Rework TLS config
parent
b24dff8331
commit
05c6d47c45
4 changed files with 29 additions and 2 deletions
|
@ -1,5 +1,4 @@
|
|||
(base) {
|
||||
tls /etc/certificates/fullchain.pem /etc/certificates/privkey.pem
|
||||
header {
|
||||
>Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
|
||||
>X-Frame-Options SAMEORIGIN
|
||||
|
@ -7,6 +6,9 @@
|
|||
>Referrer-Policy no-referrer
|
||||
}
|
||||
}
|
||||
(tls) {
|
||||
tls /etc/certificates/fullchain.pem /etc/certificates/privkey.pem
|
||||
}
|
||||
(local-only) {
|
||||
@abort not remote_ip 192.168.0.0/16
|
||||
abort @abort
|
||||
|
@ -26,40 +28,52 @@ strypsteen.me {
|
|||
}
|
||||
auth.strypsteen.com {
|
||||
import base
|
||||
import tls
|
||||
reverse_proxy http://systemd-keycloak:8080
|
||||
}
|
||||
chat.strypsteen.com {
|
||||
import base
|
||||
import local-only
|
||||
import tls
|
||||
reverse_proxy http://home.server.home.arpa:8001
|
||||
}
|
||||
cloud.strypsteen.com {
|
||||
import base
|
||||
import tls
|
||||
reverse_proxy http://home.server.home.arpa:8002
|
||||
}
|
||||
code.strypsteen.com, *.code-proxy.strypsteen.com {
|
||||
import base
|
||||
import local-only
|
||||
import tls
|
||||
reverse_proxy http://sandbox.server.home.arpa:8080
|
||||
}
|
||||
matrix.strypsteen.com {
|
||||
import base
|
||||
import tls
|
||||
reverse_proxy http://home.server.home.arpa:8005
|
||||
}
|
||||
git.strypsteen.com {
|
||||
import base
|
||||
import tls
|
||||
reverse_proxy http://systemd-forgejo:3000
|
||||
}
|
||||
llm.strypsteen.com {
|
||||
import base
|
||||
import local-only
|
||||
import tls
|
||||
reverse_proxy http://home.server.home.arpa:8004
|
||||
}
|
||||
metrics.strypsteen.com {
|
||||
import base
|
||||
import tls
|
||||
reverse_proxy /api/v1/write http://systemd-prometheus:9090
|
||||
reverse_proxy /loki/api/v1/push http://systemd-loki:3100
|
||||
}
|
||||
monitoring.strypsteen.com {
|
||||
import base
|
||||
import local-only
|
||||
import tls
|
||||
reverse_proxy http://systemd-grafana:3000
|
||||
}
|
||||
mta-sts.strypsteen.me {
|
||||
|
@ -75,6 +89,7 @@ mta-sts.strypsteen.me {
|
|||
network.strypsteen.com {
|
||||
import base
|
||||
import local-only
|
||||
import tls
|
||||
reverse_proxy https://home.server.home.arpa:8009 {
|
||||
transport http {
|
||||
tls_insecure_skip_verify
|
||||
|
@ -83,6 +98,7 @@ network.strypsteen.com {
|
|||
}
|
||||
office.strypsteen.com {
|
||||
import base
|
||||
import tls
|
||||
reverse_proxy https://home.server.home.arpa:8010 {
|
||||
transport http {
|
||||
tls_insecure_skip_verify
|
||||
|
@ -91,15 +107,18 @@ office.strypsteen.com {
|
|||
}
|
||||
photos.strypsteen.com {
|
||||
import base
|
||||
import tls
|
||||
reverse_proxy http://home.server.home.arpa:8006
|
||||
}
|
||||
push.strypsteen.com {
|
||||
import base
|
||||
import tls
|
||||
reverse_proxy http://home.server.home.arpa:8003
|
||||
}
|
||||
remote-desktop.strypsteen.com {
|
||||
import base
|
||||
import local-only
|
||||
import tls
|
||||
header >Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
|
||||
reverse_proxy https://gpu.server.home.arpa:47990 {
|
||||
transport http {
|
||||
|
@ -109,20 +128,25 @@ remote-desktop.strypsteen.com {
|
|||
}
|
||||
vault.strypsteen.com {
|
||||
import base
|
||||
import local-only
|
||||
import tls
|
||||
reverse_proxy http://systemd-vaultwarden
|
||||
}
|
||||
xmr.strypsteen.com {
|
||||
import base
|
||||
import tls
|
||||
reverse_proxy http://home.server.home.arpa:8012
|
||||
}
|
||||
textgen.strypsteen.com {
|
||||
import base
|
||||
import local-only
|
||||
import tls
|
||||
reverse_proxy http://gpu.server.home.arpa:11434
|
||||
}
|
||||
imagegen.strypsteen.com {
|
||||
import base
|
||||
import local-only
|
||||
import tls
|
||||
basic_auth {
|
||||
mathieu {$INVOKEAI_PASSWORD}
|
||||
}
|
||||
|
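Review bot: The new `(tls)` snippet hands every site the same `/etc/certificates/fullchain.pem`, while the certbot change in this same commit drops `strypsteen.me` and `*.strypsteen.me` from the certificate request; the `strypsteen.me` and `mta-sts.strypsteen.me` blocks (their bodies lie outside the hunks) would then present a certificate that does not list their names if they also `import tls` or still depend on the cert `(base)` used to carry. Either keep the `.me` names in the request or give those sites their own `tls` directive (or Caddy's automatic issuance) so the two files cannot drift apart again. A one-line comment on the snippet would make the coupling visible to the next editor: `# cert issued by the certbot script; covers strypsteen.com, *.strypsteen.com and *.code-proxy.strypsteen.com only`. Also worth confirming that the header-only `(base)` is still what the `.me` sites want, since nothing in the snippet now enforces HTTPS for a site that forgets `import tls`.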
|
|
@ -4,7 +4,7 @@ certbot register --agree-tos --no-eff-email -m mathieu@strypsteen.me
|
|||
if [ "$CERTBOT_TYPE" = vps ]; then
|
||||
certbot certonly --standalone -d vps.strypsteen.com
|
||||
else
|
||||
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /run/secrets/cloudflare --dns-cloudflare-propagation-seconds 30 -d strypsteen.com -d '*.strypsteen.com' -d strypsteen.me -d '*.strypsteen.me' -d '*.code-proxy.strypsteen.com'
|
||||
certbot certonly --dns-cloudflare --dns-cloudflare-credentials /run/secrets/cloudflare --dns-cloudflare-propagation-seconds 20 -d strypsteen.com -d '*.strypsteen.com' -d '*.code-proxy.strypsteen.com'
|
||||
fi
|
||||
cp /etc/letsencrypt/live/*/fullchain.pem /etc/certificates
|
||||
chmod 644 /etc/letsencrypt/live/*/privkey.pem
|
||||
|
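Review bot: `chmod 644 /etc/letsencrypt/live/*/privkey.pem` makes the TLS private key readable by every local account, undoing certbot's owner-only default on the key; if the intent is to let the Caddy process read it, give the copy in `/etc/certificates` the group Caddy runs as and use `chmod 640` on that copy instead (the group name is not on the page). The `cp` line only copies `fullchain.pem`, yet the Caddyfile's `(tls)` snippet also loads `/etc/certificates/privkey.pem`; if the key is copied on a line outside the hunk that is fine, otherwise Caddy will fail to load the pair. The `/etc/letsencrypt/live/*/` glob also silently overwrites if more than one lineage exists on the host. Lowering `--dns-cloudflare-propagation-seconds` from 30 to 20 narrows the DNS-01 margin, and a failed issuance goes unnoticed because the script never checks certbot's exit status; `set -e` at the top of the script (outside the hunk) or `|| exit 1` on the certbot lines would surface it before the stale files are copied.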
|
|
@ -1,5 +1,6 @@
|
|||
[Container]
|
||||
Image=ghcr.io/invoke-ai/invokeai:5-cuda
|
||||
UserNS=auto:uidmapping=0:0:1
|
||||
AddDevice=nvidia.com/gpu=all
|
||||
Volume=systemd-invokeai:/invokeai:U,Z
|
||||
PublishPort=10.0.2.2:9090:9090
|
||||
|
|
|
@ -1,7 +1,9 @@
|
|||
[Container]
|
||||
Image=docker.io/ollama/ollama
|
||||
UserNS=auto:uidmapping=0:0:1
|
||||
AddDevice=nvidia.com/gpu=all
|
||||
Volume=systemd-ollama:/root/.ollama/models:U,Z
|
||||
Environment=OLLAMA_FLASH_ATTENTION=true
|
||||
Environment=OLLAMA_NOHISTORY=true
|
||||
PublishPort=10.0.2.2:11434:11434
|
||||
AutoUpdate=registry
|
||||
|
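Review bot: `Image=docker.io/ollama/ollama` carries no tag, so combined with `AutoUpdate=registry` the unit re-pulls whatever the registry's default tag resolves to on each update run, with nothing in the unit recording which build is deployed (which of these lines is new cannot be told from the rendered page). Pin a version tag so `AutoUpdate=registry` tracks a deliberate line, e.g. `Image=docker.io/ollama/ollama:<VERSION_TAG>`, or pin a digest (`@sha256:<DIGEST>`) and drop `AutoUpdate` if updates should be manual. The same floating-tag concern applies to `Image=ghcr.io/invoke-ai/invokeai:5-cuda` in the other unit. The service is published as plain HTTP on `10.0.2.2:11434`; the Caddy `textgen` site fronts it with `local-only`, but whether that address is reachable only from the proxy host is not visible here and is worth a comment on the `PublishPort` line.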
|