Initial Commit

This commit is contained in:
Isaac Shoebottom 2022-10-07 00:40:05 -03:00
commit fcdb22a413
7 changed files with 312 additions and 0 deletions

42
dynmap.conf Normal file
View File

@ -0,0 +1,42 @@
server {
server_name dynmap.shoebottom.ca;
ssl_certificate /etc/letsencrypt/live/dynmap.shoebottom.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dynmap.shoebottom.ca/privkey.pem;
location / {
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:8123/;
}
listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/dynmap.shoebottom.ca/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/dynmap.shoebottom.ca/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/dynmap.shoebottom.ca/chain.pem; # managed by Certbot
ssl_stapling on; # managed by Certbot
ssl_stapling_verify on; # managed by Certbot
}
server {
if ($host = dynmap.shoebottom.ca) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
listen [::]:80;
server_name dynmap.shoebottom.ca;
# Uncomment to redirect HTTP to HTTPS
return 301 https://$host$request_uri;
}

33
gitea.conf Normal file
View File

@ -0,0 +1,33 @@
server {
server_name git.shoebottom.ca;
location / {
proxy_pass http://localhost:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Increase size because commits would fail
client_max_body_size 500m;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/git.shoebottom.ca/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/git.shoebottom.ca/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = git.shoebottom.ca) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name git.shoebottom.ca;
return 404; # managed by Certbot
}

66
homepage.conf Normal file
View File

@ -0,0 +1,66 @@
server {
server_name shoebottom.ca; # managed by Certbot
root /home/isaac/www/shoebottom.ca;
index index.html;
listen [::]:443 ssl ipv6only=on default_server; # managed by Certbot
listen 443 ssl default_server; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/shoebottom.ca/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/shoebottom.ca/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot
# Security / XSS Mitigation Headers
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1";
add_header X-Content-Type-Options "nosniff";
# add_header Content-Security-Policy "default-src 'self' https://i.imgur.com;" always;
ssl_trusted_certificate /etc/letsencrypt/live/shoebottom.ca/chain.pem; # managed by Certbot
ssl_stapling on; # managed by Certbot
ssl_stapling_verify on; # managed by Certbot
location /music {
autoindex on;
sendfile on;
alias /home/isaac/Media/Music;
}
location /movies {
autoindex on;
sendfile on;
alias /home/isaac/Media/Movies;
}
location /tv {
autoindex on;
sendfile on;
alias /home/isaac/Media/TV;
}
location /anime {
autoindex on;
sendfile on;
alias /home/isaac/Media/Anime;
}
location /host {
autoindex off;
sendfile on;
alias /home/isaac/Media/Host;
}
}
server {
if ($host = shoebottom.ca) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80 default_server;
listen [::]:80 default_server;
server_name shoebottom.ca; # managed by Certbot
root /home/isaac/www/shoebottom.ca;
index index.html;
}

7
jellyfin-vue.conf Normal file
View File

@ -0,0 +1,7 @@
server {
listen 8000;
listen [::]:8000;
root /home/isaac/www/jellyfin-vue.shoebottom.ca;
index index.html;
server_name jellyfin-vue.shoebottom.ca;
}

85
jellyfin.conf Normal file
View File

@ -0,0 +1,85 @@
# Uncomment the commented sections after you have acquired a SSL Certificate
server {
listen 80;
listen [::]:80;
server_name jellyfin.shoebottom.ca;
# Uncomment to redirect HTTP to HTTPS
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name jellyfin.shoebottom.ca;
# use a variable to store the upstream proxy
# in this example we are using a hostname which is resolved via DNS
# (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $jellyfin 127.0.0.1`)
set $jellyfin 127.0.0.1;
# resolver 127.0.0.1 valid=30;
ssl_certificate /etc/letsencrypt/live/jellyfin.shoebottom.ca/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jellyfin.shoebottom.ca/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
ssl_trusted_certificate /etc/letsencrypt/live/jellyfin.shoebottom.ca/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
# Security / XSS Mitigation Headers
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# add_header Content-Security-Policy "default-src https: data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
location = / {
return 302 https://$host/web/;
}
location / {
# Proxy main Jellyfin traffic
proxy_pass http://$jellyfin:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
# location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
location = /web/ {
# Proxy main Jellyfin traffic
proxy_pass http://$jellyfin:8096/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
location /socket {
# Proxy Jellyfin Websockets traffic
proxy_pass http://$jellyfin:8096;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
}

38
owncast.conf Normal file
View File

@ -0,0 +1,38 @@
server {
server_name live.shoebottom.ca;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://127.0.0.1:8080;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/live.shoebottom.ca/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/live.shoebottom.ca/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = live.shoebottom.ca) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name live.shoebottom.ca;
listen 80;
return 404; # managed by Certbot
}

41
pihole.conf Normal file
View File

@ -0,0 +1,41 @@
server {
listen 31415;
listen [::]:31415;
root /var/www/html;
server_name dns.shoebottom.ca;
autoindex off;
index pihole/index.php index.php index.html index.htm;
location / {
expires max;
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
fastcgi_param FQDN true;
# auth_basic "Restricted"; # For Basic Auth
# auth_basic_user_file /etc/nginx/.htpasswd; # For Basic Auth
}
location /*.js {
index pihole/index.js;
# auth_basic "Restricted"; # For Basic Auth
# auth_basic_user_file /etc/nginx/.htpasswd; # For Basic Auth
}
location /admin {
root /var/www/html;
index index.php index.html index.htm;
# auth_basic "Restricted"; # For Basic Auth
# auth_basic_user_file /etc/nginx/.htpasswd; # For Basic Auth
}
location ~ /\.ht {
deny all;
}
}