cutemeli/server
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Track server config (selected files)

Browse Source
This commit is contained in:
cutemeli
2025-12-22 11:03:43 +00:00
parent 10d1afbb17
commit da62732947
2922 changed files with 114890 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

83
etc/nginx/nginx.conf Normal file
View File

@@ -0,0 +1,83 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}

213
etc/nginx/sites-available/reverse-proxy.conf Normal file
View File

@@ -0,0 +1,213 @@
# -----------------------------
# Proxmox (nur via VPN erreichbar)
# -----------------------------
server {
listen 443 ssl http2;
server_name proxmox.cutemeli.com;
ssl_certificate /etc/ssl/certs/proxmox.pem;
ssl_certificate_key /etc/ssl/private/proxmox.key;
# Zugriff nur lokal / VPN / Docker
allow 127.0.0.1;
allow 10.10.0.0/24;
allow 172.17.0.0/16;
allow 172.18.0.0/16;
allow 172.19.0.0/16;
deny all;
location / {
proxy_pass https://127.0.0.1:8006;
proxy_ssl_verify off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# -----------------------------
# Git
# -----------------------------
server {
listen 443 ssl http2;
server_name git.cutemeli.com;
ssl_certificate /etc/ssl/certs/git.pem;
ssl_certificate_key /etc/ssl/private/git.key;
#allow 10.10.0.0/24;
#allow 127.0.0.1;
#deny all;
client_max_body_size 2g;
location / {
proxy_pass http://127.0.0.1:3001;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 3600;
proxy_redirect off;
}
}
# -----------------------------
# Nextcloud (Docker @ localhost:8080)
# -----------------------------
server {
listen 443 ssl http2;
server_name share.cutemeli.com;
ssl_certificate /etc/ssl/certs/share.pem;
ssl_certificate_key /etc/ssl/private/share.key;
client_max_body_size 2G;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_read_timeout 3600;
proxy_redirect off;
}
# Pflicht für DAV / Kalender / Kontakte
location = /.well-known/carddav {
return 301 /remote.php/dav;
}
location = /.well-known/caldav {
return 301 /remote.php/dav;
}
# Optional für Federation, Talk, etc.
location ^~ /.well-known {
proxy_pass http://127.0.0.1:8080;
}
}
# -----------------------------
# Monitoring
# -----------------------------
server {
listen 443 ssl http2;
server_name monitor.cutemeli.com;
ssl_certificate /etc/ssl/certs/monitor.pem;
ssl_certificate_key /etc/ssl/private/monitor.key;
# Zugriff nur aus VPN / lokal
allow 10.10.0.0/24;
allow 127.0.0.1;
deny all;
location / {
proxy_pass http://127.0.0.1:3000; # Grafana UI
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
# ====================================================
# PROMETHEUS
# ====================================================
server {
listen 443 ssl http2;
server_name prometheus.cutemeli.com;
# nutzt dasselbe Zertifikat wie monitor
ssl_certificate /etc/ssl/certs/prometheus.pem;
ssl_certificate_key /etc/ssl/private/prometheus.key;
allow 127.0.0.1;
allow 10.10.0.0/24;
deny all;
location / {
proxy_pass http://127.0.0.1:9090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
# -----------------------------
# Vaultwarden
# -----------------------------
server {
listen 443 ssl http2;
server_name vault.cutemeli.com;
ssl_certificate /etc/ssl/certs/vault.pem;
ssl_certificate_key /etc/ssl/private/vault.key;
location / {
proxy_pass http://127.0.0.1:8081;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
# Für WebSocket Sync mit Browser Extensions
location /notifications/hub {
proxy_pass http://127.0.0.1:8081;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /notifications/hub/negotiate {
proxy_pass http://127.0.0.1:8081;
}
}
# -----------------------------
# OPENVPN
# -----------------------------
server {
listen 443 ssl http2;
server_name vpn.cutemeli.com;
ssl_certificate /etc/ssl/certs/vpn.pem;
ssl_certificate_key /etc/ssl/private/vpn.key;
# Zugriff nur aus deinem VPN + lokal erlauben
allow 10.10.0.0/24;
allow 172.17.0.0/16;
allow 127.0.0.1;
deny all;
location / {
proxy_pass http://127.0.0.1:8082; # <- hier der neue Port für ovpn-admin
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# -----------------------------
# Redirect HTTP -> HTTPS
# -----------------------------
server {
listen 80;
listen [::]:80;
server_name git.cutemeli.com proxmox.cutemeli.com share.cutemeli.com monitor.cutemeli.com prometheus.cutemeli.com vault.cutemeli.com vpn.cutemeli.com;
return 301 https://$host$request_uri;
}

16
etc/systemd/system/gitea.service Normal file
View File

@@ -0,0 +1,16 @@
[Unit]
Description=Gitea (Docker Compose)
Requires=docker.service
After=docker.service network-online.target
Wants=network-online.target
[Service]
Type=oneshot
WorkingDirectory=/opt/gitea
ExecStart=/usr/bin/docker compose up -d
ExecStop=/usr/bin/docker compose down
RemainAfterExit=yes
TimeoutStartSec=0
[Install]
WantedBy=multi-user.target

16
etc/systemd/system/monitoring.service Normal file
View File

@@ -0,0 +1,16 @@
[Unit]
Description=Monitoring Stack (Prometheus + Grafana)
After=docker.service
Requires=docker.service
Wants=network-online.target
[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/opt/monitoring
ExecStart=/usr/bin/docker compose up -d
ExecStop=/usr/bin/docker compose down
TimeoutStartSec=0
[Install]
WantedBy=multi-user.target

15
etc/systemd/system/nextcloud.service Normal file
View File

@@ -0,0 +1,15 @@
[Unit]
Description=Nextcloud Docker Compose Service
Requires=docker.service
After=docker.service network.target
[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/opt/nextcloud
ExecStart=/usr/bin/docker compose up -d
ExecStop=/usr/bin/docker compose down
ExecReload=/usr/bin/docker compose restart
[Install]
WantedBy=multi-user.target

21
etc/systemd/system/proxmox-vm.service Normal file
View File

@@ -0,0 +1,21 @@
[Unit]
Description=Proxmox VM (QEMU)
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/qemu-system-x86_64 \
-enable-kvm \
-cpu host \
-m 4096 \
-smp 4 \
-drive file=/root/proxmox-disk.qcow2,format=qcow2 \
-boot order=c \
-nographic \
-netdev user,id=net0,hostfwd=tcp::2222-:22,hostfwd=tcp::8006-:8006 \
-device virtio-net-pci,netdev=net0
Restart=always
[Install]
WantedBy=multi-user.target

15
etc/systemd/system/vaultwarden.service Normal file
View File

@@ -0,0 +1,15 @@
[Unit]
Description=Vaultwarden (Bitwarden in Rust)
After=docker.service
Requires=docker.service
[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/opt/vaultwarden
ExecStart=/usr/bin/docker compose up -d
ExecStop=/usr/bin/docker compose down
TimeoutStartSec=0
[Install]
WantedBy=multi-user.target

1
etc/wireguard/phone.key Normal file
View File

@@ -0,0 +1 @@
GEzAUAl0PD6ETQaHXB7y3K+8pZFR14vYKbekFhLW33w=

1
etc/wireguard/phone.pub Normal file
View File

@@ -0,0 +1 @@
nLkb5y0EZ5trDj3OJKvJrWZ2959JBL5JESpCDJ/9XCs=

1
etc/wireguard/server_private.key Normal file
View File

@@ -0,0 +1 @@
8N42OwrvVoJ5WTv4b6MN5Jae+2PGNnc8/EsGaeZUlG0=

1
etc/wireguard/server_public.key Normal file
View File

@@ -0,0 +1 @@
PeBWISuYRFymxeQRaXr96P5lQqd+MzczDQNJyasarFM=

13
etc/wireguard/wg0.conf Normal file
View File

@@ -0,0 +1,13 @@
[Interface]
Address = 10.10.0.1/24
ListenPort = 443
PrivateKey = 8N42OwrvVoJ5WTv4b6MN5Jae+2PGNnc8/EsGaeZUlG0=
[Peer]
PublicKey = sLv94jaQwWHqx8KKdA3Jc6WY4Gbt/iHuptAVoyscL1Y=
AllowedIPs = 10.10.0.2/32
[Peer]
PublicKey = nLkb5y0EZ5trDj3OJKvJrWZ2959JBL5JESpCDJ/9XCs=
AllowedIPs = 10.10.0.3/32
PersistentKeepalive = 25