diff --git a/all/playbook.yaml b/all/playbook.yaml
index 65800d4..93bba67 100644
--- a/all/playbook.yaml
+++ b/all/playbook.yaml
@@ -24,6 +24,15 @@
 ansible.builtin.apt_repository:
 repo: deb [signed-by=/usr/share/keyrings/knot.gpg] https://deb.knot-dns.cz/knot-latest/ bookworm main
 state: present
+ - name: Get GoAccess GPG keys
+ ansible.builtin.get_url:
+ url: https://deb.goaccess.io/gnugpg.key
+ dest: /usr/share/keyrings/goaccess.asc
+ mode: '0644'
+ - name: Enable goaccess repo
+ ansible.builtin.apt_repository:
+ repo: deb [signed-by=/usr/share/keyrings/goaccess.asc arch=amd64] https://deb.goaccess.io/ bookworm main
+ state: present
 - name: Install Required Programs / APT
 ansible.builtin.apt:
 name:
diff --git a/cron/knot-restart.yaml b/cron/knot-restart.yaml
new file mode 100644
index 0000000..ea43921
--- /dev/null
+++ b/cron/knot-restart.yaml
@@ -0,0 +1,12 @@
+---
+- name: Knot Restarts (EU/US)
+ hosts: eu,us
+ vars:
+ services:
+ - knot
+ tasks:
+ - name: Do thing
+ ansible.builtin.systemd_service:
+ state: restarted
+ name: knot
+ with_items: "{{ services }}"
diff --git a/privfrontends/blocked-ranges.yaml b/privfrontends/blocked-ranges.yaml
new file mode 100644
index 0000000..4b67981
--- /dev/null
+++ b/privfrontends/blocked-ranges.yaml
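Review bot: The GoAccess signing key is fetched with `ansible.builtin.get_url` and written straight to `/usr/share/keyrings/goaccess.asc` without a `checksum:`, so whatever deb.goaccess.io serves at apply time becomes a trusted APT signer on every host with no way to notice a swapped or rotated key. Pinning it with `checksum: sha256:<expected key digest>` (placeholder, take the digest from a key you have verified out of band) makes an unexpected change fail the play instead of being installed silently. The repo line also hard-codes `arch=amd64` and `bookworm`, as the Knot line above it does; `{{ ansible_distribution_release }}` would at least keep the suite in step with the host if these playbooks ever target another release.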
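Review bot: The restart task loops with `with_items: "{{ services }}"` but hard-codes `name: knot`, so the loop variable is never used and adding a second entry to `services` would just restart knot again; it should read `name: "{{ item }}"` (and `loop:` is the current idiom over `with_items:`). The task name `Do thing` says nothing in the play output or the cron mail; something like `- name: Restart {{ item }}` makes the log readable. The play declares no `become: true`, so it relies on the inventory or the cron invocation to supply privileges for `systemd_service` — worth confirming, since the file is new.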
@@ -0,0 +1,2 @@
+# As of now, this only includes Alibaba AS45102
+blocked_ranges: "2400:b200:4100::/48 2400:b200:4101::/48 2400:b200:4102::/48 2400:b200:4103::/48 2401:b180:4100::/48 2404:2280:1000::/36 2404:2280:1000::/37 2404:2280:1800::/37 2404:2280:2000::/36 2404:2280:2000::/37 2404:2280:2800::/37 2404:2280:4ffe::/48 2404:2280:4fff::/48 2408:4000:1000::/48 2408:4000:1001::/48 2408:4009:500::/48 240b:4000::/32 240b:4000::/33 240b:4000:8000::/33 240b:4001::/32 240b:4001::/33 240b:4001:8000::/33 240b:4002::/32 240b:4002::/33 240b:4002:8000::/33 240b:4003:e::/48 240b:4004::/32 240b:4004::/33 240b:4004:8000::/33 240b:4005::/32 240b:4005::/33 240b:4005:8000::/33 240b:4007::/32 240b:4007::/33 240b:4007:8000::/33 240b:4007:fffd::/48 240b:4009::/32 240b:4009::/33 240b:4009:8000::/33 240b:400b::/32 240b:400b::/33 240b:400b:8000::/33 240b:400c::/32 240b:400c::/33 240b:400c::/40 240b:400c::/41 240b:400c:80::/41 240b:400c:100::/40 240b:400c:100::/41 240b:400c:180::/41 240b:400c:f00::/48 240b:400c:f01::/48 240b:400c:8000::/33 240b:400d::/32 240b:400d::/33 240b:400d:8000::/33 240b:400e::/32 240b:400e::/33 240b:400e:8000::/33 240b:400f::/32 240b:400f::/33 240b:400f:8000::/33 240b:4011::/32 240b:4011::/33 240b:4011:8000::/33 240b:4011:fffc::/48 240b:4012::/48 5.181.224.0/23 8.208.0.0/16 8.208.0.0/17 8.208.0.0/18 8.208.0.0/19 8.208.32.0/19 8.208.128.0/17 8.209.0.0/19 8.209.0.0/20 8.209.16.0/20 8.209.36.0/23 8.209.36.0/24 8.209.37.0/24 8.209.38.0/23 8.209.38.0/24 8.209.39.0/24 8.209.40.0/22 8.209.40.0/23 8.209.42.0/23 8.209.44.0/22 8.209.44.0/23 8.209.46.0/23 8.209.48.0/20 8.209.48.0/21 8.209.56.0/21 8.209.64.0/18 8.209.64.0/19 8.209.96.0/19 8.209.128.0/18 8.209.128.0/19 8.209.160.0/19 8.209.192.0/18 8.209.192.0/19 8.209.224.0/19 8.210.0.0/16 8.210.0.0/17 8.210.128.0/17 8.210.240.0/24 8.211.0.0/17 8.211.0.0/18 8.211.64.0/18 8.211.128.0/18 8.211.128.0/19 8.211.160.0/19 8.211.192.0/18 8.211.192.0/19 8.211.224.0/19 8.211.226.0/24 8.212.0.0/17 8.212.0.0/18 8.212.64.0/18 
8.212.128.0/18 8.212.128.0/19 8.212.160.0/19 8.212.192.0/18 8.212.192.0/19 8.212.224.0/19 8.213.0.0/17 8.213.0.0/18 8.213.64.0/18 8.213.128.0/19 8.213.128.0/20 8.213.144.0/20 8.213.160.0/21 8.213.160.0/22 8.213.164.0/22 8.213.176.0/20 8.213.176.0/21 8.213.184.0/21 8.213.192.0/18 8.213.192.0/19 8.213.224.0/19 8.213.251.0/24 8.213.252.0/24 8.214.0.0/16 8.214.0.0/17 8.214.128.0/17 8.215.0.0/16 8.215.0.0/17 8.215.128.0/17 8.215.160.0/24 8.216.0.0/17 8.216.0.0/18 8.216.64.0/18 8.216.69.0/24 8.216.128.0/17 8.216.128.0/18 8.216.148.0/24 8.216.192.0/18 8.217.0.0/16 8.217.0.0/17 8.217.128.0/17 8.218.0.0/16 8.218.0.0/17 8.218.128.0/17 8.219.0.0/16 8.219.0.0/17 8.219.128.0/17 8.220.0.0/18 8.220.0.0/19 8.220.32.0/19 8.220.64.0/18 8.220.64.0/19 8.220.96.0/19 8.220.116.0/23 8.220.116.0/24 8.220.128.0/18 8.220.128.0/19 8.220.147.0/24 8.220.160.0/19 8.220.192.0/18 8.220.192.0/19 8.220.224.0/19 8.220.229.0/24 8.221.0.0/17 8.221.0.0/18 8.221.64.0/18 8.221.128.0/17 8.221.128.0/18 8.221.192.0/18 8.222.0.0/20 8.222.0.0/21 8.222.8.0/21 8.222.16.0/20 8.222.16.0/21 8.222.24.0/21 8.222.32.0/20 8.222.32.0/21 8.222.40.0/21 8.222.48.0/20 8.222.48.0/21 8.222.56.0/21 8.222.64.0/20 8.222.64.0/21 8.222.72.0/21 8.222.80.0/20 8.222.80.0/21 8.222.88.0/21 8.222.128.0/17 8.222.128.0/18 8.222.192.0/18 8.223.0.0/17 8.223.0.0/18 8.223.64.0/18 43.91.0.0/16 43.91.0.0/17 43.91.128.0/17 43.96.0.0/24 43.96.1.0/24 43.96.2.0/24 43.96.3.0/24 43.96.4.0/24 43.96.5.0/24 43.96.7.0/24 43.96.8.0/24 43.96.9.0/24 43.96.10.0/24 43.96.11.0/24 43.96.12.0/24 43.96.13.0/24 43.96.16.0/24 43.96.17.0/24 43.96.18.0/24 43.96.19.0/24 43.96.20.0/24 43.96.21.0/24 43.96.23.0/24 43.96.24.0/24 43.96.25.0/24 43.96.26.0/24 43.96.27.0/24 43.96.28.0/24 43.96.29.0/24 43.96.32.0/24 43.96.33.0/24 43.96.34.0/24 43.96.35.0/24 43.96.36.0/24 43.96.66.0/24 43.96.67.0/24 43.96.68.0/24 43.96.69.0/24 43.96.70.0/24 43.96.71.0/24 43.96.72.0/24 43.96.73.0/24 43.96.74.0/24 43.96.75.0/24 43.96.77.0/24 43.96.80.0/24 45.196.28.0/24 45.199.179.0/24 
47.52.0.0/16 47.52.0.0/17 47.52.128.0/17 47.56.0.0/15 47.56.0.0/16 47.57.0.0/16 47.74.0.0/18 47.74.0.0/19 47.74.0.0/21 47.74.32.0/19 47.74.64.0/18 47.74.64.0/19 47.74.96.0/19 47.74.128.0/17 47.74.128.0/18 47.74.192.0/18 47.75.0.0/16 47.75.0.0/17 47.75.128.0/17 47.76.0.0/16 47.76.0.0/17 47.76.128.0/17 47.77.0.0/22 47.77.0.0/23 47.77.2.0/23 47.77.4.0/22 47.77.4.0/23 47.77.6.0/23 47.78.0.0/16 47.78.0.0/17 47.78.128.0/17 47.79.0.0/20 47.79.0.0/21 47.79.8.0/21 47.79.16.0/20 47.79.16.0/21 47.79.24.0/21 47.79.32.0/20 47.79.32.0/21 47.79.40.0/21 47.79.48.0/20 47.79.48.0/21 47.79.52.0/23 47.79.54.0/23 47.79.56.0/21 47.79.56.0/23 47.79.58.0/23 47.79.60.0/23 47.79.62.0/23 47.79.64.0/20 47.79.64.0/21 47.79.72.0/21 47.79.96.0/19 47.79.96.0/20 47.79.104.0/21 47.79.112.0/20 47.80.0.0/18 47.80.0.0/19 47.80.32.0/19 47.80.64.0/18 47.80.64.0/19 47.80.96.0/19 47.82.0.0/18 47.82.0.0/19 47.82.32.0/19 47.82.32.0/21 47.88.0.0/17 47.88.0.0/18 47.88.41.0/24 47.88.42.0/24 47.88.43.0/24 47.88.64.0/18 47.88.128.0/17 47.88.128.0/18 47.88.135.0/24 47.88.192.0/18 47.89.0.0/18 47.89.0.0/19 47.89.32.0/19 47.89.71.0/24 47.89.72.0/22 47.89.72.0/23 47.89.74.0/23 47.89.76.0/22 47.89.76.0/23 47.89.78.0/23 47.89.80.0/23 47.89.82.0/23 47.89.84.0/24 47.89.85.0/24 47.89.88.0/22 47.89.88.0/23 47.89.90.0/23 47.89.92.0/22 47.89.92.0/23 47.89.94.0/23 47.89.96.0/24 47.89.97.0/24 47.89.98.0/23 47.89.99.0/24 47.89.100.0/24 47.89.101.0/24 47.89.102.0/24 47.89.103.0/24 47.89.104.0/21 47.89.104.0/22 47.89.108.0/22 47.89.122.0/24 47.89.123.0/24 47.89.124.0/23 47.89.124.0/24 47.89.125.0/24 47.89.128.0/18 47.89.128.0/19 47.89.160.0/19 47.89.192.0/18 47.89.192.0/19 47.89.221.0/24 47.89.224.0/19 47.90.0.0/17 47.90.0.0/18 47.90.64.0/18 47.90.128.0/17 47.90.128.0/18 47.90.192.0/18 47.91.0.0/19 47.91.0.0/20 47.91.16.0/20 47.91.32.0/19 47.91.32.0/20 47.91.48.0/20 47.91.64.0/19 47.91.64.0/20 47.91.80.0/20 47.91.96.0/19 47.91.96.0/20 47.91.112.0/20 47.91.128.0/17 47.91.128.0/18 47.91.192.0/18 47.235.0.0/19 47.235.0.0/22 
47.235.0.0/23 47.235.1.0/24 47.235.2.0/23 47.235.4.0/24 47.235.5.0/24 47.235.6.0/23 47.235.6.0/24 47.235.7.0/24 47.235.8.0/24 47.235.9.0/24 47.235.10.0/23 47.235.10.0/24 47.235.11.0/24 47.235.12.0/23 47.235.12.0/24 47.235.13.0/24 47.235.16.0/23 47.235.16.0/24 47.235.18.0/23 47.235.18.0/24 47.235.19.0/24 47.235.20.0/24 47.235.21.0/24 47.235.22.0/24 47.235.24.0/22 47.235.24.0/23 47.235.26.0/23 47.235.28.0/23 47.235.28.0/24 47.235.29.0/24 47.236.0.0/15 47.236.0.0/16 47.237.0.0/16 47.237.34.0/24 47.238.0.0/15 47.238.0.0/16 47.239.0.0/16 47.240.0.0/16 47.240.0.0/17 47.240.128.0/17 47.240.213.0/24 47.241.0.0/16 47.241.0.0/17 47.241.128.0/17 47.242.0.0/15 47.242.0.0/16 47.243.0.0/16 47.244.0.0/16 47.244.0.0/17 47.244.73.0/24 47.244.128.0/17 47.245.0.0/18 47.245.0.0/19 47.245.32.0/19 47.245.64.0/18 47.245.64.0/19 47.245.96.0/19 47.245.128.0/17 47.245.128.0/18 47.245.192.0/18 47.246.32.0/22 47.246.64.0/24 47.246.66.0/24 47.246.67.0/24 47.246.68.0/23 47.246.68.0/24 47.246.69.0/24 47.246.72.0/21 47.246.72.0/22 47.246.76.0/22 47.246.80.0/24 47.246.82.0/23 47.246.82.0/24 47.246.83.0/24 47.246.84.0/22 47.246.84.0/23 47.246.86.0/23 47.246.88.0/22 47.246.88.0/23 47.246.90.0/23 47.246.92.0/23 47.246.92.0/24 47.246.93.0/24 47.246.96.0/21 47.246.96.0/22 47.246.100.0/22 47.246.104.0/21 47.246.104.0/22 47.246.108.0/22 47.246.120.0/24 47.246.121.0/24 47.246.122.0/24 47.246.123.0/24 47.246.124.0/24 47.246.125.0/24 47.246.128.0/22 47.246.128.0/23 47.246.130.0/23 47.246.132.0/22 47.246.132.0/23 47.246.134.0/23 47.246.136.0/21 47.246.136.0/22 47.246.140.0/22 47.246.144.0/23 47.246.144.0/24 47.246.145.0/24 47.246.146.0/23 47.246.146.0/24 47.246.147.0/24 47.246.148.0/23 47.246.148.0/24 47.246.149.0/24 47.246.150.0/23 47.246.150.0/24 47.246.151.0/24 47.246.152.0/23 47.246.152.0/24 47.246.153.0/24 47.246.154.0/24 47.246.155.0/24 47.246.156.0/22 47.246.156.0/23 47.246.158.0/23 47.246.160.0/20 47.246.160.0/21 47.246.168.0/21 47.246.176.0/20 47.246.176.0/21 47.246.184.0/21 47.246.192.0/22 
47.246.192.0/23 47.246.194.0/23 47.246.196.0/22 47.246.196.0/23 47.246.198.0/23 47.250.0.0/17 47.250.0.0/18 47.250.64.0/18 47.250.99.0/24 47.250.128.0/17 47.250.128.0/18 47.250.192.0/18 47.251.0.0/16 47.251.0.0/17 47.251.128.0/17 47.252.0.0/17 47.252.0.0/18 47.252.64.0/18 47.252.67.0/24 47.252.128.0/17 47.252.128.0/18 47.252.192.0/18 47.253.0.0/16 47.253.0.0/17 47.253.128.0/17 47.254.0.0/17 47.254.0.0/18 47.254.64.0/18 47.254.113.0/24 47.254.128.0/18 47.254.128.0/19 47.254.160.0/19 47.254.192.0/18 47.254.192.0/19 47.254.224.0/19 59.82.136.0/23 103.81.186.0/23 103.183.154.0/23 110.76.21.0/24 110.76.23.0/24 116.251.64.0/18 139.95.0.0/23 139.95.2.0/23 139.95.4.0/23 139.95.6.0/23 139.95.8.0/23 139.95.10.0/23 139.95.12.0/23 139.95.14.0/23 139.95.16.0/23 139.95.18.0/23 140.205.1.0/24 140.205.122.0/24 147.139.0.0/17 147.139.0.0/18 147.139.26.0/24 147.139.64.0/18 147.139.128.0/17 147.139.128.0/18 147.139.192.0/18 149.129.0.0/16 149.129.0.0/20 149.129.0.0/21 149.129.8.0/21 149.129.16.0/23 149.129.32.0/19 149.129.64.0/18 149.129.64.0/19 149.129.96.0/19 149.129.128.0/18 149.129.128.0/19 149.129.160.0/19 149.129.192.0/18 149.129.192.0/19 149.129.224.0/19 156.227.20.0/24 156.236.12.0/24 156.236.17.0/24 156.240.76.0/23 156.245.1.0/24 161.117.0.0/16 161.117.0.0/17 161.117.126.0/24 161.117.127.0/24 161.117.128.0/17 161.117.128.0/24 161.117.129.0/24 161.117.138.0/24 161.117.143.0/24 170.33.24.0/24 170.33.29.0/24 170.33.30.0/24 170.33.31.0/24 170.33.32.0/24 170.33.33.0/24 170.33.34.0/24 170.33.35.0/24 170.33.72.0/24 170.33.73.0/24 170.33.74.0/24 170.33.75.0/24 170.33.76.0/24 170.33.77.0/24 170.33.78.0/24 170.33.79.0/24 170.33.80.0/24 170.33.81.0/24 170.33.82.0/24 170.33.83.0/24 170.33.84.0/24 170.33.85.0/24 170.33.86.0/24 170.33.104.0/24 170.33.105.0/24 170.33.106.0/24 170.33.107.0/24 185.78.106.0/23 198.11.128.0/18 198.11.137.0/24 198.11.184.0/21 202.144.199.0/24 203.107.64.0/24 203.107.65.0/24 203.107.66.0/24 203.107.67.0/24 203.107.68.0/24 205.204.96.0/19 205.204.102.0/23 
205.204.111.0/24 205.204.117.0/24 205.204.125.0/24 223.5.5.0/24 223.6.6.0/24"
diff --git a/privfrontends/configs/librarian/config.yml b/privfrontends/configs/librarian/config.yml
index 8b870f7..6f215de 100644
--- a/privfrontends/configs/librarian/config.yml
+++ b/privfrontends/configs/librarian/config.yml
@@ -23,7 +23,7 @@ ENABLE_LIVESTREAM: true
 # Set custom SponsorBlock URL (with https://github.com/mchangrh/sb-mirror or other)
 SPONSORBLOCK_URL: 'https://sponsor.ajay.app'
 # Advanced: Custom video streaming endpoint
-VIDEO_STREAMING_URL: 'https://proxy.lbry.projectsegfau.lt/stream'
+VIDEO_STREAMING_URL: ''
 # Rewrite links to other frontends. example: https://yt.domain.tld
 FRONTEND:
 youtube: 'https://invidious.projectsegfau.lt'
diff --git a/privfrontends/configs/priviblur/config.toml b/privfrontends/configs/priviblur/config.toml
new file mode 100644
index 0000000..5bb6792
--- /dev/null
+++ b/privfrontends/configs/priviblur/config.toml
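Review bot: `blocked_ranges` is one space-separated string with no record of where the list came from or when it was generated, and the header comment only names the AS, so nobody can later tell whether the list is stale or hand-edited. I'd extend the comment to something like `# Alibaba AS45102 announced prefixes, generated <date> from <source>; regenerate rather than hand-edit` (placeholders to be filled in). Many entries are already covered by a shorter prefix in the same list — `8.208.0.0/16` sits next to `8.208.0.0/17`, `/18` and `/19`, and `240b:4000::/32` next to its two `/33` halves — so an aggregation pass would shrink the matcher considerably without changing what it blocks. A YAML list joined in the template would also make future diffs of this file reviewable per entry.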
@@ -0,0 +1,68 @@
+# Controls deployment options
+[deployment]
+ host = "0.0.0.0"
+ port = 8000
+
+ # Amount of worker Priviblur instances to spawn. Increases speed significantly.
+ workers = 4
+
+ # # If you're running Priviblur behind a remote proxy, one or more of the following must be set
+ # # can also be set via env variables by captialzing and prefixing with PRIVIBLUR_
+ # #
+ # # For more information see
+ # # https://sanic.dev/en/guide/advanced/proxy-headers.html
+ # #
+ # # Default: None
+ # #
+ # forwarded_secret =
+ # real_ip_header =
+ # proxies_count =
+
+# Controls redis cache options
+# Ignore to disable the cache
+#
+[cache]
+ url = "redis://priviblur-redis:6379"
+
+ # Number of seconds to cache poll results from active polls
+ cache_active_poll_results_for = 3600
+
+ # Number of seconds to cache poll results from expired polls
+ cache_expired_poll_results_for = 86400
+
+ # Number of seconds to cache feed (explore, search, etc) results for
+ cache_feed_for = 3600
+
+ # Number of seconds to cache blog feed (blog posts, blog search, blog tagged posts, etc) results for
+ cache_blog_feed_for = 3600
+
+ # Number of seconds to cache individual posts for
+ cache_blog_post_for = 300
+
+# Controls behaviors pertaining to the way Priviblur requests Tumblr
+[priviblur_backend]
+ # # Timeout for requests to Tumblr's API
+ main_response_timeout = 10
+
+ # # Timeout for fetching image responses from Tumblr
+ image_response_timeout = 30
+
+
+# Controls logging behavior
+#
+# Use Python's numerical logging levels
+# https://docs.python.org/3/howto/logging.html#logging-levels
+# [logging]
+ # # Sanic (Server)'s logging level'
+ # sanic_logging_level = 30
+
+ # # Priviblur's logging level
+ # priviblur_logging_level = 30
+
+ # # Priviblur extractor's logging level
+ # priviblur_extractor_logging_level = 20
+
+
+# [misc]
+ # # Enable sanic's dev mode
+ # dev_mode = false
diff --git a/privfrontends/configs/shoelace/shoelace.toml b/privfrontends/configs/shoelace/shoelace.toml
new file mode 100644
index 0000000..e686a89
--- /dev/null
+++ b/privfrontends/configs/shoelace/shoelace.toml
@@ -0,0 +1,51 @@
+[server]
+# Address to listen on
+listen="0.0.0.0"
+# Port to bind
+port=8080
+# Instance URL. Needed for accurate proxied media locations in API
+base_url="https://lace.projectsegfau.lt"
+
+[server.tls]
+# Enable TLS support
+enabled=false
+# Path for certificate chain, in PEM format
+cert="cert.pem"
+# Path for key file, in PEM format
+key="key.pem"
+
+[endpoint]
+# Toggle the frontend
+frontend=true
+# Toggle the API
+api=true
+
+[proxy]
+# Proxy backend. Valid options are:
+# - none: Disable the media proxy. Not recommended if frontend is enabled
+# - internal: Stores values in memory. Destroys itself after stopping Shoelace.
+# - redis: Stores values in a Redis server. Higher performance. Requires additional software
+backend="internal"
+
+[proxy.redis]
+# URI for Redis server.
+# - TCP: redis://[][:@][:port][/]
+# - Unix socket: redis+unix:///[?db=[&pass=][&user=]]
+uri="redis://127.0.0.1/"
+
+[logging]
+# Sets log level, for both stdout and logfiles. Valid levels are:
+# - error: Shows errors presented during runtime
+# - warn: Plus Alerts
+# - info: Plus useful information, such as PID, requests, etc. (Recommended)
+# - debug: Plus verbose actions. Not being used much.
+# - trace: Plus low-level, extremely verbose info. Not used much.
+level = "info"
+# Whether to log the IP of an incoming connection
+log_ips = false
+# Whether to log what URLs are being assigned to each hash
+log_cdn = false
+# Store logs in a text file
+store = false
+# Where to store the logs in that case
+output = "shoelace.log"
diff --git a/privfrontends/playbook.yaml b/privfrontends/playbook.yaml
index 76421df..a271b66 100644
--- a/privfrontends/playbook.yaml
+++ b/privfrontends/playbook.yaml
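Review bot: Key spacing is inconsistent within the new file — `listen="0.0.0.0"`, `port=8080` and `backend="internal"` have no spaces around `=`, while the `[logging]` table uses `level = "info"` and `log_ips = false`; both parse, but one style should be used throughout, and `key = value` is the conventional one. `log_ips = false` and `log_cdn = false` are the right defaults for a privacy frontend. `base_url` is fixed to `https://lace.projectsegfau.lt` although the Caddyfile serves the instance under `lace.{{ server_prefix }}.projectsegfau.lt` and `l.psf.lt` as well; per the file's own comment this value feeds the proxied media locations in the API, so responses on the alias hosts will presumably point back at the canonical host — confirm that is intended. The `[proxy.redis]` `uri` is unused while `backend="internal"`, which is fine but deserves a one-line comment so nobody assumes a Redis at 127.0.0.1 is expected.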
@@ -16,6 +16,8 @@
 when: service.value.docker_settings
 - name: Setup Caddy
 hosts: privfrontends
+ vars_files:
+ - ./blocked-ranges.yaml
 tasks:
 - name: Copy Caddyfile
 ansible.builtin.template:
diff --git a/privfrontends/templates/Caddyfile.j2 b/privfrontends/templates/Caddyfile.j2
index 7583170..f6cda77 100644
--- a/privfrontends/templates/Caddyfile.j2
+++ b/privfrontends/templates/Caddyfile.j2
@@ -1,32 +1,4 @@
 {
-log {
- # Anonymised IPs, User-Agents, and Cookies, also removed the URI as mentionned in the privacy policy.
- # Subject to change, if we find any missing config we haven't filtered, it will be added.
- output file /var/log/caddy/caddy.log
- format filter {
- wrap json
- fields {
- request>remote_ip ip_mask {
- ipv4 24
- ipv6 64
- }
- request>headers>X-Forwarded-For ip_mask {
- ipv4 24
- ipv6 64
- }
- request>headers>client_ip ip_mask {
- ipv4 24
- ipv6 64
- }
- request>headers>Cookie cookie {
- replace session REDACTED
- delete secret
- }
- request>headers>User-Agent delete
- request>uri delete
- }
- }
-}
 order rate_limit before basicauth
 }
@@ -34,7 +6,6 @@ log {
 header {
 -Strict-Transport-Security
 -Referrer-Policy
- -X-XSS-Protection
 -Content-Security-Policy
 # disable clients from sniffing the media type
 X-Content-Type-Options nosniff
@@ -72,10 +43,43 @@ log {
 # clickjacking protection
 X-Frame-Options SAMEORIGIN
- X-XSS-Protection "1; mode=block"
 defer
 }
+ log {
+ # Anonymised IPs, User-Agents, and Cookies, also removed the URI as mentionned in the privacy policy.
+ # Subject to change, if we find any missing config we haven't filtered, it will be added.
+ output file /var/log/caddy/caddy.log
+ format filter {
+ wrap json
+ fields {
+ request>remote_ip ip_mask {
+ ipv4 16
+ ipv6 64
+ }
+ request>client_ip ip_mask {
+ ipv4 16
+ ipv6 64
+ }
+ request>headers>X-Forwarded-For ip_mask {
+ ipv4 16
+ ipv6 64
+ }
+ request>headers>Cookie cookie {
+ replace session REDACTED
+ delete secret
+ }
+ request>headers>User-Agent delete
+ request>headers>Onion-Location delete
+ request>headers>Referer delete
+ request>uri replace "/ABCDF"
+ }
+ }
+ }
+ @denied client_ip {{ blocked_ranges }}
+ respond @denied "Unfortunately, your IP is part of a range that has been involved in mass spam to our servers. If you think our action was a mistake, please email contact@projectsegfau.lt." 403
+
+ import acmedns
 }
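Review bot: The new `@denied client_ip {{ blocked_ranges }}` line in the shared snippet carries no comment saying where the ranges come from; the only link is the `vars_files` entry in playbook.yaml, so I'd put `# ranges rendered from privfrontends/blocked-ranges.yaml (currently Alibaba AS45102); answered 403 before proxying` above it. `client_ip` is the right matcher only as long as no upstream proxy sits in front of Caddy without being declared in `trusted_proxies`; the visible global block carries just `order rate_limit before basicauth`, so today `client_ip` resolves to the peer address, which is correct for directly connected clients, but a CDN or load balancer added later would make the block list match the proxy instead. The moved `log` filter now masks IPv4 to /16 where the removed global block used /24, and `request>uri` is replaced with the constant `/ABCDF` rather than deleted — both look deliberate, but the privacy-policy wording the comment cites should be checked against the new granularity. The block this hunk edits opens outside the hunk.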
@@ -143,9 +147,19 @@ inv.{{ server_prefix }}.projectsegfau.lt i.{{ server_prefix }}.psf.lt {
 uri @jpgRedirect replace /maxres.jpg /maxres2.jpg
 rewrite /vi/* ?host=i.ytimg.com
 }
- header -X-Frame-Options
 import def
- import torloc inv
+ header -X-Frame-Options
+ header -Content-Security-Policy
+ @ratelimit not path /videoplayback/* /ggpht/* /vi/* /videoplayback /videojs/* /css/* /js/* /fonts/* /apple-touch-icon.png /favicon-16x16.png /feed/webhook /feed/webhook/*
+ rate_limit @ratelimit {remote.ip} 10r/s
+ rate_limit @ratelimit {remote.ip} 100r/m
+ @ratelimit_pubsub path /feed/webhook /feed/webhook/*
+ rate_limit @ratelimit_pubsub {remote.ip} 2r/s 404
+ log {
+ # This is temporarily required to monitor nitter traffic due to scrapers being more active, so we need to monitor and rate limit them at a later date.
+ output file /var/log/caddy/ratelimiters.log
+ format json
+ }
 }
 gothub.{{ server_prefix }}.projectsegfau.lt gothub.projectsegfau.lt gh.psf.lt gh.{{ server_prefix }}.psf.lt {
 reverse_proxy :1024
@@ -222,8 +236,6 @@ search.{{ server_prefix }}.projectsegfau.lt search.projectsegfau.lt s.psf.lt s.{
 header {
 # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
 Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
- # Enable cross-site filter (XSS) and tell browser to block detected attacks
- X-XSS-Protection "1; mode=block"
 # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
 X-Content-Type-Options "nosniff"
 # Disable some features
@@ -273,3 +285,14 @@ pi.{{ server_prefix }}.psf.lt {
 header -X-Frame-Options
 import def
 }
+priviblur.{{ server_prefix }}.projectsegfau.lt priviblur.projectsegfau.lt pb.psf.lt pb.{{ server_prefix }}.psf.lt {
+ import def
+ reverse_proxy :9084
+ import torloc priviblur
+}
+
+lace.{{ server_prefix }}.projectsegfau.lt lace.projectsegfau.lt l.psf.lt l.{{ server_prefix }}.psf.lt {
+ import def
+ reverse_proxy :9029
+ import torloc lace
+}
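Review bot: The new per-site `log { output file /var/log/caddy/ratelimiters.log … format json }` has no `format filter`, so for the invidious hosts it writes unmasked `remote_ip`/`client_ip`, the full `uri`, `User-Agent`, `Referer` and `Cookie` values — exactly the fields the anonymised logger in the shared snippet strips while citing the privacy policy for doing so — into a second file. Applying the same `ip_mask` and header `delete` filter here (for example by moving the `format filter { … }` block into a named snippet and importing it in both loggers) keeps the rate-limit monitoring useful without creating an unredacted copy; the comment also says "nitter traffic" while this is the invidious site block, so it looks copy-pasted and should be corrected. The identical log block is added in `privfrontends/templates/eu/misc.Caddyfile` (hunk `@@ -25,6 +25,17 @@`) and needs the same treatment. Separately, `import torloc inv` is removed from this site block and not re-added anywhere in the diff, so these hosts lose whatever the `torloc` snippet provides; if that is unintended, restore it after the new `log` block.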
diff --git a/privfrontends/templates/eu/darknet.Caddyfile b/privfrontends/templates/eu/darknet.Caddyfile
index 0f1b738..a53e181 100644
--- a/privfrontends/templates/eu/darknet.Caddyfile
+++ b/privfrontends/templates/eu/darknet.Caddyfile
@@ -139,3 +139,9 @@ http://healthchecks.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.oni
 header_up Host "healthchecks.projectsegfau.lt"
 }
 }
+http://rss.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
+ import tor rss
+ reverse_proxy https://rss.projectsegfau.lt {
+ header_up Host "rss.projectsegfau.lt"
+ }
+}
diff --git a/privfrontends/templates/eu/misc.Caddyfile b/privfrontends/templates/eu/misc.Caddyfile
index 315a75f..80b4e90 100644
--- a/privfrontends/templates/eu/misc.Caddyfile
+++ b/privfrontends/templates/eu/misc.Caddyfile
@@ -3,7 +3,7 @@ sl.projectsegfau.lt sl.psf.lt {
 import def
 }
 inv.bp.projectsegfau.lt, i.bp.psf.lt, invidious.projectsegfau.lt, inv.projectsegfau.lt, i.psf.lt {
- reverse_proxy localhost:7573 {
+ reverse_proxy :7573 {
 header_up Host "invidious.projectsegfau.lt"
 }
 @pipedproxy {
@@ -25,6 +25,17 @@ inv.bp.projectsegfau.lt, i.bp.psf.lt, invidious.projectsegfau.lt, inv.projectseg
 }
 import def
 header -X-Frame-Options
+ header -Content-Security-Policy
+ @ratelimit not path /videoplayback/* /ggpht/* /vi/* /videoplayback /videojs/* /css/* /js/* /fonts/* /apple-touch-icon.png /favicon-16x16.png /feed/webhook /feed/webhook/*
+ rate_limit @ratelimit {remote.ip} 10r/s
+ rate_limit @ratelimit {remote.ip} 100r/m
+ @ratelimit_pubsub path /feed/webhook /feed/webhook/*
+ rate_limit @ratelimit_pubsub {remote.ip} 2r/s 404
+ log {
+ # This is temporarily required to monitor nitter traffic due to scrapers being more active, so we need to monitor and rate limit them at a later date.
+ output file /var/log/caddy/ratelimiters.log
+ format json
+ }
 import torloc invbp
 }
 piped.projectsegfau.lt proxy.piped.projectsegfau.lt api.piped.projectsegfau.lt {
@@ -40,7 +51,7 @@ pi.psf.lt {
 import def
 }
 proxy.lbry.projectsegfau.lt {
- reverse_proxy localhost:3001
+ reverse_proxy :3001
 import def
 }
 aryak.me {
@@ -67,7 +78,7 @@ www.midou.dev midou.dev {
 # header_up Host {http.reverse_proxy.upstream.hostport}
 # }
 #root * /var/www/midouwebsite
-reverse_proxy http://localhost:3000
+reverse_proxy :3000
 # Apparently sveltekit built apps needs to have strict path tries.
 #try_files {path} {path}/index.html {path}.html =404
 #file_server
diff --git a/privfrontends/templates/in/apps.Caddyfile b/privfrontends/templates/in/apps.Caddyfile
index 23f136f..eaa50ce 100644
--- a/privfrontends/templates/in/apps.Caddyfile
+++ b/privfrontends/templates/in/apps.Caddyfile
@@ -273,3 +273,9 @@ timetagger.projectsegfau.lt tt.projectsegfau.lt tt.psf.lt {
 reverse_proxy :9900
 import def
 }
+
+rss.projectsegfau.lt freshrss.projectsegfau.lt rss.psf.lt {
+ reverse_proxy :3529
+ import def
+ import torloc rss
+}
diff --git a/privfrontends/vars.yaml b/privfrontends/vars.yaml
index 0115f3c..fac5ac8 100644
--- a/privfrontends/vars.yaml
+++ b/privfrontends/vars.yaml
@@ -94,15 +94,11 @@ apps:
 docker_settings:
 services:
 - name: librarian
- image: codeberg.org/librarian/librarian:latest
+ image: quay.io/pussthecatorg/librarian
 ports:
 - "3550:3550"
 mounts:
 - "{{configs_dir}}/librarian/config.yml:/app/config.yml"
- - name: stream-proxy
- image: codeberg.org/librarian/stream-proxy-ng:latest
- ports:
- - "3001:3001"
 redlib:
 needs_data_dir: false
 needs_configs_dir: false
@@ -125,7 +121,7 @@ apps:
 docker_settings:
 services:
 - name: nitter
- image: codeberg.org/aryak/nitter-image:latest
+ image: ghcr.io/privacydevel/nitter:master
 ports:
 - "8387:8080"
 mounts:
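Review bot: `proxy.lbry.projectsegfau.lt { reverse_proxy :3001 … }` is kept (only the `localhost:` prefix is dropped), but the `stream-proxy` container that published `3001:3001` is deleted from `privfrontends/vars.yaml` in this same commit and `VIDEO_STREAMING_URL` in the librarian config, which pointed at this host, is emptied. Unless something else is expected to listen on 3001, this vhost now answers every request with a 502 while still obtaining and renewing a certificate for a dead service; either remove the site block together with the container or point it at the replacement backend.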
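Review bot: The new librarian image `quay.io/pussthecatorg/librarian` carries no tag at all (implicitly `latest`), `ghcr.io/privacydevel/nitter:master` in the next hunk tracks a branch, and `quay.io/pussthecatorg/priviblur:latest` and the untagged `nixgoat/shoelace` in `@@ -242,6 +238,38 @@` are mutable references too; with a `watchtower` service defined in this file, whatever the registry serves under those names is pulled and run without anyone looking at it. Pinning a release tag, or better an `@sha256:<digest>` reference bumped deliberately, turns an upstream or registry compromise into a visible diff instead of a silent deployment; where a moving tag is the only thing upstream offers, that choice deserves a comment next to the `image:` line.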
@@ -242,6 +238,38 @@ apps:
 REDIS_REPLICATION_MODE: master
 mounts:
 - "{{data_dir}}/teddit/redis-data:/data"
+ priviblur:
+ needs_configs_dir: true
+ needs_data_dir: true
+ docker_settings:
+ services:
+ - name: priviblur
+ image: quay.io/pussthecatorg/priviblur:latest
+ ports:
+ - "9084:8000"
+ mounts:
+ - "{{configs_dir}}/priviblur/config.toml:/priviblur/config.toml:Z,ro"
+ - name: priviblur-redis
+ image: redis:6.2.5-alpine
+ command: redis-server
+ environment:
+ REDIS_REPLICATION_MODE: master
+ mounts:
+ - "{{data_dir}}/priviblur/redis-data:/data"
+ shoelace:
+ needs_configs_dir: true
+ needs_data_dir: true
+ docker_settings:
+ services:
+ - name: shoelace
+ image: nixgoat/shoelace
+ ports:
+ - "9029:8080"
+ mounts:
+ - "{{configs_dir}}/shoelace/shoelace.toml:/data/shoelace.toml"
+ - "{{data_dir}}/shoelace:/data"
+ environment:
+ SHOELACE_CONFIG: /data/shoelace.toml
 watchtower:
 needs_configs_dir: false
 needs_data_dir: false
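Review bot: The priviblur config is mounted `:Z,ro`, but the shoelace config `{{configs_dir}}/shoelace/shoelace.toml:/data/shoelace.toml` is mounted read-write and nested inside the `{{data_dir}}/shoelace:/data` mount, so the container can rewrite its own configuration and the file depends on mount ordering to stay visible; `:ro` on the config and a destination outside `/data` (with `SHOELACE_CONFIG` updated to match) avoids both. `redis:6.2.5-alpine` pins a single old point release of the 6.2 line rather than its current patch release, so later 6.2 fixes are never picked up; if the teddit redis above uses the same image, the same remark applies there. `9084:8000` and `9029:8080` publish on every host interface unless the Docker daemon's default bind address was changed, while Caddy on the same host is the only intended client; `127.0.0.1:9084:8000` style mappings would keep the backends off the public interface — this follows the file's existing pattern, so it is a remark on the pattern rather than on these two lines alone.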