set specific conf files as secrets

2020-10-26 10:43:32 -07:00 · 2020-10-26 10:43:32 -07:00 · 5e7c0e94a0
parent 69e4d51c2a
commit 5e7c0e94a0
18 changed files with 11 additions and 909 deletions
--- a/.bash_history.secret
+++ b/.bash_history.secret
--- a/.gitignore
+++ b/.gitignore
@ -7,3 +7,7 @@ env/AWS
 env/aws.sh
 .bash_history
 /caddy
 conf/238lights.conf
 conf/645lights.conf
 conf/trantor.conf
 conf/nadal.conf
--- a/.gitsecret/paths/mapping.cfg
+++ b/.gitsecret/paths/mapping.cfg
@ -1,3 +1,7 @@
 env/AWS:02b947b25fe0dc38bbfba5fc66ead3d5b9b4f8d9000ccd9e4661a9ef81167ec5
 env/aws.sh:3ecd809bd40066028fe08307be8de28c4ffe4f65b2d4041e9b69f6e00172b688
-.bash_history
+.bash_history:a33f4bf632fecde92b533ce06c80e71afeb8ffd242ee0f6cdc9cac73a5114348
 conf/238lights.conf:f7ac34b98b3beb05fd90a462aa3c80b957dec0476ece0e742ca8ba1fd6edfec1
 conf/645lights.conf:e37404eb092cb174edabc80f4a52e8deb04db6e86597ece99aa26dfc2a5d87ff
 conf/trantor.conf:7e3bffc96f071aa70ed554f16a5e53ec4b5fc3a81c51d5e53754c6dadbca00f5
 conf/nadal.conf:de7deabe33ffc65ca7a9e92fce59190f96bed294098830adae8203bf7f5a4d45
--- a/conf/238lights.conf
+++ b/conf/238lights.conf
@ -1,32 +0,0 @@
 #!/bin/bash
 (r53) {
  tls {
      dns route53 {
        max_retries 10
      }
  }
 }
 (errors) {
 handle_errors {
  	rewrite * /{http.error.status_code}.html
  	file_server
  }
 }
 # Dev Lights Frontend Server
 https://dev.lights.kebler.net https://dev.lights.238.kebler.net  {
    import r53
    reverse_proxy http://lights.net:8080
    }
 https://lights.kebler.net https://lights.238.kebler.net {
    import r53
    root * /opt/lights/web
    handle /socket.io/* {
        reverse_proxy http://lights.net:3030
    }
    handle {
        try_files {path} {path}/ /index.html
        file_server
    }
 }
--- a/conf/238lights.conf.secret
+++ b/conf/238lights.conf.secret
--- a/conf/645lights.conf
+++ b/conf/645lights.conf
@ -1,32 +0,0 @@
 #!/bin/bash
 (r53) {
  tls {
      dns route53 {
        max_retries 10
      }
  }
 }
 (errors) {
 handle_errors {
  	rewrite * /{http.error.status_code}.html
  	file_server
  }
 }
 # Dev Lights Frontend Server
 https://dev.lights.kebler.net https://dev.lights.645.kebler.net  {
    import r53
    reverse_proxy http://lights.net:8080
    }
 https://lights.kebler.net https://lights.645.kebler.net {
    import r53
    root * /opt/lights/web
    handle /socket.io/* {
        reverse_proxy http://lights.net:3030
    }
    handle {
        try_files {path} {path}/ /index.html
        file_server
    }
 }
--- a/conf/645lights.conf.secret
+++ b/conf/645lights.conf.secret
--- a/conf/caddy1.conf
+++ b/conf/caddy1.conf
@ -1,366 +0,0 @@
 ##!/bin/bashit
 # KEBLER.NET WEB AND REVERSE PROXY SERVER RUNNING ON 238 NAS BOX
 # 238  238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238
 # TODO
 # change proxy to redirect for crontab-ui as it doesn't work as a proxy, add authorization
 # COMMON DIRECTIVES (add by using import)
 # Wildcard cert add to all
 (wildcard_cert) {
   tls /mnt/238/nas/opt/tls-certs/wc.kebler.net.crt /mnt/238/nas/opt/tls-certs/wc.kebler.net.key  {
        wildcard
    }
 }
 # inject in all pages a <base href='url'>
 (baseurl-gateway) {
    filter rule {
       content_type text/html.*
       search_pattern <head>
       replacement "<head><base href='https://{request_host}/238/gateway/'>"
    }
 }
 # inject in all pages a <base href='url'>
 (baseurl-nas) {
    filter rule {
       content_type text/html.*
       search_pattern <head>
       replacement "<head><base href='https://{request_host}/238/nas/'>"
    }
 }
 # Only allow lan users access
 (lan-only) {
    ipfilter / {
       rule allow
       ip 10.0.0.0/24
    }
 }
 # Only allow US users access
 (US-only) {
    ipfilter / {
    	rule allow
      ip 10.0.0.0/24
    	database /opt/caddy/GeoLite2-Country.mmdb
    	country US
    }
 }
 # Only allow US users access
 (admin-login) {
  basicauth "sysadmin" ccbigsismyfriend {
  realm "kebler-admin"
  /
 }
 }
 #send logs to alternative location
 (logs) {
  log /opt/caddy/logs/log
 #  errors /opt/caddy/logs/errors
 }
 #send to stdout instead of logs
 (logout) {
  log stdout
  errors stdout
 }
 ## End Snippets ##############################
 ################ REDIRECT ########################
 # Main http/https redirect for anything arriving on port 80/http
 *.kebler.net:80 {
   import logs
   redir https://{label1}.kebler.net{uri}
 }
 # Git Server
 https://git238.kebler.net {
         import wildcard_cert
         import US-only
         proxy / http://nas.kebler.net:3000
         }
 # Home Assistant Server
 https://ha.kebler.net https://ha238.kebler.net {
         import wildcard_cert
         import US-only
 #        import lan-only
         import logs
         proxy / hassio.kebler.net:8123 {
           websocket
           transparent
           }
         }
 # NodeRed Server
 https://nodered.kebler.net {
         import wildcard_cert
         import US-only
 #        import lan-only
         proxy / trantor.kebler.net:1880 {
           websocket
           transparent
           }
         }
 # portainer
 https://docker.kebler.net {
       import wildcard_cert
       import lan-only
       proxy / http://nas.kebler.net:9000
       }
 ##################### TRANTOR ######################
 # portainer on trantor
 https://docker-trantor.kebler.net {
       import wildcard_cert
       import lan-only
       proxy / http://trantor.kebler.net:9000
       }
 # discourse for nick and david
 https://geeks.kebler.net {
   import wildcard_cert
    proxy / http://trantor.kebler.net:9292 {
         transparent
         }
       }
 # mqtt broker setup interface
 #https://broker-ui.kebler.net {
 #  import wildcard_cert
 #   import lan-only
 #   proxy / http://nas.kebler.net:18083 {
 #    }
 #   }
 https://social.kebler.net {
      import wildcard_cert
 #    rewrite {
 #    if {path} is /
 #    to /proxy{path}
 #    }
 #   rewrite {
 #        if {path} not_has /graphql
 #       to {path} /proxy{path}
 #   }
   proxy / 10.0.0.115:3000 {
    }
   proxy /graphql 10.0.0.115:4000 {
   websocket
   transparent
   }
 }
 https://npm.kebler.net {
       import wildcard_cert
       proxy / localhost:4873 {
        websocket
        transparent
        }
       }
 ##### status.kebler.net ###########
 https://status.kebler.net {
        import wildcard_cert
        import US-only
        import admin-login
        # route to phpfpm's status page here
        fastcgi /phpfpm /var/run/php/php7.2-fpm.sock {
        env SCRIPT_NAME /phpfpm
        }
        fastcgi / /var/run/php/php7.2-fpm.sock php
        root /mnt/data/webs/status/dist
        }
 # Router Status running on router
 https://status.kebler.net/238/gateway {
              import wildcard_cert
              import US-only
              import admin-login
              filter rule {
                content_type text/html.*
                search_pattern <head>
                replacement "<head><base href='https://{request_host}/238/gateway/'>"
                }
              proxy / http://router.kebler.net:19999
              }
 # NAS Status 238
 https://status.kebler.net/238/nas {
              import wildcard_cert
              import US-only
              import admin-login
              # add base tag to all pages
              filter rule {
                content_type text/html.*
                search_pattern <head>
                replacement "<head><base href='https://{request_host}/238/nas/'>"
                }
              proxy / http://nas.kebler.net:19999
              }
 # Systemd Cockpit Access
 https://system.kebler.net {
              import wildcard_cert
              import US-only
              # add base tag to all pages
              # filter rule {
              # content_type text/html.*
              #  search_pattern <head>
              # replacement "<head><base href='https://{request_host}/238/nas/'>"
              #  }
              proxy / http://localhost:9090 {
                insecure_skip_verify
                websocket
                transparent
                }
              }
 # local redirect to 645
 https://status.kebler.net/645/nas {
              import wildcard_cert
              import US-only
              proxy / http://645.kebler.net/nas/status
              }
 ################### LOCAL WEBS ############################
 https://download.kebler.net {
   import wildcard_cert
   log /mnt/data/downloads/private/download-log
   basicauth "elf" ccbigs {
   realm "Protected Downloads"
   /private
   }
   basicauth "download" espressobin {
   /espressobin-router/espressobin-router-ubuntu-18.04.tar.gz
   }
   root /mnt/data/downloads
   browse /
 }
 https://lights.kebler.net {
        import wildcard_cert
        root /mnt/data/webs/lights-frontend
        proxy /socket.io http://10.0.0.115:3031 {
          websocket
          transparent
          }
        }
 https://wedding.kebler.net {
        import wildcard_cert
        root /mnt/data/cloud-user-files/david/files/wedding
        index wedding.html
        }
 https://admin.kebler.net {
        import wildcard_cert
        import lan-only
        root /mnt/data/webs/admin
        }
 https://phpmyadmin.kebler.net {
        import wildcard_cert
        fastcgi / /var/run/php/php7.2-fpm.sock php
        root /mnt/data/webs/phpmyadmin
        }
 https://smnordic.org {
        fastcgi / /var/run/php/php7.2-fpm.sock php
        root /mnt/data/webs/smnordic
    rewrite / {
        if {path} not_match ^\/wp-admin
        to {path} {path}/ /index.php?_url={uri}
    }
        }
 https://nextcloud.kebler.net https://cloud.kebler.net {
        # import logs
        import US-only
        tls d@kebler.net
        fastcgi / /var/run/php/php7.2-fpm.sock php
        root /mnt/data/webs/nextcloud
        # log    /var/log/nextcloud_access.log
        # errors /var/log/nextcloud_errors.log
        # checks for images
            rewrite {
                ext .svg .gif .png .html .ttf .woff .ico .jpg .jpeg
            r ^/index.php/(.+)$
            to /{1} /index.php?{1}
            }
            rewrite {
                r ^/index.php/.*$
                to /index.php?{query}
            }
        # client support (e.g. os x calendar / contacts)
            redir /.well-known/carddav /remote.php/carddav 301
            redir /.well-known/caldav /remote.php/caldav 301
        # remove trailing / as it causes errors with php-fpm
            rewrite {
                r ^/remote.php/(webdav|caldav|carddav|dav)(\/?)$
                to /remote.php/{1}
            }
            rewrite {
                r ^/remote.php/(webdav|caldav|carddav|dav)/(.+?)(\/?)$
                to /remote.php/{1}/{2}
            }
            rewrite {
                r ^/public.php/(dav|webdav|caldav|carddav)(\/?)$
                to /public.php/{1}
            }
            rewrite {
                r ^/public.php/(dav|webdav|caldav|carddav)/(.+)(\/?)$
                to /public.php/{1}/{2}
            }
        # .htaccess / data / config / ... shouldn't be accessible from outside
            status 403 {
                /.htacces
                /data
                /config
                /db_structure
                /.xml
                /README
            }
            header / {
                Strict-Transport-Security "max-age=31536000;"
                Referrer-Policy "no-referrer"
            }
        }
--- a/conf/caddy1.conf.bak
+++ b/conf/caddy1.conf.bak
@ -1,366 +0,0 @@
 ##!/bin/bashit
 # KEBLER.NET WEB AND REVERSE PROXY SERVER RUNNING ON 238 NAS BOX
 # 238  238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238
 # TODO
 # change proxy to redirect for crontab-ui as it doesn't work as a proxy, add authorization
 # COMMON DIRECTIVES (add by using import)
 # Wildcard cert add to all
 (wildcard_cert) {
   tls /opt/tls-certs/wc.kebler.net.crt /opt/tls-certs/wc.kebler.net.key  {
        wildcard
    }
 }
 # inject in all pages a <base href='url'>
 (baseurl-gateway) {
    filter rule {
       content_type text/html.*
       search_pattern <head>
       replacement "<head><base href='https://{request_host}/238/gateway/'>"
    }
 }
 # inject in all pages a <base href='url'>
 (baseurl-nas) {
    filter rule {
       content_type text/html.*
       search_pattern <head>
       replacement "<head><base href='https://{request_host}/238/nas/'>"
    }
 }
 # Only allow lan users access
 (lan-only) {
    ipfilter / {
       rule allow
       ip 10.0.0.0/24
    }
 }
 # Only allow US users access
 (US-only) {
    ipfilter / {
    	rule allow
      ip 10.0.0.0/24
    	database /opt/caddy/GeoLite2-Country.mmdb
    	country US
    }
 }
 # Only allow US users access
 (admin-login) {
  basicauth "sysadmin" ccbigsismyfriend {
  realm "kebler-admin"
  /
 }
 }
 #send logs to alternative location
 (logs) {
  log /opt/caddy/logs/log
  errors /opt/caddy/logs/errors
 }
 #send to stdout instead of logs
 (logout) {
  log stdout
  errors stdout
 }
 ## End Snippets ##############################
 ################ REDIRECT ########################
 # Main http/https redirect for anything arriving on port 80/http
 *.kebler.net:80 {
   import logs
   redir https://{label1}.kebler.net{uri}
 }
 # Git Server
 https://git238.kebler.net {
         import wildcard_cert
         import US-only
         proxy / http://nas.kebler.net:3000
         }
 # Home Assistant Server
 https://ha.kebler.net https://ha238.kebler.net {
         import wildcard_cert
         import US-only
 #        import lan-only
         import logs
         proxy / hassio.kebler.net:8123 {
           websocket
           transparent
           }
         }
 # NodeRed Server
 https://nodered.kebler.net {
         import wildcard_cert
         import US-only
 #        import lan-only
         proxy / trantor.kebler.net:1880 {
           websocket
           transparent
           }
         }
 # portainer
 https://docker.kebler.net {
       import wildcard_cert
       import lan-only
       proxy / http://nas.kebler.net:9000
       }
 ##################### TRANTOR ######################
 # portainer on trantor
 https://docker-trantor.kebler.net {
       import wildcard_cert
       import lan-only
       proxy / http://trantor.kebler.net:9000
       }
 # discourse for nick and david
 https://geeks.kebler.net {
   import wildcard_cert
    proxy / http://trantor.kebler.net:9292 {
         transparent
         }
       }
 # mqtt broker setup interface
 #https://broker-ui.kebler.net {
 #  import wildcard_cert
 #   import lan-only
 #   proxy / http://nas.kebler.net:18083 {
 #    }
 #   }
 https://social.kebler.net {
      import wildcard_cert
 #    rewrite {
 #    if {path} is /
 #    to /proxy{path}
 #    }
 #   rewrite {
 #        if {path} not_has /graphql
 #       to {path} /proxy{path}
 #   }
   proxy / 10.0.0.115:3000 {
    }
   proxy /graphql 10.0.0.115:4000 {
   websocket
   transparent
   }
 }
 https://npm.kebler.net {
       import wildcard_cert
       proxy / localhost:4873 {
        websocket
        transparent
        }
       }
 ##### status.kebler.net ###########
 https://status.kebler.net {
        import wildcard_cert
        import US-only
        import admin-login
        # route to phpfpm's status page here
        fastcgi /phpfpm /var/run/php/php7.2-fpm.sock {
        env SCRIPT_NAME /phpfpm
        }
        fastcgi / /var/run/php/php7.2-fpm.sock php
        root /mnt/data/webs/status/dist
        }
 # Router Status running on router
 https://status.kebler.net/238/gateway {
              import wildcard_cert
              import US-only
              import admin-login
              filter rule {
                content_type text/html.*
                search_pattern <head>
                replacement "<head><base href='https://{request_host}/238/gateway/'>"
                }
              proxy / http://router.kebler.net:19999 
              }
 # NAS Status 238
 https://status.kebler.net/238/nas {
              import wildcard_cert
              import US-only
              import admin-login
              # add base tag to all pages
              filter rule {
                content_type text/html.*
                search_pattern <head>
                replacement "<head><base href='https://{request_host}/238/nas/'>"
                }
              proxy / http://nas.kebler.net:19999
              }
 # Systemd Cockpit Access
 https://system.kebler.net {
              import wildcard_cert
              import US-only
              # add base tag to all pages
              # filter rule {
              # content_type text/html.*
              #  search_pattern <head>
              # replacement "<head><base href='https://{request_host}/238/nas/'>"
              #  }
              proxy / http://localhost:9090 {
                insecure_skip_verify
                websocket
                transparent
                }
              }
 # local redirect to 645
 https://status.kebler.net/645/nas {
              import wildcard_cert
              import US-only
              proxy / http://645.kebler.net/nas/status
              }
 ################### LOCAL WEBS ############################
 https://download.kebler.net {
   import wildcard_cert
   log /mnt/data/downloads/private/download-log
   basicauth "elf" ccbigs {
   realm "Protected Downloads"
   /private
   }
   basicauth "download" espressobin {
   /espressobin-router/espressobin-router-ubuntu-18.04.tar.gz
   }
   root /mnt/data/downloads
   browse /
 }
 https://lights.kebler.net {
        import wildcard_cert
        root /mnt/data/webs/lights-frontend
        proxy /socket.io http://10.0.0.115:3031 {
          websocket
          transparent
          }
        }
 https://wedding.kebler.net {
        import wildcard_cert
        root /mnt/data/cloud-user-files/david/files/wedding
        index wedding.html
        }
 https://admin.kebler.net {
        import wildcard_cert
        import lan-only
        root /mnt/data/webs/admin
        }
 https://phpmyadmin.kebler.net {
        import wildcard_cert
        fastcgi / /var/run/php/php7.2-fpm.sock php
        root /mnt/data/webs/phpmyadmin
        }
 https://smnordic.org {
        fastcgi / /var/run/php/php7.2-fpm.sock php
        root /mnt/data/webs/smnordic
    rewrite / {
        if {path} not_match ^\/wp-admin
        to {path} {path}/ /index.php?_url={uri}
    }
        }
 https://nextcloud.kebler.net https://cloud.kebler.net {
        # import logs
        import US-only
        tls d@kebler.net
        fastcgi / /var/run/php/php7.2-fpm.sock php
        root /mnt/data/webs/nextcloud
        # log    /var/log/nextcloud_access.log
        # errors /var/log/nextcloud_errors.log
        # checks for images
            rewrite {
                ext .svg .gif .png .html .ttf .woff .ico .jpg .jpeg
            r ^/index.php/(.+)$
            to /{1} /index.php?{1}
            }
            rewrite {
                r ^/index.php/.*$
                to /index.php?{query}
            }
        # client support (e.g. os x calendar / contacts)
            redir /.well-known/carddav /remote.php/carddav 301
            redir /.well-known/caldav /remote.php/caldav 301
        # remove trailing / as it causes errors with php-fpm
            rewrite {
                r ^/remote.php/(webdav|caldav|carddav|dav)(\/?)$
                to /remote.php/{1}
            }
            rewrite {
                r ^/remote.php/(webdav|caldav|carddav|dav)/(.+?)(\/?)$
                to /remote.php/{1}/{2}
            }
            rewrite {
                r ^/public.php/(dav|webdav|caldav|carddav)(\/?)$
                to /public.php/{1}
            }
            rewrite {
                r ^/public.php/(dav|webdav|caldav|carddav)/(.+)(\/?)$
                to /public.php/{1}/{2}
            }
        # .htaccess / data / config / ... shouldn't be accessible from outside
            status 403 {
                /.htacces
                /data
                /config
                /db_structure
                /.xml
                /README
            }
            header / {
                Strict-Transport-Security "max-age=31536000;"
                Referrer-Policy "no-referrer"
            }
        }
--- a/conf/example.conf
+++ b/conf/example.conf
@ -13,9 +13,9 @@ handle_errors {
  }
 }
-https://testweb.kebler.net {
+https://example.<mydomain.com> {
 import r53
-root * /opt/caddy/testweb
+root * /opt/caddy/example-web
 file_server
 import errors
  }
--- a/conf/nadal.conf
+++ b/conf/nadal.conf
@ -1,53 +0,0 @@
 #!/bin/bash
 # ABSOLUTELY DON'T MESS WITH THIS FILE IF YOU DON'T KNOW WHAT YOU ARE DOING
 # Caddy Server Configuration for Nadal Server
 # After making changes from terminal 
 # sdr caddy@nadal
 # make sure there are now errors with
 # sdjuf caddy@nadal
 (r53) {
  tls {
      dns route53 {
        max_retries 10
      }
  }
 }
 (errors) {
 handle_errors {
  	rewrite * /{http.error.status_code}.html
  	file_server
  }
 }
 # Git Server
 https://git.kebler.net, https://git.645.kebler.net {
    import r53
    reverse_proxy http://nas.kebler.net:3000
    }
 # Home Assistant Server
 https://ha.kebler.net, https://ha.645.kebler.net {
    import r53
    reverse_proxy /* hassio.kebler.net:8123
    }
 https://gateway.kebler.net, https://gateway.645.kebler.net {
    import r53
    reverse_proxy /* router.kebler.net:8080
  }
 https://docker.kebler.net, https://docker.645.kebler.net {
   import r53
   reverse_proxy /* http://nadal.kebler.net:9000
 }
 https://power.kebler.net, https://power.645.kebler.net {
   import r53
   reverse_proxy /* http://192.168.0.10:8081
 }
 # Temp Lights Frontend Server (using dev)
  https://lights.645.kebler.net https://lights.kebler.net {
     import r53
     reverse_proxy http://nadal.kebler.net:8080
     }
--- a/conf/nadal.conf.secret
+++ b/conf/nadal.conf.secret
--- a/conf/trantor.conf
+++ b/conf/trantor.conf
@ -1,57 +0,0 @@
 #!/bin/bash
 (r53) {
  tls {
      dns route53 {
        max_retries 10
      }
  }
 }
 (errors) {
 handle_errors {
  	rewrite * /{http.error.status_code}.html
  	file_server
  }
 }
 # Git Server
 https://git.238.kebler.net {
    import r53
    reverse_proxy http://nas.kebler.net:3000
    }
 # Home Assistant Server
 https://ha.kebler.net, https://ha.238.kebler.net {
    import r53
    reverse_proxy /* hassio.kebler.net:8123
    }
 https://docker.kebler.net {
   import r53
   reverse_proxy /* http://trantor.kebler.net:9000
 }
 https://geeks.kebler.net {
    import r53
    reverse_proxy /* http://trantor.kebler.net:9292
    }
 # not working
 https://dashboard.nodered.kebler.net {
    import r53
    log {
 	     output stdout
 	     format console
    }
    # @ui {
 	  #    header Connection *Upgrade*
    #    header Upgrade websocket
    #    }
    rewrite /* /ui/{path}
    reverse_proxy * http://trantor.kebler.net:1880
    }
 https://nodered.kebler.net {
    import r53
    reverse_proxy /* http://trantor.kebler.net:1880
    }
--- a/conf/trantor.conf.secret
+++ b/conf/trantor.conf.secret
--- a/env/AWS.secret
+++ b/env/AWS.secret
--- a/env/aws.sh.secret
+++ b/env/aws.sh.secret
--- a/example-web/404.html
+++ b/example-web/404.html
--- a/example-web/index.html
+++ b/example-web/index.html