Been getting config files downloaded

2026-02-23 22:01:38 +01:00
parent 56591b2c53
commit 359bd210ff
9021 changed files with 4554 additions and 118044 deletions
@@ -0,0 +1,181 @@
+# Global options
+{
+  email info@data-pro.nu
+  # Optional: acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
+}
+
+# Common security headers
+(nextcloud_security_headers) {
+  header {
+    # HTTPS only: instruct browser to only access via HTTPS for 180+ days
+    Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
+
+    # Prevent MIME-type sniffing
+    X-Content-Type-Options "nosniff"
+
+    # Disallow embedding in iframes (Clickjacking)
+    X-Frame-Options "SAMEORIGIN"
+
+    # Search engine no-index
+    X-Robots-Tag "noindex, nofollow"
+
+    # Cross-domain policy restrictions
+    X-Permitted-Cross-Domain-Policies "none"
+
+    # Basic XSS protection (legacy)
+    X-XSS-Protection "1; mode=block"
+
+    # No referrer leakage
+    Referrer-Policy "no-referrer"
+  }
+}
+
+# KEYCLOAK
+
+keycloak.data-pro.nu {
+  import nextcloud_security_headers
+
+  reverse_proxy keycloak:8080
+
+  log {
+    output file /var/log/caddy/keycloak-access.log {
+      roll_size 10mb
+      roll_keep 5
+      roll_keep_for 720h
+    }
+    format json
+  }
+
+  tls caddy@data-pro.nu
+}
+
+
+# NEXTCLOUD
+Nextcloud.data-pro.nu {
+  import nextcloud_security_headers
+
+  # Enable compression
+  encode zstd gzip
+
+  # Permanent redirects for CalDAV/CardDAV discovery
+  redir /.well-known/carddav /remote.php/dav 301
+  redir /.well-known/caldav /remote.php/dav 301
+
+  # WebSocket for Janus subpath (optional)
+  handle_path /janus* {
+    reverse_proxy janus:8088
+  }
+
+  handle /ws {
+    reverse_proxy janus:8188 {
+      header_up Host {host}
+      header_up Connection upgrade
+      header_up Upgrade {header.Upgrade}
+    }
+  }
+
+  # Main Nextcloud reverse proxy
+  reverse_proxy nextcloud:80
+
+  # Access logging
+  log {
+    output file /var/log/caddy/access.log {
+      roll_size 10mb
+      roll_keep 5
+      roll_keep_for 720h
+    }
+    format json
+  }
+}
+
+# GITLAB
+gitlab.data-pro.nu {
+    reverse_proxy gitlab:443 {
+        transport http {
+            tls_insecure_skip_verify
+        }
+    }
+}
+
+# SIGNALING (JANUS WS fallback)
+signaling.data-pro.nu {
+  encode gzip
+  reverse_proxy localhost:8090
+  tls info@data-pro.nu
+
+  handle_path /janus* {
+    reverse_proxy janus:8088
+  }
+
+  handle_path /ws {
+    reverse_proxy janus:8188 {
+      header_up Host {host}
+      header_up Connection "upgrade"
+      header_up Upgrade {header.Upgrade}
+    }
+  }
+
+  handle {
+    reverse_proxy signaling:8090
+  }
+
+  log {
+    output file /var/log/caddy/signaling-access.log
+    format console
+  }
+}
+
+
+# COLLABORA
+collabora.data-pro.nu {
+    reverse_proxy collabora:9980
+    encode gzip
+    tls caddy@data-pro.nu
+}
+
+
+# JANUS DIRECT
+janus.data-pro.nu {
+  reverse_proxy janus:8188
+  encode gzip
+}
+
+turn.data-pro.nu {
+  tls {
+    on_demand
+  }
+  respond "TURN server is running on UDP 3478 and TLS 5349" 200
+}
+
+# GITEA
+gitea.data-pro.nu {
+
+  # Optional but recommended: same security header set you use elsewhere
+  import nextcloud_security_headers
+
+  encode zstd gzip
+
+  reverse_proxy gitea:3000
+
+  log {
+    output file /var/log/caddy/gitea-access.log {
+      roll_size 10mb
+      roll_keep 5
+      roll_keep_for 720h
+    }
+    format json
+  }
+
+  tls caddy@data-pro.nu
+}
+
+# n8n
+n8n.data-pro.nu {
+  # (Optional but nice) reuse your common security headers snippet
+  import nextcloud_security_headers
+
+  # (Optional) gzip/zstd
+  encode zstd gzip
+
+  reverse_proxy n8n:5678
+}