the10thwiz/Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: the10thwiz:aa4917ec4d045cb994e4a8bbd52e717be5e78b29
Branches Tags
the10thwiz:main
..
compare: the10thwiz:main
Branches Tags
the10thwiz:main

11 Commits
aa4917ec4d ... main

Author SHA1 Message Date
Matthew Pomes
d4aeb6b50a Setup host mounts properly 2026-04-16 00:41:29 -05:00
Matthew Pomes
a7be996aec Add wasm & /data/site volume to gitea actions 2026-04-15 23:44:38 -05:00
Matthew Pomes
dc9075fc9b Update minecraft version 2026-04-15 23:31:27 -05:00
Matthew Pomes
3cfefe6283 Updates for various parts 2026-04-06 23:24:48 -05:00
Matthew Pomes
369079de16 Update minecraft settings 2026-02-15 04:34:21 -06:00
Matthew Pomes
710722b77e Add matrix a few minor changes 2026-02-11 21:19:18 -06:00
Matthew Pomes
4b572faf1d Add immich and switch to nginx-acme 2026-01-25 02:15:43 -06:00
Matthew Pomes
e269dac336 Update karakeep config 2026-01-25 00:51:14 -06:00
Matthew Pomes
ea65ae941b Add gpu to ollama, and fix gui websocket issue 2026-01-20 00:12:07 -06:00
Matthew Pomes
437de6be67 Minor updates / tweaks 2026-01-19 18:55:02 -06:00
Matthew Pomes
bf652175f9 Fix nginx headers for vaultwarden 2026-01-19 18:54:31 -06:00
26 changed files with 413 additions and 376 deletions
Expand all files Collapse all files

1
.gitignore vendored
View File

@@ -1,4 +1,5 @@
.env .env
*.env
authelia/secrets/ authelia/secrets/
authelia/notification.txt authelia/notification.txt
authelia/db.sqlite3 authelia/db.sqlite3

2
authelia/configuration.yml
View File

@@ -52,7 +52,7 @@ access_control:
rules: rules:
- domain: 'servarr.loadingm.xyz' - domain: 'servarr.loadingm.xyz'
subject: subject:
- 'group:admins' - 'group:admin'
policy: one_factor policy: one_factor
# - domain: '*.loadingm.xyz' # - domain: '*.loadingm.xyz'
# policy: one_factor # policy: one_factor

13
build-certs.sh
View File

@@ -1,13 +0,0 @@
docker compose run --rm certbot certonly -v --webroot --webroot-path /var/www/certbot/ \
-d loadingm.xyz \
-d gitea.loadingm.xyz \
-d auth.loadingm.xyz \
-d jellyfin.loadingm.xyz \
-d jellyseerr.loadingm.xyz \
-d servarr.loadingm.xyz \
-d karakeep.loadingm.xyz \
-d ollama.loadingm.xyz \
-d memos.loadingm.xyz \
-d bitwarden.loadingm.xyz \
-d gpodder.loadingm.xyz

98
docker-compose.yaml
View File

@@ -1,6 +1,8 @@
include: include:
- ./karakeep-compose.yaml - ./karakeep-compose.yaml
- ./jellyfin-compose.yaml - ./jellyfin-compose.yaml
- ./immich-compose.yaml
- ./matrix-compose.yaml
secrets: secrets:
JWT_SECRET: JWT_SECRET:
file: '/data/authelia/secrets/JWT_SECRET' file: '/data/authelia/secrets/JWT_SECRET'
@@ -14,34 +16,55 @@ volumes:
meilisearch: meilisearch:
karakeep: karakeep:
bitwarden: bitwarden:
immich-model-cache:
nginx:
networks: networks:
karakeep: karakeep:
external: false external: false
enable_ipv6: true
karakeep-int: karakeep-int:
external: false external: false
enable_ipv6: true
ollama: ollama:
external: false external: false
enable_ipv6: true
ollama-int: ollama-int:
external: false external: false
enable_ipv6: true
jellyfin: jellyfin:
external: false external: false
enable_ipv6: true
jellyfin-int: jellyfin-int:
external: false external: false
enable_ipv6: true
auth: auth:
external: false external: false
enable_ipv6: true
gitea: gitea:
external: false external: false
enable_ipv6: true
gpodder: gpodder:
external: false external: false
enable_ipv6: true
memos: memos:
external: false external: false
enable_ipv6: true
mail: mail:
external: false external: false
enable_ipv6: true
bitwarden: bitwarden:
external: false external: false
enable_ipv6: true
immich:
external: false
enable_ipv6: true
matrix:
external: false
enable_ipv6: true
services: services:
web: web:
image: "nginx" build:
dockerfile: ./nginx-dockerfile
restart: unless-stopped restart: unless-stopped
ports: ports:
- 80:80 - 80:80
@@ -49,9 +72,7 @@ services:
volumes: volumes:
- ./nginx:/etc/nginx:ro - ./nginx:/etc/nginx:ro
- /data/site:/data/site:ro - /data/site:/data/site:ro
- /data/certbot/www/:/var/www/certbot/:ro - nginx:/var/cache/nginx/
# - /etc/letsencrypt:/etc/letsencrypt:ro
- /data/certbot/conf:/etc/letsencrypt:ro
networks: networks:
- karakeep - karakeep
- ollama - ollama
@@ -62,6 +83,8 @@ services:
- gpodder - gpodder
- memos - memos
- bitwarden - bitwarden
- matrix
- immich
depends_on: depends_on:
- jellyfin - jellyfin
- ollama-webui - ollama-webui
@@ -71,6 +94,7 @@ services:
- gitea - gitea
- gpodder - gpodder
- memos - memos
- matrix-server
logging: &logging logging: &logging
options: options:
max-size: "50m" max-size: "50m"
@@ -79,11 +103,6 @@ services:
# source: /usr/local/share/fonts/cu # source: /usr/local/share/fonts/cu
# target: /usr/local/share/fonts/custom # target: /usr/local/share/fonts/custom
# read_only: true # read_only: true
certbot:
image: certbot/certbot:latest
volumes:
- /data/certbot/www/:/var/www/certbot/:rw
- /data/certbot/conf/:/etc/letsencrypt/:rw
authelia: authelia:
image: 'docker.io/authelia/authelia:latest' image: 'docker.io/authelia/authelia:latest'
command: command:
@@ -110,28 +129,37 @@ services:
restart: unless-stopped restart: unless-stopped
ports: ports:
- "25565:25565" - "25565:25565"
- "24454:24454/udp"
environment: environment:
EULA: "TRUE" EULA: "TRUE"
TYPE: "FABRIC" TYPE: "FABRIC"
MEMORY: "2048M" MEMORY: "4G"
MOTD: "Loading server..." MOTD: "Loading server..."
LEVEL: "world" # VERSION: "1.21.11"
USE_MEOWICE_FLAGS: "true" VERSION: "26.1.1"
DIFFICULTY: "3" # LEVEL: "world"
LEVEL: "house"
SEED: "881949285698121329"
# USE_MEOWICE_FLAGS: "true"
DIFFICULTY: "normal"
MODE: "survival"
OPS: |- OPS: |-
187eca31-2e33-4199-97e0-2286bf35f7f8 187eca31-2e33-4199-97e0-2286bf35f7f8
ENABLE_WHITELIST: "true" ENABLE_WHITELIST: "true"
WHITELIST: |- WHITELIST: |-
187eca31-2e33-4199-97e0-2286bf35f7f8 187eca31-2e33-4199-97e0-2286bf35f7f8,
5d341a01-506c-4473-a530-1ae9188c03c7,
34586a37-772e-4da4-86a1-6704f286d4c6,
1ff2724b-168f-4b17-8cf2-850894b34ead
PAUSE_WHEN_EMPTY_SECONDS: "20" PAUSE_WHEN_EMPTY_SECONDS: "20"
ENABLE_ROLLING_LOGS: "true" ENABLE_ROLLING_LOGS: "true"
REMOVE_OLD_MODS: "TRUE" REMOVE_OLD_MODS: "TRUE"
logging: *logging logging: *logging
volumes: volumes:
- "/data/minecraft/data:/data" - "/data/minecraft/data:/data"
- "/data/mincraft/mods:/mods" - "/data/minecraft/mods:/mods"
- "/data/mincraft/plugins:/plugins" - "/data/minecraft/plugins:/plugins"
- "/data/mincraft/config:/config" - "/data/minecraft/config:/config"
gitea: gitea:
image: docker.gitea.com/gitea:1.24 image: docker.gitea.com/gitea:1.24
environment: environment:
@@ -206,13 +234,46 @@ services:
logging: *logging logging: *logging
environment: environment:
- ALLOWED_SENDER_DOMAINS=loadingm.xyz - ALLOWED_SENDER_DOMAINS=loadingm.xyz
- POSTFIX_myhostname=mail # - POSTFIX_myhostname=mail
- POSTFIX_myhostname=loadingm.xyz
- POSTFIX_mydestination=loadingm.xyz,loading-hpdl380g10.loadingm.xyz
- MASQUERADED_DOMAINS=loadingm.xyz,loading-hpdl380g10.loadingm.xyz
- SMTPD_SASL_USERS="a:123,b:123"
volumes: volumes:
- /data/mail:/etc/opendkim/keys - /data/mail:/etc/opendkim/keys
networks: networks:
- mail - mail
ports: ports:
- 127.0.0.1:25:25 - 127.0.0.1:25:25
# mail:
# image: ghcr.io/docker-mailserver/docker-mailserver:latest
# container_name: mailserver
# # Provide the FQDN of your mail server here (Your DNS MX record should point to this value)
# hostname: mail.loadingm.xyz
# env_file: mailserver.env
# # More information about the mail-server ports:
# # https://docker-mailserver.github.io/docker-mailserver/latest/config/security/understanding-the-ports/
# ports:
# - "25:25" # SMTP (explicit TLS => STARTTLS, Authentication is DISABLED => use port 465/587 instead)
# - "143:143" # IMAP4 (explicit TLS => STARTTLS)
# - "465:465" # ESMTP (implicit TLS)
# - "587:587" # ESMTP (explicit TLS => STARTTLS)
# - "993:993" # IMAP4 (implicit TLS)
# volumes:
# - /data/dms/mail-data/:/var/mail/
# - /data/dms/mail-state/:/var/mail-state/
# - /data/dms/mail-logs/:/var/log/mail/
# - /data/dms/config/:/tmp/docker-mailserver/
# - /etc/localtime:/etc/localtime:ro
# restart: always
# stop_grace_period: 1m
# # Uncomment if using `ENABLE_FAIL2BAN=1`:
# # cap_add:
# # - NET_ADMIN
# healthcheck:
# test: "ss --listening --ipv4 --tcp | grep --silent ':smtp' || exit 1"
# timeout: 3s
# retries: 0
bitwarden: bitwarden:
# env_file: # env_file:
# - bitwarden.env # - bitwarden.env
@@ -222,6 +283,7 @@ services:
SMTP_FROM: bitwarden@loadingm.xyz SMTP_FROM: bitwarden@loadingm.xyz
SMTP_SECURITY: off SMTP_SECURITY: off
SIGNUPS_ALLOWED: false SIGNUPS_ALLOWED: false
# ADMIN_TOKEN: "google straining barracuda prescribe augmented bucket"
networks: networks:
- bitwarden - bitwarden
- mail - mail

7
gitea-runner.yaml
View File

@@ -45,6 +45,7 @@ runner:
- "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04" - "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
- "ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04" - "ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04"
- "rustup-all:docker://gitea.loadingm.xyz/the10thwiz/rustup:latest" - "rustup-all:docker://gitea.loadingm.xyz/the10thwiz/rustup:latest"
- "rustup-wasm:docker://gitea.loadingm.xyz/the10thwiz/rustup:wasm-stable"
- "rustup-all-musl:docker://gitea.loadingm.xyz/the10thwiz/rustup:musl-latest" - "rustup-all-musl:docker://gitea.loadingm.xyz/the10thwiz/rustup:musl-latest"
- "rustup-stable:docker://gitea.loadingm.xyz/the10thwiz/rustup:stable" - "rustup-stable:docker://gitea.loadingm.xyz/the10thwiz/rustup:stable"
- "rustup-beta:docker://gitea.loadingm.xyz/the10thwiz/rustup:beta" - "rustup-beta:docker://gitea.loadingm.xyz/the10thwiz/rustup:beta"
@@ -76,7 +77,7 @@ container:
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker). # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: false privileged: false
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway). # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options: options: '-v /data/site:/data/site'
# The parent directory of a job's working directory. # The parent directory of a job's working directory.
# NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically.
# If the path starts with '/', the '/' will be trimmed. # If the path starts with '/', the '/' will be trimmed.
@@ -92,12 +93,12 @@ container:
# If you want to allow any volume, please use the following configuration: # If you want to allow any volume, please use the following configuration:
# valid_volumes: # valid_volumes:
# - '**' # - '**'
valid_volumes: [] valid_volumes: ['**']
# overrides the docker client host with the specified one. # overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically. # If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers. # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work. # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: "" docker_host: "-"
# Pull docker image(s) even if already present # Pull docker image(s) even if already present
force_pull: false force_pull: false
# Rebuild docker image(s) even if already present # Rebuild docker image(s) even if already present

66
immich-compose.yaml Normal file
View File

@@ -0,0 +1,66 @@
services:
immich-server:
image: ghcr.io/immich-app/immich-server:v2
# extends:
# file: hwaccel.transcoding.yml
# service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
volumes:
- /data/immich/uploads:/data
- /etc/localtime:/etc/localtime:ro
environment:
DB_USERNAME: postgres
DB_PASSWORD: nVmwTyOKlcEa6VUc
DB_DATABASE_NAME: immich
DB_HOSTNAME: immich-db
REDIS_HOSTNAME: immich-redis
networks:
- immich
depends_on:
- immich-redis
- immich-db
restart: always
healthcheck:
disable: false
immich-machine-learning:
# For hardware acceleration, add one of -[armnn, cuda, rocm, openvino, rknn] to the image tag.
# Example tag: ${IMMICH_VERSION:-v2}-cuda
image: ghcr.io/immich-app/immich-machine-learning:v2
# extends: # uncomment this section for hardware acceleration - see https://docs.immich.app/features/ml-hardware-acceleration
# file: hwaccel.ml.yml
# service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
volumes:
- immich-model-cache:/cache
environment:
DB_USERNAME: postgres
DB_PASSWORD: nVmwTyOKlcEa6VUc
DB_DATABASE_NAME: immich
networks:
- immich
restart: always
healthcheck:
disable: false
immich-redis:
image: docker.io/valkey/valkey:9@sha256:fb8d272e529ea567b9bf1302245796f21a2672b8368ca3fcb938ac334e613c8f
healthcheck:
test: redis-cli ping || exit 1
networks:
- immich
restart: always
immich-db:
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: nVmwTyOKlcEa6VUc
POSTGRES_DB: immich
POSTGRES_INITDB_ARGS: '--data-checksums'
# Uncomment the DB_STORAGE_TYPE: 'HDD' var if your database isn't stored on SSDs
# DB_STORAGE_TYPE: 'HDD'
volumes:
- /data/immich/postgres:/var/lib/postgresql/data
networks:
- immich
shm_size: 128mb
restart: always

33
jellyfin-compose.yaml
View File

@@ -24,6 +24,8 @@ services:
- VPN_PORT_FORWARDING=on - VPN_PORT_FORWARDING=on
- VPN_PORT_FORWARDING_PROVIDER=protonvpn - VPN_PORT_FORWARDING_PROVIDER=protonvpn
- VPN_PORT_FORWARDING_STATUS_FILE=/tmp/gluetun/forwarded_port - VPN_PORT_FORWARDING_STATUS_FILE=/tmp/gluetun/forwarded_port
- VPN_PORT_FORWARDING_UP_COMMAND=/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":{{PORT}},\"current_network_interface\":\"{{VPN_INTERFACE}}\",\"random_port\":false,\"upnp\":false}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
- VPN_PORT_FORWARDING_DOWN_COMMAND=/bin/sh -c 'wget -O- --retry-connrefused --post-data "json={\"listen_port\":0,\"current_network_interface\":\"lo"}" http://127.0.0.1:8080/api/v2/app/setPreferences 2>&1'
- TZ=${TZ} - TZ=${TZ}
- UPDATER_PERIOD=24h - UPDATER_PERIOD=24h
restart: always restart: always
@@ -61,6 +63,8 @@ services:
- TZ=${TZ} - TZ=${TZ}
#- LANG=fr_FR #- LANG=fr_FR
#- LANG=en_US #- LANG=en_US
# volumes:
# - /tmp/flaresolver:/tmp
ports: ports:
- 8191:8191 - 8191:8191
networks: networks:
@@ -104,8 +108,8 @@ services:
- /data/jellyfin/configs/sonarr:/config - /data/jellyfin/configs/sonarr:/config
- /data/jellyfin/sonarr/tv:/tv - /data/jellyfin/sonarr/tv:/tv
- /data/jellyfin/qbittorrent/downloads:/downloads - /data/jellyfin/qbittorrent/downloads:/downloads
ports: # ports:
- 8989:8989 # - 8989:8989
networks: networks:
- jellyfin-int - jellyfin-int
restart: unless-stopped restart: unless-stopped
@@ -120,8 +124,8 @@ services:
- /data/jellyfin/configs/radarr:/config - /data/jellyfin/configs/radarr:/config
- /data/jellyfin/radarr/movies:/movies - /data/jellyfin/radarr/movies:/movies
- /data/jellyfin/qbittorrent/downloads:/downloads - /data/jellyfin/qbittorrent/downloads:/downloads
ports: # ports:
- 7878:7878 # - 7878:7878
networks: networks:
- jellyfin-int - jellyfin-int
restart: unless-stopped restart: unless-stopped
@@ -131,19 +135,24 @@ services:
- PUID=0 - PUID=0
- PGID=0 - PGID=0
- TZ=${TZ} - TZ=${TZ}
- JELLYFIN_DATA_DIR=/config/data
- JELLYFIN_CONFIG_DIR=/config
- JELLYFIN_LOG_DIR=/config/log
- JELLYFIN_CACHE_DIR=/config/cache
# - NVIDIA_VISIBLE_DEVICES=all # - NVIDIA_VISIBLE_DEVICES=all
ports: ports:
- 8096:8096 # - 8096:8096
- 8920:8920 # - 8920:8920
- 7359:7359/udp - 7359:7359/udp
- 1900:1900/udp
networks: networks:
- jellyfin - jellyfin
- jellyfin-int - jellyfin-int
volumes: volumes:
- /data/library:/data/library:ro - /data/library:/data/library:ro
- /data/jellyfin:/data/jellyfin - /data/jellyfin:/data/jellyfin
- /data/jellyfin/configs/jellyfin:/config - /backup:/data/jellyfin/backups
# - /data/jellyfin/configs/jellyfin:/config
- /srv/jellyfin:/config
- /data/jellyfin/jellyfin/cache:/cache - /data/jellyfin/jellyfin/cache:/cache
- /data/jellyfin/sonarr/tv:/data/tvshows - /data/jellyfin/sonarr/tv:/data/tvshows
- /data/jellyfin/radarr/movies:/data/movies - /data/jellyfin/radarr/movies:/data/movies
@@ -151,8 +160,8 @@ services:
restart: unless-stopped restart: unless-stopped
group_add: group_add:
- '993' - '993'
# devices: devices:
# - /dev/dri/renderD128:/dev/dri/renderD128 - /dev/dri/renderD128:/dev/dri/renderD128
# runtime: nvidia # runtime: nvidia
# deploy: # deploy:
# resources: # resources:
@@ -166,8 +175,8 @@ services:
environment: environment:
- LOG_LEVEL=debug - LOG_LEVEL=debug
- TZ=${TZ} - TZ=${TZ}
ports: # ports:
- 5055:5055 # - 5055:5055
volumes: volumes:
- /data/jellyfin/configs/jellyseerr:/app/config - /data/jellyfin/configs/jellyseerr:/app/config
restart: unless-stopped restart: unless-stopped

11
karakeep-compose.yaml
View File

@@ -21,7 +21,9 @@ services:
INFERENCE_OUTPUT_SCHEMA: json INFERENCE_OUTPUT_SCHEMA: json
INFERENCE_CONTEXT_LENGTH: 1024 INFERENCE_CONTEXT_LENGTH: 1024
INFERENCE_JOB_TIMEOUT_SEC: 120 INFERENCE_JOB_TIMEOUT_SEC: 120
LOG_LEVEL: debug CRAWLER_FULL_PAGE_ARCHIVE: true
BROWSER_COOKIE_PATH: /data/cookies.json
LOG_LEVEL: info
# You almost never want to change the value of the DATA_DIR variable. # You almost never want to change the value of the DATA_DIR variable.
# If you want to mount a custom directory, change the volume mapping above instead. # If you want to mount a custom directory, change the volume mapping above instead.
DATA_DIR: /data # DON'T CHANGE THIS DATA_DIR: /data # DON'T CHANGE THIS
@@ -53,11 +55,14 @@ services:
networks: networks:
- karakeep-int - karakeep-int
ollama: ollama:
image: docker.io/ollama/ollama:0.11.10 image: docker.io/ollama/ollama:rocm
volumes: volumes:
- .:/code - .:/code
- /data/library/ollama/ollama:/root/.ollama - /data/library/ollama/ollama:/root/.ollama
pull_policy: always devices:
- /dev/dri:/dev/dri
- /dev/kfd:/dev/kfd
# pull_policy: always
tty: true tty: true
restart: always restart: always
environment: environment:

27
matrix-compose.yaml Normal file
View File

@@ -0,0 +1,27 @@
services:
matrix-server:
image: forgejo.ellis.link/continuwuation/continuwuity
restart: unless-stopped
environment:
CONTINUWUITY_SERVER_NAME: "matrix.loadingm.xyz"
CONTINUWUITY_WELL_KNOWN__SERVER: "matrix.loadingm.xyz:443"
CONTINUWUITY_ALLOW_REGISTRATION: true
CONTINUWUITY_REGISTRATION_TOKEN: "qFz7aekKxgXdd6SpQ09llv52+S4="
CONTINUWUITY_ALLOW_FEDERATION: 'true'
CONTINUWUITY_ALLOW_CHECK_FOR_UPDATES: 'true'
CONTINUWUITY_TRUSTED_SERVERS: '["matrix.org", "mozilla.org"]'
CONTINUWUITY_DATABASE_PATH: /var/lib/continuwuity
CONTINUWUITY_PORT: 6167
CONTINUWUITY_ADDRESS: 0.0.0.0
volumes:
- /data/matrix/db:/var/lib/continuwuity
networks:
- matrix
# ports:
# - 8448:6167
# turn:
# image: docker.io/coturn/coturn
# restart: unless-stopped
# network_mode: "host"
# volumes:
# - ./coturn.conf:/etc/coturn/turnserver.conf:ro

2
nginx-dockerfile Normal file
View File

@@ -0,0 +1,2 @@
FROM nginx
RUN apt install nginx-module-acme

15
nginx/nginx.conf
View File

@@ -3,6 +3,7 @@ worker_processes auto;
worker_cpu_affinity auto; worker_cpu_affinity auto;
pid /run/nginx.pid; pid /run/nginx.pid;
error_log /var/log/nginx/error.log; error_log /var/log/nginx/error.log;
load_module /usr/lib/nginx/modules/ngx_http_acme_module.so;
events { events {
worker_connections 768; worker_connections 768;
@@ -10,6 +11,14 @@ events {
} }
http { http {
resolver 127.0.0.11:53;
acme_issuer letsencrypt {
uri https://acme-v02.api.letsencrypt.org/directory;
contact matthew.pomes@pm.me;
state_path /var/cache/nginx/acme-letsencrypt;
accept_terms_of_service;
}
## ##
# Basic Settings # Basic Settings
@@ -57,6 +66,12 @@ http {
## ##
include /etc/nginx/sites-enabled/*; include /etc/nginx/sites-enabled/*;
server {
listen 80;
location / {
return 301 https://$host$request_uri;
}
}
} }

19
nginx/sites-available/5d-diplomacy
View File

@@ -1,17 +1,8 @@
server { server {
if ($host = 5d-diplomacy.loadingm.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name 5d-diplomacy.loadingm.xyz; server_name 5d-diplomacy.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS # Uncomment to redirect HTTP to HTTPS
location / { location / {
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
@@ -25,16 +16,14 @@ server {
http2 on; http2 on;
server_name 5d-diplomacy.loadingm.xyz; server_name 5d-diplomacy.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M; client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";

29
nginx/sites-enabled/auth
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name auth.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server { server {
# Nginx versions 1.25+ # Nginx versions 1.25+
listen 443 ssl; listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on; http2 on;
server_name auth.loadingm.xyz; server_name auth.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M; client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
@@ -42,10 +25,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / { location / {
# Proxy main karakeep traffic # Proxy main karakeep traffic
proxy_pass http://authelia:9091; proxy_pass http://authelia:9091;

62
nginx/sites-enabled/bitwarden
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name bitwarden.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server { server {
# Nginx versions 1.25+ # Nginx versions 1.25+
listen 443 ssl; listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on; http2 on;
server_name bitwarden.loadingm.xyz; server_name bitwarden.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M; client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
@@ -40,20 +23,28 @@ server {
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin # Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
set $CSP "default-src https: data: blob:"; # set $CSP "default-src https: data: blob:";
set $CSP "$CSP; img-src 'self' https://* data:"; # set $CSP "$CSP; img-src 'self' https://* data:";
set $CSP "$CSP; style-src 'self' 'unsafe-inline' data:"; # set $CSP "$CSP; style-src 'self' 'unsafe-inline' data:";
set $CSP "$CSP; style-src-elem 'self' 'unsafe-inline' data:"; # set $CSP "$CSP; style-src-elem 'self' 'unsafe-inline' data:";
set $CSP "$CSP; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:"; # set $CSP "$CSP; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:";
set $CSP "$CSP; worker-src 'self' blob: data:"; # set $CSP "$CSP; worker-src 'self' blob: data:";
set $CSP "$CSP; connect-src 'self' data:"; # set $CSP "$CSP; connect-src 'self' data:";
set $CSP "$CSP; object-src 'none' data:"; # set $CSP "$CSP; object-src 'none' data:";
set $CSP "$CSP; frame-ancestors 'self' data:"; # set $CSP "$CSP; frame-ancestors 'self' data:";
set $CSP "$CSP; font-src 'self' data:"; # set $CSP "$CSP; font-src 'self' data:";
add_header Content-Security-Policy $CSP; # add_header Content-Security-Policy $CSP;
location /notifications/hub {
location /.well-known/acme-challenge/ { proxy_pass http://bitwarden:80;
root /var/www/certbot; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
} }
location / { location / {
@@ -65,7 +56,6 @@ server {
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme; proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Host $http_host;
proxy_hide_header Content-Security-Policy;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming # Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off; proxy_buffering off;

29
nginx/sites-enabled/gitea
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name gitea.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server { server {
# Nginx versions 1.25+ # Nginx versions 1.25+
listen 443 ssl; listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on; http2 on;
server_name gitea.loadingm.xyz; server_name gitea.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G; client_max_body_size 200G;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
@@ -42,10 +25,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / { location / {
# Proxy main karakeep traffic # Proxy main karakeep traffic
proxy_pass http://gitea:3000; proxy_pass http://gitea:3000;

50
nginx/sites-enabled/gpodder
View File

@@ -1,52 +1,14 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
server { server {
listen 80;
listen [::]:80;
server_name gpodder.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# Default server configuration
#
server {
# SSL configuration # SSL configuration
listen 443 ssl; listen 443 ssl;
listen [::]:443 ssl; listen [::]:443 ssl;
http2 on; http2 on;
server_name gpodder.loadingm.xyz; server_name gpodder.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem; ssl_certificate $acme_certificate;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem; ssl_certificate_key $acme_certificate_key;
# include /etc/letsencrypt/options-ssl-nginx.conf; ssl_certificate_cache max=2;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
@@ -60,10 +22,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / { location / {
# Proxy main karakeep traffic # Proxy main karakeep traffic
proxy_pass http://gpodder:8000; proxy_pass http://gpodder:8000;

53
nginx/sites-enabled/immich Normal file
View File

@@ -0,0 +1,53 @@
server {
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name immich.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /api/socket.io {
proxy_pass http://immich-server:2283;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
location / {
# Proxy main karakeep traffic
proxy_pass http://immich-server:2283;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
}

29
nginx/sites-enabled/jellyfin
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name jellyfin.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server { server {
# Nginx versions 1.25+ # Nginx versions 1.25+
listen 443 ssl; listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on; http2 on;
server_name jellyfin.loadingm.xyz; server_name jellyfin.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M; client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
@@ -42,10 +25,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / { location / {
# Proxy main Jellyfin traffic # Proxy main Jellyfin traffic
proxy_pass http://jellyfin:8096; proxy_pass http://jellyfin:8096;

29
nginx/sites-enabled/jellyseerr
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name jellyseerr.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server { server {
# Nginx versions 1.25+ # Nginx versions 1.25+
listen 443 ssl; listen 443 ssl;
@@ -20,26 +5,20 @@ server {
http2 on; http2 on;
server_name jellyseerr.loadingm.xyz; server_name jellyseerr.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M; client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients # Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always; add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Content Security Policy # Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin # Enforces https content and restricts JS/CSS to origin

29
nginx/sites-enabled/karakeep
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name karakeep.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server { server {
# Nginx versions 1.25+ # Nginx versions 1.25+
listen 443 ssl; listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on; http2 on;
server_name karakeep.loadingm.xyz; server_name karakeep.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M; client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
@@ -52,10 +35,6 @@ server {
set $CSP "$CSP; font-src 'self' data:"; set $CSP "$CSP; font-src 'self' data:";
add_header Content-Security-Policy $CSP; add_header Content-Security-Policy $CSP;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / { location / {
# Proxy main karakeep traffic # Proxy main karakeep traffic
proxy_pass http://karakeep-web:3000; proxy_pass http://karakeep-web:3000;

53
nginx/sites-enabled/matrix Normal file
View File

@@ -0,0 +1,53 @@
server {
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name matrix.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
# location /api/socket.io {
# proxy_pass http://matrix-server:6167;
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "upgrade";
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header X-Forwarded-Protocol $scheme;
# proxy_set_header X-Forwarded-Host $http_host;
# }
location / {
# Proxy main karakeep traffic
proxy_pass http://matrix-server:6167;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
}

29
nginx/sites-enabled/memos
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name memos.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server { server {
# Nginx versions 1.25+ # Nginx versions 1.25+
listen 443 ssl; listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on; http2 on;
server_name memos.loadingm.xyz; server_name memos.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G; client_max_body_size 200G;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
@@ -42,10 +25,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / { location / {
# Proxy main karakeep traffic # Proxy main karakeep traffic
proxy_pass http://memos:5230; proxy_pass http://memos:5230;

18
nginx/sites-enabled/ollama
View File

@@ -5,9 +5,23 @@ server {
http2 on; http2 on;
server_name ollama.loadingm.xyz; server_name ollama.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
include /etc/nginx/snippets/letsencrypt.conf; location /ws/ {
# include /etc/nginx/snippets/authelia-location.conf; proxy_pass http://ollama-webui:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
location / { location / {
include /etc/nginx/snippets/proxy.conf; include /etc/nginx/snippets/proxy.conf;

53
nginx/sites-enabled/primary
View File

@@ -1,52 +1,14 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
server { server {
listen 80 default_server;
listen [::]:80;
server_name loadingm.xyz *.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# Default server configuration
#
server {
# SSL configuration # SSL configuration
listen 443 ssl default_server; listen 443 ssl default_server;
listen [::]:443 ssl default_server; listen [::]:443 ssl default_server;
http2 on; http2 on;
server_name loadingm.xyz; server_name loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem; ssl_certificate $acme_certificate;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem; ssl_certificate_key $acme_certificate_key;
# include /etc/letsencrypt/options-ssl-nginx.conf; ssl_certificate_cache max=2;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
root /data/site; root /data/site;
@@ -60,11 +22,4 @@ server {
# as directory, then fall back to displaying a 404. # as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
} }
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
} }

7
nginx/sites-enabled/servarr
View File

@@ -1,13 +1,14 @@
server { server {
# Nginx versions 1.25+
listen 443 ssl; listen 443 ssl;
listen [::]:443 ssl; listen [::]:443 ssl;
http2 on; http2 on;
server_name servarr.loadingm.xyz; server_name servarr.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
include /etc/nginx/snippets/letsencrypt.conf;
include /etc/nginx/snippets/authelia-location.conf; include /etc/nginx/snippets/authelia-location.conf;
location /qbt/ { location /qbt/ {

25
nginx/snippets/letsencrypt.conf
View File

@@ -1,25 +0,0 @@
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}