This commit is contained in:
Arya 2023-05-13 09:14:40 +08:00
commit 10f95ff535
Signed by: arya
GPG Key ID: 842D12BDA50DF120
34 changed files with 1385 additions and 0 deletions

1
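--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/roles/galaxy/*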

41
README.md Normal file

@ -0,0 +1,41 @@
# Testing ansible
```
ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force
ansible-playbook playbook.yaml # Initialize
ansible-playbook -i inventory.yml -e @secrets.enc --ask-vault-pass playbooks/caddy.yaml # Caddy
ansible-playbook -i inventory.yml -e @secrets.enc --ask-vault-pass playbooks/docker.yaml # Docker Compose
```
To add secrets: `ansible-vault edit secrets.enc`
## Per-playbook info
### /playbook.yaml
Configures basic stuff, meant for every server.
### /playbooks/docker.yaml
Configures privacy frontends, meant for US, IN and Pizza1.
### /playbooks/caddy.yaml
Configures Caddy, meant for US, IN and Pizza1.
## Adding new services
Adding new services is a bit janky, for I had to set it up with normal commands instead of the preferred community.docker collection (it doesn't support v2 which we use on most of our compose files)
Firstly, add the thing to `docker_services` array/var in `/playbooks/docker.yaml`. This list **MUST** be maintaind in alphabetical order for ease of maintanence.
Then, create the `/compose/SERVICE_NAME` directory and add the compose file to the same. You can use the `{{inventory_hostname}}` variables where required.
If the service needs a secret key, add it to the ansible-vault secrets.enc with `ansible-vault edit secrets.enc`. If you are a Project Segfault sysadmin you already have the password for it :P
Past this, Caddy needs to be configured.
The common GeoDNS configuration can be done following this format
```
SERVICE_NAME.{{inventory_hostname}}.projectsegfau.lt SERVICE_NAME.projectsegfau.lt {
reverse_proxy :PORT
import def
import torloc SERVICE_NAME # Setup tor first following the wiki
}
```
Tor/I2P can be setup following the instructions in https://wiki.projectsegfau.lt/Internal:Setting_up_a_GeoDNS_service, with the only change that tor/i2p are now merged and they are in `/templates/01-extras.caddy`.
Past this, you can run the deployment as outlined in the beginning.
Please inform me (Arya) if any part of this documentation isn't clear, I suck at writing documentation.

2
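--- a/all/files/arya.pub
+++ b/all/files/arya.pub
@@ -0,0 +1,2 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICeUQKFE6j+legQS2aam8VlwaGJ1r5BfJevbMUxpAi6N aryakiran@zohomail.eu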

2
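--- a/all/files/devrand.pub
+++ b/all/files/devrand.pub
@@ -0,0 +1,2 @@
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIE4EqdlXF8o8Fdf0v/I8sowP7Rw3tZiY5i/CP131AX5dAAAAC3NzaDp0ZXJtaXVz Generated By Termius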

1
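--- a/all/files/midou.pub
+++ b/all/files/midou.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZRpxFYvYt3tfllosegLv3c/IV7+AhMUSfNQio/3kVY ServerAccess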

109
all/playbook.yaml Normal file

@ -0,0 +1,109 @@
---
- name: Install shit
hosts: all
tasks:
- name: Std Repo stuff
apt:
update_cache: true
name:
- vim
- curl
- wget
- sudo
- net-tools
- nmap
- python3-pip
- python3-passlib
- vnstat
- name: Enable VNStat service
service:
name: vnstat
enabled: yes
state: started
- name: Add users
hosts: all
vars:
users:
- arya
- devrand
- midou
vars_prompt:
- name: password
prompt: What is password to be used for all accs? (initial if no password is already set)
encrypt: sha512_crypt
confirm: true
salt_size: 6
tasks:
- name: bashrc skel
template:
src: templates/bashrc.j2
dest: /etc/skel/.bashrc
- name: profile skel
template:
src: templates/profile.j2
dest: /etc/skel/.profile
- name: bash_aliases skel
template:
src: templates/bash_aliases.j2
dest: /etc/skel/.bash_aliases
- name: prompt skel
template:
src: templates/prompt.j2
dest: /etc/skel/.prompt
- name: bashrc root
template:
src: templates/bashrc.j2
dest: /root/.bashrc
- name: profile root
template:
src: templates/profile.j2
dest: /root/.profile
- name: bash_aliases root
template:
src: templates/bash_aliases.j2
dest: /root/.bash_aliases
- name: prompt root
template:
src: templates/prompt.j2
dest: /root/.prompt
- name: Add user
user:
name: "{{ item }}"
group: users
groups: users,sudo
password: "{{ password }}"
shell: /bin/bash
update_password: on_create # Add the same initial password for all users (can be overwritten by user)
with_items:
- "{{ users }}"
- name: "Add authorized keys"
authorized_key:
user: "{{ item }}"
key: "{{ lookup('file', 'files/'+ item + '.pub') }}"
with_items:
- "{{ users }}"
- name: "Allow admin users to sudo without a password"
lineinfile:
dest: "/etc/sudoers" # path: in version 2.3
state: "present"
regexp: "^%sudo"
line: "%sudo ALL=(ALL) NOPASSWD: ALL"
- name: Configure SSHD
hosts: all
tasks:
- name: sshd configuration file update
template:
src: templates/sshd_config.j2
dest: /etc/ssh/sshd_config
backup: yes
owner: 0
group: 0
mode: 0644
validate: '/usr/sbin/sshd -T -f %s'
notify:
- restart sshd
handlers:
- name: restart sshd
service: name=sshd state=restarted
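Review bot: The `lineinfile` edit of `/etc/sudoers` in the "Allow admin users to sudo without a password" task has no `validate`, so a malformed line locks every sudo user out of root on that host; `validate: '/usr/sbin/visudo -cf %s'` rejects the write the same way the sshd task already does with `sshd -T`. Dropping the rule into `/etc/sudoers.d/` with a `copy` task, `mode: "0440"` and that same validate would avoid editing the main file at all. `mode: 0644` on the sshd template task is an unquoted octal — Ansible's YAML 1.1 loader happens to read it as 420 (= 0o644), but `mode: "0644"` is the form that survives a YAML 1.2 parser and silences the warning. `enabled: yes` and `backup: yes` should be the canonical `true`.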


@ -0,0 +1,37 @@
# General
alias clear="printf '\033c'" # faster than ncurses clear by a lot
alias c='clear'
alias bashrc="vim ~/.bashrc && source ~/.bashrc"
# LS
alias ls='ls --color=auto -FAh'
alias ll='ls -l'
alias la='ls'
alias l.='ls | egrep "^\."'
alias l=ls
# GREP
alias grep='grep --color=auto'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
# GIT
alias ga='git add'
alias gc='git commit'
alias gp='git push'
alias lc='fc -nl $HISTCMD'
# CADDY
alias rc='caddy reload --config ~/Caddyfile'
alias ft='caddy fmt --overwrite ~/Caddyfile'
alias vt='caddy validate --config ~/Caddyfile'
# DOCKER
alias dockup='docker compose pull; docker compose down && docker compose up -d --build --remove-orphans'
# Navigation
alias ..='cd ..'
alias ...='cd ../../'
alias ....='cd ../../../'
alias .....='cd ../../../../'
# Readability
alias cp="cp -iv"
alias mv='mv -iv'
alias rm='rm -iv'
alias df='df -h'
alias free='free -m'
alias mkdir='mkdir -pv'

42
all/templates/bashrc.j2 Normal file

@ -0,0 +1,42 @@
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
export HISTCONTROL=ignoredups:erasedups
export HISTFILESIZE=
export HISTSIZE=
export HISTTIMEFORMAT="[%F %T] "
# Change the file location because certain bash sessions truncate .bash_history file upon close.
# http://superuser.com/questions/575479/bash-history-truncated-to-500-lines-on-each-login
export HISTFILE=~/.bash_history
# Force prompt to write history after every command.
# http://superuser.com/questions/20900/bash-history-loss
PROMPT_COMMAND="history -a; $PROMPT_COMMAND"
shopt -s autocd # change to named directory
shopt -s cdspell # autocorrects cd misspellings
shopt -s cmdhist # save multi-line commands in history as single line
shopt -s dotglob
shopt -s histappend # do not overwrite history
shopt -s expand_aliases # expand aliases
shopt -s extglob
#ignore upper and lowercase when TAB completion
bind "set completion-ignore-case on"
# colored GCC warnings and errors
export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi

28
all/templates/profile.j2 Normal file

@ -0,0 +1,28 @@
# ~/.profile: executed by the command interpreter for login shells.
# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login
# exists.
# see /usr/share/doc/bash/examples/startup-files for examples.
# the files are located in the bash-doc package.
# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022
# if running bash
if [ -n "$BASH_VERSION" ]; then
# include .bashrc if it exists
if [ -f "$HOME/.bashrc" ]; then
. "$HOME/.bashrc"
fi
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
PATH="$HOME/bin:$PATH"
fi
# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/.local/bin" ] ; then
PATH="$HOME/.local/bin:$PATH"
fi
. "$HOME/.prompt"

57
all/templates/prompt.j2 Normal file

@ -0,0 +1,57 @@
__sig() {
# Giant switch case for getting the name of the signal (`kill -l`)
a=0
for i in $@; do
a=$((a+1))
case $i in
126) printf ACCES ;;
127) printf NOENT ;;
129) printf HUP ;;
130) printf INT ;;
131) printf QUIT ;;
132) printf ILL ;;
133) printf TRAP ;;
134) printf ABRT ;;
135) printf BUS ;;
136) printf FPE ;;
137) printf KILL ;;
138) printf USR1 ;;
139) printf SEGV ;;
140) printf USR2 ;;
141) printf PIPE ;;
142) printf ALRM ;;
143) printf TERM ;;
144) printf STKFLT ;;
145) printf CHLD ;;
146) printf CONT ;;
147) printf STOP ;;
148) printf TSTP ;;
149) printf TTIN ;;
150) printf TTOU ;;
151) printf URG ;;
152) printf XCPU ;;
153) printf XFSZ ;;
154) printf VTALRM ;;
155) printf PROF ;;
156) printf WINCH ;;
157) printf IO ;;
158) printf PWR ;;
159) printf SYS ;;
16[3-9]|1[7-8][0-9]|19[0-2]) printf RT$(($i-128)) ;; # Savagery
*) printf $i ;; # Print exit code if not in list
esac
done
}
sig() {
PLC=(${PIPESTATUS[@]})
printf "$(__sig ${PLC[@]})"
}
NO_COLOUR="\[\033[0m\]"
# Bold Colours
RED="\[\033[01;31m\]"
GREEN="\[\033[01;32m\]"
YELLOW="\[\033[01;33m\]"
BLUE="\[\033[01;34m\]"
PS1="[${RED}\$(sig)${NO_COLOUR}] [\t] [${RED}\u${NO_COLOUR}@${GREEN}\h${NO_COLOUR}|${BLUE}\w${NO_COLOUR}] [${YELLOW}#\#${NO_COLOUR}] ${GREEN}\$ ${NO_COLOUR}"
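Review bot: `sig` reads `PIPESTATUS` from inside `$(sig)` in `PS1`, but the bashrc template in this commit prepends `history -a` to `PROMPT_COMMAND`, which runs before the prompt is drawn and — if I read bash right — replaces `PIPESTATUS` with that command's own status, so the prompt would always show 0; capturing it first, e.g. `PROMPT_COMMAND='PLC=("${PIPESTATUS[@]}"); history -a; …'` with `sig` reading `PLC`, avoids that (confirm interactively). `for i in $@` and `printf $i` are unquoted; exit codes are plain integers so nothing breaks today, but `for i in "$@"` costs nothing. The counter `a` in `__sig` is incremented and never read and can go.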


@ -0,0 +1,15 @@
{% if inventory_hostname == 'eu' %}
Port 222
{% else %}
Port 22
{% endif %}
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no
X11Forwarding no
PrintMotd yes
UseDNS no
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
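Review bot: The `Port` branch only distinguishes `eu` (222) from everyone else (22), but inventory.yml in this commit reaches `in` on 6922 and `core` on 2270, so once the `restart sshd` handler fires on those hosts the inventoried port stops answering and the next run cannot connect (unless something outside this commit keeps the old port open). Taking the value from the inventory removes the duplication: `Port {{ ansible_port | default(22) }}`. Two further things worth a look: `UsePAM no` switches off the PAM account/session handling (pam_limits, account expiry) that Debian's stock config relies on, and the template does not carry the `Include /etc/ssh/sshd_config.d/*.conf` line recent Debian ships, so package drop-ins are silently ignored — both may be intended, but a comment would say so. `ChallengeResponseAuthentication` is the deprecated spelling of `KbdInteractiveAuthentication`; `sshd -T` still accepts it.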

2
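--- a/ansible.cfg
+++ b/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+INVENTORY = inventory.yml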


@ -0,0 +1,4 @@
---
collections:
- name: community.general
- name: community.docker
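Review bot: Neither collection carries a `version:`, so every `ansible-galaxy install` pulls whatever is newest on Galaxy, and the `caddy_ansible.caddy_ansible` role that the caddy play depends on is not listed at all, so the README's install command never fetches it. Add a `roles:` stanza with `- name: caddy_ansible.caddy_ansible` and a pinned `version:` on every entry; `ansible-galaxy install -r` handles both sections, though `-p roles/galaxy/` presumably applies to roles only and the collections land in the default collection path.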

29
inventory.yml Normal file

@ -0,0 +1,29 @@
all:
children:
soleil:
hosts:
core:
ansible_host: soleil.projectsegfau.lt
ansible_user: user
ansible_port: 2270
ansible_become: yes # Run everything as root
privfrontends:
hosts:
eu:
ansible_host: pizza1.projectsegfau.lt
ansible_user: arya
ansible_port: 222
ansible_become: yes # Run everything as root
caddy_extras_config: templates/1-extras.Caddyfile
us:
ansible_host: us.projectsegfau.lt
ansible_user: arya
ansible_port: 22
ansible_become: yes # Run everything as root
caddy_extras_config: templates/2-extras.Caddyfile
in:
ansible_host: in.projectsegfau.lt
ansible_user: root
ansible_port: 6922
caddy_extras_config: templates/3-extras.Caddyfile
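Review bot: `in` is the only host reached directly as `root`; the others log in as a personal account and escalate with `ansible_become`, which keeps actions attributable in auth.log and leaves room to tighten `PermitRootLogin` later. Since playbook.yaml creates `arya` with key login and passwordless sudo on every host, `in` can switch to `ansible_user: arya` plus `ansible_become: true` after the first run. The repeated `ansible_become: yes` should be written `true`, and could live once under `all: vars:` instead of per host.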


@ -0,0 +1,9 @@
services:
breezewiki:
container_name: breezewiki
image: quay.io/pussthecatorg/breezewiki:latest
restart: unless-stopped
ports:
- "10416:10416"
volumes:
- "./config.ini:/app/config.ini"


@ -0,0 +1,4 @@
canonical_origin = https://bw.projectsegfau.lt
debug = false
port = 10416
feature_search_suggestions = true


@ -0,0 +1,32 @@
version: "3"
services:
gothub:
image: codeberg.org/gothub/gothub:dev
restart: unless-stopped
ports:
- "1025:3000"
environment:
- DOCKER=true
- GOTHUB_SETUP_COMPLETE=true
- GOTHUB_PROXYING_ENABLED=true
- GOTHUB_IP_LOGGED=false
- GOTHUB_REQUEST_URL_LOGGED=false
- GOTHUB_USER_AGENT_LOGGED=false
- GOTHUB_DIAGNOSTIC_INFO_LOGGED=false
- GOTHUB_INSTANCE_PRIVACY_POLICY=https://projectsegfau.lt/legal/privacy-policy
{% if inventory_hostname == 'eu' %}
- GOTHUB_INSTANCE_COUNTRY=Luxembourg
- GOTHUB_INSTANCE_PROVIDER=BuyVM
{% else if inventory_hostname == 'us' %}
- GOTHUB_INSTANCE_COUNTRY=United States
- GOTHUB_INSTANCE_PROVIDER=Digital Ocean
{% else if inventory_hostname == 'in' %}
- GOTHUB_INSTANCE_COUNTRY=India
- GOTHUB_INSTANCE_PROVIDER=Bharti Airtel
{% endif %}
- GOTHUB_INSTANCE_CLOUDFLARE=false
healthcheck:
test: wget -nv --tries=1 --spider http://127.0.0.1:3000/api/v1/version || exit 1
interval: 30s
timeout: 5s
retries: 2
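Review bot: `{% else if inventory_hostname == 'us' %}` is not valid Jinja2 — the `else` tag takes no expression — so the template module raises a TemplateSyntaxError before anything is copied; the branches need `{% elif inventory_hostname == 'us' %}` and `{% elif inventory_hostname == 'in' %}`, as the Caddyfile template at the end of this commit already spells it. The same construct is in librarian's extras.conf and rimgo's compose template.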


@ -0,0 +1,14 @@
version: "3"
services:
gothub:
image: codeberg.org/gothub/gothub:latest
restart: unless-stopped
ports:
- "1024:3000"
environment:
- DOCKER=true
healthcheck:
test: wget -nv --tries=1 --spider http://127.0.0.1:3000/api/v1/version || exit 1
interval: 30s
timeout: 5s
retries: 2
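Review bot: `image: codeberg.org/gothub/gothub:latest` is a mutable tag, and with `watchtower` in the play's `docker_services` list the instance presumably re-pulls whatever upstream publishes under it without anyone reviewing the change; the same goes for every other compose file here (`:latest`, `:dev`, and rimgo with no tag at all). Pinning a release tag or a digest, `image: codeberg.org/gothub/gothub@sha256:<digest>` (placeholder), makes `docker compose pull` reproducible and turns updates into deliberate commits. If unattended updates are the intent, a comment at the `docker_services` list saying so would save the next reader the question.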


@ -0,0 +1,16 @@
version: '3'
services:
librarian:
image: codeberg.org/librarian/librarian:latest
ports:
- 3550:3550
volumes:
- ./extras.conf:/app/config.yml
restart: unless-stopped
stream-proxy:
image: codeberg.org/librarian/stream-proxy-ng:latest
ports:
- 3001:3001
restart: unless-stopped
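Review bot: The port mappings `3550:3550` and `3001:3001` are unquoted; these particular values do parse as strings, but the other compose files quote theirs (`"1024:3000"`) and any mapping whose right-hand number is below 60 would hit YAML 1.1's sexagesimal rule, so `- "3550:3550"` and `- "3001:3001"` for consistency. `version: '3'` differs from the `"3"` used elsewhere in the same way; the key is presumably ignored by the Compose v2 the README says is in use.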


@ -0,0 +1,78 @@
DOMAIN: 'https://lbry.projectsegfau.lt'
PORT: '3550'
FIBER_PREFORK: false
# Optional: Set address to bind to, example: 127.0.0.1
ADDRESS: ''
# Running a custom API server is not recommended and is not suitable for a public instance
API_URL: 'https://api.na-backend.odysee.com/api/v1/proxy'
# Block access to claims in case of DMCA
BLOCKED_CLAIMS:
- claimId
# AUTH_TOKEN and HMAC_KEY is automatically generated
AUTH_TOKEN: '{{librarian_auth_token}}'
HMAC_KEY: '{{librarian_hmac_key}}'
# Create IMAGE_CACHE_DIR before enabling image caching
IMAGE_CACHE: false
IMAGE_CACHE_DIR: '/var/cache/librarian'
IMAGE_CACHE_CLEANUP_INTERVAL: 24h
# The next 2 options will proxy video data through the instance.
# This will cause increased bandwidth usage.
# ENABLE_STREAM_PROXY proxies videos and ENABLE_LIVESTREAM enables livestreams.
ENABLE_STREAM_PROXY: true
ENABLE_LIVESTREAM: true
# Set custom SponsorBlock URL (with https://github.com/mchangrh/sb-mirror or other)
SPONSORBLOCK_URL: 'https://sponsor.ajay.app'
# Advanced: Custom video streaming endpoint
VIDEO_STREAMING_URL: 'https://proxy.lbry.projectsegfau.lt/stream'
# Rewrite links to other frontends. example: https://yt.domain.tld
FRONTEND:
youtube: 'https://invidious.projectsegfau.lt'
twitter: 'https://nitter.projectsegfau.lt'
imgur: 'https://rimgo.projectsegfau.lt'
instagram: ''
tiktok: ''
reddit: 'https://libreddit.projectsegfau.lt'
# Default instance settings
DEFAULT_SETTINGS:
theme: 'dark' # system, light, dark
relatedVideos: true
nsfw: false
autoplay: false
speed: '1' # 0.25, 0.5, 0.75, 1, 1.25, 1.5, 1.75, 2, 4
quality: '0' # 0 - Auto, 144 - 144p, 360 - 360p, 720 - 720p, 1080 - 1080p
sponsorblock:
sponsor: true
selfpromo: true
interaction: true
intro: false
outro: false
preview: false
filler_tangent: false
# Instance privacy: This is required to get your instance listed. For more info,
# See: https://codeberg.org/librarian/librarian/wiki/Instance-privacy
INSTANCE_PRIVACY:
# This is the default if you are using NGINX and have not disabled data collection.
# Read https://codeberg.org/librarian/librarian/wiki/Instance-privacy
DATA_NOT_COLLECTED: true
DATA_COLLECTED_IP: true
DATA_COLLECTED_URL: true
DATA_COLLECTED_DEVICE: true
DATA_COLLECTED_DIAGNOSTIC_ONLY: false
{% if inventory_hostname == 'eu' %}
INSTANCE_COUNTRY: "Luxembourg"
INSTANCE_PROVIDER: "BuyVM"
{% else if inventory_hostname == 'us' %}
INSTANCE_COUNTRY: "United States"
INSTANCE_PROVIDER: "Digital Ocean"
{% else if inventory_hostname == 'in' %}
INSTANCE_COUNTRY: "India"
INSTANCE_PROVIDER: "Bharti Airtel"
{% endif %}
# Cloudflare use is discouraged. You can set this to false if it is not proxied (gray cloud icon)
INSTANCE_CLOUDFLARE: false
# Optional: Explain your usage of data (if collected) and how it is stored.
MESSAGE: ""
# Link to your privacy policy, leave blank if you don't have one.
PRIVACY_POLICY: "https://projectsegfau.lt/legal/privacy-policy"
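Review bot: The `INSTANCE_PRIVACY` block declares both `DATA_NOT_COLLECTED: true` and `DATA_COLLECTED_IP/URL/DEVICE: true`, which contradict each other, and since this is the user-facing privacy declaration it overstates collection relative to rimgo (`PRIVACY_NOT_COLLECTED=true`) and gothub (`*_LOGGED=false`) in the same commit; unless Caddy access logs are kept on these hosts the three `DATA_COLLECTED_*` lines should read `false`. `BLOCKED_CLAIMS: - claimId` still carries the upstream placeholder; if nothing is blocked, `BLOCKED_CLAIMS: []` says so explicitly.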


@ -0,0 +1,16 @@
services:
libreddit:
image: libreddit/libreddit:latest
ports:
- 127.0.0.1:6464:8080
restart: unless-stopped
healthcheck:
test: ["CMD", "wget", "--spider", "-q", "--tries=1", "http://localhost:8080/settings"]
interval: 5m
timeout: 3s
environment:
- FRONT_PAGE=popular
- COMMENT_SORT=new
- BLUR_NSFW=on
- USE_HLS=on
- AUTOPLAY_VIDEOS=off


@ -0,0 +1,24 @@
version: "3"
services:
nitter:
image: zedeus/nitter:latest
ports:
- "8387:8080"
volumes:
- ./extras.conf:/src/nitter.conf:ro
depends_on:
- nitter-redis
restart: unless-stopped
nitter-redis:
image: redis:6-alpine
container_name: nitter-redis
command: redis-server --save 60 1 --loglevel warning
volumes:
- nitter-redis:/data
restart: unless-stopped
volumes:
nitter-redis:


@ -0,0 +1,45 @@
[Server]
address = "0.0.0.0"
port = 8080
https = true # disable to enable cookies when not using https
httpMaxConnections = 100
staticDir = "./public"
title = "nitter"
hostname = "nitter.projectsegfau.lt"
[Cache]
listMinutes = 240 # how long to cache list info (not the tweets, so keep it high)
rssMinutes = 10 # how long to cache rss queries
redisHost = "nitter-redis" # Change to "nitter-redis" if using docker-compose
redisPort = 6379
redisPassword = ""
redisConnections = 20 # connection pool size
redisMaxConnections = 30
# max, new connections are opened when none are available, but if the pool size
# goes above this, they're closed when released. don't worry about this unless
# you receive tons of requests per second
[Config]
hmacKey = "{{nitter_hmac_key}}" # random key for cryptographic signing of video urls
base64Media = false # use base64 encoding for proxied media urls
enableRSS = true # set this to false to disable RSS feeds
enableDebug = false # enable request logs and debug endpoints
proxy = "" # http/https url, SOCKS proxies are not supported
proxyAuth = ""
tokenCount = 10
# minimum amount of usable tokens. tokens are used to authorize API requests,
# but they expire after ~1 hour, and have a limit of 187 requests.
# the limit gets reset every 15 minutes, and the pool is filled up so there's
# always at least $tokenCount usable tokens. again, only increase this if
# you receive major bursts all the time
# Change default preferences here, see src/prefs_impl.nim for a complete list
[Preferences]
theme = "Nitter"
replaceTwitter = "nitter.projectsegfau.lt"
replaceYouTube = "invidious.projectsegfau.lt"
replaceReddit = "libreddit.projectsegfau.lt"
replaceInstagram = ""
proxyVideos = true
hlsPlayback = true
infiniteScroll = false


@ -0,0 +1,25 @@
services:
rimgo:
image: codeberg.org/video-prize-ranch/rimgo # Official image
ports:
- 9016:3000
environment:
- ADDRESS=0.0.0.0
- PORT=3000
- FIBER_PREFORK=false
- IMGUR_CLIENT_ID=546c25a59c58ad7
- PRIVACY_POLICY=https://projectsegfau.lt/legal/privacy-policy
- PRIVACY_MESSAGE=
{% if inventory_hostname == 'eu' %}
- PRIVACY_COUNTRY=Luxembourg
- PRIVACY_PROVIDER=BuyVM
{% else if inventory_hostname == 'us' %}
- PRIVACY_COUNTRY=USA
- PRIVACY_PROVIDER=Digital Ocean
{% else if inventory_hostname == 'in' %}
- PRIVACY_COUNTRY=India
- PRIVACY_PROVIDER=Bharti Airtel
{% endif %}
- PRIVACY_CLOUDFLARE=false
- PRIVACY_NOT_COLLECTED=true
restart: unless-stopped
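Review bot: `IMGUR_CLIENT_ID=546c25a59c58ad7` is committed in clear while the other frontends' credentials (`librarian_auth_token`, `nitter_hmac_key`, `scribe_secret_key_base`) come from the vault; if this is anything other than the default client id shipped in rimgo's own docs, it belongs in secrets.enc as `- IMGUR_CLIENT_ID={{ rimgo_imgur_client_id }}` (variable name constructed). `image: codeberg.org/video-prize-ranch/rimgo` carries no tag and so silently means `:latest`; spelling the tag out makes that visible. `- 9016:3000` could be quoted like the mappings in the other files.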


@ -0,0 +1,16 @@
version: "3.8"
services:
scribe:
image: registry.gitlab.com/lomanic/scribe-binaries:latest
restart: always
container_name: "scribe"
ports:
- 8006:8006
environment:
- SCRIBE_PORT=8006
- SCRIBE_HOST=0.0.0.0
- APP_DOMAIN=scribe.projectsegfau.lt
- LUCKY_ENV=production
- PORT=8006
- SECRET_KEY_BASE={{scribe_secret_key_base}}
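Review bot: `- SECRET_KEY_BASE={{scribe_secret_key_base}}` drops the vault value into an unquoted plain scalar; the file is rendered as text before Compose parses it, so a secret containing ` #` or `: ` would truncate the value or break the YAML. Quoting the item, `- "SECRET_KEY_BASE={{ scribe_secret_key_base }}"`, guards that (a `"` inside the secret would then still need escaping). `- 8006:8006` could be quoted for consistency with the other compose files.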


@ -0,0 +1,41 @@
version: "3.8"
services:
teddit:
restart: always
container_name: teddit
image: teddit/teddit:latest
environment:
- DOMAIN=teddit.projectsegfau.lt
- USE_HELMET=true
- USE_HELMET_HSTS=true
- TRUST_PROXY=true
- REDIS_HOST=teddit-redis
ports:
- "9061:8080"
networks:
- teddit_net
healthcheck:
test: ["CMD", "wget" ,"--no-verbose", "--tries=1", "--spider", "http://localhost:8080/about"]
interval: 1m
timeout: 3s
depends_on:
- teddit-redis
teddit-redis:
restart: always
container_name: teddit-redis
image: redis:6.2.5-alpine
command: redis-server
environment:
- REDIS_REPLICATION_MODE=master
networks:
- teddit_net
volumes:
- teddit-redis:/data
volumes:
teddit-redis:
networks:
teddit_net:


@ -0,0 +1,35 @@
---
- name: Copy docker-compose templates for the service
ansible.builtin.template:
src: ../compose/{{item}}/compose.yml.j2
dest: /opt/docker/{{item}}/compose.yml
backup: yes
register: check_status
- name: check if extras file exists for the service
local_action: stat path=../compose/{{item}}/extras.conf.j2
register: file
- name: Copy extras file
ansible.builtin.template:
src: ../compose/{{item}}/extras.conf.j2
dest: /opt/docker/{{item}}/extras.conf
backup: yes
when: file.stat.exists
- name: "Update docker service image"
command:
chdir: "/opt/docker/{{ item }}"
cmd: docker compose pull
when: check_status is changed
- name: "Stop docker service"
command:
chdir: "/opt/docker/{{ item }}"
cmd: docker compose down
when: check_status is changed
- name: "Start docker service"
command:
chdir: "/opt/docker/{{ item }}"
cmd: docker compose up -d --build --remove-orphans
when: check_status is changed
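Review bot: A change to a service's extras file never restarts it: only the compose template is registered as `check_status`, and the three `command` tasks key on that alone, so editing nitter's or librarian's config redeploys nothing until the compose file also changes; registering the extras copy and gating on either result fixes that. Separately, `ansible.builtin.template` does not create missing parent directories, so on a host where `/opt/docker/{{ item }}` does not already exist the first task fails — a `file: state=directory` task ahead of it covers fresh hosts. The `local_action: stat path=…` key=value form could become `ansible.builtin.stat` with `delegate_to: localhost`, and `backup: yes` should be `backup: true`.
```yaml
- name: Ensure the service directory exists
  ansible.builtin.file:
    path: "/opt/docker/{{ item }}"
    state: directory
    mode: "0755"
# … unchanged: compose template task (register: check_status) and the stat task …
- name: Copy extras file
  ansible.builtin.template:
    src: ../compose/{{item}}/extras.conf.j2
    dest: /opt/docker/{{item}}/extras.conf
    backup: true
  when: file.stat.exists
  register: extras_status
# … unchanged: the three command tasks, each now gated with …
  when: check_status is changed or extras_status is changed
```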


@ -0,0 +1,47 @@
---
- name: Setup Caddy
hosts: privfrontends
roles:
- role: caddy_ansible.caddy_ansible
caddy_systemd_capabilities_enabled: true
caddy_config: "{{ lookup('template', '../templates/Caddyfile.j2') }}"
caddy_user: "caddy"
caddy_home: "/var/lib/caddy"
# Static weekly builds of caddy with rfc2136 dns plugin
caddy_url_base: "https://cb.projectsegfau.lt/api/download"
tasks:
- name: Copy per-server caddy extras
ansible.builtin.copy:
src: "../{{ caddy_extras_config }}"
dest: /etc/caddy/extras.caddy
- name: Setup docker compose for privacy frontends
hosts: all
vars:
docker_services:
- anonymousoverflow
- beatbump
- breezewiki
- gothub
- gothub-dev
- invidious
- librarian
- libreddit
- nitter
- rimgo
- scribe
- teddit
- watchtower
non_pizza_docker_services:
- piped
- searxng-docker
tasks:
#
# community.docker does not support compose 2.0 right now.
# https://github.com/ansible-collections/community.docker/issues/216
#
- name: Update docker compose files and restart those with changes
include_tasks: docker-tasks.yaml
with_items: "{{ docker_services }}"
- name: Update docker compose files and restart those with changes (Privacy Frontends but without Pizza1)
include_tasks: docker-tasks.yaml
with_items: "{{ non_pizza_docker_services }}"


@ -0,0 +1,272 @@
## OLD URL REDIRECTS
invidious.mutahar.rocks {
redir https://inv.bp.projectsegfau.lt{uri} permanent
}
ferrit.projectsegfau.lt snooddit.projectsegfau.lt libreddit.mutahar.rocks {
redir https://libreddit.projectsegfau.lt{uri} permanent
}
lbry.mutahar.rocks {
redir https://lbry.projectsegfau.lt{uri} permanent
}
nitter.mutahar.rocks {
redir https://nitter.projectsegfau.lt{uri} permanent
}
#redir inv.bp.mutahar.rocks inv.bp.projectsegfau.lt permanent
#redir libreddit.mutahar.rocks libreddit.projectsegfau.lt permanent
#redir lbry.mutahar.rocks lbry.projectsegfau.lt permanent
#redir nitter.mutahar.rocks nitter.projectsegfau.lt permanent
arya.projectsegfau.lt aryak.me {
reverse_proxy https://arya.p.projectsegfau.lt {
header_up Host arya.p.projectsegfau.lt
}
}
gothub.dev.projectsegfau.lt {
reverse_proxy localhost:1025
import def
import torloc gothub.dev
}
## PUBNIX
# Reverse proxy all user sites
*.p.projectsegfau.lt {
reverse_proxy 10.7.0.2:80
import acmedns
}
# Redirect base subdomain to the pubnix homepage
p.projectsegfau.lt {
redir https://projectsegfau.lt/pubnix
}
# Cockpit
cockpit.p.projectsegfau.lt {
reverse_proxy 10.7.0.2:9090 {
transport http {
tls_insecure_skip_verify
}
}
import def
import torloc cockpit.p
}
# PublAPI
publapi.p.projectsegfau.lt {
reverse_proxy 10.7.0.2:3000
import def
}
grafana.p.projectsegfau.lt {
reverse_proxy 10.7.0.2:6943 {
header_up X-Real-IP {remote_host}
}
import def
}
geminiproxy.projectsegfau.lt geminiproxy.p.projectsegfau.lt {
reverse_proxy 10.7.0.2:8000
import def
import torloc geminiproxy.p
}
http://pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
reverse_proxy https://projectsegfau.lt {
header_up Host "projectsegfau.lt"
}
import tor www
import i2ploc pjsfg3pdzzocax6a4oznoyf5k4etzknfatqu23i43wxejwdaffoa.b32.i2p
}
http://www.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
reverse_proxy https://projectsegfau.lt {
header_up Host "projectsegfau.lt"
}
import tor www
import i2ploc pjsfg3pdzzocax6a4oznoyf5k4etzknfatqu23i43wxejwdaffoa.b32.i2p
}
# Privacy Frontends
http://scribe.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
reverse_proxy localhost:8006
import tor scribe
import i2ploc pjsflkkkcn33ahmzmpyq6idy2knkzh4atp7zaetqfsnenpyori6a.b32.i2p
}
http://nitter.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
reverse_proxy localhost:8387
import tor nitter
import i2ploc pjsfs4ukb6prmfx3qx3a5ef2cpcupkvcrxdh72kqn2rxc2cw4nka.b32.i2p
}
http://lbry.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor lbry
import i2ploc pjsf7uucpqf2crcmfo3nvwdmjhirxxjfyuvibdfp5x3af2ghqnaa.b32.i2p
reverse_proxy localhost:3550
}
http://libreddit.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor libreddit
import i2ploc pjsfkref7g66mji45kyccqnn5hmjtjp3cfodozabpyplj2rmv5sa.b32.i2p
reverse_proxy localhost:6464
}
http://breezewiki.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor breezewiki
import i2ploc pjsfk4xvekoc7wx4pteevp3q2wy7jmzlem7rvl74nx33zkdr4vyq.b32.i2p
reverse_proxy localhost:10416
}
http://beatbump.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor beatbump
import i2ploc pjsflmvtqax7ii44qy4ladap65c3kqspbs7h7krqy7x43uovklla.b32.i2p
reverse_proxy localhost:3069
}
http://invbp.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor invbp
import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p
reverse_proxy localhost:3000
}
http://rimgo.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor rimgo
reverse_proxy localhost:9016
}
http://teddit.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor teddit
reverse_proxy localhost:9061
}
http://overflow.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor overflow
reverse_proxy localhost:8694
}
http://gothub.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor gothub
reverse_proxy localhost:1024
}
http://gothub.dev.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor gothub.dev
reverse_proxy localhost:1025
}
http://inv.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor inv
import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p
reverse_proxy https://invidious.projectsegfau.lt {
header_up Host "invidious.projectsegfau.lt"
}
}
http://search.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor search
import i2ploc pjsfwklrellqoj275kzeu2tz4c3j5zktnqod56s7l5dc25ro3wgq.b32.i2p
reverse_proxy https://search.projectsegfau.lt {
header_up Host "search.projectsegfau.lt"
}
}
http://git.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor git
import i2ploc pjsfdrtv2465bisenvzhfvdleznx4arlih2hlnrhpzugailnm7iq.b32.i2p
reverse_proxy https://git.projectsegfau.lt {
header_up Host "git.projectsegfau.lt"
}
}
http://todo.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor todo
import i2ploc pjsfivs2sxudfy65kojxqophc6vqjqdr6woczy6hzaxvxvbj3bkq.b32.i2p
reverse_proxy https://todo.projectsegfau.lt {
header_up Host "todo.projectsegfau.lt"
}
}
http://wiki.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor wiki
reverse_proxy https://wiki.projectsegfau.lt {
header_up Host "wiki.projectsegfau.lt"
}
}
http://pass.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor pass
reverse_proxy https://pass.projectsegfau.lt {
header_up Host "pass.projectsegfau.lt"
}
}
# Pubnix
http://geminiproxy.p.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor geminiproxy.p
reverse_proxy https://geminiproxy.p.projectsegfau.lt {
header_up Host "geminiproxy.p.projectsegfau.lt"
}
}
http://cockpit.p.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor cockpit.p
reverse_proxy https://cockpit.p.projectsegfau.lt {
header_up Host "cockpit.p.projectsegfau.lt"
}
}
## I2P
## I2P
http://pjsfg3pdzzocax6a4oznoyf5k4etzknfatqu23i43wxejwdaffoa.b32.i2p:6001 {
reverse_proxy https://projectsegfau.lt {
header_up Host "projectsegfau.lt"
}
import tor www
import i2ploc pjsfg3pdzzocax6a4oznoyf5k4etzknfatqu23i43wxejwdaffoa.b32.i2p
}
http://pjsflkkkcn33ahmzmpyq6idy2knkzh4atp7zaetqfsnenpyori6a.b32.i2p:6008 {
reverse_proxy localhost:8006
import tor scribe
import i2ploc pjsflkkkcn33ahmzmpyq6idy2knkzh4atp7zaetqfsnenpyori6a.b32.i2p
}
http://pjsfs4ukb6prmfx3qx3a5ef2cpcupkvcrxdh72kqn2rxc2cw4nka.b32.i2p:6005 {
reverse_proxy localhost:8387
import tor nitter
import i2ploc pjsfs4ukb6prmfx3qx3a5ef2cpcupkvcrxdh72kqn2rxc2cw4nka.b32.i2p
}
http://pjsf7uucpqf2crcmfo3nvwdmjhirxxjfyuvibdfp5x3af2ghqnaa.b32.i2p:6003 {
import tor lbry
import i2ploc pjsf7uucpqf2crcmfo3nvwdmjhirxxjfyuvibdfp5x3af2ghqnaa.b32.i2p
reverse_proxy localhost:3550
}
http://pjsfkref7g66mji45kyccqnn5hmjtjp3cfodozabpyplj2rmv5sa.b32.i2p:6004 {
import tor libreddit
import i2ploc pjsfkref7g66mji45kyccqnn5hmjtjp3cfodozabpyplj2rmv5sa.b32.i2p
reverse_proxy localhost:6464
}
http://pjsfk4xvekoc7wx4pteevp3q2wy7jmzlem7rvl74nx33zkdr4vyq.b32.i2p:6007 { # NW
import tor breezewiki
import i2ploc pjsfk4xvekoc7wx4pteevp3q2wy7jmzlem7rvl74nx33zkdr4vyq.b32.i2p
reverse_proxy localhost:10416
}
http://pjsflmvtqax7ii44qy4ladap65c3kqspbs7h7krqy7x43uovklla.b32.i2p:6006 {
import tor beatbump
import i2ploc pjsflmvtqax7ii44qy4ladap65c3kqspbs7h7krqy7x43uovklla.b32.i2p
reverse_proxy localhost:3069
}
http://pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p:6016 {
import tor invbp
import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p
reverse_proxy localhost:3000
}
http://pjsf5ahv7ce67i5ic46ghum3scwatrsyac5i6aa5bynvnnlmpzfa.b32.i2p:6017 {
import tor rimgo
import i2ploc pjsf5ahv7ce67i5ic46ghum3scwatrsyac5i6aa5bynvnnlmpzfa.b32.i2p
reverse_proxy localhost:9016
}
http://pjsfa3dd7rxocfqanxenpop2uqfgpw4nevrmy424u5qwyasqdu6a.b32.i2p:6018 {
import tor teddit
import i2ploc pjsfa3dd7rxocfqanxenpop2uqfgpw4nevrmy424u5qwyasqdu6a.b32.i2p
reverse_proxy localhost:9061
}
http://pjsfhqamc7k6htnumrvn4cwqqdoggeepj7u5viyimgnxg3gar72q.b32.i2p:6002 {
import tor inv
import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p
reverse_proxy https://invidious.projectsegfau.lt {
header_up Host "invidious.projectsegfau.lt"
}
}
http://pjsfwklrellqoj275kzeu2tz4c3j5zktnqod56s7l5dc25ro3wgq.b32.i2p:6012 {
import tor search
import i2ploc pjsfwklrellqoj275kzeu2tz4c3j5zktnqod56s7l5dc25ro3wgq.b32.i2p
reverse_proxy https://search.projectsegfau.lt {
header_up Host "search.projectsegfau.lt"
}
}
http://pjsfdrtv2465bisenvzhfvdleznx4arlih2hlnrhpzugailnm7iq.b32.i2p:6013 {
import tor git
import i2ploc pjsfdrtv2465bisenvzhfvdleznx4arlih2hlnrhpzugailnm7iq.b32.i2p
reverse_proxy https://git.projectsegfau.lt {
header_up Host "git.projectsegfau.lt"
}
}
http://pjsfivs2sxudfy65kojxqophc6vqjqdr6woczy6hzaxvxvbj3bkq.b32.i2p:6015 {
import i2ploc pjsfivs2sxudfy65kojxqophc6vqjqdr6woczy6hzaxvxvbj3bkq.b32.i2p
import tor todo
reverse_proxy https://todo.projectsegfau.lt {
header_up Host "todo.projectsegfau.lt"
}
}
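Review bot: The `inv` vhosts advertise the wrong I2P address: both `http://inv.….onion` and `http://pjsfhqamc7k6….b32.i2p:6002` do `import i2ploc pjsfi2szfkb4….b32.i2p`, which is the address the `invbp` vhosts use, while the I2P listener for `inv` itself is `pjsfhqamc7k6htnumrvn4cwqqdoggeepj7u5viyimgnxg3gar72q.b32.i2p` — presumably a copy-paste slip, so `import i2ploc pjsfhqamc7k6htnumrvn4cwqqdoggeepj7u5viyimgnxg3gar72q.b32.i2p` in both (confirm against the I2P tunnel config). `## I2P` is duplicated at the section boundary. `cockpit.p` proxies with `tls_insecure_skip_verify` to `10.7.0.2:9090`, so the certificate on that hop is never checked; on a tunnel or LAN link that may be acceptable, but a comment stating why would help the next reader. The `*.p.projectsegfau.lt` wildcard also has no `import def`, so user sites go out without the security headers every other site here gets.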


@ -0,0 +1,4 @@
fb.us.projectsegfau.lt {
import def
reverse_proxy :8065
}


@ -0,0 +1,35 @@
bitpuit.in.projectsegfau.lt {
respond "Go fuck yourself devrand"
}
# PERSONAL
https://m.in.projectsegfau.lt:8448 m.in.projectsegfau.lt {
reverse_proxy http://192.168.1.47:8008
}
files.perso.in.projectsegfau.lt files.perso.in.projectsegfau.lt:6942 {
file_server {
browse
}
root * /zfspool/files
}
tnfiles.perso.in.projectsegfau.lt {
file_server {
browse
}
root * /zfspool/files/tn-sw
}
discourse.tildevarsh.in {
reverse_proxy https://192.168.1.21:443 {
transport http {
tls_insecure_skip_verify
}
header_up X-Real-IP {remote_host}
}
}
jf.perso.in.projectsegfau.lt {
reverse_proxy 192.168.1.20:8096
import def
}
nc.perso.in.projectsegfau.lt {
reverse_proxy 192.168.1.20:80
import def
}
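Review bot: `tls_insecure_skip_verify` in the `transport http` block of the discourse.tildevarsh.in site disables certificate verification for the hop to 192.168.1.21:443, so Caddy will accept any certificate presented at that address, including one from a host that has taken over that LAN IP. If the Discourse certificate is self-signed, pin it instead with `tls_trusted_ca_cert_file /path/to/discourse-ca.pem` (plus `tls_server_name discourse.tildevarsh.in` if the certificate is not issued for the IP); if the backend also listens on plain HTTP, `reverse_proxy http://192.168.1.21` is no weaker than skipping verification and drops the flag entirely. Separately, the two `file_server { browse }` sites rooted at `/zfspool/files` publish directory listings to the internet with no authentication and without `import def`, so they carry none of the security headers the other sites get; that may be intended, but it is worth confirming and, if so, adding `import def` to them.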


@ -0,0 +1,275 @@
(tor) {
header {
-Strict-Transport-Security
-Referrer-Policy
-X-XSS-Protection
-Content-Security-Policy
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
Permissions-Policy interest-cohort=()
# clickjacking protection
X-Frame-Options SAMEORIGIN
Onion-Location http://{args.0}.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion{path}
defer
}
}
(torloc) {
header Onion-Location http://{args.0}.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion{path}
}
(i2ploc) {
header X-I2P-Location http://{args.0}{path}
}
(acmedns) {
tls {
dns rfc2136 {
key_name "dynupd"
key_alg "hmac-sha256"
# declared in secrets.en: https://aryak.me/blog/01-knot
key "{{ rfc2136_key }}"
server "107.189.12.96:53"
}
}
}
(def) {
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# clickjacking protection
X-Frame-Options SAMEORIGIN
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
{% if inventory_hostname == 'in' %}
import acmedns
{% endif %}
}
{{inventory_hostname}}.projectsegfau.lt {% if inventory_hostname == 'eu' %} pizza1.projectsegfau.lt {% endif %} {
{% if inventory_hostname == 'eu' %}
redir https://wiki.projectsegfau.lt/index.php?title=Pizza1
{% elif inventory_hostname == 'us' %}
redir https://wiki.projectsegfau.lt/index.php?title=US_Node
{% elif inventory_hostname == 'in' %}
redir https://wiki.projectsegfau.lt/index.php?title=India_Node
{% else %}
{% endif %}
}
cdn.projectsegfau.lt cdn.{{inventory_hostname}}.projectsegfau.lt {
encode zstd gzip
root * /var/cdn
file_server {
browse
}
}
{% if inventory_hostname == 'eu' %}
inv.bp.projectsegfau.lt {
reverse_proxy localhost:7573
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
import torloc invbp
import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p
}
proxy.lbry.projectsegfau.lt {
reverse_proxy localhost:3001
import def
}
{% else %}
inv.{{inventory_hostname}}.projectsegfau.lt {
reverse_proxy localhost:7573
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
{% if inventory_hostname == 'in' %}
import acmedns
{% endif %}
}
piped.{{inventory_hostname}}.projectsegfau.lt pipedproxy.{{inventory_hostname}}.projectsegfau.lt pipedapi.{{inventory_hostname}}.projectsegfau.lt {
reverse_proxy :6970
header {
# disable FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
{% if inventory_hostname == 'in' %}
import acmedns
{% endif %}
}
{% endif %}
lbry.{{inventory_hostname}}.projectsegfau.lt lbry.projectsegfau.lt {
reverse_proxy :7269
import def
import torloc lbry
import i2ploc pjsf7uucpqf2crcmfo3nvwdmjhirxxjfyuvibdfp5x3af2ghqnaa.b32.i2p
}
gothub.{{inventory_hostname}}.projectsegfau.lt gothub.projectsegfau.lt {
reverse_proxy :1024
import def
import torloc gothub
}
overflow.{{inventory_hostname}}.projectsegfau.lt overflow.projectsegfau.lt {
reverse_proxy :8694
import def
import torloc overflow
}
teddit.{{inventory_hostname}}.projectsegfau.lt teddit.projectsegfau.lt {
reverse_proxy :9061
import def
import torloc teddit
}
rimgo.{{inventory_hostname}}.projectsegfau.lt rimgo.projectsegfau.lt {
reverse_proxy :9016
import def
import torloc rimgo
}
libreddit.{{inventory_hostname}}.projectsegfau.lt libreddit.projectsegfau.lt {
reverse_proxy :6464
import def
import torloc libreddit
import i2ploc pjsfkref7g66mji45kyccqnn5hmjtjp3cfodozabpyplj2rmv5sa.b32.i2p
}
nitter.{{inventory_hostname}}.projectsegfau.lt nitter.projectsegfau.lt {
import def
header {
X-Permitted-Cross-Domain-Policies none
Permissions-Policy "Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(self), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(self), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()"
header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; script-src-attr 'none'; img-src 'self'; style-src 'self' 'unsafe-inline'; style-src-elem 'self'; font-src 'self'; object-src 'none'; media-src 'self' blob:; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'"
}
reverse_proxy :8387 {
transport http {
compression off
}
}
import torloc nitter
import i2ploc pjsfs4ukb6prmfx3qx3a5ef2cpcupkvcrxdh72kqn2rxc2cw4nka.b32.i2p
}
bb.{{inventory_hostname}}.projectsegfau.lt bb.projectsegfau.lt {
import def
import torloc beatbump
import i2ploc pjsflmvtqax7ii44qy4ladap65c3kqspbs7h7krqy7x43uovklla.b32.i2p
reverse_proxy :3069
}
bw.{{inventory_hostname}}.projectsegfau.lt bw.projectsegfau.lt {
import def
import torloc breezewiki
import i2ploc pjsfk4xvekoc7wx4pteevp3q2wy7jmzlem7rvl74nx33zkdr4vyq.b32.i2p
reverse_proxy :10416
}
scribe.{{inventory_hostname}}.projectsegfau.lt scribe.projectsegfau.lt {
import def
import torloc scribe
import i2ploc pjsflkkkcn33ahmzmpyq6idy2knkzh4atp7zaetqfsnenpyori6a.b32.i2p
reverse_proxy :8006
}
{% if inventory_hostname == 'eu' %}
{% else %}
search.{{inventory_hostname}}.projectsegfau.lt {
import def
reverse_proxy :8081
@api {
path /config
path /healthz
path /stats/errors
path /stats/checker
}
@static {
path /static/*
}
@notstatic {
not path /static/*
}
@imageproxy {
path /image_proxy
}
@notimageproxy {
not path /image_proxy
}
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disable some features
Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
# Disable some features (legacy)
Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
# Referer
Referrer-Policy "no-referrer"
# X-Robots-Tag
X-Robots-Tag "noindex, noarchive, nofollow"
# Remove Server header
-Server
}
header @api {
Access-Control-Allow-Methods "GET, OPTIONS"
Access-Control-Allow-Origin "*"
}
# Cache
header @static {
# Cache
Cache-Control "public, max-age=31536000"
defer
}
header @notstatic {
# No Cache
Cache-Control "no-cache, no-store"
Pragma "no-cache"
}
# CSP (see http://content-security-policy.com/ )
header @imageproxy {
Content-Security-Policy "default-src 'none'; img-src 'self' data:"
}
header @notimageproxy {
Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
}
}
{% endif %}
include ./extras.caddy
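Review bot: The nitter site's CSP, the `header Content-Security-Policy "default-src 'none'; …"` line nested inside the `header { }` block, looks like it is never emitted: inside a header block each line is `<field> <value>` or `<field> <find> <replace>`, so this line reads as a find/replace on a response header literally named `header`, which silently matches nothing. Drop the leading keyword so the line is `Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; script-src-attr 'none'; …"` (rest of the value unchanged). On the line above it the Permissions-Policy value starts with the header name again (`"Permissions-Policy: accelerometer=(), …"`), which makes the structured-field dictionary unparseable and will likely cause browsers to discard the whole policy; the value should begin directly at `accelerometer=()`. Note also that `import def` sets `Permissions-Policy interest-cohort=()` with `defer` on the same site, so whichever set runs last replaces the other; folding `interest-cohort=()` into the nitter list and adding `defer` to that header block avoids the collision.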

5
requirements.yml Normal file

@ -0,0 +1,5 @@
---
- src: git+https://github.com/caddy-ansible/caddy-ansible.git
version: v3.2.0
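Review bot: `version: v3.2.0` pins the caddy-ansible role to a git tag, and tags are mutable, so the `ansible-galaxy install --force` invocation the README prescribes can pull different role code later from an unchanged requirements file. Pin to the full commit hash of the v3.2.0 tag instead, e.g. `version: "<40-hex commit sha>"  # v3.2.0`, which makes the role fetch reproducible and lets a changed upstream tag fail loudly rather than run. Quoting the value also keeps it a string regardless of what future tags look like.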

22
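--- a/secrets.enc
+++ b/secrets.enc
@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+32316630323862343738306231666531626333396630366537373664396636313737356665306530
+3736386466623363383038393933343964316230636237380a343933626632663633376532663332
+31353534613239613632653362616465393264336134656365353238336537626239393333646235
+3139656638336630610a383666383336643331323930626131383865336263643632353335613432
+38343533396530303734663135326462656230333062653566663666346663313637313166663261
+65636635396465666630633335613465333763363530313930643533303763366163393364613232
+63353861386530363665633266653330363433653731663936613139356663623933373731336665
+34346336643965373566663362643766623364633233333531313165316665363132666466666333
+36666331323966353632326433326232643533636564383734626462336564663663656234643863
+33386138393934623735653437613135383936373231363966656535386530343566643265373463
+36333139333535383135333133646630343431323835346662313062373337393161323330353131
+64313230646230653664633034373462653764373033323333386638303737383461646630643835
+32303863306663326364633530613934663635316261316431633932633465646538353834663663
+36313830393264313232616638303839653637366366313132656438623432643666303362343564
+38343439373736376362663939353130643464623733633334386632333239663935346363633238
+31633366363634613365643333616439303435616338303836323932346465343035653535663437
+61616430336265323336353866306366346639366366313365353039336333613162303864646462
+36323661303164363462626664366162623631643963313232623661343766343165656335663162
+64393162643861373734316535376534373665393561303265643939323632646162663661333561
+35306639643764623862663930663339653064626331393863386538353763383838643332356339
+30336238366634313762393334653466396139383735623132366132616264386465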