From 05c6d47c4566c66c4617afc043df9a878d529614 Mon Sep 17 00:00:00 2001
From: Mathieu Strypsteen
Date: Fri, 3 Jan 2025 12:17:37 +0100
Subject: [PATCH] Rework TLS config
---
 container-config/caddy/Caddyfile | 26 ++++++++++++++++++-
 container-config/certbot/run-certbot | 2 +-
 gpu/etc/containers/systemd/invokeai.container | 1 +
 gpu/etc/containers/systemd/ollama.container | 2 ++
 4 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/container-config/caddy/Caddyfile b/container-config/caddy/Caddyfile
index d4c38f4..ff2a09b 100644
--- a/container-config/caddy/Caddyfile
+++ b/container-config/caddy/Caddyfile
@@ -1,5 +1,4 @@
 (base) {
- tls /etc/certificates/fullchain.pem /etc/certificates/privkey.pem
 header {
 >Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
 >X-Frame-Options SAMEORIGIN
@@ -7,6 +6,9 @@
 >Referrer-Policy no-referrer
 }
 }
+(tls) {
+ tls /etc/certificates/fullchain.pem /etc/certificates/privkey.pem
+}
 (local-only) {
 @abort not remote_ip 192.168.0.0/16
 abort @abort
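Review bot: With `tls` moved out of `(base)` into the opt-in `(tls)` snippet, any site block that imports `base` but forgets `import tls` no longer uses the certbot-issued wildcard and instead falls back to Caddy's automatic certificate management, and nothing in the file records that this is the intent for the blocks that omit it (the `strypsteen.me` sites, judging by the certbot change in the same patch). A one-line comment on the new snippet would make the contract explicit: `# certbot-issued wildcard; sites that omit "import tls" use Caddy's automatic HTTPS`. The same observation applies to every `import tls` line added in the later Caddyfile hunks.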
@@ -26,40 +28,52 @@ strypsteen.me {
 }
 auth.strypsteen.com {
 import base
+ import tls
 reverse_proxy http://systemd-keycloak:8080
 }
 chat.strypsteen.com {
 import base
+ import local-only
+ import tls
 reverse_proxy http://home.server.home.arpa:8001
 }
 cloud.strypsteen.com {
 import base
+ import tls
 reverse_proxy http://home.server.home.arpa:8002
 }
 code.strypsteen.com, *.code-proxy.strypsteen.com {
 import base
+ import local-only
+ import tls
 reverse_proxy http://sandbox.server.home.arpa:8080
 }
 matrix.strypsteen.com {
 import base
+ import tls
 reverse_proxy http://home.server.home.arpa:8005
 }
 git.strypsteen.com {
 import base
+ import tls
 reverse_proxy http://systemd-forgejo:3000
 }
 llm.strypsteen.com {
 import base
 import local-only
+ import tls
 reverse_proxy http://home.server.home.arpa:8004
 }
 metrics.strypsteen.com {
 import base
+ import tls
 reverse_proxy /api/v1/write http://systemd-prometheus:9090
 reverse_proxy /loki/api/v1/push http://systemd-loki:3100
 }
 monitoring.strypsteen.com {
 import base
+ import local-only
+ import tls
 reverse_proxy http://systemd-grafana:3000
 }
 mta-sts.strypsteen.me {
@@ -75,6 +89,7 @@ mta-sts.strypsteen.me {
 network.strypsteen.com {
 import base
 import local-only
+ import tls
 reverse_proxy https://home.server.home.arpa:8009 {
 transport http {
 tls_insecure_skip_verify
@@ -83,6 +98,7 @@ network.strypsteen.com {
 }
 office.strypsteen.com {
 import base
+ import tls
 reverse_proxy https://home.server.home.arpa:8010 {
 transport http {
 tls_insecure_skip_verify
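Review bot: In the `metrics.strypsteen.com` block the Prometheus remote-write path and the Loki push path are proxied with neither `import local-only` nor any authentication visible in the hunk, so as written any client that reaches the host can inject metrics and log lines. If the agents authenticate upstream or the check lives outside this file, a comment on that block saying so would help; otherwise `import local-only` or a `basic_auth` block like the one `imagegen.strypsteen.com` already carries seems warranted. The `network.strypsteen.com` and `office.strypsteen.com` hunks that follow keep `tls_insecure_skip_verify` on their upstream transports; a short comment on why the upstream certificate cannot be verified would make it clear this is deliberate rather than a leftover.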
@@ -91,15 +107,18 @@ office.strypsteen.com {
 }
 photos.strypsteen.com {
 import base
+ import tls
 reverse_proxy http://home.server.home.arpa:8006
 }
 push.strypsteen.com {
 import base
+ import tls
 reverse_proxy http://home.server.home.arpa:8003
 }
 remote-desktop.strypsteen.com {
 import base
 import local-only
+ import tls
 header >Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
 reverse_proxy https://gpu.server.home.arpa:47990 {
 transport http {
@@ -109,20 +128,25 @@ remote-desktop.strypsteen.com {
 }
 vault.strypsteen.com {
 import base
+ import local-only
+ import tls
 reverse_proxy http://systemd-vaultwarden
 }
 xmr.strypsteen.com {
 import base
+ import tls
 reverse_proxy http://home.server.home.arpa:8012
 }
 textgen.strypsteen.com {
 import base
 import local-only
+ import tls
 reverse_proxy http://gpu.server.home.arpa:11434
 }
 imagegen.strypsteen.com {
 import base
 import local-only
+ import tls
 basic_auth {
 mathieu {$INVOKEAI_PASSWORD}
 }
diff --git a/container-config/certbot/run-certbot b/container-config/certbot/run-certbot
index 2f18a67..ca6c653 100755
--- a/container-config/certbot/run-certbot
+++ b/container-config/certbot/run-certbot
@@ -4,7 +4,7 @@ certbot register --agree-tos --no-eff-email -m mathieu@strypsteen.me
 if [ "$CERTBOT_TYPE" = vps ]; then
 certbot certonly --standalone -d vps.strypsteen.com
 else
- certbot certonly --dns-cloudflare --dns-cloudflare-credentials /run/secrets/cloudflare --dns-cloudflare-propagation-seconds 30 -d strypsteen.com -d '*.strypsteen.com' -d strypsteen.me -d '*.strypsteen.me' -d '*.code-proxy.strypsteen.com'
+ certbot certonly --dns-cloudflare --dns-cloudflare-credentials /run/secrets/cloudflare --dns-cloudflare-propagation-seconds 20 -d strypsteen.com -d '*.strypsteen.com' -d '*.code-proxy.strypsteen.com'
 fi
 cp /etc/letsencrypt/live/*/fullchain.pem /etc/certificates
 chmod 644 /etc/letsencrypt/live/*/privkey.pem
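Review bot: In the run-certbot hunk, `chmod 644 /etc/letsencrypt/live/*/privkey.pem` leaves the wildcard private key readable by every user and process on the host, and if the copy into /etc/certificates preserves that mode the same applies to the file Caddy reads; the script continues past the hunk, so the privkey copy step itself is not visible here. Restricting the key to its owner and the group Caddy runs as, e.g. `chmod 640` after a `chown` to that group, keeps it usable by the proxy without exposing it host-wide. Lowering `--dns-cloudflare-propagation-seconds` from 30 to 20 is harmless when propagation is fast but makes DNS-01 validation more likely to fail on a slow day; since this script also runs at renewal, a failed run should be surfaced by whatever schedules it rather than silently leaving the old certificate in place.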
diff --git a/gpu/etc/containers/systemd/invokeai.container b/gpu/etc/containers/systemd/invokeai.container
index 3f1f2fc..120d83e 100644
--- a/gpu/etc/containers/systemd/invokeai.container
+++ b/gpu/etc/containers/systemd/invokeai.container
@@ -1,5 +1,6 @@
 [Container]
 Image=ghcr.io/invoke-ai/invokeai:5-cuda
+UserNS=auto:uidmapping=0:0:1
 AddDevice=nvidia.com/gpu=all
 Volume=systemd-invokeai:/invokeai:U,Z
 PublishPort=10.0.2.2:9090:9090
diff --git a/gpu/etc/containers/systemd/ollama.container b/gpu/etc/containers/systemd/ollama.container
index 6a387b6..9bdea18 100644
--- a/gpu/etc/containers/systemd/ollama.container
+++ b/gpu/etc/containers/systemd/ollama.container
@@ -1,7 +1,9 @@
 [Container]
 Image=docker.io/ollama/ollama
+UserNS=auto:uidmapping=0:0:1
 AddDevice=nvidia.com/gpu=all
 Volume=systemd-ollama:/root/.ollama/models:U,Z
+Environment=OLLAMA_FLASH_ATTENTION=true
 Environment=OLLAMA_NOHISTORY=true
 PublishPort=10.0.2.2:11434:11434
 AutoUpdate=registry
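Review bot: `UserNS=auto:uidmapping=0:0:1`, added identically in the invokeai.container and ollama.container hunks, forces an extra mapping into the otherwise automatically allocated user namespace, and if (as the option's CONTAINER_UID:HOST_UID:SIZE form suggests) it maps container uid 0 onto host uid 0, the process running as root inside either container is real root on the host for anything it can reach, which undoes most of what `auto` buys. That is presumably needed for the `AddDevice=nvidia.com/gpu=all` device nodes, but nothing in the unit says so; a comment such as `# uidmapping=0:0:1: container root == host root, required for GPU device access - revisit if a non-root owner for the device nodes is possible` would record the trade-off. If the device nodes are group-owned, mapping only the relevant gid instead of host uid 0 is worth testing before settling on this.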