Update build-certs to use verbose logging

.gitea/workflows/certificates.yaml

@@ -0,0 +1,28 @@
+name: "Build certificates"
+on:
+  workflow_dispatch:
+    inputs:
+      # Note: this doesn't work on current gitea for some reason?
+      build_certs:
+        description: "Build certificates from scratch"
+        type: "boolean"
+        required: true
+        default: false
+  schedule: "@weekly"
+env:
+  TZ: "America/Chicago"
+jobs:
+  deploy:
+    name: "Setup/Renew certificates"
+    runs-on: "homelab"
+    steps:
+      - name: "Build certificates"
+        if: inputs.build_certs
+        run: |
+          cd /home/matthew/homelab
+          bash ./build-certs.sh
+      - name: "Renew certificates"
+        run: |
+          cd /home/matthew/homelab
+          docker compose run --rm certbot renew
+          docker restart homelab-web-1

.gitea/workflows/deploy.yaml

@@ -10,6 +10,12 @@ jobs:
     name: Deploy
     runs-on: homelab
     steps:
-      - run: |
+      - name: "Pull latest code"
+        run: |
+          cd /home/matthew/homelab
+          git checkout main
+          git pull
+      - name: "Deploy containers"
+        run: |
           cd /home/matthew/homelab
           docker compose up -d --remove-orphans

README.md

@@ -0,0 +1,45 @@
+# My personal homelab setup
+
+Currently running on a Debian host
+
+## Raw data
+
+Raw data is stored in `/data`, a ZFS data set
+
+```bash
+# Install ZFS
+apt update
+apt install linux-headers-amd64
+apt install zfsutils-linux zfs-dkms
+
+zpool create hdd raidz2 <disks...>
+mkdir -p /data
+zfs create -o mountpoint=/data hdd/data
+zfs set compression=on hdd/data
+```
+
+## act_runner
+
+```bash
+pushd /tmp
+wget https://gitea.com/gitea/act_runner/releases/download/v0.2.13/act_runner-0.2.13-linux-amd64.xz
+xz -d act_runner-0.2.13-linux-amd64.xz
+mv act_runner-0.2.13-linux-amd64 /usr/bin/act_runner
+chmod +x /usr/bin/act_runner
+mkdir /home/matthew/act_runner
+```
+
+## Systemd
+
+```bash
+# Add services
+ln -s $PWD/*.service /etc/systemd/system/
+systemctl enable homelab
+systemctl start homelab
+
+cd ~/act_runner
+/usr/bin/act_runner register --config /home/matthew/homelab/host-runner.yaml
+
+systemctl enable act_runner
+systemctl start act_runner
+```

act_runner.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Gitea Actions runner
+Documentation=https://gitea.com/gitea/act_runner
+After=docker.service
+
+[Service]
+ExecStart=/usr/bin/act_runner daemon --config /home/matthew/homelab/host-runner.yaml
+ExecReload=/bin/kill -s HUP $MAINPID
+WorkingDirectory=/home/matthew/act_runner
+TimeoutSec=0
+RestartSec=10
+Restart=always
+User=matthew
+
+[Install]
+WantedBy=multi-user.target

authelia/configuration.yml

@@ -6,7 +6,7 @@ authentication_backend:
   password_change:
     disable: false
   file:
-    path: '/config/users.yml'
+    path: '/data/users.yml'
     watch: false
     search:
       email: false
@@ -37,18 +37,72 @@ session:
       remember_me: '1d'
 notifier:
   disable_startup_check: false
-  filesystem:
+  # filesystem:
-    filename: '/config/notification.txt'
+  #   filename: '/data/notification.txt'
+  smtp:
+    address: 'smtp://mail:25'
+    sender: 'Authelia <auth@loadingm.xyz>'
+    disable_require_tls: true # Determine if this is needed
+    disable_starttls: true
 storage:
   local:
-    path: '/config/db.sqlite3'
+    path: '/data/db.sqlite3'
 access_control:
   default_policy: deny
   rules:
-    - domain: '*.loadingm.xyz'
+    - domain: 'servarr.loadingm.xyz'
+      subject:
+        - 'group:admins'
       policy: one_factor
+    # - domain: '*.loadingm.xyz'
+    #   policy: one_factor
 server:
   endpoints:
     authz:
       auth-request:
         implementation: 'AuthRequest'
+identity_providers:
+  oidc:
+    # enable_client_debug_messages: false
+    # minimum_parameter_entropy: 8
+    # enforce_pkce: 'public_clients_only'
+    # enable_pkce_plain_challenge: false
+    # enable_jwt_access_token_stateless_introspection: false
+    # discovery_signed_response_alg: 'none'
+    # discovery_signed_response_key_id: ''
+    # require_pushed_authorization_requests: false
+    # authorization_policies:
+    #   policy_name:
+    #     default_policy: 'two_factor'
+    #     rules:
+    #       - policy: 'deny'
+    #         subject: 'group:services'
+    #         networks:
+    #           - '192.168.1.0/24'
+    #           - '192.168.2.51'
+    lifespans:
+      access_token: '1h'
+      authorize_code: '1m'
+      id_token: '1h'
+      refresh_token: '90m'
+    # claims_policies:
+    #   policy_name:
+    #     id_token: []
+    #     access_token: []
+    #     id_token_audience_mode: 'specification'
+    #     custom_claims:
+    #       claim_name:
+    #         name: 'claim_name'
+    #         attribute: 'attribute_name'
+    # scopes:
+    #   scope_name:
+    #     claims: []
+    # cors:
+    #   endpoints:
+    #     - 'authorization'
+    #     - 'token'
+    #     - 'revocation'
+    #     - 'introspection'
+    #   allowed_origins:
+    #     - 'https://example.com'
+    #   allowed_origins_from_client_redirect_uris: false

authelia/secret-template.yml

@@ -0,0 +1,31 @@
+# rand() {
+#   docker run --rm authelia/authelia:latest authelia crypto rand --length $1 --charset rfc3986
+# }
+# hash() {
+#   docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length $1 --random.charset rfc3986
+# }
+identity_providers:
+  oidc:
+    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
+    ## See: https://www.authelia.com/c/oidc
+    clients:
+      - client_name: 'Gitea'
+        client_id: '$(rand 72)'
+        client_secret: '$(hash 72)'
+        public: false
+        authorization_policy: 'two_factor'
+        require_pkce: false
+        pkce_challenge_method: ''
+        redirect_uris:
+          - 'https://gitea.loadingm.xyz/user/oauth2/authelia/callback'
+        scopes:
+          - 'openid'
+          - 'email'
+          - 'profile'
+        response_types:
+          - 'code'
+        grant_types:
+          - 'authorization_code'
+        access_token_signed_response_alg: 'none'
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'client_secret_basic'

build-certs.sh

@@ -1,5 +1,5 @@
 
-docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ \
+docker compose run --rm certbot certonly -v --webroot --webroot-path /var/www/certbot/ \
   -d loadingm.xyz \
   -d gitea.loadingm.xyz \
   -d auth.loadingm.xyz \
@@ -7,4 +7,6 @@ docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certb
   -d jellyseerr.loadingm.xyz \
   -d servarr.loadingm.xyz \
   -d karakeep.loadingm.xyz \
-  -d ollama.loadingm.xyz
+  -d ollama.loadingm.xyz \
+  -d memos.loadingm.xyz \
+  -d gpodder.loadingm.xyz

docker-compose.yaml

@@ -3,13 +3,13 @@ include:
   - ./jellyfin-compose.yaml
 secrets:
   JWT_SECRET:
-    file: './authelia/secrets/JWT_SECRET'
+    file: '/data/authelia/secrets/JWT_SECRET'
   SESSION_SECRET:
-    file: './authelia/secrets/SESSION_SECRET'
+    file: '/data/authelia/secrets/SESSION_SECRET'
   STORAGE_PASSWORD:
-    file: './authelia/secrets/STORAGE_PASSWORD'
+    file: '/data/authelia/secrets/STORAGE_PASSWORD'
   STORAGE_ENCRYPTION_KEY:
-    file: './authelia/secrets/STORAGE_ENCRYPTION_KEY'
+    file: '/data/authelia/secrets/STORAGE_ENCRYPTION_KEY'
 volumes:
   meilisearch:
   karakeep:
@@ -30,6 +30,12 @@ networks:
     external: false
   gitea:
     external: false
+  gpodder:
+    external: false
+  memos:
+    external: false
+  mail:
+    external: false
 services:
   web:
     image: "nginx"
@@ -50,6 +56,8 @@ services:
       - jellyfin-int
       - auth
       - gitea
+      - gpodder
+      - memos
     depends_on:
       - jellyfin
       - ollama-webui
@@ -57,6 +65,11 @@ services:
       - authelia
       - qbittorrent
       - gitea
+      - gpodder
+      - memos
+    logging: &logging
+      options:
+        max-size: "50m"
       # Optional - extra fonts to be used during transcoding with subtitle burn-in
       # - type: bind
       #   source: /usr/local/share/fonts/cu
@@ -68,20 +81,24 @@ services:
       - /data/certbot/www/:/var/www/certbot/:rw
       - /data/certbot/conf/:/etc/letsencrypt/:rw
   authelia:
-    container_name: 'authelia'
     image: 'docker.io/authelia/authelia:latest'
+    command:
+      - 'authelia'
+      - '--config=/config/configuration.yml'
+      - '--config=/data/configuration.yml'
     restart: 'unless-stopped'
     secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_PASSWORD', 'STORAGE_ENCRYPTION_KEY']
     networks:
       - auth
+      - mail
     environment:
       AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
       AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
       AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
     volumes:
-      - './authelia/:/config'
+      - './authelia/:/config:ro'
-  # webdav:
+      - '/data/authelia/:/data'
-  #   image: ""
+    logging: *logging
   minecraft:
     image: itzg/minecraft-server:latest
     tty: true
@@ -104,24 +121,36 @@ services:
         187eca31-2e33-4199-97e0-2286bf35f7f8
       PAUSE_WHEN_EMPTY_SECONDS: "20"
       ENABLE_ROLLING_LOGS: "true"
+      REMOVE_OLD_MODS: "TRUE"
+    logging: *logging
     volumes:
-      - "/opt/minecraft:/data"
+      - "/data/minecraft/data:/data"
+      - "/data/mincraft/mods:/mods"
+      - "/data/mincraft/plugins:/plugins"
+      - "/data/mincraft/config:/config"
   gitea:
-    image: gitea/gitea:latest
+    image: docker.gitea.com/gitea:1.24
     environment:
-      - USER_UID=1000
+      - USER_UID=106
-      - USER_GID=1000
+      - USER_GID=110
+      - ENABLE_NOTIFY_MAIL=true
+      # - 
     restart: unless-stopped
     networks:
       - gitea
+      - mail
     volumes:
       - /data/gitea/data:/data
+      - /home/git/.ssh/:/data/git/.ssh
       - /etc/timezone:/etc/timezone:ro
       - /etc/localtime:/etc/localtime:ro
     ports:
       - "222:22"
+    logging: *logging
+    depends_on:
+      - authelia
   gitea-runner:
-    image: docker.io/gitea/act_runner:nightly
+    image: docker.gitea.com/act_runner:latest
     restart: unless-stopped
     networks:
       - gitea
@@ -133,6 +162,53 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
       - /data/gitea/runner/:/data
       - ./gitea-runner.yaml:/config.yaml
+    logging: *logging
+    depends_on:
+      - gitea
+  gpodder:
+    image: gitea.loadingm.xyz/the10thwiz/gpodder-rs:latest
+    restart: unless-stopped
+    environment:
+      - ROCKET_SECRET_KEY=${GPODDER_SECRET_KEY}
+    networks:
+      - gpodder
+    volumes:
+      - /data/gpodder:/data
+    logging: *logging
+  tftp:
+    image: kaczmar2/tftp-server
+    restart: unless-stopped
+    environment:
+      - ENABLE_WEB_SERVER=false
+    network_mode: host
+    volumes:
+      - /data/tftp:/srv/tftp:ro
+      - /etc/localtime:/etc/localtime:ro
+    logging: *logging
+  memos:
+    image: neosmemo/memos:stable
+    networks:
+      - memos
+    volumes:
+      - /data/memos:/var/opt/memos
+    environment:
+      - MEMOS_MODE=prod
+      - MEMOS_PORT=5230
+    restart: unless-stopped
+    logging: *logging
+  mail:
+    image: boky/postfix
+    restart: unless-stopped
+    logging: *logging
+    environment:
+      - ALLOWED_SENDER_DOMAINS=loadingm.xyz
+      - POSTFIX_myhostname=mail
+    volumes:
+      - /data/mail:/etc/opendkim/keys
+    networks:
+      - mail
+    ports:
+      - 127.0.0.1:25:25
   # calibre:
   #   image: "linuxserver/calibre-web"
   # 5d-diplomacy-frontend:

gitea-runner.yaml

@@ -45,6 +45,7 @@ runner:
     - "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
     - "ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04"
     - "rustup-all:docker://gitea.loadingm.xyz/the10thwiz/rustup:latest"
+    - "rustup-all-musl:docker://gitea.loadingm.xyz/the10thwiz/rustup:musl-latest"
     - "rustup-stable:docker://gitea.loadingm.xyz/the10thwiz/rustup:stable"
     - "rustup-beta:docker://gitea.loadingm.xyz/the10thwiz/rustup:beta"
     - "rustup-nightly:docker://gitea.loadingm.xyz/the10thwiz/rustup:nightly"

homelab.service

@@ -0,0 +1,20 @@
+[Unit]
+Description=Homelab services
+Requires=docker.service
+After=docker.service
+
+[Service]
+Restart=always
+User=root
+Group=docker
+TimeoutStopSec=15
+WorkingDirectory=/home/matthew/homelab
+# Shutdown container (if running) when unit is started
+ExecStartPre=/usr/bin/docker compose -f docker-compose.yaml down
+# Start container when unit is started
+ExecStart=/usr/bin/docker compose -f docker-compose.yaml up
+# Stop container when unit is stopped
+ExecStop=/usr/bin/docker compose -f docker-compose.yaml down
+
+[Install]
+WantedBy=multi-user.target

jellyfin-compose.yaml

@@ -1,7 +1,37 @@
 services:
+  gluetun:
+    image: qmcgaw/gluetun
+    cap_add:
+      - NET_ADMIN
+    ports:
+      - 8080:8080
+      - 51820:51820
+      - 51820:51820/udp
+      - 46931:46931
+      - 46931:46931/udp
+    networks:
+      - jellyfin-int
+    environment:
+      - VPN_SERVICE_PROVIDER=custom
+      - VPN_TYPE=wireguard
+      - VPN_ENDPOINT_IP=${ENDPOINT_IP}
+      - VPN_ENDPOINT_PORT=${ENDPOINT_PORT}
+      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDR}
+      - VPN_DNS_ADDRESS=${DNS_ADDRESS}
+      - WIREGUARD_PUBLIC_KEY=${PUBLIC_KEY}
+      - WIREGUARD_PRIVATE_KEY=${PRIVATE_KEY}
+      - VPN_PORT_FORWARDING=on
+      - VPN_PORT_FORWARDING_PROVIDER=protonvpn
+      - VPN_PORT_FORWARDING_STATUS_FILE=/tmp/gluetun/forwarded_port
+      - TZ=${TZ}
+      - UPDATER_PERIOD=24h
+    restart: always
+    volumes:
+      - /data/jellyfin:/data/jellyfin
+      - /data/jellyfin/gluetun:/tmp/gluetun
   qbittorrent:
     image: lscr.io/linuxserver/qbittorrent:latest
-    container_name: qbittorrent
+    network_mode: service:gluetun
     environment:
       - WEBUI_PORT=8080
       - PUID=0
@@ -11,17 +41,18 @@ services:
     volumes:
       - /data/jellyfin:/data/jellyfin
       - /data/jellyfin/configs/qbittorrent:/config
-      - /data/jellyfin/qbittorrent/downloads:/downloads
+      # - /data/jellyfin/qbittorrent/downloads:/data/jellyfin/qbittorrent/downloads
-    ports:
+    # ports:
-      - 8080:8080
+    #   - 8080:8080
-      - 6881:6881
+    #   - 6881:6881
-      - 6881:6881/udp
+    #   - 6881:6881/udp
-    networks:
+    # networks:
-      - jellyfin-int
+    #   - jellyfin-int
+    depends_on:
+      - gluetun
     restart: unless-stopped
   flaresolverr:
     image: ghcr.io/flaresolverr/flaresolverr:latest
-    container_name: flaresolverr
     environment:
       - LOG_LEVEL=${LOG_LEVEL:-info}
       - LOG_HTML=${LOG_HTML:-false}
@@ -36,7 +67,6 @@ services:
     restart: unless-stopped
   prowlarr:
     image: lscr.io/linuxserver/prowlarr:latest
-    container_name: prowlarr
     environment:
       - PUID=0
       - PGID=0
@@ -50,7 +80,6 @@ services:
     restart: unless-stopped
   jackett:
     image: lscr.io/linuxserver/jackett:latest
-    container_name: jackett
     environment:
       - PUID=0
       - PGID=0
@@ -64,7 +93,6 @@ services:
     restart: unless-stopped
   sonarr:
     image: lscr.io/linuxserver/sonarr:latest
-    container_name: sonarr
     environment:
       - PUID=0
       - PGID=0
@@ -81,7 +109,6 @@ services:
     restart: unless-stopped
   radarr:
     image: lscr.io/linuxserver/radarr:latest
-    container_name: radarr
     environment:
       - PUID=0
       - PGID=0
@@ -98,7 +125,6 @@ services:
     restart: unless-stopped
   jellyfin:
     image: lscr.io/linuxserver/jellyfin:latest
-    container_name: jellyfin
     environment:
       - PUID=0
       - PGID=0
@@ -121,9 +147,20 @@ services:
       - /data/jellyfin/radarr/movies:/data/movies
       - /data/jellyfin/qbittorrent/downloads:/data/media_downloads
     restart: unless-stopped
+    group_add:
+      - '993'
+    devices:
+      - /dev/dri/renderD128:/dev/dri/renderD128
+    # runtime: nvidia
+    # deploy:
+    #   resources:
+    #     reservations:
+    #       devices:
+    #         - driver: intel
+    #           count: all
+    #           capabilities: [gpu]
   jellyseerr:
     image: fallenbagel/jellyseerr:latest
-    container_name: jellyseerr
     environment:
       - LOG_LEVEL=debug
       - TZ=${TZ}

karakeep-compose.yaml

@@ -52,11 +52,10 @@ services:
     networks:
       - karakeep-int
   ollama:
-    image: docker.io/ollama/ollama:latest
+    image: docker.io/ollama/ollama:0.11.10
     volumes:
       - .:/code
       - /data/library/ollama/ollama:/root/.ollama
-    container_name: ollama
     pull_policy: always
     tty: true
     restart: always
@@ -69,7 +68,6 @@ services:
 
   ollama-webui:
     image: ghcr.io/open-webui/open-webui:main
-    container_name: ollama-webui
     volumes:
       - /data/library/ollama/ollama-webui:/app/backend/data
     depends_on:

nginx/sites-enabled/gpodder

@@ -0,0 +1,80 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name gpodder.loadingm.xyz;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # Uncomment to redirect HTTP to HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# Default server configuration
+#
+server {
+
+	# SSL configuration
+	listen 443 ssl;
+	listen [::]:443 ssl;
+    http2 on;
+
+	server_name gpodder.loadingm.xyz;
+
+    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
+    # include /etc/letsencrypt/options-ssl-nginx.conf;
+    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
+
+    # Security / XSS Mitigation Headers
+    add_header X-Content-Type-Options "nosniff";
+
+    # Permissions policy. May cause issues with some clients
+    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+    # Content Security Policy
+    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+    # Enforces https content and restricts JS/CSS to origin
+    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+    add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        # Proxy main karakeep traffic
+        proxy_pass http://gpodder:8000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+
+        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+        proxy_buffering off;
+    }
+}

nginx/sites-enabled/karakeep

@@ -40,7 +40,17 @@ server {
     # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
     # Enforces https content and restricts JS/CSS to origin
     # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
-    add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+    set $CSP "default-src https: data: blob:";
+    set $CSP "$CSP; img-src 'self' https://* data:";
+    set $CSP "$CSP; style-src 'self' 'unsafe-inline' data:";
+    set $CSP "$CSP; style-src-elem 'self' 'unsafe-inline' data:";
+    set $CSP "$CSP; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:";
+    set $CSP "$CSP; worker-src 'self' blob: data:";
+    set $CSP "$CSP; connect-src 'self' data:";
+    set $CSP "$CSP; object-src 'none' data:";
+    set $CSP "$CSP; frame-ancestors 'self' data:";
+    set $CSP "$CSP; font-src 'self' data:";
+    add_header Content-Security-Policy $CSP;
 
     location /.well-known/acme-challenge/ {
         root /var/www/certbot;
@@ -55,6 +65,7 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
         proxy_set_header X-Forwarded-Protocol $scheme;
         proxy_set_header X-Forwarded-Host $http_host;
+        proxy_hide_header Content-Security-Policy;
 
         # Disable buffering when the nginx proxy gets very resource heavy upon streaming
         proxy_buffering off;

nginx/sites-enabled/memos

@@ -0,0 +1,62 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name memos.loadingm.xyz;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    # Uncomment to redirect HTTP to HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    # Nginx versions 1.25+
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+
+    server_name memos.loadingm.xyz;
+
+    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
+    client_max_body_size 200G;
+
+    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
+    # include /etc/letsencrypt/options-ssl-nginx.conf;
+    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
+
+    # Security / XSS Mitigation Headers
+    add_header X-Content-Type-Options "nosniff";
+
+    # Permissions policy. May cause issues with some clients
+    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+    # Content Security Policy
+    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+    # Enforces https content and restricts JS/CSS to origin
+    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+        add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        # Proxy main karakeep traffic
+        proxy_pass http://memos:5230;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+
+        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+        proxy_buffering off;
+    }
+}

nginx/sites-enabled/servarr

@@ -13,7 +13,8 @@ server {
     location /qbt/ {
         # include /etc/nginx/snippets/proxy.conf;
         include /etc/nginx/snippets/authelia-authrequest.conf;
-        proxy_pass http://qbittorrent:8080/;
+        # proxy_pass http://qbittorrent:8080/;
+        proxy_pass http://gluetun:8080/;
         proxy_http_version 1.1;
         proxy_set_header   Host               $proxy_host;
         proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;