From c34205201add23df329ed2837ed6a8cc07aef94d Mon Sep 17 00:00:00 2001
From: David Kebler
Date: Sun, 17 May 2020 19:33:35 -0700
Subject: [PATCH] add aws credentials secret

---
 .gitignore | 8 +
 .gitsecret/keys/pubring.kbx | Bin 0 -> 2009 bytes
 .gitsecret/keys/pubring.kbx~ | Bin 0 -> 32 bytes
 .gitsecret/keys/trustdb.gpg | Bin 0 -> 1200 bytes
 .gitsecret/paths/mapping.cfg | 3 +
 README.md | 54 ++++++
 bin/arm64/caddy | Bin
 caddy | 2 +-
 conf/caddy1.conf | 366 +++++++++++++++++++++++++++++++++++
 conf/caddy1.conf.bak | 366 +++++++++++++++++++++++++++++++++++
 env/.gitignore | 2 -
 env/AWS.secret | Bin 0 -> 610 bytes
 env/aws.sh.secret | Bin 0 -> 628 bytes
 systemd/README.md | 54 ++++++
 systemd/persist | 0
 15 files changed, 852 insertions(+), 3 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 .gitsecret/keys/pubring.kbx
 create mode 100644 .gitsecret/keys/pubring.kbx~
 create mode 100644 .gitsecret/keys/trustdb.gpg
 create mode 100644 .gitsecret/paths/mapping.cfg
 create mode 100644 README.md
 mode change 100644 => 100755 bin/arm64/caddy
 create mode 100644 conf/caddy1.conf
 create mode 100644 conf/caddy1.conf.bak
 delete mode 100644 env/.gitignore
 create mode 100644 env/AWS.secret
 create mode 100644 env/aws.sh.secret
 create mode 100644 systemd/README.md
 mode change 100644 => 100755 systemd/persist

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0ecddee
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,8 @@
+/.config/
+/.local/
+/.step/
+.gitsecret/keys/random_seed
+!*.secret
+env/AWS
+env/aws.sh
+.bash_history
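Review bot: The new .gitignore only blacklists the plaintext AWS files (`env/AWS`, `env/aws.sh`) and a few dot-directories, yet the entries `/.config/`, `/.local/`, `/.step/` and `.bash_history` suggest the repository root is a home directory, where a later `git add -A` would also sweep up `.ssh/`, `.gnupg/`, `.aws/` and `.netrc` — none of which are listed. If that inference is right, add at least `.ssh/`, `.gnupg/` and `.aws/` (the `.netrc` and `*.pem` cases too), or invert the file to ignore `*` and re-include only the tracked paths so that new secret-bearing files are excluded by default. The `!*.secret` re-include is harmless, but note it would also un-ignore any file someone names `*.secret` that was never run through `git secret hide`, so the mapping in `.gitsecret/paths/mapping.cfg` is the real allowlist and should be checked on each add. The diffstat shows `env/.gitignore` (which ignored `/AWS` and `/aws.sh`) being deleted in this same commit, so it is worth confirming that neither plaintext file was ever committed in earlier history before relying on the encrypted copies.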
diff --git a/.gitsecret/keys/pubring.kbx b/.gitsecret/keys/pubring.kbx new file mode 100644 index 0000000000000000000000000000000000000000..d9afcb8a1f21d61f547b7889e18d192be110ebf8 GIT binary patch literal 2009 zcmaiz2{hYV9>@P#kc2VC*v1w`LTs(Q_Gef6FiPk{g%>FzmQWO_rKO=1p+Wknwz^P3 z&}ZNJP}-`RTB}WkYEfdXwe@JHXXebAbLMx>z4v?X@Atdso^wB6005965CC?t@CX17 z!l!d4<8U16@4?py27OZ$0N_IdU_knIy4VhBkAmSFRnoSDFJ6nqb;ci5AP=iB5%urP z#*btULayX4F_TWAnn)rC$Hs@bg8%^n005RfP)^_WU;z4U{jcfA3kpG*P@m2m4oCnP zqPP@pYKZKpFD797?Ne(g88CZhkGAea+L;x`X}}q6{ExJK2{hKIWc}SGO(csn-~IdU z!Ujw;FMxd{$6qm)s_6U1&fXlpBJ_;DymKS9fKpX9#d<=atLeoU-7I7GoZnb=?vJxu zB$Lq}*jq(<-Bs&`u5+O`fUn>nPWiFP)B%Wb+ZKinQ#wNq$`6pgoWsyw%rRzlB{S^4Q<2rC+{ zi)%EH5kL2}alPJUTIa3V?sy{BLNkey5rsegH!fchUDHCPVQSH8$CR))KOqIs&1GR85 zrB$x}PWTF=Cs3lgngJ}H7a3EJg@58o#vKz-Uy)Op?KHc1+(C>eYX5dIBk2u~pahC_ z8bTYFOp7nX8~9|CqtV%0G(ZRhfT|CEj}S)q&I3^AM2;onehmpEA%pRLM0^C2gpZ64 zjR;062ZTl-qsVw9p5z}98x|QzA|MHYkw`M$KLQ^~RzVtnZ_qesFeilI0*M;_p&_RK zx*q(U1}bO(Dgr_P24eEi|Aib6_z(@S6oiK#4&wv!iXz}JelS!F3;}^^%pfG2$833MZ31K42-I!aZZ5~{i(x*-!S@-0(=;93l_uF;TDl!!rwUb>yE_vN^VklUn|;r(7#9D)&MU;_*f4 zxZMQN=A2GtyR1DktA*-G%y20Z_Ts9ihQwGvgY+rGT=wN?oP!}xZqZO3bo&ogY%;IT zNWw->O>Q3Tu0!42s&-K@BZB{vl|E|$C?CWrc^F1_Gqc0jzmy>EBx#)$uabXGK#P`h zfgriTpC%pTp)dA5nvTS!G-! 
z>3f7Zr|ivaYMnP%Ln?TmEW(G_rzn-ro7`}6oua^~TeF<42d|b_b?60HwFX!PuxuoQ z`^|<%E2daGegeFB0*a`a^k>kSwd5BLWtP3;eXWu3hW6_AnbANDUC(MB%T!94?%m+d zt9#iIzEV2CfoTGlrdL|uC#4DU;>S^aHd)2Ip=PX@6!?< z*_mWM3Abl|iJ8F;2^JChGwxtS1wvhHvv`gOGb2233lTF8+K4vm$ zo+Rt^zr5>FKdWaK7te=Nd@AuXjP@HowK82=cT6yorxv?@W4jZDdG07S7FlNgn)=Pv zRL~=+#DUR}|Ho(o|7oZIO95cOCs*;6)TtP_Q_j3_>5{Q;{wVB?&xe}#jRRLg-)}>n zKl+-Vk>$GZaHJg3Ov_r&_N=hBGblLQX$tAKl)%&^c%pun(KO9xe10oi^5w(St=-D~ zV385Gda?>6?P0dX-_bu;Oi3&>c156vrA7+N#f9VxUdLRhwN8P09rLLc6!|)i2@eUp zw=S;K#qm9V;>|M_#)?x?5~HR>p}#6ya~{=mv}t`=qjSX{MC=Q>_jDFx%pUado`Wn( zGTura7dGq_I>{d-Zbe=DTs5J+gi_W?VDusG?uPeIp%*U8R!B{pF)%ph>$5Ri#hRP| zYnEll{*qDrq&7m5kZDV{*P6?5XO0+kJ3L@pKHD z&s4NWpEB%NsC3&!$oLjItL0iEPwiR+-rT>#m25))sYY@dgle++VW`Z0Nuf`(qqq+G O$N>DDgs0XMNb{eBA$r;X literal 0 HcmV?d00001 
diff --git a/.gitsecret/keys/pubring.kbx~ b/.gitsecret/keys/pubring.kbx~ new file mode 100644 index 0000000000000000000000000000000000000000..91703dd7f1b0b8d0f7e057135b6d3fc708c00bf6 GIT binary patch literal 32 ecmZQzU{GLWWMJ}kib!Jsg1CcEx +(baseurl-gateway) { + filter rule { + content_type text/html.* + search_pattern + replacement "" + } +} + +# inject in all pages a +(baseurl-nas) { + filter rule { + content_type text/html.* + search_pattern + replacement "" + } +} + +# Only allow lan users access +(lan-only) { + ipfilter / { + rule allow + ip 10.0.0.0/24 + } +} + +# Only allow US users access +(US-only) { + ipfilter / { + rule allow + ip 10.0.0.0/24 + database /opt/caddy/GeoLite2-Country.mmdb + country US + } +} + +# Only allow US users access +(admin-login) { + basicauth "sysadmin" ccbigsismyfriend { + realm "kebler-admin" + / +} +} + +#send logs to alternative location +(logs) { + log /opt/caddy/logs/log +# errors /opt/caddy/logs/errors +} + +#send to stdout instead of logs +(logout) { + log stdout + errors stdout +} +## End Snippets ############################## + + +################ REDIRECT ######################## + +# Main http/https redirect for anything arriving on port 80/http +*.kebler.net:80 { + import logs + redir https://{label1}.kebler.net{uri} +} + + +# Git Server +https://git238.kebler.net { + import wildcard_cert + import US-only + proxy / http://nas.kebler.net:3000 + } + +# Home Assistant Server +https://ha.kebler.net https://ha238.kebler.net { + import wildcard_cert + import US-only +# import lan-only + import logs + proxy / hassio.kebler.net:8123 { + websocket + transparent + } + } + +# NodeRed Server +https://nodered.kebler.net { + import wildcard_cert + import US-only +# import lan-only + proxy / trantor.kebler.net:1880 { + websocket + transparent + } + } + +# portainer +https://docker.kebler.net { + import wildcard_cert + import lan-only + proxy / http://nas.kebler.net:9000 + } + + +##################### TRANTOR ###################### + 
+# portainer on trantor +https://docker-trantor.kebler.net { + import wildcard_cert + import lan-only + proxy / http://trantor.kebler.net:9000 + } + +# discourse for nick and david +https://geeks.kebler.net { + import wildcard_cert + proxy / http://trantor.kebler.net:9292 { + transparent + } + } + + +# mqtt broker setup interface +#https://broker-ui.kebler.net { +# import wildcard_cert +# import lan-only +# proxy / http://nas.kebler.net:18083 { +# } +# } + + +https://social.kebler.net { + import wildcard_cert + +# rewrite { +# if {path} is / +# to /proxy{path} +# } + +# rewrite { +# if {path} not_has /graphql +# to {path} /proxy{path} +# } + + proxy / 10.0.0.115:3000 { + } + + proxy /graphql 10.0.0.115:4000 { + websocket + transparent + } + +} + +https://npm.kebler.net { + import wildcard_cert + proxy / localhost:4873 { + websocket + transparent + } + } + +##### status.kebler.net ########### + +https://status.kebler.net { + import wildcard_cert + import US-only + import admin-login + # route to phpfpm's status page here + fastcgi /phpfpm /var/run/php/php7.2-fpm.sock { + env SCRIPT_NAME /phpfpm + } + fastcgi / /var/run/php/php7.2-fpm.sock php + root /mnt/data/webs/status/dist + } + + +# Router Status running on router +https://status.kebler.net/238/gateway { + import wildcard_cert + import US-only + import admin-login + filter rule { + content_type text/html.* + search_pattern + replacement "" + } + proxy / http://router.kebler.net:19999 + } + +# NAS Status 238 +https://status.kebler.net/238/nas { + import wildcard_cert + import US-only + import admin-login + # add base tag to all pages + filter rule { + content_type text/html.* + search_pattern + replacement "" + } + proxy / http://nas.kebler.net:19999 + } + +# Systemd Cockpit Access +https://system.kebler.net { + import wildcard_cert + import US-only + # add base tag to all pages + # filter rule { + # content_type text/html.* + # search_pattern + # replacement "" + # } + proxy / http://localhost:9090 { + 
insecure_skip_verify + websocket + transparent + } + } + +# local redirect to 645 +https://status.kebler.net/645/nas { + import wildcard_cert + import US-only + proxy / http://645.kebler.net/nas/status + } + + +################### LOCAL WEBS ############################ + +https://download.kebler.net { + import wildcard_cert + log /mnt/data/downloads/private/download-log + basicauth "elf" ccbigs { + realm "Protected Downloads" + /private + } + basicauth "download" espressobin { + /espressobin-router/espressobin-router-ubuntu-18.04.tar.gz + } + root /mnt/data/downloads + browse / +} + +https://lights.kebler.net { + import wildcard_cert + root /mnt/data/webs/lights-frontend + proxy /socket.io http://10.0.0.115:3031 { + websocket + transparent + } + } + + + + +https://wedding.kebler.net { + import wildcard_cert + root /mnt/data/cloud-user-files/david/files/wedding + index wedding.html + } + + +https://admin.kebler.net { + import wildcard_cert + import lan-only + root /mnt/data/webs/admin + } + +https://phpmyadmin.kebler.net { + import wildcard_cert + fastcgi / /var/run/php/php7.2-fpm.sock php + root /mnt/data/webs/phpmyadmin + } + +https://smnordic.org { + fastcgi / /var/run/php/php7.2-fpm.sock php + root /mnt/data/webs/smnordic + rewrite / { + if {path} not_match ^\/wp-admin + to {path} {path}/ /index.php?_url={uri} + } + } + +https://nextcloud.kebler.net https://cloud.kebler.net { + # import logs + import US-only + tls d@kebler.net + fastcgi / /var/run/php/php7.2-fpm.sock php + root /mnt/data/webs/nextcloud + # log /var/log/nextcloud_access.log + # errors /var/log/nextcloud_errors.log + + # checks for images + rewrite { + ext .svg .gif .png .html .ttf .woff .ico .jpg .jpeg + r ^/index.php/(.+)$ + to /{1} /index.php?{1} + } + + rewrite { + r ^/index.php/.*$ + to /index.php?{query} + } + + # client support (e.g. 
os x calendar / contacts) + redir /.well-known/carddav /remote.php/carddav 301 + redir /.well-known/caldav /remote.php/caldav 301 + + # remove trailing / as it causes errors with php-fpm + rewrite { + r ^/remote.php/(webdav|caldav|carddav|dav)(\/?)$ + to /remote.php/{1} + } + + rewrite { + r ^/remote.php/(webdav|caldav|carddav|dav)/(.+?)(\/?)$ + to /remote.php/{1}/{2} + } + + rewrite { + r ^/public.php/(dav|webdav|caldav|carddav)(\/?)$ + to /public.php/{1} + } + + rewrite { + r ^/public.php/(dav|webdav|caldav|carddav)/(.+)(\/?)$ + to /public.php/{1}/{2} + } + + # .htaccess / data / config / ... shouldn't be accessible from outside + status 403 { + /.htacces + /data + /config + /db_structure + /.xml + /README + } + + header / { + Strict-Transport-Security "max-age=31536000;" + Referrer-Policy "no-referrer" + } + + } diff --git a/conf/caddy1.conf.bak b/conf/caddy1.conf.bak new file mode 100644 index 0000000..250104b --- /dev/null +++ b/conf/caddy1.conf.bak 
@@ -0,0 +1,366 @@ +##!/bin/bashit +# KEBLER.NET WEB AND REVERSE PROXY SERVER RUNNING ON 238 NAS BOX + +# 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 + +# TODO +# change proxy to redirect for crontab-ui as it doesn't work as a proxy, add authorization + + +# COMMON DIRECTIVES (add by using import) + +# Wildcard cert add to all +(wildcard_cert) { + tls /opt/tls-certs/wc.kebler.net.crt /opt/tls-certs/wc.kebler.net.key { + wildcard + } +} + +# inject in all pages a +(baseurl-gateway) { + filter rule { + content_type text/html.* + search_pattern + replacement "" + } +} + +# inject in all pages a +(baseurl-nas) { + filter rule { + content_type text/html.* + search_pattern + replacement "" + } +} + +# Only allow lan users access +(lan-only) { + ipfilter / { + rule allow + ip 10.0.0.0/24 + } +} + +# Only allow US users access +(US-only) { + ipfilter / { + rule allow + ip 10.0.0.0/24 + database /opt/caddy/GeoLite2-Country.mmdb + country US + } +} + +# Only allow US users access +(admin-login) { + basicauth "sysadmin" ccbigsismyfriend { + realm "kebler-admin" + / +} +} + +#send logs to alternative location +(logs) { + log /opt/caddy/logs/log + errors /opt/caddy/logs/errors +} + +#send to stdout instead of logs +(logout) { + log stdout + errors stdout +} +## End Snippets ############################## + + +################ REDIRECT ######################## + +# Main http/https redirect for anything arriving on port 80/http +*.kebler.net:80 { + import logs + redir https://{label1}.kebler.net{uri} +} + + +# Git Server +https://git238.kebler.net { + import wildcard_cert + import US-only + proxy / http://nas.kebler.net:3000 + } + +# Home Assistant Server +https://ha.kebler.net https://ha238.kebler.net { + import wildcard_cert + import US-only +# import lan-only + import logs + proxy / hassio.kebler.net:8123 { + websocket + transparent + } + } + +# NodeRed Server +https://nodered.kebler.net { + import wildcard_cert + import US-only +# import lan-only + 
proxy / trantor.kebler.net:1880 { + websocket + transparent + } + } + +# portainer +https://docker.kebler.net { + import wildcard_cert + import lan-only + proxy / http://nas.kebler.net:9000 + } + + +##################### TRANTOR ###################### + +# portainer on trantor +https://docker-trantor.kebler.net { + import wildcard_cert + import lan-only + proxy / http://trantor.kebler.net:9000 + } + +# discourse for nick and david +https://geeks.kebler.net { + import wildcard_cert + proxy / http://trantor.kebler.net:9292 { + transparent + } + } + + +# mqtt broker setup interface +#https://broker-ui.kebler.net { +# import wildcard_cert +# import lan-only +# proxy / http://nas.kebler.net:18083 { +# } +# } + + +https://social.kebler.net { + import wildcard_cert + +# rewrite { +# if {path} is / +# to /proxy{path} +# } + +# rewrite { +# if {path} not_has /graphql +# to {path} /proxy{path} +# } + + proxy / 10.0.0.115:3000 { + } + + proxy /graphql 10.0.0.115:4000 { + websocket + transparent + } + +} + +https://npm.kebler.net { + import wildcard_cert + proxy / localhost:4873 { + websocket + transparent + } + } + +##### status.kebler.net ########### + +https://status.kebler.net { + import wildcard_cert + import US-only + import admin-login + # route to phpfpm's status page here + fastcgi /phpfpm /var/run/php/php7.2-fpm.sock { + env SCRIPT_NAME /phpfpm + } + fastcgi / /var/run/php/php7.2-fpm.sock php + root /mnt/data/webs/status/dist + } + + +# Router Status running on router +https://status.kebler.net/238/gateway { + import wildcard_cert + import US-only + import admin-login + filter rule { + content_type text/html.* + search_pattern + replacement "" + } + proxy / http://router.kebler.net:19999 + } + +# NAS Status 238 +https://status.kebler.net/238/nas { + import wildcard_cert + import US-only + import admin-login + # add base tag to all pages + filter rule { + content_type text/html.* + search_pattern + replacement "" + } + proxy / http://nas.kebler.net:19999 + } + +# 
Systemd Cockpit Access +https://system.kebler.net { + import wildcard_cert + import US-only + # add base tag to all pages + # filter rule { + # content_type text/html.* + # search_pattern + # replacement "" + # } + proxy / http://localhost:9090 { + insecure_skip_verify + websocket + transparent + } + } + +# local redirect to 645 +https://status.kebler.net/645/nas { + import wildcard_cert + import US-only + proxy / http://645.kebler.net/nas/status + } + + +################### LOCAL WEBS ############################ + +https://download.kebler.net { + import wildcard_cert + log /mnt/data/downloads/private/download-log + basicauth "elf" ccbigs { + realm "Protected Downloads" + /private + } + basicauth "download" espressobin { + /espressobin-router/espressobin-router-ubuntu-18.04.tar.gz + } + root /mnt/data/downloads + browse / +} + +https://lights.kebler.net { + import wildcard_cert + root /mnt/data/webs/lights-frontend + proxy /socket.io http://10.0.0.115:3031 { + websocket + transparent + } + } + + + + +https://wedding.kebler.net { + import wildcard_cert + root /mnt/data/cloud-user-files/david/files/wedding + index wedding.html + } + + +https://admin.kebler.net { + import wildcard_cert + import lan-only + root /mnt/data/webs/admin + } + +https://phpmyadmin.kebler.net { + import wildcard_cert + fastcgi / /var/run/php/php7.2-fpm.sock php + root /mnt/data/webs/phpmyadmin + } + +https://smnordic.org { + fastcgi / /var/run/php/php7.2-fpm.sock php + root /mnt/data/webs/smnordic + rewrite / { + if {path} not_match ^\/wp-admin + to {path} {path}/ /index.php?_url={uri} + } + } + +https://nextcloud.kebler.net https://cloud.kebler.net { + # import logs + import US-only + tls d@kebler.net + fastcgi / /var/run/php/php7.2-fpm.sock php + root /mnt/data/webs/nextcloud + # log /var/log/nextcloud_access.log + # errors /var/log/nextcloud_errors.log + + # checks for images + rewrite { + ext .svg .gif .png .html .ttf .woff .ico .jpg .jpeg + r ^/index.php/(.+)$ + to /{1} /index.php?{1} + 
} + + rewrite { + r ^/index.php/.*$ + to /index.php?{query} + } + + # client support (e.g. os x calendar / contacts) + redir /.well-known/carddav /remote.php/carddav 301 + redir /.well-known/caldav /remote.php/caldav 301 + + # remove trailing / as it causes errors with php-fpm + rewrite { + r ^/remote.php/(webdav|caldav|carddav|dav)(\/?)$ + to /remote.php/{1} + } + + rewrite { + r ^/remote.php/(webdav|caldav|carddav|dav)/(.+?)(\/?)$ + to /remote.php/{1}/{2} + } + + rewrite { + r ^/public.php/(dav|webdav|caldav|carddav)(\/?)$ + to /public.php/{1} + } + + rewrite { + r ^/public.php/(dav|webdav|caldav|carddav)/(.+)(\/?)$ + to /public.php/{1}/{2} + } + + # .htaccess / data / config / ... shouldn't be accessible from outside + status 403 { + /.htacces + /data + /config + /db_structure + /.xml + /README + } + + header / { + Strict-Transport-Security "max-age=31536000;" + Referrer-Policy "no-referrer" + } + + } diff --git a/env/.gitignore b/env/.gitignore deleted file mode 100644 index 5f614e6..0000000 --- a/env/.gitignore +++ /dev/null @@ -1,2 +0,0 @@ -/AWS -/aws.sh diff --git a/env/AWS.secret b/env/AWS.secret new file mode 100644 index 0000000000000000000000000000000000000000..2dbe2e51b7b86694be56a384118884e544a9fe6e GIT binary patch literal 610 zcmV-o0-gPZ0gMCgu7OP^x^5Ez3;>rWuD#ZxC-kI*54RbvNy<3`MRmi74oeP|$@$4K zuG-bh*~{jO-qoJ1p?JzQn`s{1c`h@k+9t1Mxw?$yoFGB=0b#Nbn*#2@O~-mdeFR7H zH?Nt=%f1OvbG)qlpbbZLSqE=F%m6A=AA+MCTTlSHUvke@wU-wS4KtK^>EH^H z(Kh_T{g{AT+J>3z^A@Y^$XqekPNBy_JPf%Mgql@u6qD|OoN#Eu2>GI;*b{>6S<&M* z+Dh;~1?UjGCa*ANnX}J5K?;64|66JBQq@`UR5U-(LBH~nTM7-Rg6a%02b^>G8{+nf ze`le^u}tDdz}eul_*-%}););(<4aF$jU)IOP3O$B@;qM3r)nUn6u#HqRZDApRVHFu%TZ?mr9F)Xpnmm|Bl|@k-;-D;736ObwJ1%!YrUKHy5CP?9-W>OQ zo77J5L~A2Y%bpO~#7XSo=o?6zyYx>+`4jU&RVu_RheIj@i6ZR9y3NFOu&m@BM?xbs z*6EHK4jcyop_}@~OgJeeLf@xpTgWF>TRM!{n6hy+g;t!FU6fK;R&QYMgJjwg=GrT~ zExP{3ZNc=V^stGl-vX>$1ejZqwPiPHxWJtJ15`dlP2?pU6TMxd!e8u~4)lpj)faFgyd;kCd literal 0 HcmV?d00001 
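Review bot: This Caddyfile commits three Caddy v1 `basicauth` credentials in plaintext — `basicauth "sysadmin" ccbigsismyfriend` in the `(admin-login)` snippet, and `basicauth "elf" ccbigs` / `basicauth "download" espressobin` under `https://download.kebler.net` — and a commit that carefully git-secrets the AWS keys leaves these in the clear, duplicated in both conf/caddy1.conf and this .bak copy. Once pushed they should be treated as disclosed: rotate them, and either pull them from the environment with Caddy v1's `{$VAR}` placeholders (e.g. `basicauth "sysadmin" {$ADMIN_PASS}`) or add the conf to the git-secret mapping, and drop the .bak duplicate rather than keeping a second copy of the same secrets. Separately, `https://phpmyadmin.kebler.net` imports only `wildcard_cert`, with none of the `lan-only`, `US-only` or `admin-login` guards that `admin.kebler.net` and `status.kebler.net` use, so the database admin UI is reachable from anywhere behind phpMyAdmin's own login; `import lan-only` there would match the rest of the file. The same content, minus the commented `errors` line in `(logs)`, appears in the conf/caddy1.conf hunk earlier in this patch, so both copies need the fix.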
diff --git a/env/aws.sh.secret b/env/aws.sh.secret new file mode 100644 index 0000000000000000000000000000000000000000..e6e68eb1d721d7faf2e46ddb0a3c2e5a5bcdd0e2 GIT binary patch literal 628 zcmV-)0*n2H0gMCgu7OP^x^5Ez3;@e+-3cT0{VgM6|Z;zpuaX{|Og3%4 zY%PlA!h3G;OB+_D(vkQ8{7;geYL{?Qv%hI8O666%merS|a<{XZ`WkNQ@sK1-hQ&Ur zbD+3l3k%2^9_kyJy^CHGLcNyq*A(uE=ICn7)j}u^VgGkXJe1w|B&ErBuYlk=E_T$l zqLpTGH^|fUOr6`Ov+^^Yu0zhnjgX9bxS(&;ioGA^{#J99Rmm zGJ=N{7tu|SvOv?~w{1_?l_FIMu`ESL);MNNos8_*+P7M4kZe7wM3cS?l>wT*w@3zp zXfnz9s~L*>uG)`4amPd#8BjWXpiut|yClPZqp(2WEkbz9^9JpE>V#6?)E11KXsd_Eh