mirror of
https://git.sr.ht/~magic_rb/dotfiles
synced 2024-11-30 12:06:13 +01:00
c09fea6f75
Signed-off-by: Magic_RB <magic_rb@redalder.org>
277 lines
5.4 KiB
Plaintext
277 lines
5.4 KiB
Plaintext
upstream jellyfin {
|
|
server {{ env "NOMAD_UPSTREAM_ADDR_jellyfin" }};
|
|
}
|
|
|
|
upstream zigbee2mqtt {
|
|
server {{ env "NOMAD_UPSTREAM_ADDR_zigbee2mqtt" }};
|
|
}
|
|
|
|
upstream home-assistant {
|
|
server {{ env "NOMAD_UPSTREAM_ADDR_home-assistant" }};
|
|
}
|
|
|
|
upstream syncthing {
|
|
server {{ env "NOMAD_UPSTREAM_ADDR_syncthing" }};
|
|
}
|
|
|
|
upstream influx {
|
|
server {{ env "NOMAD_UPSTREAM_ADDR_influx" }};
|
|
}
|
|
|
|
upstream grafana {
|
|
server {{ env "NOMAD_UPSTREAM_ADDR_grafana" }};
|
|
}
|
|
|
|
upstream mainsail {
|
|
server {{ env "NOMAD_UPSTREAM_ADDR_mainsail" }};
|
|
}
|
|
|
|
upstream matrix-synapse {
|
|
server {{ env "NOMAD_UPSTREAM_ADDR_matrix_synapse" }};
|
|
}
|
|
|
|
upstream matrix-mautrix-facebook {
|
|
server {{ env "NOMAD_UPSTREAM_ADDR_matrix-mautrix-facebook" }};
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
|
|
server_name jellyfin.in.redalder.org;
|
|
|
|
include /local/security.conf;
|
|
|
|
client_max_body_size 100M;
|
|
|
|
location / {
|
|
# Proxy main Jellyfin traffic
|
|
|
|
# The / at the end is significant.
|
|
# https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/
|
|
|
|
proxy_pass http://jellyfin/;
|
|
|
|
proxy_pass_request_headers on;
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Host $http_host;
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $http_connection;
|
|
|
|
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
|
|
proxy_buffering off;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
|
|
server_name syncthing.in.redalder.org;
|
|
|
|
include /local/security.conf;
|
|
|
|
location / {
|
|
include /local/headers.conf;
|
|
|
|
proxy_pass http://syncthing/;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
|
|
server_name hass.in.redalder.org;
|
|
|
|
include /local/security.conf;
|
|
|
|
location / {
|
|
include /local/headers.conf;
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
proxy_pass http://home-assistant/;
|
|
|
|
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
|
|
proxy_buffering off;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
|
|
server_name zigbee2mqtt.in.redalder.org;
|
|
|
|
include /local/security.conf;
|
|
|
|
location / {
|
|
include /local/headers.conf;
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
proxy_pass http://zigbee2mqtt/;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
|
|
server_name grafana.in.redalder.org;
|
|
|
|
# Grafana really doesn't like that CSP policy
|
|
# include /local/security.conf;
|
|
|
|
location / {
|
|
include /local/headers.conf;
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
proxy_pass http://grafana/;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
|
|
server_name influx.in.redalder.org;
|
|
|
|
# Influx doesn't like it either
|
|
# include /local/security.conf;
|
|
|
|
location / {
|
|
include /local/headers.conf;
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
proxy_pass http://influx/;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
|
|
server_name mainsail.in.redalder.org;
|
|
|
|
# Influx doesn't like it either
|
|
include /local/security.conf;
|
|
|
|
location / {
|
|
include /local/headers.conf;
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
proxy_pass http://mainsail/;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
|
|
server_name matrix.in.redalder.org;
|
|
|
|
location ~ ^/_synapse/admin {
|
|
# note: do not add a path (even a single /) after the port in `proxy_pass`,
|
|
# otherwise nginx will canonicalise the URI and cause signature verification
|
|
# errors.
|
|
proxy_pass http://matrix-synapse;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Host $host;
|
|
|
|
# Nginx by default only allows file uploads up to 1M in size
|
|
# Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
|
|
client_max_body_size 50M;
|
|
|
|
# Synapse responses may be chunked, which is an HTTP/1.1 feature.
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location /mufb/ {
|
|
proxy_pass http://matrix-mautrix-facebook$request_uri;
|
|
proxy_set_header Host $http_host;
|
|
proxy_buffering off;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
|
|
server_name nomad.in.redalder.org;
|
|
|
|
location / {
|
|
proxy_pass http://blowhole.hosts.in.redalder.org:4646;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_http_version 1.1;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
|
|
server_name consul.in.redalder.org;
|
|
|
|
location / {
|
|
proxy_pass http://blowhole.hosts.in.redalder.org:8500;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_http_version 1.1;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
|
|
server_name vault.in.redalder.org;
|
|
|
|
location / {
|
|
proxy_pass http://blowhole.hosts.in.redalder.org:8200;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_http_version 1.1;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
|
|
server_name _;
|
|
include /local/security.conf;
|
|
|
|
location / {
|
|
return 404;
|
|
}
|
|
}
|
|
|
|
# server {
|
|
# listen 443;
|
|
|
|
# server_name _;
|
|
|
|
# include /local/security.conf;
|
|
|
|
# location / {
|
|
# return 404;
|
|
# }
|
|
# }
|