the10thwiz/Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: the10thwiz:aa4917ec4d045cb994e4a8bbd52e717be5e78b29
Branches Tags
the10thwiz:main
..
compare: the10thwiz:main
Branches Tags
the10thwiz:main

7 Commits
aa4917ec4d ... main

Author SHA1 Message Date
Matthew Pomes
369079de16 Update minecraft settings 2026-02-15 04:34:21 -06:00
Matthew Pomes
710722b77e Add matrix a few minor changes 2026-02-11 21:19:18 -06:00
Matthew Pomes
4b572faf1d Add immich and switch to nginx-acme 2026-01-25 02:15:43 -06:00
Matthew Pomes
e269dac336 Update karakeep config 2026-01-25 00:51:14 -06:00
Matthew Pomes
ea65ae941b Add gpu to ollama, and fix gui websocket issue 2026-01-20 00:12:07 -06:00
Matthew Pomes
437de6be67 Minor updates / tweaks 2026-01-19 18:55:02 -06:00
Matthew Pomes
bf652175f9 Fix nginx headers for vaultwarden 2026-01-19 18:54:31 -06:00
25 changed files with 397 additions and 371 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -1,4 +1,5 @@
.env
*.env
authelia/secrets/
authelia/notification.txt
authelia/db.sqlite3

2
authelia/configuration.yml
View File

@@ -52,7 +52,7 @@ access_control:
rules:
- domain: 'servarr.loadingm.xyz'
subject:
- 'group:admins'
- 'group:admin'
policy: one_factor
# - domain: '*.loadingm.xyz'
# policy: one_factor

13
build-certs.sh
View File

@@ -1,13 +0,0 @@
docker compose run --rm certbot certonly -v --webroot --webroot-path /var/www/certbot/ \
-d loadingm.xyz \
-d gitea.loadingm.xyz \
-d auth.loadingm.xyz \
-d jellyfin.loadingm.xyz \
-d jellyseerr.loadingm.xyz \
-d servarr.loadingm.xyz \
-d karakeep.loadingm.xyz \
-d ollama.loadingm.xyz \
-d memos.loadingm.xyz \
-d bitwarden.loadingm.xyz \
-d gpodder.loadingm.xyz

92
docker-compose.yaml
View File

@@ -1,6 +1,8 @@
include:
- ./karakeep-compose.yaml
- ./jellyfin-compose.yaml
- ./immich-compose.yaml
- ./matrix-compose.yaml
secrets:
JWT_SECRET:
file: '/data/authelia/secrets/JWT_SECRET'
@@ -14,34 +16,55 @@ volumes:
meilisearch:
karakeep:
bitwarden:
immich-model-cache:
nginx:
networks:
karakeep:
external: false
enable_ipv6: true
karakeep-int:
external: false
enable_ipv6: true
ollama:
external: false
enable_ipv6: true
ollama-int:
external: false
enable_ipv6: true
jellyfin:
external: false
enable_ipv6: true
jellyfin-int:
external: false
enable_ipv6: true
auth:
external: false
enable_ipv6: true
gitea:
external: false
enable_ipv6: true
gpodder:
external: false
enable_ipv6: true
memos:
external: false
enable_ipv6: true
mail:
external: false
enable_ipv6: true
bitwarden:
external: false
enable_ipv6: true
immich:
external: false
enable_ipv6: true
matrix:
external: false
enable_ipv6: true
services:
web:
image: "nginx"
build:
dockerfile: ./nginx-dockerfile
restart: unless-stopped
ports:
- 80:80
@@ -49,9 +72,7 @@ services:
volumes:
- ./nginx:/etc/nginx:ro
- /data/site:/data/site:ro
- /data/certbot/www/:/var/www/certbot/:ro
# - /etc/letsencrypt:/etc/letsencrypt:ro
- /data/certbot/conf:/etc/letsencrypt:ro
- nginx:/var/cache/nginx/
networks:
- karakeep
- ollama
@@ -62,6 +83,8 @@ services:
- gpodder
- memos
- bitwarden
- matrix
- immich
depends_on:
- jellyfin
- ollama-webui
@@ -71,6 +94,7 @@ services:
- gitea
- gpodder
- memos
- matrix-server
logging: &logging
options:
max-size: "50m"
@@ -79,11 +103,6 @@ services:
# source: /usr/local/share/fonts/cu
# target: /usr/local/share/fonts/custom
# read_only: true
certbot:
image: certbot/certbot:latest
volumes:
- /data/certbot/www/:/var/www/certbot/:rw
- /data/certbot/conf/:/etc/letsencrypt/:rw
authelia:
image: 'docker.io/authelia/authelia:latest'
command:
@@ -110,14 +129,19 @@ services:
restart: unless-stopped
ports:
- "25565:25565"
- "24454:24454/udp"
environment:
EULA: "TRUE"
TYPE: "FABRIC"
MEMORY: "2048M"
MEMORY: "4G"
MOTD: "Loading server..."
LEVEL: "world"
USE_MEOWICE_FLAGS: "true"
DIFFICULTY: "3"
VERSION: "1.21.11"
# LEVEL: "world"
LEVEL: "house"
SEED: "881949285698121329"
# USE_MEOWICE_FLAGS: "true"
DIFFICULTY: "normal"
MODE: "survival"
OPS: |-
187eca31-2e33-4199-97e0-2286bf35f7f8
ENABLE_WHITELIST: "true"
@@ -129,9 +153,9 @@ services:
logging: *logging
volumes:
- "/data/minecraft/data:/data"
- "/data/mincraft/mods:/mods"
- "/data/mincraft/plugins:/plugins"
- "/data/mincraft/config:/config"
- "/data/minecraft/mods:/mods"
- "/data/minecraft/plugins:/plugins"
- "/data/minecraft/config:/config"
gitea:
image: docker.gitea.com/gitea:1.24
environment:
@@ -206,13 +230,46 @@ services:
logging: *logging
environment:
- ALLOWED_SENDER_DOMAINS=loadingm.xyz
- POSTFIX_myhostname=mail
# - POSTFIX_myhostname=mail
- POSTFIX_myhostname=loadingm.xyz
- POSTFIX_mydestination=loadingm.xyz,loading-hpdl380g10.loadingm.xyz
- MASQUERADED_DOMAINS=loadingm.xyz,loading-hpdl380g10.loadingm.xyz
- SMTPD_SASL_USERS="a:123,b:123"
volumes:
- /data/mail:/etc/opendkim/keys
networks:
- mail
ports:
- 127.0.0.1:25:25
# mail:
# image: ghcr.io/docker-mailserver/docker-mailserver:latest
# container_name: mailserver
# # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
# hostname: mail.loadingm.xyz
# env_file: mailserver.env
# # More information about the mail-server ports:
# # https://docker-mailserver.github.io/docker-mailserver/latest/config/security/understanding-the-ports/
# ports:
# - "25:25" # SMTP (explicit TLS => STARTTLS, Authentication is DISABLED => use port 465/587 instead)
# - "143:143" # IMAP4 (explicit TLS => STARTTLS)
# - "465:465" # ESMTP (implicit TLS)
# - "587:587" # ESMTP (explicit TLS => STARTTLS)
# - "993:993" # IMAP4 (implicit TLS)
# volumes:
# - /data/dms/mail-data/:/var/mail/
# - /data/dms/mail-state/:/var/mail-state/
# - /data/dms/mail-logs/:/var/log/mail/
# - /data/dms/config/:/tmp/docker-mailserver/
# - /etc/localtime:/etc/localtime:ro
# restart: always
# stop_grace_period: 1m
# # Uncomment if using `ENABLE_FAIL2BAN=1`:
# # cap_add:
# # - NET_ADMIN
# healthcheck:
# test: "ss --listening --ipv4 --tcp | grep --silent ':smtp' || exit 1"
# timeout: 3s
# retries: 0
bitwarden:
# env_file:
# - bitwarden.env
@@ -222,6 +279,7 @@ services:
SMTP_FROM: bitwarden@loadingm.xyz
SMTP_SECURITY: off
SIGNUPS_ALLOWED: false
# ADMIN_TOKEN: "google straining barracuda prescribe augmented bucket"
networks:
- bitwarden
- mail

66
immich-compose.yaml Normal file
View File

@@ -0,0 +1,66 @@
services:
immich-server:
image: ghcr.io/immich-app/immich-server:v2
# extends:
# file: hwaccel.transcoding.yml
# service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
volumes:
- /data/immich/uploads:/data
- /etc/localtime:/etc/localtime:ro
environment:
DB_USERNAME: postgres
DB_PASSWORD: nVmwTyOKlcEa6VUc
DB_DATABASE_NAME: immich
DB_HOSTNAME: immich-db
REDIS_HOSTNAME: immich-redis
networks:
- immich
depends_on:
- immich-redis
- immich-db
restart: always
healthcheck:
disable: false
immich-machine-learning:
# For hardware acceleration, add one of -[armnn, cuda, rocm, openvino, rknn] to the image tag.
# Example tag: ${IMMICH_VERSION:-v2}-cuda
image: ghcr.io/immich-app/immich-machine-learning:v2
# extends: # uncomment this section for hardware acceleration - see https://docs.immich.app/features/ml-hardware-acceleration
# file: hwaccel.ml.yml
# service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
volumes:
- immich-model-cache:/cache
environment:
DB_USERNAME: postgres
DB_PASSWORD: nVmwTyOKlcEa6VUc
DB_DATABASE_NAME: immich
networks:
- immich
restart: always
healthcheck:
disable: false
immich-redis:
image: docker.io/valkey/valkey:9@sha256:fb8d272e529ea567b9bf1302245796f21a2672b8368ca3fcb938ac334e613c8f
healthcheck:
test: redis-cli ping || exit 1
networks:
- immich
restart: always
immich-db:
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: nVmwTyOKlcEa6VUc
POSTGRES_DB: immich
POSTGRES_INITDB_ARGS: '--data-checksums'
# Uncomment the DB_STORAGE_TYPE: 'HDD' var if your database isn't stored on SSDs
# DB_STORAGE_TYPE: 'HDD'
volumes:
- /data/immich/postgres:/var/lib/postgresql/data
networks:
- immich
shm_size: 128mb
restart: always

25
jellyfin-compose.yaml
View File

@@ -24,6 +24,8 @@ services:
- VPN_PORT_FORWARDING=on
- VPN_PORT_FORWARDING_PROVIDER=protonvpn
- VPN_PORT_FORWARDING_STATUS_FILE=/tmp/gluetun/forwarded_port
- VPN_PORT_FORWARDING_UP_COMMAND=/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":{{PORT}},\"current_network_interface\":\"{{VPN_INTERFACE}}\",\"random_port\":false,\"upnp\":false}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
- VPN_PORT_FORWARDING_DOWN_COMMAND=/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":0,\"current_network_interface\":\"lo"}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
- TZ=${TZ}
- UPDATER_PERIOD=24h
restart: always
@@ -61,6 +63,8 @@ services:
- TZ=${TZ}
#- LANG=fr_FR
#- LANG=en_US
# volumes:
# - /tmp/flaresolver:/tmp
ports:
- 8191:8191
networks:
@@ -104,8 +108,8 @@ services:
- /data/jellyfin/configs/sonarr:/config
- /data/jellyfin/sonarr/tv:/tv
- /data/jellyfin/qbittorrent/downloads:/downloads
ports:
- 8989:8989
# ports:
# - 8989:8989
networks:
- jellyfin-int
restart: unless-stopped
@@ -120,8 +124,8 @@ services:
- /data/jellyfin/configs/radarr:/config
- /data/jellyfin/radarr/movies:/movies
- /data/jellyfin/qbittorrent/downloads:/downloads
ports:
- 7878:7878
# ports:
# - 7878:7878
networks:
- jellyfin-int
restart: unless-stopped
@@ -133,10 +137,9 @@ services:
- TZ=${TZ}
# - NVIDIA_VISIBLE_DEVICES=all
ports:
- 8096:8096
- 8920:8920
# - 8096:8096
# - 8920:8920
- 7359:7359/udp
- 1900:1900/udp
networks:
- jellyfin
- jellyfin-int
@@ -151,8 +154,8 @@ services:
restart: unless-stopped
group_add:
- '993'
# devices:
# - /dev/dri/renderD128:/dev/dri/renderD128
devices:
- /dev/dri/renderD128:/dev/dri/renderD128
# runtime: nvidia
# deploy:
# resources:
@@ -166,8 +169,8 @@ services:
environment:
- LOG_LEVEL=debug
- TZ=${TZ}
ports:
- 5055:5055
# ports:
# - 5055:5055
volumes:
- /data/jellyfin/configs/jellyseerr:/app/config
restart: unless-stopped

11
karakeep-compose.yaml
View File

@@ -21,7 +21,9 @@ services:
INFERENCE_OUTPUT_SCHEMA: json
INFERENCE_CONTEXT_LENGTH: 1024
INFERENCE_JOB_TIMEOUT_SEC: 120
LOG_LEVEL: debug
CRAWLER_FULL_PAGE_ARCHIVE: true
BROWSER_COOKIE_PATH: /data/cookies.json
LOG_LEVEL: info
# You almost never want to change the value of the DATA_DIR variable.
# If you want to mount a custom directory, change the volume mapping above instead.
DATA_DIR: /data # DON'T CHANGE THIS
@@ -53,11 +55,14 @@ services:
networks:
- karakeep-int
ollama:
image: docker.io/ollama/ollama:0.11.10
image: docker.io/ollama/ollama:rocm
volumes:
- .:/code
- /data/library/ollama/ollama:/root/.ollama
pull_policy: always
devices:
- /dev/dri:/dev/dri
- /dev/kfd:/dev/kfd
# pull_policy: always
tty: true
restart: always
environment:

27
matrix-compose.yaml Normal file
View File

@@ -0,0 +1,27 @@
services:
matrix-server:
image: forgejo.ellis.link/continuwuation/continuwuity
restart: unless-stopped
environment:
CONTINUWUITY_SERVER_NAME: "matrix.loadingm.xyz"
CONTINUWUITY_WELL_KNOWN__SERVER: "matrix.loadingm.xyz:443"
CONTINUWUITY_ALLOW_REGISTRATION: true
CONTINUWUITY_REGISTRATION_TOKEN: "qFz7aekKxgXdd6SpQ09llv52+S4="
CONTINUWUITY_ALLOW_FEDERATION: 'true'
CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org", "mozilla.org"]'
CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
CONTINUWUITY_PORT: 6167
CONTINUWUITY_ADDRESS: 0.0.0.0
volumes:
- /data/matrix/db:/var/lib/continuwuity
networks:
- matrix
# ports:
# - 8448:6167
turn:
image: docker.io/coturn/coturn
restart: unless-stopped
network_mode: "host"
volumes:
- ./coturn.conf:/etc/coturn/turnserver.conf:ro

2
nginx-dockerfile Normal file
View File

@@ -0,0 +1,2 @@
FROM nginx
RUN apt install nginx-module-acme

15
nginx/nginx.conf
View File

@@ -3,6 +3,7 @@ worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
load_module /usr/lib/nginx/modules/ngx_http_acme_module.so;
events {
worker_connections 768;
@@ -10,6 +11,14 @@ events {
}
http {
resolver 127.0.0.11:53;
acme_issuer letsencrypt {
uri https://acme-v02.api.letsencrypt.org/directory;
contact matthew.pomes@pm.me;
state_path /var/cache/nginx/acme-letsencrypt;
accept_terms_of_service;
}
##
# Basic Settings
@@ -57,6 +66,12 @@ http {
##
include /etc/nginx/sites-enabled/*;
server {
listen 80;
location / {
return 301 https://$host$request_uri;
}
}
}

19
nginx/sites-available/5d-diplomacy
View File

@@ -1,17 +1,8 @@
server {
if ($host = 5d-diplomacy.loadingm.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name 5d-diplomacy.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
@@ -25,16 +16,14 @@ server {
http2 on;
server_name 5d-diplomacy.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";

29
nginx/sites-enabled/auth
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name auth.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on;
server_name auth.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -42,10 +25,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://authelia:9091;

62
nginx/sites-enabled/bitwarden
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name bitwarden.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on;
server_name bitwarden.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -40,20 +23,28 @@ server {
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
set $CSP "default-src https: data: blob:";
set $CSP "$CSP; img-src 'self' https://* data:";
set $CSP "$CSP; style-src 'self' 'unsafe-inline' data:";
set $CSP "$CSP; style-src-elem 'self' 'unsafe-inline' data:";
set $CSP "$CSP; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:";
set $CSP "$CSP; worker-src 'self' blob: data:";
set $CSP "$CSP; connect-src 'self' data:";
set $CSP "$CSP; object-src 'none' data:";
set $CSP "$CSP; frame-ancestors 'self' data:";
set $CSP "$CSP; font-src 'self' data:";
add_header Content-Security-Policy $CSP;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
# set $CSP "default-src https: data: blob:";
# set $CSP "$CSP; img-src 'self' https://* data:";
# set $CSP "$CSP; style-src 'self' 'unsafe-inline' data:";
# set $CSP "$CSP; style-src-elem 'self' 'unsafe-inline' data:";
# set $CSP "$CSP; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:";
# set $CSP "$CSP; worker-src 'self' blob: data:";
# set $CSP "$CSP; connect-src 'self' data:";
# set $CSP "$CSP; object-src 'none' data:";
# set $CSP "$CSP; frame-ancestors 'self' data:";
# set $CSP "$CSP; font-src 'self' data:";
# add_header Content-Security-Policy $CSP;
location /notifications/hub {
proxy_pass http://bitwarden:80;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
location / {
@@ -65,7 +56,6 @@ server {
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_hide_header Content-Security-Policy;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;

29
nginx/sites-enabled/gitea
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name gitea.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on;
server_name gitea.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -42,10 +25,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://gitea:3000;

50
nginx/sites-enabled/gpodder
View File

@@ -1,52 +1,14 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
server {
listen 80;
listen [::]:80;
server_name gpodder.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# Default server configuration
#
server {
# SSL configuration
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name gpodder.loadingm.xyz;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -60,10 +22,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://gpodder:8000;

53
nginx/sites-enabled/immich Normal file
View File

@@ -0,0 +1,53 @@
server {
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name immich.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /api/socket.io {
proxy_pass http://immich-server:2283;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://immich-server:2283;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
}

29
nginx/sites-enabled/jellyfin
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name jellyfin.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on;
server_name jellyfin.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -42,10 +25,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main Jellyfin traffic
proxy_pass http://jellyfin:8096;

29
nginx/sites-enabled/jellyseerr
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name jellyseerr.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -20,26 +5,20 @@ server {
http2 on;
server_name jellyseerr.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin

29
nginx/sites-enabled/karakeep
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name karakeep.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on;
server_name karakeep.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -52,10 +35,6 @@ server {
set $CSP "$CSP; font-src 'self' data:";
add_header Content-Security-Policy $CSP;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://karakeep-web:3000;

53
nginx/sites-enabled/matrix Normal file
View File

@@ -0,0 +1,53 @@
server {
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name matrix.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
# location /api/socket.io {
# proxy_pass http://matrix-server:6167;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Protocol $scheme;
# proxy_set_header X-Forwarded-Host $http_host;
# }
location / {
# Proxy main karakeep traffic
proxy_pass http://matrix-server:6167;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
}

29
nginx/sites-enabled/memos
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name memos.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
# Nginx versions 1.25+
listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on;
server_name memos.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
@@ -42,10 +25,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://memos:5230;

18
nginx/sites-enabled/ollama
View File

@@ -5,9 +5,23 @@ server {
http2 on;
server_name ollama.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
include /etc/nginx/snippets/letsencrypt.conf;
# include /etc/nginx/snippets/authelia-location.conf;
location /ws/ {
proxy_pass http://ollama-webui:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
location / {
include /etc/nginx/snippets/proxy.conf;

53
nginx/sites-enabled/primary
View File

@@ -1,52 +1,14 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
server {
listen 80 default_server;
listen [::]:80;
server_name loadingm.xyz *.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# Default server configuration
#
server {
# SSL configuration
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
http2 on;
server_name loadingm.xyz;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
root /data/site;
@@ -60,11 +22,4 @@ server {
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

7
nginx/sites-enabled/servarr
View File

@@ -1,13 +1,14 @@
server {
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name servarr.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
include /etc/nginx/snippets/letsencrypt.conf;
include /etc/nginx/snippets/authelia-location.conf;
location /qbt/ {

25
nginx/snippets/letsencrypt.conf
View File

@@ -1,25 +0,0 @@
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}