refactor

2025-09-23 13:19:48 +00:00
parent a04a4abef6
commit dd3753fab4
170 changed files with 907 additions and 1715 deletions
--- a/ansible/tasks/servers/services/caddy/Caddyfile.j2
+++ b/ansible/tasks/servers/services/caddy/Caddyfile.j2
@@ -0,0 +1,228 @@
+# Global configuration for country blocking
+{
+    servers {
+        protocols h1 h2 h3
+    }
+}
+
+# Country blocking snippet using MaxMind GeoLocation - reusable across all sites
+{% if enable_country_blocking | default(false) and allowed_countries_codes | default([]) | length > 0 %}
+(country_block) {
+    @allowed_local {
+        remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+    }
+    @not_allowed_countries {
+        not remote_ip 127.0.0.1 ::1 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 157.180.41.167 2a01:4f9:c013:1a13::1
+        not {
+            maxmind_geolocation {
+                db_path "/etc/caddy/geoip/GeoLite2-Country.mmdb"
+                allow_countries {{ allowed_countries_codes | join(' ') }}
+            }
+        }
+    }
+    respond @not_allowed_countries "Access denied" 403
+}
+{% else %}
+(country_block) {
+    # Country blocking disabled
+}
+{% endif %}
+
+{% if inventory_hostname == 'mennos-desktop' %}
+git.mvl.sh {
+   import country_block
+   reverse_proxy gitea:3000
+   tls {{ caddy_email }}
+}
+
+git.vleeuwen.me {
+   import country_block
+   redir https://git.mvl.sh{uri}
+   tls {{ caddy_email }}
+}
+
+df.mvl.sh {
+   import country_block
+   redir / https://git.mvl.sh/vleeuwenmenno/dotfiles/raw/branch/master/setup.sh
+   tls {{ caddy_email }}
+}
+
+fsm.mvl.sh {
+   import country_block
+   reverse_proxy factorio-server-manager:80
+   tls {{ caddy_email }}
+}
+
+fsm.vleeuwen.me {
+   import country_block
+   redir https://fsm.mvl.sh{uri}
+   tls {{ caddy_email }}
+}
+
+beszel.mvl.sh {
+   import country_block
+   reverse_proxy beszel:8090
+   tls {{ caddy_email }}
+}
+
+beszel.vleeuwen.me {
+   import country_block
+   redir https://beszel.mvl.sh{uri}
+   tls {{ caddy_email }}
+}
+
+photos.mvl.sh {
+   import country_block
+   reverse_proxy immich:2283
+   tls {{ caddy_email }}
+}
+
+photos.vleeuwen.me {
+   import country_block
+   redir https://photos.mvl.sh{uri}
+   tls {{ caddy_email }}
+}
+
+home.mvl.sh {
+   import country_block
+   reverse_proxy host.docker.internal:8123 {
+       header_up Host {upstream_hostport}
+       header_up X-Real-IP {http.request.remote.host}
+   }
+   tls {{ caddy_email }}
+}
+
+home.vleeuwen.me {
+   import country_block
+   reverse_proxy host.docker.internal:8123 {
+       header_up Host {upstream_hostport}
+       header_up X-Real-IP {http.request.remote.host}
+   }
+   tls {{ caddy_email }}
+}
+
+
+unifi.mvl.sh {
+    reverse_proxy unifi-controller:8443 {
+        transport http {
+            tls_insecure_skip_verify
+        }
+        header_up Host {host}
+    }
+    tls {{ caddy_email }}
+}
+
+hotspot.mvl.sh {
+    reverse_proxy unifi-controller:8843 {
+        transport http {
+            tls_insecure_skip_verify
+        }
+        header_up Host {host}
+    }
+    tls {{ caddy_email }}
+}
+
+hotspot.mvl.sh:80 {
+    redir https://hotspot.mvl.sh{uri} permanent
+}
+
+bin.mvl.sh {
+   import country_block
+   reverse_proxy privatebin:8080
+   tls {{ caddy_email }}
+}
+
+ip.mvl.sh ip.vleeuwen.me {
+   import country_block
+   reverse_proxy echoip:8080 {
+       header_up X-Real-IP {http.request.remote.host}
+   }
+   tls {{ caddy_email }}
+}
+
+http://ip.mvl.sh http://ip.vleeuwen.me {
+   import country_block
+   reverse_proxy echoip:8080 {
+       header_up X-Real-IP {http.request.remote.host}
+   }
+}
+
+overseerr.mvl.sh {
+   import country_block
+   reverse_proxy overseerr:5055
+   tls {{ caddy_email }}
+}
+
+overseerr.vleeuwen.me {
+   import country_block
+   redir https://overseerr.mvl.sh{uri}
+   tls {{ caddy_email }}
+}
+
+plex.mvl.sh {
+   import country_block
+   reverse_proxy host.docker.internal:32400 {
+       header_up Host {upstream_hostport}
+       header_up X-Real-IP {http.request.remote.host}
+   }
+   tls {{ caddy_email }}
+}
+
+plex.vleeuwen.me {
+   import country_block
+   redir https://plex.mvl.sh{uri}
+   tls {{ caddy_email }}
+}
+
+tautulli.mvl.sh {
+   import country_block
+   reverse_proxy host.docker.internal:8181 {
+       header_up Host {upstream_hostport}
+       header_up X-Real-IP {http.request.remote.host}
+   }
+   tls {{ caddy_email }}
+}
+
+tautulli.vleeuwen.me {
+   import country_block
+   redir https://tautulli.mvl.sh{uri}
+   tls {{ caddy_email }}
+}
+
+drive.mvl.sh drive.vleeuwen.me {
+   import country_block
+
+   # CalDAV and CardDAV redirects
+   redir /.well-known/carddav /remote.php/dav/ 301
+   redir /.well-known/caldav /remote.php/dav/ 301
+
+   # Handle other .well-known requests
+   handle /.well-known/* {
+       reverse_proxy nextcloud:80 {
+           header_up Host {host}
+           header_up X-Real-IP {http.request.remote.host}
+       }
+   }
+
+   # Main reverse proxy configuration with proper headers
+   reverse_proxy nextcloud:80 {
+       header_up Host {host}
+       header_up X-Real-IP {http.request.remote.host}
+   }
+
+   # Security headers
+   header {
+       # HSTS header for enhanced security (required by Nextcloud)
+       Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+       # Additional security headers recommended for Nextcloud
+       X-Content-Type-Options "nosniff"
+       X-Frame-Options "SAMEORIGIN"
+       Referrer-Policy "no-referrer"
+       X-XSS-Protection "1; mode=block"
+       X-Permitted-Cross-Domain-Policies "none"
+       X-Robots-Tag "noindex, nofollow"
+   }
+
+   tls {{ caddy_email }}
+}
+{% endif %}