First commit

.gitignore

@@ -0,0 +1,10 @@
+transmission/data
+transmission/.env
+jellyfin/cache
+jellyfin/config
+jellyfin/logs
+homeassistant/config
+nextcloud/databases
+nextcloud/nextcloud
+nextcloud/.env
+nginx/configs/certbot

README.md

@@ -1,3 +0,0 @@
-# docker-compose
-
-My docker-compose files

homeassistant/docker-compose.yaml

@@ -0,0 +1,30 @@
+services:
+  homeassistant:
+    container_name: homeassistant
+    image: "ghcr.io/home-assistant/home-assistant:stable"
+    ports:
+      - 8123:8123
+    volumes:
+      - ./config:/config
+      - /etc/localtime:/etc/localtime:ro
+      - /run/dbus:/run/dbus:ro
+    restart: unless-stopped
+    privileged: true
+    networks:
+      - net
+  
+  mosquitto:
+    image: eclipse-mosquitto
+    hostname: mosquitto
+    container_name: mosquitto
+    restart: unless-stopped
+    ports:
+      - 1883:1883
+      - 9001:9001
+    volumes:
+      - ./mosquitto:/etc/mosquitto
+      - ./mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.conf
+      - ./mosquitto/passwd:/etc/mosquitto/passwd
+networks:
+  net:
+    external: true

homeassistant/mosquitto/mosquitto.conf

@@ -0,0 +1,3 @@
+allow_anonymous true
+listener 1883
+#password_file /etc/mosquitto/passwd

homeassistant/mosquitto/passwd

@@ -0,0 +1 @@
+fakeowl1:$7$101$y3UG7ZvU5ipWeW1o$CvCQvS4zhMe6EuNH2sEnw5gVhw1a5Doivy3/ybEdjjO//RqM7kkqKON1QwDigm5JDd1RjW6qyWldoKodQk5cZA==

jellyfin/docker-compose.yaml

@@ -0,0 +1,23 @@
+services:
+  jellyfin:
+    image: jellyfin/jellyfin
+    user: "1000:1000"
+    ports:
+      - 8096:8096
+    volumes:
+      - ./config:/config
+      - ./cache:/cache
+      - type: bind
+        source: /media/hda1/jellyfin
+        target: /media
+    devices:
+      - /dev/dri/renderD128:/dev/dri/renderD128
+    environment:
+      - TZ=Europe/Kyiv
+    networks: 
+      - net
+    restart: 'unless-stopped'
+
+networks: 
+  net:
+    external: true    

nextcloud/.env.dist

@@ -0,0 +1,3 @@
+MYSQL_ROOT_PASSWORD=
+MYSQL_PASSWORD=
+REDIS_PASSWORD=

nextcloud/.gitignore

@@ -0,0 +1,8 @@
+/.idea/
+/logs/
+/nextcloud/
+/databases/
+/configs/certbot/
+/configs/nextcloud/
+/docker-compose.yml
+/configs/nginx/conf.d/default.conf

nginx/configs/nginx/certbot/options-ssl-nginx.conf

@@ -0,0 +1,14 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

nginx/configs/nginx/certbot/ssl-dhparams.pem

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

nginx/configs/nginx/conf.d/homeassistant.conf

@@ -0,0 +1,36 @@
+server {
+  listen 80;
+  # Remove '#' in the next line to enable IPv6
+  # listen [::]:443 ssl http2;
+  server_name hass.fakeowl1.local;
+
+  location / {
+    proxy_set_header   X-Real-IP $remote_addr;
+    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header   Host $host;
+    proxy_pass         http://192.168.1.158:8123/;
+    proxy_http_version 1.1;
+    proxy_set_header   Upgrade $http_upgrade;
+    proxy_set_header   Connection "upgrade";
+  }
+}
+
+
+server {
+  listen 443 ssl;
+  # Remove '#' in the next line to enable IPv6
+  listen [::]:443 ssl;
+  server_name hass.fakeowl1.com;
+  
+  ssl_certificate /etc/letsencrypt/live/hass.fakeowl1.com/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/hass.fakeowl1.com/privkey.pem;
+  location / {
+    proxy_set_header   X-Real-IP $remote_addr;
+    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header   Host $host;
+    proxy_pass         http://192.168.1.158:8123/;
+    proxy_http_version 1.1;
+    proxy_set_header   Upgrade $http_upgrade;
+    proxy_set_header   Connection "upgrade";
+  }
+}

nginx/configs/nginx/conf.d/jellyfin.conf

@@ -0,0 +1,202 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name jellyfin.fakeowl1.com;
+ 
+    location /.well-known/acme-challenge/ {
+       root /var/www/certbot/;
+    }
+    
+    location / {
+        return 301 https://$server_name:443$request_uri;
+    }
+} 
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name jellyfin.fakeowl1.com;
+
+    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
+    client_max_body_size 20M;
+
+    # Uncomment next line to Disable TLS 1.0 and 1.1 (Might break older devices)
+    # ssl_protocols TLSv1.3 TLSv1.2;
+
+    # use a variable to store the upstream proxy
+    # in this example we are using a hostname which is resolved via DNS
+    # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $jellyfin 127.0.0.1`)
+    resolver 127.0.0.1 valid=30s;
+
+    ssl_certificate /etc/letsencrypt/live/jellyfin.fakeowl1.com-0001/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/jellyfin.fakeowl1.com-0001/privkey.pem;
+    
+    #include /etc/letsencrypt/options-ssl-nginx.conf;
+    #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    add_header Strict-Transport-Security "max-age=31536000" always;
+    #ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
+    #ssl_stapling on;
+    #ssl_stapling_verify on;
+
+    # Security / XSS Mitigation Headers
+    # NOTE: X-Frame-Options may cause issues with the webOS app
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
+    add_header X-Content-Type-Options "nosniff";
+
+    # COOP/COEP. Disable if you use external plugins/images/assets
+    add_header Cross-Origin-Opener-Policy "same-origin" always;
+    add_header Cross-Origin-Embedder-Policy "require-corp" always;
+    add_header Cross-Origin-Resource-Policy "same-origin" always;
+
+    # Permissions policy. May cause issues on some clients
+    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+
+    # Content Security Policy
+    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+    # Enforces https content and restricts JS/CSS to origin
+    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+    # NOTE: The default CSP headers may cause issues with the webOS app
+    #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
+
+    location = / {
+        return 302 http://$host/web/;
+        #return 302 https://$host/web/;
+    }
+ 
+    location / {
+        # Proxy main Jellyfin traffic
+        proxy_pass http://jellyfin:8096;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+
+        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+        proxy_buffering off;
+    }
+
+    # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
+    location = /web {
+        # Proxy main Jellyfin traffic
+        proxy_pass http://jellyfin:8096/web/index.html;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+    }
+
+    location /jellyfin/socket {
+        # Proxy Jellyfin Websockets traffic
+        proxy_pass http://jellyfin:8096;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+    }
+}
+
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name jellyfin.homeserver.local;
+
+    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
+    client_max_body_size 20M;
+
+    # Uncomment next line to Disable TLS 1.0 and 1.1 (Might break older devices)
+    # ssl_protocols TLSv1.3 TLSv1.2;
+
+    # use a variable to store the upstream proxy
+    # in this example we are using a hostname which is resolved via DNS
+    # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $jellyfin 127.0.0.1`)
+    resolver 127.0.0.1 valid=30s;
+
+    #ssl_certificate /etc/letsencrypt/live/jellyfin.fakeowl1.com/fullchain.pem;
+    #ssl_certificate_key /etc/letsencrypt/live/jellyfin.fakeowl1.com/privkey.pem;
+    
+		#include /etc/letsencrypt/options-ssl-nginx.conf;
+    #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    add_header Strict-Transport-Security "max-age=31536000" always;
+    #ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
+    #ssl_stapling on;
+    #ssl_stapling_verify on;
+
+    # Security / XSS Mitigation Headers
+    # NOTE: X-Frame-Options may cause issues with the webOS app
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
+    add_header X-Content-Type-Options "nosniff";
+
+    # COOP/COEP. Disable if you use external plugins/images/assets
+    add_header Cross-Origin-Opener-Policy "same-origin" always;
+    add_header Cross-Origin-Embedder-Policy "require-corp" always;
+    add_header Cross-Origin-Resource-Policy "same-origin" always;
+
+    # Permissions policy. May cause issues on some clients
+    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+
+    # Content Security Policy
+    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+    # Enforces https content and restricts JS/CSS to origin
+    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+    # NOTE: The default CSP headers may cause issues with the webOS app
+    #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
+
+    location = / {
+        return 302 http://$host/web/;
+        #return 302 https://$host/web/;
+    }
+ 
+    location / {
+        # Proxy main Jellyfin traffic
+        proxy_pass http://jellyfin:8096;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+
+        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+        proxy_buffering off;
+    }
+
+    # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
+    location = /web {
+        # Proxy main Jellyfin traffic
+        proxy_pass http://jellyfin:8096/web/index.html;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+    }
+
+    location /jellyfin/socket {
+        # Proxy Jellyfin Websockets traffic
+        proxy_pass http://jellyfin:8096;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+    }
+}

nginx/configs/nginx/conf.d/nextcloud.conf

@@ -0,0 +1,173 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name nextcloud.homeserver.local;
+
+    location / {
+      return 301 http://$server_name:443$request_uri;
+    }
+}
+
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name cloud.fakeowl1.com;
+ 
+    location /.well-known/acme-challenge/ {
+       root /var/www/certbot/;
+    }
+    
+    location / {
+        return 301 https://$server_name:443$request_uri;
+    }
+}
+
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name cloud.fakeowl1.com;
+    
+    ssl_certificate     /etc/letsencrypt/live/cloud.fakeowl1.com-0001/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/cloud.fakeowl1.com-0001/privkey.pem;
+    
+    include /etc/nginx/certbot/options-ssl-nginx.conf;
+    ssl_dhparam /etc/nginx/certbot/ssl-dhparams.pem;
+    
+    access_log /var/log/nginx/access.log;
+    error_log  /var/log/nginx/error.log;
+
+    charset utf-8;
+    server_tokens off;
+
+    resolver 127.0.0.11;
+
+    # Add headers to serve security related headers
+    # Before enabling Strict-Transport-Security headers please read into this
+    # topic first.
+    add_header Strict-Transport-Security "max-age=15768000;
+    # includeSubDomains; preload;";
+    #
+    # WARNING: Only add the preload option once you read about
+    # the consequences in https://hstspreload.org/. This option
+    # will add the domain to a hardcoded list that is shipped
+    # in all major browsers and getting removed from this list
+    # could take several months.
+
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    #add_header X-Robots-Tag "none" always;
+    add_header X-Robots-Tag "noindex, nofollow" always;
+    add_header X-Download-Options "noopen" always;
+    add_header X-Permitted-Cross-Domain-Policies "none" always;
+    add_header Referrer-Policy "no-referrer" always;
+
+    root /var/www/html;
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    # The following 2 rules are only needed for the user_webfinger app.
+    # Uncomment it if you're planning to use this app.
+    #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+    #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
+    # last;
+
+    location = /.well-known/carddav {
+        return 301 $scheme://$host/remote.php/dav;
+    }
+    location = /.well-known/caldav {
+        return 301 $scheme://$host/remote.php/dav;
+    }
+    
+    rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger redirect;    
+    rewrite ^/.well-known/nodeinfo  /index.php/.well-known/nodeinfo  redirect;
+
+    # set max upload size
+    client_max_body_size 10G;
+    fastcgi_buffers 64 4K;
+
+    # Enable gzip but do not remove ETag headers
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+    # Uncomment if your server is build with the ngx_pagespeed module
+    # This module is currently not supported.
+    #pagespeed off;
+
+    location / {
+        rewrite ^ /index.php$request_uri;
+    }
+
+    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+        deny all;
+    }
+
+    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
+        deny all;
+    }
+
+    location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
+        fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+        # fastcgi_param HTTPS on;
+        #Avoid sending the security headers twice
+        fastcgi_param modHeadersAvailable true;
+        fastcgi_param front_controller_active true;
+        fastcgi_pass nextcloud:9000;
+        fastcgi_intercept_errors on;
+        fastcgi_request_buffering off;
+    }
+
+    location ~ ^/(?:updater|ocs-provider)(?:$|/) {
+        try_files $uri/ =404;
+        index index.php;
+    }
+
+    # Adding the cache control header for js and css files
+    # Make sure it is BELOW the PHP block
+    location ~ \.(?:css|js|woff2?|svg|gif)$ {
+        try_files $uri /index.php$request_uri;
+        add_header Cache-Control "public, max-age=15778463";
+        # Add headers to serve security related headers (It is intended to
+        # have those duplicated to the ones above)
+        # Before enabling Strict-Transport-Security headers please read into
+        # this topic first.
+        add_header Strict-Transport-Security "max-age=15768000;
+        #  includeSubDomains; preload;";
+        #
+        # WARNING: Only add the preload option once you read about
+        # the consequences in https://hstspreload.org/. This option
+        # will add the domain to a hardcoded list that is shipped
+        # in all major browsers and getting removed from this list
+        # could take several months.
+        
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header X-Robots-Tag "noindex, nofollow" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Download-Options "noopen" always;
+        add_header X-Permitted-Cross-Domain-Policies "none" always;
+        add_header Referrer-Policy "no-referrer" always;
+        
+        # Optional: Don't log access to assets
+        access_log off;
+    }
+
+    location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
+        try_files $uri /index.php$request_uri;
+        # Optional: Don't log access to other assets
+        access_log off;
+    }
+}

nginx/configs/nginx/conf.d/pihole.conf

@@ -0,0 +1,27 @@
+server {  
+  listen 80;
+  # Remove '#' in the next line to enable IPv6
+  # listen [::]:443 ssl http2;
+  server_name pihole.homeserver.local;
+
+  location / {
+    proxy_pass http://192.168.1.158:8000/admin/;
+    proxy_set_header host $host;
+    proxy_set_header x-real-ip $remote_addr;
+    proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
+    proxy_hide_header x-frame-options;
+    proxy_set_header x-frame-options "sameorigin";
+    proxy_read_timeout 90;
+  }
+  
+  location /admin {
+    proxy_pass http://192.168.1.158:8000/admin/;
+    proxy_set_header host $host;
+    proxy_set_header x-real-ip $remote_addr;
+    proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
+    proxy_hide_header x-frame-options;
+    proxy_set_header x-frame-options "sameorigin";
+    proxy_read_timeout 90;
+  }
+
+}

nginx/configs/nginx/conf.d/transmission.conf

@@ -0,0 +1,30 @@
+server {
+  listen 80;
+  listen [::]:80;
+  server_name torrent.homeserver.local;
+
+  location / {
+    proxy_pass         http://transmission:9091;
+    proxy_http_version 1.1;
+
+    # headers recognized by qBittorrent
+    proxy_set_header   Host               $proxy_host;
+    proxy_set_header   X-Forwarded-For    $proxy_add_x_forwarded_for;
+    proxy_set_header   X-Forwarded-Host   $http_host;
+    proxy_set_header   X-Forwarded-Proto  $scheme;
+
+    # optionally, you can adjust the POST request size limit, to allow adding a lot of torrents at once
+    #client_max_body_size 100M;
+
+    # No longer required since qBittorrent v5.1:
+    # Since v4.2.2, is possible to configure qBittorrent
+    # to set the "Secure" flag for the session cookie automatically.
+    # However, that option does nothing unless using qBittorrent's built-in HTTPS functionality.
+    # For this use case, where qBittorrent itself is using plain HTTP
+    # (and regardless of whether or not the external website uses HTTPS),
+    # the flag must be set here, in the proxy configuration itself.
+    # Note: If this flag is set while the external website uses only HTTP, this will cause
+    # the login mechanism to not work without any apparent errors in console/network resulting in "auth loops".
+    #proxy_cookie_path  /                  "/; Secure";
+  } 
+}

nginx/docker-compose.yaml

@@ -0,0 +1,22 @@
+services:
+  nginx:
+    image: nginx:latest
+    restart: unless-stopped
+    command: "/bin/sh -c 'while :; do sleep 8h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"   
+    ports:
+      - 80:80
+      - 443:443
+    volumes:
+      - ./configs/nginx/conf.d:/etc/nginx/conf.d:rw
+      - ./configs/certbot/letsencrypt:/etc/letsencrypt
+      - ./configs/certbot/www:/var/www/certbot
+      - ./configs/nginx/certbot:/etc/nginx/certbot:ro
+      - ../nextcloud/nextcloud:/var/www/html:ro
+      - ../myschoolproj:/var/www/myschoolproj
+    build: .
+    networks:
+      - net
+   
+networks:
+  net:
+    external: true

nginx/old_configs/gotify.conf

@@ -0,0 +1,42 @@
+server {
+    listen 80;
+    listen [::]:80;
+    #server_name gotify.fakeowl1.com;
+	server_name 192.168.1.102;    
+ 
+    location /gotify/.well-known/acme-challenge/ {
+        root /var/www/certbot/;
+    }
+    
+    location /gotify {
+        return 301 https://$server_name:443$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    #server_name gotify.fakeowl1.com;
+	server_name 192.168.1.102;    
+    
+	ssl_certificate     /etc/letsencrypt/live/gotify.fakeowl1.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/gotify.fakeowl1.com/privkey.pem;  
+
+    location ~ / {
+        proxy_pass         http://gotify:80;
+        proxy_http_version 1.1;
+
+        proxy_set_header   Upgrade $http_upgrade;
+        proxy_set_header   Connection "upgrade";
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto http;
+        proxy_redirect     http:// $scheme://;
+
+        proxy_set_header   Host $http_host;
+
+        proxy_connect_timeout   7m;
+        proxy_send_timeout      7m;
+        proxy_read_timeout      7m;
+    }
+}

nginx/old_configs/jellyfin

@@ -0,0 +1,93 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name jellyfin.home.local;
+
+    ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
+    client_max_body_size 20M;
+
+    # Uncomment next line to Disable TLS 1.0 and 1.1 (Might break older devices)
+    # ssl_protocols TLSv1.3 TLSv1.2;
+
+    # use a variable to store the upstream proxy
+    # in this example we are using a hostname which is resolved via DNS
+    # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $jellyfin 127.0.0.1`)
+    resolver 127.0.0.1 valid=30s;
+
+    #ssl_certificate /etc/letsencrypt/live/jellyfin.fakeowl1.com/fullchain.pem;
+    #ssl_certificate_key /etc/letsencrypt/live/jellyfin.fakeowl1.com/privkey.pem;
+    
+		#include /etc/letsencrypt/options-ssl-nginx.conf;
+    #ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    add_header Strict-Transport-Security "max-age=31536000" always;
+    #ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
+    #ssl_stapling on;
+    #ssl_stapling_verify on;
+
+    # Security / XSS Mitigation Headers
+    # NOTE: X-Frame-Options may cause issues with the webOS app
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
+    add_header X-Content-Type-Options "nosniff";
+
+    # COOP/COEP. Disable if you use external plugins/images/assets
+    add_header Cross-Origin-Opener-Policy "same-origin" always;
+    add_header Cross-Origin-Embedder-Policy "require-corp" always;
+    add_header Cross-Origin-Resource-Policy "same-origin" always;
+
+    # Permissions policy. May cause issues on some clients
+    add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
+
+
+    # Content Security Policy
+    # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+    # Enforces https content and restricts JS/CSS to origin
+    # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
+    # NOTE: The default CSP headers may cause issues with the webOS app
+    #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
+
+    location = / {
+        return 302 http://$host/web/;
+        #return 302 https://$host/web/;
+    }
+ 
+    location / {
+        # Proxy main Jellyfin traffic
+        proxy_pass http://jellyfin:8096;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+
+        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+        proxy_buffering off;
+    }
+
+    # location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
+    location = /web {
+        # Proxy main Jellyfin traffic
+        proxy_pass http://jellyfin:8096/web/index.html;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+    }
+
+    location /jellyfin/socket {
+        # Proxy Jellyfin Websockets traffic
+        proxy_pass http://jellyfin:8096;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+    }
+}

nginx/old_configs/memos.conf

@@ -0,0 +1,36 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name memos.fakeowl1.com;
+   	
+    # Certificates 
+    location /.well-known/acme-challenge/ {
+          root /var/www/certbot/;
+    }
+	
+    # enforce https
+    location / {
+    	return 301 https://$server_name:443$request_uri;
+    }
+}
+
+server {
+	listen 443 ssl;
+	listen [::]:443 ssl; 
+	server_name memos.fakeowl1.com;
+
+	ssl_certificate     /etc/letsencrypt/live/memos.fakeowl1.com-0001/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/memos.fakeowl1.com-0001/privkey.pem;
+	
+        # SSL Certificate configuration
+	# Reverse proxy to the Memos application running on memos:5230
+	location / {
+		proxy_pass http://memos:5230; 
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		# Enable gzip compression
+		gzip on;
+		gzip_types text/plain text/css application/json application/javascript;   
+	}
+}

nginx/old_configs/schoolproj.conf

@@ -0,0 +1,29 @@
+server {
+	listen 80;
+	listen [::]:80;
+	
+	location /.well-known/acme-challenge/ {
+    	root /var/www/certbot/;
+    }
+
+	location / {
+		return 301 https://schoolproj.fakeowl1.com$request_uri;	
+	} 
+}
+
+server {	
+	listen 443 ssl;
+	listen [::]:443 ssl;
+	server_name schoolproj.fakeowl1.com;	
+	
+	root /var/www/myschoolproj;
+	
+	ssl_certificate     /etc/letsencrypt/live/schoolproj.fakeowl1.com/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/schoolproj.fakeowl1.com/privkey.pem;
+	
+	location = / {
+    try_files /index.html =404;
+	}	
+	
+	location = /index      { return 404; }	
+}

transmission/.env.dist

@@ -0,0 +1,2 @@
+USER=fakeowl1
+PASS=# Your pass

transmission/docker-compose.yaml

@@ -0,0 +1,23 @@
+services:
+  transmission:
+    image: lscr.io/linuxserver/transmission:latest
+    container_name: transmission
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=Etc/UTC
+    volumes:
+      - ./data:/config
+      - /media/hda1/Torrents:/downloads/torrents
+      - /media/hda1/jellyfin:/downloads/complete/jellyfin:rw
+    ports:
+      - 9091:9091
+      - 51413:51413
+      - 51413:51413/udp
+    networks:
+      - net
+    restart: unless-stopped
+  
+networks: 
+  net:
+    external: true