diff --git a/container-config/caddy/Caddyfile b/container-config/caddy/Caddyfile
new file mode 100644
index 0000000..9c4f966
--- /dev/null
+++ b/container-config/caddy/Caddyfile
@@ -0,0 +1,117 @@
+(base) {
+ tls /etc/certificates/fullchain.pem /etc/certificates/privkey.pem
+ header {
+ >Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+ >X-Frame-Options SAMEORIGIN
+ >X-Content-Type-Options nosniff
+ >Referrer-Policy no-referrer
+ }
+}
+(local-only) {
+ @abort not remote_ip 192.168.0.0/16
+ abort @abort
+}
+strypsteen.me {
+ import base
+ root /var/www
+ file_server
+ header Content-Security-Policy "default-src 'self'"
+ header /.well-known/matrix/client Access-Control-Allow-Origin *
+ respond /.well-known/matrix/client <Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
+ reverse_proxy https://gpu.server.home.arpa:47990 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+}
+vault.strypsteen.com {
+ import base
+ reverse_proxy http://systemd-vaultwarden
+}
+xmr.strypsteen.com {
+ import base
+ reverse_proxy http://home.server.home.arpa:8012
+}
diff --git a/container-config/nginx/mime.types b/container-config/nginx/mime.types
deleted file mode 100644
index 745f5ac..0000000
--- a/container-config/nginx/mime.types
+++ /dev/null
@@ -1,5 +0,0 @@
-types {
- application/javascript js;
- text/css css;
- text/html html;
-}
diff --git a/container-config/nginx/nginx.conf b/container-config/nginx/nginx.conf
deleted file mode 100644
index a686c20..0000000
--- a/container-config/nginx/nginx.conf
+++ /dev/null
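Review bot: The `reverse_proxy https://gpu.server.home.arpa:47990` block disables upstream certificate verification with `tls_insecure_skip_verify`, carrying over the `proxy_ssl_verify off` of the deleted nginx `remote-desktop` site instead of fixing it, so anything that can answer on that internal path can stand in for the upstream. If that upstream presents a self-signed certificate, pin it rather than skipping verification: `tls_trusted_ca_certs /etc/certificates/<upstream-ca>.pem` (placeholder path) in the `transport http` block, with `tls_server_name` if the name differs. The `(local-only)` snippet gates on `remote_ip`, which is the TCP peer and is only meaningful while Caddy is the first hop; a comment such as `# remote_ip is the TCP peer; if a proxy is ever placed in front of Caddy, switch to trusted_proxies + client_ip` would record that assumption. Part of this hunk appears truncated in the rendering (`respond /.well-known/matrix/client <Content-Security-Policy ...`), so the site blocks between those points, including whichever ones import `local-only`, could not be reviewed here.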
@@ -1,46 +0,0 @@
-pid /tmp/nginx.pid;
-
-http {
- types_hash_max_size 4096;
- ssl_certificate /etc/certificates/fullchain.pem;
- ssl_certificate_key /etc/certificates/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
- ssl_prefer_server_ciphers on;
- charset utf-8;
- http2 on;
- gzip on;
- include mime.types;
- map $scheme $hsts {
- https "max-age=63072000; includeSubDomains; preload";
- }
- include snippets/headers.conf;
- include snippets/csp.conf;
- sendfile on;
- tcp_nodelay on;
- tcp_nopush on;
- access_log off;
- error_log /dev/null;
- ssl_stapling on;
- ssl_stapling_verify on;
- client_max_body_size 0;
- proxy_read_timeout 600;
- proxy_send_timeout 600;
- resolver host.containers.internal;
- include /etc/nginx/sites/*;
- server {
- listen 80;
- listen [::]:80;
- return 301 https://$host$request_uri;
- }
- server {
- listen 443 ssl default_server;
- listen [::]:443 ssl default_server;
- location / {
- return 404;
- }
- }
-}
-events {
- worker_connections 1024;
-}
diff --git a/container-config/nginx/sites/auth b/container-config/nginx/sites/auth
deleted file mode 100644
index 337d8f9..0000000
--- a/container-config/nginx/sites/auth
+++ /dev/null
@@ -1,11 +0,0 @@
-server {
- server_name auth.strypsteen.com;
- listen 443 ssl;
- listen [::]:443 ssl;
- include snippets/headers.conf;
- location / {
- set $upstream systemd-keycloak.;
- proxy_pass http://$upstream:8080;
- include snippets/proxy.conf;
- }
-}
diff --git a/container-config/nginx/sites/base b/container-config/nginx/sites/base
deleted file mode 100644
index 92a1c1e..0000000
--- a/container-config/nginx/sites/base
+++ /dev/null
@@ -1,17 +0,0 @@
-server {
- server_name strypsteen.me;
- listen 443 ssl;
- listen [::]:443 ssl;
- root /var/www;
- location = /.well-known/matrix/client {
- include snippets/headers.conf;
- include snippets/csp.conf;
- add_header Access-Control-Allow-Origin *;
- return 200 '{"m.homeserver": {"base_url": "https://matrix.strypsteen.com"}}';
- }
- location = /.well-known/matrix/server {
- return 200 '{"m.server": "matrix.strypsteen.com:443"}';
- }
- add_before_body /header.html;
- add_after_body /footer.html;
-}
diff --git a/container-config/nginx/sites/chat b/container-config/nginx/sites/chat
deleted file mode 100644
index 16c1cfb..0000000
--- a/container-config/nginx/sites/chat
+++ /dev/null
@@ -1,11 +0,0 @@
-server {
- server_name chat.strypsteen.com;
- listen 443 ssl;
- listen [::]:443 ssl;
- include snippets/headers.conf;
- location / {
- set $upstream home.server.home.arpa;
- proxy_pass http://$upstream:8001;
- include snippets/proxy.conf;
- }
-}
diff --git a/container-config/nginx/sites/cloud b/container-config/nginx/sites/cloud
deleted file mode 100644
index 3d8f91e..0000000
--- a/container-config/nginx/sites/cloud
+++ /dev/null
@@ -1,11 +0,0 @@
-server {
- server_name cloud.strypsteen.com;
- listen 443 ssl;
- listen [::]:443 ssl;
- include snippets/headers.conf;
- location / {
- set $upstream home.server.home.arpa;
- proxy_pass http://$upstream:8002;
- include snippets/proxy.conf;
- }
-}
diff --git a/container-config/nginx/sites/code b/container-config/nginx/sites/code
deleted file mode 100644
index 7f0bfda..0000000
--- a/container-config/nginx/sites/code
+++ /dev/null
@@ -1,15 +0,0 @@
-server {
- server_name code.strypsteen.com;
- server_name *.code-proxy.strypsteen.com;
- listen 443 ssl;
- listen [::]:443 ssl;
- include snippets/headers.conf;
- location / {
- set $upstream sandbox.server.home.arpa;
- proxy_pass http://$upstream:8080;
- include snippets/proxy.conf;
- proxy_http_version 1.1;
- proxy_set_header Connection upgrade;
- proxy_set_header Upgrade $http_upgrade;
- }
-}
diff --git a/container-config/nginx/sites/git b/container-config/nginx/sites/git
deleted file mode 100644
index 23591a8..0000000
--- a/container-config/nginx/sites/git
+++ /dev/null
@@ -1,13 +0,0 @@
-server {
- server_name git.strypsteen.com;
- listen 443 ssl;
- listen [::]:443 ssl;
- include snippets/headers.conf;
- add_header Content-Security-Policy "default-src 'self'; font-src 'self' data:; img-src 'self' data:; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
- location / {
- set $upstream systemd-forgejo.;
- proxy_pass http://$upstream:3000;
- include snippets/proxy.conf;
- proxy_hide_header Content-Security-Policy;
- }
-}
diff --git a/container-config/nginx/sites/llm b/container-config/nginx/sites/llm
deleted file mode 100644
index a4200a6..0000000
--- a/container-config/nginx/sites/llm
+++ /dev/null
@@ -1,12 +0,0 @@
-server {
- server_name llm.strypsteen.com;
- listen 443 ssl;
- listen [::]:443 ssl;
- include snippets/headers.conf;
- include snippets/local-only.conf;
- location / {
- set $upstream home.server.home.arpa;
- proxy_pass http://$upstream:8004;
- include snippets/proxy.conf;
- }
-}
diff --git a/container-config/nginx/sites/matrix b/container-config/nginx/sites/matrix
deleted file mode 100644
index 1b0cffa..0000000
--- a/container-config/nginx/sites/matrix
+++ /dev/null
@@ -1,11 +0,0 @@
-server {
- server_name matrix.strypsteen.com;
- listen 443 ssl;
- listen [::]:443 ssl;
- include snippets/headers.conf;
- location / {
- set $upstream home.server.home.arpa;
- proxy_pass http://$upstream:8005;
- include snippets/proxy.conf;
- }
-}
diff --git a/container-config/nginx/sites/metrics b/container-config/nginx/sites/metrics
deleted file mode 100644
index 457c85d..0000000
--- a/container-config/nginx/sites/metrics
+++ /dev/null
@@ -1,16 +0,0 @@
-server {
- server_name metrics.strypsteen.com;
- listen 443 ssl;
- listen [::]:443 ssl;
- include snippets/headers.conf;
- location = /api/v1/write {
- set $upstream systemd-prometheus.;
- proxy_pass http://$upstream:9090;
- include snippets/proxy.conf;
- }
- location = /loki/api/v1/push {
- set $upstream systemd-loki.;
- proxy_pass http://$upstream:3100;
- include snippets/proxy.conf;
- }
-}
diff --git a/container-config/nginx/sites/monitoring b/container-config/nginx/sites/monitoring
deleted file mode 100644
index cf86e82..0000000
--- a/container-config/nginx/sites/monitoring
+++ /dev/null
@@ -1,15 +0,0 @@
-server {
- server_name monitoring.strypsteen.com;
- listen 443 ssl;
- listen [::]:443 ssl;
- include snippets/headers.conf;
- include snippets/local-only.conf;
- location / {
- set $upstream systemd-grafana.;
- proxy_pass http://$upstream:3000;
- include snippets/proxy.conf;
- proxy_http_version 1.1;
- proxy_set_header Connection upgrade;
- proxy_set_header Upgrade $http_upgrade;
- }
-}
diff --git a/container-config/nginx/sites/mta-sts b/container-config/nginx/sites/mta-sts
deleted file mode 100644
index 47a1d06..0000000
--- a/container-config/nginx/sites/mta-sts
+++ /dev/null
@@ -1,11 +0,0 @@
-server {
- server_name mta-sts.strypsteen.me;
- listen 443 ssl;
- listen [::]:443 ssl;
- location = /.well-known/mta-sts.txt {
- return 200 "version: STSv1\nmode: enforce\nmx: vps.strypsteen.com\nmax_age: 1209600";
- }
- location / {
- return 404;
- }
-}
diff --git a/container-config/nginx/sites/network b/container-config/nginx/sites/network
deleted file mode 100644
index 035f114..0000000
--- a/container-config/nginx/sites/network
+++ /dev/null
@@ -1,17 +0,0 @@
-server {
- server_name network.strypsteen.com;
- listen 443 ssl;
- listen [::]:443 ssl;
- include snippets/headers.conf;
- include snippets/local-only.conf;
- add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'" always;
- location / {
- set $upstream home.server.home.arpa;
- proxy_pass https://$upstream:8009;
- proxy_ssl_verify off;
- include snippets/proxy.conf;
- proxy_http_version 1.1;
- proxy_set_header Connection upgrade;
- proxy_set_header Upgrade $http_upgrade;
- }
-}
diff --git a/container-config/nginx/sites/office b/container-config/nginx/sites/office
deleted file mode 100644
index 3072ffe..0000000
--- a/container-config/nginx/sites/office
+++ /dev/null
@@ -1,15 +0,0 @@
-server {
- server_name office.strypsteen.com;
- listen 443 ssl;
- listen [::]:443 ssl;
- include snippets/headers.conf;
- location / {
- set $upstream home.server.home.arpa;
- proxy_pass https://$upstream:8010;
- proxy_ssl_verify off;
- include snippets/proxy.conf;
- proxy_http_version 1.1;
- proxy_set_header Connection upgrade;
- proxy_set_header Upgrade $http_upgrade;
- }
-}
diff --git a/container-config/nginx/sites/photos b/container-config/nginx/sites/photos
deleted file mode 100644
index 8be0e24..0000000
--- a/container-config/nginx/sites/photos
+++ /dev/null
@@ -1,14 +0,0 @@
-server {
- server_name photos.strypsteen.com;
- listen 443 ssl;
- listen [::]:443 ssl;
- include snippets/headers.conf;
- location / {
- set $upstream home.server.home.arpa;
- proxy_pass http://$upstream:8006;
- include snippets/proxy.conf;
- proxy_http_version 1.1;
- proxy_set_header Connection upgrade;
- proxy_set_header Upgrade $http_upgrade;
- }
-}
diff --git a/container-config/nginx/sites/push b/container-config/nginx/sites/push
deleted file mode 100644
index e06259d..0000000
--- a/container-config/nginx/sites/push
+++ /dev/null
@@ -1,14 +0,0 @@
-server {
- server_name push.strypsteen.com;
- listen 443 ssl;
- listen [::]:443 ssl;
- include snippets/headers.conf;
- location / {
- set $upstream home.server.home.arpa;
- proxy_pass http://$upstream:8003;
- include snippets/proxy.conf;
- proxy_http_version 1.1;
- proxy_set_header Connection upgrade;
- proxy_set_header Upgrade $http_upgrade;
- }
-}
diff --git a/container-config/nginx/sites/remote-desktop b/container-config/nginx/sites/remote-desktop
deleted file mode 100644
index db2c34a..0000000
--- a/container-config/nginx/sites/remote-desktop
+++ /dev/null
@@ -1,14 +0,0 @@
-server {
- server_name remote-desktop.strypsteen.com;
- listen 443 ssl;
- listen [::]:443 ssl;
- include snippets/headers.conf;
- include snippets/local-only.conf;
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'" always;
- location / {
- set $upstream gpu.server.home.arpa;
- proxy_pass https://$upstream:47990;
- proxy_ssl_verify off;
- include snippets/proxy.conf;
- }
-}
diff --git a/container-config/nginx/sites/vault b/container-config/nginx/sites/vault
deleted file mode 100644
index f02baf9..0000000
--- a/container-config/nginx/sites/vault
+++ /dev/null
@@ -1,14 +0,0 @@
-server {
- server_name vault.strypsteen.com;
- listen 443 ssl;
- listen [::]:443 ssl;
- include snippets/headers.conf;
- location / {
- set $upstream systemd-vaultwarden.;
- proxy_pass http://$upstream;
- include snippets/proxy.conf;
- proxy_http_version 1.1;
- proxy_set_header Connection upgrade;
- proxy_set_header Upgrade $http_upgrade;
- }
-}
diff --git a/container-config/nginx/sites/www b/container-config/nginx/sites/www
deleted file mode 100644
index 078cbea..0000000
--- a/container-config/nginx/sites/www
+++ /dev/null
@@ -1,6 +0,0 @@
-server {
- server_name www.strypsteen.me;
- listen 443 ssl;
- listen [::]:443 ssl;
- return 301 https://strypsteen.me$request_uri;
-}
diff --git a/container-config/nginx/sites/xmr b/container-config/nginx/sites/xmr
deleted file mode 100644
index cca9c0b..0000000
--- a/container-config/nginx/sites/xmr
+++ /dev/null
@@ -1,12 +0,0 @@
-server {
- server_name xmr.strypsteen.com;
- listen 443 ssl;
- listen [::]:443 ssl;
- include snippets/headers.conf;
- location / {
- set $upstream home.server.home.arpa;
- proxy_pass http://$upstream:8012;
- include snippets/proxy.conf;
- proxy_set_header Connection "";
- }
-}
diff --git a/container-config/nginx/snippets/csp.conf b/container-config/nginx/snippets/csp.conf
deleted file mode 100644
index 84a1647..0000000
--- a/container-config/nginx/snippets/csp.conf
+++ /dev/null
@@ -1 +0,0 @@
-add_header Content-Security-Policy "default-src 'self'" always;
diff --git a/container-config/nginx/snippets/headers.conf b/container-config/nginx/snippets/headers.conf
deleted file mode 100644
index 2defab9..0000000
--- a/container-config/nginx/snippets/headers.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-add_header X-Frame-Options SAMEORIGIN always;
-add_header X-Content-Type-Options nosniff always;
-add_header Referrer-Policy no-referrer always;
-add_header Strict-Transport-Security $hsts always;
diff --git a/container-config/nginx/snippets/local-only.conf b/container-config/nginx/snippets/local-only.conf
deleted file mode 100644
index dea9f2d..0000000
--- a/container-config/nginx/snippets/local-only.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-allow 192.168.0.0/16;
-deny all;
diff --git a/container-config/nginx/snippets/proxy.conf b/container-config/nginx/snippets/proxy.conf
deleted file mode 100644
index f07aa38..0000000
--- a/container-config/nginx/snippets/proxy.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-proxy_set_header X-Forwarded-For $remote_addr;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-Proto $scheme;
-proxy_set_header X-Forwarded-Host $host;
-proxy_set_header X-Forwarded-Port $server_port;
-proxy_set_header Host $host;
-proxy_hide_header X-Frame-Options;
-proxy_hide_header X-Content-Type-Options;
-proxy_hide_header Referrer-Policy;
-proxy_hide_header Strict-Transport-Security;
diff --git a/container-config/site/footer.html b/container-config/site/footer.html
deleted file mode 100644
index 4387157..0000000
--- a/container-config/site/footer.html
+++ /dev/null
@@ -1,11 +0,0 @@
- - -
diff --git a/container-config/site/header.html b/container-config/site/header.html
deleted file mode 100644
index 6f64f32..0000000
--- a/container-config/site/header.html
+++ /dev/null
@@ -1,7 +0,0 @@
- - - - - - -
diff --git a/container-config/site/index.html b/container-config/site/index.html
index 89a91f8..310da28 100644
--- a/container-config/site/index.html
+++ b/container-config/site/index.html
@@ -1,3 +1,21 @@
- Mathieu Strypsteen -

Mathieu Strypsteen

-
+ + + + + + +
+ Mathieu Strypsteen +

Mathieu Strypsteen

+
+ + +
diff --git a/gpu/etc/containers/systemd/ollama.container b/gpu/etc/containers/systemd/ollama.container
index 4373313..6a387b6 100644
--- a/gpu/etc/containers/systemd/ollama.container
+++ b/gpu/etc/containers/systemd/ollama.container
@@ -3,7 +3,7 @@ Image=docker.io/ollama/ollama
 AddDevice=nvidia.com/gpu=all
 Volume=systemd-ollama:/root/.ollama/models:U,Z
 Environment=OLLAMA_NOHISTORY=true
-PublishPort=11434:11434
+PublishPort=10.0.2.2:11434:11434
 AutoUpdate=registry
 [Install]
 WantedBy=multi-user.target
diff --git a/infra/etc/containers/systemd/nginx.container b/infra/etc/containers/systemd/caddy.container
similarity index 57%
rename from infra/etc/containers/systemd/nginx.container
rename to infra/etc/containers/systemd/caddy.container
index 0c7444f..06ec6ad 100644
--- a/infra/etc/containers/systemd/nginx.container
+++ b/infra/etc/containers/systemd/caddy.container
@@ -1,14 +1,13 @@
 [Container]
-Image=cgr.dev/chainguard/nginx
+Image=docker.io/caddy
 Network=nginx.network
-Volume=/var/lib/system-config/container-config/nginx:/etc/nginx:z,ro
+Volume=/var/lib/system-config/container-config/caddy:/etc/caddy:z,ro
 Volume=/var/lib/system-config/container-config/site:/var/www:z,ro
 Volume=/etc/certificates/certificates:/etc/certificates:z,ro
-Tmpfs=/var/lib/nginx/tmp
-Tmpfs=/var/lib/nginx/logs
+Volume=systemd-caddy:/data:U,Z
 PublishPort=80:80
 PublishPort=443:443
-Sysctl=net.ipv4.ip_unprivileged_port_start=80
+PublishPort=443:443/udp
 AutoUpdate=registry
 [Install]
 WantedBy=multi-user.target
diff --git a/infra/etc/containers/systemd/vaultwarden.container b/infra/etc/containers/systemd/vaultwarden.container
index c1cc881..286774e 100644
--- a/infra/etc/containers/systemd/vaultwarden.container
+++ b/infra/etc/containers/systemd/vaultwarden.container
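Review bot: `PublishPort=10.0.2.2:11434:11434` narrows the bind to one address but leaves no record of what 10.0.2.2 is or why exposing Ollama there is acceptable; Ollama's HTTP API has no authentication of its own, so the bind address is the only access control this unit applies. A comment above the line, `# Ollama has no auth: bind only on <interface/network this address belongs to> so only <intended clients> can reach it` (placeholders), would make the intent reviewable. I would also confirm the address is local to this host and not a forwarded path reachable from a wider range; the deleted nginx `llm` site sat behind `local-only.conf`, and since the Caddyfile hunk appears truncated I could not confirm an equivalent `import local-only` replaces it.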
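Review bot: Dropping `Sysctl=net.ipv4.ip_unprivileged_port_start=80` together with the move to `Image=docker.io/caddy` changes who binds 80/443: the chainguard nginx image runs as an unprivileged user and needed that sysctl, while the official caddy image, as far as I know, runs as root unless told otherwise, so the process terminating TLS for every site now holds uid 0 inside the container — please confirm that is intended. If not, keep the sysctl and add `User=<uid>` (placeholder) so Caddy drops root, checking that `/data` (the `U` on `Volume=systemd-caddy:/data:U,Z` already chowns it) and `/etc/certificates` stay readable by that uid. `Image=docker.io/caddy` with `AutoUpdate=registry` also tracks an unpinned latest tag, so a major-version change is pulled unattended; pinning at least the major, `Image=docker.io/caddy:2`, limits that. `Network=nginx.network` keeping the old name is cosmetic but worth a comment if the network file is not being renamed.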
@@ -4,6 +4,7 @@ Network=nginx.network
 Volume=systemd-vaultwarden:/data:U,Z
 Environment=DOMAIN=https://vault.strypsteen.com
 Environment=ICON_SERVICE=bitwarden
+Environment=IP_HEADER=X-Forwarded-For
 Environment=LOG_LEVEL=warn
 Environment=SIGNUPS_ALLOWED=false
 Environment=TRASH_AUTO_DELETE_DAYS=14
diff --git a/setup-gpu.sh b/setup-gpu.sh
index 90fbf3f..823dec8 100644
--- a/setup-gpu.sh
+++ b/setup-gpu.sh
@@ -8,4 +8,4 @@ sed "s/SUB_UID_COUNT.*/SUB_UID_COUNT 16777216/" -i /etc/login.defs
 sed "s/SUB_GID_COUNT.*/SUB_GID_COUNT 16777216/" -i /etc/login.defs
 useradd -M containers || true
 flatpak remote-add --if-not-exists flathub /usr/lib/fedora-third-party/conf.d/fedora-flathub.flatpakrepo
-flatpak install com.github.tchx84.Flatseal com.valvesoftware.Steam dev.lizardbyte.app.Sunshine net.lutris.Lutris org.chromium.Chromium org.gnome.Calculator org.gnome.FileRoller org.gnome.TextEditor org.mozilla.firefox
+flatpak install com.github.tchx84.Flatseal com.valvesoftware.Steam dev.lizardbyte.app.Sunshine net.lutris.Lutris org.chromium.Chromium org.freedesktop.Platform.VulkanLayer.MangoHud/x86_64/23.08 org.gnome.Calculator org.gnome.FileRoller org.gnome.TextEditor org.mozilla.firefox
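Review bot: `Environment=IP_HEADER=X-Forwarded-For` makes Vaultwarden take the client address from that header (it feeds login rate limiting and admin-side logging), which is only safe while the value is always written by Caddy and never passed through from the client. Caddy's reverse_proxy, as I recall, replaces client-supplied `X-Forwarded-*` headers for peers not listed in `trusted_proxies`, so the `vault.strypsteen.com` block in the Caddyfile should be fine, but the dependency is invisible here; a comment next to the line, `# trusted only because Caddy overwrites X-Forwarded-For; revisit if anything else can reach this container`, would record it. Anything else sharing `Network=nginx.network` can reach the container directly, bypassing Caddy, and that is where a spoofed header would be honored — verify nothing untrusted is on that network.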