Update caddy config

Signed-off-by: Bensuperpc <bensuperpc@gmail.com>

.gitignore

@@ -1 +1,2 @@
 
+/*.tar.gz

Makefile

@@ -11,17 +11,18 @@
 #//                                                          //
 #//////////////////////////////////////////////////////////////
 
-ADMIN_SERVICES := openssh uptime-kuma yacht
-BLOG_SERVICES := wordpress
-7DAYS_TO_DIE_SERVICES := 7daystodie_server 7daystodie_backup
-MINECRAFT_SERVICES := minecraft_server minecraft_backup
-SATISFACTORY_SERVICES := satisfactory_server satisfactory_backup
-GIT_SERVICES := forgejo forgejo-runner
+ADMIN_SERVICES := openssh 
+#uptime-kuma yacht
+#BLOG_SERVICES := wordpress
+#7DAYS_TO_DIE_SERVICES := 7daystodie_server 7daystodie_backup
+#MINECRAFT_SERVICES := minecraft_server minecraft_backup
+#SATISFACTORY_SERVICES := satisfactory_server satisfactory_backup
+#GIT_SERVICES := forgejo forgejo-runner
 # gitea gitea-runner
-IA_SERVICES := open-webui
-SHARING_SERVICES := psitransfer picoshare privatebin projectsend jellyfin dufs syncthing
-TORRENTS_SERVICES := qbittorrent transmission
-UTILS_SERVICES := it-tools stirlingpdf omni-tools
+#IA_SERVICES := open-webui
+#SHARING_SERVICES := psitransfer picoshare privatebin projectsend jellyfin dufs syncthing
+#TORRENTS_SERVICES := qbittorrent transmission
+#UTILS_SERVICES := it-tools stirlingpdf omni-tools
 
 MAIN_SERVICES := main_infrastructure caddy homepage
 

README.md

@@ -121,10 +121,6 @@ And then, caddy will generate the certificate for you and renew it automatically
 | [public.bensuperpc.org](https://public.bensuperpc.org)             | Sub  | Caddy for file sharing                                       |
 | [memos.bensuperpc.org](https://memos.bensuperpc.org)               | Sub  | Caddy for file sharing                                       |
 | [stirlingpdf.bensuperpc.org](https://stirlingpdf.bensuperpc.org)   | Sub  | Stirling PDF tools                                           |
-| bensuperpc.com                                                     | Main | Redirect to [www.bensuperpc.org](https://www.bensuperpc.org) |
-| bensuperpc.fr                                                      | Main | Redirect to [www.bensuperpc.org](https://www.bensuperpc.org) |
-| bensuperpc.net                                                     | Main | Redirect to [www.bensuperpc.org](https://www.bensuperpc.org) |
-| bensuperpc.ovh                                                     | Main | Redirect to [www.bensuperpc.org](https://www.bensuperpc.org) |
 
 ### Configure the infrastructure
 

infrastructure/services/caddy/config/Caddyfile

@@ -3,13 +3,13 @@
 	key_type p384
 
 	log {
-		output file /data/logs/access.log
+		output file /data/logs/access.log {
+			roll_size 1GiB
+			roll_keep 20
+			roll_keep_for 720h
+		}
 		format json
 	}
 }
 
-import bensuperpc.org/*
-import bensuperpc.com/*
-import bensuperpc.net/*
-import bensuperpc.ovh/*
-import bensuperpc.fr/*
+import website/*

infrastructure/services/caddy/config/bensuperpc.com/Caddyfile

@@ -1,7 +0,0 @@
-bensuperpc.com {  
-  	redir https://www.bensuperpc.org{uri} permanent
-}
-
-www.bensuperpc.com {  
-  	redir https://www.bensuperpc.org{uri} permanent
-}

infrastructure/services/caddy/config/bensuperpc.fr/Caddyfile

@@ -1,7 +0,0 @@
-bensuperpc.fr {
-	redir https://www.bensuperpc.org{uri} permanent
-}
-
-www.bensuperpc.fr {
-	redir https://www.bensuperpc.org{uri} permanent
-}

infrastructure/services/caddy/config/bensuperpc.net/Caddyfile

@@ -1,19 +0,0 @@
-bensuperpc.net {
-	redir https://www.bensuperpc.org{uri} permanent
-}
-
-www.bensuperpc.net {
-	redir https://www.bensuperpc.org{uri} permanent
-}
-
-git.bensuperpc.net {
-	redir https://git.bensuperpc.org{uri} permanent
-}
-
-jellyfin.bensuperpc.net {
-	redir https://jellyfin.bensuperpc.org{uri} permanent
-}
-
-uptimekuma.bensuperpc.net {
-	redir https://uptimekuma.bensuperpc.org{uri} permanent
-}

infrastructure/services/caddy/config/bensuperpc.org/Caddyfile

@@ -1,184 +0,0 @@
-www.{$MAIN_DOMAIN} {
-	reverse_proxy homepage:3000
-}
-
-{$MAIN_DOMAIN} {
-	redir https://www.{host}{uri} permanent
-}
-
-homepage.{$MAIN_DOMAIN} {
-	redir https://www.{$MAIN_DOMAIN}{uri} permanent
-}
-
-public.{$MAIN_DOMAIN} {
-	root * /public_data
-	file_server browse
-}
-
-wordpress.{$MAIN_DOMAIN} {
-	root * /var/www/html
-	php_fastcgi wordpress:9000
-
-	file_server
-	encode zstd gzip
-
-	@disallowed {
-		path /xmlrpc.php
-		path *.sql
-		path /wp-content/uploads/*.php
-	}
-
-	rewrite @disallowed '/index.php'
-
-	respond /uploads/*.php 404
-
-	header {
-		# disable FLoC tracking
-		Permissions-Policy interest-cohort=()
-
-		# enable HSTS
-		Strict-Transport-Security max-age=31536000;
-
-		# disable clients from sniffing the media type
-		X-Content-Type-Options nosniff
-
-		# clickjacking protection
-		# X-Frame-Options DENY
-
-		# Disable powerful features we don't need
-		Permissions-Policy "geolocation=(), camera=(), microphone=() interest-cohort=()"
-	}
-}
-
-it-tools.{$MAIN_DOMAIN} {
-	# Load balance between 2 instances
-	reverse_proxy {
-		to it-tools0:80 it-tools1:80
-		lb_policy round_robin
-		lb_retries 3
-		lb_try_interval 1s
-	}
-}
-
-omni-tools.{$MAIN_DOMAIN} {
-	# Load balance between 2 instances
-	reverse_proxy {
-		to omni-tools0:80 omni-tools1:80
-		lb_policy round_robin
-		lb_retries 3
-		lb_try_interval 1s
-	}
-}
-
-uptimekuma.{$MAIN_DOMAIN} {
-	reverse_proxy uptime-kuma:3001
-}
-
-torrent.{$MAIN_DOMAIN} {
-	reverse_proxy qbittorrent:8080
-}
-
-qbittorrent.{$MAIN_DOMAIN} {
-	redir https://torrent.{$MAIN_DOMAIN} permanent
-}
-
-transmission.{$MAIN_DOMAIN} {
-	reverse_proxy transmission:9091
-}
-
-gitea.{$MAIN_DOMAIN} {
-	reverse_proxy gitea:3000
-}
-
-git.{$MAIN_DOMAIN} {
-	reverse_proxy forgejo:3000
-}
-
-forgejo.{$MAIN_DOMAIN} {
-	redir https://git.{$MAIN_DOMAIN}{uri} permanent
-}
-
-jellyfin.{$MAIN_DOMAIN} {
-	reverse_proxy jellyfin:8096
-}
-
-transfer.{$MAIN_DOMAIN} {
-	reverse_proxy psitransfer:3000
-}
-
-psitransfer.{$MAIN_DOMAIN} {
-	redir https://transfer.{$MAIN_DOMAIN}{uri} permanent
-}
-
-picoshare.{$MAIN_DOMAIN} {
-	reverse_proxy picoshare:4001
-}
-
-syncthing.{$MAIN_DOMAIN} {
-	reverse_proxy syncthing:8384 {
-		header_up Host {upstream_hostport}
-	}
-}
-
-privatebin.{$MAIN_DOMAIN} {
-	reverse_proxy privatebin:8080
-}
-
-pastebin.{$MAIN_DOMAIN} {
-	redir https://privatebin.{$MAIN_DOMAIN} permanent
-}
-
-yacht.{$MAIN_DOMAIN} {
-	reverse_proxy yacht:8000
-}
-
-projectsend.{$MAIN_DOMAIN} {
-	reverse_proxy projectsend:80
-}
-
-dufs.{$MAIN_DOMAIN} {
-	reverse_proxy dufs:5000
-}
-
-stirlingpdf.{$MAIN_DOMAIN} {
-	reverse_proxy stirlingpdf:8080
-}
-
-memos.{$MAIN_DOMAIN} {
-	reverse_proxy memos:5230
-}
-
-open-webui.{$MAIN_DOMAIN} {
-	reverse_proxy open-webui:8080
-}
-
-link.{$MAIN_DOMAIN} {
-	# TODO: Use service with database
-	# Friendly links
-	redir /gnous https://gnous.eu permanent
-	redir /proxy https://imagisphe.re permanent
-	redir /patch https://spaceint.fr permanent
-	redir /greep https://greep.fr permanent
-
-	# Youtube links
-	redir /rickroll https://www.youtube.com/watch?v=dQw4w9WgXcQ permanent
-	redir /babyshark https://www.youtube.com/watch?v=XqZsoesa55w permanent
-	redir /cowcowcow https://www.youtube.com/watch?v=FavUpD_IjVY permanent
-	redir /badapple https://www.youtube.com/watch?v=FtutLA63Cp8 permanent
-	redir /macdo https://www.youtube.com/watch?v=Q16KpquGsIc permanent
-	redir /superiser https://www.youtube.com/watch?v=srnyVw-OR0g permanent
-	redir /daicon https://youtu.be/-840keiiFDE?si=zIPIokytxcnGw5fJ&t=162 permanent
-	redir /scp https://www.youtube.com/watch?v=FGCDndN20G8 permanent
-	redir /scpfb https://youtu.be/9zrKk-1E8zM?si=8R_ZBVG3GzMUYOe8&t=36 permanent
-	redir /mother https://youtu.be/w3NyycHR3fE?si=rNNSW9zYv0bcO2Eu permanent
-	redir /cpu https://www.youtube.com/watch?v=y39D4529FM4 permanent
-	redir /lechanteur https://youtu.be/HXdP15Ubu6M?si=N0qvhqo--3pmSGmb permanent
-	redir /nohero https://youtu.be/4DuUejBkMqE?si=bkB8G6PHwCp56jxb permanent
-	redir /indochine https://youtu.be/M7X6oYg6iro?si=ZRarm3qamTJ8vIJ0 permanent
-	redir /bna https://youtu.be/3T3ofoKfEoY?si=_7HkGQXMC7rBng8O permanent
-	redir /jojo https://youtu.be/U0TXIXTzJEY?si=2acWJWX06ju2w4uj permanent
-	redir /patapon https://youtu.be/H6CbNHLHkmk?si=ZvU8SzrOK-oCUXT5 permanent
-	redir /darkwater https://youtu.be/Tr8ZgF4Dc0E?si=CEOmm2J6Jp5rdbbt permanent
-	redir /train https://youtu.be/l8mScKWj3kQ?si=BV07uJ9eP3kzV9Kl permanent
-	redir /jdg https://www.youtube.com/@joueurdugrenier permanent
-}

infrastructure/services/caddy/config/bensuperpc.ovh/Caddyfile

@@ -1,7 +0,0 @@
-bensuperpc.ovh {
-	redir https://www.bensuperpc.org{uri} permanent
-}
-
-www.bensuperpc.ovh {
-	redir https://www.bensuperpc.org{uri} permanent
-}

infrastructure/services/caddy/config/website/dufs.caddy

@@ -0,0 +1,5 @@
+import header.caddy
+
+dufs.{$MAIN_DOMAIN} {
+	reverse_proxy dufs:5000
+}

infrastructure/services/caddy/config/website/forgejo.caddy

@@ -0,0 +1,9 @@
+import header.caddy
+
+git.{$MAIN_DOMAIN} {
+	reverse_proxy forgejo:3000
+}
+
+forgejo.{$MAIN_DOMAIN} {
+	redir https://git.{$MAIN_DOMAIN}{uri} permanent
+}

infrastructure/services/caddy/config/website/gitea.caddy

@@ -0,0 +1,5 @@
+import header.caddy
+
+gitea.{$MAIN_DOMAIN} {
+	reverse_proxy gitea:3000
+}

infrastructure/services/caddy/config/website/header.caddy

@@ -0,0 +1,14 @@
+(header_common) {
+	Permissions-Policy: geolocation=(), camera=(), microphone=(), clipboard-read=(), usb=()
+	Strict-Transport-Security: max-age=31536000; includeSubDomains
+	X-Content-Type-Options: nosniff
+	X-Frame-Options: DENY
+	Referrer-Policy: strict-origin-when-cross-origin
+	# Only useful for old browsers
+	X-XSS-Protection: "1; mode=block"
+
+	# Can cause issues with external resources
+	#Cross-Origin-Embedder-Policy: require-corp
+	Cross-Origin-Opener-Policy: same-origin
+	#Cross-Origin-Resource-Policy: same-origin
+}

infrastructure/services/caddy/config/website/homepage.caddy

@@ -0,0 +1,5 @@
+import header.caddy
+
+homepage.{$MAIN_DOMAIN} {
+	redir reverse_proxy homepage:3000
+}

infrastructure/services/caddy/config/website/it-tools.caddy

@@ -0,0 +1,11 @@
+import header.caddy
+
+it-tools.{$MAIN_DOMAIN} {
+	# Load balance between 2 instances
+	reverse_proxy {
+		to it-tools0:80 it-tools1:80
+		lb_policy round_robin
+		lb_retries 3
+		lb_try_interval 1s
+	}
+}

infrastructure/services/caddy/config/website/jellyfin.caddy

@@ -0,0 +1,5 @@
+import header.caddy
+
+jellyfin.{$MAIN_DOMAIN} {
+	reverse_proxy jellyfin:8096
+}

infrastructure/services/caddy/config/website/main.caddy

@@ -0,0 +1,29 @@
+import header.caddy
+
+www.{$MAIN_DOMAIN} {
+	header {
+		Cache-Control "public, max-age=10"
+		import header_common
+	}
+
+	handle_errors {
+		@notFound expression `{http.error.status_code} == 404`
+		redir @notFound https://www.{$MAIN_DOMAIN} permanent
+	}
+
+	reverse_proxy homepage:3000
+}
+
+{$MAIN_DOMAIN} {
+	redir https://www.{host}{uri} permanent
+}
+
+public.{$MAIN_DOMAIN} {
+	root * /public_data
+	file_server browse
+
+	header / {
+		Cache-Control "no-store"
+		import header_common
+	}
+}

infrastructure/services/caddy/config/website/memos.caddy

@@ -0,0 +1,5 @@
+import header.caddy
+
+memos.{$MAIN_DOMAIN} {
+	reverse_proxy memos:5230
+}

infrastructure/services/caddy/config/website/omni-tools.caddy

@@ -0,0 +1,11 @@
+import header.caddy
+
+omni-tools.{$MAIN_DOMAIN} {
+	# Load balance between 2 instances
+	reverse_proxy {
+		to omni-tools0:80 omni-tools1:80
+		lb_policy round_robin
+		lb_retries 3
+		lb_try_interval 1s
+	}
+}

infrastructure/services/caddy/config/website/open-webui.caddy

@@ -0,0 +1,5 @@
+import header.caddy
+
+open-webui.{$MAIN_DOMAIN} {
+	reverse_proxy open-webui:8080
+}

infrastructure/services/caddy/config/website/picoshare.caddy

@@ -0,0 +1,5 @@
+import header.caddy
+
+picoshare.{$MAIN_DOMAIN} {
+	reverse_proxy picoshare:4001
+}

infrastructure/services/caddy/config/website/privatebin.caddy

@@ -0,0 +1,9 @@
+import header.caddy
+
+privatebin.{$MAIN_DOMAIN} {
+	reverse_proxy privatebin:8080
+}
+
+pastebin.{$MAIN_DOMAIN} {
+	redir https://privatebin.{$MAIN_DOMAIN} permanent
+}

infrastructure/services/caddy/config/website/projectsend.caddy

@@ -0,0 +1,5 @@
+import header.caddy
+
+projectsend.{$MAIN_DOMAIN} {
+	reverse_proxy projectsend:80
+}

infrastructure/services/caddy/config/website/psitransfer.caddy

@@ -0,0 +1,9 @@
+import header.caddy
+
+transfer.{$MAIN_DOMAIN} {
+	reverse_proxy psitransfer:3000
+}
+
+psitransfer.{$MAIN_DOMAIN} {
+	redir https://transfer.{$MAIN_DOMAIN}{uri} permanent
+}

infrastructure/services/caddy/config/website/qbittorrent.caddy

@@ -0,0 +1,9 @@
+import header.caddy
+
+torrent.{$MAIN_DOMAIN} {
+	reverse_proxy qbittorrent:8080
+}
+
+qbittorrent.{$MAIN_DOMAIN} {
+	redir https://torrent.{$MAIN_DOMAIN} permanent
+}

infrastructure/services/caddy/config/website/stirlingpdf.caddy

@@ -0,0 +1,5 @@
+import header.caddy
+
+stirlingpdf.{$MAIN_DOMAIN} {
+	reverse_proxy stirlingpdf:8080
+}

infrastructure/services/caddy/config/website/syncthing.caddy

@@ -0,0 +1,7 @@
+import header.caddy
+
+syncthing.{$MAIN_DOMAIN} {
+	reverse_proxy syncthing:8384 {
+		header_up Host {upstream_hostport}
+	}
+}

infrastructure/services/caddy/config/website/transmission.caddy

@@ -0,0 +1,5 @@
+import header.caddy
+
+transmission.{$MAIN_DOMAIN} {
+	reverse_proxy transmission:9091
+}

infrastructure/services/caddy/config/website/uptimekuma.caddy

@@ -0,0 +1,5 @@
+import header.caddy
+
+uptimekuma.{$MAIN_DOMAIN} {
+	reverse_proxy uptime-kuma:3001
+}

infrastructure/services/caddy/config/website/wordpress.caddy

@@ -0,0 +1,36 @@
+import header.caddy
+
+wordpress.{$MAIN_DOMAIN} {
+	root * /var/www/html
+	php_fastcgi wordpress:9000
+
+	file_server
+	encode zstd gzip
+
+	@disallowed {
+		path /xmlrpc.php
+		path *.sql
+		path /wp-content/uploads/*.php
+	}
+
+	rewrite @disallowed '/index.php'
+
+	respond /uploads/*.php 404
+
+	header {
+		# disable FLoC tracking
+		Permissions-Policy interest-cohort=()
+
+		# enable HSTS
+		Strict-Transport-Security max-age=31536000;
+
+		# disable clients from sniffing the media type
+		X-Content-Type-Options nosniff
+
+		# clickjacking protection
+		# X-Frame-Options DENY
+
+		# Disable powerful features we don't need
+		Permissions-Policy "geolocation=(), camera=(), microphone=() interest-cohort=()"
+	}
+}

infrastructure/services/caddy/config/website/yacht.caddy

@@ -0,0 +1,5 @@
+import header.caddy
+
+yacht.{$MAIN_DOMAIN} {
+	reverse_proxy yacht:8000
+}