fakeowl1/homeserver-docker-compose
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

First commit

Browse source
This commit is contained in:
fakeowl1 2024-12-29 12:35:19 +02:00
parent ae0169fe06
commit 7abd107d08
22 changed files with 815 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
.gitignore vendored Normal file
View file

@ -0,0 +1,10 @@
transmission/data
transmission/.env
jellyfin/cache
jellyfin/config
jellyfin/logs
homeassistant/config
nextcloud/databases
nextcloud/nextcloud
nextcloud/.env
nginx/configs/certbot

3
README.md
View file

@ -1,3 +0,0 @@
# docker-compose
My docker-compose files

30
homeassistant/docker-compose.yaml Normal file
View file

@ -0,0 +1,30 @@
services:
homeassistant:
container_name: homeassistant
image: "ghcr.io/home-assistant/home-assistant:stable"
ports:
- 8123:8123
volumes:
- ./config:/config
- /etc/localtime:/etc/localtime:ro
- /run/dbus:/run/dbus:ro
restart: unless-stopped
privileged: true
networks:
- net
mosquitto:
image: eclipse-mosquitto
hostname: mosquitto
container_name: mosquitto
restart: unless-stopped
ports:
- 1883:1883
- 9001:9001
volumes:
- ./mosquitto:/etc/mosquitto
- ./mosquitto/mosquitto.conf:/mosquitto/config/mosquitto.conf
- ./mosquitto/passwd:/etc/mosquitto/passwd
networks:
net:
external: true

3
homeassistant/mosquitto/mosquitto.conf Normal file
View file

@ -0,0 +1,3 @@
allow_anonymous true
listener 1883
#password_file /etc/mosquitto/passwd

1
homeassistant/mosquitto/passwd Normal file
View file

@ -0,0 +1 @@
fakeowl1:$7$101$y3UG7ZvU5ipWeW1o$CvCQvS4zhMe6EuNH2sEnw5gVhw1a5Doivy3/ybEdjjO//RqM7kkqKON1QwDigm5JDd1RjW6qyWldoKodQk5cZA==

23
jellyfin/docker-compose.yaml Normal file
View file

@ -0,0 +1,23 @@
services:
jellyfin:
image: jellyfin/jellyfin
user: "1000:1000"
ports:
- 8096:8096
volumes:
- ./config:/config
- ./cache:/cache
- type: bind
source: /media/hda1/jellyfin
target: /media
devices:
- /dev/dri/renderD128:/dev/dri/renderD128
environment:
- TZ=Europe/Kyiv
networks:
- net
restart: 'unless-stopped'
networks:
net:
external: true

3
nextcloud/.env.dist Normal file
View file

@ -0,0 +1,3 @@
MYSQL_ROOT_PASSWORD=
MYSQL_PASSWORD=
REDIS_PASSWORD=

8
nextcloud/.gitignore vendored Normal file
View file

@ -0,0 +1,8 @@
/.idea/
/logs/
/nextcloud/
/databases/
/configs/certbot/
/configs/nextcloud/
/docker-compose.yml
/configs/nginx/conf.d/default.conf

14
nginx/configs/nginx/certbot/options-ssl-nginx.conf Normal file
View file

@ -0,0 +1,14 @@
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

8
nginx/configs/nginx/certbot/ssl-dhparams.pem Normal file
View file

@ -0,0 +1,8 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----

36
nginx/configs/nginx/conf.d/homeassistant.conf Normal file
View file

@ -0,0 +1,36 @@
server {
listen 80;
# Remove '#' in the next line to enable IPv6
# listen [::]:443 ssl http2;
server_name hass.fakeowl1.local;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass http://192.168.1.158:8123/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
server {
listen 443 ssl;
# Remove '#' in the next line to enable IPv6
listen [::]:443 ssl;
server_name hass.fakeowl1.com;
ssl_certificate /etc/letsencrypt/live/hass.fakeowl1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hass.fakeowl1.com/privkey.pem;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass http://192.168.1.158:8123/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

202
nginx/configs/nginx/conf.d/jellyfin.conf Normal file
View file

@ -0,0 +1,202 @@
server {
listen 80;
listen [::]:80;
server_name jellyfin.fakeowl1.com;
location /.well-known/acme-challenge/ {
root /var/www/certbot/;
}
location / {
return 301 https://$server_name:443$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name jellyfin.fakeowl1.com;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
# Uncomment next line to Disable TLS 1.0 and 1.1 (Might break older devices)
# ssl_protocols TLSv1.3 TLSv1.2;
# use a variable to store the upstream proxy
# in this example we are using a hostname which is resolved via DNS
# (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $jellyfin 127.0.0.1`)
resolver 127.0.0.1 valid=30s;
ssl_certificate /etc/letsencrypt/live/jellyfin.fakeowl1.com-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jellyfin.fakeowl1.com-0001/privkey.pem;
#include /etc/letsencrypt/options-ssl-nginx.conf;
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
#ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
#ssl_stapling on;
#ssl_stapling_verify on;
# Security / XSS Mitigation Headers
# NOTE: X-Frame-Options may cause issues with the webOS app
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
add_header X-Content-Type-Options "nosniff";
# COOP/COEP. Disable if you use external plugins/images/assets
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Embedder-Policy "require-corp" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;
# Permissions policy. May cause issues on some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# NOTE: The default CSP headers may cause issues with the webOS app
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
location = / {
return 302 http://$host/web/;
#return 302 https://$host/web/;
}
location / {
# Proxy main Jellyfin traffic
proxy_pass http://jellyfin:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
# location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
location = /web {
# Proxy main Jellyfin traffic
proxy_pass http://jellyfin:8096/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
location /jellyfin/socket {
# Proxy Jellyfin Websockets traffic
proxy_pass http://jellyfin:8096;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
}
server {
listen 80;
listen [::]:80;
server_name jellyfin.homeserver.local;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
# Uncomment next line to Disable TLS 1.0 and 1.1 (Might break older devices)
# ssl_protocols TLSv1.3 TLSv1.2;
# use a variable to store the upstream proxy
# in this example we are using a hostname which is resolved via DNS
# (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $jellyfin 127.0.0.1`)
resolver 127.0.0.1 valid=30s;
#ssl_certificate /etc/letsencrypt/live/jellyfin.fakeowl1.com/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/jellyfin.fakeowl1.com/privkey.pem;
#include /etc/letsencrypt/options-ssl-nginx.conf;
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
#ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
#ssl_stapling on;
#ssl_stapling_verify on;
# Security / XSS Mitigation Headers
# NOTE: X-Frame-Options may cause issues with the webOS app
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
add_header X-Content-Type-Options "nosniff";
# COOP/COEP. Disable if you use external plugins/images/assets
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Embedder-Policy "require-corp" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;
# Permissions policy. May cause issues on some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# NOTE: The default CSP headers may cause issues with the webOS app
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
location = / {
return 302 http://$host/web/;
#return 302 https://$host/web/;
}
location / {
# Proxy main Jellyfin traffic
proxy_pass http://jellyfin:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
# location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
location = /web {
# Proxy main Jellyfin traffic
proxy_pass http://jellyfin:8096/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
location /jellyfin/socket {
# Proxy Jellyfin Websockets traffic
proxy_pass http://jellyfin:8096;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
}

173
nginx/configs/nginx/conf.d/nextcloud.conf Normal file
View file

@ -0,0 +1,173 @@
server {
listen 80;
listen [::]:80;
server_name nextcloud.homeserver.local;
location / {
return 301 http://$server_name:443$request_uri;
}
}
server {
listen 80;
listen [::]:80;
server_name cloud.fakeowl1.com;
location /.well-known/acme-challenge/ {
root /var/www/certbot/;
}
location / {
return 301 https://$server_name:443$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name cloud.fakeowl1.com;
ssl_certificate /etc/letsencrypt/live/cloud.fakeowl1.com-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/cloud.fakeowl1.com-0001/privkey.pem;
include /etc/nginx/certbot/options-ssl-nginx.conf;
ssl_dhparam /etc/nginx/certbot/ssl-dhparams.pem;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
charset utf-8;
server_tokens off;
resolver 127.0.0.11;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this
# topic first.
add_header Strict-Transport-Security "max-age=15768000;
# includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
#add_header X-Robots-Tag "none" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header Referrer-Policy "no-referrer" always;
root /var/www/html;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
# last;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger redirect;
rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo redirect;
# set max upload size
client_max_body_size 10G;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Uncomment if your server is build with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
location / {
rewrite ^ /index.php$request_uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
deny all;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
deny all;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
# fastcgi_param HTTPS on;
#Avoid sending the security headers twice
fastcgi_param modHeadersAvailable true;
fastcgi_param front_controller_active true;
fastcgi_pass nextcloud:9000;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js|woff2?|svg|gif)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
# Add headers to serve security related headers (It is intended to
# have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers please read into
# this topic first.
add_header Strict-Transport-Security "max-age=15768000;
# includeSubDomains; preload;";
#
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Robots-Tag "noindex, nofollow" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Download-Options "noopen" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header Referrer-Policy "no-referrer" always;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
try_files $uri /index.php$request_uri;
# Optional: Don't log access to other assets
access_log off;
}
}

27
nginx/configs/nginx/conf.d/pihole.conf Normal file
View file

@ -0,0 +1,27 @@
server {
listen 80;
# Remove '#' in the next line to enable IPv6
# listen [::]:443 ssl http2;
server_name pihole.homeserver.local;
location / {
proxy_pass http://192.168.1.158:8000/admin/;
proxy_set_header host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
proxy_hide_header x-frame-options;
proxy_set_header x-frame-options "sameorigin";
proxy_read_timeout 90;
}
location /admin {
proxy_pass http://192.168.1.158:8000/admin/;
proxy_set_header host $host;
proxy_set_header x-real-ip $remote_addr;
proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
proxy_hide_header x-frame-options;
proxy_set_header x-frame-options "sameorigin";
proxy_read_timeout 90;
}
}

30
nginx/configs/nginx/conf.d/transmission.conf Normal file
View file

@ -0,0 +1,30 @@
server {
listen 80;
listen [::]:80;
server_name torrent.homeserver.local;
location / {
proxy_pass http://transmission:9091;
proxy_http_version 1.1;
# headers recognized by qBittorrent
proxy_set_header Host $proxy_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
# optionally, you can adjust the POST request size limit, to allow adding a lot of torrents at once
#client_max_body_size 100M;
# No longer required since qBittorrent v5.1:
# Since v4.2.2, is possible to configure qBittorrent
# to set the "Secure" flag for the session cookie automatically.
# However, that option does nothing unless using qBittorrent's built-in HTTPS functionality.
# For this use case, where qBittorrent itself is using plain HTTP
# (and regardless of whether or not the external website uses HTTPS),
# the flag must be set here, in the proxy configuration itself.
# Note: If this flag is set while the external website uses only HTTP, this will cause
# the login mechanism to not work without any apparent errors in console/network resulting in "auth loops".
#proxy_cookie_path / "/; Secure";
}
}

22
nginx/docker-compose.yaml Normal file
View file

@ -0,0 +1,22 @@
services:
nginx:
image: nginx:latest
restart: unless-stopped
command: "/bin/sh -c 'while :; do sleep 8h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
ports:
- 80:80
- 443:443
volumes:
- ./configs/nginx/conf.d:/etc/nginx/conf.d:rw
- ./configs/certbot/letsencrypt:/etc/letsencrypt
- ./configs/certbot/www:/var/www/certbot
- ./configs/nginx/certbot:/etc/nginx/certbot:ro
- ../nextcloud/nextcloud:/var/www/html:ro
- ../myschoolproj:/var/www/myschoolproj
build: .
networks:
- net
networks:
net:
external: true

42
nginx/old_configs/gotify.conf Normal file
View file

@ -0,0 +1,42 @@
server {
listen 80;
listen [::]:80;
#server_name gotify.fakeowl1.com;
server_name 192.168.1.102;
location /gotify/.well-known/acme-challenge/ {
root /var/www/certbot/;
}
location /gotify {
return 301 https://$server_name:443$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
#server_name gotify.fakeowl1.com;
server_name 192.168.1.102;
ssl_certificate /etc/letsencrypt/live/gotify.fakeowl1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/gotify.fakeowl1.com/privkey.pem;
location ~ / {
proxy_pass http://gotify:80;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
proxy_redirect http:// $scheme://;
proxy_set_header Host $http_host;
proxy_connect_timeout 7m;
proxy_send_timeout 7m;
proxy_read_timeout 7m;
}
}

93
nginx/old_configs/jellyfin Normal file
View file

@ -0,0 +1,93 @@
server {
listen 80;
listen [::]:80;
server_name jellyfin.home.local;
## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
client_max_body_size 20M;
# Uncomment next line to Disable TLS 1.0 and 1.1 (Might break older devices)
# ssl_protocols TLSv1.3 TLSv1.2;
# use a variable to store the upstream proxy
# in this example we are using a hostname which is resolved via DNS
# (if you aren't using DNS remove the resolver line and change the variable to point to an IP address e.g `set $jellyfin 127.0.0.1`)
resolver 127.0.0.1 valid=30s;
#ssl_certificate /etc/letsencrypt/live/jellyfin.fakeowl1.com/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/jellyfin.fakeowl1.com/privkey.pem;
#include /etc/letsencrypt/options-ssl-nginx.conf;
#ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000" always;
#ssl_trusted_certificate /etc/letsencrypt/live/DOMAIN_NAME/chain.pem;
#ssl_stapling on;
#ssl_stapling_verify on;
# Security / XSS Mitigation Headers
# NOTE: X-Frame-Options may cause issues with the webOS app
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "0"; # Do NOT enable. This is obsolete/dangerous
add_header X-Content-Type-Options "nosniff";
# COOP/COEP. Disable if you use external plugins/images/assets
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Embedder-Policy "require-corp" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;
# Permissions policy. May cause issues on some clients
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), display-capture=(), document-domain=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), serial=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
# Content Security Policy
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# Enforces https content and restricts JS/CSS to origin
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# NOTE: The default CSP headers may cause issues with the webOS app
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
location = / {
return 302 http://$host/web/;
#return 302 https://$host/web/;
}
location / {
# Proxy main Jellyfin traffic
proxy_pass http://jellyfin:8096;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
proxy_buffering off;
}
# location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
location = /web {
# Proxy main Jellyfin traffic
proxy_pass http://jellyfin:8096/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
location /jellyfin/socket {
# Proxy Jellyfin Websockets traffic
proxy_pass http://jellyfin:8096;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
}

36
nginx/old_configs/memos.conf Normal file
View file

@ -0,0 +1,36 @@
server {
listen 80;
listen [::]:80;
server_name memos.fakeowl1.com;
# Certificates
location /.well-known/acme-challenge/ {
root /var/www/certbot/;
}
# enforce https
location / {
return 301 https://$server_name:443$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name memos.fakeowl1.com;
ssl_certificate /etc/letsencrypt/live/memos.fakeowl1.com-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/memos.fakeowl1.com-0001/privkey.pem;
# SSL Certificate configuration
# Reverse proxy to the Memos application running on memos:5230
location / {
proxy_pass http://memos:5230;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Enable gzip compression
gzip on;
gzip_types text/plain text/css application/json application/javascript;
}
}

29
nginx/old_configs/schoolproj.conf Normal file
View file

@ -0,0 +1,29 @@
server {
listen 80;
listen [::]:80;
location /.well-known/acme-challenge/ {
root /var/www/certbot/;
}
location / {
return 301 https://schoolproj.fakeowl1.com$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name schoolproj.fakeowl1.com;
root /var/www/myschoolproj;
ssl_certificate /etc/letsencrypt/live/schoolproj.fakeowl1.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/schoolproj.fakeowl1.com/privkey.pem;
location = / {
try_files /index.html =404;
}
location = /index { return 404; }
}

2
transmission/.env.dist Normal file
View file

@ -0,0 +1,2 @@
USER=fakeowl1
PASS=# Your pass

23
transmission/docker-compose.yaml Normal file
View file

@ -0,0 +1,23 @@
services:
transmission:
image: lscr.io/linuxserver/transmission:latest
container_name: transmission
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
volumes:
- ./data:/config
- /media/hda1/Torrents:/downloads/torrents
- /media/hda1/jellyfin:/downloads/complete/jellyfin:rw
ports:
- 9091:9091
- 51413:51413
- 51413:51413/udp
networks:
- net
restart: unless-stopped
networks:
net:
external: true