commit 10f95ff5358cefa33fb23b93216a599b27cccb07 Author: Arya Kiran Date: Sat May 13 09:14:40 2023 +0800 init
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..708819c
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/roles/galaxy/*
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b363b95
--- /dev/null
+++ b/README.md
@@ -0,0 +1,41 @@ +# Testing ansible +``` +ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force +ansible-playbook playbook.yaml # Initialize +ansible-playbook -i inventory.yml -e @secrets.enc --ask-vault-pass playbooks/caddy.yaml # Caddy +ansible-playbook -i inventory.yml -e @secrets.enc --ask-vault-pass playbooks/docker.yaml # Docker Compose +``` + +To add secrets: `ansible-vault edit secrets.enc` +## Per-playbook info +### /playbook.yaml +Configures basic stuff, meant for every server. +### /playbooks/docker.yaml +Configures privacy frontends, meant for US, IN and Pizza1. +### /playbooks/caddy.yaml +Configures Caddy, meant for US, IN and Pizza1. +## Adding new services +Adding new services is a bit janky, for I had to set it up with normal commands instead of the preferred community.docker collection (it doesn't support v2 which we use on most of our compose files) + +Firstly, add the thing to `docker_services` array/var in `/playbooks/docker.yaml`. This list **MUST** be maintaind in alphabetical order for ease of maintanence. + +Then, create the `/compose/SERVICE_NAME` directory and add the compose file to the same. You can use the `{{inventory_hostname}}` variables where required. + +If the service needs a secret key, add it to the ansible-vault secrets.enc with `ansible-vault edit secrets.enc`. If you are a Project Segfault sysadmin you already have the password for it :P + +Past this, Caddy needs to be configured. + +The common GeoDNS configuration can be done following this format +``` +SERVICE_NAME.{{inventory_hostname}}.projectsegfau.lt SERVICE_NAME.projectsegfau.lt { + reverse_proxy :PORT + import def + import torloc SERVICE_NAME # Setup tor first following the wiki +} +``` + +Tor/I2P can be setup following the instructions in https://wiki.projectsegfau.lt/Internal:Setting_up_a_GeoDNS_service, with the only change that tor/i2p are now merged and they are in `/templates/01-extras.caddy`. 
+ +Past this, you can run the deployment as outlined in the beginning. + +Please inform me (Arya) if any part of this documentation isn't clear, I suck at writing documentation. diff --git a/all/files/arya.pub b/all/files/arya.pub new file mode 100644 index 0000000..747ed23 --- /dev/null +++ b/all/files/arya.pub @@ -0,0 +1,2 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICeUQKFE6j+legQS2aam8VlwaGJ1r5BfJevbMUxpAi6N aryakiran@zohomail.eu + diff --git a/all/files/devrand.pub b/all/files/devrand.pub new file mode 100644 index 0000000..5b94cca --- /dev/null +++ b/all/files/devrand.pub @@ -0,0 +1,2 @@ +sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIE4EqdlXF8o8Fdf0v/I8sowP7Rw3tZiY5i/CP131AX5dAAAAC3NzaDp0ZXJtaXVz Generated By Termius + diff --git a/all/files/midou.pub b/all/files/midou.pub new file mode 100644 index 0000000..641d20e --- /dev/null +++ b/all/files/midou.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZRpxFYvYt3tfllosegLv3c/IV7+AhMUSfNQio/3kVY ServerAccess diff --git a/all/playbook.yaml b/all/playbook.yaml new file mode 100644 index 0000000..3df7675 --- /dev/null +++ b/all/playbook.yaml 
@@ -0,0 +1,109 @@ +--- +- name: Install shit + hosts: all + tasks: + - name: Std Repo stuff + apt: + update_cache: true + name: + - vim + - curl + - wget + - sudo + - net-tools + - nmap + - python3-pip + - python3-passlib + - vnstat + - name: Enable VNStat service + service: + name: vnstat + enabled: yes + state: started + +- name: Add users + hosts: all + vars: + users: + - arya + - devrand + - midou + vars_prompt: + - name: password + prompt: What is password to be used for all accs? (initial if no password is already set) + encrypt: sha512_crypt + confirm: true + salt_size: 6 + + tasks: + - name: bashrc skel + template: + src: templates/bashrc.j2 + dest: /etc/skel/.bashrc + - name: profile skel + template: + src: templates/profile.j2 + dest: /etc/skel/.profile + - name: bash_aliases skel + template: + src: templates/bash_aliases.j2 + dest: /etc/skel/.bash_aliases + - name: prompt skel + template: + src: templates/prompt.j2 + dest: /etc/skel/.prompt + - name: bashrc root + template: + src: templates/bashrc.j2 + dest: /root/.bashrc + - name: profile root + template: + src: templates/profile.j2 + dest: /root/.profile + - name: bash_aliases root + template: + src: templates/bash_aliases.j2 + dest: /root/.bash_aliases + - name: prompt root + template: + src: templates/prompt.j2 + dest: /root/.prompt + - name: Add user + user: + name: "{{ item }}" + group: users + groups: users,sudo + password: "{{ password }}" + shell: /bin/bash + update_password: on_create # Add the same initial password for all users (can be overwritten by user) + with_items: + - "{{ users }}" + - name: "Add authorized keys" + authorized_key: + user: "{{ item }}" + key: "{{ lookup('file', 'files/'+ item + '.pub') }}" + with_items: + - "{{ users }}" + - name: "Allow admin users to sudo without a password" + lineinfile: + dest: "/etc/sudoers" # path: in version 2.3 + state: "present" + regexp: "^%sudo" + line: "%sudo ALL=(ALL) NOPASSWD: ALL" +- name: Configure SSHD + hosts: all + tasks: + - name: 
sshd configuration file update + template: + src: templates/sshd_config.j2 + dest: /etc/ssh/sshd_config + backup: yes + owner: 0 + group: 0 + mode: 0644 + validate: '/usr/sbin/sshd -T -f %s' + notify: + - restart sshd + handlers: + - name: restart sshd + service: name=sshd state=restarted diff --git a/all/templates/bash_aliases.j2 b/all/templates/bash_aliases.j2 new file mode 100644 index 0000000..b7ff01d --- /dev/null +++ b/all/templates/bash_aliases.j2 @@ -0,0 +1,37 @@ +# General +alias clear="printf '\033c'" # faster than ncurses clear by a lot +alias c='clear' +alias bashrc="vim ~/.bashrc && source ~/.bashrc" +# LS +alias ls='ls --color=auto -FAh' +alias ll='ls -l' +alias la='ls' +alias l.='ls | egrep "^\."' +alias l=ls +# GREP +alias grep='grep --color=auto' +alias egrep='egrep --color=auto' +alias fgrep='fgrep --color=auto' +# GIT +alias ga='git add' +alias gc='git commit' +alias gp='git push' +alias lc='fc -nl $HISTCMD' +# CADDY +alias rc='caddy reload --config ~/Caddyfile' +alias ft='caddy fmt --overwrite ~/Caddyfile' +alias vt='caddy validate --config ~/Caddyfile' +# DOCKER +alias dockup='docker compose pull; docker compose down && docker compose up -d --build --remove-orphans' +# Navigation +alias ..='cd ..' +alias ...='cd ../../' +alias ....='cd ../../../' +alias .....='cd ../../../../' +# Readability +alias cp="cp -iv" +alias mv='mv -iv' +alias rm='rm -iv' +alias df='df -h' +alias free='free -m' +alias mkdir='mkdir -pv' diff --git a/all/templates/bashrc.j2 b/all/templates/bashrc.j2 new file mode 100644 index 0000000..52378ce --- /dev/null +++ b/all/templates/bashrc.j2 
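Review bot: The `lineinfile` task that rewrites the `%sudo` line in `/etc/sudoers` has no `validate:`, unlike the sshd task in the same file, so a typo in `line:` leaves every host without a working sudo (which `ansible_become` in the inventory depends on for the next run); add `validate: '/usr/sbin/visudo -cf %s'` to that task. Granting `NOPASSWD: ALL` to the whole `sudo` group means each listed account, all created with the same initial password, escalates to root without re-authenticating — if that is intended, a one-line comment saying so would help the next reader. The sshd task's `mode: 0644` is an unquoted octal literal and `backup: yes` / `enabled: yes` are YAML 1.1 truthy values; `mode: "0644"` and `true` keep ansible-lint and a YAML 1.2 parser in agreement with the intent.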
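Review bot: The `dockup` alias chains `docker compose pull` with `;`, so a failed pull (registry unreachable, bad tag) still runs `docker compose down` and takes the service offline before `up` is even attempted; `alias dockup='docker compose pull && docker compose down && docker compose up -d --build --remove-orphans'` stops at the first failure while the stack is still running. The same pull/down/up sequence appears as three tasks in docker-tasks.yaml, where a failing task already aborts the play.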
@@ -0,0 +1,42 @@ +# If not running interactively, don't do anything +case $- in + *i*) ;; + *) return;; +esac +export HISTCONTROL=ignoredups:erasedups +export HISTFILESIZE= +export HISTSIZE= +export HISTTIMEFORMAT="[%F %T] " +# Change the file location because certain bash sessions truncate .bash_history file upon close. +# http://superuser.com/questions/575479/bash-history-truncated-to-500-lines-on-each-login +export HISTFILE=~/.bash_history +# Force prompt to write history after every command. +# http://superuser.com/questions/20900/bash-history-loss +PROMPT_COMMAND="history -a; $PROMPT_COMMAND" + +shopt -s autocd # change to named directory +shopt -s cdspell # autocorrects cd misspellings +shopt -s cmdhist # save multi-line commands in history as single line +shopt -s dotglob +shopt -s histappend # do not overwrite history +shopt -s expand_aliases # expand aliases +shopt -s extglob +#ignore upper and lowercase when TAB completion +bind "set completion-ignore-case on" + +# colored GCC warnings and errors +export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01' + +if [ -f ~/.bash_aliases ]; then + . ~/.bash_aliases +fi +# enable programmable completion features (you don't need to enable +# this, if it's already enabled in /etc/bash.bashrc and /etc/profile +# sources /etc/bash.bashrc). +if ! shopt -oq posix; then + if [ -f /usr/share/bash-completion/bash_completion ]; then + . /usr/share/bash-completion/bash_completion + elif [ -f /etc/bash_completion ]; then + . /etc/bash_completion + fi +fi diff --git a/all/templates/profile.j2 b/all/templates/profile.j2 new file mode 100644 index 0000000..3c82fc7 --- /dev/null +++ b/all/templates/profile.j2 
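Review bot: `shopt -s dotglob` and `shopt -s extglob` are the only options in the `shopt` run without a trailing comment, and `dotglob` is the one that changes everyday commands: `*` then also matches dotfiles, so `rm *`, `chmod -R … *` or `cp * dest` in a directory act on `.ssh`, `.env` and the like. Since this file is installed as `/root/.bashrc` and into `/etc/skel`, a comment such as `shopt -s dotglob # '*' also matches dotfiles — affects rm/cp/chmod globs` makes that visible to the next admin.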
@@ -0,0 +1,28 @@ +# ~/.profile: executed by the command interpreter for login shells. +# This file is not read by bash(1), if ~/.bash_profile or ~/.bash_login +# exists. +# see /usr/share/doc/bash/examples/startup-files for examples. +# the files are located in the bash-doc package. + +# the default umask is set in /etc/profile; for setting the umask +# for ssh logins, install and configure the libpam-umask package. +#umask 022 + +# if running bash +if [ -n "$BASH_VERSION" ]; then + # include .bashrc if it exists + if [ -f "$HOME/.bashrc" ]; then + . "$HOME/.bashrc" + fi +fi + +# set PATH so it includes user's private bin if it exists +if [ -d "$HOME/bin" ] ; then + PATH="$HOME/bin:$PATH" +fi + +# set PATH so it includes user's private bin if it exists +if [ -d "$HOME/.local/bin" ] ; then + PATH="$HOME/.local/bin:$PATH" +fi +. "$HOME/.prompt" diff --git a/all/templates/prompt.j2 b/all/templates/prompt.j2 new file mode 100644 index 0000000..884b78e --- /dev/null +++ b/all/templates/prompt.j2 
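Review bot: The final `. "$HOME/.prompt"` runs outside the `if [ -n "$BASH_VERSION" ]` guard and without the `[ -f … ]` existence check the rest of the file uses, yet prompt.j2 relies on bash-only syntax (`PLC=(${PIPESTATUS[@]})`); a login shell that is not bash, or an account whose home predates the skel change, gets an error at every login. Move the line inside the bash guard next to the `.bashrc` include, as `if [ -f "$HOME/.prompt" ]; then . "$HOME/.prompt"; fi`.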
@@ -0,0 +1,57 @@ +__sig() { + # Giant switch case for getting the name of the signal (`kill -l`) + a=0 + for i in $@; do + a=$((a+1)) + case $i in + 126) printf ACCES ;; + 127) printf NOENT ;; + 129) printf HUP ;; + 130) printf INT ;; + 131) printf QUIT ;; + 132) printf ILL ;; + 133) printf TRAP ;; + 134) printf ABRT ;; + 135) printf BUS ;; + 136) printf FPE ;; + 137) printf KILL ;; + 138) printf USR1 ;; + 139) printf SEGV ;; + 140) printf USR2 ;; + 141) printf PIPE ;; + 142) printf ALRM ;; + 143) printf TERM ;; + 144) printf STKFLT ;; + 145) printf CHLD ;; + 146) printf CONT ;; + 147) printf STOP ;; + 148) printf TSTP ;; + 149) printf TTIN ;; + 150) printf TTOU ;; + 151) printf URG ;; + 152) printf XCPU ;; + 153) printf XFSZ ;; + 154) printf VTALRM ;; + 155) printf PROF ;; + 156) printf WINCH ;; + 157) printf IO ;; + 158) printf PWR ;; + 159) printf SYS ;; + 16[3-9]|1[7-8][0-9]|19[0-2]) printf RT$(($i-128)) ;; # Savagery + *) printf $i ;; # Print exit code if not in list + esac + done +} +sig() { + PLC=(${PIPESTATUS[@]}) + printf "$(__sig ${PLC[@]})" +} +NO_COLOUR="\[\033[0m\]" +# Bold Colours +RED="\[\033[01;31m\]" +GREEN="\[\033[01;32m\]" +YELLOW="\[\033[01;33m\]" +BLUE="\[\033[01;34m\]" + +PS1="[${RED}\$(sig)${NO_COLOUR}] [\t] [${RED}\u${NO_COLOUR}@${GREEN}\h${NO_COLOUR}|${BLUE}\w${NO_COLOUR}] [${YELLOW}#\#${NO_COLOUR}] ${GREEN}\$ ${NO_COLOUR}" + diff --git a/all/templates/sshd_config.j2 b/all/templates/sshd_config.j2 new file mode 100644 index 0000000..99a4af4 --- /dev/null +++ b/all/templates/sshd_config.j2 @@ -0,0 +1,15 @@ +{% if inventory_hostname == 'eu' %} +Port 222 +{% else %} +Port 22 +{% endif %} +PermitRootLogin prohibit-password +PasswordAuthentication no +PermitEmptyPasswords no +ChallengeResponseAuthentication no +UsePAM no +X11Forwarding no +PrintMotd yes +UseDNS no +AcceptEnv LANG LC_* +Subsystem sftp /usr/lib/openssh/sftp-server diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..66c09e6 --- /dev/null +++ b/ansible.cfg 
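Review bot: `__sig` increments `a` on every iteration but never reads it, and `a`, `i` and `PLC` are assigned without `local`, so every prompt redraw overwrites those names in the interactive shell; declare `local a i` (or drop `a`) in `__sig` and `local PLC` in `sig`. Because bashrc.j2 prepends `history -a` to `PROMPT_COMMAND`, which bash runs before it expands `PS1`, the `PIPESTATUS` that `sig` reads may already belong to that command rather than to the user's last pipeline — worth checking with `false | true` at an interactive prompt. `printf "$(__sig …)"` also feeds the output in as a format string; `printf '%s' "$(__sig "${PLC[@]}")"` is the safer spelling.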
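Review bot: The `Port` value is hard-coded to 222 for `eu` and 22 for everything else, but inventory.yml connects to `in` on 6922 and to `core` on 2270, and all/playbook.yaml installs this template on `hosts: all` and restarts sshd; after the first run those hosts listen on 22 while the controller keeps dialling the inventory port, and `sshd -T` validation cannot catch that. Deriving it from the inventory, `Port {{ ansible_port | default(22) }}`, replaces the whole `{% if %}` block and keeps the template in step with the port Ansible actually uses. Two smaller points: `ChallengeResponseAuthentication` is the deprecated alias of `KbdInteractiveAuthentication` in current OpenSSH, and `UsePAM no` on Debian-family hosts presumably also skips the PAM session stack (pam_limits, pam_systemd session registration), which `PasswordAuthentication no` alone would not require.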
@@ -0,0 +1,2 @@
+[defaults]
+INVENTORY = inventory.yml
diff --git a/collections/requirements.yml b/collections/requirements.yml
new file mode 100644
index 0000000..483ed15
--- /dev/null
+++ b/collections/requirements.yml
@@ -0,0 +1,4 @@
+---
+collections:
+ - name: community.general
+ - name: community.docker
diff --git a/inventory.yml b/inventory.yml
new file mode 100644
index 0000000..d75a7d8
--- /dev/null
+++ b/inventory.yml
@@ -0,0 +1,29 @@
+all:
+ children:
+ soleil:
+ hosts:
+ core:
+ ansible_host: soleil.projectsegfau.lt
+ ansible_user: user
+ ansible_port: 2270
+ ansible_become: yes # Run everything as root
+ privfrontends:
+ hosts:
+ eu:
+ ansible_host: pizza1.projectsegfau.lt
+ ansible_user: arya
+ ansible_port: 222
+ ansible_become: yes # Run everything as root
+ caddy_extras_config: templates/1-extras.Caddyfile
+ us:
+ ansible_host: us.projectsegfau.lt
+ ansible_user: arya
+ ansible_port: 22
+ ansible_become: yes # Run everything as root
+ caddy_extras_config: templates/2-extras.Caddyfile
+ in:
+ ansible_host: in.projectsegfau.lt
+ ansible_user: root
+ ansible_port: 6922
+ caddy_extras_config: templates/3-extras.Caddyfile
+
diff --git a/privfrontends/compose/breezewiki/compose.yml.j2 b/privfrontends/compose/breezewiki/compose.yml.j2
new file mode 100644
index 0000000..b617302
--- /dev/null
+++ b/privfrontends/compose/breezewiki/compose.yml.j2
@@ -0,0 +1,9 @@
+services:
+ breezewiki:
+ container_name: breezewiki
+ image: quay.io/pussthecatorg/breezewiki:latest
+ restart: unless-stopped
+ ports:
+ - "10416:10416"
+ volumes:
+ - "./config.ini:/app/config.ini"
diff --git a/privfrontends/compose/breezewiki/extras.conf.j2 b/privfrontends/compose/breezewiki/extras.conf.j2
new file mode 100644
index 0000000..62b57f1
--- /dev/null
+++ b/privfrontends/compose/breezewiki/extras.conf.j2
@@ -0,0 +1,4 @@
+canonical_origin = https://bw.projectsegfau.lt
+debug = false
+port = 10416
+feature_search_suggestions = true
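Review bot: The file only lists collections, but privfrontends/playbook.yaml applies `role: caddy_ansible.caddy_ansible` and `.gitignore` reserves `/roles/galaxy/*` for it, so the `ansible-galaxy install -r … -p roles/galaxy/` step the README describes will never fetch that role; add a `roles:` section with `- name: caddy_ansible.caddy_ansible`. Neither collection entry pins a `version:`, so two people bootstrapping on different days get different collection code; pinning makes the install reproducible.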
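Review bot: `ports: - "10416:10416"` publishes the container on all interfaces, so the service is reachable from outside directly on that port, bypassing the Caddy vhost and whatever a host firewall expects, because Docker inserts its own forwarding rules ahead of the host's INPUT chain; the Caddyfile only needs `localhost:10416`, so bind to loopback as libreddit's compose already does, `- "127.0.0.1:10416:10416"`. The same applies to the port mappings in gothub-dev, gothub, librarian (both services), nitter, rimgo, scribe and teddit.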
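Review bot: docker-tasks.yaml renders this template to `/opt/docker/breezewiki/extras.conf`, but the compose file for the same service mounts `./config.ini:/app/config.ini`, a path nothing in the commit creates; on first start Docker will create an empty `config.ini` directory as the bind-mount source and breezewiki will never see this configuration. Either mount `./extras.conf:/app/config.ini` in compose.yml.j2, as librarian does with `./extras.conf:/app/config.yml`, or write the template to the name compose expects.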
diff --git a/privfrontends/compose/gothub-dev/compose.yml.j2 b/privfrontends/compose/gothub-dev/compose.yml.j2 new file mode 100644 index 0000000..433c9be --- /dev/null +++ b/privfrontends/compose/gothub-dev/compose.yml.j2 @@ -0,0 +1,32 @@ +version: "3" +services: + gothub: + image: codeberg.org/gothub/gothub:dev + restart: unless-stopped + ports: + - "1025:3000" + environment: + - DOCKER=true + - GOTHUB_SETUP_COMPLETE=true + - GOTHUB_PROXYING_ENABLED=true + - GOTHUB_IP_LOGGED=false + - GOTHUB_REQUEST_URL_LOGGED=false + - GOTHUB_USER_AGENT_LOGGED=false + - GOTHUB_DIAGNOSTIC_INFO_LOGGED=false + - GOTHUB_INSTANCE_PRIVACY_POLICY=https://projectsegfau.lt/legal/privacy-policy + {% if inventory_hostname == 'eu' %} + - GOTHUB_INSTANCE_COUNTRY=Luxembourg + - GOTHUB_INSTANCE_PROVIDER=BuyVM + {% else if inventory_hostname == 'us' %} + - GOTHUB_INSTANCE_COUNTRY=United States + - GOTHUB_INSTANCE_PROVIDER=Digital Ocean + {% else if inventory_hostname == 'in' %} + - GOTHUB_INSTANCE_COUNTRY=India + - GOTHUB_INSTANCE_PROVIDER=Bharti Airtel + {% endif %} + - GOTHUB_INSTANCE_CLOUDFLARE=false + healthcheck: + test: wget -nv --tries=1 --spider http://127.0.0.1:3000/api/v1/version || exit 1 + interval: 30s + timeout: 5s + retries: 2 diff --git a/privfrontends/compose/gothub/compose.yml.j2 b/privfrontends/compose/gothub/compose.yml.j2 new file mode 100644 index 0000000..90061bf --- /dev/null +++ b/privfrontends/compose/gothub/compose.yml.j2 @@ -0,0 +1,14 @@ +version: "3" +services: + gothub: + image: codeberg.org/gothub/gothub:latest + restart: unless-stopped + ports: + - "1024:3000" + environment: + - DOCKER=true + healthcheck: + test: wget -nv --tries=1 --spider http://127.0.0.1:3000/api/v1/version || exit 1 + interval: 30s + timeout: 5s + retries: 2 diff --git a/privfrontends/compose/librarian/compose.yml.j2 b/privfrontends/compose/librarian/compose.yml.j2 new file mode 100644 index 0000000..966ba97 --- /dev/null +++ b/privfrontends/compose/librarian/compose.yml.j2 
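Review bot: `{% else if inventory_hostname == 'us' %}` is not valid Jinja2 — the `else` tag takes no expression, so `ansible.builtin.template` raises a TemplateSyntaxError and the deploy of this service stops before any container is touched; the keyword is `{% elif inventory_hostname == 'us' %}` (twice in this file). The same construct appears in privfrontends/compose/librarian/extras.conf.j2 and privfrontends/compose/rimgo/compose.yml.j2.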
@@ -0,0 +1,16 @@ +version: '3' + +services: + librarian: + image: codeberg.org/librarian/librarian:latest + ports: + - 3550:3550 + volumes: + - ./extras.conf:/app/config.yml + restart: unless-stopped + + stream-proxy: + image: codeberg.org/librarian/stream-proxy-ng:latest + ports: + - 3001:3001 + restart: unless-stopped diff --git a/privfrontends/compose/librarian/extras.conf.j2 b/privfrontends/compose/librarian/extras.conf.j2 new file mode 100644 index 0000000..a99816a --- /dev/null +++ b/privfrontends/compose/librarian/extras.conf.j2 
@@ -0,0 +1,78 @@ +DOMAIN: 'https://lbry.projectsegfau.lt' +PORT: '3550' +FIBER_PREFORK: false +# Optional: Set address to bind to, example: 127.0.0.1 +ADDRESS: '' +# Running a custom API server is not recommended and is not suitable for a public instance +API_URL: 'https://api.na-backend.odysee.com/api/v1/proxy' +# Block access to claims in case of DMCA +BLOCKED_CLAIMS: + - claimId +# AUTH_TOKEN and HMAC_KEY is automatically generated +AUTH_TOKEN: '{{librarian_auth_token}}' +HMAC_KEY: '{{librarian_hmac_key}}' +# Create IMAGE_CACHE_DIR before enabling image caching +IMAGE_CACHE: false +IMAGE_CACHE_DIR: '/var/cache/librarian' +IMAGE_CACHE_CLEANUP_INTERVAL: 24h +# The next 2 options will proxy video data through the instance. +# This will cause increased bandwidth usage. +# ENABLE_STREAM_PROXY proxies videos and ENABLE_LIVESTREAM enables livestreams. +ENABLE_STREAM_PROXY: true +ENABLE_LIVESTREAM: true +# Set custom SponsorBlock URL (with https://github.com/mchangrh/sb-mirror or other) +SPONSORBLOCK_URL: 'https://sponsor.ajay.app' +# Advanced: Custom video streaming endpoint +VIDEO_STREAMING_URL: 'https://proxy.lbry.projectsegfau.lt/stream' +# Rewrite links to other frontends. example: https://yt.domain.tld +FRONTEND: + youtube: 'https://invidious.projectsegfau.lt' + twitter: 'https://nitter.projectsegfau.lt' + imgur: 'https://rimgo.projectsegfau.lt' + instagram: '' + tiktok: '' + reddit: 'https://libreddit.projectsegfau.lt' +# Default instance settings +DEFAULT_SETTINGS: + theme: 'dark' # system, light, dark + relatedVideos: true + nsfw: false + autoplay: false + speed: '1' # 0.25, 0.5, 0.75, 1, 1.25, 1.5, 1.75, 2, 4 + quality: '0' # 0 - Auto, 144 - 144p, 360 - 360p, 720 - 720p, 1080 - 1080p + sponsorblock: + sponsor: true + selfpromo: true + interaction: true + intro: false + outro: false + preview: false + filler_tangent: false +# Instance privacy: This is required to get your instance listed. 
For more info, +# See: https://codeberg.org/librarian/librarian/wiki/Instance-privacy +INSTANCE_PRIVACY: +# This is the default if you are using NGINX and have not disabled data collection. +# Read https://codeberg.org/librarian/librarian/wiki/Instance-privacy + DATA_NOT_COLLECTED: true + DATA_COLLECTED_IP: true + DATA_COLLECTED_URL: true + DATA_COLLECTED_DEVICE: true + DATA_COLLECTED_DIAGNOSTIC_ONLY: false + + {% if inventory_hostname == 'eu' %} + INSTANCE_COUNTRY: "Luxembourg" + INSTANCE_PROVIDER: "BuyVM" + {% else if inventory_hostname == 'us' %} + INSTANCE_COUNTRY: "United States" + INSTANCE_PROVIDER: "Digital Ocean" + {% else if inventory_hostname == 'in' %} + INSTANCE_COUNTRY: "India" + INSTANCE_PROVIDER: "Bharti Airtel" + {% endif %} + + # Cloudflare use is discouraged. You can set this to false if it is not proxied (gray cloud icon) + INSTANCE_CLOUDFLARE: false + # Optional: Explain your usage of data (if collected) and how it is stored. + MESSAGE: "" + # Link to your privacy policy, leave blank if you don't have one. + PRIVACY_POLICY: "https://projectsegfau.lt/legal/privacy-policy" diff --git a/privfrontends/compose/libreddit/compose.yml.j2 b/privfrontends/compose/libreddit/compose.yml.j2 new file mode 100644 index 0000000..014f686 --- /dev/null +++ b/privfrontends/compose/libreddit/compose.yml.j2 @@ -0,0 +1,16 @@ +services: + libreddit: + image: libreddit/libreddit:latest + ports: + - 127.0.0.1:6464:8080 + restart: unless-stopped + healthcheck: + test: ["CMD", "wget", "--spider", "-q", "--tries=1", "http://localhost:8080/settings"] + interval: 5m + timeout: 3s + environment: + - FRONT_PAGE=popular + - COMMENT_SORT=new + - BLUR_NSFW=on + - USE_HLS=on + - AUTOPLAY_VIDEOS=off diff --git a/privfrontends/compose/nitter/compose.yml.j2 b/privfrontends/compose/nitter/compose.yml.j2 new file mode 100644 index 0000000..fd40ec2 --- /dev/null +++ b/privfrontends/compose/nitter/compose.yml.j2 
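Review bot: The `INSTANCE_PRIVACY` block declares `DATA_NOT_COLLECTED: true` and, in the same mapping, `DATA_COLLECTED_IP`, `DATA_COLLECTED_URL` and `DATA_COLLECTED_DEVICE: true` — the upstream sample values for an NGINX setup, as the comment above them says; the other frontends in this commit declare the opposite (`GOTHUB_IP_LOGGED=false`, `PRIVACY_NOT_COLLECTED=true`), so either the three `DATA_COLLECTED_*` flags should be `false` or the comment should explain why this instance differs. `BLOCKED_CLAIMS: - claimId` also looks like the upstream placeholder rather than a real claim id; an empty list `[]` or a comment marking it as a placeholder would avoid a reader assuming something is being blocked.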
@@ -0,0 +1,24 @@ +version: "3" + +services: + + nitter: + image: zedeus/nitter:latest + ports: + - "8387:8080" + volumes: + - ./extras.conf:/src/nitter.conf:ro + depends_on: + - nitter-redis + restart: unless-stopped + + nitter-redis: + image: redis:6-alpine + container_name: nitter-redis + command: redis-server --save 60 1 --loglevel warning + volumes: + - nitter-redis:/data + restart: unless-stopped + +volumes: + nitter-redis: diff --git a/privfrontends/compose/nitter/extras.conf.j2 b/privfrontends/compose/nitter/extras.conf.j2 new file mode 100644 index 0000000..4dce5d9 --- /dev/null +++ b/privfrontends/compose/nitter/extras.conf.j2 
@@ -0,0 +1,45 @@ +[Server] +address = "0.0.0.0" +port = 8080 +https = true # disable to enable cookies when not using https +httpMaxConnections = 100 +staticDir = "./public" +title = "nitter" +hostname = "nitter.projectsegfau.lt" + +[Cache] +listMinutes = 240 # how long to cache list info (not the tweets, so keep it high) +rssMinutes = 10 # how long to cache rss queries +redisHost = "nitter-redis" # Change to "nitter-redis" if using docker-compose +redisPort = 6379 +redisPassword = "" +redisConnections = 20 # connection pool size +redisMaxConnections = 30 +# max, new connections are opened when none are available, but if the pool size +# goes above this, they're closed when released. don't worry about this unless +# you receive tons of requests per second + +[Config] +hmacKey = "{{nitter_hmac_key}}" # random key for cryptographic signing of video urls +base64Media = false # use base64 encoding for proxied media urls +enableRSS = true # set this to false to disable RSS feeds +enableDebug = false # enable request logs and debug endpoints +proxy = "" # http/https url, SOCKS proxies are not supported +proxyAuth = "" +tokenCount = 10 +# minimum amount of usable tokens. tokens are used to authorize API requests, +# but they expire after ~1 hour, and have a limit of 187 requests. +# the limit gets reset every 15 minutes, and the pool is filled up so there's +# always at least $tokenCount usable tokens. again, only increase this if +# you receive major bursts all the time + +# Change default preferences here, see src/prefs_impl.nim for a complete list +[Preferences] +theme = "Nitter" +replaceTwitter = "nitter.projectsegfau.lt" +replaceYouTube = "invidious.projectsegfau.lt" +replaceReddit = "libreddit.projectsegfau.lt" +replaceInstagram = "" +proxyVideos = true +hlsPlayback = true +infiniteScroll = false diff --git a/privfrontends/compose/rimgo/compose.yml.j2 b/privfrontends/compose/rimgo/compose.yml.j2 new file mode 100644 index 0000000..f8076d2 --- /dev/null 
+++ b/privfrontends/compose/rimgo/compose.yml.j2 @@ -0,0 +1,25 @@ +services: + rimgo: + image: codeberg.org/video-prize-ranch/rimgo # Official image + ports: + - 9016:3000 + environment: + - ADDRESS=0.0.0.0 + - PORT=3000 + - FIBER_PREFORK=false + - IMGUR_CLIENT_ID=546c25a59c58ad7 + - PRIVACY_POLICY=https://projectsegfau.lt/legal/privacy-policy + - PRIVACY_MESSAGE= + {% if inventory_hostname == 'eu' %} + - PRIVACY_COUNTRY=Luxembourg + - PRIVACY_PROVIDER=BuyVM + {% else if inventory_hostname == 'us' %} + - PRIVACY_COUNTRY=USA + - PRIVACY_PROVIDER=Digital Ocean + {% else if inventory_hostname == 'in' %} + - PRIVACY_COUNTRY=India + - PRIVACY_PROVIDER=Bharti Airtel + {% endif %} + - PRIVACY_CLOUDFLARE=false + - PRIVACY_NOT_COLLECTED=true + restart: unless-stopped diff --git a/privfrontends/compose/scribe/compose.yml.j2 b/privfrontends/compose/scribe/compose.yml.j2 new file mode 100644 index 0000000..cf11ecb --- /dev/null +++ b/privfrontends/compose/scribe/compose.yml.j2 @@ -0,0 +1,16 @@ +version: "3.8" + +services: + scribe: + image: registry.gitlab.com/lomanic/scribe-binaries:latest + restart: always + container_name: "scribe" + ports: + - 8006:8006 + environment: + - SCRIBE_PORT=8006 + - SCRIBE_HOST=0.0.0.0 + - APP_DOMAIN=scribe.projectsegfau.lt + - LUCKY_ENV=production + - PORT=8006 + - SECRET_KEY_BASE={{scribe_secret_key_base}} diff --git a/privfrontends/compose/teddit/compose.yml.j2 b/privfrontends/compose/teddit/compose.yml.j2 new file mode 100644 index 0000000..f09767e --- /dev/null +++ b/privfrontends/compose/teddit/compose.yml.j2 
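Review bot: `IMGUR_CLIENT_ID=546c25a59c58ad7` is an API identifier committed in clear text, while the comparable values for scribe (`{{scribe_secret_key_base}}`) and librarian come from the vault; if this is the project's own registered Imgur client, move it to secrets.enc and reference it as `- IMGUR_CLIENT_ID={{ rimgo_imgur_client_id }}` (placeholder variable name) so that rotating it does not require a history rewrite. `PRIVACY_COUNTRY=USA` also differs from the `United States` spelling used for the same host in gothub-dev.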
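Review bot: `- SECRET_KEY_BASE={{scribe_secret_key_base}}` is rendered unquoted into a YAML sequence item, so a vault value containing ` #`, `: ` or a leading indicator character yields a truncated or unparsable compose file, and the failure only surfaces at `docker compose up`; quote the rendered item, `- "SECRET_KEY_BASE={{ scribe_secret_key_base }}"`. Keeping the secret out of the compose file altogether via `env_file` would also stop it from appearing in `docker compose config` output and the `backup: yes` copies that docker-tasks.yaml leaves in `/opt/docker/scribe`.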
@@ -0,0 +1,41 @@
+version: "3.8"
+
+services:
+
+ teddit:
+ restart: always
+ container_name: teddit
+ image: teddit/teddit:latest
+ environment:
+ - DOMAIN=teddit.projectsegfau.lt
+ - USE_HELMET=true
+ - USE_HELMET_HSTS=true
+ - TRUST_PROXY=true
+ - REDIS_HOST=teddit-redis
+ ports:
+ - "9061:8080"
+ networks:
+ - teddit_net
+ healthcheck:
+ test: ["CMD", "wget" ,"--no-verbose", "--tries=1", "--spider", "http://localhost:8080/about"]
+ interval: 1m
+ timeout: 3s
+ depends_on:
+ - teddit-redis
+
+ teddit-redis:
+ restart: always
+ container_name: teddit-redis
+ image: redis:6.2.5-alpine
+ command: redis-server
+ environment:
+ - REDIS_REPLICATION_MODE=master
+ networks:
+ - teddit_net
+ volumes:
+ - teddit-redis:/data
+volumes:
+ teddit-redis:
+
+networks:
+ teddit_net:
diff --git a/privfrontends/docker-tasks.yaml b/privfrontends/docker-tasks.yaml
new file mode 100644
index 0000000..43fad35
--- /dev/null
+++ b/privfrontends/docker-tasks.yaml
@@ -0,0 +1,35 @@
+---
+- name: Copy docker-compose templates for the service
+ ansible.builtin.template:
+ src: ../compose/{{item}}/compose.yml.j2
+ dest: /opt/docker/{{item}}/compose.yml
+ backup: yes
+ register: check_status
+
+- name: check if extras file exists for the service
+ local_action: stat path=../compose/{{item}}/extras.conf.j2
+ register: file
+- name: Copy extras file
+ ansible.builtin.template:
+ src: ../compose/{{item}}/extras.conf.j2
+ dest: /opt/docker/{{item}}/extras.conf
+ backup: yes
+ when: file.stat.exists
+
+- name: "Update docker service image"
+ command:
+ chdir: "/opt/docker/{{ item }}"
+ cmd: docker compose pull
+ when: check_status is changed
+
+- name: "Stop docker service"
+ command:
+ chdir: "/opt/docker/{{ item }}"
+ cmd: docker compose down
+ when: check_status is changed
+
+- name: "Start docker service"
+ command:
+ chdir: "/opt/docker/{{ item }}"
+ cmd: docker compose up -d --build --remove-orphans
+ when: check_status is changed
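Review bot: Only the compose template is `register`ed, so a change that touches just the extras file (nitter's `hmacKey`, librarian's tokens, breezewiki's port) is written to `/opt/docker/<service>/extras.conf` but none of the three `command` tasks run and the container keeps its old configuration; add `register: extras_status` to the "Copy extras file" task and use `when: check_status is changed or extras_status is changed` on the pull/down/up tasks (a skipped task still registers, with `changed` false). Nothing creates `/opt/docker/{{item}}` either, and `ansible.builtin.template` fails when the destination directory is missing, so a `file:` task with `state: directory` is needed before the first template. The `local_action: stat path=../compose/…` path is resolved against the controller's working directory rather than the playbook directory; `path: "{{ playbook_dir }}/compose/{{ item }}/extras.conf.j2"` makes the check independent of where `ansible-playbook` is started.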
diff --git a/privfrontends/playbook.yaml b/privfrontends/playbook.yaml
new file mode 100644
index 0000000..fdb6797
--- /dev/null
+++ b/privfrontends/playbook.yaml
@@ -0,0 +1,47 @@
+---
+- name: Setup Caddy
+ hosts: privfrontends
+ roles:
+ - role: caddy_ansible.caddy_ansible
+ caddy_systemd_capabilities_enabled: true
+ caddy_config: "{{ lookup('template', '../templates/Caddyfile.j2') }}"
+ caddy_user: "caddy"
+ caddy_home: "/var/lib/caddy"
+ # Static weekly builds of caddy with rfc2136 dns plugin
+ caddy_url_base: "https://cb.projectsegfau.lt/api/download"
+ tasks:
+ - name: Copy per-server caddy extras
+ ansible.builtin.copy:
+ src: "../{{ caddy_extras_config }}"
+ dest: /etc/caddy/extras.caddy
+- name: Setup docker compose for privacy frontends
+ hosts: all
+ vars:
+ docker_services:
+ - anonymousoverflow
+ - beatbump
+ - breezewiki
+ - gothub
+ - gothub-dev
+ - invidious
+ - librarian
+ - libreddit
+ - nitter
+ - rimgo
+ - scribe
+ - teddit
+ - watchtower
+ non_pizza_docker_services:
+ - piped
+ - searxng-docker
+ tasks:
+ #
+ # community.docker does not support compose 2.0 right now.
+ # https://github.com/ansible-collections/community.docker/issues/216
+ #
+ - name: Update docker compose files and restart those with changes
+ include_tasks: docker-tasks.yaml
+ with_items: "{{ docker_services }}"
+ - name: Update docker compose files and restart those with changes (Privacy Frontends but without Pizza1)
+ include_tasks: docker-tasks.yaml
+ with_items: "{{ non_pizza_docker_services }}"
diff --git a/privfrontends/templates/1-extras.Caddyfile b/privfrontends/templates/1-extras.Caddyfile
new file mode 100644
index 0000000..3e94a5d
--- /dev/null
+++ b/privfrontends/templates/1-extras.Caddyfile
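Review bot: The second play targets `hosts: all` while the Caddy play above targets `hosts: privfrontends`, so the compose deployment also runs on `core` in the `soleil` group, and `non_pizza_docker_services` is deployed to every host despite its name because the task has no `when: inventory_hostname != 'eu'`; both plays should use `hosts: privfrontends` and the second loop needs that condition. Several entries in `docker_services` (anonymousoverflow, beatbump, invidious, watchtower) and both `non_pizza_docker_services` have no `compose.yml.j2` under privfrontends/compose in this commit, so unless those templates exist elsewhere the very first `include_tasks` iteration fails on the template step before any service is updated.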
@@ -0,0 +1,272 @@ +## OLD URL REDIRECTS +invidious.mutahar.rocks { + redir https://inv.bp.projectsegfau.lt{uri} permanent +} +ferrit.projectsegfau.lt snooddit.projectsegfau.lt libreddit.mutahar.rocks { + redir https://libreddit.projectsegfau.lt{uri} permanent +} +lbry.mutahar.rocks { + redir https://lbry.projectsegfau.lt{uri} permanent +} +nitter.mutahar.rocks { + redir https://nitter.projectsegfau.lt{uri} permanent +} +#redir inv.bp.mutahar.rocks inv.bp.projectsegfau.lt permanent +#redir libreddit.mutahar.rocks libreddit.projectsegfau.lt permanent +#redir lbry.mutahar.rocks lbry.projectsegfau.lt permanent +#redir nitter.mutahar.rocks nitter.projectsegfau.lt permanent +arya.projectsegfau.lt aryak.me { + reverse_proxy https://arya.p.projectsegfau.lt { + header_up Host arya.p.projectsegfau.lt + } +} +gothub.dev.projectsegfau.lt { + reverse_proxy localhost:1025 + import def + import torloc gothub.dev +} + +## PUBNIX +# Reverse proxy all user sites +*.p.projectsegfau.lt { + reverse_proxy 10.7.0.2:80 + import acmedns +} + +# Redirect base subdomain to the pubnix homepage +p.projectsegfau.lt { + redir https://projectsegfau.lt/pubnix +} + +# Cockpit +cockpit.p.projectsegfau.lt { + reverse_proxy 10.7.0.2:9090 { + transport http { + tls_insecure_skip_verify + } + } + import def + import torloc cockpit.p +} + +# PublAPI +publapi.p.projectsegfau.lt { + reverse_proxy 10.7.0.2:3000 + import def +} +grafana.p.projectsegfau.lt { + reverse_proxy 10.7.0.2:6943 { + header_up X-Real-IP {remote_host} + } + import def +} +geminiproxy.projectsegfau.lt geminiproxy.p.projectsegfau.lt { + reverse_proxy 10.7.0.2:8000 + import def + import torloc geminiproxy.p +} +http://pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + reverse_proxy https://projectsegfau.lt { + header_up Host "projectsegfau.lt" + } + import tor www + import i2ploc pjsfg3pdzzocax6a4oznoyf5k4etzknfatqu23i43wxejwdaffoa.b32.i2p +} +http://www.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + 
reverse_proxy https://projectsegfau.lt { + header_up Host "projectsegfau.lt" + } + import tor www + import i2ploc pjsfg3pdzzocax6a4oznoyf5k4etzknfatqu23i43wxejwdaffoa.b32.i2p +} +# Privacy Frontends +http://scribe.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + reverse_proxy localhost:8006 + import tor scribe + import i2ploc pjsflkkkcn33ahmzmpyq6idy2knkzh4atp7zaetqfsnenpyori6a.b32.i2p +} +http://nitter.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + reverse_proxy localhost:8387 + import tor nitter + import i2ploc pjsfs4ukb6prmfx3qx3a5ef2cpcupkvcrxdh72kqn2rxc2cw4nka.b32.i2p +} +http://lbry.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor lbry + import i2ploc pjsf7uucpqf2crcmfo3nvwdmjhirxxjfyuvibdfp5x3af2ghqnaa.b32.i2p + reverse_proxy localhost:3550 +} +http://libreddit.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor libreddit + import i2ploc pjsfkref7g66mji45kyccqnn5hmjtjp3cfodozabpyplj2rmv5sa.b32.i2p + reverse_proxy localhost:6464 +} +http://breezewiki.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor breezewiki + import i2ploc pjsfk4xvekoc7wx4pteevp3q2wy7jmzlem7rvl74nx33zkdr4vyq.b32.i2p + reverse_proxy localhost:10416 +} +http://beatbump.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor beatbump + import i2ploc pjsflmvtqax7ii44qy4ladap65c3kqspbs7h7krqy7x43uovklla.b32.i2p + reverse_proxy localhost:3069 +} +http://invbp.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor invbp + import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p + reverse_proxy localhost:3000 +} +http://rimgo.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor rimgo + reverse_proxy localhost:9016 +} +http://teddit.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor teddit + reverse_proxy localhost:9061 +} 
+http://overflow.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor overflow + reverse_proxy localhost:8694 +} +http://gothub.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor gothub + reverse_proxy localhost:1024 +} +http://gothub.dev.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor gothub.dev + reverse_proxy localhost:1025 +} +http://inv.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor inv + import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p + reverse_proxy https://invidious.projectsegfau.lt { + header_up Host "invidious.projectsegfau.lt" + } +} +http://search.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor search + import i2ploc pjsfwklrellqoj275kzeu2tz4c3j5zktnqod56s7l5dc25ro3wgq.b32.i2p + reverse_proxy https://search.projectsegfau.lt { + header_up Host "search.projectsegfau.lt" + } +} +http://git.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor git + import i2ploc pjsfdrtv2465bisenvzhfvdleznx4arlih2hlnrhpzugailnm7iq.b32.i2p + reverse_proxy https://git.projectsegfau.lt { + header_up Host "git.projectsegfau.lt" + } +} +http://todo.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor todo + import i2ploc pjsfivs2sxudfy65kojxqophc6vqjqdr6woczy6hzaxvxvbj3bkq.b32.i2p + reverse_proxy https://todo.projectsegfau.lt { + header_up Host "todo.projectsegfau.lt" + } +} +http://wiki.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor wiki + reverse_proxy https://wiki.projectsegfau.lt { + header_up Host "wiki.projectsegfau.lt" + } +} +http://pass.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor pass + reverse_proxy https://pass.projectsegfau.lt { + header_up Host "pass.projectsegfau.lt" + } +} +# Pubnix +http://geminiproxy.p.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor 
geminiproxy.p + reverse_proxy https://geminiproxy.p.projectsegfau.lt { + header_up Host "geminiproxy.p.projectsegfau.lt" + } +} +http://cockpit.p.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { + import tor cockpit.p + reverse_proxy https://cockpit.p.projectsegfau.lt { + header_up Host "cockpit.p.projectsegfau.lt" + } +} +## I2P +## I2P +http://pjsfg3pdzzocax6a4oznoyf5k4etzknfatqu23i43wxejwdaffoa.b32.i2p:6001 { + reverse_proxy https://projectsegfau.lt { + header_up Host "projectsegfau.lt" + } + import tor www + import i2ploc pjsfg3pdzzocax6a4oznoyf5k4etzknfatqu23i43wxejwdaffoa.b32.i2p +} +http://pjsflkkkcn33ahmzmpyq6idy2knkzh4atp7zaetqfsnenpyori6a.b32.i2p:6008 { + reverse_proxy localhost:8006 + import tor scribe + import i2ploc pjsflkkkcn33ahmzmpyq6idy2knkzh4atp7zaetqfsnenpyori6a.b32.i2p +} +http://pjsfs4ukb6prmfx3qx3a5ef2cpcupkvcrxdh72kqn2rxc2cw4nka.b32.i2p:6005 { + reverse_proxy localhost:8387 + import tor nitter + import i2ploc pjsfs4ukb6prmfx3qx3a5ef2cpcupkvcrxdh72kqn2rxc2cw4nka.b32.i2p +} +http://pjsf7uucpqf2crcmfo3nvwdmjhirxxjfyuvibdfp5x3af2ghqnaa.b32.i2p:6003 { + import tor lbry + import i2ploc pjsf7uucpqf2crcmfo3nvwdmjhirxxjfyuvibdfp5x3af2ghqnaa.b32.i2p + reverse_proxy localhost:3550 +} +http://pjsfkref7g66mji45kyccqnn5hmjtjp3cfodozabpyplj2rmv5sa.b32.i2p:6004 { + import tor libreddit + import i2ploc pjsfkref7g66mji45kyccqnn5hmjtjp3cfodozabpyplj2rmv5sa.b32.i2p + reverse_proxy localhost:6464 +} +http://pjsfk4xvekoc7wx4pteevp3q2wy7jmzlem7rvl74nx33zkdr4vyq.b32.i2p:6007 { # NW + import tor breezewiki + import i2ploc pjsfk4xvekoc7wx4pteevp3q2wy7jmzlem7rvl74nx33zkdr4vyq.b32.i2p + reverse_proxy localhost:10416 +} +http://pjsflmvtqax7ii44qy4ladap65c3kqspbs7h7krqy7x43uovklla.b32.i2p:6006 { + import tor beatbump + import i2ploc pjsflmvtqax7ii44qy4ladap65c3kqspbs7h7krqy7x43uovklla.b32.i2p + reverse_proxy localhost:3069 +} +http://pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p:6016 { + import tor invbp + import i2ploc 
pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p + reverse_proxy localhost:3000 +} +http://pjsf5ahv7ce67i5ic46ghum3scwatrsyac5i6aa5bynvnnlmpzfa.b32.i2p:6017 { + import tor rimgo + import i2ploc pjsf5ahv7ce67i5ic46ghum3scwatrsyac5i6aa5bynvnnlmpzfa.b32.i2p + reverse_proxy localhost:9016 +} +http://pjsfa3dd7rxocfqanxenpop2uqfgpw4nevrmy424u5qwyasqdu6a.b32.i2p:6018 { + import tor teddit + import i2ploc pjsfa3dd7rxocfqanxenpop2uqfgpw4nevrmy424u5qwyasqdu6a.b32.i2p + reverse_proxy localhost:9061 +} +http://pjsfhqamc7k6htnumrvn4cwqqdoggeepj7u5viyimgnxg3gar72q.b32.i2p:6002 { + import tor inv + import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p + reverse_proxy https://invidious.projectsegfau.lt { + header_up Host "invidious.projectsegfau.lt" + } +} +http://pjsfwklrellqoj275kzeu2tz4c3j5zktnqod56s7l5dc25ro3wgq.b32.i2p:6012 { + import tor search + import i2ploc pjsfwklrellqoj275kzeu2tz4c3j5zktnqod56s7l5dc25ro3wgq.b32.i2p + reverse_proxy https://search.projectsegfau.lt { + header_up Host "search.projectsegfau.lt" + } +} +http://pjsfdrtv2465bisenvzhfvdleznx4arlih2hlnrhpzugailnm7iq.b32.i2p:6013 { + import tor git + import i2ploc pjsfdrtv2465bisenvzhfvdleznx4arlih2hlnrhpzugailnm7iq.b32.i2p + reverse_proxy https://git.projectsegfau.lt { + header_up Host "git.projectsegfau.lt" + } +} +http://pjsfivs2sxudfy65kojxqophc6vqjqdr6woczy6hzaxvxvbj3bkq.b32.i2p:6015 { + import i2ploc pjsfivs2sxudfy65kojxqophc6vqjqdr6woczy6hzaxvxvbj3bkq.b32.i2p + import tor todo + reverse_proxy https://todo.projectsegfau.lt { + header_up Host "todo.projectsegfau.lt" + } +} diff --git a/privfrontends/templates/2-extras.Caddyfile b/privfrontends/templates/2-extras.Caddyfile new file mode 100644 index 0000000..d3033f5 --- /dev/null +++ b/privfrontends/templates/2-extras.Caddyfile @@ -0,0 +1,4 @@ +fb.us.projectsegfau.lt { + import def + reverse_proxy :8065 +} 
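Review bot: The `cockpit.p.projectsegfau.lt` block disables certificate verification toward `10.7.0.2:9090` with `tls_insecure_skip_verify`, so the admin console's login credentials go to whatever answers on that address rather than provably to the Cockpit host; the `*.p`, `publapi`, `grafana` and `geminiproxy` blocks reach the same 10.7.0.2 over plain HTTP, so the hop is presumably a trusted private link, but Cockpit is the one service here whose session is a root-capable login. Pinning the backend's certificate keeps the encryption meaningful: replace `tls_insecure_skip_verify` with `tls_trusted_ca_certs /etc/caddy/cockpit-ca.pem` holding the Cockpit host's self-signed certificate (or its issuer). The `http://cockpit.p.…onion` block further down proxies back out through the clearnet name, so it inherits whatever verification the clearnet block does; its dropping of HSTS/CSP via the `tor` snippet is expected for an onion origin.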
diff --git a/privfrontends/templates/3-extras.Caddyfile b/privfrontends/templates/3-extras.Caddyfile
new file mode 100644
index 0000000..3b9fea8
--- /dev/null
+++ b/privfrontends/templates/3-extras.Caddyfile
@@ -0,0 +1,35 @@
+bitpuit.in.projectsegfau.lt {
+ respond "Go fuck yourself devrand"
+}
+# PERSONAL
+https://m.in.projectsegfau.lt:8448 m.in.projectsegfau.lt {
+ reverse_proxy http://192.168.1.47:8008
+}
+files.perso.in.projectsegfau.lt files.perso.in.projectsegfau.lt:6942 {
+ file_server {
+ browse
+ }
+ root * /zfspool/files
+}
+tnfiles.perso.in.projectsegfau.lt {
+ file_server {
+ browse
+ }
+ root * /zfspool/files/tn-sw
+}
+discourse.tildevarsh.in {
+ reverse_proxy https://192.168.1.21:443 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ header_up X-Real-IP {remote_host}
+ }
+}
+jf.perso.in.projectsegfau.lt {
+ reverse_proxy 192.168.1.20:8096
+ import def
+}
+nc.perso.in.projectsegfau.lt {
+ reverse_proxy 192.168.1.20:80
+ import def
+}
diff --git a/privfrontends/templates/Caddyfile.j2 b/privfrontends/templates/Caddyfile.j2
new file mode 100644
index 0000000..0d88abf
--- /dev/null
+++ b/privfrontends/templates/Caddyfile.j2
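Review bot: `files.perso.in.projectsegfau.lt` and `tnfiles.perso.in.projectsegfau.lt` serve `/zfspool/files` with `file_server { browse }` and no access control, so everything under that tree — dotfiles and anything dropped there by accident included, since file_server only hides what `hide` lists — is enumerable by anyone who resolves the name; if public listing is the intent, say so in a comment, otherwise add `basicauth` or at least `hide .*` inside the `file_server` block. These two sites and the `m.in` and `discourse.tildevarsh.in` blocks also skip `import def`, so they get none of the HSTS and hardening headers the rest of the Caddyfile applies. `discourse.tildevarsh.in` proxies an admin-capable application to `192.168.1.21:443` with `tls_insecure_skip_verify`; trusting the backend's certificate via `tls_trusted_ca_certs` instead keeps that hop verifiable. `respond "Go fuck yourself devrand"` on `bitpuit.in.projectsegfau.lt` is a public response body; `respond 404` is the conventional way to refuse a name.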
@@ -0,0 +1,275 @@ +(tor) { + header { + -Strict-Transport-Security + -Referrer-Policy + -X-XSS-Protection + -Content-Security-Policy + # disable clients from sniffing the media type + X-Content-Type-Options nosniff + Permissions-Policy interest-cohort=() + # clickjacking protection + X-Frame-Options SAMEORIGIN + Onion-Location http://{args.0}.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion{path} + defer + } +} +(torloc) { + header Onion-Location http://{args.0}.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion{path} +} +(i2ploc) { + header X-I2P-Location http://{args.0}{path} +} +(acmedns) { + tls { + dns rfc2136 { + key_name "dynupd" + key_alg "hmac-sha256" + # declared in secrets.en: https://aryak.me/blog/01-knot + key "{{ rfc2136_key }}" + server "107.189.12.96:53" + } + } +} +(def) { + header { + # disable FLoC tracking + Permissions-Policy interest-cohort=() + + # enable HSTS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # disable clients from sniffing the media type + X-Content-Type-Options nosniff + + # clickjacking protection + X-Frame-Options SAMEORIGIN + + # keep referrer data off of HTTP connections + Referrer-Policy no-referrer-when-downgrade + + X-XSS-Protection "1; mode=block" + defer + } + {% if inventory_hostname == 'in' %} + import acmedns + {% endif %} +} +{{inventory_hostname}}.projectsegfau.lt {% if inventory_hostname == 'eu' %} pizza1.projectsegfau.lt {% endif %} { +{% if inventory_hostname == 'eu' %} + redir https://wiki.projectsegfau.lt/index.php?title=Pizza1 +{% elif inventory_hostname == 'us' %} + redir https://wiki.projectsegfau.lt/index.php?title=US_Node +{% elif inventory_hostname == 'in' %} + redir https://wiki.projectsegfau.lt/index.php?title=India_Node +{% else %} +{% endif %} +} +cdn.projectsegfau.lt cdn.{{inventory_hostname}}.projectsegfau.lt { + encode zstd gzip + root * /var/cdn + file_server { + browse + } +} +{% if inventory_hostname == 'eu' %} +inv.bp.projectsegfau.lt { 
+ reverse_proxy localhost:7573 + header { + # disable FLoC tracking + Permissions-Policy interest-cohort=() + + # enable HSTS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # disable clients from sniffing the media type + X-Content-Type-Options nosniff + + # keep referrer data off of HTTP connections + Referrer-Policy no-referrer-when-downgrade + + X-XSS-Protection "1; mode=block" + defer + } + import torloc invbp + import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p +} +proxy.lbry.projectsegfau.lt { + reverse_proxy localhost:3001 + import def +} +{% else %} +inv.{{inventory_hostname}}.projectsegfau.lt { + reverse_proxy localhost:7573 + header { + # disable FLoC tracking + Permissions-Policy interest-cohort=() + + # enable HSTS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # disable clients from sniffing the media type + X-Content-Type-Options nosniff + + # keep referrer data off of HTTP connections + Referrer-Policy no-referrer-when-downgrade + + X-XSS-Protection "1; mode=block" + defer + } + {% if inventory_hostname == 'in' %} + import acmedns + {% endif %} +} +piped.{{inventory_hostname}}.projectsegfau.lt pipedproxy.{{inventory_hostname}}.projectsegfau.lt pipedapi.{{inventory_hostname}}.projectsegfau.lt { + reverse_proxy :6970 + header { + # disable FLoC tracking + Permissions-Policy interest-cohort=() + + # enable HSTS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # disable clients from sniffing the media type + X-Content-Type-Options nosniff + + # keep referrer data off of HTTP connections + Referrer-Policy no-referrer-when-downgrade + + X-XSS-Protection "1; mode=block" + defer + } + {% if inventory_hostname == 'in' %} + import acmedns + {% endif %} +} +{% endif %} +lbry.{{inventory_hostname}}.projectsegfau.lt lbry.projectsegfau.lt { + reverse_proxy :7269 + import def + import torloc lbry + import i2ploc 
pjsf7uucpqf2crcmfo3nvwdmjhirxxjfyuvibdfp5x3af2ghqnaa.b32.i2p +} +gothub.{{inventory_hostname}}.projectsegfau.lt gothub.projectsegfau.lt { + reverse_proxy :1024 + import def + import torloc gothub +} +overflow.{{inventory_hostname}}.projectsegfau.lt overflow.projectsegfau.lt { + reverse_proxy :8694 + import def + import torloc overflow +} +teddit.{{inventory_hostname}}.projectsegfau.lt teddit.projectsegfau.lt { + reverse_proxy :9061 + import def + import torloc teddit +} +rimgo.{{inventory_hostname}}.projectsegfau.lt rimgo.projectsegfau.lt { + reverse_proxy :9016 + import def + import torloc rimgo +} + +libreddit.{{inventory_hostname}}.projectsegfau.lt libreddit.projectsegfau.lt { + reverse_proxy :6464 + import def + import torloc libreddit + import i2ploc pjsfkref7g66mji45kyccqnn5hmjtjp3cfodozabpyplj2rmv5sa.b32.i2p +} + +nitter.{{inventory_hostname}}.projectsegfau.lt nitter.projectsegfau.lt { + import def + header { + X-Permitted-Cross-Domain-Policies none + Permissions-Policy "Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(self), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(self), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()" + header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; script-src-attr 'none'; img-src 'self'; style-src 'self' 'unsafe-inline'; style-src-elem 'self'; font-src 'self'; object-src 'none'; media-src 'self' blob:; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'" + } + reverse_proxy :8387 { + transport http { + compression off + } + } + 
import torloc nitter + import i2ploc pjsfs4ukb6prmfx3qx3a5ef2cpcupkvcrxdh72kqn2rxc2cw4nka.b32.i2p +} +bb.{{inventory_hostname}}.projectsegfau.lt bb.projectsegfau.lt { + import def + import torloc beatbump + import i2ploc pjsflmvtqax7ii44qy4ladap65c3kqspbs7h7krqy7x43uovklla.b32.i2p + reverse_proxy :3069 +} + +bw.{{inventory_hostname}}.projectsegfau.lt bw.projectsegfau.lt { + import def + import torloc breezewiki + import i2ploc pjsfk4xvekoc7wx4pteevp3q2wy7jmzlem7rvl74nx33zkdr4vyq.b32.i2p + reverse_proxy :10416 +} +scribe.{{inventory_hostname}}.projectsegfau.lt scribe.projectsegfau.lt { + import def + import torloc scribe + import i2ploc pjsflkkkcn33ahmzmpyq6idy2knkzh4atp7zaetqfsnenpyori6a.b32.i2p + reverse_proxy :8006 +} +{% if inventory_hostname == 'eu' %} +{% else %} +search.{{inventory_hostname}}.projectsegfau.lt { + import def + reverse_proxy :8081 + @api { + path /config + path /healthz + path /stats/errors + path /stats/checker + } + @static { + path /static/* + } + @notstatic { + not path /static/* + } + @imageproxy { + path /image_proxy + } + @notimageproxy { + not path /image_proxy + } + header { + # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS + Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" + # Enable cross-site filter (XSS) and tell browser to block detected attacks + X-XSS-Protection "1; mode=block" + # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type + X-Content-Type-Options "nosniff" + # Disable some features + Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()" + # Disable some features (legacy) + Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 
'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
+ # Referer
+ Referrer-Policy "no-referrer"
+ # X-Robots-Tag
+ X-Robots-Tag "noindex, noarchive, nofollow"
+ # Remove Server header
+ -Server
+ }
+ header @api {
+ Access-Control-Allow-Methods "GET, OPTIONS"
+ Access-Control-Allow-Origin "*"
+ }
+ # Cache
+ header @static {
+ # Cache
+ Cache-Control "public, max-age=31536000"
+ defer
+ }
+ header @notstatic {
+ # No Cache
+ Cache-Control "no-cache, no-store"
+ Pragma "no-cache"
+ }
+ # CSP (see http://content-security-policy.com/ )
+ header @imageproxy {
+ Content-Security-Policy "default-src 'none'; img-src 'self' data:"
+ }
+ header @notimageproxy {
+ Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
+ }
+}
+{% endif %}
+include ./extras.caddy
diff --git a/requirements.yml b/requirements.yml
new file mode 100644
index 0000000..84cd352
--- /dev/null
+++ b/requirements.yml
@@ -0,0 +1,5 @@
+---
+
+- src: git+https://github.com/caddy-ansible/caddy-ansible.git
+ version: v3.2.0
+
diff --git a/secrets.enc b/secrets.enc
new file mode 100644
index 0000000..e2d1f35
--- /dev/null
+++ b/secrets.enc
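Review bot: In the `nitter.…` site block the line `header Content-Security-Policy "default-src 'none'; …"` sits inside a `header { … }` block, where each line is parsed as `<field> <value>` or `<field> <find> <replace>`, so it performs a find/replace on a response header literally named `header` and nitter never receives a CSP; drop the leading `header ` token so the line reads `Content-Security-Policy "default-src 'none'; …"`. The `Permissions-Policy` line in the same block embeds the header name in its value (`"Permissions-Policy: accelerometer=(), …"`), which browsers reject as a malformed first directive and discard; remove the `Permissions-Policy: ` prefix so the value starts at `accelerometer=()`. In the shared `(def)` snippet, `Referrer-Policy no-referrer-when-downgrade` still sends the full URL (a nitter profile, a libreddit thread) to any HTTPS link a user follows, the wrong default for privacy frontends — `strict-origin-when-cross-origin` or the `no-referrer` the searxng block already uses fits the project's purpose — and `X-XSS-Protection "1; mode=block"` is a deprecated filter that is itself an XS-leak vector, so `X-XSS-Protection 0` is the modern value. The TSIG secret in `(acmedns)` is rendered in clear into the Caddyfile on the `in` host; confirm the role writes that file owner-only, since anyone who can read `/etc/caddy` can then update the zone. Finally, the trailing `include ./extras.caddy` matches no Caddyfile directive I know of (the directive is `import`), so unless this custom build registers one, the per-server extras will not be loaded — worth checking with `caddy validate`.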
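Review bot: `version: v3.2.0` pins the caddy-ansible role to a git tag, and tags can be moved or re-pushed, so this does not actually fix what the README's `ansible-galaxy install ... --force` will fetch on the next run; pin the commit the tag currently resolves to instead, e.g. `version: "<full commit sha>"`, with the tag kept in a comment for readability. Quoting the value also protects against YAML re-typing if a numeric-looking version is used later.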
@@ -0,0 +1,22 @@ +$ANSIBLE_VAULT;1.1;AES256 +32316630323862343738306231666531626333396630366537373664396636313737356665306530 +3736386466623363383038393933343964316230636237380a343933626632663633376532663332 +31353534613239613632653362616465393264336134656365353238336537626239393333646235 +3139656638336630610a383666383336643331323930626131383865336263643632353335613432 +38343533396530303734663135326462656230333062653566663666346663313637313166663261 +65636635396465666630633335613465333763363530313930643533303763366163393364613232 +63353861386530363665633266653330363433653731663936613139356663623933373731336665 +34346336643965373566663362643766623364633233333531313165316665363132666466666333 +36666331323966353632326433326232643533636564383734626462336564663663656234643863 +33386138393934623735653437613135383936373231363966656535386530343566643265373463 +36333139333535383135333133646630343431323835346662313062373337393161323330353131 +64313230646230653664633034373462653764373033323333386638303737383461646630643835 +32303863306663326364633530613934663635316261316431633932633465646538353834663663 +36313830393264313232616638303839653637366366313132656438623432643666303362343564 +38343439373736376362663939353130643464623733633334386632333239663935346363633238 +31633366363634613365643333616439303435616338303836323932346465343035653535663437 +61616430336265323336353866306366346639366366313365353039336333613162303864646462 +36323661303164363462626664366162623631643963313232623661343766343165656335663162 +64393162643861373734316535376534373665393561303265643939323632646162663661333561 +35306639643764623862663930663339653064626331393863386538353763383838643332356339 +30336238366634313762393334653466396139383735623132366132616264386465