Switch to Caddy

container-config/caddy/Caddyfile

@@ -0,0 +1,117 @@
+(base) {
+  tls /etc/certificates/fullchain.pem /etc/certificates/privkey.pem
+  header {
+    >Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+    >X-Frame-Options SAMEORIGIN
+    >X-Content-Type-Options nosniff
+    >Referrer-Policy no-referrer
+  }
+}
+(local-only) {
+  @abort not remote_ip 192.168.0.0/16
+  abort @abort
+}
+strypsteen.me {
+  import base
+  root /var/www
+  file_server
+  header Content-Security-Policy "default-src 'self'"
+  header /.well-known/matrix/client Access-Control-Allow-Origin *
+  respond /.well-known/matrix/client <<EOF
+  {"m.homeserver": {"base_url": "https://matrix.strypsteen.com"}}
+  EOF
+  respond /.well-known/matrix/server <<EOF
+  {"m.server": "matrix.strypsteen.com:443"}
+  EOF
+}
+auth.strypsteen.com {
+  import base
+  reverse_proxy http://systemd-keycloak:8080
+}
+chat.strypsteen.com {
+  import base
+  reverse_proxy http://home.server.home.arpa:8001
+}
+cloud.strypsteen.com {
+  import base
+  reverse_proxy http://home.server.home.arpa:8002
+}
+code.strypsteen.com, *.code-proxy.strypsteen.com {
+  import base
+  reverse_proxy http://sandbox.server.home.arpa:8080
+}
+matrix.strypsteen.com {
+  import base
+  reverse_proxy http://home.server.home.arpa:8005
+}
+git.strypsteen.com {
+  import base
+  reverse_proxy http://systemd-forgejo:3000
+}
+llm.strypsteen.com {
+  import base
+  reverse_proxy http://home.server.home.arpa:8004
+}
+metrics.strypsteen.com {
+  import base
+  reverse_proxy /api/v1/write http://systemd-prometheus:9090
+  reverse_proxy /loki/api/v1/push http://systemd-loki:3100
+}
+monitoring.strypsteen.com {
+  import base
+  import local-only
+  reverse_proxy http://systemd-grafana:3000
+}
+mta-sts.strypsteen.me {
+  import base
+  respond /.well-known/mta-sts.txt <<EOF
+  version: STSv1
+  mode: enforce
+  mx: vps.strypsteen.com
+  max_age: 1209600
+  EOF
+  respond 404
+}
+network.strypsteen.com {
+  import base
+  import local-only
+  reverse_proxy https://home.server.home.arpa:8009 {
+    transport http {
+      tls_insecure_skip_verify
+    }
+  }
+}
+office.strypsteen.com {
+  import base
+  reverse_proxy https://home.server.home.arpa:8010 {
+    transport http {
+      tls_insecure_skip_verify
+    }
+  }
+}
+photos.strypsteen.com {
+  import base
+  reverse_proxy http://home.server.home.arpa:8006
+}
+push.strypsteen.com {
+  import base
+  reverse_proxy http://home.server.home.arpa:8003
+}
+remote-desktop.strypsteen.com {
+  import base
+  import local-only
+  header >Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
+  reverse_proxy https://gpu.server.home.arpa:47990 {
+    transport http {
+      tls_insecure_skip_verify
+    }
+  }
+}
+vault.strypsteen.com {
+  import base
+  reverse_proxy http://systemd-vaultwarden
+}
+xmr.strypsteen.com {
+  import base
+  reverse_proxy http://home.server.home.arpa:8012
+}

container-config/nginx/mime.types

@@ -1,5 +0,0 @@
-types {
-  application/javascript js;
-  text/css css;
-  text/html html;
-}

container-config/nginx/nginx.conf

@@ -1,46 +0,0 @@
-pid /tmp/nginx.pid;
-
-http {
-  types_hash_max_size 4096;
-  ssl_certificate /etc/certificates/fullchain.pem;
-  ssl_certificate_key /etc/certificates/privkey.pem;
-  ssl_protocols TLSv1.2 TLSv1.3;
-  ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
-  ssl_prefer_server_ciphers on;
-  charset utf-8;
-  http2 on;
-  gzip on;
-  include mime.types;
-  map $scheme $hsts {
-    https "max-age=63072000; includeSubDomains; preload";
-  }
-  include snippets/headers.conf;
-  include snippets/csp.conf;
-  sendfile on;
-  tcp_nodelay on;
-  tcp_nopush on;
-  access_log off;
-  error_log /dev/null;
-  ssl_stapling on;
-  ssl_stapling_verify on;
-  client_max_body_size 0;
-  proxy_read_timeout 600;
-  proxy_send_timeout 600;
-  resolver host.containers.internal;
-  include /etc/nginx/sites/*;
-  server {
-    listen 80;
-    listen [::]:80;
-    return 301 https://$host$request_uri;
-  }
-  server {
-    listen 443 ssl default_server;
-    listen [::]:443 ssl default_server;
-    location / {
-      return 404;
-    }
-  }
-}
-events {
-  worker_connections 1024;
-}

container-config/nginx/sites/auth

@@ -1,11 +0,0 @@
-server {
-  server_name auth.strypsteen.com;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  include snippets/headers.conf;
-  location / {
-    set $upstream systemd-keycloak.;
-    proxy_pass http://$upstream:8080;
-    include snippets/proxy.conf;
-  }
-}

container-config/nginx/sites/base

@@ -1,17 +0,0 @@
-server {
-  server_name strypsteen.me;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  root /var/www;
-  location = /.well-known/matrix/client {
-    include snippets/headers.conf;
-    include snippets/csp.conf;
-    add_header Access-Control-Allow-Origin *;
-    return 200 '{"m.homeserver": {"base_url": "https://matrix.strypsteen.com"}}';
-  }
-  location = /.well-known/matrix/server {
-    return 200 '{"m.server": "matrix.strypsteen.com:443"}';
-  }
-  add_before_body /header.html;
-  add_after_body /footer.html;
-}

container-config/nginx/sites/chat

@@ -1,11 +0,0 @@
-server {
-  server_name chat.strypsteen.com;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  include snippets/headers.conf;
-  location / {
-    set $upstream home.server.home.arpa;
-    proxy_pass http://$upstream:8001;
-    include snippets/proxy.conf;
-  }
-}

container-config/nginx/sites/cloud

@@ -1,11 +0,0 @@
-server {
-  server_name cloud.strypsteen.com;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  include snippets/headers.conf;
-  location / {
-    set $upstream home.server.home.arpa;
-    proxy_pass http://$upstream:8002;
-    include snippets/proxy.conf;
-  }
-}

container-config/nginx/sites/code

@@ -1,15 +0,0 @@
-server {
-  server_name code.strypsteen.com;
-  server_name *.code-proxy.strypsteen.com;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  include snippets/headers.conf;
-  location / {
-    set $upstream sandbox.server.home.arpa;
-    proxy_pass http://$upstream:8080;
-    include snippets/proxy.conf;
-    proxy_http_version 1.1;
-    proxy_set_header Connection upgrade;
-    proxy_set_header Upgrade $http_upgrade;
-  }
-}

container-config/nginx/sites/git

@@ -1,13 +0,0 @@
-server {
-  server_name git.strypsteen.com;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  include snippets/headers.conf;
-  add_header Content-Security-Policy "default-src 'self'; font-src 'self' data:; img-src 'self' data:; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'";
-  location / {
-    set $upstream systemd-forgejo.;
-    proxy_pass http://$upstream:3000;
-    include snippets/proxy.conf;
-    proxy_hide_header Content-Security-Policy;
-  }
-}

container-config/nginx/sites/llm

@@ -1,12 +0,0 @@
-server {
-  server_name llm.strypsteen.com;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  include snippets/headers.conf;
-  include snippets/local-only.conf;
-  location / {
-    set $upstream home.server.home.arpa;
-    proxy_pass http://$upstream:8004;
-    include snippets/proxy.conf;
-  }
-}

container-config/nginx/sites/matrix

@@ -1,11 +0,0 @@
-server {
-  server_name matrix.strypsteen.com;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  include snippets/headers.conf;
-  location / {
-    set $upstream home.server.home.arpa;
-    proxy_pass http://$upstream:8005;
-    include snippets/proxy.conf;
-  }
-}

container-config/nginx/sites/metrics

@@ -1,16 +0,0 @@
-server {
-  server_name metrics.strypsteen.com;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  include snippets/headers.conf;
-  location = /api/v1/write {
-    set $upstream systemd-prometheus.;
-    proxy_pass http://$upstream:9090;
-    include snippets/proxy.conf;
-  }
-  location = /loki/api/v1/push {
-    set $upstream systemd-loki.;
-    proxy_pass http://$upstream:3100;
-    include snippets/proxy.conf;
-  }
-}

container-config/nginx/sites/monitoring

@@ -1,15 +0,0 @@
-server {
-  server_name monitoring.strypsteen.com;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  include snippets/headers.conf;
-  include snippets/local-only.conf;
-  location / {
-    set $upstream systemd-grafana.;
-    proxy_pass http://$upstream:3000;
-    include snippets/proxy.conf;
-    proxy_http_version 1.1;
-    proxy_set_header Connection upgrade;
-    proxy_set_header Upgrade $http_upgrade;
-  }
-}

container-config/nginx/sites/mta-sts

@@ -1,11 +0,0 @@
-server {
-  server_name mta-sts.strypsteen.me;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  location = /.well-known/mta-sts.txt {
-    return 200 "version: STSv1\nmode: enforce\nmx: vps.strypsteen.com\nmax_age: 1209600";
-  }
-  location / {
-    return 404;
-  }
-}

container-config/nginx/sites/network

@@ -1,17 +0,0 @@
-server {
-  server_name network.strypsteen.com;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  include snippets/headers.conf;
-  include snippets/local-only.conf;
-  add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'" always;
-  location / {
-    set $upstream home.server.home.arpa;
-    proxy_pass https://$upstream:8009;
-    proxy_ssl_verify off;
-    include snippets/proxy.conf;
-    proxy_http_version 1.1;
-    proxy_set_header Connection upgrade;
-    proxy_set_header Upgrade $http_upgrade;
-  }
-}

container-config/nginx/sites/office

@@ -1,15 +0,0 @@
-server {
-  server_name office.strypsteen.com;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  include snippets/headers.conf;
-  location / {
-    set $upstream home.server.home.arpa;
-    proxy_pass https://$upstream:8010;
-    proxy_ssl_verify off;
-    include snippets/proxy.conf;
-    proxy_http_version 1.1;
-    proxy_set_header Connection upgrade;
-    proxy_set_header Upgrade $http_upgrade;
-  }
-}

container-config/nginx/sites/photos

@@ -1,14 +0,0 @@
-server {
-  server_name photos.strypsteen.com;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  include snippets/headers.conf;
-  location / {
-    set $upstream home.server.home.arpa;
-    proxy_pass http://$upstream:8006;
-    include snippets/proxy.conf;
-    proxy_http_version 1.1;
-    proxy_set_header Connection upgrade;
-    proxy_set_header Upgrade $http_upgrade;
-  }
-}

container-config/nginx/sites/push

@@ -1,14 +0,0 @@
-server {
-  server_name push.strypsteen.com;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  include snippets/headers.conf;
-  location / {
-    set $upstream home.server.home.arpa;
-    proxy_pass http://$upstream:8003;
-    include snippets/proxy.conf;
-    proxy_http_version 1.1;
-    proxy_set_header Connection upgrade;
-    proxy_set_header Upgrade $http_upgrade;
-  }
-}

container-config/nginx/sites/remote-desktop

@@ -1,14 +0,0 @@
-server {
-  server_name remote-desktop.strypsteen.com;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  include snippets/headers.conf;
-  include snippets/local-only.conf;
-  add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'" always;
-  location / {
-    set $upstream gpu.server.home.arpa;
-    proxy_pass https://$upstream:47990;
-    proxy_ssl_verify off;
-    include snippets/proxy.conf;
-  }
-}

container-config/nginx/sites/vault

@@ -1,14 +0,0 @@
-server {
-  server_name vault.strypsteen.com;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  include snippets/headers.conf;
-  location / {
-    set $upstream systemd-vaultwarden.;
-    proxy_pass http://$upstream;
-    include snippets/proxy.conf;
-    proxy_http_version 1.1;
-    proxy_set_header Connection upgrade;
-    proxy_set_header Upgrade $http_upgrade;
-  }
-}

container-config/nginx/sites/www

@@ -1,6 +0,0 @@
-server {
-  server_name www.strypsteen.me;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  return 301 https://strypsteen.me$request_uri;
-}

container-config/nginx/sites/xmr

@@ -1,12 +0,0 @@
-server {
-  server_name xmr.strypsteen.com;
-  listen 443 ssl;
-  listen [::]:443 ssl;
-  include snippets/headers.conf;
-  location / {
-    set $upstream home.server.home.arpa;
-    proxy_pass http://$upstream:8012;
-    include snippets/proxy.conf;
-    proxy_set_header Connection "";
-  }
-}

container-config/nginx/snippets/csp.conf

@@ -1 +0,0 @@
-add_header Content-Security-Policy "default-src 'self'" always;

container-config/nginx/snippets/headers.conf

@@ -1,4 +0,0 @@
-add_header X-Frame-Options SAMEORIGIN always;
-add_header X-Content-Type-Options nosniff always;
-add_header Referrer-Policy no-referrer always;
-add_header Strict-Transport-Security $hsts always;

container-config/nginx/snippets/local-only.conf

@@ -1,2 +0,0 @@
-allow 192.168.0.0/16;
-deny all;

container-config/nginx/snippets/proxy.conf

@@ -1,10 +0,0 @@
-proxy_set_header X-Forwarded-For $remote_addr;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-Proto $scheme;
-proxy_set_header X-Forwarded-Host $host;
-proxy_set_header X-Forwarded-Port $server_port;
-proxy_set_header Host $host;
-proxy_hide_header X-Frame-Options;
-proxy_hide_header X-Content-Type-Options;
-proxy_hide_header Referrer-Policy;
-proxy_hide_header Strict-Transport-Security;

container-config/site/footer.html

@@ -1,11 +0,0 @@
-<footer>
-  <p>
-    <a href="mailto:mathieu@strypsteen.me">Mail</a>
-    -
-    <a href="https://matrix.to/#/@mathieu:strypsteen.me">Matrix</a>
-    -
-    <a href="https://git.strypsteen.com/mathieu">Git</a>
-  </p>
-</footer>
-</body>
-</html>

container-config/site/header.html

@@ -1,7 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <link rel="stylesheet" href="site.css"/>
-</head>
-<body>
-<header>

container-config/site/index.html

@@ -1,3 +1,21 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <link rel="stylesheet" href="site.css"/>
+</head>
+<body>
+  <header>
     <title>Mathieu Strypsteen</title>
     <h1>Mathieu Strypsteen</h1>
-</header>
+  </header>
+  <footer>
+    <p>
+      <a href="mailto:mathieu@strypsteen.me">Mail</a>
+      -
+      <a href="https://matrix.to/#/@mathieu:strypsteen.me">Matrix</a>
+      -
+      <a href="https://git.strypsteen.com/mathieu">Git</a>
+    </p>
+  </footer>
+</body>
+</html>

gpu/etc/containers/systemd/ollama.container

@@ -3,7 +3,7 @@ Image=docker.io/ollama/ollama
 AddDevice=nvidia.com/gpu=all
 Volume=systemd-ollama:/root/.ollama/models:U,Z
 Environment=OLLAMA_NOHISTORY=true
-PublishPort=11434:11434
+PublishPort=10.0.2.2:11434:11434
 AutoUpdate=registry
 [Install]
 WantedBy=multi-user.target

infra/etc/containers/systemd/caddy.container

@@ -1,14 +1,13 @@
 [Container]
-Image=cgr.dev/chainguard/nginx
+Image=docker.io/caddy
 Network=nginx.network
-Volume=/var/lib/system-config/container-config/nginx:/etc/nginx:z,ro
+Volume=/var/lib/system-config/container-config/caddy:/etc/caddy:z,ro
 Volume=/var/lib/system-config/container-config/site:/var/www:z,ro
 Volume=/etc/certificates/certificates:/etc/certificates:z,ro
-Tmpfs=/var/lib/nginx/tmp
-Tmpfs=/var/lib/nginx/logs
+Volume=systemd-caddy:/data:U,Z
 PublishPort=80:80
 PublishPort=443:443
-Sysctl=net.ipv4.ip_unprivileged_port_start=80
+PublishPort=443:443/udp
 AutoUpdate=registry
 [Install]
 WantedBy=multi-user.target

infra/etc/containers/systemd/vaultwarden.container

@@ -4,6 +4,7 @@ Network=nginx.network
 Volume=systemd-vaultwarden:/data:U,Z
 Environment=DOMAIN=https://vault.strypsteen.com
 Environment=ICON_SERVICE=bitwarden
+Environment=IP_HEADER=X-Forwarded-For
 Environment=LOG_LEVEL=warn
 Environment=SIGNUPS_ALLOWED=false
 Environment=TRASH_AUTO_DELETE_DAYS=14

setup-gpu.sh

@@ -8,4 +8,4 @@ sed "s/SUB_UID_COUNT.*/SUB_UID_COUNT 16777216/" -i /etc/login.defs
 sed "s/SUB_GID_COUNT.*/SUB_GID_COUNT 16777216/" -i /etc/login.defs
 useradd -M containers || true
 flatpak remote-add --if-not-exists flathub /usr/lib/fedora-third-party/conf.d/fedora-flathub.flatpakrepo
-flatpak install com.github.tchx84.Flatseal com.valvesoftware.Steam dev.lizardbyte.app.Sunshine net.lutris.Lutris org.chromium.Chromium org.gnome.Calculator org.gnome.FileRoller org.gnome.TextEditor org.mozilla.firefox
+flatpak install com.github.tchx84.Flatseal com.valvesoftware.Steam dev.lizardbyte.app.Sunshine net.lutris.Lutris org.chromium.Chromium org.freedesktop.Platform.VulkanLayer.MangoHud/x86_64/23.08 org.gnome.Calculator org.gnome.FileRoller org.gnome.TextEditor org.mozilla.firefox