ansible/privfrontends/templates/core/apps.Caddyfile

# ---Apps Caddyfile---

# Akkoma
social.projectsegfau.lt {
	import def
	encode gzip

	# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
	# and `localhost.` resolves to [::0] on some systems: see issue #930
	reverse_proxy 192.168.5.2:4011

	handle /media/* {
		redir https://media.social.projectsegfau.lt{uri} permanent
	}
	handle /proxy/* {
		redir https://media.social.projectsegfau.lt{uri} permanent
	}
}

# Security mitigation
# See https://webb.spiderden.org/2023/05/26/pleroma-mitigation/
# And https://poa.st/notice/AWDToOiKAl4BPhdEB6
# And https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO
media.social.projectsegfau.lt {
	handle /media/* {
		reverse_proxy 192.168.5.2:4011 {
			transport http {
				response_header_timeout 10s
				read_timeout 15s
			}
		}
	}

	handle /proxy/* {
		reverse_proxy 192.168.5.2:4011 {
			transport http {
				response_header_timeout 10s
				read_timeout 15s
			}
		}
	}
}

# Cinny
cinny.projectsegfau.lt cy.psf.lt {
	reverse_proxy 192.168.5.2:3069
	import def
}

# Website 
projectsegfau.lt {
	reverse_proxy 192.168.5.2:1337
	import def
	reverse_proxy /_matrix/* 192.168.5.2:8449 {
		header_up Host "matrix.projectsegfau.lt"
	}
	reverse_proxy /_matrix/client/* 192.168.5.2:81 {
		header_up Host "matrix.projectsegfau.lt"
	}
	reverse_proxy /_synapse/* 192.168.5.2:81 {
		header_up Host "matrix.projectsegfau.lt"
	}
	reverse_proxy /.well-known/acme-challenge/* 192.168.5.5:5380
	reverse_proxy /converse 192.168.5.5:5280
	reverse_proxy /converseemojis.js 192.168.5.5:5280
	reverse_proxy /converse/* 192.168.5.5:5280
	reverse_proxy /bosh 192.168.5.5:5280
	reverse_proxy /ws 192.168.5.5:5280
	header /.well-known/matrix/* Content-Type application/json
	header /.well-known/matrix/* Access-Control-Allow-Origin *
	handle_path /.well-known/* {
		root * /var/www/well-known
		file_server
	}
	header /.well-known/host-meta Content-Type application/xrd+xml
	header /.well-known/host-meta.json Content-Type application/json
	header /.well-known/host-meta.json Access-Control-Allow-Origin *
	header /.well-known/host-meta Access-Control-Allow-Origin *
	import torloc www
}
psf.lt {
	reverse_proxy 192.168.5.2:1337
	import def
	import torloc www
	header /.well-known/matrix/* Content-Type application/json
	header /.well-known/matrix/* Access-Control-Allow-Origin *
	handle_path /.well-known/* {
		root * /var/www/psf-well-known
		file_server
	}
}
ssync.projectsegfau.lt {
	reverse_proxy 192.168.5.2:3333
	import def
}

www.projectsegfau.lt www.psf.lt {
	redir https://projectsegfau.lt{uri}
	import torloc www
}

matrix.projectsegfau.lt {
	reverse_proxy /_matrix/* 192.168.5.2:8449 {
		header_up Host "matrix.projectsegfau.lt"
	}
	reverse_proxy /_matrix/client/* 192.168.5.2:81 {
		header_up Host "matrix.projectsegfau.lt"
	}
	reverse_proxy /_synapse/* 192.168.5.2:81 {
		header_up Host "matrix.projectsegfau.lt"
	}
	import def
	#reverse_proxy /_synapse/client/* 192.168.5.2:81 {
	#        header_up Host "matrix.projectsegfau.lt"
	#}
	handle_path / {
		redir https://wiki.projectsegfau.lt/Matrix
	}
}

# Directus
cms.projectsegfau.lt {
	reverse_proxy 192.168.5.2:9456
	import def
}

# Element
chat.projectsegfau.lt el.psf.lt {
	reverse_proxy 192.168.5.2:3070
	import def
}

# Gitea
git.projectsegfau.lt {
	reverse_proxy 192.168.5.5:3444
	respond /metrics 403
	import def
	request_body {
		max_size 500MB
	}
	header {
		Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
	}
	import torloc git
}
git.psf.lt {
	reverse_proxy 192.168.5.5:3444 {
		header_up Host "git.projectsegfau.lt"
	}
	respond /metrics 403
	import def
	request_body {
		max_size 500MB
	}
	header {
		Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
	}
	import torloc git
}
# HedgeDoc
doc.projectsegfau.lt {
	reverse_proxy 192.168.5.2:2069 {
		header_up X-Real-IP {remote_host}
	}
	import def
}

# Hydrogen
h2.projectsegfau.lt, hydrogen.projectsegfau.lt, h2.psf.lt {
	reverse_proxy 192.168.5.2:3071
	import def
}

# Jitsi
jitsi.projectsegfau.lt {
	reverse_proxy 192.168.5.5:8000 {
		header_up X-Real-IP {remote_host}
	}
}
# Excalidraw backend for jitsi
excalidraw.projectsegfau.lt {
	reverse_proxy 192.168.5.5:8694
}

# Maubot
mau.projectsegfau.lt {
	reverse_proxy 192.168.5.2:29316
	import def
}

# MediaWiki
wiki.projectsegfau.lt w.psf.lt {
	reverse_proxy 192.168.5.3:8000 {
		header_up X-Real-IP {remote_host}
	}
	import def
	encode gzip
	import torloc wiki
}

# Vikunja
todo.projectsegfau.lt vi.psf.lt {
	reverse_proxy 192.168.5.2:3456
	import def
	import torloc todo
}

# Vaultwarden
pass.projectsegfau.lt vw.psf.lt {
	reverse_proxy 192.168.5.2:6980 {
		header_up X-Real-IP {remote_host}
	}
	import def
	reverse_proxy /notifications/hub 192.168.5.2:3012 {
		header_up X-Real-IP {remote_host}
	}
	import torloc pass
}

# XMPP
xmpp.projectsegfau.lt, conference.projectsegfau.lt, proxy.projectsegfau.lt, pubsub.projectsegfau.lt, upload.projectsegfau.lt {
	reverse_proxy 192.168.5.5:5280 {
		header_up X-Real-IP {remote_host}
	}
	reverse_proxy /.well-known/acme-challenge/* 192.168.5.5:5380
	@register {
		path /new/
		path /change_password/
		path /delete/
		path /new
		path /change_password
		path /delete
	}
	redir @register /register{uri}
	import def
	header /.well-known/host-meta Content-Type application/xrd+xml
	header /.well-known/host-meta.json Content-Type application/json
	header /.well-known/host-meta.json Access-Control-Allow-Origin *
	header /.well-known/host-meta Access-Control-Allow-Origin *
	handle_path /.well-known/* {
		root * /var/www/well-known
		file_server
	}
	handle_path / {
		redir https://wiki.projectsegfau.lt/XMPP
	}
}
xmpp-web.projectsegfau.lt, x.psf.lt {
	import def
	reverse_proxy 192.168.5.2:3072
}
healthchecks.projectsegfau.lt, hc.psf.lt {
	import def
	reverse_proxy 192.168.5.2:8450
	impor torloc healthchecks
}
# Pubthentik
auth.p.projectsegfau.lt {
	reverse_proxy 192.168.5.2:7444 {
		transport http {
			tls_insecure_skip_verify
		}
		header_up X-Real-IP {remote_host}
	}
	import def
}
# kbin
kbin.projectsegfau.lt, kb.psf.lt {
        reverse_proxy 192.168.5.2:80 {
                header_up X-Real-IP {remote_host}
        }
        import def
}
libretranslate.projectsegfau.lt lt.psf.lt libretranslate.in.projectsegfau.lt {
	reverse_proxy 192.168.5.2:5005
}
gothub.dev.projectsegfau.lt gh.dev.psf.lt {
	reverse_proxy 192.168.5.2:1025
	import def
	import torloc gothub.dev
}
ak.psf.lt {
	redir https://social.projectsegfau.lt{uri}
}
j.psf.lt {
	redir https://jitsi.projectsegfau.lt{uri}
}
d.psf.lt {
	redir https://doc.projectsegfau.lt{uri}
}
prelimenary stuff for pizza -> sol privacy frontends 2023-07-17 22:36:06 +05:30			`# ---Apps Caddyfile---`

			`# Akkoma`
			`social.projectsegfau.lt {`
			`import def`
			`encode gzip`

			`# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only`
			# and `localhost.` resolves to [::0] on some systems: see issue #930
			`reverse_proxy 192.168.5.2:4011`

			`handle /media/* {`
			`redir https://media.social.projectsegfau.lt{uri} permanent`
			`}`
			`handle /proxy/* {`
			`redir https://media.social.projectsegfau.lt{uri} permanent`
			`}`
			`}`

			`# Security mitigation`
			`# See https://webb.spiderden.org/2023/05/26/pleroma-mitigation/`
			`# And https://poa.st/notice/AWDToOiKAl4BPhdEB6`
			`# And https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO`
			`media.social.projectsegfau.lt {`
caddyfmt on server-specific confs 2023-07-20 14:24:04 +05:30			`handle /media/* {`
			`reverse_proxy 192.168.5.2:4011 {`
			`transport http {`
			`response_header_timeout 10s`
			`read_timeout 15s`
			`}`
			`}`
			`}`
prelimenary stuff for pizza -> sol privacy frontends 2023-07-17 22:36:06 +05:30
caddyfmt on server-specific confs 2023-07-20 14:24:04 +05:30			`handle /proxy/* {`
			`reverse_proxy 192.168.5.2:4011 {`
			`transport http {`
			`response_header_timeout 10s`
			`read_timeout 15s`
			`}`
			`}`
			`}`
prelimenary stuff for pizza -> sol privacy frontends 2023-07-17 22:36:06 +05:30			`}`

			`# Cinny`
			`cinny.projectsegfau.lt cy.psf.lt {`
			`reverse_proxy 192.168.5.2:3069`
			`import def`
			`}`

			`# Website`
			`projectsegfau.lt {`
			`reverse_proxy 192.168.5.2:1337`
			`import def`
			`reverse_proxy /_matrix/* 192.168.5.2:8449 {`
			`header_up Host "matrix.projectsegfau.lt"`
			`}`
			`reverse_proxy /_matrix/client/* 192.168.5.2:81 {`
			`header_up Host "matrix.projectsegfau.lt"`
			`}`
			`reverse_proxy /_synapse/* 192.168.5.2:81 {`
			`header_up Host "matrix.projectsegfau.lt"`
			`}`
			`reverse_proxy /.well-known/acme-challenge/* 192.168.5.5:5380`
			`reverse_proxy /converse 192.168.5.5:5280`
			`reverse_proxy /converseemojis.js 192.168.5.5:5280`
			`reverse_proxy /converse/* 192.168.5.5:5280`
			`reverse_proxy /bosh 192.168.5.5:5280`
			`reverse_proxy /ws 192.168.5.5:5280`
			`header /.well-known/matrix/* Content-Type application/json`
			`header /.well-known/matrix/* Access-Control-Allow-Origin *`
			`handle_path /.well-known/* {`
			`root * /var/www/well-known`
			`file_server`
			`}`
			`header /.well-known/host-meta Content-Type application/xrd+xml`
			`header /.well-known/host-meta.json Content-Type application/json`
			`header /.well-known/host-meta.json Access-Control-Allow-Origin *`
			`header /.well-known/host-meta Access-Control-Allow-Origin *`
			`import torloc www`
			`}`
			`psf.lt {`
			`reverse_proxy 192.168.5.2:1337`
			`import def`
			`import torloc www`
			`header /.well-known/matrix/* Content-Type application/json`
			`header /.well-known/matrix/* Access-Control-Allow-Origin *`
			`handle_path /.well-known/* {`
			`root * /var/www/psf-well-known`
			`file_server`
			`}`
			`}`
			`ssync.projectsegfau.lt {`
			`reverse_proxy 192.168.5.2:3333`
Soleil Caddyfile: dont log for matrix 2023-07-19 20:13:18 +05:30			`import def`
prelimenary stuff for pizza -> sol privacy frontends 2023-07-17 22:36:06 +05:30			`}`

			`www.projectsegfau.lt www.psf.lt {`
			`redir https://projectsegfau.lt{uri}`
			`import torloc www`
			`}`

			`matrix.projectsegfau.lt {`
			`reverse_proxy /_matrix/* 192.168.5.2:8449 {`
			`header_up Host "matrix.projectsegfau.lt"`
			`}`
			`reverse_proxy /_matrix/client/* 192.168.5.2:81 {`
			`header_up Host "matrix.projectsegfau.lt"`
			`}`
			`reverse_proxy /_synapse/* 192.168.5.2:81 {`
			`header_up Host "matrix.projectsegfau.lt"`
			`}`
Soleil Caddyfile: dont log for matrix 2023-07-19 20:13:18 +05:30			`import def`
prelimenary stuff for pizza -> sol privacy frontends 2023-07-17 22:36:06 +05:30			`#reverse_proxy /_synapse/client/* 192.168.5.2:81 {`
			`# header_up Host "matrix.projectsegfau.lt"`
			`#}`
			`handle_path / {`
			`redir https://wiki.projectsegfau.lt/Matrix`
			`}`
			`}`

			`# Directus`
			`cms.projectsegfau.lt {`
			`reverse_proxy 192.168.5.2:9456`
			`import def`
			`}`

			`# Element`
			`chat.projectsegfau.lt el.psf.lt {`
			`reverse_proxy 192.168.5.2:3070`
			`import def`
			`}`

			`# Gitea`
			`git.projectsegfau.lt {`
			`reverse_proxy 192.168.5.5:3444`
			`respond /metrics 403`
			`import def`
			`request_body {`
			`max_size 500MB`
			`}`
			`header {`
			`Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"`
			`}`
			`import torloc git`
			`}`
			`git.psf.lt {`
			`reverse_proxy 192.168.5.5:3444 {`
			`header_up Host "git.projectsegfau.lt"`
			`}`
			`respond /metrics 403`
			`import def`
			`request_body {`
			`max_size 500MB`
			`}`
			`header {`
			`Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"`
			`}`
			`import torloc git`
			`}`
			`# HedgeDoc`
			`doc.projectsegfau.lt {`
			`reverse_proxy 192.168.5.2:2069 {`
			`header_up X-Real-IP {remote_host}`
			`}`
			`import def`
			`}`

			`# Hydrogen`
			`h2.projectsegfau.lt, hydrogen.projectsegfau.lt, h2.psf.lt {`
			`reverse_proxy 192.168.5.2:3071`
			`import def`
			`}`

			`# Jitsi`
			`jitsi.projectsegfau.lt {`
			`reverse_proxy 192.168.5.5:8000 {`
			`header_up X-Real-IP {remote_host}`
			`}`
			`}`
			`# Excalidraw backend for jitsi`
			`excalidraw.projectsegfau.lt {`
			`reverse_proxy 192.168.5.5:8694`
			`}`

			`# Maubot`
			`mau.projectsegfau.lt {`
			`reverse_proxy 192.168.5.2:29316`
			`import def`
			`}`

			`# MediaWiki`
			`wiki.projectsegfau.lt w.psf.lt {`
			`reverse_proxy 192.168.5.3:8000 {`
			`header_up X-Real-IP {remote_host}`
			`}`
			`import def`
			`encode gzip`
			`import torloc wiki`
			`}`

			`# Vikunja`
			`todo.projectsegfau.lt vi.psf.lt {`
			`reverse_proxy 192.168.5.2:3456`
			`import def`
			`import torloc todo`
			`}`

			`# Vaultwarden`
			`pass.projectsegfau.lt vw.psf.lt {`
			`reverse_proxy 192.168.5.2:6980 {`
			`header_up X-Real-IP {remote_host}`
			`}`
			`import def`
			`reverse_proxy /notifications/hub 192.168.5.2:3012 {`
			`header_up X-Real-IP {remote_host}`
			`}`
			`import torloc pass`
			`}`

			`# XMPP`
			`xmpp.projectsegfau.lt, conference.projectsegfau.lt, proxy.projectsegfau.lt, pubsub.projectsegfau.lt, upload.projectsegfau.lt {`
			`reverse_proxy 192.168.5.5:5280 {`
			`header_up X-Real-IP {remote_host}`
			`}`
			`reverse_proxy /.well-known/acme-challenge/* 192.168.5.5:5380`
			`@register {`
			`path /new/`
			`path /change_password/`
			`path /delete/`
			`path /new`
			`path /change_password`
			`path /delete`
			`}`
			`redir @register /register{uri}`
			`import def`
			`header /.well-known/host-meta Content-Type application/xrd+xml`
			`header /.well-known/host-meta.json Content-Type application/json`
			`header /.well-known/host-meta.json Access-Control-Allow-Origin *`
			`header /.well-known/host-meta Access-Control-Allow-Origin *`
			`handle_path /.well-known/* {`
			`root * /var/www/well-known`
			`file_server`
			`}`
			`handle_path / {`
			`redir https://wiki.projectsegfau.lt/XMPP`
			`}`
			`}`
			`xmpp-web.projectsegfau.lt, x.psf.lt {`
			`import def`
			`reverse_proxy 192.168.5.2:3072`
			`}`
			`healthchecks.projectsegfau.lt, hc.psf.lt {`
			`import def`
			`reverse_proxy 192.168.5.2:8450`
Update all the tor stuff 2023-08-09 16:26:58 +05:30			`impor torloc healthchecks`
prelimenary stuff for pizza -> sol privacy frontends 2023-07-17 22:36:06 +05:30			`}`
			`# Pubthentik`
			`auth.p.projectsegfau.lt {`
			`reverse_proxy 192.168.5.2:7444 {`
			`transport http {`
			`tls_insecure_skip_verify`
			`}`
			`header_up X-Real-IP {remote_host}`
			`}`
			`import def`
			`}`
			`# kbin`
			`kbin.projectsegfau.lt, kb.psf.lt {`
update kbin caddy 2023-07-29 15:09:14 +05:30			`reverse_proxy 192.168.5.2:80 {`
			`header_up X-Real-IP {remote_host}`
			`}`
			`import def`
prelimenary stuff for pizza -> sol privacy frontends 2023-07-17 22:36:06 +05:30			`}`
move libretranslate to soleil 2023-08-06 11:54:26 +05:30			`libretranslate.projectsegfau.lt lt.psf.lt libretranslate.in.projectsegfau.lt {`
			`reverse_proxy 192.168.5.2:5005`
			`}`
prelimenary stuff for pizza -> sol privacy frontends 2023-07-17 22:36:06 +05:30			`gothub.dev.projectsegfau.lt gh.dev.psf.lt {`
caddyfmt on server-specific confs 2023-07-20 14:24:04 +05:30			`reverse_proxy 192.168.5.2:1025`
			`import def`
Update all the tor stuff 2023-08-09 16:26:58 +05:30			`import torloc gothub.dev`
prelimenary stuff for pizza -> sol privacy frontends 2023-07-17 22:36:06 +05:30			`}`
			`ak.psf.lt {`
			`redir https://social.projectsegfau.lt{uri}`
			`}`
			`j.psf.lt {`
			`redir https://jitsi.projectsegfau.lt{uri}`
			`}`
			`d.psf.lt {`
			`redir https://doc.projectsegfau.lt{uri}`
			`}`