diff --git a/all/playbook.yaml b/all/playbook.yaml
index c7112f3..51c27b9 100644
--- a/all/playbook.yaml
+++ b/all/playbook.yaml
@@ -15,15 +15,6 @@
ansible.builtin.apt_repository:
repo: deb http://deb.debian.org/debian bookworm-backports main contrib
state: present
- - name: Get Knot GPG keys
- ansible.builtin.get_url:
- url: https://deb.knot-dns.cz/apt.gpg
- dest: /usr/share/keyrings/knot.gpg
- mode: '0644'
- - name: Enable knot repo
- ansible.builtin.apt_repository:
- repo: deb [signed-by=/usr/share/keyrings/knot.gpg] https://deb.knot-dns.cz/knot-latest/ bookworm main
- state: present
- name: Get GoAccess GPG keys
ansible.builtin.get_url:
url: https://deb.goaccess.io/gnugpg.key
@@ -247,7 +238,7 @@
# very secure I know; it has to be plain text anyway for automated backups, unless there is a better way (in which case please email me@aryak.me)
borg_encryption_passcommand: "cat /etc/borgmatic/passphrase"
- name: UFW Firewall Configuration
- hosts: eu,us # IN is behind router so no f/w is needed
+ hosts: eu # IN is behind router so no f/w is needed
tasks:
- name: Enable UFW
community.general.ufw:
diff --git a/all/templates/us/daemon.json b/all/templates/us/daemon.json
deleted file mode 100644
index e7343f4..0000000
--- a/all/templates/us/daemon.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-"log-driver": "local",
-"ipv6": true,
-"fixed-cidr-v6": "fd00:dead:beef::/48"
-}
diff --git a/cron/caddy-builds-soleil.yaml b/cron/caddy-builds-soleil.yaml
deleted file mode 100644
index 840a356..0000000
--- a/cron/caddy-builds-soleil.yaml
+++ /dev/null
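Review bot: Narrowing this play to `hosts: eu` and dropping the Knot repository tasks above only stops Ansible from declaring Knot; it does not remove the package, the keyring at /usr/share/keyrings/knot.gpg or the source list from a host that was provisioned earlier, so the daemon presumably keeps running and listening on 53 there until someone uninstalls it by hand. If Knot is being retired (the knot packages and cron/knot-restart.yaml go away in this same commit), add a short decommission stanza with `state: absent` for the repo, the package and the key so a normal run converges the remaining hosts. The 53/tcp and 53/udp entries in `ufw_allow_rules` should then go as well; they are visible in the deleted host_vars/us/misc.yaml and are likely mirrored in eu's host vars, which are outside this diff. The same caveat applies to the haproxy and wg-quick@wg0 services whose setup tasks are removed from pizza1/playbook.yaml further down.
```yaml
# … unchanged: bookworm-backports repo task …
- name: Remove Knot repo (decommissioned)
  ansible.builtin.apt_repository:
    repo: deb [signed-by=/usr/share/keyrings/knot.gpg] https://deb.knot-dns.cz/knot-latest/ bookworm main
    state: absent
- name: Remove Knot packages
  ansible.builtin.apt:
    name: knot  # plus any knot-* packages the install task (outside this hunk) lists
    state: absent
    purge: true
- name: Remove Knot signing key
  ansible.builtin.file:
    path: /usr/share/keyrings/knot.gpg
    state: absent
# … unchanged: GoAccess repo tasks …
```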
@@ -1,11 +0,0 @@
----
-- name: Caddy Builds on IN Node (Weekly Cron)
- hosts: in
- tasks:
- - name: Do the thing
- ansible.builtin.command: xcaddy build --with github.com/caddy-dns/rfc2136@master --with github.com/gi-yt/ratelimit@master --with github.com/aksdb/caddy-cgi/v2@master --output /var/www/caddy-build/api/download
- register: out
- changed_when: out.rc != 0
- - name: Print output of thing
- ansible.builtin.debug:
- var: out.stderr_lines
diff --git a/cron/hourly-restarts.yaml b/cron/hourly-restarts.yaml
index a476e84..b6e40e9 100644
--- a/cron/hourly-restarts.yaml
+++ b/cron/hourly-restarts.yaml
@@ -3,13 +3,10 @@
hosts: privfrontends
vars:
services:
- - breezewiki
- - anonymousoverflow
- gothub
+ - mozhi
- redlib
- - teddit
- nitter
- - rimgo
tasks:
- name: Do thing
ansible.builtin.command: docker restart {{ item }}
diff --git a/cron/knot-restart.yaml b/cron/knot-restart.yaml
deleted file mode 100644
index ea43921..0000000
--- a/cron/knot-restart.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: Knot Restarts (EU/US)
- hosts: eu,us
- vars:
- services:
- - knot
- tasks:
- - name: Do thing
- ansible.builtin.systemd_service:
- state: restarted
- name: knot
- with_items: "{{ services }}"
diff --git a/host_vars/eu/privfrontends_secrets.yaml b/host_vars/eu/privfrontends_secrets.yaml
index ede7fa4..5bd4c0f 100644
--- a/host_vars/eu/privfrontends_secrets.yaml
+++ b/host_vars/eu/privfrontends_secrets.yaml
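Review bot: The `mozhi` entry added to `services` is driven by the same `ansible.builtin.command: docker restart {{ item }}` task, which reports changed on every run and marks the host failed if any listed container is absent on it, so a frontend that exists on one privfrontends host but not another (several were just removed) turns an hourly cron into a recurring failure; the loop line itself is below the hunk and not visible. If the community.docker collection is available (all/playbook.yaml already uses community.general), `community.docker.docker_container` with `name: "{{ item }}"` and `restart: true` handles absence and idempotence cleanly; otherwise at least add `changed_when: false` so the cron run does not always report drift. The task name `Do thing` also says nothing; `- name: Restart privacy-frontend containers` would help anyone reading the cron output.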
@@ -1,39 +1,10 @@ $ANSIBLE_VAULT;1.1;AES256 -31386435653631313961323564653565656339636635653366386166333162643863333034376332 -3166363635636437383430366435343265663762666362320a653166643832363536373832653830 -37323266653330613735623530393161623265663033643738646366376530633863393331323837 -3465653866336461350a653465626265383034323034653166343163616163356236323566626534 -34313832303461633432346437306236646366313431626165353930623664363133353635383930 -36353065346262393636386463383666373333313834323532343930393431333130373132383665 -61653363633066613464333765666464316435653638656262323634653662666237366564653934 -61613634303232323934633166633162323161316337356430306335376631653138333538373661 -33616466366665633430386533623337646230663365613332646138366339346634646363373262 -66386465373562383730646530666432343765363263623064626338636564663331656333653239 -31306562643866376130663364633738646530633463316439356434306333656139633437323334 -39383539663934373330623737383932353766653535313539366130623861383034626134613639 -30623861623164333731373964613837333139336636393631653339616163343431643832653032 -64383562636135366135316664333437336539376261366336343137653066333332333563653466 -36646263363739323762323633616431643062356536653937313764633731353666333466363965 -65333332663139303733626631336331326362636463613961313962343161343831393137636263 -65383032333233666437376437666366636366366366316332383932646265343238363133653334 -35613366653834663964393735366565313935383831343736666566346532633331666636303336 -33643366353437383131346163663438653132346161333464333134313230653835623633303633 -37366637613232316439383930366566643265636139326639613636663136313961613263643364 -65653630633133336339633430313231336632383837636633383835343732373238323166666463 -39343365333066353365626462366161346439656433646434633038303830333361633665643965 -32353839326661343833323866623261353730366563353761646464376632313763353164386431 
-64653730613038343466613938643836396161626331383431636636363361363335383237633132 -38326633643232333735366265656538343664626536343433666235636563346163336138313566 -37623532306634333164636262633965383833636633306133326632386132303136613736363734 -36626162303236353663396165666363336566373566303237373866633334323761373238396231 -38313130303666316633626666363436613939336438383434373062383330353030646331313834 -62653065396265653362656461613038396333386233366662303465376634643839643666383735 -30356438366362363565666134656232313766626166306661396461396433666532393731636332 -36363732306637323565323831373161656436303461313562623263373461303361663037336535 -31623239346435653035313434393363353630383339613234343736373861383839376437383864 -37363634343230316464393264636639373164306334393964396166376461373162663035303738 -39666565346564616536316433326533626564636137333035653833623831326563633732653438 -65333134356439353437376337633663313430363964373565316639343534366632623532636336 -39373263646232623762623337316239333330323162666365396331366566613834393965363132 -64613139613432646539353139383963313834313832356633356163303634306462633739633531 -6337666233363432653063366361623830333131363564353834 +38663164386336373962396634363134393738383562643035303630346466353530663731623233 +6664306261353464306338333633666330306536626633640a663738336236636632366138653761 +34363933616432343932636361646265616664613134363061326133616634373837356363383364 +3031336437656433660a613339643666613166383035376665316530376461396565623339363736 +63376132346138616564373066623832346534363232613361373936663136323730303632323339 +63363633396232383835636536396664616638396263333364376362373234656662356530626631 +64326634336539313436323664373462613864353766623366666364356533326134346530396436 +64326332633666323236623434313631313539333464393865303432373637333030643462366665 +6338 diff --git a/host_vars/in/misc.yaml b/host_vars/in/misc.yaml index 64bec9c..5e99c81 100644 --- a/host_vars/in/misc.yaml 
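Review bot: The re-encrypted eu vault shrinks from 39 to 10 ciphertext lines, which suggests a sizeable share of the frontend secrets was dropped rather than rotated; if any of them belonged to services retired in this commit (for instance the `AUTH_TOKEN`/`HMAC_KEY` consumed by the deleted privfrontends/configs/librarian/config.yml), they should be revoked at the issuing side where that is possible, since the old ciphertext remains recoverable from git history under the same vault password. A one-line note in the commit message naming the removed keys would spare the next maintainer a vault decrypt to find out what changed. Beyond that, this is a ciphertext-only hunk and nothing else can be checked here.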
+++ b/host_vars/in/misc.yaml
@@ -31,12 +31,9 @@ bkp_postgresql_databases:
- name: gitea
- name: healthchecks
- name: hedgedoc
- - name: invin
- name: mailu
- - name: piped
- name: postgres
- name: roundcube
- - name: semaphore
- name: synapse
- name: vaultwarden
- name: wikijs
diff --git a/host_vars/in/privfrontends_secrets.yaml b/host_vars/in/privfrontends_secrets.yaml
index e5054b3..d9b19ec 100644
--- a/host_vars/in/privfrontends_secrets.yaml
+++ b/host_vars/in/privfrontends_secrets.yaml
@@ -1,27 +1,10 @@
$ANSIBLE_VAULT;1.1;AES256
-62393338626639643838383931353333666538386437386464376434386639313034643464303566
-3364613933636666373834653234323935656566316632360a383834356137363464663861326661
-62313063323535646566353361326333306234613733306665363436656335643361396666633038
-6162633562353566310a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a353536333938326665343435653063
+31343337386630383864613531383065366535616662396336306464356339643831336336323736
+3835313766386335640a666364653233383766656331333264333632396630616430653435313131
+38393738633766366636323738343333333061343338373063303363376338633763313838323863
+62366537313231333661386635323537343734666532303531303431343366303066313361623362
+64383562316630316233303662613539346563376365313334353431646132303732376635306165
+31343539623935353138353863376463376139366338646139323736323861656136323761323735
+6633
diff --git a/host_vars/us/healthchecks.yaml b/host_vars/us/healthchecks.yaml
deleted file mode 100644
index 1807942..0000000
--- a/host_vars/us/healthchecks.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-36393333323061396634373536623135376336653134303130336163316163343438613966313162
-6263613432353933633535656633383865643537386132320a623837636238386135376333623630
-35393233306435363332346562363239663636633863616362643931626563343037343463333365
-3632373132653830610a373763316130343737613233636237626534323030303430323461353562
-62333061376563343562386562313031363132326137333634316135343339626264623238343935
-31656639376339353439656632393363656664346362663031343931313534393862616532353732
-31663463363039386565653363653332396336306634356339616630623261643162373839356132
-64323038343430346433633865356462623133353339653336386261323637373731333630666333
-35643961316137356532653864613631633938303031663231343365646232636264633961373930
-36326239653963353562633134666262613332393963646239306336646338363734306161646562
-31366633336566393636616230326663363430333137656366336435656335343732393165363834
-34393766336138373164386332643661646162346166316265346664363530336336313334636366
-3132
diff --git a/host_vars/us/misc.yaml b/host_vars/us/misc.yaml
deleted file mode 100644
index 8d0eab0..0000000
--- a/host_vars/us/misc.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-ufw_allow_rules:
- - port: 443
- proto: tcp
- - port: 443
- proto: udp
- - port: 80
- proto: tcp
- - port: 53
- proto: udp
- - port: 53
- proto: tcp
- - port: 5201
- proto: tcp
-bkp_source_directories:
- - /home
- - /etc
- - /boot
- - /root
- - /opt
- - /usr
- - /var
-bkp_exclude_patterns:
- - /var/log
- - /var/lib/docker/buildkit
- - /var/lib/docker/containers
- - /var/lib/docker/image
- - /var/lib/docker/overlay2
- - /var/lib/docker/plugins
- - /var/lib/docker/runtimes
- - /var/lib/docker/swarm
- - /var/lib/docker/tmp
- - /var/lib/docker/trust
-bkp_postgresql_databases:
- - name: invidious
diff --git a/host_vars/us/privfrontends_secrets.yaml b/host_vars/us/privfrontends_secrets.yaml
deleted file mode 100644
index e5867df..0000000
--- a/host_vars/us/privfrontends_secrets.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-30383034393632393233613963333833353330663862626166363735333635336534396661323030
-3833636238656664343834363434653836623936653932340a623666323162613965643934613533
-31316265313430333531346464346664626166306435383339633166613665396464323362613334
-3139386335613664320a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
diff --git a/inventory.yml b/inventory.yml
index e146af0..a9d425d 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -15,19 +15,6 @@ all:
wiki_page: Pizza-1
watchtower_mtrx_username: psf-watchtower-pizza
rsyncnet_slug: pizza1
- us:
- ansible_host: us.vpn.projectsegfau.lt
- ansible_user: ansiblerunner
- ansible_port: 22
- port: 22
- ansible_become: true # Run everything as root
- docker_dir: /opt/docker-privfrontends
- country: United States
- isp: Racknerd
- wiki_page: US_Node
- server_prefix: us
- watchtower_mtrx_username: psf-watchtower-us
- rsyncnet_slug: us
in:
ansible_host: in.vpn.projectsegfau.lt
ansible_user: ansiblerunner
diff --git a/pizza1/configs/haproxy/haproxy.cfg b/pizza1/configs/haproxy/haproxy.cfg
deleted file mode 100644
index ab2710e..0000000
--- a/pizza1/configs/haproxy/haproxy.cfg
+++ /dev/null
@@ -1,55 +0,0 @@
-global
- log /dev/log local0
- log /dev/log local1 notice
- chroot /var/lib/haproxy
- stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
- stats timeout 30s
- user haproxy
- group haproxy
- daemon
-defaults
- log global
- mode http
- option httplog
- option dontlognull
- timeout connect 3600000
- timeout client 3600000
- timeout server 3600000
- timeout tunnel 3600000
-listen ssh
- bind :::22 v4v6
- balance roundrobin
- mode tcp
- option tcp-check
- tcp-check expect rstring SSH-2.0-OpenSSH.*
- server pubnix 10.7.0.2:22 check inter 10s fall 2 rise 1
-listen xrdp
- bind :::3389 v4v6
- balance roundrobin
- mode tcp
- option tcp-check
- server pubnix 10.7.0.2:3389 check inter 10s fall 2 rise 1
-listen gemini
- bind :::1965 v4v6
- balance roundrobin
- mode tcp
- option tcp-check
- server pubnix 10.7.0.2:1965 check inter 10s fall 2 rise 1
-listen soju
- bind :::6697 v4v6
- balance roundrobin
- mode tcp
- option tcp-check
- server pubnix 10.7.0.2:6697 check inter 10s fall 2 rise 1
-listen iperf3
- bind :::5202 v4v6
- balance roundrobin
- mode tcp
- option tcp-check
- server pubnix 10.7.0.2:5201 check inter 10s fall 2 rise 1
-listen nodexporter
- bind :::9101 v4v6
- balance roundrobin
- mode tcp
- option tcp-check
- server pubnix 10.7.0.2:9100 check inter 10s fall 2 rise 1
diff --git a/pizza1/configs/wireguard/wg0.conf b/pizza1/configs/wireguard/wg0.conf
deleted file mode 100644
index eb120cc..0000000
--- a/pizza1/configs/wireguard/wg0.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-[Interface]
-Address = 10.7.0.1/24, fddd:2c4:2c4:2c4::1/64
-PrivateKey = {{wireguard_private_key}}
-ListenPort = 51820
-PostUp = iptables -I FORWARD -s 10.7.0.0/24 -j ACCEPT; iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT; ip6tables -I FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT; ip6tables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -I POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to 45.145.41.226; ip6tables -t nat -I POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to 2a0d:5940:99:3::1
-PostDown = iptables -D FORWARD -s 10.7.0.0/24 -j ACCEPT; iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT; ip6tables -D FORWARD -s fddd:2c4:2c4:2c4::/64 -j ACCEPT; ip6tables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT; iptables -t nat -D POSTROUTING -s 10.7.0.0/24 ! -d 10.7.0.0/24 -j SNAT --to 45.145.41.226; ip6tables -t nat -D POSTROUTING -s fddd:2c4:2c4:2c4::/64 ! -d fddd:2c4:2c4:2c4::/64 -j SNAT --to 2a0d:5940:99:3::1
-[Peer]
-PublicKey = {{wireguard_pubnix_pubkey}}
-AllowedIPs = 10.7.0.2/32, fddd:2c4:2c4:2c4::2/128
-[Peer]
-PublicKey = {{wireguard_in_gluetun_pubkey}}
-AllowedIPs = 10.7.0.3/32, fddd:2c4:2c4:2c4::3/128
-# Personal
-[Peer]
-PublicKey = 7c/IIUXnEa3cMfdSJ1CcB1nCSFhgNaHq5CrF+q4TgmE=
-AllowedIPs = 10.7.0.4/32, fddd:2c4:2c4:2c4::4/128
diff --git a/pizza1/playbook.yaml b/pizza1/playbook.yaml
index a701367..70280e5 100644
--- a/pizza1/playbook.yaml
+++ b/pizza1/playbook.yaml
@@ -8,11 +8,6 @@
- postfix
- postfix-pgsql
- tor
- - knot
- - knot-dnsutils
- - knot-module-geoip
- - haproxy
- - wireguard
- name: Setup postfix configs
ansible.builtin.copy:
src: ./configs/postfix
@@ -34,23 +29,3 @@
name: tor
enabled: true
state: restarted
- - name: Setup haproxy configs
- ansible.builtin.copy:
- src: ./configs/haproxy/haproxy.cfg
- dest: /etc/haproxy/haproxy.cfg
- mode: preserve
- - name: Restart+Enable haproxy
- ansible.builtin.service:
- name: haproxy
- enabled: true
- state: restarted
- - name: Setup wireguard configs
- ansible.builtin.template:
- src: ./configs/wireguard/wg0.conf
- dest: /etc/wireguard/wg0.conf
- mode: preserve
- - name: Enable wireguard
- ansible.builtin.service:
- name: wg-quick@wg0
- enabled: true
- state: restarted
diff --git a/privfrontends/configs/breezewiki/config.ini b/privfrontends/configs/breezewiki/config.ini
deleted file mode 100644
index 82d1c6a..0000000
--- a/privfrontends/configs/breezewiki/config.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-canonical_origin = https://bw.projectsegfau.lt
-debug = false
-port = 10416
-strict_proxy = false
-feature_search_suggestions = true
diff --git a/privfrontends/configs/fail2ban/caddy-status.conf b/privfrontends/configs/fail2ban/caddy-status.conf
deleted file mode 100644
index 59312f4..0000000
--- a/privfrontends/configs/fail2ban/caddy-status.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-[Definition]
-failregex = ^.*"remote_ip":"",.*?"status":(?:429|403),.*$
-ignoreregex =
-datepattern = LongEpoch
diff --git a/privfrontends/configs/fail2ban/jail.local b/privfrontends/configs/fail2ban/jail.local
deleted file mode 100644
index 1e2de61..0000000
--- a/privfrontends/configs/fail2ban/jail.local
+++ /dev/null
@@ -1,271 +0,0 @@ -# -# WARNING: heavily refactored in 0.9.0 release. Please review and -# customize settings for your setup. -# -# Changes: in most of the cases you should not modify this -# file, but provide customizations in jail.local file, -# or separate .conf files under jail.d/ directory, e.g.: -# -# HOW TO ACTIVATE JAILS: -# -# YOU SHOULD NOT MODIFY THIS FILE. -# -# It will probably be overwritten or improved in a distribution update. -# -# Provide customizations in a jail.local file or a jail.d/customisation.local. -# For example to change the default bantime for all jails and to enable the -# ssh-iptables jail the following (uncommented) would appear in the .local file. -# See man 5 jail.conf for details. -# -# [DEFAULT] -# bantime = 1h -# -# [sshd] -# enabled = true -# -# See jail.conf(5) man page for more information - - - -# Comments: use '#' for comment lines and ';' (following a space) for inline comments - - -[INCLUDES] - -#before = paths-distro.conf -before = paths-debian.conf - -# The DEFAULT allows a global definition of the options. They can be overridden -# in each jail afterwards. - -[DEFAULT] - -# -# MISCELLANEOUS OPTIONS -# - -# "bantime.increment" allows to use database for searching of previously banned ip's to increase a -# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32... -bantime.increment = true - -# "bantime.rndtime" is the max number of seconds using for mixing with random time -# to prevent "clever" botnets calculate exact time IP can be unbanned again: -#bantime.rndtime = - -# "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further) -#bantime.maxtime = - -# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier, -# default value of factor is 1 and with default value of formula, the ban time -# grows by 1, 2, 4, 8, 16 ... 
-#bantime.factor = 1 - -# "bantime.formula" used by default to calculate next value of ban time, default value below, -# the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32... -#bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor -# -# more aggressive example of formula has the same values only for factor "2.0 / 2.885385" : -#bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor) - -# "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding -# previously ban count and given "bantime.factor" (for multipliers default is 1); -# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, -# always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours -#bantime.multipliers = 1 2 4 8 16 32 64 -# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin, -# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day -#bantime.multipliers = 1 5 30 60 300 720 1440 2880 - -# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed -# cross over all jails, if false (default), only current jail of the ban IP will be searched -#bantime.overalljails = false - -# -------------------- - -# "ignoreself" specifies whether the local resp. own IP addresses should be ignored -# (default is true). Fail2ban will not ban a host which matches such addresses. -#ignoreself = true - -# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban -# will not ban a host which matches an address in this list. Several addresses -# can be defined using space (and/or comma) separator. -#ignoreip = 127.0.0.1/8 ::1 - -# External command that will take an tagged arguments to ignore, e.g. , -# and return true if the IP is to be ignored. 
False otherwise. -# -# ignorecommand = /path/to/command -ignorecommand = - -# "bantime" is the number of seconds that a host is banned. -bantime = 10m - -# A host is banned if it has generated "maxretry" during the last "findtime" -# seconds. -findtime = 10m - -# "maxretry" is the number of failures before a host get banned. -maxretry = 5 - -# "maxmatches" is the number of matches stored in ticket (resolvable via tag in actions). -maxmatches = %(maxretry)s - -# "backend" specifies the backend used to get files modification. -# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". -# This option can be overridden in each jail as well. -# -# pyinotify: requires pyinotify (a file alteration monitor) to be installed. -# If pyinotify is not installed, Fail2ban will use auto. -# gamin: requires Gamin (a file alteration monitor) to be installed. -# If Gamin is not installed, Fail2ban will use auto. -# polling: uses a polling algorithm which does not require external libraries. -# systemd: uses systemd python library to access the systemd journal. -# Specifying "logpath" is not valid for this backend. -# See "journalmatch" in the jails associated filter config -# auto: will try to use the following backends, in order: -# pyinotify, gamin, polling. -# -# Note: if systemd backend is chosen as the default but you enable a jail -# for which logs are present only in its own log files, specify some other -# backend for that jail (e.g. polling) and provide empty value for -# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 -backend = auto - -# "usedns" specifies if jails should trust hostnames in logs, -# warn when DNS lookups are performed, or ignore all hostnames in logs -# -# yes: if a hostname is encountered, a DNS lookup will be performed. -# warn: if a hostname is encountered, a DNS lookup will be performed, -# but it will be logged as a warning. 
-# no: if a hostname is encountered, will not be used for banning, -# but it will be logged as info. -# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user) -usedns = warn - -# "logencoding" specifies the encoding of the log files handled by the jail -# This is used to decode the lines from the log file. -# Typical examples: "ascii", "utf-8" -# -# auto: will use the system locale setting -logencoding = auto - -# "enabled" enables the jails. -# By default all jails are disabled, and it should stay this way. -# Enable only relevant to your setup jails in your .local or jail.d/*.conf -# -# true: jail will be enabled and log files will get monitored for changes -# false: jail is not enabled -enabled = false - - -# "mode" defines the mode of the filter (see corresponding filter implementation for more info). -mode = normal - -# "filter" defines the filter to use by the jail. -# By default jails have names matching their filter name -# -filter = %(__name__)s[mode=%(mode)s] - - -# -# ACTIONS -# - -# Some options used for actions - -# Destination email address used solely for the interpolations in -# jail.{conf,local,d/*} configuration files. -destemail = root@localhost - -# Sender email address used solely for some actions -sender = root@ - -# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the -# mailing. Change mta configuration parameter to mail if you want to -# revert to conventional 'mail'. -mta = sendmail - -# Default protocol -protocol = tcp - -# Specify chain where jumps would need to be added in ban-actions expecting parameter chain -chain = - -# Ports to be banned -# Usually should be overridden in a particular jail -port = 0:65535 - -# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3 -fail2ban_agent = Fail2Ban/%(fail2ban_version)s - -# -# Action shortcuts. To be used to define action parameter - -# Default banning action (e.g. 
iptables, iptables-new, -# iptables-multiport, shorewall, etc) It is used to define -# action_* variables. Can be overridden globally or per -# section within jail.local file -banaction = iptables-multiport -banaction_allports = iptables-allports - -# The simplest action to take: ban only -action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - -# ban & send an e-mail with whois report to the destemail. -action_mw = %(action_)s - %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] - -# ban & send an e-mail with whois report and relevant log lines -# to the destemail. -action_mwl = %(action_)s - %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] - -# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action -# -# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines -# to the destemail. -action_xarf = %(action_)s - xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"] - -# ban & send a notification to one or more of the 50+ services supported by Apprise. -# See https://github.com/caronc/apprise/wiki for details on what is supported. -# -# You may optionally over-ride the default configuration line (containing the Apprise URLs) -# by using 'apprise[config="/alternate/path/to/apprise.cfg"]' otherwise -# /etc/fail2ban/apprise.conf is sourced for your supported notification configuration. -# action = %(action_)s -# apprise - -# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines -# to the destemail. 
-action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] - %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] - -# Report block via blocklist.de fail2ban reporting service API -# -# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action. -# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation -# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey` -# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in -# corresponding jail.d/my-jail.local file). -# -action_blocklist_de = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] - -# Report ban via abuseipdb.com. -# -# See action.d/abuseipdb.conf for usage example and details. -# -action_abuseipdb = abuseipdb - -# Choose default action. To change, just override value of 'action' with the -# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local -# globally (section [DEFAULT]) or per specific section -action = %(action_)s - - - -[caddy-status] -enabled = true -port = http,https -filter = caddy-status -logpath = /var/log/caddy/ratelimiters.log diff --git a/privfrontends/configs/hyperpipe/entrypoint.sh b/privfrontends/configs/hyperpipe/entrypoint.sh deleted file mode 100644 index de39256..0000000 --- a/privfrontends/configs/hyperpipe/entrypoint.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -find /usr/share/nginx/html -type f -exec sed -i s/pipedapi.kavin.rocks/{% if server_prefix == 'eu' %}api.piped.projectsegfau.lt{%else%}pipedapi.{{server_prefix}}.projectsegfau.lt{%endif%}/g {} \; -exec sed -i s/hyperpipeapi.onrender.com/hyperpipebackend.{{ server_prefix }}.projectsegfau.lt/g {} \; && /docker-entrypoint.sh && nginx -g "daemon off;" 
diff --git a/privfrontends/configs/librarian/config.yml b/privfrontends/configs/librarian/config.yml
deleted file mode 100644
index 6f215de..0000000
--- a/privfrontends/configs/librarian/config.yml
+++ /dev/null
@@ -1,70 +0,0 @@ -DOMAIN: 'https://lbry.projectsegfau.lt' -PORT: '3550' -FIBER_PREFORK: false -# Optional: Set address to bind to, example: 127.0.0.1 -ADDRESS: '' -# Running a custom API server is not recommended and is not suitable for a public instance -API_URL: 'https://api.na-backend.odysee.com/api/v1/proxy' -# Block access to claims in case of DMCA -BLOCKED_CLAIMS: - - claimId -# AUTH_TOKEN and HMAC_KEY is automatically generated -AUTH_TOKEN: '{{librarian_auth_token}}' -HMAC_KEY: '{{librarian_hmac_key}}' -# Create IMAGE_CACHE_DIR before enabling image caching -IMAGE_CACHE: false -IMAGE_CACHE_DIR: '/var/cache/librarian' -IMAGE_CACHE_CLEANUP_INTERVAL: 24h -# The next 2 options will proxy video data through the instance. -# This will cause increased bandwidth usage. -# ENABLE_STREAM_PROXY proxies videos and ENABLE_LIVESTREAM enables livestreams. -ENABLE_STREAM_PROXY: true -ENABLE_LIVESTREAM: true -# Set custom SponsorBlock URL (with https://github.com/mchangrh/sb-mirror or other) -SPONSORBLOCK_URL: 'https://sponsor.ajay.app' -# Advanced: Custom video streaming endpoint -VIDEO_STREAMING_URL: '' -# Rewrite links to other frontends. example: https://yt.domain.tld -FRONTEND: - youtube: 'https://invidious.projectsegfau.lt' - twitter: 'https://nitter.projectsegfau.lt' - imgur: 'https://rimgo.projectsegfau.lt' - instagram: '' - tiktok: '' - reddit: 'https://libreddit.projectsegfau.lt' -# Default instance settings -DEFAULT_SETTINGS: - theme: 'dark' # system, light, dark - relatedVideos: true - nsfw: false - autoplay: false - speed: '1' # 0.25, 0.5, 0.75, 1, 1.25, 1.5, 1.75, 2, 4 - quality: '0' # 0 - Auto, 144 - 144p, 360 - 360p, 720 - 720p, 1080 - 1080p - sponsorblock: - sponsor: true - selfpromo: true - interaction: true - intro: false - outro: false - preview: false - filler_tangent: false -# Instance privacy: This is required to get your instance listed. 
For more info,
-# See: https://codeberg.org/librarian/librarian/wiki/Instance-privacy
-INSTANCE_PRIVACY:
-# This is the default if you are using NGINX and have not disabled data collection.
-# Read https://codeberg.org/librarian/librarian/wiki/Instance-privacy
- DATA_NOT_COLLECTED: true
- DATA_COLLECTED_IP: true
- DATA_COLLECTED_URL: true
- DATA_COLLECTED_DEVICE: true
- DATA_COLLECTED_DIAGNOSTIC_ONLY: false
-
- INSTANCE_COUNTRY: "{{country}}"
- INSTANCE_PROVIDER: "{{isp}}"
-
- # Cloudflare use is discouraged. You can set this to false if it is not proxied (gray cloud icon)
- INSTANCE_CLOUDFLARE: false
- # Optional: Explain your usage of data (if collected) and how it is stored.
- MESSAGE: ""
- # Link to your privacy policy, leave blank if you don't have one.
- PRIVACY_POLICY: "https://projectsegfau.lt/legal/privacy-policy"
diff --git a/privfrontends/configs/nitter/nitter.conf b/privfrontends/configs/nitter/nitter.conf
index bf49f8c..fff56c3 100644
--- a/privfrontends/configs/nitter/nitter.conf
+++ b/privfrontends/configs/nitter/nitter.conf
@@ -36,9 +36,9 @@ tokenCount = 10
# Change default preferences here, see src/prefs_impl.nim for a complete list
[Preferences]
theme = "Nitter"
-replaceTwitter = "nitter.projectsegfau.lt"
-replaceYouTube = "invidious.projectsegfau.lt"
-replaceReddit = "libreddit.projectsegfau.lt"
+replaceTwitter = ""
+replaceYouTube = ""
+replaceReddit = ""
replaceInstagram = ""
proxyVideos = false
hlsPlayback = true
diff --git a/privfrontends/configs/priviblur/config.toml b/privfrontends/configs/priviblur/config.toml
deleted file mode 100644
index 5bb6792..0000000
--- a/privfrontends/configs/priviblur/config.toml
+++ /dev/null
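Review bot: Blanking `replaceTwitter` switches off the rewriting of twitter.com links in tweet bodies to this very instance, which is a privacy regression for a Nitter deployment that is evidently still in service (nitter stays in the restart list in cron/hourly-restarts.yaml); if the intent was only to stop pointing at retired Invidious and libreddit instances, keep `replaceTwitter = "nitter.projectsegfau.lt"`. redlib is still in that same restart list, so `replaceReddit` could presumably point at the redlib hostname instead of nothing — worth confirming what that instance is served as. The rest of the `[Preferences]` section continues outside the hunk.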
@@ -1,68 +0,0 @@ -# Controls deployment options -[deployment] - host = "0.0.0.0" - port = 8000 - - # Amount of worker Priviblur instances to spawn. Increases speed significantly. - workers = 4 - - # # If you're running Priviblur behind a remote proxy, one or more of the following must be set - # # can also be set via env variables by captialzing and prefixing with PRIVIBLUR_ - # # - # # For more information see - # # https://sanic.dev/en/guide/advanced/proxy-headers.html - # # - # # Default: None - # # - # forwarded_secret = - # real_ip_header = - # proxies_count = - -# Controls redis cache options -# Ignore to disable the cache -# -[cache] - url = "redis://priviblur-redis:6379" - - # Number of seconds to cache poll results from active polls - cache_active_poll_results_for = 3600 - - # Number of seconds to cache poll results from expired polls - cache_expired_poll_results_for = 86400 - - # Number of seconds to cache feed (explore, search, etc) results for - cache_feed_for = 3600 - - # Number of seconds to cache blog feed (blog posts, blog search, blog tagged posts, etc) results for - cache_blog_feed_for = 3600 - - # Number of seconds to cache individual posts for - cache_blog_post_for = 300 - -# Controls behaviors pertaining to the way Priviblur requests Tumblr -[priviblur_backend] - # # Timeout for requests to Tumblr's API - main_response_timeout = 10 - - # # Timeout for fetching image responses from Tumblr - image_response_timeout = 30 - - -# Controls logging behavior -# -# Use Python's numerical logging levels -# https://docs.python.org/3/howto/logging.html#logging-levels -# [logging] - # # Sanic (Server)'s logging level' - # sanic_logging_level = 30 - - # # Priviblur's logging level - # priviblur_logging_level = 30 - - # # Priviblur extractor's logging level - # priviblur_extractor_logging_level = 20 - - -# [misc] - # # Enable sanic's dev mode - # dev_mode = false 
diff --git a/privfrontends/configs/redlib/policy.yml b/privfrontends/configs/redlib/policy.yml
deleted file mode 100644
index a8e2006..0000000
--- a/privfrontends/configs/redlib/policy.yml
+++ /dev/null
@@ -1,180 +0,0 @@ -challenges: - dnsbl: - runtime: dnsbl - parameters: - dnsbl-host: "dnsbl.dronebl.org" - dnsbl-decay: 1h - dnsbl-timeout: 1s - -conditions: - - is-static-asset: - - 'path == "/apple-touch-icon.png"' - - 'path == "/apple-touch-icon-precomposed.png"' - - 'path.matches("\\.(manifest|ttf|woff|woff2|jpg|jpeg|gif|png|webp|avif|svg|mp4|webm|css|js|mjs|wasm)$")' - - is-suspicious-crawler: - - 'userAgent.contains("Presto/") || userAgent.contains("Trident/")' - # Old IE browsers - - 'userAgent.matches("MSIE ([2-9]|10|11)\\.")' - # Old Linux browsers - - 'userAgent.matches("Linux i[63]86") || userAgent.matches("FreeBSD i[63]86")' - # Old Windows browsers - - 'userAgent.matches("Windows (3|95|98|CE)") || userAgent.matches("Windows NT [1-5]\\.")' - # Old mobile browsers - - 'userAgent.matches("Android [1-5]\\.") || userAgent.matches("(iPad|iPhone) OS [1-9]_")' - # Old generic browsers - - 'userAgent.startsWith("Opera/")' - #- 'userAgent.matches("Gecko/(201[0-9]|200[0-9])")' - - 'userAgent.matches("^Mozilla/[1-4]")' - - -# Rules are checked sequentially in order, from top to bottom -rules: - - name: allow-well-known-resources - conditions: - - '($is-well-known-asset)' - action: pass - - - name: allow-static-resources - conditions: - - '($is-static-asset)' - action: pass - - - name: allow-hls-js - conditions: - - 'path == "/hls.min.js"' - - 'path.startsWith("/hls/")' - action: pass - - - name: allow-private-networks - conditions: - # Allows localhost and private networks CIDR - - *is-network-localhost - - *is-network-private - action: pass - - - name: undesired-crawlers - conditions: - - '($is-headless-chromium)' - - 'userAgent.startsWith("Lightpanda/")' - - 'userAgent.startsWith("masscan/")' - # Typo'd opera botnet - - 'userAgent.matches("^Opera/[0-9.]+\\.\\(")' - # AI bullshit stuff, they do not respect robots.txt even while they read it - # TikTok Bytedance AI training - - 'userAgent.contains("Bytedance") || userAgent.contains("Bytespider") || 
userAgent.contains("TikTokSpider")' - # Meta AI training; The Meta-ExternalAgent crawler crawls the web for use cases such as training AI models or improving products by indexing content directly. - - 'userAgent.contains("meta-externalagent/") || userAgent.contains("meta-externalfetcher/") || userAgent.contains("FacebookBot")' - # Who the fuck is this ? - - 'userAgent.contains("SemrushBot") || userAgent.contains("Barklower")' - # Anthropic AI training and usage - - 'userAgent.contains("ClaudeBot") || userAgent.contains("Claude-User")|| userAgent.contains("Claude-SearchBot")' - # Common Crawl AI crawlers - - 'userAgent.contains("CCBot")' - # ChatGPT AI crawlers https://platform.openai.com/docs/bots - - 'userAgent.contains("GPTBot") || userAgent.contains("OAI-SearchBot") || userAgent.contains("ChatGPT-User")' - # Other AI crawlers - - 'userAgent.contains("Amazonbot") || userAgent.contains("Google-Extended") || userAgent.contains("PanguBot") || userAgent.contains("AI2Bot") || userAgent.contains("Diffbot") || userAgent.contains("cohere-training-data-crawler") || userAgent.contains("Applebot-Extended")' - # SEO / Ads and marketing - - 'userAgent.contains("BLEXBot")' - # Yandex isn't catched, and doesn't seem to care about robots.txt - - 'userAgent.contains("YandexBot/3.0; +http://yandex.com/bots)"' - # At this point I'd rather not have any search browser crawl the frontend. 
- - *is-bot-googlebot - - *is-bot-bingbot - - *is-bot-duckduckbot - - *is-bot-kagibot - - *is-bot-qwantbot - - *is-bot-yandexbot - action: drop - - - name: unknown-crawlers - conditions: - # No user agent set - - 'userAgent == ""' - action: deny - - # check a sequence of challenges - - name: suspicious-crawlers - conditions: ['($is-suspicious-crawler)'] - action: none - children: - - name: 0 - action: check - settings: - challenges: [js-refresh, js-pow-sha256] - - name: 1 - action: check - settings: - challenges: [preload-link, resource-load] - - name: 2 - action: check - settings: - challenges: [header-refresh] - - # check DNSBL and serve harder challenges - # todo: make this specific to score - - name: undesired-dnsbl - action: check - settings: - challenges: [dnsbl] - # if DNSBL fails, check additional challenges - fail: check - fail-settings: - challenges: [js-refresh, js-pow-sha256] - - - name: suspicious-fetchers - action: check - settings: - challenges: [js-refresh, js-pow-sha256] - conditions: - - 'userAgent.contains("facebookexternalhit/") || userAgent.contains("facebookcatalog/")' - - # Allow PUT/DELETE/PATCH/POST requests in general - - name: non-get-request - action: pass - conditions: - - '!(method == "HEAD" || method == "GET")' - - # Enable fetching OpenGraph and other tags from backend on these paths - - name: enable-meta-tags - action: context - settings: - context-set: - # Map OpenGraph or similar tags back to the reply, even if denied/challenged - proxy-meta-tags: "true" - response-headers: - # Solves the varnish bug even if we pulled it through a different way. 
- reddit-stats: - - io=1 - via: - - 1.1 varnish - - # Set additional response headers - #response-headers: - # X-Clacks-Overhead: - # - GNU Terry Pratchett - - - name: plaintext-browser - action: challenge - settings: - challenges: [meta-refresh, cookie] - conditions: - - 'userAgent.startsWith("Lynx/")' - - # Uncomment this rule out to challenge tool-like user agents - - name: standard-tools - action: challenge - settings: - challenges: [cookie] - conditions: - - '($is-generic-robot-ua)' - - '($is-tool-ua)' - - '!($is-generic-browser)' - - - name: standard-browser - action: challenge - settings: - challenges: [preload-link, meta-refresh, resource-load, js-refresh, js-pow-sha256] - conditions: diff --git a/privfrontends/configs/searxng/settings.yml b/privfrontends/configs/searxng/settings.yml deleted file mode 100644 index 92afd1a..0000000 --- a/privfrontends/configs/searxng/settings.yml +++ /dev/null 
@@ -1,190 +0,0 @@ -use_default_settings: true -general: - debug: false - instance_name: "SearXNG | Project Segfault" - privacypolicy_url: https://projectsegfau.lt/legal/privacy-policy - donation_url: https://projectsegfau.lt/donate - contact_url: https://projectsegfau.lt/contact - enable_metrics: true -server: - # base_url is defined in the SEARXNG_BASE_URL environment variable, see .env and docker-compose.yml - secret_key: "{{searxng_secret_key}}" # change this! - limiter: false # can be disabled for a private instance - image_proxy: true - method: "GET" - public_instance: true -ui: - static_use_hash: false - query_in_title: true - infinite_scroll: true - default_theme: simple - center_alignment: true - default_locale: "en" - results_on_new_tab: true - theme_args: - simple_style: auto -redis: - url: redis://searxng-redis:6379/0 -search: - # Filter results. 0: None, 1: Moderate, 2: Strict - safe_search: 1 - # Default search language - leave blank to detect from browser information or - # Existing autocomplete backends: "dbpedia", "duckduckgo", "google", "yandex", "mwmbl", - # "seznam", "startpage", "stract", "swisscows", "qwant", "wikipedia" - leave blank to turn it off - # by default. 
- autocomplete: "" - # minimun characters to type before autocompleter starts - autocomplete_min: 4 - # use codes from 'languages.py' - default_lang: "en" - # ban time in seconds after engine errors - ban_time_on_fail: 5 - # max ban time in seconds after engine errors - max_ban_time_on_fail: 120 - suspended_times: - # Engine suspension time after error (in seconds; set to 0 to disable) - # For error "Access denied" and "HTTP error [402, 403]" - SearxEngineAccessDenied: 86400 - # For error "CAPTCHA" - SearxEngineCaptcha: 86400 - # For error "Too many request" and "HTTP error 429" - SearxEngineTooManyRequests: 3600 - # Cloudflare CAPTCHA - cf_SearxEngineCaptcha: 1296000 - cf_SearxEngineAccessDenied: 86400 - # ReCAPTCHA - recaptcha_SearxEngineCaptcha: 604800 - formats: - - html - - csv - - json - - rss -outgoing: - enable_http2: true -enabled_plugins: - - 'Hash plugin' - - 'Self Information' - - 'Tracker URL remover' - - 'Open Access DOI rewrite' - - 'Vim-like hotkeys' - - 'Tor check plugin' - - 'Search on category select' -engines: - - name: google - disabled: false - - name: bing - engine: bing - shortcut: bi - disabled: false - - - name: crowdview - engine: json_engine - shortcut: cv - categories: general - paging: false - search_url: https://crowdview-next-js.onrender.com/api/search-v3?query={query} - results_query: results - url_query: link - title_query: title - content_query: snippet - disabled: false - about: - website: https://crowdview.ai/ - - name: duckduckgo - engine: duckduckgo - shortcut: ddg - disabled: true # DDG is useless since it just scrapes bing for results anyway - - name: wikiquote - engine: mediawiki - shortcut: wq - categories: general - base_url: "https://{language}.wikiquote.org/" - number_of_results: 5 - search_type: text - about: - website: https://www.wikiquote.org/ - wikidata_id: Q369 - disabled: false - - name: brave - engine: brave - shortcut: br - time_range_support: true - paging: true - categories: [general, web] - brave_category: 
search - # brave_spellcheck: true - - - name: brave.images - engine: brave - network: brave - shortcut: brimg - categories: [images, web] - brave_category: images - - - name: brave.videos - engine: brave - network: brave - shortcut: brvid - categories: [videos, web] - brave_category: videos - - - name: brave.news - engine: brave - network: brave - shortcut: brnews - categories: news - brave_category: news - - name: codeberg - engine: json_engine - search_url: https://codeberg.org/api/v1/repos/search?q={query}&limit=10 - url_query: html_url - title_query: name - content_query: description - categories: [it, repos] - shortcut: cb - about: - website: https://codeberg.org/ - wikidata_id: - official_api_documentation: https://try.gitea.io/api/swagger - use_official_api: false - require_api_key: false - results: JSON - disabled: false - - name: gitlab - engine: json_engine - paging: true - search_url: https://gitlab.com/api/v4/projects?search={query}&page={pageno} - url_query: web_url - title_query: name_with_namespace - content_query: description - page_size: 20 - categories: [it, repos] - shortcut: gl - timeout: 10.0 - about: - website: https://about.gitlab.com/ - wikidata_id: Q16639197 - official_api_documentation: https://docs.gitlab.com/ee/api/ - use_official_api: false - require_api_key: false - results: JSON - disabled: false - - name: sourcehut - shortcut: srht - engine: xpath - paging: true - search_url: https://sr.ht/projects?page={pageno}&search={query} - results_xpath: (//div[@class="event-list"])[1]/div[@class="event"] - url_xpath: ./h4/a[2]/@href - title_xpath: ./h4/a[2] - content_xpath: ./p - first_page_num: 1 - categories: [it, repos] - disabled: false - about: - website: https://sr.ht - wikidata_id: Q78514485 - official_api_documentation: https://man.sr.ht/ - use_official_api: false - require_api_key: false - results: HTML 
diff --git a/privfrontends/configs/shoelace/shoelace.toml b/privfrontends/configs/shoelace/shoelace.toml deleted file mode 100644 index e686a89..0000000 --- a/privfrontends/configs/shoelace/shoelace.toml +++ /dev/null @@ -1,51 +0,0 @@ -[server] -# Address to listen on -listen="0.0.0.0" -# Port to bind -port=8080 -# Instance URL. Needed for accurate proxied media locations in API -base_url="https://lace.projectsegfau.lt" - -[server.tls] -# Enable TLS support -enabled=false -# Path for certificate chain, in PEM format -cert="cert.pem" -# Path for key file, in PEM format -key="key.pem" - -[endpoint] -# Toggle the frontend -frontend=true -# Toggle the API -api=true - -[proxy] -# Proxy backend. Valid options are: -# - none: Disable the media proxy. Not recommended if frontend is enabled -# - internal: Stores values in memory. Destroys itself after stopping Shoelace. -# - redis: Stores values in a Redis server. Higher performance. Requires additional software -backend="internal" - -[proxy.redis] -# URI for Redis server. -# - TCP: redis://[][:@][:port][/] -# - Unix socket: redis+unix:///[?db=[&pass=][&user=]] -uri="redis://127.0.0.1/" - -[logging] -# Sets log level, for both stdout and logfiles. Valid levels are: -# - error: Shows errors presented during runtime -# - warn: Plus Alerts -# - info: Plus useful information, such as PID, requests, etc. (Recommended) -# - debug: Plus verbose actions. Not being used much. -# - trace: Plus low-level, extremely verbose info. Not used much. -level = "info" -# Whether to log the IP of an incoming connection -log_ips = false -# Whether to log what URLs are being assigned to each hash -log_cdn = false -# Store logs in a text file -store = false -# Where to store the logs in that case -output = "shoelace.log" diff --git a/privfrontends/playbook.yaml b/privfrontends/playbook.yaml index 1fcbbc7..1d151d5 100644 --- a/privfrontends/playbook.yaml +++ b/privfrontends/playbook.yaml 
@@ -54,22 +54,3 @@ group: caddy mode: 0777 tags: caddy-non-update -- name: Fail2Ban - hosts: privfrontends - tasks: - - name: Copy jail.local config to fail2ban - ansible.builtin.copy: - src: "./configs/fail2ban/jail.local" - dest: "/etc/fail2ban/jail.local" - mode: "0644" - tags: fail2ban - - name: Copy caddy-status filter to fail2ban - ansible.builtin.copy: - src: "./configs/fail2ban/caddy-status.conf" - dest: "/etc/fail2ban/filter.d/caddy-status.conf" - mode: "0644" - tags: fail2ban - - name: Restart fail2ban - ansible.builtin.service: - name: fail2ban - state: restarted diff --git a/privfrontends/templates/Caddyfile.j2 b/privfrontends/templates/Caddyfile.j2 index e87f708..82e45c4 100644 --- a/privfrontends/templates/Caddyfile.j2 +++ b/privfrontends/templates/Caddyfile.j2 @@ -23,11 +23,8 @@ } (acmedns) { tls { - dns rfc2136 { - key_name "dynupd" - key_alg "hmac-sha256" - key "{{ rfc2136_key }}" - server "45.145.41.226:53" + dns desec { + token "{{ rfc2136_key }}" } } } 
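Review bot: The secret in the new `dns desec` block is still read from `rfc2136_key`, so the variable name now misdescribes the credential it carries (a deSEC API token rather than an RFC 2136 TSIG key). Rename it where it is defined, e.g. `token "{{ desec_token }}"` with the matching host_vars/vault key, so the scope and rotation procedure of the credential are evident to whoever reads the vault. Since nothing references the old `key_name`/`server` pair any more, the TSIG key should also be retired on the DNS server rather than left valid. The enclosing `(acmedns)` snippet is fully visible in the hunk.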
@@ -85,239 +82,86 @@ import ./*.Caddyfile -{{ inventory_hostname }}.projectsegfau.lt {% if inventory_hostname == 'eu' %} pizza1.projectsegfau.lt {% endif %} { - redir https://wiki.projectsegfau.lt/index.php?title={{ wiki_page }} -} -cdn.projectsegfau.lt cdn.{{ server_prefix }}.projectsegfau.lt { - encode zstd gzip - root * /var/cdn - file_server { - browse - } - import def -} -lbry.{{ server_prefix }}.projectsegfau.lt lbry.projectsegfau.lt { - reverse_proxy :3550 - import def - import torloc lbry -} -# We need this inventory_hostname block since nitter is only going to be on EU from now on -{% if inventory_hostname == 'eu' %} -nitter.projectsegfau.lt n.psf.lt { - reverse_proxy :8387 - import def - route { - reverse_proxy /outpost.goauthentik.io/* https://in.v.psf.lt:7444 { - header_up Host {http.reverse_proxy.upstream.hostport} - transport http { - tls_insecure_skip_verify - } - } - # Forward authentication requests to Authentik's outpost - forward_auth https://in.v.psf.lt:7444 { - transport http { - tls_insecure_skip_verify - } - uri /outpost.goauthentik.io/auth/caddy - - # Ensure these headers are passed, using correct capitalization - copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name - trusted_proxies private_ranges - } - } -} -nitter.eu.projectsegfau.lt nitter.us.projectsegfau.lt nitter.in.projectsegfau.lt { - redir https://nitter.projectsegfau.lt{uri} +:8093 { + cgi /vnstat /var/lib/caddy/www/vnstat-metrics.cgi } -n.eu.psf.lt n.us.psf.lt n.in.psf.lt { - redir https://n.psf.lt{uri} -} -{% endif %} -libreddit.{{ server_prefix }}.projectsegfau.lt libreddit.projectsegfau.lt lr.psf.lt lr.{{ server_prefix }}.psf.lt { - reverse_proxy :6464 - route { - reverse_proxy /preview/* :6465 - } - import def - log { - # This is temporarily required to monitor nitter traffic due to scrapers being more active, so we need to monitor and rate limit them at a later date. 
- output file /var/log/caddy/ratelimiters.log - format json - } - import torloc libreddit -} teddit.{{ server_prefix }}.projectsegfau.lt teddit.projectsegfau.lt t.psf.lt t.{{ server_prefix }}.psf.lt { - redir https://libreddit.projectsegfau.lt{uri} + respond "Service has been shutdown" import def import torloc teddit } inv.{{ server_prefix }}.projectsegfau.lt i.{{ server_prefix }}.psf.lt { - reverse_proxy :7573 { - header_up Host "inv.{{ server_prefix }}.projectsegfau.lt" - } - @pipedproxy { - path /videoplayback - path /videoplayback/* - path /vi/* - path /ggpht/* - } - handle @pipedproxy { - reverse_proxy :6970 { - header_up Host "pipedproxy.{{ server_prefix }}.projectsegfau.lt" - } - @jpgRedirect path_regexp maxres2 /vi/(.+)/maxres.jpg - @thumbnailRedirect path /ggpht/* - uri @thumbnailRedirect strip_prefix /ggpht - rewrite @thumbnailRedirect ?host=yt3.ggpht.com - uri @jpgRedirect replace /maxres.jpg /maxres2.jpg - rewrite /vi/* ?host=i.ytimg.com - } + respond "Service has been shutdown" import def - header -X-Frame-Options - header -Content-Security-Policy - log { - # This is temporarily required to monitor nitter traffic due to scrapers being more active, so we need to monitor and rate limit them at a later date. 
- output file /var/log/caddy/ratelimiters.log - format json - } -} -gothub.{{ server_prefix }}.projectsegfau.lt gothub.projectsegfau.lt gh.psf.lt gh.{{ server_prefix }}.psf.lt { - reverse_proxy :1024 - import def - import torloc gothub + import torloc inv } overflow.{{ server_prefix }}.projectsegfau.lt overflow.projectsegfau.lt o.psf.lt o.{{ server_prefix }}.psf.lt { - reverse_proxy :8694 + respond "Service has been shutdown" import def import torloc overflow } rimgo.{{ server_prefix }}.projectsegfau.lt rimgo.projectsegfau.lt rg.psf.lt rg.{{ server_prefix }}.psf.lt { - reverse_proxy :9016 + respond "Service has been shutdown" import def import torloc rimgo } bw.{{ server_prefix }}.projectsegfau.lt bw.projectsegfau.lt bw.psf.lt bw.{{ server_prefix }}.psf.lt { import def import torloc breezewiki - reverse_proxy :10416 + respond "Service has been shutdown" } scribe.{{ server_prefix }}.projectsegfau.lt scribe.projectsegfau.lt sc.psf.lt sc.{{ server_prefix }}.psf.lt { import def import torloc scribe - reverse_proxy :8006 -} -translate.{{ server_prefix }}.projectsegfau.lt translate.projectsegfau.lt tl.psf.lt tl.{{ server_prefix }}.psf.lt { - import def - reverse_proxy :5046 - import torloc translate + respond "Service has been shutdown" } safetwitch.{{ server_prefix }}.projectsegfau.lt safetwitch.projectsegfau.lt tw.psf.lt tw.{{ server_prefix }}.psf.lt { import def - reverse_proxy :5070 + respond "Service has been shutdown" import torloc safetwitch } api.safetwitch.{{ server_prefix }}.projectsegfau.lt { - reverse_proxy :5072 + respond "Service has been shutdown" # Something is taking the port 5071, I've went ahead and changed it to 5072 temporarily, can be permanently kept. 
import def } hyperpipe.{{ server_prefix }}.projectsegfau.lt hyperpipe.projectsegfau.lt hp.psf.lt hp.{{ server_prefix }}.psf.lt { import def - reverse_proxy :8843 + respond "Service has been shutdown" } hyperpipebackend.{{ server_prefix }}.projectsegfau.lt { - reverse_proxy :3536 + respond "Service has been shutdown" import def } search.{{ server_prefix }}.projectsegfau.lt search.projectsegfau.lt s.psf.lt s.{{ server_prefix }}.psf.lt { import def import torloc search - reverse_proxy :8081 { - header_up X-Real-IP {remote_host} - } - @api { - path /config - path /healthz - path /stats/errors - path /stats/checker - } - @static { - path /static/* - } - @notstatic { - not path /static/* - } - @imageproxy { - path /image_proxy - } - @notimageproxy { - not path /image_proxy - } - header { - # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS - Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" - # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type - X-Content-Type-Options "nosniff" - # Disable some features - Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()" - # Disable some features (legacy) - Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope 'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'" - # Referer - Referrer-Policy "no-referrer" - # X-Robots-Tag - X-Robots-Tag "noindex, noarchive, nofollow" - # Remove Server header - -Server - } - import acmedns - header @api { - Access-Control-Allow-Methods "GET, OPTIONS" - 
Access-Control-Allow-Origin "*" - } - # Cache - header @static { - # Cache - Cache-Control "public, max-age=31536000" - defer - } - header @notstatic { - # No Cache - Cache-Control "no-cache, no-store" - Pragma "no-cache" - } - # CSP (see http://content-security-policy.com/ ) - header @imageproxy { - Content-Security-Policy "default-src 'none'; img-src 'self' data:" - } - header @notimageproxy { - Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com" - } + respond "Service has been shutdown" } piped.{{ server_prefix }}.projectsegfau.lt pipedproxy.{{ server_prefix }}.projectsegfau.lt pipedapi.{{ server_prefix }}.projectsegfau.lt { - reverse_proxy :6970 + respond "Service has been shutdown" header -X-Frame-Options import def } pi.{{ server_prefix }}.psf.lt { - reverse_proxy :6970 { - header_up Host "{% if server_prefix == 'eu' %}piped.projectsegfau.lt{%else%}piped.{{ server_prefix }}.projectsegfau.lt{%endif%}" - } - header -X-Frame-Options + respond "Service has been shutdown" import def } priviblur.{{ server_prefix }}.projectsegfau.lt priviblur.projectsegfau.lt pb.psf.lt pb.{{ server_prefix }}.psf.lt { import def - reverse_proxy :9084 + respond "Service has been shutdown" import torloc priviblur } lace.{{ server_prefix }}.projectsegfau.lt lace.projectsegfau.lt l.psf.lt l.{{ server_prefix }}.psf.lt { import def - reverse_proxy :9029 + respond "Service has been shutdown" import torloc lace } -:8093 { - cgi /vnstat /var/lib/caddy/www/vnstat-metrics.cgi +lbry.{{ server_prefix 
}}.projectsegfau.lt lbry.projectsegfau.lt { + respond "Service has been shutdown" + import def + import torloc lbry } diff --git a/privfrontends/templates/eu/darknet.Caddyfile b/privfrontends/templates/eu/darknet.Caddyfile index 0f30379..624833d 100644 --- a/privfrontends/templates/eu/darknet.Caddyfile +++ b/privfrontends/templates/eu/darknet.Caddyfile @@ -36,19 +36,27 @@ http://*.p.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { # Privacy Frontends http://lbry.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { import tor lbry - reverse_proxy :3550 + reverse_proxy https://lbry.projectsegfau.lt { + header_up Host "lbry.projectsegfau.lt" + } } http://nitter.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { - reverse_proxy :8387 + reverse_proxy https://nitter.projectsegfau.lt { + header_up Host "nitter.projectsegfau.lt" + } import tor nitter } http://libreddit.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { import tor libreddit - reverse_proxy :6464 + reverse_proxy https://libreddit.projectsegfau.lt { + header_up Host "libreddit.projectsegfau.lt" + } } http://teddit.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { import tor teddit - reverse_proxy :9061 + reverse_proxy https://teddit.projectsegfau.lt { + header_up Host "teddit.projectsegfau.lt" + } } http://inv.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { import tor inv @@ -58,7 +66,9 @@ http://inv.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { } http://invbp.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { import tor invbp - reverse_proxy :7573 + reverse_proxy https://invbp.projectsegfau.lt { + header_up Host "invbp.projectsegfau.lt" + } } http://gothub.pjsfkvpxlinjamtawaksbnnaqs2fc2mtvmozrzckxh7f3kis6yea25ad.onion { import tor gothub diff --git a/privfrontends/templates/eu/misc.Caddyfile b/privfrontends/templates/eu/misc.Caddyfile index 5019d32..abdabb3 100644 
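Review bot: Every `respond "Service has been shutdown"` line in this hunk answers with HTTP 200, because `respond` uses that status when none is given, so uptime checks, the Tor mirrors that now proxy to these hostnames, and crawlers keep treating the retired services as healthy. Give the shutdown bodies an explicit status, `respond "Service has been shutdown" 410`, and since the same line is repeated across all the shutdown blocks (including the new `lbry` block at the end of the hunk) a `(shutdown)` snippet holding that one line would keep the status consistent; the `respond "... has shutdown"` lines in the misc.Caddyfile hunk of this commit have the same issue. The comment `# Something is taking the port 5071 ...` in the `api.safetwitch` block now follows a `respond` line and no longer describes anything in that block; drop it.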
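Review bot: The onion sites in this hunk now proxy to the public hostnames, so they inherit whatever the clearnet blocks do; with the misc.Caddyfile change in this same commit, `reverse_proxy https://nitter.projectsegfau.lt` will presumably pass Tor visitors through the Authentik `forward_auth` and send them to `in.v.psf.lt` for login, and `reverse_proxy https://teddit.projectsegfau.lt` proxies a `respond "Service has been shutdown"` page that could simply be served with `respond` here. Going back out through the public hostname also means the backend sees this host's own address as the client for every Tor request, so any per-IP limiting on those blocks would collapse onto one address — worth confirming that is intended. The second hunk of this file (`invbp`) has the same shape and the same considerations.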
--- a/privfrontends/templates/eu/misc.Caddyfile
+++ b/privfrontends/templates/eu/misc.Caddyfile
@@ -1,87 +1,76 @@ +projectsegfau.lt www.projectsegfau.lt web.dev.projectsegfau.lt www.psf.lt psf.lt { + reverse_proxy :1339 + import def +} sl.projectsegfau.lt sl.psf.lt { reverse_proxy :7777 import def } -inv.bp.projectsegfau.lt, i.bp.psf.lt, invidious.projectsegfau.lt, inv.projectsegfau.lt, i.psf.lt { - reverse_proxy :7573 { - header_up Host "invidious.projectsegfau.lt" - } - @pipedproxy { - path /videoplayback - path /videoplayback/* - path /vi/* - path /ggpht/* - } - handle @pipedproxy { - reverse_proxy :6970 { - header_up Host "proxy.piped.projectsegfau.lt" - } - @jpgRedirect path_regexp maxres2 /vi/(.+)/maxres.jpg - @thumbnailRedirect path /ggpht/* - uri @thumbnailRedirect strip_prefix /ggpht - rewrite @thumbnailRedirect ?host=yt3.ggpht.com - uri @jpgRedirect replace /maxres.jpg /maxres2.jpg - rewrite /vi/* ?host=i.ytimg.com - } +nitter.projectsegfau.lt n.psf.lt { + reverse_proxy :8387 import def - header -X-Frame-Options - header -Content-Security-Policy - log { - # This is temporarily required to monitor nitter traffic due to scrapers being more active, so we need to monitor and rate limit them at a later date. 
- output file /var/log/caddy/ratelimiters.log - format json + route { + reverse_proxy /outpost.goauthentik.io/* https://in.v.psf.lt:7444 { + header_up Host {http.reverse_proxy.upstream.hostport} + transport http { + tls_insecure_skip_verify + } + } + # Forward authentication requests to Authentik's outpost + forward_auth https://in.v.psf.lt:7444 { + transport http { + tls_insecure_skip_verify + } + uri /outpost.goauthentik.io/auth/caddy + + # Ensure these headers are passed, using correct capitalization + copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name + trusted_proxies private_ranges + } } +} +libreddit.projectsegfau.lt lr.psf.lt { + reverse_proxy :6464 + import def + route { + reverse_proxy /preview/* :6465 + reverse_proxy /outpost.goauthentik.io/* https://in.v.psf.lt:7444 { + header_up Host {http.reverse_proxy.upstream.hostport} + transport http { + tls_insecure_skip_verify + } + } + # Forward authentication requests to Authentik's outpost + forward_auth https://in.v.psf.lt:7444 { + transport http { + tls_insecure_skip_verify + } + uri /outpost.goauthentik.io/auth/caddy + + # Ensure these headers are passed, using correct capitalization + copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name + trusted_proxies private_ranges + } + } +} + +# REDIRECTS/SHUTDOWNS +inv.bp.projectsegfau.lt, i.bp.psf.lt, invidious.projectsegfau.lt, inv.projectsegfau.lt, i.psf.lt { + respond "Invidious has shutdown" + import def import torloc invbp } -piped.projectsegfau.lt proxy.piped.projectsegfau.lt api.piped.projectsegfau.lt { - reverse_proxy :6970 - header -X-Frame-Options +piped.projectsegfau.lt proxy.piped.projectsegfau.lt api.piped.projectsegfau.lt pi.psf.lt { + respond "Piped has shutdown" import def } -pi.psf.lt { - reverse_proxy :6970 { - header_up Host "piped.projectsegfau.lt" - } - header -X-Frame-Options - import def -} -proxy.lbry.projectsegfau.lt { - reverse_proxy :3001 - import def -} -aryak.me { 
- reverse_proxy https://prox-arya.p.projectsegfau.lt { - header_up Host prox-arya.p.projectsegfau.lt - } -} -arya.projectsegfau.lt { - redir https://aryak.me{uri} - import acmedns -} -## OLD URL REDIRECTS + bb.us.projectsegfau.lt bb.in.projectsegfau.lt bb.eu.projectsegfau.lt bb.projectsegfau.lt { import def import torloc beatbump - redir https://hyperpipe.projectsegfau.lt{uri} + respond "Beatbump has shutdown" } ferrit.projectsegfau.lt snooddit.projectsegfau.lt { - redir https://libreddit.projectsegfau.lt{uri} permanent + respond "Ferrit/Snoodit/Libreddit/Redlib has been shutdown" import acmedns } -www.midou.dev midou.dev { - # reverse_proxy https://midou36o.github.io { - # header_up Host {http.reverse_proxy.upstream.hostport} - # } - #root * /var/www/midouwebsite - reverse_proxy :3000 - # Apparently sveltekit built apps needs to have strict path tries. - #try_files {path} {path}/index.html {path}.html =404 - #file_server -} -file.midou.dev { - reverse_proxy :8986 -} -fastdl.midou.dev { - root * /srv/fastdl-tf2 - file_server browse -} diff --git a/privfrontends/templates/eu/personal.Caddyfile b/privfrontends/templates/eu/personal.Caddyfile new file mode 100644 index 0000000..f5938da --- /dev/null +++ b/privfrontends/templates/eu/personal.Caddyfile @@ -0,0 +1,26 @@ +www.midou.dev midou.dev { + # reverse_proxy https://midou36o.github.io { + # header_up Host {http.reverse_proxy.upstream.hostport} + # } + #root * /var/www/midouwebsite + reverse_proxy :3000 + # Apparently sveltekit built apps needs to have strict path tries. + #try_files {path} {path}/index.html {path}.html =404 + #file_server +} +file.midou.dev { + reverse_proxy :8986 +} +fastdl.midou.dev { + root * /srv/fastdl-tf2 + file_server browse +} +aryak.me { + reverse_proxy https://prox-arya.p.projectsegfau.lt { + header_up Host prox-arya.p.projectsegfau.lt + } +} +arya.projectsegfau.lt { + redir https://aryak.me{uri} + import acmedns +} 
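Review bot: The `forward_auth https://in.v.psf.lt:7444` transports for nitter and libreddit set `tls_insecure_skip_verify`, so the authorization verdict and the copied `X-Authentik-*` identity headers come from a peer whose certificate is never checked; anyone positioned on the path between this host and `in.v.psf.lt` could answer the auth request. Verify the outpost instead: `tls_trusted_ca_certs <path-to-outpost-ca.pem>` (placeholder path) together with `tls_server_name in.v.psf.lt` in the `transport http` block, or give the outpost a publicly trusted certificate and drop the override; the `reverse_proxy /outpost.goauthentik.io/*` transports need the same treatment. The Authentik `route` is pasted verbatim into both site blocks, which is exactly how one copy ends up hardened and the other not; an `(authentik)` snippet imported by both would keep a single copy.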
diff --git a/privfrontends/templates/in/apps.Caddyfile b/privfrontends/templates/in/apps.Caddyfile index e85ae0c..9e2c8cb 100644 --- a/privfrontends/templates/in/apps.Caddyfile +++ b/privfrontends/templates/in/apps.Caddyfile @@ -1,9 +1,50 @@ # ---Apps Caddyfile--- - -# Cinny -cinny.projectsegfau.lt cy.psf.lt { - reverse_proxy :3069 +# Gitea +git.projectsegfau.lt { + reverse_proxy :3444 + respond /metrics 403 import def + request_body { + max_size 500MB + } + header { + Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';" + } + import torloc git +} +git.psf.lt { + reverse_proxy :3444 { + header_up Host "git.projectsegfau.lt" + } + respond /metrics 403 + import def + request_body { + max_size 500MB + } + header { + Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';" + } + import torloc git +} +translate.projectsegfau.lt tl.psf.lt { + import def + reverse_proxy :5046 + import torloc translate +} +gothub.projectsegfau.lt gh.psf.lt { + reverse_proxy :1024 + import def + import torloc gothub +} +gothub.dev.projectsegfau.lt gh.dev.psf.lt { + reverse_proxy :1025 + import def + import torloc gothub.dev +} +# MailU +mail.projectsegfau.lt { + import def + reverse_proxy :8082 } mtx.psf.lt { 
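Review bot: The `git.projectsegfau.lt` and `git.psf.lt` blocks repeat the same `respond /metrics 403`, `request_body`, Content-Security-Policy header and `import torloc git` lines, differing only in the `header_up Host` on the upstream; the hardening should live once in a snippet imported by both, so a later CSP or metrics change cannot land on one hostname and miss the other. If `'unsafe-eval' 'unsafe-inline'` in `script-src` is required by the upstream web UI, say so in a comment above the header so it is not later read as an oversight. The hunk's last context line `mtx.psf.lt {` opens a block that continues in the next hunk.
```caddyfile
(gitea) {
	respond /metrics 403
	import def
	request_body {
		max_size 500MB
	}
	header {
		Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
	}
	import torloc git
}
git.projectsegfau.lt {
	reverse_proxy :3444
	import gitea
}
git.psf.lt {
	reverse_proxy :3444 {
		header_up Host "git.projectsegfau.lt"
	}
	import gitea
}
# … unchanged: translate, gothub, gothub.dev and MailU blocks …
```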
@@ -11,23 +52,16 @@ mtx.psf.lt {
 import def
 }
-ss3.psf.lt {
- reverse_proxy :4567
+# Cinny
+cinny.projectsegfau.lt cy.psf.lt {
+ reverse_proxy :3069
 import def
 }
-www.projectsegfau.lt www.psf.lt {
- redir https://projectsegfau.lt{uri}
- import torloc www
- import acmedns
-}
-
-matrix.projectsegfau.lt {
- reverse_proxy /_matrix/* :8456
+# Hydrogen
+h2.projectsegfau.lt, hydrogen.projectsegfau.lt, h2.psf.lt {
+ reverse_proxy :3071
 import def
- handle_path / {
- redir https://wiki.projectsegfau.lt/Matrix
- }
 }
 # Element
@@ -43,23 +77,8 @@ doc.projectsegfau.lt {
 }
 import def
 }
-
-# Hydrogen
-h2.projectsegfau.lt, hydrogen.projectsegfau.lt, h2.psf.lt {
- reverse_proxy :3071
- import def
-}
-
-# Jitsi
-jitsi.projectsegfau.lt {
- reverse_proxy :8000 {
- header_up X-Real-IP {remote_host}
- }
- import acmedns
-}
-# Excalidraw backend for jitsi
-excalidraw.projectsegfau.lt {
- reverse_proxy :8695
+d.psf.lt {
+ redir https://doc.projectsegfau.lt{uri}
 import acmedns
 }
@@ -152,61 +171,11 @@ auth.p.projectsegfau.lt {
 }
 import def
 }
-# kbin
-kbin.projectsegfau.lt, kb.psf.lt {
- reverse_proxy :8014 {
- header_up X-Real-IP {remote_host}
- }
+
+ntfy.projectsegfau.lt {
 import def
+ reverse_proxy :8099
 }
-
-# RSS-Bridge
-rssbridge.projectsegfau.lt, rb.psf.lt {
- reverse_proxy :5678 {
- header_up X-Real-IP {remote_host}
- }
- import torloc rssbridge
- import def
-}
-
-# MatriXMPP Ejabberd
-matrixmpp.projectsegfau.lt https://matrixmpp.projectsegfau.lt:8448 {
- reverse_proxy :8446 {
- header_up X-Real-IP {remote_host}
- }
- header /.well-known/matrix/* Content-Type application/json
- header /.well-known/matrix/* Access-Control-Allow-Origin *
- handle_path /.well-known/* {
- root * /var/www/matrixmpp-well-known
- file_server
- }
- import acmedns
-}
-
-gothub.dev.projectsegfau.lt gh.dev.psf.lt {
- reverse_proxy :1025
- import def
- import torloc gothub.dev
-}
-ak.psf.lt {
- redir https://social.projectsegfau.lt{uri}
- import acmedns
-}
-j.psf.lt {
- redir https://jitsi.projectsegfau.lt{uri}
- import acmedns
-}
-d.psf.lt {
- redir https://doc.projectsegfau.lt{uri}
- import acmedns
-}
-
-rss.projectsegfau.lt freshrss.projectsegfau.lt rss.psf.lt {
- reverse_proxy :3529
- import def
- import torloc rss
-}
-
 owncloud.projectsegfau.lt {
 reverse_proxy http://127.0.0.1:9200
 import def
@@ -245,31 +214,38 @@ minio.projectsegfau.lt {
 reverse_proxy http://127.0.0.1:9000
 }
+mozhi.aryak.me {
+ reverse_proxy :5046
+}
+
+ak.psf.lt, social.projectsegfau.lt {
+ respond "Akkoma has shut down"
+ import acmedns
+}
+rss.projectsegfau.lt freshrss.projectsegfau.lt rss.psf.lt {
+ respond "FreshRSS has been shut down. If you have any data left on the instance, please email contact@projectsegfau.lt"
+ import def
+ import torloc rss
+}
+
+
 timetagger.projectsegfau.lt tt.psf.lt {
+ respond "Timetagger has been shut down. If you have any data left on the instance, please email contact@projectsegfau.lt"
 import def
- route {
- reverse_proxy /outpost.goauthentik.io/* https://localhost:7444 {
- header_up Host {http.reverse_proxy.upstream.hostport}
- transport http {
- tls_insecure_skip_verify
- }
- }
- # Forward authentication requests to Authentik's outpost
- forward_auth https://localhost:7444 {
- transport http {
- tls_insecure_skip_verify
- }
- uri /outpost.goauthentik.io/auth/caddy
-
- # Ensure these headers are passed, using correct capitalization
- copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name
- trusted_proxies private_ranges
- }
- }
- reverse_proxy http://localhost:9900
 }
-
-ntfy.projectsegfau.lt {
+# Jitsi
+jitsi.projectsegfau.lt, j.psf.lt {
+ respond "jitsi has been shut down."
+ import acmedns
+}
+# RSS-Bridge
+rssbridge.projectsegfau.lt, rb.psf.lt {
+ respond "RSS Bridge has been shut down. If you have any data left on the instance, please email contact@projectsegfau.lt"
+ import torloc rssbridge
+ import def
+}
+# kbin
+kbin.projectsegfau.lt, kb.psf.lt {
+ respond "Kbin has been shut down"
 import def
- reverse_proxy :8099
 }
diff --git a/privfrontends/templates/in/internal.Caddyfile b/privfrontends/templates/in/internal.Caddyfile
index 1f2fe36..3bb0023 100644
--- a/privfrontends/templates/in/internal.Caddyfile
+++ b/privfrontends/templates/in/internal.Caddyfile
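Review bot: Every decommissioned site in this hunk — `ak.psf.lt`, `rss.projectsegfau.lt`, `timetagger.projectsegfau.lt`, `jitsi.projectsegfau.lt`, `rssbridge.projectsegfau.lt` and `kbin.projectsegfau.lt` — answers with a bare `respond "…"`, which Caddy serves with HTTP 200, so uptime monitors, feed readers and search crawlers keep treating the instances as healthy; the Beatbump and Ferrit `respond` lines in the earlier hunk of this diff have the same shape. Appending a status code, e.g. `respond "Kbin has been shut down" 410`, keeps the human-readable message while signalling that the service is gone. Separately, `mozhi.aryak.me` is the only site added here without `import def`; it is moved verbatim from misc.Caddyfile so that may be deliberate, but the `def` snippet is not visible in this diff, so it is worth confirming its settings are not wanted on that host as well.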
@@ -1,24 +1,5 @@
 # ---Internal Caddyfile---
-# MailU
-mail.projectsegfau.lt {
- import def
- reverse_proxy :8082
-}
-
-# Caddy daily build (for ansible)
-cb.projectsegfau.lt {
- root * /var/www/caddy-build
- file_server browse
- encode gzip
- import def
-}
-
-# GotHub
-docs.gothub.app {
- redir https://gothub.app/docs{uri}
-}
-
 synapseadmin.vpn.projectsegfau.lt s.v.psf.lt {
 import acmedns
 reverse_proxy :8420
diff --git a/privfrontends/templates/in/misc.Caddyfile b/privfrontends/templates/in/misc.Caddyfile
index 11099a2..0af0aed 100644
--- a/privfrontends/templates/in/misc.Caddyfile
+++ b/privfrontends/templates/in/misc.Caddyfile
@@ -6,16 +6,6 @@ files.perso.in.projectsegfau.lt files.perso.in.projectsegfau.lt:6942 {
 root * /zfspool/files
 import acmedns
 }
-tnfiles.perso.in.projectsegfau.lt {
- file_server {
- browse
- }
- root * /zfspool/files/tn-sw
- import acmedns
-}
-mozhi.aryak.me {
- reverse_proxy :5046
-}
 http://*.tildevarsh.in https://tildevarsh.in {
 respond `R.I.P ~varsh, you'll be missed. :q! If you are a varsh user and want to get your data, email me@aryak.me with your username from your registered email address.
diff --git a/privfrontends/templates/us/misc.Caddyfile b/privfrontends/templates/us/misc.Caddyfile
deleted file mode 100644
index 8b13789..0000000
--- a/privfrontends/templates/us/misc.Caddyfile
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/privfrontends/vars.yaml b/privfrontends/vars.yaml
index 833b9a6..88ac3e7 100644
--- a/privfrontends/vars.yaml
+++ b/privfrontends/vars.yaml
@@ -5,54 +5,6 @@ compose_dir: "/opt/docker-privfrontends"
 data_dir: "/opt/data-privfrontends"
 apps:
 groups:
- hyperpipe:
- needs_configs_dir: true
- needs_data_dir: false
- docker_settings:
- services:
- - name: hyperpipe-frontend
- image: codeberg.org/hyperpipe/hyperpipe
- entrypoint: sh '/new-entrypoint.sh'
- ports:
- - "8843:80"
- mounts:
- - "{{configs_dir}}/hyperpipe/entrypoint.sh:/new-entrypoint.sh"
- - name: hyperpipe-backend
- image: codeberg.org/hyperpipe/hyperpipe-backend
- environment:
- HYP_PROXY: "{% if server_prefix == 'eu' %}proxy.piped.projectsegfau.lt{%else%}pipedproxy.{{server_prefix}}.projectsegfau.lt{%endif%}"
- ports:
- - "3536:3000"
- anonymousoverflow:
- needs_configs_dir: false
- needs_data_dir: false
- docker_settings:
- services:
- - name: anonymousoverflow
- image: git.canine.tools/canine.tools/anonymous_overflow:latest
- ports:
- - "8694:8080"
- environment:
- APP_URL: https://overflow.projectsegfau.lt
- JWT_SIGNING_SECRET: "{{ anonymousoverflow_signing_secret }}"
- FLARESOLVER: "http://flaresolverr:8191"
- - name: flaresolverr
- image: ghcr.io/flaresolverr/flaresolverr:pr-1282
- environment:
- LOG_LEVEL: "info"
- TZ: "UTC"
- LANG: "en_US"
- breezewiki:
- needs_configs_dir: true
- needs_data_dir: false
- docker_settings:
- services:
- - name: breezewiki
- image: quay.io/pussthecatorg/breezewiki:latest
- ports:
- - "10416:10416"
- mounts:
- - "{{configs_dir}}/breezewiki/config.ini:/app/config.ini"
 gothub:
 needs_configs_dir: false
 needs_data_dir: false
@@ -95,20 +47,9 @@ apps:
 GOTHUB_INSTANCE_CLOUDFLARE: false
 ports:
 - "1025:3000"
- librarian:
- needs_configs_dir: true
- needs_data_dir: false
- docker_settings:
- services:
- - name: librarian
- image: quay.io/pussthecatorg/librarian
- ports:
- - "3550:3550"
- mounts:
- - "{{configs_dir}}/librarian/config.yml:/app/config.yml"
 redlib:
- needs_data_dir: true
- needs_configs_dir: true
+ needs_data_dir: false
+ needs_configs_dir: false
 docker_settings:
 services:
 - name: redlib
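Review bot: With `needs_data_dir` and `needs_configs_dir` both flipped to `false` for redlib, any mount still referencing `{{data_dir}}/redlib` or `{{configs_dir}}/redlib` would point at a directory the play presumably no longer creates; the redlib service body continues past this hunk, and the only such mounts visible in this diff are the go-away ones dropped in the next hunk, so the change looks consistent but cannot be fully confirmed here. The redlib environment lines that appear as context in the next hunk, `BLUR_NSFW: on`, `USE_HLS: on` and `AUTOPLAY_VIDEOS: off`, are unquoted; a YAML 1.1 loader such as Ansible's reads them as booleans, so unless the compose template normalises them they reach the container as `True`/`False` rather than the literal strings `on`/`off`. Quoting them as `"on"`/`"off"` removes that ambiguity whichever form redlib expects.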
@@ -123,23 +64,6 @@ apps:
 BLUR_NSFW: on
 USE_HLS: on
 AUTOPLAY_VIDEOS: off
- - name: go-away
- image: git.projectsegfau.lt/midou/go-away:latest
- ports:
- - "6464:9980"
- - "9893:9893"
- mounts:
- - "{{data_dir}}/redlib/cache:/cache"
- - "{{configs_dir}}/redlib/policy.yml:/policy.yml:ro"
- environment:
- GOAWAY_BIND: ":9980"
- GOAWAY_METRICS_BIND: ":9893"
- GOAWAY_BIND_NETWORK: "tcp"
- GOAWAY_CLIENT_IP_HEADER: "X-Real-Ip"
- GOAWAY_POLICY: "/policy.yml"
- GOAWAY_SLOG_LEVEL: "WARN"
- GOAWAY_CHALLENGE_TEMPLATE: redlib
- GOAWAY_BACKEND: "*=http://redlib:8080"
 nitter:
 needs_data_dir: true
@@ -158,80 +82,6 @@ apps:
 command: redis-server --save 60 1 --loglevel warning
 mounts:
 - "{{data_dir}}/nitter/redis-data:/data"
- rimgo:
- needs_configs_dir: false
- needs_data_dir: false
- docker_settings:
- services:
- - name: rimgo
- image: codeberg.org/video-prize-ranch/rimgo
- ports:
- - "9016:3000"
- environment:
- ADDRESS: 0.0.0.0
- PORT: 3000
- FIBER_PREFORK: false
- IMGUR_CLIENT_ID: 546c25a59c58ad7
- PRIVACY_POLICY: https://projectsegfau.lt/legal/privacy-policy
- PRIVACY_COUNTRY: "{{country}}"
- PRIVACY_PROVIDER: "{{isp}}"
- PRIVACY_CLOUDFLARE: false
- PRIVACY_NOT_COLLECTED: true
- safetwitch:
- needs_data_dir: false
- needs_configs_dir: false
- docker_settings:
- services:
- - name: safetwitch-frontend
- image: codeberg.org/safetwitch/safetwitch:latest
- ports:
- - "5070:8280"
- environment:
- SAFETWITCH_BACKEND_DOMAIN: "api.safetwitch.{{server_prefix}}.projectsegfau.lt"
- SAFETWITCH_INSTANCE_DOMAIN: safetwitch.projectsegfau.lt
- SAFETWITCH_HTTPS: true
- - name: safetwitch-backend
- image: codeberg.org/safetwitch/safetwitch-backend
- ports:
- - "5072:7000"
- environment:
- PORT: 7000
- URL: "https://api.safetwitch.{{server_prefix}}.projectsegfau.lt"
- scribe:
- needs_configs_dir: false
- needs_data_dir: false
- docker_settings:
- services:
- - name: scribe
- image: registry.gitlab.com/lomanic/scribe-binaries:latest
- ports:
- - "8006:8006"
- environment:
- SCRIBE_PORT: 8006
- SCRIBE_HOST: 0.0.0.0
- APP_DOMAIN: scribe.projectsegfau.lt
- LUCKY_ENV: production
- PORT: 8006
- SECRET_KEY_BASE: "{{scribe_secret_key_base}}"
- searxng:
- needs_configs_dir: true
- needs_data_dir: true
- docker_settings:
- services:
- - name: searxng
- image: searxng/searxng:latest
- ports:
- - "8081:8080"
- mounts:
- - "{{data_dir}}/searxng:/etc/searxng"
- - "{{configs_dir}}/searxng/settings.yml:/etc/searxng/settings.yml:rw"
- environment:
- SEARXNG_BASE_URL: "https://{% if server_prefix == 'eu'
%}search.projectsegfau.lt{%else%}search.{{inventory_hostname}}.projectsegfau.lt{%endif%}/"
- - name: searxng-redis
- image: redis:alpine
- command: redis-server --save 30 1 --loglevel warning
- mounts:
- - "{{data_dir}}/searxng/redis-data:/data"
 mozhi:
 needs_configs_dir: false
 needs_data_dir: false
@@ -243,59 +93,6 @@ apps:
 - "5046:3000"
 environment:
 MOZHI_LIBRETRANSLATE_ENABLED: false
- teddit:
- needs_configs_dir: false
- needs_data_dir: true
- docker_settings:
- services:
- - name: teddit
- image: teddit/teddit:latest
- ports:
- - "9061:8080"
- environment:
- DOMAIN: teddit.projectsegfau.lt
- USE_HELMET: true
- TRUST_PROXY: true
- REDIS_HOST: teddit-redis
- - name: teddit-redis
- image: redis:6.2.5-alpine
- command: redis-server
- environment:
- REDIS_REPLICATION_MODE: master
- mounts:
- - "{{data_dir}}/teddit/redis-data:/data"
- priviblur:
- needs_configs_dir: true
- needs_data_dir: true
- docker_settings:
- services:
- - name: priviblur
- image: quay.io/syeopite/priviblur:latest
- ports:
- - "9084:8000"
- mounts:
- - "{{configs_dir}}/priviblur/config.toml:/priviblur/config.toml:Z,ro"
- - name: priviblur-redis
- image: redis:6.2.5-alpine
- command: redis-server
- environment:
- REDIS_REPLICATION_MODE: master
- mounts:
- - "{{data_dir}}/priviblur/redis-data:/data"
- shoelace:
- needs_configs_dir: true
- needs_data_dir: true
- docker_settings:
- services:
- - name: shoelace
- image: nixgoat/shoelace
- ports:
- - "9029:8080"
- mounts:
- - "{{configs_dir}}/shoelace/shoelace.toml:/data/shoelace.toml"
- - "{{data_dir}}/shoelace:/data"
- environment:
- SHOELACE_CONFIG: /data/shoelace.toml
 watchtower:
 needs_configs_dir: false
 needs_data_dir: false
diff --git a/secrets.yaml b/secrets.yaml
index 4da539b..c423597 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -1,81 +1,51 @@
 $ANSIBLE_VAULT;1.1;AES256
-63383132383338646134323161653732626564393261313134373832666234336664356464346433
-6633373466633634613039626233346562643862613037390a303265373839306532373235333232
-36663566356665346638343535303332343333326163353535663932396531626530393932333365
-3562623937393130380a326333623832393131623634393832396430313537623038663536663033
-32613733363731306664626531306263393936613961633061313538353364633763623739336131
-62386335323330326231306662326566643637313032373438376538383032306366323931363130
-32366137333966613638303866633436643366373730623764343033346132353331656139343062
-62663937383865613737333964383764336136363137623637376537616538303537623237333338
-66656664623565363634663138643938386439646332633537313930343134336638363833336333
-62616564343162323261306264646236626132653061383766383137633161376633636237386563
-33383031653838353832643566356339336263653830383732336339663837323339623763376531
-33653564636233343865623361316430633961663336323264313537386333383863666361306166
-37306530643230383636346335633966623663626331633861376361313861363438303765616161
-35343439393561666630393136666162366430373434376134663861303834613665396564336633
-31653165653036626666396131656164336538653765653566646466396462333861366435613533
-62646430393861623564303063653331633931376436393035623866636537373664653839656331
-31613261393531383761666536356664363534393763653962373236366630353331643963613937
-31656536363733326665633730346665316637383531643534343734343537336531653931383633
-37396230613736383537356436333630373535326135393465653962303765396230316437373331
-63646532326662326437653965373063373066376331336438633036623434623761396130373466
-34626239373030653837633739336532373164386366623264323938396638356365396631636365
-31343761356636646236666233326661313932666130663737343039646663396465363733656435
-33306461663534323061626231383833373737653132373038396236313135326630646436623332
-39633538373365653463323166363338613361663534343231636136613462663538333961666139
-35313136336232633732326535376133313034353663346133636233343839303432303962346263
-31316134363133303661646536346633346636333034353366323563613336366536383066643861
-33623066363135363066646434313130646631633438356134303531303339663331376533613836
-63366138316464613566303963616362626237666261363466353362343566663564366333303464
-34396230313963396664396462373261376463353331336662316533373338353864613931353434
-36313232623361623539643264663266663561306533313739343765353765353462363338303637
-34376135346235316164366331356435656538343237613466366166356630396136356335336466
-64363736336538313335376537366633623437326561333464313339313561646137383730336535
-63356263656535643465643431626533326235306637643333336565616263653464653738356134
-36633464323638656339666236653461313261653434613366646334373861303238626536643665
-65336339366261396532366434613564323238373439613032333734306333393237383539376235
-66363866306562646231663866373939363466656565656533656233373238376163643033646330
-30633335363137623933303831343039306639363632646133366339326634646663636439643264
-30343534363263333162366337613066646531613864363835666135613165393761646230313165
-30656165646630333833636439396130643436353163366637633461383039663963333936386231
-34393635356466303834666537636266353463663935633365303162353362393736653836333933
-33626232306561313138643232373235336163393164613364333462353165303966343035336664
-36616637333265303564396264303836656530393265333931363238383733356566623734646465
-61333732633731306566353437626434326364653830636530326337383934613739386635616138
-34356539333730363633633534346263636430313962643366323832643231313234353032633036
-65343735383639303966326261616338633338343033323364636665386461633231623438663362
-33633761613534636133323739613135313162363564623931316436353065343362336461303735
-37353164396236366537616364643031373133646663316639613032356335643263366231333637
-30353931306162616236363832356536353461613831366336336531386261343038333462313338
-64353165666236393539303566323634346430373464303365323461323364643061303364326533
-61363662626438346639616664313333653962623734653533396234663931313332613239303831
-61343932636564623866396161383532373036336532313336376262653731373761333130343434
-64643737636636323161313032663964383335666338333766346662373461653864383835376130
-66396239393431643636396437346663373033333339333134373533346630366366393861626336
-37643065636262643761646464373364663761323233323266323430633566343638643962643635
-64363431613930313062353931643330626230663832393235346435393665306662326161396537
-61666133616666653262616330626462363635623961343432333664333465363836633039303165
-36666536656433306139393430373233393331653732626331613364343035326536353663313630
-38323163376562646665336332316434333262616261333738336435663539336565383765326362
-32393063323934646630386436303363393532663162396239363733323637363463383962656339
-63326234313134343363333365616537383632316365343136313263393930363764373466383062
-31646561313833653333666264383561376336663265666234333932613138623137623361303439
-36623338643965343538313264626332326665666333373465356663326231663532393335336337
-32643130313461326530306132316631626331633034326439356637663964303465376339663839
-30306665643539376634336634316265313562333966643632663264353438393335396463383764
-31313334313435376138373230303531313136326536343035623635656165613966663564646334
-36646365633235636534376166333739323335396665626231383561626361653437646263333131
-66346234393931626630326136303237396266303034363938363461616461373932623935383764
-32373137303165393163303337653339313239386462616666393735353937333762336665363736
-31643137333438383866653133396636666362393935343765626262386130336436653233363138
-61653038393864316434623637396638643430313563396566643834633963373861663763326465
-32663932653031343761643837316531623839666363356436383831383838343131313239386431
-62363966636139383232616430373036356236323463326264653935643865396334643132376134
-37363132656166393061616663646335303331363637353336363937666334393662383063386133
-37333837363864313061323631633862613436613439386166353331643764303430626634633964
-39373033343836336538623465363633303830643461353462333731633762316532353362643936
-38643338653964343530383639336237326131313361356466396238333931336666313032376333
-62393564393633323138313838643166633136616131643335326234613137663738386464663539
-36643139376463623461303631363238346664313431373338373264653332343066663366393039
-65666331376139663231623132333334323764373637616637643062326665623634383062363764
-63386336393338616232
+62633465666433613531653834643833623063663334346630643637323534373338616561666362
+3932633339333932393035633737343565623866376465310a323863653535346236316339336431
+36356332313931626433333935623433633562376533303235373536613034383761313036306439
+6133343535326336660a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