From 5258f9bd7a5039315cda2f2df304aebeb7e23b80 Mon Sep 17 00:00:00 2001
From: cutemeli
Date: Thu, 8 Jan 2026 18:41:32 +0100
Subject: [PATCH] Track only selected configs
---
.gitignore | 40 +++++
etc/nginx/sites-available/reverse-proxy.conf | 156 +++++++++++++++++++
etc/systemd/system/gitea.service | 16 ++
etc/systemd/system/monitoring.service | 15 ++
etc/systemd/system/nextcloud.service | 15 ++
etc/systemd/system/proxmox-vm.service | 21 +++
etc/systemd/system/vaultwarden.service | 15 ++
opt/gitea/docker-compose.yml | 45 ++++++
opt/monitoring/docker-compose.yml | 63 ++++++++
opt/nextcloud/docker-compose.yml | 34 ++++
opt/vaultwarden/docker-compose.yml | 17 ++
usr/lib/systemd/system/wg-quick@.service | 22 +++
12 files changed, 459 insertions(+)
create mode 100644 .gitignore
create mode 100644 etc/nginx/sites-available/reverse-proxy.conf
create mode 100644 etc/systemd/system/gitea.service
create mode 100644 etc/systemd/system/monitoring.service
create mode 100644 etc/systemd/system/nextcloud.service
create mode 100644 etc/systemd/system/proxmox-vm.service
create mode 100644 etc/systemd/system/vaultwarden.service
create mode 100644 opt/gitea/docker-compose.yml
create mode 100644 opt/monitoring/docker-compose.yml
create mode 100644 opt/nextcloud/docker-compose.yml
create mode 100644 opt/vaultwarden/docker-compose.yml
create mode 100644 usr/lib/systemd/system/wg-quick@.service
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000..bc44538d55
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,40 @@
+# IGNORE ALLES standardmäßig (Repo-Root ist /)
+ /*
+
+# Gitignore selbst muss rein
+!/.gitignore
+
+# ---- WHITELIST: NGINX ----
+!/etc/
+!/etc/nginx/
+!/etc/nginx/sites-available/
+!/etc/nginx/sites-available/reverse-proxy.conf
+
+# ---- WHITELIST: Docker Compose Files ----
+!/opt/
+!/opt/gitea/
+!/opt/gitea/docker-compose.yml
+
+!/opt/monitoring/
+!/opt/monitoring/docker-compose.yml
+
+!/opt/nextcloud/
+!/opt/nextcloud/docker-compose.yml
+
+!/opt/vaultwarden/
+!/opt/vaultwarden/docker-compose.yml
+
+# ---- WHITELIST: systemd units ----
+!/usr/
+!/usr/lib/
+!/usr/lib/systemd/
+!/usr/lib/systemd/system/
+!/usr/lib/systemd/system/wg-quick@.service
+
+!/etc/systemd/
+!/etc/systemd/system/
+!/etc/systemd/system/monitoring.service
+!/etc/systemd/system/proxmox-vm.service
+!/etc/systemd/system/nextcloud.service
+!/etc/systemd/system/gitea.service
+!/etc/systemd/system/vaultwarden.service
diff --git a/etc/nginx/sites-available/reverse-proxy.conf b/etc/nginx/sites-available/reverse-proxy.conf
new file mode 100644
index 0000000000..4d4171601c
--- /dev/null
+++ b/etc/nginx/sites-available/reverse-proxy.conf
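Review bot: `!/etc/`, `!/opt/`, `!/usr/` and the intermediate `!/usr/lib/`, `!/usr/lib/systemd/`, `!/etc/nginx/`, `!/etc/systemd/` entries re-include each whole directory rather than just the listed files, because the root rule `/*` only matches direct children of the repository root and nothing ignores what lies beneath a directory once it is un-ignored; after `!/etc/` a `git add -A` would stage `etc/ssl/private/*.key` (the keys this commit's nginx config points at), `etc/shadow` or `opt/vaultwarden/data` just as readily as the twelve files listed here. That the diffstat shows only the intended files suggests they were added by name, so the whitelist has not actually been exercised yet. Each level needs a `/dir/*` exclusion right after its `!/dir/` re-include, as shown for the nginx chain below; the opt and systemd chains follow the same pairing (`!/opt/` then `/opt/*`, `!/opt/gitea/` then `/opt/gitea/*`, and so on down to each listed file).
```gitignore
# … unchanged: root "/*" rule and "!/.gitignore" …

# ---- WHITELIST: NGINX ----
# every "!/dir/" re-include is followed by "/dir/*" so only the listed children survive
!/etc/
/etc/*
!/etc/nginx/
/etc/nginx/*
!/etc/nginx/sites-available/
/etc/nginx/sites-available/*
!/etc/nginx/sites-available/reverse-proxy.conf

# … opt/ and systemd chains: same "!/dir/" then "/dir/*" pairing down to each listed file …
```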
@@ -0,0 +1,156 @@
+# -----------------------------
+# Proxmox (nur via VPN)
+# -----------------------------
+server {
+ listen 443 ssl http2;
+ server_name proxmox.cutemeli.com;
+
+ ssl_certificate /etc/ssl/certs/proxmox.pem;
+ ssl_certificate_key /etc/ssl/private/proxmox.key;
+
+ allow 127.0.0.1;
+ allow 10.10.0.0/24;
+ allow 172.17.0.0/16;
+ allow 172.18.0.0/16;
+ allow 172.19.0.0/16;
+ deny all;
+
+ location / {
+ proxy_pass https://127.0.0.1:8006;
+ proxy_ssl_verify off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
+# -----------------------------
+# Git
+# -----------------------------
+server {
+ listen 443 ssl http2;
+ server_name git.cutemeli.com;
+
+ ssl_certificate /etc/ssl/certs/git.pem;
+ ssl_certificate_key /etc/ssl/private/git.key;
+
+ #allow 10.10.0.0/24;
+ #allow 127.0.0.1;
+ #deny all;
+
+ client_max_body_size 5g;
+
+ location / {
+ proxy_pass http://127.0.0.1:3001;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+
+ proxy_read_timeout 3600;
+ proxy_redirect off;
+ }
+}
+
+# -----------------------------
+# Nextcloud
+# -----------------------------
+server {
+ listen 443 ssl http2;
+ server_name share.cutemeli.com;
+
+ ssl_certificate /etc/ssl/certs/share.pem;
+ ssl_certificate_key /etc/ssl/private/share.key;
+
+ client_max_body_size 2G;
+
+ location / {
+ proxy_pass http://127.0.0.1:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+
+ proxy_read_timeout 3600;
+ proxy_redirect off;
+ }
+
+ # Pflicht für DAV / Kalender / Kontakte
+ location = /.well-known/carddav {
+ return 301 /remote.php/dav;
+ }
+ location = /.well-known/caldav {
+ return 301 /remote.php/dav;
+ }
+
+ # Optional für Federation, Talk, etc.
+ location ^~ /.well-known {
+ proxy_pass http://127.0.0.1:8080;
+ }
+}
+
+# -----------------------------
+# Monitoring (nur via VPN)
+# -----------------------------
+server {
+ listen 443 ssl http2;
+ server_name monitor.cutemeli.com;
+
+ ssl_certificate /etc/ssl/certs/monitor.pem;
+ ssl_certificate_key /etc/ssl/private/monitor.key;
+
+ allow 10.10.0.0/24;
+ allow 127.0.0.1;
+ deny all;
+
+ location / {
+ proxy_pass http://127.0.0.1:8082;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+}
+# -----------------------------
+# Vaultwarden
+# -----------------------------
+server {
+ listen 443 ssl http2;
+ server_name vault.cutemeli.com;
+
+ ssl_certificate /etc/ssl/certs/vault.pem;
+ ssl_certificate_key /etc/ssl/private/vault.key;
+
+ location / {
+ proxy_pass http://127.0.0.1:8081;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+
+ # Für WebSocket Sync mit Browser Extensions
+ location /notifications/hub {
+ proxy_pass http://127.0.0.1:8081;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ location /notifications/hub/negotiate {
+ proxy_pass http://127.0.0.1:8081;
+ }
+}
+
+# -----------------------------
+# Redirect HTTP -> HTTPS
+# -----------------------------
+server {
+ listen 80;
+ listen [::]:80;
+ server_name git.cutemeli.com proxmox.cutemeli.com share.cutemeli.com monitor.cutemeli.com prometheus.cutemeli.com vault.cutemeli.com vpn.cutemeli.com;
+ return 301 https://$host$request_uri;
+}
+
+
+
+
+
diff --git a/etc/systemd/system/gitea.service b/etc/systemd/system/gitea.service
new file mode 100644
index 0000000000..eae6d2c991
--- /dev/null
+++ b/etc/systemd/system/gitea.service
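Review bot: The Proxmox block is labelled `nur via VPN` but its allow list also admits `172.17.0.0/16`, `172.18.0.0/16` and `172.19.0.0/16`, which look like Docker bridge ranges (the compose files in this commit create bridge networks), so any container on the host could reach the Proxmox UI through nginx; either drop those three `allow` lines or state the reason above them, e.g. `# Docker bridge ranges: containers are meant to reach the Proxmox UI`. Both WebSocket locations, the Proxmox `location /` and Vaultwarden's `/notifications/hub`, set `Upgrade`/`Connection` headers without `proxy_http_version 1.1;`, and nginx proxies with HTTP/1.0 by default, under which the upgrade cannot complete. The Vaultwarden block is also the only proxied service without `proxy_set_header X-Real-IP $remote_addr;`; Vaultwarden takes the client address from that header by default (its `IP_HEADER` setting), so login rate limiting and the admin log would otherwise see only 127.0.0.1 — confirm against the deployed version.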
@@ -0,0 +1,16 @@
+[Unit]
+Description=Gitea (Docker Compose)
+Requires=docker.service
+After=docker.service network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+WorkingDirectory=/opt/gitea
+ExecStart=/usr/bin/docker compose up -d
+ExecStop=/usr/bin/docker compose down
+RemainAfterExit=yes
+TimeoutStartSec=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/etc/systemd/system/monitoring.service b/etc/systemd/system/monitoring.service
new file mode 100644
index 0000000000..646c462847
--- /dev/null
+++ b/etc/systemd/system/monitoring.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Monitoring Stack (Icinga)
+Requires=docker.service
+After=docker.service
+
+[Service]
+Type=oneshot
+WorkingDirectory=/opt/monitoring
+RemainAfterExit=yes
+ExecStart=/usr/bin/docker compose up -d
+ExecStop=/usr/bin/docker compose down
+TimeoutStartSec=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/etc/systemd/system/nextcloud.service b/etc/systemd/system/nextcloud.service
new file mode 100644
index 0000000000..8845a12fcb
--- /dev/null
+++ b/etc/systemd/system/nextcloud.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Nextcloud Docker Compose Service
+Requires=docker.service
+After=docker.service network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+WorkingDirectory=/opt/nextcloud
+ExecStart=/usr/bin/docker compose up -d
+ExecStop=/usr/bin/docker compose down
+ExecReload=/usr/bin/docker compose restart
+
+[Install]
+WantedBy=multi-user.target
diff --git a/etc/systemd/system/proxmox-vm.service b/etc/systemd/system/proxmox-vm.service
new file mode 100644
index 0000000000..619742ce3b
--- /dev/null
+++ b/etc/systemd/system/proxmox-vm.service
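Review bot: nextcloud.service (the third hunk on this line) omits the `TimeoutStartSec=0` that gitea.service, monitoring.service and vaultwarden.service set; with `Type=oneshot` the default start timeout (typically 90 s) applies to `docker compose up -d`, so a first-boot image pull that runs longer gets the unit killed and marked failed. The `[Unit]` ordering also differs without a visible reason: gitea orders after `network-online.target` with a matching `Wants=`, monitoring only after `docker.service`, nextcloud after `network.target`, which does not wait for connectivity. Adding `TimeoutStartSec=0` to nextcloud.service and using the same `After=docker.service network-online.target` / `Wants=network-online.target` pair in all four compose wrapper units (vaultwarden.service is on the next line) would make them interchangeable.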
@@ -0,0 +1,21 @@
+[Unit]
+Description=Proxmox VM (QEMU)
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/qemu-system-x86_64 \
+ -enable-kvm \
+ -cpu host \
+ -m 4096 \
+ -smp 4 \
+ -drive file=/root/proxmox-disk.qcow2,format=qcow2 \
+ -boot order=c \
+ -nographic \
+ -netdev user,id=net0,hostfwd=tcp::2222-:22,hostfwd=tcp::8006-:8006 \
+ -device virtio-net-pci,netdev=net0
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/etc/systemd/system/vaultwarden.service b/etc/systemd/system/vaultwarden.service
new file mode 100644
index 0000000000..61f2df470f
--- /dev/null
+++ b/etc/systemd/system/vaultwarden.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Vaultwarden (Bitwarden in Rust)
+After=docker.service
+Requires=docker.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+WorkingDirectory=/opt/vaultwarden
+ExecStart=/usr/bin/docker compose up -d
+ExecStop=/usr/bin/docker compose down
+TimeoutStartSec=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/opt/gitea/docker-compose.yml b/opt/gitea/docker-compose.yml
new file mode 100644
index 0000000000..165dbc675c
--- /dev/null
+++ b/opt/gitea/docker-compose.yml
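Review bot: `hostfwd=tcp::2222-:22,hostfwd=tcp::8006-:8006` leaves the host address empty, so QEMU's user-mode forwards listen on all host interfaces; the nginx config in this commit limits proxmox.cutemeli.com to loopback and VPN ranges, but host port 8006 (and SSH on 2222) is then reachable from every network the host sits on unless a host firewall blocks it, which the commit does not show. Binding the forwards to loopback keeps the restriction in one place: `-netdev user,id=net0,hostfwd=tcp:127.0.0.1:2222-:22,hostfwd=tcp:127.0.0.1:8006-:8006 \`. The unit also sets no `User=`, so qemu runs as root with its disk image under `/root`; if that is deliberate, a one-line comment above `ExecStart=` saying why would save the next reader the question.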
@@ -0,0 +1,45 @@
+services:
+ db:
+ image: postgres:16
+ container_name: gitea-db
+ restart: unless-stopped
+ environment:
+ POSTGRES_USER: gitea
+ POSTGRES_PASSWORD: "oC^Kg66uG%^8aZ6KfSJM"
+ POSTGRES_DB: gitea
+ volumes:
+ - gitea_db:/var/lib/postgresql/data
+ networks:
+ - gitea
+
+ gitea:
+ image: gitea/gitea:latest
+ container_name: gitea
+ restart: unless-stopped
+ depends_on:
+ - db
+ environment:
+ USER_UID: "1000"
+ USER_GID: "1000"
+ GITEA__database__DB_TYPE: postgres
+ GITEA__database__HOST: db:5432
+ GITEA__database__NAME: gitea
+ GITEA__database__USER: gitea
+ GITEA__database__PASSWD: "oC^Kg66uG%^8aZ6KfSJM"
+ GITEA__service__DISABLE_REGISTRATION: "true"
+ GITEA__service__SHOW_REGISTRATION_BUTTON: "false"
+ volumes:
+ - gitea_data:/data
+ ports:
+ - "127.0.0.1:3001:3000"
+ - "2223:22"
+ networks:
+ - gitea
+
+volumes:
+ gitea_db:
+ gitea_data:
+
+networks:
+ gitea:
+ driver: bridge
diff --git a/opt/monitoring/docker-compose.yml b/opt/monitoring/docker-compose.yml
new file mode 100644
index 0000000000..05f0b5b469
--- /dev/null
+++ b/opt/monitoring/docker-compose.yml
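Review bot: `POSTGRES_PASSWORD` and `GITEA__database__PASSWD` put a real-looking database credential in clear text into a file this commit starts tracking, so it now lives in git history; the same applies to `MARIADB_ROOT_PASSWORD`/`MARIADB_PASSWORD` in opt/monitoring, `MYSQL_ROOT_PASSWORD`/`MYSQL_PASSWORD` in opt/nextcloud and `ADMIN_TOKEN` in opt/vaultwarden. Anything committed here should be treated as disclosed and rotated, and the compose files should take the values from an untracked `.env` through interpolation, e.g. `POSTGRES_PASSWORD: "${GITEA_DB_PASSWORD:?set in .env}"` with the same variable for `GITEA__database__PASSWD` (which also removes the duplicated literal), or from `env_file:`/`secrets:`; recent Vaultwarden versions additionally accept an Argon2 PHC hash in `ADMIN_TOKEN` in place of the plain token. The `.gitignore` in this commit whitelists only `docker-compose.yml` per directory, so a sibling `.env` stays untracked without further changes. `gitea/gitea:latest` is unpinned while the database is `postgres:16`; pinning a Gitea major version avoids an unplanned migration on the next `docker compose up`.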
@@ -0,0 +1,63 @@
+services:
+ db:
+ image: mariadb:11
+ container_name: icinga-db
+ command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+ environment:
+ MARIADB_ROOT_PASSWORD: change-me-root
+ MARIADB_DATABASE: icinga
+ MARIADB_USER: icinga
+ MARIADB_PASSWORD: change-me-icinga
+ volumes:
+ - ./data/db:/var/lib/mysql
+ networks:
+ - monitoring
+ restart: unless-stopped
+
+ redis:
+ image: redis:7-alpine
+ container_name: icinga-redis
+ command: ["redis-server", "--port", "6380"]
+ networks:
+ - monitoring
+ restart: unless-stopped
+
+ icinga2:
+ image: icinga/icinga2:2.14
+ container_name: icinga2
+ environment:
+ ICINGA2_FEATURE_GRAPHITE: "0"
+ volumes:
+ - ./data/icinga2/etc:/etc/icinga2
+ - ./data/icinga2/var:/var/lib/icinga2
+ - ./data/icinga2/log:/var/log/icinga2
+ - ./data/icinga2/cache:/var/cache/icinga2
+ networks:
+ - monitoring
+ restart: unless-stopped
+
+ icingaweb2:
+ image: icinga/icingaweb2:2.12
+ container_name: icingaweb2
+ depends_on:
+ - db
+ - icinga2
+ environment:
+ # Web Setup läuft über UI, DB-Zugang ist trotzdem nötig:
+ ICINGAWEB2_DB_TYPE: mysql
+ ICINGAWEB2_DB_HOST: db
+ ICINGAWEB2_DB_NAME: icinga
+ ICINGAWEB2_DB_USERNAME: icinga
+ ICINGAWEB2_DB_PASSWORD: change-me-icinga
+ volumes:
+ - ./data/icingaweb2/config:/etc/icingaweb2
+ - ./data/icingaweb2/data:/var/lib/icingaweb2
+ ports:
+ - "8082:8080" # intern 8080 -> außen 8081 (für Nginx Proxy)
+ networks:
+ - monitoring
+ restart: unless-stopped
+
+networks:
+ monitoring:
+ name: monitoring
diff --git a/opt/nextcloud/docker-compose.yml b/opt/nextcloud/docker-compose.yml
new file mode 100644
index 0000000000..c7d6d8f501
--- /dev/null
+++ b/opt/nextcloud/docker-compose.yml
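Review bot: `- "8082:8080"` publishes Icinga Web on every host interface, while the gitea and vaultwarden compose files bind their web ports to `127.0.0.1` and the nginx block for monitor.cutemeli.com is meant to be VPN-only, so the direct port sidesteps that allow list; `- "8080:80"` in opt/nextcloud/docker-compose.yml has the same problem. Use `- "127.0.0.1:8082:8080"  # container 8080 -> host 8082, reached only through nginx`, which also replaces the trailing comment that still says 8081. The `change-me-root`/`change-me-icinga` placeholders must be replaced before the stack is first started and fall under the secrets point raised on opt/gitea/docker-compose.yml.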
@@ -0,0 +1,34 @@
+version: '3.8'
+
+services:
+ db:
+ image: mariadb:10.11
+ container_name: nextcloud-db
+ restart: always
+ environment:
+ MYSQL_ROOT_PASSWORD: supersecurepassword
+ MYSQL_DATABASE: nextcloud
+ MYSQL_USER: nextcloud
+ MYSQL_PASSWORD: nextcloudpass
+ volumes:
+ - db_data:/var/lib/mysql
+
+ app:
+ image: nextcloud:31
+ container_name: nextcloud-app
+ restart: always
+ ports:
+ - "8080:80"
+ volumes:
+ - nextcloud_data:/var/www/html
+ environment:
+ MYSQL_HOST: db
+ MYSQL_DATABASE: nextcloud
+ MYSQL_USER: nextcloud
+ MYSQL_PASSWORD: nextcloudpass
+ depends_on:
+ - db
+
+volumes:
+ db_data:
+ nextcloud_data:
diff --git a/opt/vaultwarden/docker-compose.yml b/opt/vaultwarden/docker-compose.yml
new file mode 100644
index 0000000000..9153ed3a81
--- /dev/null
+++ b/opt/vaultwarden/docker-compose.yml
@@ -0,0 +1,17 @@
+version: "3"
+
+services:
+ vaultwarden:
+ image: vaultwarden/server:latest
+ container_name: vaultwarden
+ restart: unless-stopped
+ volumes:
+ - /opt/vaultwarden/data:/data
+ environment:
+ - DOMAIN=https://vault.cutemeli.com
+ - ADMIN_TOKEN=Av3sM@NN5JyRk#ChqwxaberYYJfkpX
+ - WEBSOCKET_ENABLED=true
+ - SIGNUPS_ALLOWED=false
+ - LOG_FILE=/data/vaultwarden.log
+ ports:
+ - "127.0.0.1:8081:80"
diff --git a/usr/lib/systemd/system/wg-quick@.service b/usr/lib/systemd/system/wg-quick@.service
new file mode 100644
index 0000000000..dbdab44fb5
--- /dev/null
+++ b/usr/lib/systemd/system/wg-quick@.service
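Review bot: The `app` service carries no reverse-proxy settings although nginx terminates TLS in front of it; the official image reads `OVERWRITEPROTOCOL`, `OVERWRITEHOST`, `TRUSTED_PROXIES` and `NEXTCLOUD_TRUSTED_DOMAINS` from the environment, and without them Nextcloud builds `http://` links and its brute-force protection attributes every attempt to the proxy's address rather than the client's — confirm against the `nextcloud:31` image documentation. The block below adds them to `environment:`; the trusted-proxy value is the address nginx connects from as seen inside the container, which this commit does not show. `version: '3.8'` is obsolete for the Compose v2 CLI (it warns and ignores it) and is absent from the gitea and monitoring files; dropping it keeps the four files consistent.
```yaml
  app:
    # … unchanged: image, container_name, restart, ports, volumes …
    environment:
      MYSQL_HOST: db
      # … unchanged: MYSQL_DATABASE, MYSQL_USER, MYSQL_PASSWORD …
      OVERWRITEPROTOCOL: https
      OVERWRITEHOST: share.cutemeli.com
      NEXTCLOUD_TRUSTED_DOMAINS: share.cutemeli.com
      TRUSTED_PROXIES: "<docker-bridge-gateway-address>"  # placeholder: the source address of the nginx host inside the container network
```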
@@ -0,0 +1,22 @@
+[Unit]
+Description=WireGuard via wg-quick(8) for %I
+After=network-online.target nss-lookup.target
+Wants=network-online.target nss-lookup.target
+PartOf=wg-quick.target
+Documentation=man:wg-quick(8)
+Documentation=man:wg(8)
+Documentation=https://www.wireguard.com/
+Documentation=https://www.wireguard.com/quickstart/
+Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
+Documentation=https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/wg-quick up %i
+ExecStop=/usr/bin/wg-quick down %i
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
+Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
+
+[Install]
+WantedBy=multi-user.target