use dns01 auth for everything

Arya 2023-11-23 15:55:00 +05:30
parent b261aa00a5
commit cf9f55f906
Signed by: arya
GPG Key ID: 842D12BDA50DF120
5 changed files with 30 additions and 153 deletions


@ -53,9 +53,7 @@
defer
}
{% if inventory_hostname == 'in' %}
import acmedns
{% endif %}
}
import ./*.Caddyfile
@ -85,8 +83,6 @@ nitter.{{ server_prefix }}.projectsegfau.lt nitter.projectsegfau.lt n.psf.lt n.{
format json
}
header {
X-Permitted-Cross-Domain-Policies none
Permissions-Policy "Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(self), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(self), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()"
header Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline'; script-src-attr 'none'; img-src 'self'; style-src 'self' 'unsafe-inline'; style-src-elem 'self'; font-src 'self'; object-src 'none'; media-src 'self' blob:; worker-src 'self' blob:; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; connect-src 'self' https://*.twimg.com; manifest-src 'self'"
}
reverse_proxy :8065
@ -105,7 +101,9 @@ teddit.{{ server_prefix }}.projectsegfau.lt teddit.projectsegfau.lt t.psf.lt t.{
import torloc teddit
}
inv.{{ server_prefix }}.projectsegfau.lt i.{{ server_prefix }}.psf.lt {
reverse_proxy :7573
reverse_proxy :7573 {
header_up Host "inv.{{server_prefix}}.projectsegfau.lt"
}
@pipedproxy {
path /videoplayback
path /videoplayback/*
@ -123,30 +121,9 @@ inv.{{ server_prefix }}.projectsegfau.lt i.{{ server_prefix }}.psf.lt {
uri @jpgRedirect replace /maxres.jpg /maxres2.jpg
rewrite /vi/* ?host=i.ytimg.com
}
header {
# disable FLoC tracking
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
-Content-Security-Policy
X-XSS-Protection "1; mode=block"
defer
}
@badbots {
header "User-Agent" "Go-http-client/2.0"
}
respond @badbots "Access to this route denied" 403
header -X-Frame-Options
import def
import torloc inv
{% if server_prefix == 'in' %}
import acmedns
{% endif %}
}
gothub.{{ server_prefix }}.projectsegfau.lt gothub.projectsegfau.lt gh.psf.lt gh.{{ server_prefix }}.psf.lt {
reverse_proxy :1024
@ -238,6 +215,7 @@ search.{{ server_prefix }}.projectsegfau.lt search.projectsegfau.lt s.psf.lt s.{
# Remove Server header
-Server
}
import acmedns
header @api {
Access-Control-Allow-Methods "GET, OPTIONS"
Access-Control-Allow-Origin "*"
@ -263,50 +241,13 @@ search.{{ server_prefix }}.projectsegfau.lt search.projectsegfau.lt s.psf.lt s.{
}
piped.{{ server_prefix }}.projectsegfau.lt pipedproxy.{{ server_prefix }}.projectsegfau.lt pipedapi.{{ server_prefix }}.projectsegfau.lt {
reverse_proxy :6970
header {
# disable FLoC tracking
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
@badbots {
header "User-Agent" "Go-http-client/2.0"
}
respond @badbots "Access to this route denied" 403
{% if server_prefix == 'in' %}
import acmedns
{% endif %}
header -X-Frame-Options
import def
}
pi.{{ server_prefix }}.psf.lt {
reverse_proxy :6970 {
header_up Host "{% if server_prefix == 'eu' %}piped.projectsegfau.lt{%else%}piped.{{ server_prefix }}.projectsegfau.lt{%endif%}"
}
header {
# disable FLoC tracking
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
@badbots {
header "User-Agent" "Go-http-client/2.0"
}
respond @badbots "Access to this route denied" 403
header -X-Frame-Options
import def
}
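Review bot: The per-site `header { ... }` blocks carrying `Strict-Transport-Security`, `X-Content-Type-Options nosniff` and `Referrer-Policy`, along with the `@badbots` 403 rule, appear to be dropped from the inv, piped and pi site blocks (hunk counts -123,30 +121,9 and -263,50 +241,13), which the commit title about DNS-01 does not mention. The rendered page has lost its +/- markers, so exactly which lines survive is inferred from those counts. These sites would then rely on `import def` for their response headers, and the body of `def` is not visible here, so it is worth confirming that it sets the same HSTS and nosniff values. The removed inv block also stripped the upstream `Content-Security-Policy`; if dropping that is deliberate, a comment next to the import such as `# security headers and CSP handling come from (def)` would record it. If the Go-http-client filter is still wanted, it would have to move into the shared snippet too.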


@ -3,7 +3,9 @@ sl.projectsegfau.lt sl.psf.lt {
import def
}
inv.bp.projectsegfau.lt, i.bp.psf.lt, invidious.projectsegfau.lt, inv.projectsegfau.lt, i.psf.lt {
reverse_proxy localhost:7573
reverse_proxy localhost:7573 {
header_up Hpst "invidious.projectsegfau.lt"
}
@pipedproxy {
path /videoplayback
path /videoplayback/*
@ -12,7 +14,7 @@ inv.bp.projectsegfau.lt, i.bp.psf.lt, invidious.projectsegfau.lt, inv.projectseg
}
handle @pipedproxy {
reverse_proxy :6970 {
header_up Host "pipedproxy.{{server_prefix}}.projectsegfau.lt"
header_up Host "proxy.piped.projectsegfau.lt"
}
@jpgRedirect path_regexp maxres2 /vi/(.+)/maxres.jpg
@thumbnailRedirect path /ggpht/*
@ -21,71 +23,22 @@ inv.bp.projectsegfau.lt, i.bp.psf.lt, invidious.projectsegfau.lt, inv.projectseg
uri @jpgRedirect replace /maxres.jpg /maxres2.jpg
rewrite /vi/* ?host=i.ytimg.com
}
header {
# disable FLoC tracking
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
-Content-Security-Policy
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
import def
header -X-Frame-Options
import torloc invbp
import i2ploc pjsfi2szfkb4guqzmfmlyq4no46fayertjrwt4h2uughccrh2lvq.b32.i2p
}
piped.projectsegfau.lt proxy.piped.projectsegfau.lt api.piped.projectsegfau.lt {
reverse_proxy :6970
header {
# disable FLoC tracking
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
@badbots {
header "User-Agent" "Go-http-client/2.0"
}
respond @badbots "Access to this route denied" 403
import acmedns
header -X-Frame-Options
import def
}
pi.psf.lt {
reverse_proxy :6970 {
header_up Host "piped.projectsegfau.lt"
}
header {
# disable FLoC tracking
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
X-XSS-Protection "1; mode=block"
defer
}
@badbots {
header "User-Agent" "Go-http-client/2.0"
}
respond @badbots "Access to this route denied" 403
header -X-Frame-Options
import def
}
proxy.lbry.projectsegfau.lt {
reverse_proxy localhost:3001
@ -98,6 +51,7 @@ aryak.me {
}
arya.projectsegfau.lt {
redir https://aryak.me{uri}
import acmedns
}
## OLD URL REDIRECTS
bb.us.projectsegfau.lt bb.in.projectsegfau.lt bb.eu.projectsegfau.lt bb.projectsegfau.lt {
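Review bot: The new `header_up Hpst "invidious.projectsegfau.lt"` line in the first hunk misspells the header name, so the upstream on localhost:7573 receives an extra `Hpst` header and still sees whichever Host the client sent (any of the five names on the site line). The matching change in the templated file uses `header_up Host`, so this line should read `header_up Host "invidious.projectsegfau.lt"`. The site block continues past the end of that hunk.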


@ -16,6 +16,7 @@
# Redirect base subdomain to the pubnix homepage
p.projectsegfau.lt p.psf.lt {
redir https://projectsegfau.lt/pubnix
import acmedns
}
# Cockpit
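Review bot: `import acmedns` is now pasted into each site block that apparently does not get it through `def` (here, and again in the search, arya, www, jitsi, excalidraw, ak/j/d redirect and file-server blocks in the other files of this commit), so a block added later without it will quietly obtain its certificate over HTTP-01 or TLS-ALPN-01 instead. The body of the `acmedns` snippet is not shown; if it only selects the DNS provider, Caddy's global `acme_dns` option in the top-level options block would apply DNS-01 to every site from one place. If the per-site import has to stay, a comment at the top of each file such as `# every site block must import acmedns (directly or via def)` would make the rule visible.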


@ -30,7 +30,6 @@ psf.lt {
reverse_proxy :1337
import def
import torloc www
import acmedns
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
handle_path /.well-known/* {
@ -42,6 +41,7 @@ import acmedns
www.projectsegfau.lt www.psf.lt {
redir https://projectsegfau.lt{uri}
import torloc www
import acmedns
}
matrix.projectsegfau.lt {
@ -104,10 +104,12 @@ jitsi.projectsegfau.lt {
reverse_proxy :8000 {
header_up X-Real-IP {remote_host}
}
import acmedns
}
# Excalidraw backend for jitsi
excalidraw.projectsegfau.lt {
reverse_proxy :8695
import acmedns
}
# MediaWiki
@ -194,32 +196,6 @@ kbin.projectsegfau.lt, kb.psf.lt {
import def
}
inv.projectsegfau.lt invidious.projectsegfau.lt i.psf.lt {
reverse_proxy 192.168.1.64:7574
header {
# disable FLoC tracking
Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), serial=(), usb=(), sync-xhr=(), xr-spatial-tracking=()";
# enable HSTS
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
-Content-Security-Policy
X-XSS-Protection "1; mode=block"
defer
}
@badbots {
header "User-Agent" "Go-http-client/2.0"
}
respond @badbots "Access to this route denied" 403
import torloc inv
import acmedns
}
gothub.dev.projectsegfau.lt gh.dev.psf.lt {
reverse_proxy :1025
import def
@ -227,10 +203,13 @@ gothub.dev.projectsegfau.lt gh.dev.psf.lt {
}
ak.psf.lt {
redir https://social.projectsegfau.lt{uri}
import acmedns
}
j.psf.lt {
redir https://jitsi.projectsegfau.lt{uri}
import acmedns
}
d.psf.lt {
redir https://doc.projectsegfau.lt{uri}
import acmedns
}


@ -8,10 +8,12 @@ files.perso.in.projectsegfau.lt files.perso.in.projectsegfau.lt:6942 {
browse
}
root * /zfspool/files
import acmedns
}
tnfiles.perso.in.projectsegfau.lt {
file_server {
browse
}
root * /zfspool/files/tn-sw
import acmedns
}