the10thwiz/Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: the10thwiz:ea65ae941bc342e3527d72e50442167c786e0132
Branches Tags
the10thwiz:main
..
compare: the10thwiz:4b572faf1d5d926bc76205eeccb6fc4631cdcfab
Branches Tags
the10thwiz:main

2 Commits
ea65ae941b ... 4b572faf1d

Author SHA1 Message Date
Matthew Pomes
4b572faf1d Add immich and switch to nginx-acme 2026-01-25 02:15:43 -06:00
Matthew Pomes
e269dac336 Update karakeep config 2026-01-25 00:51:14 -06:00
20 changed files with 194 additions and 338 deletions
Expand all files Collapse all files

13
build-certs.sh
View File

@@ -1,13 +0,0 @@
docker compose run --rm certbot certonly -v --webroot --webroot-path /var/www/certbot/ \
-d loadingm.xyz \
-d gitea.loadingm.xyz \
-d auth.loadingm.xyz \
-d jellyfin.loadingm.xyz \
-d jellyseerr.loadingm.xyz \
-d servarr.loadingm.xyz \
-d karakeep.loadingm.xyz \
-d ollama.loadingm.xyz \
-d memos.loadingm.xyz \
-d bitwarden.loadingm.xyz \
-d gpodder.loadingm.xyz

30
docker-compose.yaml
View File

@@ -1,6 +1,7 @@
include: include:
- ./karakeep-compose.yaml - ./karakeep-compose.yaml
- ./jellyfin-compose.yaml - ./jellyfin-compose.yaml
- ./immich-compose.yaml
secrets: secrets:
JWT_SECRET: JWT_SECRET:
file: '/data/authelia/secrets/JWT_SECRET' file: '/data/authelia/secrets/JWT_SECRET'
@@ -14,34 +15,52 @@ volumes:
meilisearch: meilisearch:
karakeep: karakeep:
bitwarden: bitwarden:
immich-model-cache:
nginx:
networks: networks:
karakeep: karakeep:
external: false external: false
enable_ipv6: true
karakeep-int: karakeep-int:
external: false external: false
enable_ipv6: true
ollama: ollama:
external: false external: false
enable_ipv6: true
ollama-int: ollama-int:
external: false external: false
enable_ipv6: true
jellyfin: jellyfin:
external: false external: false
enable_ipv6: true
jellyfin-int: jellyfin-int:
external: false external: false
enable_ipv6: true
auth: auth:
external: false external: false
enable_ipv6: true
gitea: gitea:
external: false external: false
enable_ipv6: true
gpodder: gpodder:
external: false external: false
enable_ipv6: true
memos: memos:
external: false external: false
enable_ipv6: true
mail: mail:
external: false external: false
enable_ipv6: true
bitwarden: bitwarden:
external: false external: false
enable_ipv6: true
# host:
# external: true
# enable_ipv6: true
services: services:
web: web:
image: "nginx" build:
dockerfile: ./nginx-dockerfile
restart: unless-stopped restart: unless-stopped
ports: ports:
- 80:80 - 80:80
@@ -49,9 +68,7 @@ services:
volumes: volumes:
- ./nginx:/etc/nginx:ro - ./nginx:/etc/nginx:ro
- /data/site:/data/site:ro - /data/site:/data/site:ro
- /data/certbot/www/:/var/www/certbot/:ro - nginx:/var/cache/nginx/
# - /etc/letsencrypt:/etc/letsencrypt:ro
- /data/certbot/conf:/etc/letsencrypt:ro
networks: networks:
- karakeep - karakeep
- ollama - ollama
@@ -79,11 +96,6 @@ services:
# source: /usr/local/share/fonts/cu # source: /usr/local/share/fonts/cu
# target: /usr/local/share/fonts/custom # target: /usr/local/share/fonts/custom
# read_only: true # read_only: true
certbot:
image: certbot/certbot:latest
volumes:
- /data/certbot/www/:/var/www/certbot/:rw
- /data/certbot/conf/:/etc/letsencrypt/:rw
authelia: authelia:
image: 'docker.io/authelia/authelia:latest' image: 'docker.io/authelia/authelia:latest'
command: command:

64
immich-compose.yaml Normal file
View File

@@ -0,0 +1,64 @@
services:
immich-server:
image: ghcr.io/immich-app/immich-server:v2
# extends:
# file: hwaccel.transcoding.yml
# service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
volumes:
# Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
- /data/immich/uploads:/data
- /etc/localtime:/etc/localtime:ro
environment:
DB_USERNAME: postgres
DB_PASSWORD: nVmwTyOKlcEa6VUc
DB_DATABASE_NAME: immich
# env_file:
# - .env
ports:
- '2283:2283'
depends_on:
- redis
- database
restart: always
healthcheck:
disable: false
immich-machine-learning:
# For hardware acceleration, add one of -[armnn, cuda, rocm, openvino, rknn] to the image tag.
# Example tag: ${IMMICH_VERSION:-v2}-cuda
image: ghcr.io/immich-app/immich-machine-learning:v2
# extends: # uncomment this section for hardware acceleration - see https://docs.immich.app/features/ml-hardware-acceleration
# file: hwaccel.ml.yml
# service: cpu # set to one of [armnn, cuda, rocm, openvino, openvino-wsl, rknn] for accelerated inference - use the `-wsl` version for WSL2 where applicable
volumes:
- immich-model-cache:/cache
environment:
DB_USERNAME: postgres
DB_PASSWORD: nVmwTyOKlcEa6VUc
DB_DATABASE_NAME: immich
# env_file:
# - .env
restart: always
healthcheck:
disable: false
redis:
image: docker.io/valkey/valkey:9@sha256:fb8d272e529ea567b9bf1302245796f21a2672b8368ca3fcb938ac334e613c8f
healthcheck:
test: redis-cli ping || exit 1
restart: always
database:
image: ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:bcf63357191b76a916ae5eb93464d65c07511da41e3bf7a8416db519b40b1c23
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: nVmwTyOKlcEa6VUc
POSTGRES_DB: immich
POSTGRES_INITDB_ARGS: '--data-checksums'
# Uncomment the DB_STORAGE_TYPE: 'HDD' var if your database isn't stored on SSDs
# DB_STORAGE_TYPE: 'HDD'
volumes:
# Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
- /data/immich/postgres:/var/lib/postgresql/data
shm_size: 128mb
restart: always

4
karakeep-compose.yaml
View File

@@ -21,7 +21,9 @@ services:
INFERENCE_OUTPUT_SCHEMA: json INFERENCE_OUTPUT_SCHEMA: json
INFERENCE_CONTEXT_LENGTH: 1024 INFERENCE_CONTEXT_LENGTH: 1024
INFERENCE_JOB_TIMEOUT_SEC: 120 INFERENCE_JOB_TIMEOUT_SEC: 120
LOG_LEVEL: debug CRAWLER_FULL_PAGE_ARCHIVE: true
BROWSER_COOKIE_PATH: /data/cookies.json
LOG_LEVEL: info
# You almost never want to change the value of the DATA_DIR variable. # You almost never want to change the value of the DATA_DIR variable.
# If you want to mount a custom directory, change the volume mapping above instead. # If you want to mount a custom directory, change the volume mapping above instead.
DATA_DIR: /data # DON'T CHANGE THIS DATA_DIR: /data # DON'T CHANGE THIS

2
nginx-dockerfile Normal file
View File

@@ -0,0 +1,2 @@
FROM nginx
RUN apt install nginx-module-acme

15
nginx/nginx.conf
View File

@@ -3,6 +3,7 @@ worker_processes auto;
worker_cpu_affinity auto; worker_cpu_affinity auto;
pid /run/nginx.pid; pid /run/nginx.pid;
error_log /var/log/nginx/error.log; error_log /var/log/nginx/error.log;
load_module /usr/lib/nginx/modules/ngx_http_acme_module.so;
events { events {
worker_connections 768; worker_connections 768;
@@ -10,6 +11,14 @@ events {
} }
http { http {
resolver 127.0.0.11:53;
acme_issuer letsencrypt {
uri https://acme-v02.api.letsencrypt.org/directory;
contact matthew.pomes@pm.me;
state_path /var/cache/nginx/acme-letsencrypt;
accept_terms_of_service;
}
## ##
# Basic Settings # Basic Settings
@@ -57,6 +66,12 @@ http {
## ##
include /etc/nginx/sites-enabled/*; include /etc/nginx/sites-enabled/*;
server {
listen 80;
location / {
return 301 https://$host$request_uri;
}
}
} }

19
nginx/sites-available/5d-diplomacy
View File

@@ -1,17 +1,8 @@
server { server {
if ($host = 5d-diplomacy.loadingm.xyz) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name 5d-diplomacy.loadingm.xyz; server_name 5d-diplomacy.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS # Uncomment to redirect HTTP to HTTPS
location / { location / {
return 301 https://$host$request_uri; return 301 https://$host$request_uri;
@@ -25,16 +16,14 @@ server {
http2 on; http2 on;
server_name 5d-diplomacy.loadingm.xyz; server_name 5d-diplomacy.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M; client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/5d-diplomacy.loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";

29
nginx/sites-enabled/auth
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name auth.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server { server {
# Nginx versions 1.25+ # Nginx versions 1.25+
listen 443 ssl; listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on; http2 on;
server_name auth.loadingm.xyz; server_name auth.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M; client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
@@ -42,10 +25,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / { location / {
# Proxy main karakeep traffic # Proxy main karakeep traffic
proxy_pass http://authelia:9091; proxy_pass http://authelia:9091;

29
nginx/sites-enabled/bitwarden
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name bitwarden.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server { server {
# Nginx versions 1.25+ # Nginx versions 1.25+
listen 443 ssl; listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on; http2 on;
server_name bitwarden.loadingm.xyz; server_name bitwarden.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M; client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
@@ -51,10 +34,6 @@ server {
# set $CSP "$CSP; frame-ancestors 'self' data:"; # set $CSP "$CSP; frame-ancestors 'self' data:";
# set $CSP "$CSP; font-src 'self' data:"; # set $CSP "$CSP; font-src 'self' data:";
# add_header Content-Security-Policy $CSP; # add_header Content-Security-Policy $CSP;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location /notifications/hub { location /notifications/hub {
proxy_pass http://bitwarden:80; proxy_pass http://bitwarden:80;
proxy_http_version 1.1; proxy_http_version 1.1;

29
nginx/sites-enabled/gitea
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name gitea.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server { server {
# Nginx versions 1.25+ # Nginx versions 1.25+
listen 443 ssl; listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on; http2 on;
server_name gitea.loadingm.xyz; server_name gitea.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G; client_max_body_size 200G;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
@@ -42,10 +25,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / { location / {
# Proxy main karakeep traffic # Proxy main karakeep traffic
proxy_pass http://gitea:3000; proxy_pass http://gitea:3000;

50
nginx/sites-enabled/gpodder
View File

@@ -1,52 +1,14 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
server { server {
listen 80;
listen [::]:80;
server_name gpodder.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# Default server configuration
#
server {
# SSL configuration # SSL configuration
listen 443 ssl; listen 443 ssl;
listen [::]:443 ssl; listen [::]:443 ssl;
http2 on; http2 on;
server_name gpodder.loadingm.xyz; server_name gpodder.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem; ssl_certificate $acme_certificate;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem; ssl_certificate_key $acme_certificate_key;
# include /etc/letsencrypt/options-ssl-nginx.conf; ssl_certificate_cache max=2;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
@@ -60,10 +22,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / { location / {
# Proxy main karakeep traffic # Proxy main karakeep traffic
proxy_pass http://gpodder:8000; proxy_pass http://gpodder:8000;

41
nginx/sites-enabled/immich Normal file
View File

@@ -0,0 +1,41 @@
server {
# Nginx versions 1.25+
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name immich.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location / {
# Proxy main karakeep traffic
proxy_pass http://immich:2283;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
}

29
nginx/sites-enabled/jellyfin
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name jellyfin.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server { server {
# Nginx versions 1.25+ # Nginx versions 1.25+
listen 443 ssl; listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on; http2 on;
server_name jellyfin.loadingm.xyz; server_name jellyfin.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M; client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
@@ -42,10 +25,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / { location / {
# Proxy main Jellyfin traffic # Proxy main Jellyfin traffic
proxy_pass http://jellyfin:8096; proxy_pass http://jellyfin:8096;

29
nginx/sites-enabled/jellyseerr
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name jellyseerr.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server { server {
# Nginx versions 1.25+ # Nginx versions 1.25+
listen 443 ssl; listen 443 ssl;
@@ -20,26 +5,20 @@ server {
http2 on; http2 on;
server_name jellyseerr.loadingm.xyz; server_name jellyseerr.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M; client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients # Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always; add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Content Security Policy # Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin # Enforces https content and restricts JS/CSS to origin

29
nginx/sites-enabled/karakeep
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name karakeep.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server { server {
# Nginx versions 1.25+ # Nginx versions 1.25+
listen 443 ssl; listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on; http2 on;
server_name karakeep.loadingm.xyz; server_name karakeep.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M; client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
@@ -52,10 +35,6 @@ server {
set $CSP "$CSP; font-src 'self' data:"; set $CSP "$CSP; font-src 'self' data:";
add_header Content-Security-Policy $CSP; add_header Content-Security-Policy $CSP;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / { location / {
# Proxy main karakeep traffic # Proxy main karakeep traffic
proxy_pass http://karakeep-web:3000; proxy_pass http://karakeep-web:3000;

29
nginx/sites-enabled/memos
View File

@@ -1,18 +1,3 @@
server {
listen 80;
listen [::]:80;
server_name memos.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server { server {
# Nginx versions 1.25+ # Nginx versions 1.25+
listen 443 ssl; listen 443 ssl;
@@ -20,16 +5,14 @@ server {
http2 on; http2 on;
server_name memos.loadingm.xyz; server_name memos.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 200G; client_max_body_size 200G;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers # Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff"; add_header X-Content-Type-Options "nosniff";
@@ -42,10 +25,6 @@ server {
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'"; add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / { location / {
# Proxy main karakeep traffic # Proxy main karakeep traffic
proxy_pass http://memos:5230; proxy_pass http://memos:5230;

6
nginx/sites-enabled/ollama
View File

@@ -5,9 +5,11 @@ server {
http2 on; http2 on;
server_name ollama.loadingm.xyz; server_name ollama.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
include /etc/nginx/snippets/letsencrypt.conf;
# include /etc/nginx/snippets/authelia-location.conf;
location /ws/ { location /ws/ {
proxy_pass http://ollama-webui:8080; proxy_pass http://ollama-webui:8080;
proxy_http_version 1.1; proxy_http_version 1.1;

53
nginx/sites-enabled/primary
View File

@@ -1,52 +1,14 @@
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
server { server {
listen 80 default_server;
listen [::]:80;
server_name loadingm.xyz *.loadingm.xyz;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Uncomment to redirect HTTP to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# Default server configuration
#
server {
# SSL configuration # SSL configuration
listen 443 ssl default_server; listen 443 ssl default_server;
listen [::]:443 ssl default_server; listen [::]:443 ssl default_server;
http2 on; http2 on;
server_name loadingm.xyz; server_name loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem; ssl_certificate $acme_certificate;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem; ssl_certificate_key $acme_certificate_key;
# include /etc/letsencrypt/options-ssl-nginx.conf; ssl_certificate_cache max=2;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
root /data/site; root /data/site;
@@ -60,11 +22,4 @@ server {
# as directory, then fall back to displaying a 404. # as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404; try_files $uri $uri/ =404;
} }
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
} }

7
nginx/sites-enabled/servarr
View File

@@ -1,13 +1,14 @@
server { server {
# Nginx versions 1.25+
listen 443 ssl; listen 443 ssl;
listen [::]:443 ssl; listen [::]:443 ssl;
http2 on; http2 on;
server_name servarr.loadingm.xyz; server_name servarr.loadingm.xyz;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
include /etc/nginx/snippets/letsencrypt.conf;
include /etc/nginx/snippets/authelia-location.conf; include /etc/nginx/snippets/authelia-location.conf;
location /qbt/ { location /qbt/ {

25
nginx/snippets/letsencrypt.conf
View File

@@ -1,25 +0,0 @@
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
# include /etc/letsencrypt/options-ssl-nginx.conf;
# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
# Security / XSS Mitigation Headers
add_header X-Content-Type-Options "nosniff";
# Permissions policy. May cause issues with some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}