Pull latest changes from main before redeploying

2025-09-02 23:33:39 -05:00
16 changed files with 41 additions and 507 deletions
--- a/.gitea/workflows/certificates.yaml
+++ b/.gitea/workflows/certificates.yaml
@@ -1,28 +0,0 @@
 name: "Build certificates"
 on:
  workflow_dispatch:
    inputs:
      # Note: this doesn't work on current gitea for some reason?
      build_certs:
        description: "Build certificates from scratch"
        type: "boolean"
        required: true
        default: false
  schedule: "@weekly"
 env:
  TZ: "America/Chicago"
 jobs:
  deploy:
    name: "Setup/Renew certificates"
    runs-on: "homelab"
    steps:
      - name: "Build certificates"
        if: inputs.build_certs
        run: |
          cd /home/matthew/homelab
          bash ./build-certs.sh
      - name: "Renew certificates"
        run: |
          cd /home/matthew/homelab
          docker compose run --rm certbot renew
          docker restart homelab-web-1
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -10,12 +10,8 @@ jobs:
    name: Deploy
    runs-on: homelab
    steps:
-      - name: "Pull latest code"
+      - run: |
        run: |
          cd /home/matthew/homelab
          git checkout main
          git pull
      - name: "Deploy containers"
        run: |
          cd /home/matthew/homelab
          docker compose up -d --remove-orphans
--- a/README.md
+++ b/README.md
@@ -1,45 +0,0 @@
 # My personal homelab setup
 Currently running on a Debian host
 ## Raw data
 Raw data is stored in `/data`, a ZFS data set
 ```bash
 # Install ZFS
 apt update
 apt install linux-headers-amd64
 apt install zfsutils-linux zfs-dkms
 zpool create hdd raidz2 <disks...>
 mkdir -p /data
 zfs create -o mountpoint=/data hdd/data
 zfs set compression=on hdd/data
 ```
 ## act_runner
 ```bash
 pushd /tmp
 wget https://gitea.com/gitea/act_runner/releases/download/v0.2.13/act_runner-0.2.13-linux-amd64.xz
 xz -d act_runner-0.2.13-linux-amd64.xz
 mv act_runner-0.2.13-linux-amd64 /usr/bin/act_runner
 chmod +x /usr/bin/act_runner
 mkdir /home/matthew/act_runner
 ```
 ## Systemd
 ```bash
 # Add services
 ln -s $PWD/*.service /etc/systemd/system/
 systemctl enable homelab
 systemctl start homelab
 cd ~/act_runner
 /usr/bin/act_runner register --config /home/matthew/homelab/host-runner.yaml
 systemctl enable act_runner
 systemctl start act_runner
 ```
--- a/act_runner.service
+++ b/act_runner.service
@@ -1,16 +0,0 @@
 [Unit]
 Description=Gitea Actions runner
 Documentation=https://gitea.com/gitea/act_runner
 After=docker.service
 [Service]
 ExecStart=/usr/bin/act_runner daemon --config /home/matthew/homelab/host-runner.yaml
 ExecReload=/bin/kill -s HUP $MAINPID
 WorkingDirectory=/home/matthew/act_runner
 TimeoutSec=0
 RestartSec=10
 Restart=always
 User=matthew
 [Install]
 WantedBy=multi-user.target
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -6,7 +6,7 @@ authentication_backend:
  password_change:
    disable: false
  file:
-    path: '/data/users.yml'
+    path: '/config/users.yml'
    watch: false
    search:
      email: false
@@ -37,72 +37,18 @@ session:
      remember_me: '1d'
 notifier:
  disable_startup_check: false
-  # filesystem:
+  filesystem:
-  #   filename: '/data/notification.txt'
+    filename: '/config/notification.txt'
  smtp:
    address: 'smtp://mail:25'
    sender: 'Authelia <auth@loadingm.xyz>'
    disable_require_tls: true # Determine if this is needed
    disable_starttls: true
 storage:
  local:
-    path: '/data/db.sqlite3'
+    path: '/config/db.sqlite3'
 access_control:
  default_policy: deny
  rules:
-    - domain: 'servarr.loadingm.xyz'
+    - domain: '*.loadingm.xyz'
      subject:
        - 'group:admins'
      policy: one_factor
    # - domain: '*.loadingm.xyz'
    #   policy: one_factor
 server:
  endpoints:
    authz:
      auth-request:
        implementation: 'AuthRequest'
 identity_providers:
  oidc:
    # enable_client_debug_messages: false
    # minimum_parameter_entropy: 8
    # enforce_pkce: 'public_clients_only'
    # enable_pkce_plain_challenge: false
    # enable_jwt_access_token_stateless_introspection: false
    # discovery_signed_response_alg: 'none'
    # discovery_signed_response_key_id: ''
    # require_pushed_authorization_requests: false
    # authorization_policies:
    #   policy_name:
    #     default_policy: 'two_factor'
    #     rules:
    #       - policy: 'deny'
    #         subject: 'group:services'
    #         networks:
    #           - '192.168.1.0/24'
    #           - '192.168.2.51'
    lifespans:
      access_token: '1h'
      authorize_code: '1m'
      id_token: '1h'
      refresh_token: '90m'
    # claims_policies:
    #   policy_name:
    #     id_token: []
    #     access_token: []
    #     id_token_audience_mode: 'specification'
    #     custom_claims:
    #       claim_name:
    #         name: 'claim_name'
    #         attribute: 'attribute_name'
    # scopes:
    #   scope_name:
    #     claims: []
    # cors:
    #   endpoints:
    #     - 'authorization'
    #     - 'token'
    #     - 'revocation'
    #     - 'introspection'
    #   allowed_origins:
    #     - 'https://example.com'
    #   allowed_origins_from_client_redirect_uris: false
--- a/authelia/secret-template.yml
+++ b/authelia/secret-template.yml
@@ -1,31 +0,0 @@
 # rand() {
 #   docker run --rm authelia/authelia:latest authelia crypto rand --length $1 --charset rfc3986
 # }
 # hash() {
 #   docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length $1 --random.charset rfc3986
 # }
 identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    clients:
      - client_name: 'Gitea'
        client_id: '$(rand 72)'
        client_secret: '$(hash 72)'
        public: false
        authorization_policy: 'two_factor'
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
          - 'https://gitea.loadingm.xyz/user/oauth2/authelia/callback'
        scopes:
          - 'openid'
          - 'email'
          - 'profile'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
--- a/build-certs.sh
+++ b/build-certs.sh
@@ -1,5 +1,5 @@
-docker compose run --rm certbot certonly -v --webroot --webroot-path /var/www/certbot/ \
+docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ \
  -d loadingm.xyz \
  -d gitea.loadingm.xyz \
  -d auth.loadingm.xyz \
@@ -7,6 +7,4 @@ docker compose run --rm certbot certonly -v --webroot --webroot-path /var/www/ce
  -d jellyseerr.loadingm.xyz \
  -d servarr.loadingm.xyz \
  -d karakeep.loadingm.xyz \
-  -d ollama.loadingm.xyz \
+  -d ollama.loadingm.xyz
  -d memos.loadingm.xyz \
  -d gpodder.loadingm.xyz
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -3,13 +3,13 @@ include:
  - ./jellyfin-compose.yaml
 secrets:
  JWT_SECRET:
-    file: '/data/authelia/secrets/JWT_SECRET'
+    file: './authelia/secrets/JWT_SECRET'
  SESSION_SECRET:
-    file: '/data/authelia/secrets/SESSION_SECRET'
+    file: './authelia/secrets/SESSION_SECRET'
  STORAGE_PASSWORD:
-    file: '/data/authelia/secrets/STORAGE_PASSWORD'
+    file: './authelia/secrets/STORAGE_PASSWORD'
  STORAGE_ENCRYPTION_KEY:
-    file: '/data/authelia/secrets/STORAGE_ENCRYPTION_KEY'
+    file: './authelia/secrets/STORAGE_ENCRYPTION_KEY'
 volumes:
  meilisearch:
  karakeep:
@@ -30,12 +30,6 @@ networks:
    external: false
  gitea:
    external: false
  gpodder:
    external: false
  memos:
    external: false
  mail:
    external: false
 services:
  web:
    image: "nginx"
@@ -56,8 +50,6 @@ services:
      - jellyfin-int
      - auth
      - gitea
      - gpodder
      - memos
    depends_on:
      - jellyfin
      - ollama-webui
@@ -65,11 +57,6 @@ services:
      - authelia
      - qbittorrent
      - gitea
      - gpodder
      - memos
    logging: &logging
      options:
        max-size: "50m"
      # Optional - extra fonts to be used during transcoding with subtitle burn-in
      # - type: bind
      #   source: /usr/local/share/fonts/cu
@@ -81,24 +68,20 @@ services:
      - /data/certbot/www/:/var/www/certbot/:rw
      - /data/certbot/conf/:/etc/letsencrypt/:rw
  authelia:
    container_name: 'authelia'
    image: 'docker.io/authelia/authelia:latest'
    command:
      - 'authelia'
      - '--config=/config/configuration.yml'
      - '--config=/data/configuration.yml'
    restart: 'unless-stopped'
    secrets: ['JWT_SECRET', 'SESSION_SECRET', 'STORAGE_PASSWORD', 'STORAGE_ENCRYPTION_KEY']
    networks:
      - auth
      - mail
    environment:
      AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE: '/run/secrets/JWT_SECRET'
      AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
    volumes:
-      - './authelia/:/config:ro'
+      - './authelia/:/config'
-      - '/data/authelia/:/data'
+  # webdav:
-    logging: *logging
+  #   image: ""
  minecraft:
    image: itzg/minecraft-server:latest
    tty: true
@@ -121,36 +104,24 @@ services:
        187eca31-2e33-4199-97e0-2286bf35f7f8
      PAUSE_WHEN_EMPTY_SECONDS: "20"
      ENABLE_ROLLING_LOGS: "true"
      REMOVE_OLD_MODS: "TRUE"
    logging: *logging
    volumes:
-      - "/data/minecraft/data:/data"
+      - "/opt/minecraft:/data"
      - "/data/mincraft/mods:/mods"
      - "/data/mincraft/plugins:/plugins"
      - "/data/mincraft/config:/config"
  gitea:
-    image: docker.gitea.com/gitea:1.24
+    image: gitea/gitea:latest
    environment:
-      - USER_UID=106
+      - USER_UID=1000
-      - USER_GID=110
+      - USER_GID=1000
      - ENABLE_NOTIFY_MAIL=true
      # - 
    restart: unless-stopped
    networks:
      - gitea
      - mail
    volumes:
      - /data/gitea/data:/data
      - /home/git/.ssh/:/data/git/.ssh
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "222:22"
    logging: *logging
    depends_on:
      - authelia
  gitea-runner:
-    image: docker.gitea.com/act_runner:latest
+    image: docker.io/gitea/act_runner:nightly
    restart: unless-stopped
    networks:
      - gitea
@@ -162,53 +133,6 @@ services:
      - /var/run/docker.sock:/var/run/docker.sock
      - /data/gitea/runner/:/data
      - ./gitea-runner.yaml:/config.yaml
    logging: *logging
    depends_on:
      - gitea
  gpodder:
    image: gitea.loadingm.xyz/the10thwiz/gpodder-rs:latest
    restart: unless-stopped
    environment:
      - ROCKET_SECRET_KEY=${GPODDER_SECRET_KEY}
    networks:
      - gpodder
    volumes:
      - /data/gpodder:/data
    logging: *logging
  tftp:
    image: kaczmar2/tftp-server
    restart: unless-stopped
    environment:
      - ENABLE_WEB_SERVER=false
    network_mode: host
    volumes:
      - /data/tftp:/srv/tftp:ro
      - /etc/localtime:/etc/localtime:ro
    logging: *logging
  memos:
    image: neosmemo/memos:stable
    networks:
      - memos
    volumes:
      - /data/memos:/var/opt/memos
    environment:
      - MEMOS_MODE=prod
      - MEMOS_PORT=5230
    restart: unless-stopped
    logging: *logging
  mail:
    image: boky/postfix
    restart: unless-stopped
    logging: *logging
    environment:
      - ALLOWED_SENDER_DOMAINS=loadingm.xyz
      - POSTFIX_myhostname=mail
    volumes:
      - /data/mail:/etc/opendkim/keys
    networks:
      - mail
    ports:
      - 127.0.0.1:25:25
  # calibre:
  #   image: "linuxserver/calibre-web"
  # 5d-diplomacy-frontend:
--- a/gitea-runner.yaml
+++ b/gitea-runner.yaml
@@ -45,7 +45,6 @@ runner:
    - "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
    - "ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04"
    - "rustup-all:docker://gitea.loadingm.xyz/the10thwiz/rustup:latest"
    - "rustup-all-musl:docker://gitea.loadingm.xyz/the10thwiz/rustup:musl-latest"
    - "rustup-stable:docker://gitea.loadingm.xyz/the10thwiz/rustup:stable"
    - "rustup-beta:docker://gitea.loadingm.xyz/the10thwiz/rustup:beta"
    - "rustup-nightly:docker://gitea.loadingm.xyz/the10thwiz/rustup:nightly"
--- a/homelab.service
+++ b/homelab.service
@@ -1,20 +0,0 @@
 [Unit]
 Description=Homelab services
 Requires=docker.service
 After=docker.service
 [Service]
 Restart=always
 User=root
 Group=docker
 TimeoutStopSec=15
 WorkingDirectory=/home/matthew/homelab
 # Shutdown container (if running) when unit is started
 ExecStartPre=/usr/bin/docker compose -f docker-compose.yaml down
 # Start container when unit is started
 ExecStart=/usr/bin/docker compose -f docker-compose.yaml up
 # Stop container when unit is stopped
 ExecStop=/usr/bin/docker compose -f docker-compose.yaml down
 [Install]
 WantedBy=multi-user.target
--- a/jellyfin-compose.yaml
+++ b/jellyfin-compose.yaml
@@ -1,37 +1,7 @@
 services:
  gluetun:
    image: qmcgaw/gluetun
    cap_add:
      - NET_ADMIN
    ports:
      - 8080:8080
      - 51820:51820
      - 51820:51820/udp
      - 46931:46931
      - 46931:46931/udp
    networks:
      - jellyfin-int
    environment:
      - VPN_SERVICE_PROVIDER=custom
      - VPN_TYPE=wireguard
      - VPN_ENDPOINT_IP=${ENDPOINT_IP}
      - VPN_ENDPOINT_PORT=${ENDPOINT_PORT}
      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDR}
      - VPN_DNS_ADDRESS=${DNS_ADDRESS}
      - WIREGUARD_PUBLIC_KEY=${PUBLIC_KEY}
      - WIREGUARD_PRIVATE_KEY=${PRIVATE_KEY}
      - VPN_PORT_FORWARDING=on
      - VPN_PORT_FORWARDING_PROVIDER=protonvpn
      - VPN_PORT_FORWARDING_STATUS_FILE=/tmp/gluetun/forwarded_port
      - TZ=${TZ}
      - UPDATER_PERIOD=24h
    restart: always
    volumes:
      - /data/jellyfin:/data/jellyfin
      - /data/jellyfin/gluetun:/tmp/gluetun
  qbittorrent:
    image: lscr.io/linuxserver/qbittorrent:latest
-    network_mode: service:gluetun
+    container_name: qbittorrent
    environment:
      - WEBUI_PORT=8080
      - PUID=0
@@ -41,18 +11,17 @@ services:
    volumes:
      - /data/jellyfin:/data/jellyfin
      - /data/jellyfin/configs/qbittorrent:/config
-      # - /data/jellyfin/qbittorrent/downloads:/data/jellyfin/qbittorrent/downloads
+      - /data/jellyfin/qbittorrent/downloads:/downloads
-    # ports:
+    ports:
-    #   - 8080:8080
+      - 8080:8080
-    #   - 6881:6881
+      - 6881:6881
-    #   - 6881:6881/udp
+      - 6881:6881/udp
-    # networks:
+    networks:
-    #   - jellyfin-int
+      - jellyfin-int
    depends_on:
      - gluetun
    restart: unless-stopped
  flaresolverr:
    image: ghcr.io/flaresolverr/flaresolverr:latest
    container_name: flaresolverr
    environment:
      - LOG_LEVEL=${LOG_LEVEL:-info}
      - LOG_HTML=${LOG_HTML:-false}
@@ -67,6 +36,7 @@ services:
    restart: unless-stopped
  prowlarr:
    image: lscr.io/linuxserver/prowlarr:latest
    container_name: prowlarr
    environment:
      - PUID=0
      - PGID=0
@@ -80,6 +50,7 @@ services:
    restart: unless-stopped
  jackett:
    image: lscr.io/linuxserver/jackett:latest
    container_name: jackett
    environment:
      - PUID=0
      - PGID=0
@@ -93,6 +64,7 @@ services:
    restart: unless-stopped
  sonarr:
    image: lscr.io/linuxserver/sonarr:latest
    container_name: sonarr
    environment:
      - PUID=0
      - PGID=0
@@ -109,6 +81,7 @@ services:
    restart: unless-stopped
  radarr:
    image: lscr.io/linuxserver/radarr:latest
    container_name: radarr
    environment:
      - PUID=0
      - PGID=0
@@ -125,6 +98,7 @@ services:
    restart: unless-stopped
  jellyfin:
    image: lscr.io/linuxserver/jellyfin:latest
    container_name: jellyfin
    environment:
      - PUID=0
      - PGID=0
@@ -147,20 +121,9 @@ services:
      - /data/jellyfin/radarr/movies:/data/movies
      - /data/jellyfin/qbittorrent/downloads:/data/media_downloads
    restart: unless-stopped
    group_add:
      - '993'
    devices:
      - /dev/dri/renderD128:/dev/dri/renderD128
    # runtime: nvidia
    # deploy:
    #   resources:
    #     reservations:
    #       devices:
    #         - driver: intel
    #           count: all
    #           capabilities: [gpu]
  jellyseerr:
    image: fallenbagel/jellyseerr:latest
    container_name: jellyseerr
    environment:
      - LOG_LEVEL=debug
      - TZ=${TZ}
--- a/karakeep-compose.yaml
+++ b/karakeep-compose.yaml
@@ -52,10 +52,11 @@ services:
    networks:
      - karakeep-int
  ollama:
-    image: docker.io/ollama/ollama:0.11.10
+    image: docker.io/ollama/ollama:latest
    volumes:
      - .:/code
      - /data/library/ollama/ollama:/root/.ollama
    container_name: ollama
    pull_policy: always
    tty: true
    restart: always
@@ -68,6 +69,7 @@ services:
  ollama-webui:
    image: ghcr.io/open-webui/open-webui:main
    container_name: ollama-webui
    volumes:
      - /data/library/ollama/ollama-webui:/app/backend/data
    depends_on:
--- a/nginx/sites-enabled/gpodder
+++ b/nginx/sites-enabled/gpodder
@@ -1,80 +0,0 @@
 ##
 # You should look at the following URL's in order to grasp a solid understanding
 # of Nginx configuration files in order to fully unleash the power of Nginx.
 # https://www.nginx.com/resources/wiki/start/
 # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
 # https://wiki.debian.org/Nginx/DirectoryStructure
 #
 # In most cases, administrators will remove this file from sites-enabled/ and
 # leave it as reference inside of sites-available where it will continue to be
 # updated by the nginx packaging team.
 #
 # This file will automatically load configuration files provided by other
 # applications, such as Drupal or Wordpress. These applications will be made
 # available underneath a path with that package name, such as /drupal8.
 #
 # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
 ##
 server {
    listen 80;
    listen [::]:80;
    server_name gpodder.loadingm.xyz;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    # Uncomment to redirect HTTP to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
 }
 # Default server configuration
 #
 server {
 	# SSL configuration
 	listen 443 ssl;
 	listen [::]:443 ssl;
    http2 on;
 	server_name gpodder.loadingm.xyz;
    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
    # Security / XSS Mitigation Headers
    add_header X-Content-Type-Options "nosniff";
    # Permissions policy. May cause issues with some clients
    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
    # Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
    add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        # Proxy main karakeep traffic
        proxy_pass http://gpodder:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }
 }
--- a/nginx/sites-enabled/karakeep
+++ b/nginx/sites-enabled/karakeep
@@ -40,17 +40,7 @@ server {
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
-    set $CSP "default-src https: data: blob:";
+    add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
    set $CSP "$CSP; img-src 'self' https://* data:";
    set $CSP "$CSP; style-src 'self' 'unsafe-inline' data:";
    set $CSP "$CSP; style-src-elem 'self' 'unsafe-inline' data:";
    set $CSP "$CSP; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtubse.com blob: data:";
    set $CSP "$CSP; worker-src 'self' blob: data:";
    set $CSP "$CSP; connect-src 'self' data:";
    set $CSP "$CSP; object-src 'none' data:";
    set $CSP "$CSP; frame-ancestors 'self' data:";
    set $CSP "$CSP; font-src 'self' data:";
    add_header Content-Security-Policy $CSP;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
@@ -65,7 +55,6 @@ server {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_hide_header Content-Security-Policy;
        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
--- a/nginx/sites-enabled/memos
+++ b/nginx/sites-enabled/memos
@@ -1,62 +0,0 @@
 server {
    listen 80;
    listen [::]:80;
    server_name memos.loadingm.xyz;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    # Uncomment to redirect HTTP to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
 }
 server {
    # Nginx versions 1.25+
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name memos.loadingm.xyz;
    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
    client_max_body_size 200G;
    ssl_certificate /etc/letsencrypt/live/loadingm.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/loadingm.xyz/privkey.pem;
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/loadingm.xyz/chain.pem;
    # Security / XSS Mitigation Headers
    add_header X-Content-Type-Options "nosniff";
    # Permissions policy. May cause issues with some clients
    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
    # Content Security Policy
    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
    # Enforces https content and restricts JS/CSS to origin
    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
        add_header Content-Security-Policy "default-src https: data: blob: ; img-src 'self' https://* ; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'; font-src 'self'";
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        # Proxy main karakeep traffic
        proxy_pass http://memos:5230;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }
 }
--- a/nginx/sites-enabled/servarr
+++ b/nginx/sites-enabled/servarr
@@ -13,8 +13,7 @@ server {
    location /qbt/ {
        # include /etc/nginx/snippets/proxy.conf;
        include /etc/nginx/snippets/authelia-authrequest.conf;
-        # proxy_pass http://qbittorrent:8080/;
+        proxy_pass http://qbittorrent:8080/;
        proxy_pass http://gluetun:8080/;
        proxy_http_version 1.1;
        proxy_set_header   Host               $proxy_host;
        proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;