From 448eb8b874afed13496f11730cf1a5951f727c25 Mon Sep 17 00:00:00 2001 
From: c0mmando Date: Fri, 26 May 2023 18:25:19 +0000 Subject: [PATCH] inital commit --- docker-compose.yml | 742 ++++++++++++++++++++ files/config.yaml | 46 ++ files/homeserver.yaml | 218 ++++++ images/build.sh | 8 + images/matrix-dimension | 1 + images/mjolnir | 1 + images/pantalaimon | 1 + images/synapse-captcha | 1 + images/synapse-docker | 1 + images/synapse-worker-docker | 1 + swag/nginx/gzip.conf | 26 + swag/nginx/include.d/client_worker.conf | 90 +++ swag/nginx/include.d/encryption_worker.conf | 26 + swag/nginx/include.d/federation_worker.conf | 96 +++ swag/nginx/include.d/homepage.conf | 8 + swag/nginx/include.d/maubot.conf | 13 + swag/nginx/include.d/mjolnir-reports.conf | 19 + swag/nginx/include.d/register.conf | 24 + swag/nginx/include.d/synapse-proxy.conf | 7 + swag/nginx/include.d/upstream_workers.conf | 15 + swag/nginx/nginx.conf | 148 ++++ swag/nginx/proxy.conf | 35 + swag/nginx/security-headers.conf | 13 + swag/nginx/security-headers.csp.conf | 2 + swag/nginx/site-confs/blog.conf | 13 + swag/nginx/site-confs/chat.conf | 27 + swag/nginx/site-confs/cinny.conf | 20 + swag/nginx/site-confs/dimension.conf | 17 + swag/nginx/site-confs/docs.conf | 18 + swag/nginx/site-confs/element.conf | 27 + swag/nginx/site-confs/gitea.conf | 20 + swag/nginx/site-confs/grafana.conf | 18 + swag/nginx/site-confs/links.conf | 122 ++++ swag/nginx/site-confs/matrix.conf | 102 +++ swag/nginx/site-confs/maubot.conf | 17 + swag/nginx/site-confs/ots.conf | 48 ++ swag/nginx/site-confs/paste.conf | 18 + swag/nginx/site-confs/prometheus.conf | 17 + swag/nginx/ssl.conf | 30 + 39 files changed, 2056 insertions(+) create mode 100644 docker-compose.yml create mode 100644 files/config.yaml create mode 100644 files/homeserver.yaml create mode 100644 images/build.sh create mode 160000 images/matrix-dimension create mode 160000 images/mjolnir create mode 160000 images/pantalaimon create mode 160000 images/synapse-captcha create mode 160000 images/synapse-docker create mode 160000 
images/synapse-worker-docker create mode 100644 swag/nginx/gzip.conf create mode 100644 swag/nginx/include.d/client_worker.conf create mode 100644 swag/nginx/include.d/encryption_worker.conf create mode 100644 swag/nginx/include.d/federation_worker.conf create mode 100644 swag/nginx/include.d/homepage.conf create mode 100644 swag/nginx/include.d/maubot.conf create mode 100644 swag/nginx/include.d/mjolnir-reports.conf create mode 100644 swag/nginx/include.d/register.conf create mode 100644 swag/nginx/include.d/synapse-proxy.conf create mode 100644 swag/nginx/include.d/upstream_workers.conf create mode 100644 swag/nginx/nginx.conf create mode 100644 swag/nginx/proxy.conf create mode 100644 swag/nginx/security-headers.conf create mode 100644 swag/nginx/security-headers.csp.conf create mode 100644 swag/nginx/site-confs/blog.conf create mode 100644 swag/nginx/site-confs/chat.conf create mode 100644 swag/nginx/site-confs/cinny.conf create mode 100644 swag/nginx/site-confs/dimension.conf create mode 100644 swag/nginx/site-confs/docs.conf create mode 100644 swag/nginx/site-confs/element.conf create mode 100644 swag/nginx/site-confs/gitea.conf create mode 100644 swag/nginx/site-confs/grafana.conf create mode 100644 swag/nginx/site-confs/links.conf create mode 100644 swag/nginx/site-confs/matrix.conf create mode 100644 swag/nginx/site-confs/maubot.conf create mode 100644 swag/nginx/site-confs/ots.conf create mode 100644 swag/nginx/site-confs/paste.conf create mode 100644 swag/nginx/site-confs/prometheus.conf create mode 100644 swag/nginx/ssl.conf diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..4f5b31f --- /dev/null +++ b/docker-compose.yml 
@@ -0,0 +1,742 @@ +version: '3.7' + +networks: + matrix: + registration: + dimension: + gitea: + privatebin: + ots: + element: + chat: + cinny: + lemmy: + bookstack: + tor: + write: + +services: + synapse: + build: ./images/synapse-docker + restart: unless-stopped + container_name: synapse + user: "991:991" + environment: + - SYNAPSE_CONFIG_DIR=/data + - SYNAPSE_CONFIG_PATH=/data/homeserver.yaml + volumes: + - ./files:/data:Z + depends_on: + - postgres + networks: + - matrix + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + extra_hosts: + - "host.docker.internal:host-gateway" + labels: + - "com.centurylinklabs.watchtower.enable=false" + + postgres: + image: docker.io/postgres:14.5-alpine + container_name: postgres + user: "70:70" + restart: unless-stopped + environment: + - POSTGRES_USER=${POSTGRES_USER} + - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} + - POSTGRES_DB=${POSTGRES_DB} + - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C + volumes: + - ./schemas:/var/lib/postgresql/data:Z + ports: + - 127.0.0.1:5432:5432 + networks: + - matrix + read_only: true + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + tmpfs: + - /var/run/postgresql:size=50M,mode=0770,uid=70,gid=70,noexec,nosuid,nodev + labels: + - "com.centurylinklabs.watchtower.enable=false" + + swag: + image: ghcr.io/linuxserver/swag + restart: unless-stopped + container_name: swag + cap_add: + - NET_ADMIN + environment: + - PUID=1000 + - PGID=1000 + - URL=${SWAG_URL} + - SUBDOMAINS=${SWAG_SUBDOMAINS} + - VALIDATION=http + - EMAIL=${SWAG_EMAIL} + - ONLY_SUBDOMAINS=false + volumes: + - ./swag:/config:Z + - /etc/localtime:/etc/localtime:ro + ports: + - 443:443 + - 80:80 + - 8448:8448 + networks: + - matrix + - registration + - gitea + - privatebin + - ots + - element + - chat + - lemmy + - cinny + - bookstack + - tor + - write + security_opt: + - no-new-privileges:true + labels: + - "com.centurylinklabs.watchtower.enable=false" + + pantalaimon: + build: 
./images/pantalaimon + container_name: pantalaimon + user: "911:911" + restart: unless-stopped + volumes: + - ./pantalaimon_data:/data:Z + depends_on: + - synapse + networks: + - matrix + ports: + - 8008:8008 + read_only: true + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + labels: + - "com.centurylinklabs.watchtower.enable=false" + + mjolnir: + build: ./images/mjolnir + container_name: mjolnir + user: "911:911" + restart: unless-stopped + volumes: + - ./mjolnir:/data:Z + depends_on: + - pantalaimon + networks: + - matrix + read_only: true + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + labels: + - "com.centurylinklabs.watchtower.enable=false" + + maubot: + image: dock.mau.dev/maubot/maubot:latest + container_name: maubot + restart: unless-stopped + volumes: + - ./maubot:/data:Z + networks: + - matrix + + matrix-registration: + build: ./images/synapse-captcha + container_name: matrix-registration + restart: unless-stopped + command: [ + "--config-path=/data/config.yaml", + "serve" + ] + ports: + - 127.0.0.1:5000:5000 + volumes: + - ./matrix-registration_data:/data:Z + networks: + - matrix + - tor + labels: + - "com.centurylinklabs.watchtower.enable=false" + + redis: + image: redis:latest + container_name: redis + restart: unless-stopped + networks: + - matrix + labels: + - "com.centurylinklabs.watchtower.enable=false" + + dimension: + build: ./images/matrix-dimension + container_name: dimension + user: "1000:1000" + restart: unless-stopped + volumes: + - ./dimension:/data:Z + - ./dimension/config:/home/node/matrix-dimension/config/:Z + depends_on: + - dimension_db + networks: + - matrix + - dimension + ports: + - 127.0.0.1:8184:8184 + read_only: true + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + labels: + - "com.centurylinklabs.watchtower.enable=false" + + dimension_db: + image: docker.io/postgres:14.5-alpine + container_name: dimension_db + user: "70:70" + restart: unless-stopped + environment: + - 
POSTGRES_USER=${DIMENSION_DB_USER} + - POSTGRES_PASSWORD=${DIMENSION_DB_PASSWORD} + - POSTGRES_DB=${DIMENSION_DB_DB} + - POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C + volumes: + - ./dimension/db:/var/lib/postgresql/data:Z + ports: + - 127.0.0.1:5433:5432 + networks: + - dimension + read_only: true + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + tmpfs: + - /var/run/postgresql:size=50M,mode=0770,uid=70,gid=70,noexec,nosuid,nodev + labels: + - "com.centurylinklabs.watchtower.enable=false" + + grafana: + image: docker.io/grafana/grafana:latest + container_name: grafana + user: "472:472" + volumes: + - ./grafana-data:/var/lib/grafana:Z + restart: unless-stopped + ports: + - 3000:3000 + networks: + - matrix + + prometheus: + image: docker.io/prom/prometheus:latest + container_name: prometheus + restart: unless-stopped + ports: + - 9000:9090 + volumes: + - ./prometheus:/etc/prometheus:Z + networks: + - matrix + command: --web.config.file=/etc/prometheus/web.yml --config.file=/etc/prometheus/prometheus.yml + + node_exporter: + image: prom/node-exporter + container_name: node-exporter + restart: unless-stopped + volumes: + - /proc:/host/proc:ro + - /sys:/host/sys:ro + - /:/rootfs:ro + command: + - '--path.procfs=/host/proc' + - '--path.rootfs=/rootfs' + - '--path.sysfs=/host/sys' + - '--collector.filesystem.ignored-mount-points=^/(sys|proc|dev|host|etc)($$|/)' + restart: unless-stopped + expose: + - 9100 + networks: + - matrix + + cadvisor: + image: gcr.io/cadvisor/cadvisor:latest + container_name: cadvisor + command: + - '-port=9099' + - "--housekeeping_interval=30s" + - "--docker_only=true" + ports: + - 9099:9099 + volumes: + - /:/rootfs:ro + - /var/run:/var/run:rw + - /sys:/sys:ro + - /var/lib/docker/:/var/lib/docker:ro + networks: + - matrix + + postgres-exporter: + image: quay.io/prometheuscommunity/postgres-exporter + container_name: postgres-exporter + restart: always + environment: + - 
DATA_SOURCE_URI=postgres:5432/synapse?sslmode=disable + - DATA_SOURCE_USER=${POSTGRES_USER} + - DATA_SOURCE_PASS=${POSTGRES_PASSWORD} + ports: + - "9187:9187" + networks: + - matrix + depends_on: + - postgres + + nginx-exporter: + image: nginx/nginx-prometheus-exporter:0.10.0 + container_name: nginx-exporter + restart: unless-stopped + ports: + - "4040:4040" + networks: + - matrix + depends_on: + - swag + command: + - -nginx.scrape-uri + - http://swag:81/nginx_status + + gitea: + image: gitea/gitea:latest + container_name: gitea + environment: + - USER_UID=1000 + - USER_GID=1000 + - GITEA__database__DB_TYPE=postgres + - GITEA__database__HOST=gitea-postgres:5432 + - GITEA__database__NAME=${GITEA_DB_NAME} + - GITEA__database__USER=${GITEA_POSTGRES_USER} + - GITEA__database__PASSWD=${GITEA_POSTGRES_PASSWORD} + restart: always + networks: + - gitea + - tor + volumes: + - ./gitea:/data + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + ports: + - "3333:3333" + depends_on: + - gitea-postgres + + gitea-postgres: + image: postgres:14 + container_name: gitea-postgres + restart: always + environment: + - POSTGRES_USER=${GITEA_POSTGRES_USER} + - POSTGRES_PASSWORD=${GITEA_POSTGRES_PASSWORD} + - POSTGRES_DB=${GITEA_DB_NAME} + networks: + - gitea + volumes: + - ./gitea-postgres:/var/lib/postgresql/data + labels: + - "com.centurylinklabs.watchtower.enable=false" + + privatebin: + image: privatebin/fs:latest + container_name: privatebin + user: "882:882" + restart: unless-stopped + volumes: + - ./privatebin-data:/srv/data:Z + - ./privatebin-data/conf.php:/srv/cfg/conf.php:ro + networks: + - privatebin + - tor + read_only: true + + ots: + image: luzifer/ots:latest + container_name: ots + restart: unless-stopped + networks: + - ots + - tor + entrypoint: ["/usr/local/bin/ots"] + + element: + image: vectorim/element-web:latest + container_name: element + restart: unless-stopped + volumes: + - ./element-data/element-config.json:/app/config.json:ro + networks: + - 
element + + chat: + image: ghcr.io/schildichat/schildichat-web:latest + container_name: chat + restart: unless-stopped + volumes: + - ./chat-data/element-config.json:/app/config.json:ro + networks: + - chat + + cinny: + image: ghcr.io/cinnyapp/cinny:latest + container_name: cinny + restart: unless-stopped + volumes: + - ./cinny-data/config.json:/app/config.json:ro + networks: + - cinny + + lemmy-postgres: + image: postgres:15-alpine + user: "70:70" + container_name: lemmy-postgres + hostname: lemmy-postgres + environment: + - POSTGRES_USER=${LEMMY_POSTGRES_USER} + - POSTGRES_PASSWORD=${LEMMY_POSTGRES_PASSWORD} + - POSTGRES_DB=${LEMMY_POSTGRES_DB} + volumes: + - ./lemmy/volumes/postgres:/var/lib/postgresql/data + restart: unless-stopped + networks: + - lemmy + labels: + - "com.centurylinklabs.watchtower.enable=false" + + lemmy: + image: dessalines/lemmy:latest + container_name: lemmy + restart: unless-stopped + environment: + - RUST_LOG="warn,lemmy_server=info,lemmy_api=info,lemmy_api_common=info,lemmy_api_crud=info,lemmy_apub=info,lemmy_db_schema=info,lemmy_db_views=info,lemmy_db_views_actor=info,lemmy_db_views_moderator=info,lemmy_routes=info,lemmy_utils=info,lemmy_websocket=info" + volumes: + - ./lemmy/lemmy.hjson:/config/config.hjson + depends_on: + - postgres + - pictrs + networks: + - lemmy + + lemmy-ui: + image: dessalines/lemmy-ui:latest + container_name: lemmy-ui + restart: unless-stopped + environment: + - LEMMY_UI_LEMMY_INTERNAL_HOST=lemmy:8536 + - LEMMY_UI_LEMMY_EXTERNAL_HOST=links.hackliberty.org + - LEMMY_UI_HTTPS=true + depends_on: + - lemmy + networks: + - lemmy + + pictrs: + image: asonix/pictrs:0.3.1 + hostname: pictrs + container_name: pictrs + ports: + - "8537:8080" + - "6670:6669" + user: 991:991 + volumes: + - ./lemmy/volumes/pictrs:/mnt + restart: unless-stopped + networks: + - lemmy + labels: + - "com.centurylinklabs.watchtower.enable=false" + + protonmail-bridge: + image: shenxn/protonmail-bridge + container_name: protonmail-bridge + ports: 
+ - "1025:25" + restart: unless-stopped + volumes: + - ./protonmail:/root + networks: + - lemmy + + bookstack: + image: lscr.io/linuxserver/bookstack:latest + container_name: bookstack + environment: + - PUID=1001 + - PGID=1001 + - APP_URL=https://docs.hackliberty.org + - DB_HOST=bookstack_db + - DB_PORT=3306 + - DB_USER=${BOOKSTACK_DB_USER} + - DB_PASS=${BOOKSTACK_DB_PASS} + - DB_DATABASE=${BOOKSTACK_DB_DB} + volumes: + - ./bookstack:/config:Z + restart: unless-stopped + depends_on: + - bookstack_db + networks: + - bookstack + + bookstack_db: + image: lscr.io/linuxserver/mariadb + container_name: bookstack_db + environment: + - PUID=1001 + - PGID=1001 + - MYSQL_ROOT_PASSWORD=${BOOKSTACK_DB_PASS} + - TZ=Europe/London + - MYSQL_DATABASE=${BOOKSTACK_DB_DB} + - MYSQL_USER=${BOOKSTACK_DB_USER} + - MYSQL_PASSWORD=${BOOKSTACK_DB_PASS} + volumes: + - ./bookstack:/config:Z + restart: unless-stopped + networks: + - bookstack + labels: + - "com.centurylinklabs.watchtower.enable=false" + + watchtower: + image: containrrr/watchtower + container_name: watchtower + volumes: + - /var/run/docker.sock:/var/run/docker.sock + command: --interval 14400 + + matrix-chatgpt4-bot: + image: ghcr.io/matrixgpt/matrix-chatgpt-bot:sha-b78cc35 + container_name: chatgpt4 + volumes: + - ./chatgpt:/storage + env_file: + - ./.env + + matrix-chatgpt3-bot: + image: ghcr.io/matrixgpt/matrix-chatgpt-bot:latest + container_name: chatgpt3 + volumes: + - ./chatgpt3:/storage + env_file: + - ./.chatgpt3 + + tor: + image: osminogin/tor-simple:latest + container_name: tor + volumes: + - ./tor-data:/var/lib/tor + - ./tor-data/torrc:/etc/tor + ports: + - 127.0.0.1:9050:9050 + networks: + - tor + - matrix + + writefreely: + image: algernon/writefreely + container_name: writefreely + user: "5000:5000" + volumes: + - ./writefreely:/data:Z + ports: + - 9999:9999 + networks: + - write + - tor + +# WORKERS + + synapse-generic-worker-4: + build: ./images/synapse-worker-docker + container_name: synapse-generic-worker-4 
+ user: "991:991" + restart: unless-stopped + environment: + SYNAPSE_WORKER: synapse.app.generic_worker + entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/worker4.yaml"] + volumes: + - ./files:/data:Z + ports: + - 127.0.0.1:8083:8081 + depends_on: + - synapse + networks: + - matrix + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + labels: + - "com.centurylinklabs.watchtower.enable=false" + + synapse-generic-worker-3: + build: ./images/synapse-worker-docker + container_name: synapse-generic-worker-3 + user: "991:991" + restart: unless-stopped + environment: + SYNAPSE_WORKER: synapse.app.generic_worker + entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/worker3.yaml"] + volumes: + - ./files:/data:Z + ports: + - 127.0.0.1:8082:8081 + depends_on: + - synapse + networks: + - matrix + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + labels: + - "com.centurylinklabs.watchtower.enable=false" + + synapse-generic-worker-2: + build: ./images/synapse-worker-docker + container_name: synapse-generic-worker-2 + user: "991:991" + restart: unless-stopped + environment: + SYNAPSE_WORKER: synapse.app.generic_worker + entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/worker2.yaml"] + volumes: + - ./files:/data:Z + ports: + - 127.0.0.1:8081:8081 + depends_on: + - synapse + networks: + - matrix + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + labels: + - "com.centurylinklabs.watchtower.enable=false" + + synapse-generic-worker-1: + build: ./images/synapse-worker-docker + container_name: synapse-generic-worker-1 + user: "991:991" + restart: unless-stopped + environment: + SYNAPSE_WORKER: synapse.app.generic_worker + entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/worker1.yaml"] + volumes: + - ./files:/data:Z + ports: + - 127.0.0.1:8080:8081 
+ depends_on: + - synapse + networks: + - matrix + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + labels: + - "com.centurylinklabs.watchtower.enable=false" + + synapse-federation-sender-4: + build: ./images/synapse-worker-docker + container_name: synapse-federation-sender-4 + user: "991:991" + restart: unless-stopped + environment: + SYNAPSE_WORKER: synapse.app.generic_worker + entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/federation4.yaml"] + volumes: + - ./files:/data:Z + depends_on: + - synapse + networks: + - matrix + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + labels: + - "com.centurylinklabs.watchtower.enable=false" + + synapse-federation-sender-3: + build: ./images/synapse-worker-docker + container_name: synapse-federation-sender-3 + user: "991:991" + restart: unless-stopped + environment: + SYNAPSE_WORKER: synapse.app.generic_worker + entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/federation3.yaml"] + volumes: + - ./files:/data:Z + depends_on: + - synapse + networks: + - matrix + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + labels: + - "com.centurylinklabs.watchtower.enable=false" + + synapse-federation-sender-2: + build: ./images/synapse-worker-docker + container_name: synapse-federation-sender-2 + user: "991:991" + restart: unless-stopped + environment: + SYNAPSE_WORKER: synapse.app.generic_worker + entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/federation2.yaml"] + volumes: + - ./files:/data:Z + depends_on: + - synapse + networks: + - matrix + security_opt: + - no-new-privileges:true + cap_drop: + - ALL + labels: + - "com.centurylinklabs.watchtower.enable=false" + + synapse-federation-sender-1: + build: ./images/synapse-worker-docker + container_name: synapse-federation-sender-1 + user: "991:991" + restart: unless-stopped + environment: + 
SYNAPSE_WORKER: synapse.app.generic_worker
+ entrypoint: ["/start.py", "run", "--config-path=/data/homeserver.yaml", "--config-path=/data/workers/federation1.yaml"]
+ volumes:
+ - ./files:/data:Z
+ depends_on:
+ - synapse
+ networks:
+ - matrix
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ labels:
+ - "com.centurylinklabs.watchtower.enable=false"
diff --git a/files/config.yaml b/files/config.yaml
new file mode 100644
index 0000000..f0fe8b6
--- /dev/null
+++ b/files/config.yaml
@@ -0,0 +1,46 @@
+server_location: 'http://synapse:8008'
+server_name: 'hackliberty.org'
+shared_secret: 'REDACTED'
+admin_api_shared_secret: 'REDACTED' # to generate tokens via the web api
+base_url: '' # e.g. '/element' for https://example.tld/element/register
+client_redirect: 'https://element.hackliberty.org'
+riot_instace: 'https://element.hackliberty.org'
+#riot_instance: 'https://riot.im/app/'
+db: 'sqlite:////data/db.sqlite3'
+host: '0.0.0.0'
+port: 5000
+rate_limit: ["10000 per day", "100 per minute"]
+allow_cors: false
+ip_logging: false
+logging:
+ disable_existing_loggers: False
+ version: 1
+ root:
+ level: DEBUG
+ handlers: [console, file]
+ formatters:
+ brief:
+ format: '%(name)s - %(levelname)s - %(message)s'
+ precise:
+ format: '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+ handlers:
+ console:
+ class: logging.StreamHandler
+ level: INFO
+ formatter: brief
+ stream: ext://sys.stdout
+ file:
+ class: logging.handlers.RotatingFileHandler
+ formatter: precise
+ level: INFO
+ filename: m_reg.log
+ maxBytes: 10485760 # 10MB
+ backupCount: 3
+ encoding: utf8
+# password requirements
+password:
+ min_length: 14
+# username requirements
+username:
+ validation_regex: [ '[a-zA-Z0-9]' ]
+ invalidation_regex: [ '(info|admin|null|123456|mail|fuck|webmaster|root|test|guest|adm|mysql|user|administrator|oracle|ftp|pi|puppet|ansible|ec2-user|vagrant|azureuse|mod|moderator|host|postgres|synapse|support)' ]
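Review bot: `env_file: - ./.env` on the matrix-chatgpt4-bot service hands that container the whole project environment file, which — judging by the `${POSTGRES_PASSWORD}`, `${GITEA_POSTGRES_PASSWORD}` and `${BOOKSTACK_DB_PASS}` interpolations elsewhere in this file — is presumably where every database credential lives; give the bot its own file, `env_file: - ./.chatgpt4`, as the chatgpt3 service already does with `./.chatgpt3`. Several host port bindings (`3000:3000`, `9000:9090`, `9099:9099`, `9187:9187`, `4040:4040`, `8008:8008` on pantalaimon, `8537:8080`, `6670:6669`, `1025:25`, `9999:9999`) publish on all interfaces while postgres, dimension, matrix-registration and the workers use the `127.0.0.1:` prefix; unless these are meant to be reached from outside the host, prefix them the same way so that swag stays the only internet-facing service. The worker entrypoints reference `/data/workers/worker1.yaml` through `federation4.yaml`, but no `files/workers/` entry appears in the diffstat, so the workers as committed cannot start; if those files are git-ignored because they hold secrets, a committed example would help. `lemmy` declares `depends_on: - postgres` (the Synapse database, on the `matrix` network that lemmy does not join) rather than `lemmy-postgres`, which looks like a copy-paste slip.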
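Review bot: `riot_instace:` is misspelled, so the value is silently ignored and the key the project expects (`riot_instance`, shown commented out on the next line) stays unset; change it to `riot_instance: 'https://element.hackliberty.org'`. The `validation_regex` entry `'[a-zA-Z0-9]'` matches a single alphanumeric character anywhere in the name, and `invalidation_regex` holds unanchored short tokens (`pi`, `adm`, `mod`, `host`, `user`), so if the project applies these with a search rather than a full match the first accepts almost any name and the second rejects legitimate ones such as "spider" or "modern"; anchoring them (`'^[a-zA-Z0-9]+$'` and `'^(info|admin|…)$'`) states the intent either way. The `root` logger is at DEBUG while both handlers are INFO, so as written the DEBUG level has no visible effect.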
diff --git a/files/homeserver.yaml b/files/homeserver.yaml
new file mode 100644
index 0000000..d7c9ce2
--- /dev/null
+++ b/files/homeserver.yaml
@@ -0,0 +1,218 @@
+# Configuration file for Synapse.
+#
+# For more information on how to configure Synapse, including a complete accounting of
+# each option, go to docs/usage/configuration/config_documentation.md or
+# https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html
+# Configuration file for Synapse.
+
+
+
+
+modules:
+ - module: mjolnir.Module
+ config:
+ # Prevent servers/users in the ban lists from inviting users on this
+ # server to rooms. Default true.
+ block_invites: true
+ # Flag messages sent by servers/users in the ban lists as spam. Currently
+ # this means that spammy messages will appear as empty to users. Default
+ # false.
+ block_messages: false
+ # Remove users from the user directory search by filtering matrix IDs and
+ # display names by the entries in the user ban list. Default false.
+ block_usernames: false
+ # The room IDs of the ban lists to honour. Unlike other parts of Mjolnir,
+ # this list cannot be room aliases or permalinks. This server is expected
+ # to already be joined to the room - Mjolnir will not automatically join
+ # these rooms.
+ ban_lists:
+ # EBL
+ - "!GGuqmQVLNyWASNjVQw:envs.net"
+ # matrix-coc-bl
+ #- "!WuBtumawCeOGEieRrp:matrix.org"
+ # matrix-tos-bl
+ #- "!tUPwPPmVTaiKXMiijj:matrix.org"
+ # Public Servers Shared Banlist
+ - "!RRGtWzzVKUJmDVRNnZ:aria-net.org"
+ # asragr-ban-list
+ - "!YImXsibeOfGBYVaElT:asra.gr"
+ # community-moderation-effort-bl:neko.dev
+ - "!fTjMjIzNKEsFlUIiru:neko.dev"
+ #message_max_length:
+ # Limit the characters in a message (event body) that a client can send in an event on this server.
+ # By default there is no limit (beyond the the limit the spec enforces on event size).
+ # Uncomment if you want messages to be limited to 510 characters.
+ #threshold: 510
+ # Limit messages only in certain rooms rooms.
+ # By default all rooms will enforce the limit.
+ # Uncomment if you want messages to only be subject to character limits in certain rooms.
+ #rooms:
+ # - "!vMvyOCeCxHsggkmALd:localhost:9999"
+ # Also hide messages from remote servers that are over the `message_limit`.
+ # By default only events from this server will be limited.
+ # WARNING: Remote users on other servers will still be able to messages over the limit.
+ # Uncomment to enforce the `message_limit` on events from remote servers.
+ #remote_servers: true
+
+server_name: hackliberty.org
+public_baseurl: https://hackliberty.org/
+web_client_location: https://element.hackliberty.org/
+
+serve_server_wellknown: true
+
+pid_file: "/data/homeserver.pid"
+
+presence:
+ enabled: false
+allow_device_name_lookup_over_federation: false
+allow_public_rooms_over_federation: true
+include_profile_data_on_invite: true
+require_auth_for_profile_requests: true
+allow_profile_lookup_over_federation: true
+limit_profile_requests_to_users_who_share_rooms: false
+
+listeners:
+ - port: 9093
+ type: http
+ resources:
+ - names: [replication]
+ bind_addresses: ['0.0.0.0']
+
+ - port: 8008
+ tls: false
+ type: http
+ x_forwarded: true
+ bind_addresses: ['0.0.0.0']
+
+ resources:
+ - names: [client, federation]
+ compress: false
+
+ - port: 9000
+ tls: false
+ type: metrics
+ bind_addresses: ['0.0.0.0']
+
+
+redaction_retention_period: 1m
+user_ips_max_age: 1m
+
+retention:
+
+ enabled: true
+
+ purge_jobs:
+ - longest_max_lifetime: 1h
+ interval: 30m
+ - shortest_max_lifetime: 1h
+ longest_max_lifetime: 12h
+ interval: 1h
+ - shortest_max_lifetime: 12h
+ longest_max_lifetime: 1d
+ interval: 12h
+ - shortest_max_lifetime: 1d
+ longest_max_lifetime: 10y
+ interval: 24h
+
+federation_client_minimum_tls_version: 1.2
+
+caches:
+ global_factor: 2.0
+
+ per_cache_factors:
+ get_users_who_share_room_with_user: 5.0
+
+ sync_response_cache_duration: 2m
+
+database:
+ name: psycopg2
+ txn_limit: 10000
+ args:
+ user: REDACTED
+ password: REDACTED
+ database: REDACTED
+ host: postgres
+ port: 5432
+ cp_min: 5
+ cp_max: 10
+
+log_config: "/data/hackliberty.org.log.config"
+rc_federation:
+ window_size: 1000
+ sleep_limit: 10
+ sleep_delay: 500
+ reject_limit: 50
+ concurrent: 3
+
+federation_rr_transactions_per_room_per_second: 50
+
+media_store_path: "/data/media_store"
+
+max_upload_size: 50M
+max_image_pixels: 50M
+
+url_preview_enabled: true
+url_preview_ip_range_blacklist:
+ - '127.0.0.0/8'
+ - '10.0.0.0/8'
+ - '172.16.0.0/12'
+ - '192.168.0.0/16'
+ - '100.64.0.0/10'
+ - '192.0.0.0/24'
+ - '169.254.0.0/16'
+ - '192.88.99.0/24'
+ - '198.18.0.0/15'
+ - '192.0.2.0/24'
+ - '198.51.100.0/24'
+ - '203.0.113.0/24'
+ - '224.0.0.0/4'
+ - '::1/128'
+ - 'fe80::/10'
+ - 'fc00::/7'
+ - '2001:db8::/32'
+ - 'ff00::/8'
+ - 'fec0::/10'
+
+url_preview_url_blacklist:
+ - netloc: 'google.com'
+ - netloc: '*.google.com'
+ - scheme: 'http'
+ - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
+
+enable_registration: false
+registration_requires_token: true
+registration_shared_secret: "REDACTED"
+
+allow_guest_access: false
+
+auto_join_rooms:
+ - "#community:hackliberty.org"
+
+enable_metrics: true
+
+
+signing_key_path: "/data/hackliberty.org.signing.key"
+trusted_key_servers:
+ - server_name: "matrix.org"
+
+inhibit_user_in_use_error: true
+
+suppress_key_server_warning: true
+
+report_stats: false
+
+macaroon_secret_key: "REDACTED"
+
+form_secret: "REDACTED"
+
+send_federation: false
+federation_sender_instances:
+ - federation1
+ - federation2
+ - federation3
+ - federation4
+
+redis:
+ enabled: true
+ host: redis
+ port: 6379
diff --git a/images/build.sh b/images/build.sh
new file mode 100644
index 0000000..dbd55a9
--- /dev/null
+++ b/images/build.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+docker build ./synapse-captcha/
+docker build ./mjolnir/
+docker build ./pantalaimon/
+docker build ./synapse-docker/
+docker build ./synapse-worker-docker/
+docker build ./matrix-dimension/
\ No newline at end of file
diff --git a/images/matrix-dimension b/images/matrix-dimension
new file mode 160000
index 0000000..1ee97be
--- /dev/null
+++ b/images/matrix-dimension
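Review bot: `redaction_retention_period: 1m` and `user_ips_max_age: 1m` are read by Synapse as one minute — its duration suffix `m` means minutes, as `sync_response_cache_duration: 2m` in the same file already relies on, and there is no month unit — so redacted event content and client IP history are purged almost immediately and nothing is left for an abuse investigation; if a month was intended, write `redaction_retention_period: 28d` and `user_ips_max_age: 28d`. The replication listener on 9093 and the metrics listener on 9000 bind `0.0.0.0` without TLS; the compose file does not publish them to the host, but every container on the shared `matrix` network (grafana, prometheus, the exporters, tor, maubot, redis) can reach them, so consider setting `worker_replication_secret` and keeping replication on a network the monitoring containers do not join. `log_config: "/data/hackliberty.org.log.config"` is referenced but is not part of this commit, so a fresh checkout will not start the homeserver until it is added.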
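Review bot: Each `docker build` runs without `set -e`, so one failing image does not stop the script, and without `-t` every image is left untagged and unreferenced (the compose file rebuilds them anyway through its own `build:` keys). Add `set -euo pipefail` and `cd "$(dirname "$0")"` after the shebang so the relative paths also work from another working directory, and tag each image, e.g. `docker build -t synapse-captcha ./synapse-captcha/`. The six `images/*` directories this script builds are submodule pointers (mode 160000) with no `.gitmodules` in the diffstat, so a fresh clone cannot fetch them and every build here would fail; the file also lacks a trailing newline.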
@@ -0,0 +1 @@
+Subproject commit 1ee97be49d75f2d89275073963097409498ebcb1
diff --git a/images/mjolnir b/images/mjolnir
new file mode 160000
index 0000000..2915757
--- /dev/null
+++ b/images/mjolnir
@@ -0,0 +1 @@
+Subproject commit 2915757b7d04308848061d4c048a9ee827fea9aa
diff --git a/images/pantalaimon b/images/pantalaimon
new file mode 160000
index 0000000..b5a419e
--- /dev/null
+++ b/images/pantalaimon
@@ -0,0 +1 @@
+Subproject commit b5a419e488fe985b0d2ef9a8212e71c27ea6a7d6
diff --git a/images/synapse-captcha b/images/synapse-captcha
new file mode 160000
index 0000000..1660b52
--- /dev/null
+++ b/images/synapse-captcha
@@ -0,0 +1 @@
+Subproject commit 1660b52a5d18e1c2f741348a803632a986beac74
diff --git a/images/synapse-docker b/images/synapse-docker
new file mode 160000
index 0000000..53ae6a4
--- /dev/null
+++ b/images/synapse-docker
@@ -0,0 +1 @@
+Subproject commit 53ae6a44fea2ecc954fc7c57b68bbec320bae028
diff --git a/images/synapse-worker-docker b/images/synapse-worker-docker
new file mode 160000
index 0000000..215f91b
--- /dev/null
+++ b/images/synapse-worker-docker
@@ -0,0 +1 @@
+Subproject commit 215f91bbca874c4679f8bdd0b7f8ca502bd0003d
diff --git a/swag/nginx/gzip.conf b/swag/nginx/gzip.conf
new file mode 100644
index 0000000..aa2fccc
--- /dev/null
+++ b/swag/nginx/gzip.conf
@@ -0,0 +1,26 @@
+ gzip on;
+ gzip_disable "msie6";
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_min_length 256;
+ gzip_comp_level 7;
+ gzip_types
+ application/atom+xml
+ application/geo+json
+ application/javascript
+ application/x-javascript
+ application/json
+ application/ld+json
+ application/manifest+json
+ application/rdf+xml
+ application/rss+xml
+ application/xhtml+xml
+ application/xml
+ font/eot
+ font/otf
+ font/ttf
+ image/svg+xml
+ text/css
+ text/javascript
+ text/plain
+ text/xml;
diff --git a/swag/nginx/include.d/client_worker.conf b/swag/nginx/include.d/client_worker.conf
new file mode 100644
index 0000000..726b77d
--- /dev/null
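Review bot: `gzip_proxied any` combined with `application/json` in `gzip_types` compresses every proxied API response, including Synapse client responses that reflect user-supplied text alongside tokens and other per-user secrets, which is the precondition for BREACH-style compression side channels over TLS; keep compression for the static types and leave `application/json` out on the matrix-facing site, or scope this include to the static sites only. Which site-confs include this file is not visible in this hunk, so the practical exposure cannot be judged here.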
+++ b/swag/nginx/include.d/client_worker.conf 
@@ -0,0 +1,90 @@
+## Client API requests
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/v1/rooms/.*/hierarchy$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/(r0|v3|unstable)/account/3pid$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/(r0|v3|unstable)/account/whoami$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/(r0|v3|unstable)/devices$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/versions$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/v1/rooms/.*/timestamp_to_event$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/search$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
\ No newline at end of file
diff --git a/swag/nginx/include.d/encryption_worker.conf b/swag/nginx/include.d/encryption_worker.conf
new file mode 100644
index 0000000..bbd7f63
--- /dev/null
+++ b/swag/nginx/include.d/encryption_worker.conf
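Review bot: Every one of the 18 location blocks carries the same two directives, so the routes can be folded into a few regex alternations, e.g. `location ~ ^/_matrix/client/(api/v1|r0|v3|unstable)/(createRoom|publicRooms|joined_rooms|search)$ { include /config/nginx/include.d/synapse-proxy.conf; proxy_pass http://generic_worker_lc; }`, which keeps the list in one place when Synapse's worker documentation changes. nginx evaluates `location ~` blocks in file order and stops at the first match, so the site-conf that includes this file has to do so before any broader `/_matrix` location or the workers never receive these routes; that site-conf is not visible in this hunk, so this is worth confirming. The file also ends without a trailing newline.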
@@ -0,0 +1,26 @@
+## Encryption requests
+location ~ ^/_matrix/client/(r0|v3|unstable)/keys/query$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/(r0|v3|unstable)/keys/changes$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/(r0|v3|unstable)/keys/claim$ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+location ~ ^/_matrix/client/(r0|v3|unstable)/room_keys/ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
+
+# Note that ^/_matrix/client/(r0|v3|unstable)/keys/upload/ requires `worker_main_http_uri`
+location ~ ^/_matrix/client/(r0|v3|unstable)/keys/upload/ {
+ include /config/nginx/include.d/synapse-proxy.conf;
+ proxy_pass http://generic_worker_lc;
+}
\ No newline at end of file
diff --git a/swag/nginx/include.d/federation_worker.conf b/swag/nginx/include.d/federation_worker.conf
new file mode 100644
index 0000000..5c875cd
--- /dev/null
+++ b/swag/nginx/include.d/federation_worker.conf
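Review bot: The comment above the `keys/upload/` location states that the route requires `worker_main_http_uri`; in more recent Synapse releases that worker option is deprecated and generic workers serve this endpoint without it, so depending on the Synapse version deployed the comment is either a hard requirement or stale. Pin it to a version so the next person can tell which, e.g. `# keys/upload/ needs worker_main_http_uri in the worker config on Synapse versions before <VERSION>; see the workers docs`. Whichever applies, the Synapse worker configuration must agree with this routing, and that configuration lives outside this file.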
@@ -0,0 +1,96 @@ +## Federation requests +location ~ ^/_matrix/federation/v1/event/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/state/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/state_ids/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/backfill/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/get_missing_events/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/publicRooms { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/query/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/make_join/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/make_leave/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/(v1|v2)/send_join/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/(v1|v2)/send_leave/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/(v1|v2)/invite/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/event_auth/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ 
^/_matrix/federation/v1/timestamp_to_event/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/exchange_third_party_invite/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/user/devices/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/key/v2/query { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +location ~ ^/_matrix/federation/v1/hierarchy/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_lc; +} + +# Inbound federation transaction request +location ~ ^/_matrix/federation/v1/send/ { + include /config/nginx/include.d/synapse-proxy.conf; + proxy_pass http://generic_worker_ih; +} diff --git a/swag/nginx/include.d/homepage.conf b/swag/nginx/include.d/homepage.conf new file mode 100644 index 0000000..c2b500b --- /dev/null +++ b/swag/nginx/include.d/homepage.conf @@ -0,0 +1,8 @@ + location / { + root /config/www/hackliberty.org; + include /config/nginx/gzip.conf; + include /config/nginx/security-headers.conf; + # Add Onion-Location Header + add_header Onion-Location http://kj3wvs3wyfhm3uhhuqxlrhhcp6dneuau4mmvptlor27ghmrqx63fqnid.onion$request_uri; + add_header Content-Security-Policy "default-src 'none'; frame-src https://trocador.app/; connect-src 'self'; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'; require-trusted-types-for 'script'; trusted-types 'none'"; + } diff --git a/swag/nginx/include.d/maubot.conf b/swag/nginx/include.d/maubot.conf new file mode 100644 index 0000000..f9ed4d2 --- /dev/null +++ b/swag/nginx/include.d/maubot.conf 
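Review bot: The comment `# Inbound federation transaction request` on the `/_matrix/federation/v1/send/` location does not explain why this single endpoint uses the `generic_worker_ih` (ip_hash) upstream while every other location in the file uses `generic_worker_lc`. Synapse requires that all transactions from a given origin server land on the same worker, which is what hashing on the peer address provides; note that ip_hash keys on the TCP peer address, so it is unaffected by the `0.0.0.0` values that synapse-proxy.conf puts in X-Forwarded-For. Suggest `# Inbound federation transactions: Synapse needs every /send from one origin on the same worker, hence ip_hash (keyed on the peer address, not the anonymized headers)`.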
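Review bot: The `Content-Security-Policy` and `Onion-Location` headers in the homepage `location /` are added without `always`, while the included security-headers.conf uses `always` on every header, so a 404 or other error response served from this root carries HSTS and nosniff but no CSP. Change to `add_header Content-Security-Policy "..." always;` with the same policy string. The identical location is duplicated verbatim in the onion server at the end of matrix.conf, and the same `always` omission recurs in chat.conf, cinny.conf, element.conf and gitea.conf; making this include the single source and adding `always` once would cover all of them.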
@@ -0,0 +1,13 @@
+ location /_matrix/maubot/v1/logs {
+ proxy_pass http://maubot:29316;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+ location /_matrix/maubot {
+ proxy_pass http://maubot:29316;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
diff --git a/swag/nginx/include.d/mjolnir-reports.conf b/swag/nginx/include.d/mjolnir-reports.conf
new file mode 100644
index 0000000..c7cfa5c
--- /dev/null
+++ b/swag/nginx/include.d/mjolnir-reports.conf
@@ -0,0 +1,19 @@
+ location ~ ^/_matrix/client/r0/rooms/([^/]*)/report/(.*)$ {
+ # Abuse reports should be sent to Mjölnir.
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ include /config/nginx/include.d/synapse-proxy.conf;
+ set $upstream_app mjolnir;
+ set $upstream_port 8081;
+ set $upstream_proto http;
+ # Add CORS, otherwise a browser will refuse this request.
+ add_header 'Access-Control-Allow-Credentials' 'true' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
+ add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since' always;
+ add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
+ add_header 'Access-Control-Max-Age' 1728000;
+ # Alias the regexps, to ensure that they're not rewritten.
+ set $room_id $1;
+ set $event_id $2;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port/api/1/report/$room_id/$event_id;
+ }
diff --git a/swag/nginx/include.d/register.conf b/swag/nginx/include.d/register.conf
new file mode 100644
index 0000000..dd76c93
--- /dev/null
+++ b/swag/nginx/include.d/register.conf
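Review bot: Both maubot locations send `proxy_set_header X-Forwarded-For $remote_addr;`, i.e. the real client address, whereas synapse-proxy.conf and proxy.conf in this same commit deliberately replace it with `0.0.0.0`. If not forwarding client addresses to backends is the policy, maubot is the one backend that still receives them; if this is intentional, say so with `# real client address forwarded on purpose: <REASON>` so it is not "fixed" later. These two blocks also bypass proxy.conf entirely, so none of its timeouts or its `proxy_set_header Proxy ""` reset apply to the maubot path.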
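Review bot: The report location only matches the legacy `r0` path (`^/_matrix/client/r0/rooms/([^/]*)/report/(.*)$`), so a client that uses the current `/_matrix/client/v3/...` report endpoint falls through to the `^(/_matrix.*)` catch-all in matrix.conf and the abuse report reaches Synapse instead of Mjölnir. Change the prefix to `^/_matrix/client/(r0|v3|unstable)/rooms/([^/]*)/report/(.*)$`, mirroring the version alternation used in client_worker.conf. The CORS block sets `Access-Control-Allow-Credentials` but no `Access-Control-Allow-Origin`; presumably Mjölnir's report endpoint adds that itself, otherwise browser-originated reports will still be refused, so it is worth confirming.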
@@ -0,0 +1,24 @@
+ location /register {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ include /config/nginx/include.d/synapse-proxy.conf;
+ include /config/nginx/gzip.conf;
+ include /config/nginx/security-headers.conf;
+ add_header Onion-Location http://54ct5xaioq64ejuxfpyuxyuati4aplp2dlebr3t5ug7ck62i5tsaiuid.onion$request_uri;
+ set $upstream_app matrix-registration;
+ set $upstream_port 5000;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+
+ location /static {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ include /config/nginx/include.d/synapse-proxy.conf;
+ include /config/nginx/gzip.conf;
+ include /config/nginx/security-headers.conf;
+ set $upstream_app matrix-registration;
+ set $upstream_port 5000;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
diff --git a/swag/nginx/include.d/synapse-proxy.conf b/swag/nginx/include.d/synapse-proxy.conf
new file mode 100644
index 0000000..eb97a2d
--- /dev/null
+++ b/swag/nginx/include.d/synapse-proxy.conf
@@ -0,0 +1,7 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP 0.0.0.0;
+proxy_set_header X-Forwarded-For 0.0.0.0;
+proxy_set_header X-Forwarded-Host 0.0.0.0;
+proxy_set_header X-Forwarded-Proto $scheme;
+
+port_in_redirect off;
diff --git a/swag/nginx/include.d/upstream_workers.conf b/swag/nginx/include.d/upstream_workers.conf
new file mode 100644
index 0000000..dbb38d3
--- /dev/null
+++ b/swag/nginx/include.d/upstream_workers.conf
@@ -0,0 +1,15 @@
+upstream generic_worker_ih {
+ ip_hash;
+ server synapse-generic-worker-1:8080;
+ server synapse-generic-worker-2:8081;
+ server synapse-generic-worker-3:8082;
+ server synapse-generic-worker-4:8083;
+}
+
+upstream generic_worker_lc {
+ least_conn;
+ server synapse-generic-worker-1:8080;
+ server synapse-generic-worker-2:8081;
+ server synapse-generic-worker-3:8082;
+ server synapse-generic-worker-4:8083;
+}
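Review bot: `/register` is proxied to matrix-registration with no `limit_req`, even though links.conf in this commit already shows the `limit_req_zone` pattern; a registration form is the usual place to apply one, e.g. a zone in the http context plus `limit_req zone=<ZONE_NAME> burst=10 nodelay;` inside this location. Separately, the `/static` prefix location sits inside the main hackliberty.org server block, so any `/static/...` path of the static homepage under `/config/www/hackliberty.org` is now routed to matrix-registration instead of being served from disk; if that is intended, a comment saying so would help.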
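Review bot: Setting `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Host` to the literal `0.0.0.0` is evidently a privacy decision, but nothing in the file says so, and it has a side effect worth documenting: Synapse's per-address rate limits (for example `rc_login.address`) and any address-based checks see every client as the same address, so they either throttle everyone together or do nothing useful, and rate limiting has to happen in nginx instead. Suggest a header comment such as `# Client addresses are deliberately NOT forwarded to Synapse (privacy); per-address rate limiting must therefore be done in nginx` and the same note in proxy.conf. `X-Forwarded-Host 0.0.0.0` is also odd given `Host $http_host` is already passed on the first line; if it stays, document why.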
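Review bot: The `server synapse-generic-worker-N:808N` entries are hostnames that nginx resolves once when the configuration is loaded, so when a worker container is recreated with a new address the upstream keeps the stale one until nginx is reloaded; the `include /config/nginx/resolver.conf` used in the site-confs does not help here because it only affects `proxy_pass` targets built from variables. Either document this (`# hostnames resolved at config load; reload nginx after recreating worker containers`) or make the deployment reload the proxy when workers change. Each worker also listens on a different port (8080-8083) even though they are separate containers, which is fine but deserves a one-line comment so nobody "normalizes" them.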
diff --git a/swag/nginx/nginx.conf b/swag/nginx/nginx.conf
new file mode 100644
index 0000000..a7717ec
--- /dev/null
+++ b/swag/nginx/nginx.conf
@@ -0,0 +1,148 @@ +## Version 2022/08/16 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/nginx.conf.sample + +### Based on alpine defaults +# https://git.alpinelinux.org/aports/tree/main/nginx/nginx.conf?h=3.15-stable + +user abc; + +# Set number of worker processes automatically based on number of CPU cores. +include /config/nginx/worker_processes.conf; + +# Enables the use of JIT for regular expressions to speed-up their processing. +pcre_jit on; + +# Configures default error logger. +#error_log /config/log/nginx/error.log; + +# Includes files with directives to load dynamic modules. +include /etc/nginx/modules/*.conf; + +# Include files with config snippets into the root context. +include /etc/nginx/conf.d/*.conf; + +events { + # The maximum number of simultaneous connections that can be opened by + # a worker process. + worker_connections 1024; +} + +http { + # Includes mapping of file name extensions to MIME types of responses + # and defines the default type. + include /etc/nginx/mime.types; + default_type application/octet-stream; + + # Name servers used to resolve names of upstream servers into addresses. + # It's also needed when using tcpsocket and udpsocket in Lua modules. + #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001; + include /config/nginx/resolver.conf; + + # Don't tell nginx version to the clients. Default is 'on'. + server_tokens off; + + # Specifies the maximum accepted body size of a client request, as + # indicated by the request header Content-Length. If the stated content + # length is greater than this size, then the client receives the HTTP + # error code 413. Set to 0 to disable. Default is '1m'. + client_max_body_size 0; + + # Sendfile copies data between one FD and other from within the kernel, + # which is more efficient than read() + write(). Default is off. 
+ sendfile on; + + # Causes nginx to attempt to send its HTTP response head in one packet, + # instead of using partial frames. Default is 'off'. + tcp_nopush on; + + # all ssl related config moved to ssl.conf + include /config/nginx/ssl.conf; + + # Enable gzipping of responses. + #gzip on; + + # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'. + gzip_vary on; + + ## + # Anonymize the IP Address + ## + + map $remote_addr $remote_addr_anon { + ~(?P\d+\.\d+)\.\d+\. $ip.0.0; + ~(?P[^:]+:[^:]+): $ip::; + + # IP addresses to not anonymize (such as your server) + 127.0.0.1 $remote_addr; + ::1 $remote_addr; + 89.147.110.112 $remote_addr; + default 0.0.0.0; + } + # add $http_x_forwarded_for section if needed. + + ## + # Tag the Access as Normal or Record IP (Specified Error codes) + ## + + map $status $normal_access { + 400 0; + 401 0; + 403 0; + #404 0; + 405 0; + 406 0; + 410 0; + default 1; + } + + map $status $record_full_ip { + 400 1; + 401 1; + 403 1; + #404 1; + 405 1; + 406 1; + 410 1; + default 0; + } + + ## + # Set the Logs + ## + + log_format anon_ip '$remote_addr_anon - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_x_forwarded_for_anon"'; + + log_format real_ip '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + ## + # Do the Actual Logging ( Can be set in Server section(s) ) + ## + + # Anonymized IP Access Logs + access_log /config/log/nginx/access.log anon_ip if=$normal_access; + + # Record real IP address on specified errors codes + access_log /config/log/nginx/access.log real_ip if=$record_full_ip; + + # NGINX Error Logs + error_log /config/log/nginx/error.log; + + # Helper variable for proxying websockets. + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + # Sets the path, format, and configuration for a buffered log write. 
+# access_log /config/log/nginx/access.log; + + # Includes virtual hosts configs. + include /etc/nginx/http.d/*.conf; + include /config/nginx/site-confs/*.conf; +} + +daemon off; +pid /run/nginx.pid; diff --git a/swag/nginx/proxy.conf b/swag/nginx/proxy.conf new file mode 100644 index 0000000..2662186 --- /dev/null +++ b/swag/nginx/proxy.conf @@ -0,0 +1,35 @@ +## Version 2022/09/01 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx/proxy.conf.sample + +# Timeout if the real server is dead +proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; + +# Proxy Connection Settings +proxy_buffers 32 4k; +proxy_connect_timeout 240; +proxy_headers_hash_bucket_size 128; +proxy_headers_hash_max_size 1024; +proxy_http_version 1.1; +proxy_read_timeout 240; +proxy_redirect http:// $scheme://; +proxy_send_timeout 240; + +# Proxy Cache and Cookie Settings +proxy_cache_bypass $cookie_session; +#proxy_cookie_path / "/; Secure"; # enable at your own risk, may break certain apps +proxy_no_cache $cookie_session; + +# Proxy Header Settings +proxy_set_header Connection $connection_upgrade; +proxy_set_header Early-Data $ssl_early_data; +proxy_set_header Host $host; +proxy_set_header Proxy ""; +proxy_set_header Upgrade $http_upgrade; +proxy_set_header X-Forwarded-For 0.0.0.0; +proxy_set_header X-Forwarded-Host $host:$server_port; +proxy_set_header X-Forwarded-Method $request_method; +proxy_set_header X-Forwarded-Proto $scheme; +proxy_set_header X-Forwarded-Server $host; +proxy_set_header X-Forwarded-Ssl on; +proxy_set_header X-Forwarded-Uri $request_uri; +proxy_set_header X-Original-URL $scheme://$http_host$request_uri; +proxy_set_header X-Real-IP 0.0.0.0; diff --git a/swag/nginx/security-headers.conf b/swag/nginx/security-headers.conf new file mode 100644 index 0000000..f3877a6 --- /dev/null +++ b/swag/nginx/security-headers.conf 
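Review bot: `log_format anon_ip` ends with `"$http_x_forwarded_for_anon"`, but no `map` defines that variable; nginx resolves any `$http_*` name as a request header, so this log column is whatever a client chooses to send in an `X-Forwarded-For-Anon` header, a client-controlled string written straight into access.log. Either add the map that the comment `# add $http_x_forwarded_for section if needed.` alludes to, or drop the column. The anonymizing map patterns read `~(?P\d+\.\d+)\.\d+\.` and `~(?P[^:]+:[^:]+):`, with no group name between `(?P` and the pattern; that may be an artifact of this rendering, but if the file really lacks `<ip>` nginx will refuse to load it, so confirm against the file. Finally, `client_max_body_size 0;` at http level removes the upload limit for every vhost that does not set its own, and in this commit only matrix.conf and links.conf do.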
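Review bot: This file keeps the upstream SWAG `## Version 2022/09/01` banner but diverges from that sample (which forwards the real client address) by sending `X-Forwarded-For 0.0.0.0` and `X-Real-IP 0.0.0.0`, and the divergence is not marked, so the next routine sync with the SWAG sample will silently reintroduce client-address forwarding, or a reviewer will "fix" it back. Add `# LOCAL CHANGE: client addresses deliberately replaced with 0.0.0.0 (privacy); keep when syncing with the SWAG sample` above those two lines.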
@@ -0,0 +1,13 @@
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "no-referrer" always;
+add_header Cross-Origin-Opener-Policy "same-origin" always;
+add_header Origin-Agent-Cluster "?1" always;
+
+# obsolete and replaced with Content-Security-Policy frame-ancestors 'none'
+#add_header X-Frame-Options "DENY" always;
+
+# obsolete, unsafe and replaced with strong Content-Security-Policy
+add_header X-XSS-Protection "0" always;
+
+add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), sync-xhr=(), usb=(), xr-spatial-tracking=()" always;
\ No newline at end of file
diff --git a/swag/nginx/security-headers.csp.conf b/swag/nginx/security-headers.csp.conf
new file mode 100644
index 0000000..1bc0a2e
--- /dev/null
+++ b/swag/nginx/security-headers.csp.conf
@@ -0,0 +1,2 @@
+add_header Cross-Origin-Embedder-Policy "require-corp" always;
+add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'; require-trusted-types-for 'script'; trusted-types 'none'" always;
\ No newline at end of file
diff --git a/swag/nginx/site-confs/blog.conf b/swag/nginx/site-confs/blog.conf
new file mode 100644
index 0000000..b27408d
--- /dev/null
+++ b/swag/nginx/site-confs/blog.conf
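Review bot: The comment `# obsolete and replaced with Content-Security-Policy frame-ancestors 'none'` assumes that every file including this one also sets a CSP with frame-ancestors, but this file sets no CSP and register.conf includes it for `/register` and `/static` without adding one, so the registration page ends up with neither `X-Frame-Options` nor `frame-ancestors` and has no clickjacking protection at all. Either restore `add_header X-Frame-Options "DENY" always;` here as a baseline, or add `add_header Content-Security-Policy "frame-ancestors 'none'" always;` in register.conf. The companion security-headers.csp.conf, which does carry frame-ancestors, is not included by any site config visible in this commit.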
@@ -0,0 +1,13 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name blog.*; + + include /config/nginx/ssl.conf; + include /config/nginx/gzip.conf; + + location / { + root /config/www/blog.hackliberty.org; + } +} diff --git a/swag/nginx/site-confs/chat.conf b/swag/nginx/site-confs/chat.conf new file mode 100644 index 0000000..b31a17e --- /dev/null +++ b/swag/nginx/site-confs/chat.conf 
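Review bot: The blog server serves static files from `/config/www/blog.hackliberty.org` with neither `include /config/nginx/security-headers.conf` nor any `add_header`, unlike the homepage location in this commit, so blog responses carry no HSTS, nosniff or referrer policy unless ssl.conf (not shown here) adds them. Adding `include /config/nginx/security-headers.conf;` next to the gzip include, plus a CSP suited to the blog's markup, would bring it in line with the rest of the site.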
@@ -0,0 +1,27 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name chat.*; + + include /config/nginx/ssl.conf; + include /config/nginx/gzip.conf; + + location / { + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://hackliberty.org; font-src 'self'; img-src 'self' https://hackliberty.org blob: data:; manifest-src 'self'; media-src 'self' https://hackliberty.org; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 'self' blob:; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'"; + add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), usb=(), xr-spatial-tracking=()" always; + add_header Referrer-Policy "no-referrer" always; + add_header Cross-Origin-Opener-Policy "same-origin" always; + add_header Origin-Agent-Cluster "?1" always; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options SAMEORIGIN; + set $upstream_app chat; + set $upstream_port 80; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } +} diff --git a/swag/nginx/site-confs/cinny.conf b/swag/nginx/site-confs/cinny.conf new file mode 100644 index 0000000..6aa1c2e --- /dev/null +++ b/swag/nginx/site-confs/cinny.conf 
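Review bot: This location sets `add_header X-XSS-Protection "1; mode=block";` while security-headers.conf in the same commit sets `X-XSS-Protection "0"` with a comment calling the filter obsolete and unsafe; the two files contradict each other, and `1; mode=block` is the value that comment argues against. Suggest `add_header X-XSS-Protection "0" always;`, or drop the per-location header set and include security-headers.conf, keeping only the app-specific CSP here. The `Content-Security-Policy` and `X-Frame-Options` lines also lack `always`. element.conf repeats this whole block byte-for-byte and has the same issues, and links.conf uses `1; mode=block` too.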
@@ -0,0 +1,20 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name cinny.*; + + include /config/nginx/ssl.conf; + include /config/nginx/gzip.conf; + + add_header Content-Security-Policy "frame-ancestors 'none'"; + + location / { + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app cinny; + set $upstream_port 80; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } +} diff --git a/swag/nginx/site-confs/dimension.conf b/swag/nginx/site-confs/dimension.conf new file mode 100644 index 0000000..516a7db --- /dev/null +++ b/swag/nginx/site-confs/dimension.conf @@ -0,0 +1,17 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name dimension.*; + + include /config/nginx/ssl.conf; + + location / { + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app dimension; + set $upstream_port 8184; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } +} diff --git a/swag/nginx/site-confs/docs.conf b/swag/nginx/site-confs/docs.conf new file mode 100644 index 0000000..c834773 --- /dev/null +++ b/swag/nginx/site-confs/docs.conf @@ -0,0 +1,18 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name docs.*; + + include /config/nginx/ssl.conf; + include /config/nginx/gzip.conf; + + location / { + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app bookstack; + set $upstream_port 80; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } +} diff --git a/swag/nginx/site-confs/element.conf b/swag/nginx/site-confs/element.conf new file mode 100644 index 0000000..7e23b38 --- /dev/null +++ b/swag/nginx/site-confs/element.conf 
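Review bot: The server-level `add_header Content-Security-Policy "frame-ancestors 'none'";` is the only hardening header this vhost sets, and it lacks `always`, so error responses carry nothing. Suggest moving it into `location /` as `add_header Content-Security-Policy "frame-ancestors 'none'" always;` together with `include /config/nginx/security-headers.conf;`, keeping both at one level, because an `add_header` inside the location would otherwise drop the server-level one. dimension.conf and docs.conf on the same line set no headers at all; Dimension is meant to be framed by a client, so omitting frame-ancestors there is presumably deliberate, but docs.conf has no such reason.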
@@ -0,0 +1,27 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name element.*; + + include /config/nginx/ssl.conf; + include /config/nginx/gzip.conf; + + location / { + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; + add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://hackliberty.org; font-src 'self'; img-src 'self' https://hackliberty.org blob: data:; manifest-src 'self'; media-src 'self' https://hackliberty.org; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 'self' blob:; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'"; + add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), usb=(), xr-spatial-tracking=()" always; + add_header Referrer-Policy "no-referrer" always; + add_header Cross-Origin-Opener-Policy "same-origin" always; + add_header Origin-Agent-Cluster "?1" always; + add_header X-XSS-Protection "1; mode=block"; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options SAMEORIGIN; + set $upstream_app element; + set $upstream_port 80; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } +} diff --git a/swag/nginx/site-confs/gitea.conf b/swag/nginx/site-confs/gitea.conf new file mode 100644 index 0000000..b9f1b76 --- /dev/null +++ b/swag/nginx/site-confs/gitea.conf 
@@ -0,0 +1,20 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name git.*; + + include /config/nginx/ssl.conf; + + location / { + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + include /config/nginx/security-headers.conf; + add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; font-src * https: data:; img-src * https: data:; manifest-src * https: data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'"; + add_header Onion-Location http://vkp7367tcjpqdwwckigrdrvmwvispvbpg5rlsr2chjxvppfg7hipagyd.onion$request_uri; + set $upstream_app gitea; + set $upstream_port 3333; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } +} diff --git a/swag/nginx/site-confs/grafana.conf b/swag/nginx/site-confs/grafana.conf new file mode 100644 index 0000000..71e4278 --- /dev/null +++ b/swag/nginx/site-confs/grafana.conf @@ -0,0 +1,18 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name grafana.*; + + include /config/nginx/ssl.conf; + include /config/nginx/gzip.conf; + + location / { + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app grafana; + set $upstream_port 3000; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } +} diff --git a/swag/nginx/site-confs/links.conf b/swag/nginx/site-confs/links.conf new file mode 100644 index 0000000..7d8252c --- /dev/null +++ b/swag/nginx/site-confs/links.conf 
@@ -0,0 +1,122 @@ +# nginx example config +# replace {{yourdomain}} and review the certbot/letsencrypt config + +limit_req_zone $binary_remote_addr zone=links.hackliberty.org_ratelimit:10m rate=1r/s; + +upstream lemmy { + # this needs to map to the lemmy (server) docker service hostname + server "lemmy:8536"; +} +upstream lemmy-ui { + # this needs to map to the lemmy-ui docker service hostname + server "lemmy-ui:1234"; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name links.hackliberty.org; + + ssl_certificate /config/keys/cert.crt; + ssl_certificate_key /config/keys/cert.key; + + # Various TLS hardening settings + # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + ssl_session_timeout 10m; + ssl_session_cache shared:SSL:10m; + ssl_session_tickets on; + ssl_stapling on; + ssl_stapling_verify on; + + # Hide nginx version + server_tokens off; + + # Enable compression for JS/CSS/HTML bundle, for improved client load times. + # It might be nice to compress JSON, but leaving that out to protect against potential + # compression+encryption information leak attacks like BREACH. 
+ gzip on; + gzip_types text/css application/javascript image/svg+xml; + gzip_vary on; + + # Only connect to this site via HTTPS for the two years + add_header Strict-Transport-Security "max-age=63072000"; + + # Various content security headers + add_header Referrer-Policy "same-origin"; + add_header X-Content-Type-Options "nosniff"; + add_header X-Frame-Options "DENY"; + add_header X-XSS-Protection "1; mode=block"; + + # Upload limit for pictrs + client_max_body_size 20M; + + # frontend + location / { + # distinguish between ui requests and backend + # don't change lemmy-ui or lemmy here, they refer to the upstream definitions on top + set $proxpass "http://lemmy-ui"; + + if ($http_accept = "application/activity+json") { + set $proxpass "http://lemmy"; + } + if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") { + set $proxpass "http://lemmy"; + } + if ($request_method = POST) { + set $proxpass "http://lemmy"; + } + proxy_pass $proxpass; + + rewrite ^(.+)/+$ $1 permanent; + + # Send actual client IP upstream + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + # backend + location ~ ^/(api|feeds|nodeinfo|.well-known) { + proxy_pass "http://lemmy"; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # Rate limit + limit_req zone=links.hackliberty.org_ratelimit burst=30 nodelay; + + # Add IP forwarding headers + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + # pictrs only - for adding browser cache control. 
+ location ~ ^/(pictrs) { + # allow browser cache, images never update, we can apply long term cache + expires 120d; + add_header Pragma "public"; + add_header Cache-Control "public"; + + proxy_pass "http://lemmy"; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + + # Rate limit + limit_req zone=links.hackliberty.org_ratelimit burst=30 nodelay; + + # Add IP forwarding headers + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + # Redirect pictshare images to pictrs + location ~ /pictshare/(.*)$ { + return 301 /pictrs/image/$1; + } +} diff --git a/swag/nginx/site-confs/matrix.conf b/swag/nginx/site-confs/matrix.conf new file mode 100644 index 0000000..48429b9 --- /dev/null +++ b/swag/nginx/site-confs/matrix.conf 
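Review bot: The `location ~ ^/(pictrs)` block adds its own `add_header Pragma`/`Cache-Control`, and an `add_header` at location level replaces every header inherited from the server level, so responses for user-uploaded images lose the `X-Content-Type-Options "nosniff"`, `X-Frame-Options`, HSTS and referrer headers the server block sets, exactly the responses where nosniff matters most. Repeat the security headers inside that location, or move them into an include that each location pulls in. Separately, `ssl_certificate /config/keys/cert.crt` appears to be SWAG's self-signed default certificate path rather than the `include /config/nginx/ssl.conf` the other vhosts use, so links.* likely serves a self-signed certificate unless that file was replaced; `ssl_session_tickets on` also differs from the `off` chosen in ots.conf, and the `X-XSS-Protection "1; mode=block"` header contradicts the `"0"` in security-headers.conf.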
@@ -0,0 +1,102 @@ + server { + listen 80 default_server; + listen [::]:80 default_server; + server_name hackliberty.org paste.* ots.* element.* git.* chat.*; + + location / { + return 307 https://$host$request_uri; + } +} + #Workers + include /config/nginx/include.d/upstream_workers.conf; + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + listen 8448 ssl http2 default_server; + listen [::]:8448 ssl http2 default_server; + + server_name hackliberty.org www.*; + + include /config/nginx/ssl.conf; + client_max_body_size 1024M; + + # Well-Known + location /.well-known/matrix/server { + default_type application/json; + add_header Access-Control-Allow-Origin *; + return 200 '{"m.server": "hackliberty.org:443"}'; + } + + location /.well-known/matrix/client { + default_type application/json; + add_header Access-Control-Allow-Origin *; + + } + + #Home Page + include /config/nginx/include.d/homepage.conf; + + # Mjolnir Reports + include /config/nginx/include.d/mjolnir-reports.conf; + + # Maubot + include /config/nginx/include.d/maubot.conf; + + # Federation_Worker + include /config/nginx/include.d/federation_worker.conf; + + # Encryption_Worker + include /config/nginx/include.d/encryption_worker.conf; + + # Client_Worker + include /config/nginx/include.d/client_worker.conf; + + # Register + include /config/nginx/include.d/register.conf; + + # Additional1_Worker | Typing Device Account + #include /config/nginx/include.d/additional1_worker.conf; + + # Additional2_Worker | Reciept + #include /config/nginx/include.d/additional2_worker.conf; + + # Event_worker + #include /config/nginx/include.d/event_worker.conf; + + # Extra Workers + #include /config/nginx/include.d/extra_worker.conf; + + # Media Repo + #include /config/nginx/include.d/media-repo.conf; + + # /synapse/admin + #include /config/nginx/include.d/synapse-admin.conf; + + # Sync_Worker + #include /config/nginx/include.d/sync_worker.conf; + + location ~ ^(/_matrix.*) { + include /config/nginx/proxy.conf; 
+ include /config/nginx/resolver.conf; + include /config/nginx/include.d/synapse-proxy.conf; + set $upstream_app synapse; + set $upstream_port 8008; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } +} + +server { + listen 8899; + server_name kj3wvs3wyfhm3uhhuqxlrhhcp6dneuau4mmvptlor27ghmrqx63fqnid.onion; + location ~ ^/.*$ { + root /config/www/hackliberty.org; + include /config/nginx/gzip.conf; + include /config/nginx/security-headers.conf; + # Add Onion-Location Header + add_header Onion-Location http://kj3wvs3wyfhm3uhhuqxlrhhcp6dneuau4mmvptlor27ghmrqx63fqnid.onion$request_uri; + add_header Content-Security-Policy "default-src 'none'; frame-src https://trocador.app/; connect-src 'self'; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'; require-trusted-types-for 'script'; trusted-types 'none'"; + } +} diff --git a/swag/nginx/site-confs/maubot.conf b/swag/nginx/site-confs/maubot.conf new file mode 100644 index 0000000..850c88c --- /dev/null +++ b/swag/nginx/site-confs/maubot.conf @@ -0,0 +1,17 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name maubot.*; + + include /config/nginx/ssl.conf; + + location / { + include /config/nginx/proxy.conf; + include /config/nginx/resolver.conf; + set $upstream_app maubot; + set $upstream_port 29316; + set $upstream_proto http; + proxy_pass $upstream_proto://$upstream_app:$upstream_port; + } +} diff --git a/swag/nginx/site-confs/ots.conf b/swag/nginx/site-confs/ots.conf new file mode 100644 index 0000000..5a06b32 --- /dev/null +++ b/swag/nginx/site-confs/ots.conf 
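Review bot: `location /.well-known/matrix/client` sets `default_type` and a CORS header but has no `return`, so the request falls through to a static file lookup under a `root` this server block never sets and answers 404; clients doing server discovery for hackliberty.org get nothing, while the neighbouring `/.well-known/matrix/server` location does return a body. A line was presumably lost; the expected shape is `return 200 '{"m.homeserver": {"base_url": "https://hackliberty.org"}}';` (constructed from the server_name, check the base URL against the deployment). Two smaller points: the port-8448 federation listeners share this server block, so the homepage, `/register` and `/_matrix/maubot` are also reachable on 8448; and the onion server on port 8899 includes security-headers.conf (HSTS over plain HTTP is ignored by browsers) and sends an `Onion-Location` header pointing at itself, so that block could reuse the homepage include with those two headers dropped.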
@@ -0,0 +1,48 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name ots.*;
+
+ ssl_certificate /config/keys/cert.crt;
+ ssl_certificate_key /config/keys/cert.key;
+ ssl_session_timeout 10m;
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ ssl_session_tickets off;
+
+ # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ ssl_dhparam /config/nginx/dhparam4096.pem;
+
+ # intermediate configuration
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_conf_command Options PrioritizeChaCha;
+ ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
+ ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_ecdh_curve X25519:X448:secp521r1:secp384r1;
+
+ # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+ add_header Strict-Transport-Security "max-age=63072000" always;
+
+ # OCSP stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /config/keys/cert.crt;
+
+ # Optional additional headers
+ add_header Permissions-Policy "interest-cohort=()";
+
+ # Add Onion-Location Header
+ add_header Onion-Location http://5bi7xhmcmji4gfuok5z4j4bgmif2cryuf6was6c7275i3wwfvoolbryd.onion$request_uri;
+
+ location / {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app ots;
+ set $upstream_port 3000;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+}
diff --git a/swag/nginx/site-confs/paste.conf b/swag/nginx/site-confs/paste.conf
new file mode 100644
index 0000000..1c234db
--- /dev/null
+++ b/swag/nginx/site-confs/paste.conf
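Review bot: This server inlines its own copy of the TLS settings instead of `include /config/nginx/ssl.conf;` as maubot.conf, paste.conf and prometheus.conf do, and the copy already diverges from it: `ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;` pins TLS 1.3 to a single suite (dropping the mandatory-to-implement TLS_AES_128_GCM_SHA256, so a client that offers only AES-GCM for TLS 1.3 is pushed down to TLS 1.2), the TLS 1.2 list is narrower, `ssl_ecdh_curve` is set only here, and the HSTS value lacks the `includeSubDomains` that ssl.conf sends. Unless the stricter policy is deliberate for this host, replacing the stretch from `ssl_certificate` through `ssl_trusted_certificate` with `include /config/nginx/ssl.conf;` leaves one TLS policy to maintain and keeps only the host-specific `Onion-Location` and `Permissions-Policy` headers here. If it is deliberate, a comment stating why (`# stricter TLS policy than ssl.conf on purpose: <reason>`) is needed, and the `# intermediate configuration` comment should go, since this cipher set is not the Mozilla intermediate profile.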
@@ -0,0 +1,18 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name paste.*;
+ include /config/nginx/ssl.conf;
+
+ location / {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ add_header Onion-Location http://z2hx4persafjkxw3u23dly24tzzynvkzrp5r3zbh6jrjvd7c7qjsgvyd.onion$request_uri;
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ set $upstream_app privatebin;
+ set $upstream_port 8080;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+}
diff --git a/swag/nginx/site-confs/prometheus.conf b/swag/nginx/site-confs/prometheus.conf
new file mode 100644
index 0000000..ee4e99c
--- /dev/null
+++ b/swag/nginx/site-confs/prometheus.conf
@@ -0,0 +1,17 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name prometheus.*;
+
+ include /config/nginx/ssl.conf;
+
+ location / {
+ include /config/nginx/proxy.conf;
+ include /config/nginx/resolver.conf;
+ set $upstream_app prometheus;
+ set $upstream_port 9090;
+ set $upstream_proto http;
+ proxy_pass $upstream_proto://$upstream_app:$upstream_port;
+ }
+}
diff --git a/swag/nginx/ssl.conf b/swag/nginx/ssl.conf
new file mode 100644
index 0000000..473407f
--- /dev/null
+++ b/swag/nginx/ssl.conf
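Review bot: The `add_header Strict-Transport-Security` inside `location /` is the correct workaround for nginx discarding the inherited server-level headers once the location adds `Onion-Location`, but nothing records that, and its value differs from ssl.conf: it adds `preload`, which none of the other hosts send and which is only meaningful for a preload-list submission of the registrable domain, not of `paste.*`. Either drop `preload` so the value matches ssl.conf's `"max-age=63072000; includeSubDomains"` or add it there as well, so every host advertises one HSTS policy. Annotate the re-declaration with `# re-declared: the Onion-Location add_header above hides the server-level HSTS from ssl.conf` so it is not removed as a duplicate later.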
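Review bot: This publishes the Prometheus UI and query API on `prometheus.*` with no access control at the proxy, and Prometheus does not authenticate requests on its own unless a web config file is set up, so anyone who can reach the host can read every scraped metric for the whole stack. Unless access is restricted somewhere outside this chunk, the `location /` should be gated before `proxy_pass` — `auth_basic` with an `auth_basic_user_file`, or `allow`/`deny` limited to a trusted range, or whatever mechanism the other administrative hosts here use. A one-line comment recording the chosen control (`# admin-only: protected by <mechanism>`) would document the intent for the next reader.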
@@ -0,0 +1,30 @@
+## Version 2022/08/20 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
+
+### Mozilla Recommendations
+# generated 2022-08-05, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+
+ssl_certificate /config/keys/cert.crt;
+ssl_certificate_key /config/keys/cert.key;
+ssl_session_timeout 10m;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl_dhparam /config/nginx/dhparam4096.pem;
+
+# intermediate configuration
+ssl_prefer_server_ciphers on;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_conf_command Options PrioritizeChaCha;
+ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+
+# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+ssl_trusted_certificate /config/keys/cert.crt;
\ No newline at end of file
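Review bot: The header still says this is the generated Mozilla intermediate configuration, but the `ssl_ciphers` line has been hand-edited: the AES-128-GCM suites are gone, `ECDHE-RSA-AES256-SHA384` (a CBC suite outside the intermediate profile) has been appended, `ssl_prefer_server_ciphers on` is not what that profile emits, and the TLS 1.3 names `TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384` sit in a list that OpenSSL applies only to TLS 1.2 and below, so they have no effect — TLS 1.3 suites are set with `ssl_conf_command Ciphersuites ...`, as ots.conf does. Either restore the generated list or replace the `# intermediate configuration` comment with one stating the deliberate deviations, e.g. `# modified from the Mozilla intermediate list: AES-128 removed, AES256-SHA384 (CBC) kept for legacy clients; TLS 1.3 suites cannot be set here`. The `ssl_trusted_certificate /config/keys/cert.crt;` line only satisfies `ssl_stapling_verify on` if that file carries the full chain rather than the leaf alone — presumably true for this image, but the comment above it should say so rather than refer to separate root and intermediate files.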