2025-12-05 13:43:51 +05:30
parent fcdd48ba6c
commit 6812205300
36 changed files with 285 additions and 1839 deletions


@@ -15,15 +15,6 @@
ansible.builtin.apt_repository:
repo: deb http://deb.debian.org/debian bookworm-backports main contrib
state: present
- name: Get Knot GPG keys
ansible.builtin.get_url:
url: https://deb.knot-dns.cz/apt.gpg
dest: /usr/share/keyrings/knot.gpg
mode: '0644'
- name: Enable knot repo
ansible.builtin.apt_repository:
repo: deb [signed-by=/usr/share/keyrings/knot.gpg] https://deb.knot-dns.cz/knot-latest/ bookworm main
state: present
- name: Get GoAccess GPG keys
ansible.builtin.get_url:
url: https://deb.goaccess.io/gnugpg.key
@@ -247,7 +238,7 @@
# very secure I know; it has to be plain text anyway for automated backups, unless there is a better way (in which case please email me@aryak.me)
borg_encryption_passcommand: "cat /etc/borgmatic/passphrase"
- name: UFW Firewall Configuration
hosts: eu,us # IN is behind router so no f/w is needed
hosts: eu # IN is behind router so no f/w is needed
tasks:
- name: Enable UFW
community.general.ufw:
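Review bot: `hosts: eu` in the UFW play names the single firewalled host explicitly, so a node added to the inventory later gets no host firewall unless someone remembers to edit this line. Consider inverting the selection so that firewalling is the default and the exception is what gets spelled out, e.g. `hosts: 'all:!in'`, keeping the existing comment about IN beside it. Before switching, confirm that every remaining host has its allow rules defined, since this play enables UFW and its rule tasks continue outside the hunk.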


@@ -1,5 +0,0 @@
{
"log-driver": "local",
"ipv6": true,
"fixed-cidr-v6": "fd00:dead:beef::/48"
}


@@ -1,11 +0,0 @@
---
- name: Caddy Builds on IN Node (Weekly Cron)
hosts: in
tasks:
- name: Do the thing
ansible.builtin.command: xcaddy build --with github.com/caddy-dns/rfc2136@master --with github.com/gi-yt/ratelimit@master --with github.com/aksdb/caddy-cgi/v2@master --output /var/www/caddy-build/api/download
register: out
changed_when: out.rc != 0
- name: Print output of thing
ansible.builtin.debug:
var: out.stderr_lines


@@ -3,13 +3,10 @@
hosts: privfrontends
vars:
services:
- breezewiki
- anonymousoverflow
- gothub
- mozhi
- redlib
- teddit
- nitter
- rimgo
tasks:
- name: Do thing
ansible.builtin.command: docker restart {{ item }}


@@ -1,12 +0,0 @@
---
- name: Knot Restarts (EU/US)
hosts: eu,us
vars:
services:
- knot
tasks:
- name: Do thing
ansible.builtin.systemd_service:
state: restarted
name: knot
with_items: "{{ services }}"


@@ -1,39 +1,10 @@
$ANSIBLE_VAULT;1.1;AES256
31386435653631313961323564653565656339636635653366386166333162643863333034376332
3166363635636437383430366435343265663762666362320a653166643832363536373832653830
37323266653330613735623530393161623265663033643738646366376530633863393331323837
3465653866336461350a653465626265383034323034653166343163616163356236323566626534
34313832303461633432346437306236646366313431626165353930623664363133353635383930
36353065346262393636386463383666373333313834323532343930393431333130373132383665
61653363633066613464333765666464316435653638656262323634653662666237366564653934
61613634303232323934633166633162323161316337356430306335376631653138333538373661
33616466366665633430386533623337646230663365613332646138366339346634646363373262
66386465373562383730646530666432343765363263623064626338636564663331656333653239
31306562643866376130663364633738646530633463316439356434306333656139633437323334
39383539663934373330623737383932353766653535313539366130623861383034626134613639
30623861623164333731373964613837333139336636393631653339616163343431643832653032
64383562636135366135316664333437336539376261366336343137653066333332333563653466
36646263363739323762323633616431643062356536653937313764633731353666333466363965
65333332663139303733626631336331326362636463613961313962343161343831393137636263
65383032333233666437376437666366636366366366316332383932646265343238363133653334
35613366653834663964393735366565313935383831343736666566346532633331666636303336
33643366353437383131346163663438653132346161333464333134313230653835623633303633
37366637613232316439383930366566643265636139326639613636663136313961613263643364
65653630633133336339633430313231336632383837636633383835343732373238323166666463
39343365333066353365626462366161346439656433646434633038303830333361633665643965
32353839326661343833323866623261353730366563353761646464376632313763353164386431
64653730613038343466613938643836396161626331383431636636363361363335383237633132
38326633643232333735366265656538343664626536343433666235636563346163336138313566
37623532306634333164636262633965383833636633306133326632386132303136613736363734
36626162303236353663396165666363336566373566303237373866633334323761373238396231
38313130303666316633626666363436613939336438383434373062383330353030646331313834
62653065396265653362656461613038396333386233366662303465376634643839643666383735
30356438366362363565666134656232313766626166306661396461396433666532393731636332
36363732306637323565323831373161656436303461313562623263373461303361663037336535
31623239346435653035313434393363353630383339613234343736373861383839376437383864
37363634343230316464393264636639373164306334393964396166376461373162663035303738
39666565346564616536316433326533626564636137333035653833623831326563633732653438
65333134356439353437376337633663313430363964373565316639343534366632623532636336
39373263646232623762623337316239333330323162666365396331366566613834393965363132
64613139613432646539353139383963313834313832356633356163303634306462633739633531
6337666233363432653063366361623830333131363564353834
38663164386336373962396634363134393738383562643035303630346466353530663731623233
6664306261353464306338333633666330306536626633640a663738336236636632366138653761
34363933616432343932636361646265616664613134363061326133616634373837356363383364
3031336437656433660a613339643666613166383035376665316530376461396565623339363736
63376132346138616564373066623832346534363232613361373936663136323730303632323339
63363633396232383835636536396664616638396263333364376362373234656662356530626631
64326634336539313436323664373462613864353766623366666364356533326134346530396436
64326332633666323236623434313631313539333464393865303432373637333030643462366665
6338


@@ -31,12 +31,9 @@ bkp_postgresql_databases:
- name: gitea
- name: healthchecks
- name: hedgedoc
- name: invin
- name: mailu
- name: piped
- name: postgres
- name: roundcube
- name: semaphore
- name: synapse
- name: vaultwarden
- name: wikijs


@@ -1,27 +1,10 @@
$ANSIBLE_VAULT;1.1;AES256
62393338626639643838383931353333666538386437386464376434386639313034643464303566
3364613933636666373834653234323935656566316632360a383834356137363464663861326661
62313063323535646566353361326333306234613733306665363436656335643361396666633038
6162633562353566310a633937373563313562363465376363393361613834343463316439643366
33373932663331326564626465396138306531633630633863383465613436376630333263336262
32353762353361633836353262663737353364653462386436663236616637333134323036323139
30336132383661653362323962626430376334376361363039353263653031656635303063386234
61393864303531333430346336346165356430613664623436306338636463363737333631376461
63613064336438346636343562313165313963613164353161623238313066623337333230303338
61656637623665343835306366643438636635663530666430323961653237626132663133656165
61656163623839363461363635333831396239613534653962653462623737633765623730396434
62363038376231626439323464643135393266333261643834643739383265333237353231336664
39323239356134653237656365323832386663346363633732376462303035333565343662363634
35613934386631613032363639373232333530323837353638313262663930306437383866313034
64316334396633653462356633633733333532373662363930343236343730333838323762393561
65346337356463396634343165636131373664346137373762326234316534633539643639313865
66643230373565386233386235316365366632626437313163393635343361663961356337363434
63303434383761303962333065306562646361353164646138623962386265313337643935616538
37363464363335373961633664353533363563313834303463383562356634343833313431336339
61386339346334626365633565353836663662363737656262636462376533323562666633373534
33333835613639656166363464623061323933326661353231343135373432636466376238323062
32313839313233376531656165356135363365323164393739323963656431666161336462393331
65396139333031646266663039626434323336616332313837613139663339353834326632303938
33613131623666643065303933383038653064393938656461633561376530633238643265653434
63303861323537383766616230346636386130636433663463366263646266373963376531353535
3662346663643162313761373637383439386436323230336538
61323839346135366165636437343033343331383434306538316363336165616266343238626432
3831343064613032356664386263646666303933386365620a353536333938326665343435653063
31343337386630383864613531383065366535616662396336306464356339643831336336323736
3835313766386335640a666364653233383766656331333264333632396630616430653435313131
38393738633766366636323738343333333061343338373063303363376338633763313838323863
62366537313231333661386635323537343734666532303531303431343366303066313361623362
64383562316630316233303662613539346563376365313334353431646132303732376635306165
31343539623935353138353863376463376139366338646139323736323861656136323761323735
6633


@@ -1,14 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
36393333323061396634373536623135376336653134303130336163316163343438613966313162
6263613432353933633535656633383865643537386132320a623837636238386135376333623630
35393233306435363332346562363239663636633863616362643931626563343037343463333365
3632373132653830610a373763316130343737613233636237626534323030303430323461353562
62333061376563343562386562313031363132326137333634316135343339626264623238343935
31656639376339353439656632393363656664346362663031343931313534393862616532353732
31663463363039386565653363653332396336306634356339616630623261643162373839356132
64323038343430346433633865356462623133353339653336386261323637373731333630666333
35643961316137356532653864613631633938303031663231343365646232636264633961373930
36326239653963353562633134666262613332393963646239306336646338363734306161646562
31366633336566393636616230326663363430333137656366336435656335343732393165363834
34393766336138373164386332643661646162346166316265346664363530336336313334636366
3132


@@ -1,35 +0,0 @@
---
ufw_allow_rules:
- port: 443
proto: tcp
- port: 443
proto: udp
- port: 80
proto: tcp
- port: 53
proto: udp
- port: 53
proto: tcp
- port: 5201
proto: tcp
bkp_source_directories:
- /home
- /etc
- /boot
- /root
- /opt
- /usr
- /var
bkp_exclude_patterns:
- /var/log
- /var/lib/docker/buildkit
- /var/lib/docker/containers
- /var/lib/docker/image
- /var/lib/docker/overlay2
- /var/lib/docker/plugins
- /var/lib/docker/runtimes
- /var/lib/docker/swarm
- /var/lib/docker/tmp
- /var/lib/docker/trust
bkp_postgresql_databases:
- name: invidious


@@ -1,29 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
30383034393632393233613963333833353330663862626166363735333635336534396661323030
3833636238656664343834363434653836623936653932340a623666323162613965643934613533
31316265313430333531346464346664626166306435383339633166613665396464323362613334
3139386335613664320a666234326462653064613331393464383634653030323162323265626635
35303965613639326438373565353665396266366131623462393139313931393232663536626239
30376535656338373133366539353431383861643239366433613139373733633563646538363061
34643539376266616164653835343433353163663234663832376262393863393962333062353136
37346638633737313333326432363836363561333037653830306562396536616238613433653435
33656464663530306564363865303266366339313531643865346638393438333138346332383465
30383736356539643132353364613239343862366436306233393931373038343136326461633138
62396362303639633565323261376331646334333366643466303037616235306630636233393861
34376165326461313364353730666331343235333661623936363730613337363532636331373566
63653634393736646536663761373233613831356364613764646632626132346164623463616433
30363436366532363366376336323032306366383932653839343733343132306263393939343936
61613133343631353737386134653035333763666639663837343236666538636239346630363533
32326637646337373138316431303935396532356637633339396636386133393763633662336138
33623934373234343831666662663138313564623439333735343231643762363130623938643564
63663436623963653536393662376164323337393664353939323430656435616330323062646463
64623663356364366565363233383039666130303438653731643831326466366139323839646363
34363431666264633536343638636165353064626362306362626337613865616436393462393132
62386165366239373635353965393733393134616135636539363332636231613866653337366635
39306165363833393233353737643231326332376538366366376564303238313361306436306434
33643366393038303130346439646537626637666164346666333164626461633934343866663633
63343964643034616664333737366532363838306666363030633338383531366165616330373163
34383732353537316331666262316435616437653531383863323932626338343834656166326333
31373232313439633434633964613038393433633939653933363563326263343238303937613735
31346561393038313633326335613435653430343265303030363435616661356335316630623439
62636663323232313634


@@ -15,19 +15,6 @@ all:
wiki_page: Pizza-1
watchtower_mtrx_username: psf-watchtower-pizza
rsyncnet_slug: pizza1
us:
ansible_host: us.vpn.projectsegfau.lt
ansible_user: ansiblerunner
ansible_port: 22
port: 22
ansible_become: true # Run everything as root
docker_dir: /opt/docker-privfrontends
country: United States
isp: Racknerd
wiki_page: US_Node
server_prefix: us
watchtower_mtrx_username: psf-watchtower-us
rsyncnet_slug: us
in:
ansible_host: in.vpn.projectsegfau.lt
ansible_user: ansiblerunner


@@ -1,55 +0,0 @@
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 3600000
timeout client 3600000
timeout server 3600000
timeout tunnel 3600000
listen ssh
bind :::22 v4v6
balance roundrobin
mode tcp
option tcp-check
tcp-check expect rstring SSH-2.0-OpenSSH.*
server pubnix 10.7.0.2:22 check inter 10s fall 2 rise 1
listen xrdp
bind :::3389 v4v6
balance roundrobin
mode tcp
option tcp-check
server pubnix 10.7.0.2:3389 check inter 10s fall 2 rise 1
listen gemini
bind :::1965 v4v6
balance roundrobin
mode tcp
option tcp-check
server pubnix 10.7.0.2:1965 check inter 10s fall 2 rise 1
listen soju
bind :::6697 v4v6
balance roundrobin
mode tcp
option tcp-check
server pubnix 10.7.0.2:6697 check inter 10s fall 2 rise 1
listen iperf3
bind :::5202 v4v6
balance roundrobin
mode tcp
option tcp-check
server pubnix 10.7.0.2:5201 check inter 10s fall 2 rise 1
listen nodexporter
bind :::9101 v4v6
balance roundrobin
mode tcp
option tcp-check
server pubnix 10.7.0.2:9100 check inter 10s fall 2 rise 1


@@ -1,16 +0,0 @@
[Interface]
Address = 10.7.0.1/24, fddd:2c4:2c4:2c4::1/64
PrivateKey = {{wireguard_private_key}}
ListenPort = 51820
PostUp = iptables -I FORWARD -s 10.7.0.0/24 -j ACCEPT; iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT; ip6tables -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT; ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -I POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to 45.145.41.226; ip6tables -t nat -I POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to 2a0d:5940:99:3::1
PostDown = iptables -D FORWARD -s 10.7.0.0/24 -j ACCEPT; iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT; ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to 45.145.41.226; ip6tables -t nat -D POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to 2a0d:5940:99:3::1
[Peer]
PublicKey = {{wireguard_pubnix_pubkey}}
AllowedIPs = 10.7.0.2/32, fddd:2c4:2c4:2c4::2/128
[Peer]
PublicKey = {{wireguard_in_gluetun_pubkey}}
AllowedIPs = 10.7.0.3/32, fddd:2c4:2c4:2c4::3/128
# Personal
[Peer]
PublicKey = 7c/IIUXnEa3cMfdSJ1CcB1nCSFhgNaHq5CrF+q4TgmE=
AllowedIPs = 10.7.0.4/32, fddd:2c4:2c4:2c4::4/128


@@ -8,11 +8,6 @@
- postfix
- postfix-pgsql
- tor
- knot
- knot-dnsutils
- knot-module-geoip
- haproxy
- wireguard
- name: Setup postfix configs
ansible.builtin.copy:
src: ./configs/postfix
@@ -34,23 +29,3 @@
name: tor
enabled: true
state: restarted
- name: Setup haproxy configs
ansible.builtin.copy:
src: ./configs/haproxy/haproxy.cfg
dest: /etc/haproxy/haproxy.cfg
mode: preserve
- name: Restart+Enable haproxy
ansible.builtin.service:
name: haproxy
enabled: true
state: restarted
- name: Setup wireguard configs
ansible.builtin.template:
src: ./configs/wireguard/wg0.conf
dest: /etc/wireguard/wg0.conf
mode: preserve
- name: Enable wireguard
ansible.builtin.service:
name: wg-quick@wg0
enabled: true
state: restarted


@@ -1,5 +0,0 @@
canonical_origin = https://bw.projectsegfau.lt
debug = false
port = 10416
strict_proxy = false
feature_search_suggestions = true


@@ -1,4 +0,0 @@
[Definition]
failregex = ^.*"remote_ip":"<HOST>",.*?"status":(?:429|403),.*$
ignoreregex =
datepattern = LongEpoch


@@ -1,271 +0,0 @@
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 1h
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
[INCLUDES]
#before = paths-distro.conf
before = paths-debian.conf
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
bantime.increment = true
# "bantime.rndtime" is the max number of seconds using for mixing with random time
# to prevent "clever" botnets calculate exact time IP can be unbanned again:
#bantime.rndtime =
# "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
#bantime.maxtime =
# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
# default value of factor is 1 and with default value of formula, the ban time
# grows by 1, 2, 4, 8, 16 ...
#bantime.factor = 1
# "bantime.formula" used by default to calculate next value of ban time, default value below,
# the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
#bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
#
# more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
#bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
# "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding
# previously ban count and given "bantime.factor" (for multipliers default is 1);
# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count,
# always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
#bantime.multipliers = 1 2 4 8 16 32 64
# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
#bantime.multipliers = 1 5 30 60 300 720 1440 2880
# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
# cross over all jails, if false (default), only current jail of the ban IP will be searched
#bantime.overalljails = false
# --------------------
# "ignoreself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
#ignoreself = true
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
#ignoreip = 127.0.0.1/8 ::1
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned.
bantime = 10m
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
# "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
maxmatches = %(maxretry)s
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
# for which logs are present only in its own log files, specify some other
# backend for that jail (e.g. polling) and provide empty value for
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)
usedns = warn
# "logencoding" specifies the encoding of the log files handled by the jail
# This is used to decode the lines from the log file.
# Typical examples: "ascii", "utf-8"
#
# auto: will use the system locale setting
logencoding = auto
# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false
# "mode" defines the mode of the filter (see corresponding filter implementation for more info).
mode = normal
# "filter" defines the filter to use by the jail.
# By default jails have names matching their filter name
#
filter = %(__name__)s[mode=%(mode)s]
#
# ACTIONS
#
# Some options used for actions
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost
# Sender email address used solely for some actions
sender = root@<fq-hostname>
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
chain = <known/chain>
# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535
# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
#
# Action shortcuts. To be used to define action parameter
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports
# The simplest action to take: ban only
action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(action_)s
%(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(action_)s
%(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(action_)s
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
# ban & send a notification to one or more of the 50+ services supported by Apprise.
# See https://github.com/caronc/apprise/wiki for details on what is supported.
#
# You may optionally over-ride the default configuration line (containing the Apprise URLs)
# by using 'apprise[config="/alternate/path/to/apprise.cfg"]' otherwise
# /etc/fail2ban/apprise.conf is sourced for your supported notification configuration.
# action = %(action_)s
# apprise
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
# Report block via blocklist.de fail2ban reporting service API
#
# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in
# corresponding jail.d/my-jail.local file).
#
action_blocklist_de = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
# Report ban via abuseipdb.com.
#
# See action.d/abuseipdb.conf for usage example and details.
#
action_abuseipdb = abuseipdb
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
[caddy-status]
enabled = true
port = http,https
filter = caddy-status
logpath = /var/log/caddy/ratelimiters.log


@@ -1,2 +0,0 @@
#!/bin/sh
find /usr/share/nginx/html -type f -exec sed -i s/pipedapi.kavin.rocks/{% if server_prefix == 'eu' %}api.piped.projectsegfau.lt{%else%}pipedapi.{{server_prefix}}.projectsegfau.lt{%endif%}/g {} \; -exec sed -i s/hyperpipeapi.onrender.com/hyperpipebackend.{{ server_prefix }}.projectsegfau.lt/g {} \; && /docker-entrypoint.sh && nginx -g "daemon off;"


@@ -1,70 +0,0 @@
DOMAIN: 'https://lbry.projectsegfau.lt'
PORT: '3550'
FIBER_PREFORK: false
# Optional: Set address to bind to, example: 127.0.0.1
ADDRESS: ''
# Running a custom API server is not recommended and is not suitable for a public instance
API_URL: 'https://api.na-backend.odysee.com/api/v1/proxy'
# Block access to claims in case of DMCA
BLOCKED_CLAIMS:
- claimId
# AUTH_TOKEN and HMAC_KEY is automatically generated
AUTH_TOKEN: '{{librarian_auth_token}}'
HMAC_KEY: '{{librarian_hmac_key}}'
# Create IMAGE_CACHE_DIR before enabling image caching
IMAGE_CACHE: false
IMAGE_CACHE_DIR: '/var/cache/librarian'
IMAGE_CACHE_CLEANUP_INTERVAL: 24h
# The next 2 options will proxy video data through the instance.
# This will cause increased bandwidth usage.
# ENABLE_STREAM_PROXY proxies videos and ENABLE_LIVESTREAM enables livestreams.
ENABLE_STREAM_PROXY: true
ENABLE_LIVESTREAM: true
# Set custom SponsorBlock URL (with https://github.com/mchangrh/sb-mirror or other)
SPONSORBLOCK_URL: 'https://sponsor.ajay.app'
# Advanced: Custom video streaming endpoint
VIDEO_STREAMING_URL: ''
# Rewrite links to other frontends. example: https://yt.domain.tld
FRONTEND:
youtube: 'https://invidious.projectsegfau.lt'
twitter: 'https://nitter.projectsegfau.lt'
imgur: 'https://rimgo.projectsegfau.lt'
instagram: ''
tiktok: ''
reddit: 'https://libreddit.projectsegfau.lt'
# Default instance settings
DEFAULT_SETTINGS:
theme: 'dark' # system, light, dark
relatedVideos: true
nsfw: false
autoplay: false
speed: '1' # 0.25, 0.5, 0.75, 1, 1.25, 1.5, 1.75, 2, 4
quality: '0' # 0 - Auto, 144 - 144p, 360 - 360p, 720 - 720p, 1080 - 1080p
sponsorblock:
sponsor: true
selfpromo: true
interaction: true
intro: false
outro: false
preview: false
filler_tangent: false
# Instance privacy: This is required to get your instance listed. For more info,
# See: https://codeberg.org/librarian/librarian/wiki/Instance-privacy
INSTANCE_PRIVACY:
# This is the default if you are using NGINX and have not disabled data collection.
# Read https://codeberg.org/librarian/librarian/wiki/Instance-privacy
DATA_NOT_COLLECTED: true
DATA_COLLECTED_IP: true
DATA_COLLECTED_URL: true
DATA_COLLECTED_DEVICE: true
DATA_COLLECTED_DIAGNOSTIC_ONLY: false
INSTANCE_COUNTRY: "{{country}}"
INSTANCE_PROVIDER: "{{isp}}"
# Cloudflare use is discouraged. You can set this to false if it is not proxied (gray cloud icon)
INSTANCE_CLOUDFLARE: false
# Optional: Explain your usage of data (if collected) and how it is stored.
MESSAGE: ""
# Link to your privacy policy, leave blank if you don't have one.
PRIVACY_POLICY: "https://projectsegfau.lt/legal/privacy-policy"


@@ -36,9 +36,9 @@ tokenCount = 10
# Change default preferences here, see src/prefs_impl.nim for a complete list
[Preferences]
theme = "Nitter"
replaceTwitter = "nitter.projectsegfau.lt"
replaceYouTube = "invidious.projectsegfau.lt"
replaceReddit = "libreddit.projectsegfau.lt"
replaceTwitter = ""
replaceYouTube = ""
replaceReddit = ""
replaceInstagram = ""
proxyVideos = false
hlsPlayback = true


@@ -1,68 +0,0 @@
# Controls deployment options
[deployment]
host = "0.0.0.0"
port = 8000
# Amount of worker Priviblur instances to spawn. Increases speed significantly.
workers = 4
# # If you're running Priviblur behind a remote proxy, one or more of the following must be set
# # can also be set via env variables by captialzing and prefixing with PRIVIBLUR_
# #
# # For more information see
# # https://sanic.dev/en/guide/advanced/proxy-headers.html
# #
# # Default: None
# #
# forwarded_secret =
# real_ip_header =
# proxies_count =
# Controls redis cache options
# Ignore to disable the cache
#
[cache]
url = "redis://priviblur-redis:6379"
# Number of seconds to cache poll results from active polls
cache_active_poll_results_for = 3600
# Number of seconds to cache poll results from expired polls
cache_expired_poll_results_for = 86400
# Number of seconds to cache feed (explore, search, etc) results for
cache_feed_for = 3600
# Number of seconds to cache blog feed (blog posts, blog search, blog tagged posts, etc) results for
cache_blog_feed_for = 3600
# Number of seconds to cache individual posts for
cache_blog_post_for = 300
# Controls behaviors pertaining to the way Priviblur requests Tumblr
[priviblur_backend]
# # Timeout for requests to Tumblr's API
main_response_timeout = 10
# # Timeout for fetching image responses from Tumblr
image_response_timeout = 30
# Controls logging behavior
#
# Use Python's numerical logging levels
# https://docs.python.org/3/howto/logging.html#logging-levels
# [logging]
# # Sanic (Server)'s logging level'
# sanic_logging_level = 30
# # Priviblur's logging level
# priviblur_logging_level = 30
# # Priviblur extractor's logging level
# priviblur_extractor_logging_level = 20
# [misc]
# # Enable sanic's dev mode
# dev_mode = false


@@ -1,180 +0,0 @@
challenges:
dnsbl:
runtime: dnsbl
parameters:
dnsbl-host: "dnsbl.dronebl.org"
dnsbl-decay: 1h
dnsbl-timeout: 1s
conditions:
is-static-asset:
- 'path == "/apple-touch-icon.png"'
- 'path == "/apple-touch-icon-precomposed.png"'
- 'path.matches("\\.(manifest|ttf|woff|woff2|jpg|jpeg|gif|png|webp|avif|svg|mp4|webm|css|js|mjs|wasm)$")'
is-suspicious-crawler:
- 'userAgent.contains("Presto/") || userAgent.contains("Trident/")'
# Old IE browsers
- 'userAgent.matches("MSIE ([2-9]|10|11)\\.")'
# Old Linux browsers
- 'userAgent.matches("Linux i[63]86") || userAgent.matches("FreeBSD i[63]86")'
# Old Windows browsers
- 'userAgent.matches("Windows (3|95|98|CE)") || userAgent.matches("Windows NT [1-5]\\.")'
# Old mobile browsers
- 'userAgent.matches("Android [1-5]\\.") || userAgent.matches("(iPad|iPhone) OS [1-9]_")'
# Old generic browsers
- 'userAgent.startsWith("Opera/")'
#- 'userAgent.matches("Gecko/(201[0-9]|200[0-9])")'
- 'userAgent.matches("^Mozilla/[1-4]")'
# Rules are checked sequentially in order, from top to bottom
rules:
- name: allow-well-known-resources
conditions:
- '($is-well-known-asset)'
action: pass
- name: allow-static-resources
conditions:
- '($is-static-asset)'
action: pass
- name: allow-hls-js
conditions:
- 'path == "/hls.min.js"'
- 'path.startsWith("/hls/")'
action: pass
- name: allow-private-networks
conditions:
# Allows localhost and private networks CIDR
- *is-network-localhost
- *is-network-private
action: pass
- name: undesired-crawlers
conditions:
- '($is-headless-chromium)'
- 'userAgent.startsWith("Lightpanda/")'
- 'userAgent.startsWith("masscan/")'
# Typo'd opera botnet
- 'userAgent.matches("^Opera/[0-9.]+\\.\\(")'
# AI bullshit stuff, they do not respect robots.txt even while they read it
# TikTok Bytedance AI training
- 'userAgent.contains("Bytedance") || userAgent.contains("Bytespider") || userAgent.contains("TikTokSpider")'
# Meta AI training; The Meta-ExternalAgent crawler crawls the web for use cases such as training AI models or improving products by indexing content directly.
- 'userAgent.contains("meta-externalagent/") || userAgent.contains("meta-externalfetcher/") || userAgent.contains("FacebookBot")'
# Who the fuck is this ?
- 'userAgent.contains("SemrushBot") || userAgent.contains("Barklower")'
# Anthropic AI training and usage
- 'userAgent.contains("ClaudeBot") || userAgent.contains("Claude-User")|| userAgent.contains("Claude-SearchBot")'
# Common Crawl AI crawlers
- 'userAgent.contains("CCBot")'
# ChatGPT AI crawlers https://platform.openai.com/docs/bots
- 'userAgent.contains("GPTBot") || userAgent.contains("OAI-SearchBot") || userAgent.contains("ChatGPT-User")'
# Other AI crawlers
- 'userAgent.contains("Amazonbot") || userAgent.contains("Google-Extended") || userAgent.contains("PanguBot") || userAgent.contains("AI2Bot") || userAgent.contains("Diffbot") || userAgent.contains("cohere-training-data-crawler") || userAgent.contains("Applebot-Extended")'
# SEO / Ads and marketing
- 'userAgent.contains("BLEXBot")'
# Yandex isn't catched, and doesn't seem to care about robots.txt
- 'userAgent.contains("YandexBot/3.0; +http://yandex.com/bots)"'
# At this point I'd rather not have any search browser crawl the frontend.
- *is-bot-googlebot
- *is-bot-bingbot
- *is-bot-duckduckbot
- *is-bot-kagibot
- *is-bot-qwantbot
- *is-bot-yandexbot
action: drop
- name: unknown-crawlers
conditions:
# No user agent set
- 'userAgent == ""'
action: deny
# check a sequence of challenges
- name: suspicious-crawlers
conditions: ['($is-suspicious-crawler)']
action: none
children:
- name: 0
action: check
settings:
challenges: [js-refresh, js-pow-sha256]
- name: 1
action: check
settings:
challenges: [preload-link, resource-load]
- name: 2
action: check
settings:
challenges: [header-refresh]
# check DNSBL and serve harder challenges
# todo: make this specific to score
- name: undesired-dnsbl
action: check
settings:
challenges: [dnsbl]
# if DNSBL fails, check additional challenges
fail: check
fail-settings:
challenges: [js-refresh, js-pow-sha256]
- name: suspicious-fetchers
action: check
settings:
challenges: [js-refresh, js-pow-sha256]
conditions:
- 'userAgent.contains("facebookexternalhit/") || userAgent.contains("facebookcatalog/")'
# Allow PUT/DELETE/PATCH/POST requests in general
- name: non-get-request
action: pass
conditions:
- '!(method == "HEAD" || method == "GET")'
# Enable fetching OpenGraph and other tags from backend on these paths
- name: enable-meta-tags
action: context
settings:
context-set:
# Map OpenGraph or similar <meta> tags back to the reply, even if denied/challenged
proxy-meta-tags: "true"
response-headers:
# Solves the varnish bug even if we pulled it through a different way.
reddit-stats:
- io=1
via:
- 1.1 varnish
# Set additional response headers
#response-headers:
# X-Clacks-Overhead:
# - GNU Terry Pratchett
- name: plaintext-browser
action: challenge
settings:
challenges: [meta-refresh, cookie]
conditions:
- 'userAgent.startsWith("Lynx/")'
# Uncomment this rule out to challenge tool-like user agents
- name: standard-tools
action: challenge
settings:
challenges: [cookie]
conditions:
- '($is-generic-robot-ua)'
- '($is-tool-ua)'
- '!($is-generic-browser)'
- name: standard-browser
action: challenge
settings:
challenges: [preload-link, meta-refresh, resource-load, js-refresh, js-pow-sha256]
conditions:


@@ -1,190 +0,0 @@
use_default_settings: true
general:
debug: false
instance_name: "SearXNG | Project Segfault"
privacypolicy_url: https://projectsegfau.lt/legal/privacy-policy
donation_url: https://projectsegfau.lt/donate
contact_url: https://projectsegfau.lt/contact
enable_metrics: true
server:
# base_url is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml
secret_key: "{{searxng_secret_key}}" # change this!
limiter: false # can be disabled for a private instance
image_proxy: true
method: "GET"
public_instance: true
ui:
static_use_hash: false
query_in_title: true
infinite_scroll: true
default_theme: simple
center_alignment: true
default_locale: "en"
results_on_new_tab: true
theme_args:
simple_style: auto
redis:
url: redis://searxng-redis:6379/0
search:
# Filter results. 0: None, 1: Moderate, 2: Strict
safe_search: 1
# Default search language - leave blank to detect from browser information or
# Existing autocomplete backends: "dbpedia", "duckduckgo", "google", "yandex", "mwmbl",
# "seznam", "startpage", "stract", "swisscows", "qwant", "wikipedia" - leave blank to turn it off
# by default.
autocomplete: ""
# minimun characters to type before autocompleter starts
autocomplete_min: 4
# use codes from 'languages.py'
default_lang: "en"
# ban time in seconds after engine errors
ban_time_on_fail: 5
# max ban time in seconds after engine errors
max_ban_time_on_fail: 120
suspended_times:
# Engine suspension time after error (in seconds; set to 0 to disable)
# For error "Access denied" and "HTTP error [402, 403]"
SearxEngineAccessDenied: 86400
# For error "CAPTCHA"
SearxEngineCaptcha: 86400
# For error "Too many request" and "HTTP error 429"
SearxEngineTooManyRequests: 3600
# Cloudflare CAPTCHA
cf_SearxEngineCaptcha: 1296000
cf_SearxEngineAccessDenied: 86400
# ReCAPTCHA
recaptcha_SearxEngineCaptcha: 604800
formats:
- html
- csv
- json
- rss
outgoing:
enable_http2: true
enabled_plugins:
- 'Hash plugin'
- 'Self Information'
- 'Tracker URL remover'
- 'Open Access DOI rewrite'
- 'Vim-like hotkeys'
- 'Tor check plugin'
- 'Search on category select'
engines:
- name: google
disabled: false
- name: bing
engine: bing
shortcut: bi
disabled: false
- name: crowdview
engine: json_engine
shortcut: cv
categories: general
paging: false
search_url: https://crowdview-next-js.onrender.com/api/search-v3?query={query}
results_query: results
url_query: link
title_query: title
content_query: snippet
disabled: false
about:
website: https://crowdview.ai/
- name: duckduckgo
engine: duckduckgo
shortcut: ddg
disabled: true # DDG is useless since it just scrapes bing for results anyway
- name: wikiquote
engine: mediawiki
shortcut: wq
categories: general
base_url: "https://{language}.wikiquote.org/"
number_of_results: 5
search_type: text
about:
website: https://www.wikiquote.org/
wikidata_id: Q369
disabled: false
- name: brave
engine: brave
shortcut: br
time_range_support: true
paging: true
categories: [general, web]
brave_category: search
# brave_spellcheck: true
- name: brave.images
engine: brave
network: brave
shortcut: brimg
categories: [images, web]
brave_category: images
- name: brave.videos
engine: brave
network: brave
shortcut: brvid
categories: [videos, web]
brave_category: videos
- name: brave.news
engine: brave
network: brave
shortcut: brnews
categories: news
brave_category: news
- name: codeberg
engine: json_engine
search_url: https://codeberg.org/api/v1/repos/search?q={query}&limit=10
url_query: html_url
title_query: name
content_query: description
categories: [it, repos]
shortcut: cb
about:
website: https://codeberg.org/
wikidata_id:
official_api_documentation: https://try.gitea.io/api/swagger
use_official_api: false
require_api_key: false
results: JSON
disabled: false
- name: gitlab
engine: json_engine
paging: true
search_url: https://gitlab.com/api/v4/projects?search={query}&page={pageno}
url_query: web_url
title_query: name_with_namespace
content_query: description
page_size: 20
categories: [it, repos]
shortcut: gl
timeout: 10.0
about:
website: https://about.gitlab.com/
wikidata_id: Q16639197
official_api_documentation: https://docs.gitlab.com/ee/api/
use_official_api: false
require_api_key: false
results: JSON
disabled: false
- name: sourcehut
shortcut: srht
engine: xpath
paging: true
search_url: https://sr.ht/projects?page={pageno}&search={query}
results_xpath: (//div[@class="event-list"])[1]/div[@class="event"]
url_xpath: ./h4/a[2]/@href
title_xpath: ./h4/a[2]
content_xpath: ./p
first_page_num: 1
categories: [it, repos]
disabled: false
about:
website: https://sr.ht
wikidata_id: Q78514485
official_api_documentation: https://man.sr.ht/
use_official_api: false
require_api_key: false
results: HTML


@@ -1,51 +0,0 @@
[server]
# Address to listen on
listen="0.0.0.0"
# Port to bind
port=8080
# Instance URL. Needed for accurate proxied media locations in API
base_url="https://lace.projectsegfau.lt"
[server.tls]
# Enable TLS support
enabled=false
# Path for certificate chain, in PEM format
cert="cert.pem"
# Path for key file, in PEM format
key="key.pem"
[endpoint]
# Toggle the frontend
frontend=true
# Toggle the API
api=true
[proxy]
# Proxy backend. Valid options are:
# - none: Disable the media proxy. Not recommended if frontend is enabled
# - internal: Stores values in memory. Destroys itself after stopping Shoelace.
# - redis: Stores values in a Redis server. Higher performance. Requires additional software
backend="internal"
[proxy.redis]
# URI for Redis server.
# - TCP: redis://[<username>][:<password>@]<hostname>[:port][/<db>]
# - Unix socket: redis+unix:///<path>[?db=<db>[&pass=<password>][&user=<username>]]
uri="redis://127.0.0.1/"
[logging]
# Sets log level, for both stdout and logfiles. Valid levels are:
# - error: Shows errors presented during runtime
# - warn: Plus Alerts
# - info: Plus useful information, such as PID, requests, etc. (Recommended)
# - debug: Plus verbose actions. Not being used much.
# - trace: Plus low-level, extremely verbose info. Not used much.
level = "info"
# Whether to log the IP of an incoming connection
log_ips = false
# Whether to log what URLs are being assigned to each hash
log_cdn = false
# Store logs in a text file
store = false
# Where to store the logs in that case
output = "shoelace.log"


@@ -54,22 +54,3 @@
group: caddy
mode: 0777
tags: caddy-non-update
- name: Fail2Ban
hosts: privfrontends
tasks:
- name: Copy jail.local config to fail2ban
ansible.builtin.copy:
src: "./configs/fail2ban/jail.local"
dest: "/etc/fail2ban/jail.local"
mode: "0644"
tags: fail2ban
- name: Copy caddy-status filter to fail2ban
ansible.builtin.copy:
src: "./configs/fail2ban/caddy-status.conf"
dest: "/etc/fail2ban/filter.d/caddy-status.conf"
mode: "0644"
tags: fail2ban
- name: Restart fail2ban
ansible.builtin.service:
name: fail2ban
state: restarted


@@ -23,11 +23,8 @@
}
(acmedns) {
tls {
dns rfc2136 {
key_name "dynupd"
key_alg "hmac-sha256"
key "{{ rfc2136_key }}"
server "45.145.41.226:53"
dns desec {
token "{{ rfc2136_key }}"
}
}
}
@@ -85,239 +82,86 @@
import ./*.Caddyfile
{{ inventory_hostname }}.projectsegfau.lt {% if inventory_hostname == 'eu' %} pizza1.projectsegfau.lt {% endif %} {
redir https://wiki.projectsegfau.lt/index.php?title={{ wiki_page }}
}
cdn.projectsegfau.lt cdn.{{ server_prefix }}.projectsegfau.lt {
encode zstd gzip
root * /var/cdn
file_server {
browse
}
import def
}
lbry.{{ server_prefix }}.projectsegfau.lt lbry.projectsegfau.lt {
reverse_proxy :3550
import def
import torloc lbry
}
# We need this inventory_hostname block since nitter is only going to be on EU from now on
{% if inventory_hostname == 'eu' %}
nitter.projectsegfau.lt n.psf.lt {
reverse_proxy :8387
import def
route {
reverse_proxy /outpost.goauthentik.io/* https://in.v.psf.lt:7444 {
header_up Host {http.reverse_proxy.upstream.hostport}
transport http {
tls_insecure_skip_verify
}
}
# Forward authentication requests to Authentik's outpost
forward_auth https://in.v.psf.lt:7444 {
transport http {
tls_insecure_skip_verify
}
uri /outpost.goauthentik.io/auth/caddy
# Ensure these headers are passed, using correct capitalization
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name
trusted_proxies private_ranges
}
}
}
nitter.eu.projectsegfau.lt nitter.us.projectsegfau.lt nitter.in.projectsegfau.lt {
redir https://nitter.projectsegfau.lt{uri}
:8093 {
cgi /vnstat /var/lib/caddy/www/vnstat-metrics.cgi
}
n.eu.psf.lt n.us.psf.lt n.in.psf.lt {
redir https://n.psf.lt{uri}
}
{% endif %}
libreddit.{{ server_prefix }}.projectsegfau.lt libreddit.projectsegfau.lt lr.psf.lt lr.{{ server_prefix }}.psf.lt {
reverse_proxy :6464
route {
reverse_proxy /preview/* :6465
}
import def
log {
# This is temporarily required to monitor nitter traffic due to scrapers being more active, so we need to monitor and rate limit them at a later date.
output file /var/log/caddy/ratelimiters.log
format json
}
import torloc libreddit
}
teddit.{{ server_prefix }}.projectsegfau.lt teddit.projectsegfau.lt t.psf.lt t.{{ server_prefix }}.psf.lt {
redir https://libreddit.projectsegfau.lt{uri}
respond "Service has been shutdown"
import def
import torloc teddit
}
inv.{{ server_prefix }}.projectsegfau.lt i.{{ server_prefix }}.psf.lt {
reverse_proxy :7573 {
header_up Host "inv.{{ server_prefix }}.projectsegfau.lt"
}
@pipedproxy {
path /videoplayback
path /videoplayback/*
path /vi/*
path /ggpht/*
}
handle @pipedproxy {
reverse_proxy :6970 {
header_up Host "pipedproxy.{{ server_prefix }}.projectsegfau.lt"
}
@jpgRedirect path_regexp maxres2 /vi/(.+)/maxres.jpg
@thumbnailRedirect path /ggpht/*
uri @thumbnailRedirect strip_prefix /ggpht
rewrite @thumbnailRedirect ?host=yt3.ggpht.com
uri @jpgRedirect replace /maxres.jpg /maxres2.jpg
rewrite /vi/* ?host=i.ytimg.com
}
respond "Service has been shutdown"
import def
header -X-Frame-Options
header -Content-Security-Policy
log {
# This is temporarily required to monitor nitter traffic due to scrapers being more active, so we need to monitor and rate limit them at a later date.
output file /var/log/caddy/ratelimiters.log
format json
}
}
gothub.{{ server_prefix }}.projectsegfau.lt gothub.projectsegfau.lt gh.psf.lt gh.{{ server_prefix }}.psf.lt {
reverse_proxy :1024
import def
import torloc gothub
import torloc inv
}
overflow.{{ server_prefix }}.projectsegfau.lt overflow.projectsegfau.lt o.psf.lt o.{{ server_prefix }}.psf.lt {
reverse_proxy :8694
respond "Service has been shutdown"
import def
import torloc overflow
}
rimgo.{{ server_prefix }}.projectsegfau.lt rimgo.projectsegfau.lt rg.psf.lt rg.{{ server_prefix }}.psf.lt {
reverse_proxy :9016
respond "Service has been shutdown"
import def
import torloc rimgo
}
bw.{{ server_prefix }}.projectsegfau.lt bw.projectsegfau.lt bw.psf.lt bw.{{ server_prefix }}.psf.lt {
import def
import torloc breezewiki
reverse_proxy :10416
respond "Service has been shutdown"
}
scribe.{{ server_prefix }}.projectsegfau.lt scribe.projectsegfau.lt sc.psf.lt sc.{{ server_prefix }}.psf.lt {
import def
import torloc scribe
reverse_proxy :8006
}
translate.{{ server_prefix }}.projectsegfau.lt translate.projectsegfau.lt tl.psf.lt tl.{{ server_prefix }}.psf.lt {
import def
reverse_proxy :5046
import torloc translate
respond "Service has been shutdown"
}
safetwitch.{{ server_prefix }}.projectsegfau.lt safetwitch.projectsegfau.lt tw.psf.lt tw.{{ server_prefix }}.psf.lt {
import def
reverse_proxy :5070
respond "Service has been shutdown"
import torloc safetwitch
}
api.safetwitch.{{ server_prefix }}.projectsegfau.lt {
reverse_proxy :5072
respond "Service has been shutdown"
# Something is taking the port 5071, I've went ahead and changed it to 5072 temporarily, can be permanently kept.
import def
}
hyperpipe.{{ server_prefix }}.projectsegfau.lt hyperpipe.projectsegfau.lt hp.psf.lt hp.{{ server_prefix }}.psf.lt {
import def
reverse_proxy :8843
respond "Service has been shutdown"
}
hyperpipebackend.{{ server_prefix }}.projectsegfau.lt {
reverse_proxy :3536
respond "Service has been shutdown"
import def
}
search.{{ server_prefix }}.projectsegfau.lt search.projectsegfau.lt s.psf.lt s.{{ server_prefix }}.psf.lt {
import def
import torloc search
reverse_proxy :8081 {
header_up X-Real-IP {remote_host}
}
@api {
path /config
path /healthz
path /stats/errors
path /stats/checker
}
@static {
path /static/*
}
@notstatic {
not path /static/*
}
@imageproxy {
path /image_proxy
}
@notimageproxy {
not path /image_proxy
}
header {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff"
# Disable some features
Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"
# Disable some features (legacy)
Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
# Referer
Referrer-Policy "no-referrer"
# X-Robots-Tag
X-Robots-Tag "noindex, noarchive, nofollow"
# Remove Server header
-Server
}
import acmedns
header @api {
Access-Control-Allow-Methods "GET, OPTIONS"
Access-Control-Allow-Origin "*"
}
# Cache
header @static {
# Cache
Cache-Control "public, max-age=31536000"
defer
}
header @notstatic {
# No Cache
Cache-Control "no-cache, no-store"
Pragma "no-cache"
}
# CSP (see http://content-security-policy.com/ )
header @imageproxy {
Content-Security-Policy "default-src 'none'; img-src 'self' data:"
}
header @notimageproxy {
Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
}
respond "Service has been shutdown"
}
piped.{{ server_prefix }}.projectsegfau.lt pipedproxy.{{ server_prefix }}.projectsegfau.lt pipedapi.{{ server_prefix }}.projectsegfau.lt {
reverse_proxy :6970
respond "Service has been shutdown"
header -X-Frame-Options
import def
}
pi.{{ server_prefix }}.psf.lt {
reverse_proxy :6970 {
header_up Host "{% if server_prefix == 'eu' %}piped.projectsegfau.lt{%else%}piped.{{ server_prefix }}.projectsegfau.lt{%endif%}"
}
header -X-Frame-Options
respond "Service has been shutdown"
import def
}
priviblur.{{ server_prefix }}.projectsegfau.lt priviblur.projectsegfau.lt pb.psf.lt pb.{{ server_prefix }}.psf.lt {
import def
reverse_proxy :9084
respond "Service has been shutdown"
import torloc priviblur
}
lace.{{ server_prefix }}.projectsegfau.lt lace.projectsegfau.lt l.psf.lt l.{{ server_prefix }}.psf.lt {
import def
reverse_proxy :9029
respond "Service has been shutdown"
import torloc lace
}
:8093 {
cgi /vnstat /var/lib/caddy/www/vnstat-metrics.cgi
lbry.{{ server_prefix }}.projectsegfau.lt lbry.projectsegfau.lt {
respond "Service has been shutdown"
import def
import torloc lbry
}
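Review bot: In the `(acmedns)` snippet of the first hunk, `token "{{ rfc2136_key }}"` feeds the deSEC provider from the variable that was named for the RFC 2136 TSIG key, so the name no longer says what the secret is and a vault entry that was not replaced would hand a TSIG key to an API that expects a token. I would rename it, for example `token "{{ desec_token }}"` (variable name constructed here), and store a token limited to the records the ACME challenge needs if the deSEC account allows that scoping, since every site that does `import acmedns` depends on it. The old `dynupd` key should be retired on the DNS server once nothing uses it. The +/- markers are lost in this rendering, so this assumes the `dns desec` lines are the added side.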


@@ -36,19 +36,27 @@ http://*.p.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
# Privacy Frontends
http://lbry.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor lbry
reverse_proxy :3550
reverse_proxy https://lbry.projectsegfau.lt {
header_up Host "lbry.projectsegfau.lt"
}
}
http://nitter.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
reverse_proxy :8387
reverse_proxy https://nitter.projectsegfau.lt {
header_up Host "nitter.projectsegfau.lt"
}
import tor nitter
}
http://libreddit.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor libreddit
reverse_proxy :6464
reverse_proxy https://libreddit.projectsegfau.lt {
header_up Host "libreddit.projectsegfau.lt"
}
}
http://teddit.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor teddit
reverse_proxy :9061
reverse_proxy https://teddit.projectsegfau.lt {
header_up Host "teddit.projectsegfau.lt"
}
}
http://inv.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor inv
@@ -58,7 +66,9 @@ http://inv.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
}
http://invbp.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor invbp
reverse_proxy :7573
reverse_proxy https://invbp.projectsegfau.lt {
header_up Host "invbp.projectsegfau.lt"
}
}
http://gothub.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion {
import tor gothub
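Review bot: The new upstream in the `invbp` onion block, `reverse_proxy https://invbp.projectsegfau.lt`, names a host that no site block on this page serves; the clearnet block in the main Caddyfile is declared as `inv.bp.projectsegfau.lt` (alongside `i.bp.psf.lt` and others). Unless `invbp.projectsegfau.lt` is defined in DNS and in a file not shown here, the lines should read `reverse_proxy https://inv.bp.projectsegfau.lt {` and `header_up Host "inv.bp.projectsegfau.lt"`. These onion sites now reach their backend through public DNS and TLS instead of a loopback port, so the nitter onion host will presumably hit the `forward_auth` flow configured for `nitter.projectsegfau.lt`; a comment stating whether that is intended would help. The `gothub` block continues outside the hunk.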


@@ -1,87 +1,76 @@
projectsegfau.lt www.projectsegfau.lt web.dev.projectsegfau.lt www.psf.lt psf.lt {
reverse_proxy :1339
import def
}
sl.projectsegfau.lt sl.psf.lt {
reverse_proxy :7777
import def
}
inv.bp.projectsegfau.lt, i.bp.psf.lt, invidious.projectsegfau.lt, inv.projectsegfau.lt, i.psf.lt {
reverse_proxy :7573 {
header_up Host "invidious.projectsegfau.lt"
}
@pipedproxy {
path /videoplayback
path /videoplayback/*
path /vi/*
path /ggpht/*
}
handle @pipedproxy {
reverse_proxy :6970 {
header_up Host "proxy.piped.projectsegfau.lt"
}
@jpgRedirect path_regexp maxres2 /vi/(.+)/maxres.jpg
@thumbnailRedirect path /ggpht/*
uri @thumbnailRedirect strip_prefix /ggpht
rewrite @thumbnailRedirect ?host=yt3.ggpht.com
uri @jpgRedirect replace /maxres.jpg /maxres2.jpg
rewrite /vi/* ?host=i.ytimg.com
}
nitter.projectsegfau.lt n.psf.lt {
reverse_proxy :8387
import def
header -X-Frame-Options
header -Content-Security-Policy
log {
# This is temporarily required to monitor nitter traffic due to scrapers being more active, so we need to monitor and rate limit them at a later date.
output file /var/log/caddy/ratelimiters.log
format json
route {
reverse_proxy /outpost.goauthentik.io/* https://in.v.psf.lt:7444 {
header_up Host {http.reverse_proxy.upstream.hostport}
transport http {
tls_insecure_skip_verify
}
}
# Forward authentication requests to Authentik's outpost
forward_auth https://in.v.psf.lt:7444 {
transport http {
tls_insecure_skip_verify
}
uri /outpost.goauthentik.io/auth/caddy
# Ensure these headers are passed, using correct capitalization
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name
trusted_proxies private_ranges
}
}
}
libreddit.projectsegfau.lt lr.psf.lt {
reverse_proxy :6464
import def
route {
reverse_proxy /preview/* :6465
reverse_proxy /outpost.goauthentik.io/* https://in.v.psf.lt:7444 {
header_up Host {http.reverse_proxy.upstream.hostport}
transport http {
tls_insecure_skip_verify
}
}
# Forward authentication requests to Authentik's outpost
forward_auth https://in.v.psf.lt:7444 {
transport http {
tls_insecure_skip_verify
}
uri /outpost.goauthentik.io/auth/caddy
# Ensure these headers are passed, using correct capitalization
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name
trusted_proxies private_ranges
}
}
}
# REDIRECTS/SHUTDOWNS
inv.bp.projectsegfau.lt, i.bp.psf.lt, invidious.projectsegfau.lt, inv.projectsegfau.lt, i.psf.lt {
respond "Invidious has shutdown"
import def
import torloc invbp
}
piped.projectsegfau.lt proxy.piped.projectsegfau.lt api.piped.projectsegfau.lt {
reverse_proxy :6970
header -X-Frame-Options
piped.projectsegfau.lt proxy.piped.projectsegfau.lt api.piped.projectsegfau.lt pi.psf.lt {
respond "Piped has shutdown"
import def
}
pi.psf.lt {
reverse_proxy :6970 {
header_up Host "piped.projectsegfau.lt"
}
header -X-Frame-Options
import def
}
proxy.lbry.projectsegfau.lt {
reverse_proxy :3001
import def
}
aryak.me {
reverse_proxy https://prox-arya.p.projectsegfau.lt {
header_up Host prox-arya.p.projectsegfau.lt
}
}
arya.projectsegfau.lt {
redir https://aryak.me{uri}
import acmedns
}
## OLD URL REDIRECTS
bb.us.projectsegfau.lt bb.in.projectsegfau.lt bb.eu.projectsegfau.lt bb.projectsegfau.lt {
import def
import torloc beatbump
redir https://hyperpipe.projectsegfau.lt{uri}
respond "Beatbump has shutdown"
}
ferrit.projectsegfau.lt snooddit.projectsegfau.lt {
redir https://libreddit.projectsegfau.lt{uri} permanent
respond "Ferrit/Snoodit/Libreddit/Redlib has been shutdown"
import acmedns
}
www.midou.dev midou.dev {
# reverse_proxy https://midou36o.github.io {
# header_up Host {http.reverse_proxy.upstream.hostport}
# }
#root * /var/www/midouwebsite
reverse_proxy :3000
# Apparently sveltekit built apps needs to have strict path tries.
#try_files {path} {path}/index.html {path}.html =404
#file_server
}
file.midou.dev {
reverse_proxy :8986
}
fastdl.midou.dev {
root * /srv/fastdl-tf2
file_server browse
}
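Review bot: Both `forward_auth https://in.v.psf.lt:7444` blocks (nitter and libreddit) and their `/outpost.goauthentik.io/*` proxies set `tls_insecure_skip_verify`, so the access decision and the copied `X-Authentik-*` headers come from a peer whose certificate is never checked, on a connection to a named host rather than `localhost`. Whoever can redirect or intercept that connection can answer the auth subrequest. I would drop the option and, if the outpost uses a private CA, trust that CA instead with `transport http { tls_trusted_ca_certs <path-to-outpost-ca.pem> }` (placeholder path), adding `tls_server_name` if the certificate name differs from the upstream address. The same lines appear in the node Caddyfile template earlier on this page; the +/- markers are lost in this rendering, so which copies are on the new side is inferred from context.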


@@ -0,0 +1,26 @@
www.midou.dev midou.dev {
# reverse_proxy https://midou36o.github.io {
# header_up Host {http.reverse_proxy.upstream.hostport}
# }
#root * /var/www/midouwebsite
reverse_proxy :3000
# Apparently sveltekit built apps needs to have strict path tries.
#try_files {path} {path}/index.html {path}.html =404
#file_server
}
file.midou.dev {
reverse_proxy :8986
}
fastdl.midou.dev {
root * /srv/fastdl-tf2
file_server browse
}
aryak.me {
reverse_proxy https://prox-arya.p.projectsegfau.lt {
header_up Host prox-arya.p.projectsegfau.lt
}
}
arya.projectsegfau.lt {
redir https://aryak.me{uri}
import acmedns
}


@@ -1,9 +1,50 @@
# ---Apps Caddyfile---
# Cinny
cinny.projectsegfau.lt cy.psf.lt {
reverse_proxy :3069
# Gitea
git.projectsegfau.lt {
reverse_proxy :3444
respond /metrics 403
import def
request_body {
max_size 500MB
}
header {
Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
}
import torloc git
}
git.psf.lt {
reverse_proxy :3444 {
header_up Host "git.projectsegfau.lt"
}
respond /metrics 403
import def
request_body {
max_size 500MB
}
header {
Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
}
import torloc git
}
translate.projectsegfau.lt tl.psf.lt {
import def
reverse_proxy :5046
import torloc translate
}
gothub.projectsegfau.lt gh.psf.lt {
reverse_proxy :1024
import def
import torloc gothub
}
gothub.dev.projectsegfau.lt gh.dev.psf.lt {
reverse_proxy :1025
import def
import torloc gothub.dev
}
# MailU
mail.projectsegfau.lt {
import def
reverse_proxy :8082
}
mtx.psf.lt {
@@ -11,23 +52,16 @@ mtx.psf.lt {
import def
}
ss3.psf.lt {
reverse_proxy :4567
# Cinny
cinny.projectsegfau.lt cy.psf.lt {
reverse_proxy :3069
import def
}
www.projectsegfau.lt www.psf.lt {
redir https://projectsegfau.lt{uri}
import torloc www
import acmedns
}
matrix.projectsegfau.lt {
reverse_proxy /_matrix/* :8456
# Hydrogen
h2.projectsegfau.lt, hydrogen.projectsegfau.lt, h2.psf.lt {
reverse_proxy :3071
import def
handle_path / {
redir https://wiki.projectsegfau.lt/Matrix
}
}
# Element
@@ -43,23 +77,8 @@ doc.projectsegfau.lt {
}
import def
}
# Hydrogen
h2.projectsegfau.lt, hydrogen.projectsegfau.lt, h2.psf.lt {
reverse_proxy :3071
import def
}
# Jitsi
jitsi.projectsegfau.lt {
reverse_proxy :8000 {
header_up X-Real-IP {remote_host}
}
import acmedns
}
# Excalidraw backend for jitsi
excalidraw.projectsegfau.lt {
reverse_proxy :8695
d.psf.lt {
redir https://doc.projectsegfau.lt{uri}
import acmedns
}
@@ -152,61 +171,11 @@ auth.p.projectsegfau.lt {
}
import def
}
# kbin
kbin.projectsegfau.lt, kb.psf.lt {
reverse_proxy :8014 {
header_up X-Real-IP {remote_host}
}
ntfy.projectsegfau.lt {
import def
reverse_proxy :8099
}
# RSS-Bridge
rssbridge.projectsegfau.lt, rb.psf.lt {
reverse_proxy :5678 {
header_up X-Real-IP {remote_host}
}
import torloc rssbridge
import def
}
# MatriXMPP Ejabberd
matrixmpp.projectsegfau.lt https://matrixmpp.projectsegfau.lt:8448 {
reverse_proxy :8446 {
header_up X-Real-IP {remote_host}
}
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
handle_path /.well-known/* {
root * /var/www/matrixmpp-well-known
file_server
}
import acmedns
}
gothub.dev.projectsegfau.lt gh.dev.psf.lt {
reverse_proxy :1025
import def
import torloc gothub.dev
}
ak.psf.lt {
redir https://social.projectsegfau.lt{uri}
import acmedns
}
j.psf.lt {
redir https://jitsi.projectsegfau.lt{uri}
import acmedns
}
d.psf.lt {
redir https://doc.projectsegfau.lt{uri}
import acmedns
}
rss.projectsegfau.lt freshrss.projectsegfau.lt rss.psf.lt {
reverse_proxy :3529
import def
import torloc rss
}
owncloud.projectsegfau.lt {
reverse_proxy http://127.0.0.1:9200
import def
@@ -245,31 +214,38 @@ minio.projectsegfau.lt {
reverse_proxy http://127.0.0.1:9000
}
mozhi.aryak.me {
reverse_proxy :5046
}
ak.psf.lt, social.projectsegfau.lt {
respond "Akkoma has shut down"
import acmedns
}
rss.projectsegfau.lt freshrss.projectsegfau.lt rss.psf.lt {
respond "FreshRSS has been shut down. If you have any data left on the instance, please email contact@projectsegfau.lt"
import def
import torloc rss
}
timetagger.projectsegfau.lt tt.psf.lt {
respond "Timetagger has been shut down. If you have any data left on the instance, please email contact@projectsegfau.lt"
import def
route {
reverse_proxy /outpost.goauthentik.io/* https://localhost:7444 {
header_up Host {http.reverse_proxy.upstream.hostport}
transport http {
tls_insecure_skip_verify
}
}
# Forward authentication requests to Authentik's outpost
forward_auth https://localhost:7444 {
transport http {
tls_insecure_skip_verify
}
uri /outpost.goauthentik.io/auth/caddy
# Ensure these headers are passed, using correct capitalization
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name
trusted_proxies private_ranges
}
}
reverse_proxy http://localhost:9900
}
ntfy.projectsegfau.lt {
# Jitsi
jitsi.projectsegfau.lt, j.psf.lt {
respond "jitsi has been shut down."
import acmedns
}
# RSS-Bridge
rssbridge.projectsegfau.lt, rb.psf.lt {
respond "RSS Bridge has been shut down. If you have any data left on the instance, please email contact@projectsegfau.lt"
import torloc rssbridge
import def
}
# kbin
kbin.projectsegfau.lt, kb.psf.lt {
respond "Kbin has been shut down"
import def
reverse_proxy :8099
}

@@ -1,24 +1,5 @@
# ---Internal Caddyfile---
# MailU
mail.projectsegfau.lt {
import def
reverse_proxy :8082
}
# Caddy daily build (for ansible)
cb.projectsegfau.lt {
root * /var/www/caddy-build
file_server browse
encode gzip
import def
}
# GotHub
docs.gothub.app {
redir https://gothub.app/docs{uri}
}
synapseadmin.vpn.projectsegfau.lt s.v.psf.lt {
import acmedns
reverse_proxy :8420

@@ -6,16 +6,6 @@ files.perso.in.projectsegfau.lt files.perso.in.projectsegfau.lt:6942 {
root * /zfspool/files
import acmedns
}
tnfiles.perso.in.projectsegfau.lt {
file_server {
browse
}
root * /zfspool/files/tn-sw
import acmedns
}
mozhi.aryak.me {
reverse_proxy :5046
}
http://*.tildevarsh.in https://tildevarsh.in {
respond `R.I.P ~varsh, you'll be missed. :q!
If you are a varsh user and want to get your data, email me@aryak.me with your username from your registered email address.

@@ -1 +0,0 @@

@@ -5,54 +5,6 @@ compose_dir: "/opt/docker-privfrontends"
data_dir: "/opt/data-privfrontends"
apps:
groups:
hyperpipe:
needs_configs_dir: true
needs_data_dir: false
docker_settings:
services:
- name: hyperpipe-frontend
image: codeberg.org/hyperpipe/hyperpipe
entrypoint: sh '/new-entrypoint.sh'
ports:
- "8843:80"
mounts:
- "{{configs_dir}}/hyperpipe/entrypoint.sh:/new-entrypoint.sh"
- name: hyperpipe-backend
image: codeberg.org/hyperpipe/hyperpipe-backend
environment:
HYP_PROXY: "{% if server_prefix == 'eu' %}proxy.piped.projectsegfau.lt{%else%}pipedproxy.{{server_prefix}}.projectsegfau.lt{%endif%}"
ports:
- "3536:3000"
anonymousoverflow:
needs_configs_dir: false
needs_data_dir: false
docker_settings:
services:
- name: anonymousoverflow
image: git.canine.tools/canine.tools/anonymous_overflow:latest
ports:
- "8694:8080"
environment:
APP_URL: https://overflow.projectsegfau.lt
JWT_SIGNING_SECRET: "{{ anonymousoverflow_signing_secret }}"
FLARESOLVER: "http://flaresolverr:8191"
- name: flaresolverr
image: ghcr.io/flaresolverr/flaresolverr:pr-1282
environment:
LOG_LEVEL: "info"
TZ: "UTC"
LANG: "en_US"
breezewiki:
needs_configs_dir: true
needs_data_dir: false
docker_settings:
services:
- name: breezewiki
image: quay.io/pussthecatorg/breezewiki:latest
ports:
- "10416:10416"
mounts:
- "{{configs_dir}}/breezewiki/config.ini:/app/config.ini"
gothub:
needs_configs_dir: false
needs_data_dir: false
@@ -95,20 +47,9 @@ apps:
GOTHUB_INSTANCE_CLOUDFLARE: false
ports:
- "1025:3000"
librarian:
needs_configs_dir: true
needs_data_dir: false
docker_settings:
services:
- name: librarian
image: quay.io/pussthecatorg/librarian
ports:
- "3550:3550"
mounts:
- "{{configs_dir}}/librarian/config.yml:/app/config.yml"
redlib:
needs_data_dir: true
needs_configs_dir: true
needs_data_dir: false
needs_configs_dir: false
docker_settings:
services:
- name: redlib
@@ -123,23 +64,6 @@ apps:
BLUR_NSFW: on
USE_HLS: on
AUTOPLAY_VIDEOS: off
- name: go-away
image: git.projectsegfau.lt/midou/go-away:latest
ports:
- "6464:9980"
- "9893:9893"
mounts:
- "{{data_dir}}/redlib/cache:/cache"
- "{{configs_dir}}/redlib/policy.yml:/policy.yml:ro"
environment:
GOAWAY_BIND: ":9980"
GOAWAY_METRICS_BIND: ":9893"
GOAWAY_BIND_NETWORK: "tcp"
GOAWAY_CLIENT_IP_HEADER: "X-Real-Ip"
GOAWAY_POLICY: "/policy.yml"
GOAWAY_SLOG_LEVEL: "WARN"
GOAWAY_CHALLENGE_TEMPLATE: redlib
GOAWAY_BACKEND: "*=http://redlib:8080"
nitter:
needs_data_dir: true
@@ -158,80 +82,6 @@ apps:
command: redis-server --save 60 1 --loglevel warning
mounts:
- "{{data_dir}}/nitter/redis-data:/data"
rimgo:
needs_configs_dir: false
needs_data_dir: false
docker_settings:
services:
- name: rimgo
image: codeberg.org/video-prize-ranch/rimgo
ports:
- "9016:3000"
environment:
ADDRESS: 0.0.0.0
PORT: 3000
FIBER_PREFORK: false
IMGUR_CLIENT_ID: 546c25a59c58ad7
PRIVACY_POLICY: https://projectsegfau.lt/legal/privacy-policy
PRIVACY_COUNTRY: "{{country}}"
PRIVACY_PROVIDER: "{{isp}}"
PRIVACY_CLOUDFLARE: false
PRIVACY_NOT_COLLECTED: true
safetwitch:
needs_data_dir: false
needs_configs_dir: false
docker_settings:
services:
- name: safetwitch-frontend
image: codeberg.org/safetwitch/safetwitch:latest
ports:
- "5070:8280"
environment:
SAFETWITCH_BACKEND_DOMAIN: "api.safetwitch.{{server_prefix}}.projectsegfau.lt"
SAFETWITCH_INSTANCE_DOMAIN: safetwitch.projectsegfau.lt
SAFETWITCH_HTTPS: true
- name: safetwitch-backend
image: codeberg.org/safetwitch/safetwitch-backend
ports:
- "5072:7000"
environment:
PORT: 7000
URL: "https://api.safetwitch.{{server_prefix}}.projectsegfau.lt"
scribe:
needs_configs_dir: false
needs_data_dir: false
docker_settings:
services:
- name: scribe
image: registry.gitlab.com/lomanic/scribe-binaries:latest
ports:
- "8006:8006"
environment:
SCRIBE_PORT: 8006
SCRIBE_HOST: 0.0.0.0
APP_DOMAIN: scribe.projectsegfau.lt
LUCKY_ENV: production
PORT: 8006
SECRET_KEY_BASE: "{{scribe_secret_key_base}}"
searxng:
needs_configs_dir: true
needs_data_dir: true
docker_settings:
services:
- name: searxng
image: searxng/searxng:latest
ports:
- "8081:8080"
mounts:
- "{{data_dir}}/searxng:/etc/searxng"
- "{{configs_dir}}/searxng/settings.yml:/etc/searxng/settings.yml:rw"
environment:
SEARXNG_BASE_URL: "https://{% if server_prefix == 'eu' %}search.projectsegfau.lt{%else%}search.{{inventory_hostname}}.projectsegfau.lt{%endif%}/"
- name: searxng-redis
image: redis:alpine
command: redis-server --save 30 1 --loglevel warning
mounts:
- "{{data_dir}}/searxng/redis-data:/data"
mozhi:
needs_configs_dir: false
needs_data_dir: false
@@ -243,59 +93,6 @@ apps:
- "5046:3000"
environment:
MOZHI_LIBRETRANSLATE_ENABLED: false
teddit:
needs_configs_dir: false
needs_data_dir: true
docker_settings:
services:
- name: teddit
image: teddit/teddit:latest
ports:
- "9061:8080"
environment:
DOMAIN: teddit.projectsegfau.lt
USE_HELMET: true
TRUST_PROXY: true
REDIS_HOST: teddit-redis
- name: teddit-redis
image: redis:6.2.5-alpine
command: redis-server
environment:
REDIS_REPLICATION_MODE: master
mounts:
- "{{data_dir}}/teddit/redis-data:/data"
priviblur:
needs_configs_dir: true
needs_data_dir: true
docker_settings:
services:
- name: priviblur
image: quay.io/syeopite/priviblur:latest
ports:
- "9084:8000"
mounts:
- "{{configs_dir}}/priviblur/config.toml:/priviblur/config.toml:Z,ro"
- name: priviblur-redis
image: redis:6.2.5-alpine
command: redis-server
environment:
REDIS_REPLICATION_MODE: master
mounts:
- "{{data_dir}}/priviblur/redis-data:/data"
shoelace:
needs_configs_dir: true
needs_data_dir: true
docker_settings:
services:
- name: shoelace
image: nixgoat/shoelace
ports:
- "9029:8080"
mounts:
- "{{configs_dir}}/shoelace/shoelace.toml:/data/shoelace.toml"
- "{{data_dir}}/shoelace:/data"
environment:
SHOELACE_CONFIG: /data/shoelace.toml
watchtower:
needs_configs_dir: false
needs_data_dir: false
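Review bot: In the redlib hunk (`@@ -123,23 +64,6 @@`) the kept lines `BLUR_NSFW: on`, `USE_HLS: on` and `AUTOPLAY_VIDEOS: off` are unquoted, so a YAML 1.1 loader such as the one Ansible uses reads them as booleans rather than the strings `on`/`off`. How the compose template renders these values is not visible here, but the container would likely receive `True`/`False` instead of what was written; quote them as `BLUR_NSFW: "on"`, `USE_HLS: "on"`, `AUTOPLAY_VIDEOS: "off"`. The same applies to `GOTHUB_INSTANCE_CLOUDFLARE: false` and `MOZHI_LIBRETRANSLATE_ENABLED: false` in the neighbouring hunks if those services expect lowercase strings. With the go-away service removed from this group, whatever proxied to its published port 6464 should now target redlib directly; that proxy configuration and the start of the redlib service definition are outside this section.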

@@ -1,81 +1,51 @@
$ANSIBLE_VAULT;1.1;AES256
63383132383338646134323161653732626564393261313134373832666234336664356464346433
6633373466633634613039626233346562643862613037390a303265373839306532373235333232
36663566356665346638343535303332343333326163353535663932396531626530393932333365
3562623937393130380a326333623832393131623634393832396430313537623038663536663033
32613733363731306664626531306263393936613961633061313538353364633763623739336131
62386335323330326231306662326566643637313032373438376538383032306366323931363130
32366137333966613638303866633436643366373730623764343033346132353331656139343062
62663937383865613737333964383764336136363137623637376537616538303537623237333338
66656664623565363634663138643938386439646332633537313930343134336638363833336333
62616564343162323261306264646236626132653061383766383137633161376633636237386563
33383031653838353832643566356339336263653830383732336339663837323339623763376531
33653564636233343865623361316430633961663336323264313537386333383863666361306166
37306530643230383636346335633966623663626331633861376361313861363438303765616161
35343439393561666630393136666162366430373434376134663861303834613665396564336633
31653165653036626666396131656164336538653765653566646466396462333861366435613533
62646430393861623564303063653331633931376436393035623866636537373664653839656331
31613261393531383761666536356664363534393763653962373236366630353331643963613937
31656536363733326665633730346665316637383531643534343734343537336531653931383633
37396230613736383537356436333630373535326135393465653962303765396230316437373331
63646532326662326437653965373063373066376331336438633036623434623761396130373466
34626239373030653837633739336532373164386366623264323938396638356365396631636365
31343761356636646236666233326661313932666130663737343039646663396465363733656435
33306461663534323061626231383833373737653132373038396236313135326630646436623332
39633538373365653463323166363338613361663534343231636136613462663538333961666139
35313136336232633732326535376133313034353663346133636233343839303432303962346263
31316134363133303661646536346633346636333034353366323563613336366536383066643861
33623066363135363066646434313130646631633438356134303531303339663331376533613836
63366138316464613566303963616362626237666261363466353362343566663564366333303464
34396230313963396664396462373261376463353331336662316533373338353864613931353434
36313232623361623539643264663266663561306533313739343765353765353462363338303637
34376135346235316164366331356435656538343237613466366166356630396136356335336466
64363736336538313335376537366633623437326561333464313339313561646137383730336535
63356263656535643465643431626533326235306637643333336565616263653464653738356134
36633464323638656339666236653461313261653434613366646334373861303238626536643665
65336339366261396532366434613564323238373439613032333734306333393237383539376235
66363866306562646231663866373939363466656565656533656233373238376163643033646330
30633335363137623933303831343039306639363632646133366339326634646663636439643264
30343534363263333162366337613066646531613864363835666135613165393761646230313165
30656165646630333833636439396130643436353163366637633461383039663963333936386231
34393635356466303834666537636266353463663935633365303162353362393736653836333933
33626232306561313138643232373235336163393164613364333462353165303966343035336664
36616637333265303564396264303836656530393265333931363238383733356566623734646465
61333732633731306566353437626434326364653830636530326337383934613739386635616138
34356539333730363633633534346263636430313962643366323832643231313234353032633036
65343735383639303966326261616338633338343033323364636665386461633231623438663362
33633761613534636133323739613135313162363564623931316436353065343362336461303735
37353164396236366537616364643031373133646663316639613032356335643263366231333637
30353931306162616236363832356536353461613831366336336531386261343038333462313338
64353165666236393539303566323634346430373464303365323461323364643061303364326533
61363662626438346639616664313333653962623734653533396234663931313332613239303831
61343932636564623866396161383532373036336532313336376262653731373761333130343434
64643737636636323161313032663964383335666338333766346662373461653864383835376130
66396239393431643636396437346663373033333339333134373533346630366366393861626336
37643065636262643761646464373364663761323233323266323430633566343638643962643635
64363431613930313062353931643330626230663832393235346435393665306662326161396537
61666133616666653262616330626462363635623961343432333664333465363836633039303165
36666536656433306139393430373233393331653732626331613364343035326536353663313630
38323163376562646665336332316434333262616261333738336435663539336565383765326362
32393063323934646630386436303363393532663162396239363733323637363463383962656339
63326234313134343363333365616537383632316365343136313263393930363764373466383062
31646561313833653333666264383561376336663265666234333932613138623137623361303439
36623338643965343538313264626332326665666333373465356663326231663532393335336337
32643130313461326530306132316631626331633034326439356637663964303465376339663839
30306665643539376634336634316265313562333966643632663264353438393335396463383764
31313334313435376138373230303531313136326536343035623635656165613966663564646334
36646365633235636534376166333739323335396665626231383561626361653437646263333131
66346234393931626630326136303237396266303034363938363461616461373932623935383764
32373137303165393163303337653339313239386462616666393735353937333762336665363736
31643137333438383866653133396636666362393935343765626262386130336436653233363138
61653038393864316434623637396638643430313563396566643834633963373861663763326465
32663932653031343761643837316531623839666363356436383831383838343131313239386431
62363966636139383232616430373036356236323463326264653935643865396334643132376134
37363132656166393061616663646335303331363637353336363937666334393662383063386133
37333837363864313061323631633862613436613439386166353331643764303430626634633964
39373033343836336538623465363633303830643461353462333731633762316532353362643936
38643338653964343530383639336237326131313361356466396238333931336666313032376333
62393564393633323138313838643166633136616131643335326234613137663738386464663539
36643139376463623461303631363238346664313431373338373264653332343066663366393039
65666331376139663231623132333334323764373637616637643062326665623634383062363764
63386336393338616232
62633465666433613531653834643833623063663334346630643637323534373338616561666362
3932633339333932393035633737343565623866376465310a323863653535346236316339336431
36356332313931626433333935623433633562376533303235373536613034383761313036306439
6133343535326336660a393139643363643337643036636234363034666638376335336437613531
39356364303838306639316630646131653039323865326534643034383730303436623433633537
30326662393935366137336363616462633064303336303030313439393133363334666164313265
38636263356537396663623430653838643465363866373431653763633931323337356635333665
63356362336532393664303735623861343339363864663533333439316364663863383038666631
31306535303934666165353465643935613834623431333231316538303433353063646434303935
30636430623333373032303434633832363435313134306531386330393138616161313132623131
38363165343238333765616137353466396536623731633836633134633466663839626132326234
33383434663235653666643437336532366164323664376135346665333664653136656263333934
33366564613734376536316134323437383535396638373366633030363938303233363933653161
31393233373936336661333763643433653664623265663531633966346337363231663432346633
32303937303166306538613632393632616137333566303732313031343966343835316530346231
62393665306635323135363866636131653266343938613532323136666534613835373432366339
62373437653061363864643436646563346666616361346430653038626538633134353130306562
36313330626633363934663465353732333437663739383637343939386134613733383035373634
66326331623464373635626238653836653361396234623566643233333363613866393234373261
33376163336631323736313530663961376464303431346534393863653731363835376332653439
63656134663435333133643731613236616333353034626333303864386666373866323466373964
63343133396539663162633233336238393533333032636162353865313132376663383237373336
38363531363031636336366538626364393138356138346133306361316566353034353635356133
31383937633932386464623437303665336131663838353738613637326638313261333066386631
32623832313630616233316366326237656131396631626461663538653037393732646432646438
33633564666139316632356335353466306537343564626131346530643333316436646332633038
65646462396334336536366235303934353030336531366664333962393965313531613161623263
39353266613038356130646238376364306465326139303731303066656533373261666339396139
31633666633931633631643466333763323339393334333730363638333566346232393164353035
38386231383162303366326134633563373861306539633161363538653630336363313434373232
33373461656138373063383965393333313663343138643565653638396639633130656432663765
31303434633836383565633365323836323463313835386131306135636536363063313835663832
61386432633237323134663465343632623036613438303164336362343736373733323239633033
65333631613737343032303832373030643962303339316331356266323233303236373238373937
61343833396361303365636439653736616132333232316138333765346161353538666563646166
39333434356337376164626666643461343165616632343538616263376634633539326134633133
63663166326436653931336564363263613164346233626462363338653732323237353964343933
39653434616261306539646166353936346565656664663631306238326265623137633337373363
64363533623361383964623361343166636131346463333135323135626330643265346339616530
35633736643566333335626337623965396263316630323564323535356564636636623339646135
30376138323730383461656138663638396464326264643563363539343431353133636166336336
62343362366362393364333838636565303537633135633933653334363533386333323737303265
35653535363662333639313033633364626366376466373531333637656230643236313838633361
32396164386139393865383538633039653234393533353462383538363531343761656536643063
31366635333263646436646564346433323862653062623037636233613961396430616463356533
39346338333062653234316166326632633435613434386632356132336639303935656433613030
31306664326533633436356531393163636131326330313636663563653833396331366163663066
32643339313737616362666538643262376631336437643361643530323962383233333766376364
38396562303338363362636261363734656161666266653735363832333232353732633739363463
3032623866333162663831613331626236376366373364653865