prelimenary stuff for pizza -> sol privacy frontends

2023-07-17 22:36:06 +05:30
parent a42a3f4834
commit 1f2d73edc9
6 changed files with 591 additions and 263 deletions
--- a/privfrontends/templates/core/apps.Caddyfile
+++ b/privfrontends/templates/core/apps.Caddyfile
@@ -0,0 +1,287 @@
+# ---Apps Caddyfile---
+
+# Akkoma
+social.projectsegfau.lt {
+	import def
+	encode gzip
+
+	# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
+	# and `localhost.` resolves to [::0] on some systems: see issue #930
+	reverse_proxy 192.168.5.2:4011
+
+	handle /media/* {
+		redir https://media.social.projectsegfau.lt{uri} permanent
+	}
+	handle /proxy/* {
+		redir https://media.social.projectsegfau.lt{uri} permanent
+	}
+}
+
+# Security mitigation
+# See https://webb.spiderden.org/2023/05/26/pleroma-mitigation/
+# And https://poa.st/notice/AWDToOiKAl4BPhdEB6
+# And https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO
+media.social.projectsegfau.lt {
+        handle /media/* {
+                reverse_proxy 192.168.5.2:4011 {
+                        transport http {
+                                response_header_timeout 10s
+                                read_timeout 15s
+                        }
+                }
+        }
+
+    handle /proxy/* {
+                reverse_proxy 192.168.5.2:4011 {
+                        transport http {
+                                response_header_timeout 10s
+                                read_timeout 15s
+                        }
+                }
+        }
+}
+
+# Cinny
+cinny.projectsegfau.lt cy.psf.lt {
+	reverse_proxy 192.168.5.2:3069
+	import def
+}
+
+# Website 
+projectsegfau.lt {
+	reverse_proxy 192.168.5.2:1337
+	import def
+	reverse_proxy /_matrix/* 192.168.5.2:8449 {
+		header_up Host "matrix.projectsegfau.lt"
+	}
+	reverse_proxy /_matrix/client/* 192.168.5.2:81 {
+		header_up Host "matrix.projectsegfau.lt"
+	}
+	reverse_proxy /_synapse/* 192.168.5.2:81 {
+		header_up Host "matrix.projectsegfau.lt"
+	}
+	reverse_proxy /.well-known/acme-challenge/* 192.168.5.5:5380
+	reverse_proxy /converse 192.168.5.5:5280
+	reverse_proxy /converseemojis.js 192.168.5.5:5280
+	reverse_proxy /converse/* 192.168.5.5:5280
+	reverse_proxy /bosh 192.168.5.5:5280
+	reverse_proxy /ws 192.168.5.5:5280
+	header /.well-known/matrix/* Content-Type application/json
+	header /.well-known/matrix/* Access-Control-Allow-Origin *
+	handle_path /.well-known/* {
+		root * /var/www/well-known
+		file_server
+	}
+	header /.well-known/host-meta Content-Type application/xrd+xml
+	header /.well-known/host-meta.json Content-Type application/json
+	header /.well-known/host-meta.json Access-Control-Allow-Origin *
+	header /.well-known/host-meta Access-Control-Allow-Origin *
+	import torloc www
+}
+psf.lt {
+	reverse_proxy 192.168.5.2:1337
+	import def
+	import torloc www
+	header /.well-known/matrix/* Content-Type application/json
+	header /.well-known/matrix/* Access-Control-Allow-Origin *
+	handle_path /.well-known/* {
+		root * /var/www/psf-well-known
+		file_server
+	}
+}
+ssync.projectsegfau.lt {
+	reverse_proxy 192.168.5.2:3333
+}
+
+www.projectsegfau.lt www.psf.lt {
+	redir https://projectsegfau.lt{uri}
+	import torloc www
+}
+
+matrix.projectsegfau.lt {
+	reverse_proxy /_matrix/* 192.168.5.2:8449 {
+		header_up Host "matrix.projectsegfau.lt"
+	}
+	reverse_proxy /_matrix/client/* 192.168.5.2:81 {
+		header_up Host "matrix.projectsegfau.lt"
+	}
+	reverse_proxy /_synapse/* 192.168.5.2:81 {
+		header_up Host "matrix.projectsegfau.lt"
+	}
+	#reverse_proxy /_synapse/client/* 192.168.5.2:81 {
+	#        header_up Host "matrix.projectsegfau.lt"
+	#}
+	handle_path / {
+		redir https://wiki.projectsegfau.lt/Matrix
+	}
+}
+
+# Directus
+cms.projectsegfau.lt {
+	reverse_proxy 192.168.5.2:9456
+	import def
+}
+
+# Element
+chat.projectsegfau.lt el.psf.lt {
+	reverse_proxy 192.168.5.2:3070
+	import def
+}
+
+# Gitea
+git.projectsegfau.lt {
+	reverse_proxy 192.168.5.5:3444
+	respond /metrics 403
+	import def
+	request_body {
+		max_size 500MB
+	}
+	header {
+		Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
+	}
+	import torloc git
+}
+git.psf.lt {
+	reverse_proxy 192.168.5.5:3444 {
+		header_up Host "git.projectsegfau.lt"
+	}
+	respond /metrics 403
+	import def
+	request_body {
+		max_size 500MB
+	}
+	header {
+		Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
+	}
+	import torloc git
+}
+# HedgeDoc
+doc.projectsegfau.lt {
+	reverse_proxy 192.168.5.2:2069 {
+		header_up X-Real-IP {remote_host}
+	}
+	import def
+}
+
+# Hydrogen
+h2.projectsegfau.lt, hydrogen.projectsegfau.lt, h2.psf.lt {
+	reverse_proxy 192.168.5.2:3071
+	import def
+}
+
+# Jitsi
+jitsi.projectsegfau.lt {
+	reverse_proxy 192.168.5.5:8000 {
+		header_up X-Real-IP {remote_host}
+	}
+}
+# Excalidraw backend for jitsi
+excalidraw.projectsegfau.lt {
+	reverse_proxy 192.168.5.5:8694
+}
+
+# Maubot
+mau.projectsegfau.lt {
+	reverse_proxy 192.168.5.2:29316
+	import def
+}
+
+# MediaWiki
+wiki.projectsegfau.lt w.psf.lt {
+	reverse_proxy 192.168.5.3:8000 {
+		header_up X-Real-IP {remote_host}
+	}
+	import def
+	encode gzip
+	import torloc wiki
+}
+
+# Vikunja
+todo.projectsegfau.lt vi.psf.lt {
+	reverse_proxy 192.168.5.2:3456
+	import def
+	import torloc todo
+}
+
+# Vaultwarden
+pass.projectsegfau.lt vw.psf.lt {
+	reverse_proxy 192.168.5.2:6980 {
+		header_up X-Real-IP {remote_host}
+	}
+	import def
+	reverse_proxy /notifications/hub 192.168.5.2:3012 {
+		header_up X-Real-IP {remote_host}
+	}
+	import torloc pass
+}
+
+# XMPP
+xmpp.projectsegfau.lt, conference.projectsegfau.lt, proxy.projectsegfau.lt, pubsub.projectsegfau.lt, upload.projectsegfau.lt {
+	reverse_proxy 192.168.5.5:5280 {
+		header_up X-Real-IP {remote_host}
+	}
+	reverse_proxy /.well-known/acme-challenge/* 192.168.5.5:5380
+	@register {
+		path /new/
+		path /change_password/
+		path /delete/
+		path /new
+		path /change_password
+		path /delete
+	}
+	redir @register /register{uri}
+	import def
+	header /.well-known/host-meta Content-Type application/xrd+xml
+	header /.well-known/host-meta.json Content-Type application/json
+	header /.well-known/host-meta.json Access-Control-Allow-Origin *
+	header /.well-known/host-meta Access-Control-Allow-Origin *
+	handle_path /.well-known/* {
+		root * /var/www/well-known
+		file_server
+	}
+	handle_path / {
+		redir https://wiki.projectsegfau.lt/XMPP
+	}
+}
+xmpp-web.projectsegfau.lt, x.psf.lt {
+	import def
+	reverse_proxy 192.168.5.2:3072
+}
+healthchecks.projectsegfau.lt, hc.psf.lt {
+	import def
+	reverse_proxy 192.168.5.2:8450
+}
+# Pubthentik
+auth.p.projectsegfau.lt {
+	reverse_proxy 192.168.5.2:7444 {
+		transport http {
+			tls_insecure_skip_verify
+		}
+		header_up X-Real-IP {remote_host}
+	}
+	import def
+}
+# kbin
+kbin.projectsegfau.lt, kb.psf.lt {
+	reverse_proxy kbin.projectsegfau.lt:443 {
+		transport http {
+			tls_insecure_skip_verify
+		}
+		header_up X-Real-IP {remote_host}
+	}
+	#reverse_proxy 192.168.5.2:8643
+	import def
+}
+gothub.dev.projectsegfau.lt gh.dev.psf.lt {
+		reverse_proxy localhost:1025
+		import def
+}
+ak.psf.lt {
+	redir https://social.projectsegfau.lt{uri}
+}
+j.psf.lt {
+	redir https://jitsi.projectsegfau.lt{uri}
+}
+d.psf.lt {
+	redir https://doc.projectsegfau.lt{uri}
+}
--- a/privfrontends/templates/core/internal.Caddyfile
+++ b/privfrontends/templates/core/internal.Caddyfile
@@ -0,0 +1,101 @@
+# ---Internal Caddyfile---
+
+# Authentik
+sekuritee.projectsegfau.lt {
+	reverse_proxy https://192.168.5.2:7443 {
+		transport http {
+			tls_insecure_skip_verify
+		}
+		header_up X-Real-IP {remote_host}
+	}
+	import def
+}
+# Grafana
+grafana.projectsegfau.lt {
+	reverse_proxy 192.168.5.2:3169
+	handle_path /api/live {
+		reverse_proxy 192.168.5.2:3169
+	}
+	import def
+}
+
+# MailU
+mail.projectsegfau.lt {
+	log {
+		output file /var/log/caddy/mail.projectsegfau.lt.log {
+			roll_disabled
+			roll_size 512M
+			roll_uncompressed
+			roll_local_time
+			roll_keep 3
+			roll_keep_for 48h
+		}
+	}
+	import def
+	reverse_proxy 192.168.5.5:8082
+}
+
+# Plausible
+analytics.projectsegfau.lt {
+	reverse_proxy 192.168.5.2:8001
+	import def
+}
+
+# Website dev
+web.dev.projectsegfau.lt {
+	reverse_proxy 192.168.5.2:1339
+	import def
+}
+
+blog.projectsegfau.lt {
+	reverse_proxy 192.168.5.2:2368 {
+		header_up X-Forwarded-Proto https
+		header_up X-Real-IP {remote_host}
+	}
+	import def
+}
+prometheus.projectsegfau.lt {
+	reverse_proxy 192.168.5.2:9090
+	basicauth /* {
+		admin $2a$14$1asDwG2gbyJ3.SungtdOyeqBlW1IiKQ//qI3ienQCTldaosx1qzSC
+	}
+	import def
+}
+
+# Midou PersoVM
+matrix.midou.dev {
+	reverse_proxy /_matrix/* 192.168.5.6:8008
+}
+
+file.midou.dev {
+	reverse_proxy 192.168.5.6:8080
+}
+
+c.midou.dev {
+	reverse_proxy 192.168.5.6:8978
+}
+
+# Headscale (tailscale control server)
+hs.projectsegfau.lt {
+        reverse_proxy /web* https://192.168.5.5:9443 {
+		transport http {
+			tls_insecure_skip_verify
+		}
+	}
+        reverse_proxy * 192.168.5.5:8089
+}
+
+# Caddy daily build (for ansible)
+cb.projectsegfau.lt {
+	root * /var/www/caddy-build
+	file_server browse
+	encode gzip
+}
+# GotHub
+docs.gothub.app {
+	redir https://gothub.app/docs{uri}
+}
+# OLD URLs
+http://mutahar.rocks, http://*.mutahar.rocks {
+        redir https://projectsegfau.lt
+}