ansible/privfrontends/templates/core/apps.Caddyfile
2023-07-29 15:10:47 +05:30

286 lines
6.7 KiB
Caddyfile

# ---Apps Caddyfile---
# Akkoma
social.projectsegfau.lt {
import def
encode gzip
# this is explicitly IPv4 since Pleroma.Web.Endpoint binds on IPv4 only
# and `localhost.` resolves to [::0] on some systems: see issue #930
reverse_proxy 192.168.5.2:4011
handle /media/* {
redir https://media.social.projectsegfau.lt{uri} permanent
}
handle /proxy/* {
redir https://media.social.projectsegfau.lt{uri} permanent
}
}
# Security mitigation
# See https://webb.spiderden.org/2023/05/26/pleroma-mitigation/
# And https://poa.st/notice/AWDToOiKAl4BPhdEB6
# And https://gleasonator.com/notice/AW3PsTi4WCWEUbN0uO
media.social.projectsegfau.lt {
handle /media/* {
reverse_proxy 192.168.5.2:4011 {
transport http {
response_header_timeout 10s
read_timeout 15s
}
}
}
handle /proxy/* {
reverse_proxy 192.168.5.2:4011 {
transport http {
response_header_timeout 10s
read_timeout 15s
}
}
}
}
# Cinny
cinny.projectsegfau.lt cy.psf.lt {
reverse_proxy 192.168.5.2:3069
import def
}
# Website
projectsegfau.lt {
reverse_proxy 192.168.5.2:1337
import def
reverse_proxy /_matrix/* 192.168.5.2:8449 {
header_up Host "matrix.projectsegfau.lt"
}
reverse_proxy /_matrix/client/* 192.168.5.2:81 {
header_up Host "matrix.projectsegfau.lt"
}
reverse_proxy /_synapse/* 192.168.5.2:81 {
header_up Host "matrix.projectsegfau.lt"
}
reverse_proxy /.well-known/acme-challenge/* 192.168.5.5:5380
reverse_proxy /converse 192.168.5.5:5280
reverse_proxy /converseemojis.js 192.168.5.5:5280
reverse_proxy /converse/* 192.168.5.5:5280
reverse_proxy /bosh 192.168.5.5:5280
reverse_proxy /ws 192.168.5.5:5280
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
handle_path /.well-known/* {
root * /var/www/well-known
file_server
}
header /.well-known/host-meta Content-Type application/xrd+xml
header /.well-known/host-meta.json Content-Type application/json
header /.well-known/host-meta.json Access-Control-Allow-Origin *
header /.well-known/host-meta Access-Control-Allow-Origin *
import torloc www
}
psf.lt {
reverse_proxy 192.168.5.2:1337
import def
import torloc www
header /.well-known/matrix/* Content-Type application/json
header /.well-known/matrix/* Access-Control-Allow-Origin *
handle_path /.well-known/* {
root * /var/www/psf-well-known
file_server
}
}
ssync.projectsegfau.lt {
reverse_proxy 192.168.5.2:3333
import def
}
www.projectsegfau.lt www.psf.lt {
redir https://projectsegfau.lt{uri}
import torloc www
}
matrix.projectsegfau.lt {
reverse_proxy /_matrix/* 192.168.5.2:8449 {
header_up Host "matrix.projectsegfau.lt"
}
reverse_proxy /_matrix/client/* 192.168.5.2:81 {
header_up Host "matrix.projectsegfau.lt"
}
reverse_proxy /_synapse/* 192.168.5.2:81 {
header_up Host "matrix.projectsegfau.lt"
}
import def
#reverse_proxy /_synapse/client/* 192.168.5.2:81 {
# header_up Host "matrix.projectsegfau.lt"
#}
handle_path / {
redir https://wiki.projectsegfau.lt/Matrix
}
}
# Directus
cms.projectsegfau.lt {
reverse_proxy 192.168.5.2:9456
import def
}
# Element
chat.projectsegfau.lt el.psf.lt {
reverse_proxy 192.168.5.2:3070
import def
}
# Gitea
git.projectsegfau.lt {
reverse_proxy 192.168.5.5:3444
respond /metrics 403
import def
request_body {
max_size 500MB
}
header {
Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
}
import torloc git
}
git.psf.lt {
reverse_proxy 192.168.5.5:3444 {
header_up Host "git.projectsegfau.lt"
}
respond /metrics 403
import def
request_body {
max_size 500MB
}
header {
Content-Security-Policy "default-src 'self'; connect-src 'self'; font-src 'self' data:; form-action 'self'; img-src 'self' https: data:; manifest-src 'self' data:; object-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; worker-src 'self'; frame-ancestors 'self'; frame-src 'self';"
}
import torloc git
}
# HedgeDoc
doc.projectsegfau.lt {
reverse_proxy 192.168.5.2:2069 {
header_up X-Real-IP {remote_host}
}
import def
}
# Hydrogen
h2.projectsegfau.lt, hydrogen.projectsegfau.lt, h2.psf.lt {
reverse_proxy 192.168.5.2:3071
import def
}
# Jitsi
jitsi.projectsegfau.lt {
reverse_proxy 192.168.5.5:8000 {
header_up X-Real-IP {remote_host}
}
}
# Excalidraw backend for jitsi
excalidraw.projectsegfau.lt {
reverse_proxy 192.168.5.5:8694
}
# Maubot
mau.projectsegfau.lt {
reverse_proxy 192.168.5.2:29316
import def
}
# MediaWiki
wiki.projectsegfau.lt w.psf.lt {
reverse_proxy 192.168.5.3:8000 {
header_up X-Real-IP {remote_host}
}
import def
encode gzip
import torloc wiki
}
# Vikunja
todo.projectsegfau.lt vi.psf.lt {
reverse_proxy 192.168.5.2:3456
import def
import torloc todo
}
# Vaultwarden
pass.projectsegfau.lt vw.psf.lt {
reverse_proxy 192.168.5.2:6980 {
header_up X-Real-IP {remote_host}
}
import def
reverse_proxy /notifications/hub 192.168.5.2:3012 {
header_up X-Real-IP {remote_host}
}
import torloc pass
}
# XMPP
xmpp.projectsegfau.lt, conference.projectsegfau.lt, proxy.projectsegfau.lt, pubsub.projectsegfau.lt, upload.projectsegfau.lt {
reverse_proxy 192.168.5.5:5280 {
header_up X-Real-IP {remote_host}
}
reverse_proxy /.well-known/acme-challenge/* 192.168.5.5:5380
@register {
path /new/
path /change_password/
path /delete/
path /new
path /change_password
path /delete
}
redir @register /register{uri}
import def
header /.well-known/host-meta Content-Type application/xrd+xml
header /.well-known/host-meta.json Content-Type application/json
header /.well-known/host-meta.json Access-Control-Allow-Origin *
header /.well-known/host-meta Access-Control-Allow-Origin *
handle_path /.well-known/* {
root * /var/www/well-known
file_server
}
handle_path / {
redir https://wiki.projectsegfau.lt/XMPP
}
}
xmpp-web.projectsegfau.lt, x.psf.lt {
import def
reverse_proxy 192.168.5.2:3072
}
healthchecks.projectsegfau.lt, hc.psf.lt {
import def
reverse_proxy 192.168.5.2:8450
}
# Pubthentik
auth.p.projectsegfau.lt {
reverse_proxy 192.168.5.2:7444 {
transport http {
tls_insecure_skip_verify
}
header_up X-Real-IP {remote_host}
}
import def
}
# kbin
kbin.projectsegfau.lt, kb.psf.lt {
reverse_proxy 192.168.5.2:80 {
header_up X-Real-IP {remote_host}
}
import def
}
gothub.dev.projectsegfau.lt gh.dev.psf.lt {
reverse_proxy 192.168.5.2:1025
import def
}
ak.psf.lt {
redir https://social.projectsegfau.lt{uri}
}
j.psf.lt {
redir https://jitsi.projectsegfau.lt{uri}
}
d.psf.lt {
redir https://doc.projectsegfau.lt{uri}
}