /data/certbot/conf:/etc/letsencrypt:ro
     networks:
       - karakeep
       - ollama
       - jellyfin
+      - jellyfin-int
+      - auth
     depends_on:
       - jellyfin
       - ollama-webui
       - karakeep-web
-  jellyfin:
+      - authelia
-    image: "jellyfin/jellyfin"
+      - qbittorrent
-    restart: unless-stopped
-    environment:
-      - JELLYFIN_PublishedServerUrl=http://jellyfin.loadingm.xyz
-    volumes:
-      - /var/lib/jellyfin:/data
-      - /etc/jellyfin:/config
-      - /var/cache/jellyfin:/cache
-      - type: bind
-        source: /data/library/
-        target: /data/library
-        read_only: true
-    networks:
-      - jellyfin
       # Optional - extra fonts to be used during transcoding with subtitle burn-in
       # - type: bind
       #   source: /usr/local/share/fonts/cu
       #   target: /usr/local/share/fonts/custom
       #   read_only: true
+  certbot:
+    image: certbot/certbot:latest
+    volumes:
+      - /data/certbot/www/:/var/www/certbot/:rw
+      - /data/certbot/conf/:/etc/letsencrypt/:rw
+  authelia:
+    container_name: 'authelia'
+    image: 'docker.io/authelia/authelia:latest'
+    restart: 'unless-stopped'
+    secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_PASSWORD', 'STORAGE_ENCRYPTION_KEY']
+    networks:
+      - auth
+    environment:
+      AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
+      AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
+      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
+    volumes:
+      - './authelia/:/config'
   # webdav:
   #   image: ""
-  # minecraft:
+  minecraft:
-  #   image: ""
+    image: itzg/minecraft-server:latest
+    tty: true
+    stdin_open: true
+    ports:
+      - "25565:25565"
+    environment:
+      EULA: "TRUE"
+      TYPE: "FABRIC"
+      MEMORY: "2048M"
+      MOTD: "Loading server..."
+      LEVEL: "world"
+      USE_MEOWICE_FLAGS: "true"
+      DIFFICULTY: "3"
+      OPS: |-
+        187eca31-2e33-4199-97e0-2286bf35f7f8
+      ENABLE_WHITELIST: "true"
+      WHITELIST: |-
+        187eca31-2e33-4199-97e0-2286bf35f7f8
+      PAUSE_WHEN_EMPTY_SECONDS: "20"
+      ENABLE_ROLLING_LOGS: "true"
+    volumes:
+      - "/opt/minecraft:/data"
   # calibre:
   #   image: "linuxserver/calibre-web"
   # 5d-diplomacy-frontend:
   #   image: ""
   # 5d-diplomacy-backend:
   #   image: ""
+secrets:
+  JWT_SECRET:
+    file: './authelia/secrets/JWT_SECRET'
+  SESSION_SECRET:
+    file: './authelia/secrets/SESSION_SECRET'
+  STORAGE_PASSWORD:
+    file: './authelia/secrets/STORAGE_PASSWORD'
+  STORAGE_ENCRYPTION_KEY:
+    file: './authelia/secrets/STORAGE_ENCRYPTION_KEY'
 volumes:
   meilisearch:
   karakeep:
@@ -63,3 +103,7 @@ networks:
     external: false
   jellyfin:
     external: false
+  jellyfin-int:
+    external: false
+  auth:
+    external: false

jellyfin-compose.yaml

@@ -0,0 +1,137 @@
+services:
+  qbittorrent:
+    image: lscr.io/linuxserver/qbittorrent:latest
+    container_name: qbittorrent
+    environment:
+      - WEBUI_PORT=8080
+      - PUID=0
+      - PGID=0
+      - TZ=${TZ}
+      # - DOCKER_MODS=ghcr.io/gabe565/linuxserver-mod-vuetorrent
+    volumes:
+      - /data/jellyfin:/data/jellyfin
+      - /data/jellyfin/configs/qbittorrent:/config
+      - /data/jellyfin/qbittorrent/downloads:/downloads
+    ports:
+      - 8080:8080
+      - 6881:6881
+      - 6881:6881/udp
+    networks:
+      - jellyfin-int
+    restart: unless-stopped
+  flaresolverr:
+    image: ghcr.io/flaresolverr/flaresolverr:latest
+    container_name: flaresolverr
+    environment:
+      - LOG_LEVEL=${LOG_LEVEL:-info}
+      - LOG_HTML=${LOG_HTML:-false}
+      - CAPTCHA_SOLVER=${CAPTCHA_SOLVER:-none}
+      - TZ=${TZ}
+      #- LANG=fr_FR
+      #- LANG=en_US
+    ports:
+      - 8191:8191
+    networks:
+      - jellyfin-int
+    restart: unless-stopped
+  prowlarr:
+    image: lscr.io/linuxserver/prowlarr:latest
+    container_name: prowlarr
+    environment:
+      - PUID=0
+      - PGID=0
+      - TZ=${TZ}
+    volumes:
+      - /data/jellyfin/configs/prowlarr:/config
+    ports:
+      - 9696:9696
+    networks:
+      - jellyfin-int
+    restart: unless-stopped
+  jackett:
+    image: lscr.io/linuxserver/jackett:latest
+    container_name: jackett
+    environment:
+      - PUID=0
+      - PGID=0
+      - TZ=${TZ}
+    volumes:
+      - /data/jellyfin/configs/jackett:/config
+    ports:
+      - 9117:9117
+    networks:
+      - jellyfin-int
+    restart: unless-stopped
+  sonarr:
+    image: lscr.io/linuxserver/sonarr:latest
+    container_name: sonarr
+    environment:
+      - PUID=0
+      - PGID=0
+      - TZ=${TZ}
+    volumes:
+      - /data/jellyfin:/data/jellyfin
+      - /data/jellyfin/configs/sonarr:/config
+      - /data/jellyfin/sonarr/tv:/tv
+      - /data/jellyfin/qbittorrent/downloads:/downloads
+    ports:
+      - 8989:8989
+    networks:
+      - jellyfin-int
+    restart: unless-stopped
+  radarr:
+    image: lscr.io/linuxserver/radarr:latest
+    container_name: radarr
+    environment:
+      - PUID=0
+      - PGID=0
+      - TZ=${TZ}
+    volumes:
+      - /data/jellyfin:/data/jellyfin
+      - /data/jellyfin/configs/radarr:/config
+      - /data/jellyfin/radarr/movies:/movies
+      - /data/jellyfin/qbittorrent/downloads:/downloads
+    ports:
+      - 7878:7878
+    networks:
+      - jellyfin-int
+    restart: unless-stopped
+  jellyfin:
+    image: lscr.io/linuxserver/jellyfin:latest
+    container_name: jellyfin
+    environment:
+      - PUID=0
+      - PGID=0
+      - TZ=${TZ}
+      - NVIDIA_VISIBLE_DEVICES=all
+    ports:
+      - 8096:8096
+      - 8920:8920
+      - 7359:7359/udp
+      - 1900:1900/udp
+    networks:
+      - jellyfin
+      - jellyfin-int
+    volumes:
+      - /data/library:/data/library:ro
+      - /data/jellyfin:/data/jellyfin
+      - /data/jellyfin/configs/jellyfin:/config
+      - /data/jellyfin/jellyfin/cache:/cache
+      - /data/jellyfin/sonarr/tv:/data/tvshows
+      - /data/jellyfin/radarr/movies:/data/movies
+      - /data/jellyfin/qbittorrent/downloads:/data/media_downloads
+    restart: unless-stopped
+  jellyseerr:
+    image: fallenbagel/jellyseerr:latest
+    container_name: jellyseerr
+    environment:
+      - LOG_LEVEL=debug
+      - TZ=${TZ}
+    ports:
+      - 5055:5055
+    volumes:
+      - /data/jellyfin/configs/jellyseerr:/app/config
+    restart: unless-stopped
+    networks:
+      - jellyfin
+      - jellyfin-int

nginx.dockerfile

@@ -1,4 +0,0 @@
-FROM nginx
-COPY ./nginx/nginx.conf /etc/nginx/
-COPY ./nginx/mime.types /etc/nginx/
-COPY ./nginx/sites-available /etc/nginx/

nginx/sites-available/5d-diplomacy

@@ -8,10 +8,14 @@ server {
     listen [::]:80;
     server_name 5d-diplomacy.loadingm.xyz;
 
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
     # Uncomment to redirect HTTP to HTTPS
-    return 301 https://$host$request_uri;
+    location / {
-
+        return 301 https://$host$request_uri;
-
+    }
 }
 
 server {

nginx/sites-enabled/auth

@@ -0,0 +1,62 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name auth.loadingm.xyz;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # Uncomment to redirect HTTP to HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    # Nginx versions 1.25+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+
+    server_name auth.loadingm.xyz;
+
+    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
+    client_max_body_size 20M;
+
+    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
+    # include /etc/letsencrypt/options-ssl-nginx.conf;
+    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
+
+    # Security / XSS Mitigation Headers
+    add_header X-Content-Type-Options "nosniff";
+
+    # Permissions policy. May cause issues with some clients
+    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+    # Content Security Policy
+    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+    # Enforces https content and restricts JS/CSS to origin
+    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+    add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        # Proxy main karakeep traffic
+        proxy_pass http://authelia:9091;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+
+        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+        proxy_buffering off;
+    }
+}

nginx/sites-enabled/jellyfin

@@ -3,8 +3,14 @@ server {
     listen [::]:80;
     server_name jellyfin.loadingm.xyz;
 
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
     # Uncomment to redirect HTTP to HTTPS
-    return 301 https://$host$request_uri;
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
 
 server {
@@ -18,11 +24,11 @@ server {
     ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
     client_max_body_size 20M;
 
-    ssl_certificate /etc/letsencrypt/live/jellyfin.loadingm.xyz/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/jellyfin.loadingm.xyz/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
+    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/jellyfin.loadingm.xyz/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
 
     # Security / XSS Mitigation Headers
     add_header X-Content-Type-Options "nosniff";
@@ -36,6 +42,10 @@ server {
     # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
     add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
 
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
     location / {
         # Proxy main Jellyfin traffic
         proxy_pass http://jellyfin:8096;

nginx/sites-enabled/jellyseerr

@@ -0,0 +1,62 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name jellyseerr.loadingm.xyz;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # Uncomment to redirect HTTP to HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    # Nginx versions 1.25+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+
+    server_name jellyseerr.loadingm.xyz;
+
+    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
+    client_max_body_size 20M;
+
+    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
+    # include /etc/letsencrypt/options-ssl-nginx.conf;
+    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
+
+    # Security / XSS Mitigation Headers
+    add_header X-Content-Type-Options "nosniff";
+
+    # Permissions policy. May cause issues with some clients
+    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # Content Security Policy
+    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+    # Enforces https content and restricts JS/CSS to origin
+    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+    add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+
+    location / {
+        # Proxy main jellyseerr traffic
+        proxy_pass http://jellyseerr:5055;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+
+        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+        proxy_buffering off;
+    }
+}

nginx/sites-enabled/karakeep

@@ -3,8 +3,14 @@ server {
     listen [::]:80;
     server_name karakeep.loadingm.xyz;
 
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
     # Uncomment to redirect HTTP to HTTPS
-    return 301 https://$host$request_uri;
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
 
 server {
@@ -18,11 +24,11 @@ server {
     ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
     client_max_body_size 20M;
 
-    ssl_certificate /etc/letsencrypt/live/karakeep.loadingm.xyz/fullchain.pem;
+    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/karakeep.loadingm.xyz/privkey.pem;
+    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
+    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/karakeep.loadingm.xyz/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
 
     # Security / XSS Mitigation Headers
     add_header X-Content-Type-Options "nosniff";
@@ -36,6 +42,10 @@ server {
     # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
     add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
 
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
     location / {
         # Proxy main karakeep traffic
         proxy_pass http://karakeep-web:3000;

nginx/sites-enabled/ollama

@@ -1,12 +1,3 @@
-server {
-    listen 80;
-    listen [::]:80;
-    server_name ollama.loadingm.xyz;
-
-    # Uncomment to redirect HTTP to HTTPS
-    return 301 https://$host$request_uri;
-}
-
 server {
     # Nginx versions 1.25+
     listen 443 ssl;
@@ -15,38 +6,13 @@ server {
 
     server_name ollama.loadingm.xyz;
 
-    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
+    include /etc/nginx/snippets/letsencrypt.conf;
-    client_max_body_size 20M;
+    # include /etc/nginx/snippets/authelia-location.conf;
-
-    ssl_certificate /etc/letsencrypt/live/ollama.loadingm.xyz/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/ollama.loadingm.xyz/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/ollama.loadingm.xyz/chain.pem;
-
-    # Security / XSS Mitigation Headers
-    add_header X-Content-Type-Options "nosniff";
-
-    # Permissions policy. May cause issues with some clients
-    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
-
-    # Content Security Policy
-    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
-    # Enforces https content and restricts JS/CSS to origin
-    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
-    add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
 
     location / {
+        include /etc/nginx/snippets/proxy.conf;
+        # include /etc/nginx/snippets/authelia-authrequest.conf;
         # Proxy main ollama traffic
         proxy_pass http://ollama-webui:8080;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-Protocol $scheme;
-        proxy_set_header X-Forwarded-Host $http_host;
-
-        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
-        proxy_buffering off;
     }
 }

nginx/sites-enabled/primary

@@ -16,6 +16,21 @@
 # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
 ##
 
+server {
+    listen 80 default_server;
+    listen [::]:80;
+    server_name loadingm.xyz *.loadingm.xyz;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # Uncomment to redirect HTTP to HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
 # Default server configuration
 #
 server {
@@ -29,8 +44,8 @@ server {
 
     ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
+    # include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
 
 	root /data/site;

nginx/sites-enabled/servarr

@@ -0,0 +1,76 @@
+
+server {
+    # Nginx versions 1.25+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+
+    server_name servarr.loadingm.xyz;
+
+    include /etc/nginx/snippets/letsencrypt.conf;
+    include /etc/nginx/snippets/authelia-location.conf;
+
+    location /qbt/ {
+        # include /etc/nginx/snippets/proxy.conf;
+        include /etc/nginx/snippets/authelia-authrequest.conf;
+        proxy_pass http://qbittorrent:8080/;
+        proxy_http_version 1.1;
+        proxy_set_header   Host               $proxy_host;
+        proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Host   $http_host;
+        proxy_set_header   X-Forwarded-Proto  $scheme;
+        proxy_cookie_path  /                  "/; Secure";
+    }
+
+    location ^~ /sonarr {
+        include /etc/nginx/snippets/authelia-authrequest.conf;
+        proxy_pass http://sonarr:8989/sonarr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_redirect off;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+    }
+    # Allow the API External Access via NGINX
+    location ^~ /sonarr/api {
+        auth_basic off;
+        include /etc/nginx/snippets/authelia-authrequest.conf;
+        proxy_pass http://sonarr:8989/sonarr/api;
+    }
+
+    location ^~ /radarr {
+        include /etc/nginx/snippets/authelia-authrequest.conf;
+        proxy_pass http://radarr:7878/radarr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_redirect off;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+    }
+    # Allow the API External Access via NGINX
+    location ^~ /radarr/api {
+        auth_basic off;
+        include /etc/nginx/snippets/authelia-authrequest.conf;
+        proxy_pass http://radarr:7878/radarr/api;
+    }
+
+    location ^~ /jackett/ {
+        include /etc/nginx/snippets/authelia-authrequest.conf;
+        add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+        proxy_pass http://jackett:9117;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_redirect off;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+    }
+}

nginx/snippets/authelia-authrequest.conf

@@ -0,0 +1,32 @@
+## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
+auth_request /internal/authelia/authz;
+
+## Save the upstream metadata response headers from Authelia to variables.
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+auth_request_set $name $upstream_http_remote_name;
+auth_request_set $email $upstream_http_remote_email;
+
+## Inject the metadata response headers from the variables into the request made to the backend.
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Groups $groups;
+proxy_set_header Remote-Email $email;
+proxy_set_header Remote-Name $name;
+
+## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
+## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
+## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
+
+## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
+auth_request_set $redirection_url $upstream_http_location;
+
+## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
+error_page 401 =302 $redirection_url;
+
+## Legacy Method: Set $target_url to the original requested URL.
+## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module.
+# set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
+## URL parameter set to $target_url. This requires users update 'auth.example.com/' with their external authelia URL.
+# error_page 401 =302 https://auth.example.com/?rd=$target_url;

nginx/snippets/authelia-location.conf

@@ -0,0 +1,32 @@
+set $upstream_authelia http://authelia:9091/api/authz/auth-request;
+
+## Virtual endpoint created by nginx to forward auth requests.
+location /internal/authelia/authz {
+    ## Essential Proxy Configuration
+    internal;
+    proxy_pass $upstream_authelia;
+
+    ## Headers
+    ## The headers starting with X-* are required.
+    proxy_set_header X-Original-Method $request_method;
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Content-Length "";
+    proxy_set_header Connection "";
+
+    ## Basic Proxy Configuration
+    proxy_pass_request_body off;
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
+    proxy_redirect http:// $scheme://;
+    proxy_http_version 1.1;
+    proxy_cache_bypass $cookie_session;
+    proxy_no_cache $cookie_session;
+    proxy_buffers 4 32k;
+    client_body_buffer_size 128k;
+
+    ## Advanced Proxy Configuration
+    send_timeout 5m;
+    proxy_read_timeout 240;
+    proxy_send_timeout 240;
+    proxy_connect_timeout 240;
+}

nginx/snippets/letsencrypt.conf

@@ -0,0 +1,25 @@
+# Content Security Policy
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+# Enforces https content and restricts JS/CSS to origin
+# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+# add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+
+## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
+client_max_body_size 20M;
+
+ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
+# include /etc/letsencrypt/options-ssl-nginx.conf;
+# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
+
+# Security / XSS Mitigation Headers
+add_header X-Content-Type-Options "nosniff";
+
+# Permissions policy. May cause issues with some clients
+add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+location /.well-known/acme-challenge/ {
+    root /var/www/certbot;
+}
+

nginx/snippets/proxy.conf

@@ -0,0 +1,34 @@
+## Headers
+proxy_set_header Host $host;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-URI $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Real-IP $remote_addr;
+
+## Basic Proxy Configuration
+client_body_buffer_size 128k;
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
+proxy_redirect  http://  $scheme://;
+proxy_http_version 1.1;
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 64 256k;
+
+## Trusted Proxies Configuration
+## Please read the following documentation before configuring this:
+##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
+# set_real_ip_from 10.0.0.0/8;
+# set_real_ip_from 172.16.0.0/12;
+# set_real_ip_from 192.168.0.0/16;
+# set_real_ip_from fc00::/7;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+
+## Advanced Proxy Configuration
+send_timeout 5m;
+proxy_read_timeout 360;
+proxy_send_timeout 360;
+proxy_connect_timeout 360;

nginx/snippets/websockets.conf

@@ -0,0 +1,3 @@
+## WebSocket Example
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";