add aws credentials secret

giskard
David Kebler 2020-05-17 19:33:35 -07:00
parent 8de0f0914c
commit c34205201a
15 changed files with 852 additions and 3 deletions

8
.gitignore vendored Normal file
View File

@ -0,0 +1,8 @@
/.config/
/.local/
/.step/
.gitsecret/keys/random_seed
!*.secret
env/AWS
env/aws.sh
.bash_history

BIN
.gitsecret/keys/pubring.kbx Normal file

Binary file not shown.

Binary file not shown.

BIN
.gitsecret/keys/trustdb.gpg Normal file

Binary file not shown.

View File

@ -0,0 +1,3 @@
env/AWS:02b947b25fe0dc38bbfba5fc66ead3d5b9b4f8d9000ccd9e4661a9ef81167ec5
env/aws.sh:3ecd809bd40066028fe08307be8de28c4ffe4f65b2d4041e9b69f6e00172b688
.bash_history

54
README.md Normal file
View File

@ -0,0 +1,54 @@
Official service files for systemd
==================================
This folder contains the officially-maintained systemd files that should be used as a basis for your own deployments.
**⚠️ Always review your service file before using it! Change anything that you need to customize.**
## Instructions
See our website for [installation instructions](https://caddyserver.com/docs/install).
## Prerequisites
Running Caddy as a systemd service requires the following:
Group named `caddy`:
```bash
$ groupadd --system caddy
```
User named `caddy` with a writeable home folder:
```bash
$ useradd --system \
--gid caddy \
--create-home \
--home-dir /var/lib/caddy \
--shell /usr/sbin/nologin \
--comment "Caddy web server" \
caddy
```
## Choosing a service file
- **`caddy.service`** - Use this one if you configure Caddy with a file (for example, the Caddyfile, or a .json file).
- **`caddy-api.service`** - Use this one if you configure Caddy solely through its API.
The two files are identical except for the ExecStart and ExecReload commands.
## Important
Caddy receives all configuration through its [admin API](https://caddyserver.com/docs/api), even when the [command line interface (CLI)](https://caddyserver.com/docs/command-line) is used, which simply wraps up the API calls for you.
Most users will use either config files and the CLI [mutually exclusively](https://caddyserver.com/docs/getting-started#api-vs-config-files) with the API because it is simpler to have only one source of truth. However, you may wish to provide Caddy an initial "bootstrapping" configuration with a config file, and use the API thereafter.
**⚠️ If you provide an initial config file with the `--config` flag and then update the config using the API, you risk losing your changes if the service is restarted unless you have the `--resume` flag in your ExecStart command.**
Without the `--resume` flag, the `--config` flag will overwrite any last-known configuration.
However, it is totally safe and normal to use both the `--config` and `--resume` options together if you need to use both a config file and the API. Just be aware that if you update your config file and want to apply those changes, _stopping and starting the server is the wrong way to do this_. Restarting the service is orthogonal to config changes; this is a unique safety feature that guarantees durability and prevents data loss. If the config file has the latest changes, you should use the reload command instead.

0
bin/arm64/caddy Normal file → Executable file
View File

2
caddy
View File

@ -1 +1 @@
/opt/caddy/bin/arm64/caddy /opt/caddy/bin/amd64/caddy

366
conf/caddy1.conf Normal file
View File

@ -0,0 +1,366 @@
##!/bin/bashit
# KEBLER.NET WEB AND REVERSE PROXY SERVER RUNNING ON 238 NAS BOX
# 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238
# TODO
# change proxy to redirect for crontab-ui as it doesn't work as a proxy, add authorization
# COMMON DIRECTIVES (add by using import)
# Wildcard cert add to all
(wildcard_cert) {
tls /mnt/238/nas/opt/tls-certs/wc.kebler.net.crt /mnt/238/nas/opt/tls-certs/wc.kebler.net.key {
wildcard
}
}
# inject in all pages a <base href='url'>
(baseurl-gateway) {
filter rule {
content_type text/html.*
search_pattern <head>
replacement "<head><base href='https://{request_host}/238/gateway/'>"
}
}
# inject in all pages a <base href='url'>
(baseurl-nas) {
filter rule {
content_type text/html.*
search_pattern <head>
replacement "<head><base href='https://{request_host}/238/nas/'>"
}
}
# Only allow lan users access
(lan-only) {
ipfilter / {
rule allow
ip 10.0.0.0/24
}
}
# Only allow US users access
(US-only) {
ipfilter / {
rule allow
ip 10.0.0.0/24
database /opt/caddy/GeoLite2-Country.mmdb
country US
}
}
# Only allow US users access
(admin-login) {
basicauth "sysadmin" ccbigsismyfriend {
realm "kebler-admin"
/
}
}
#send logs to alternative location
(logs) {
log /opt/caddy/logs/log
# errors /opt/caddy/logs/errors
}
#send to stdout instead of logs
(logout) {
log stdout
errors stdout
}
## End Snippets ##############################
################ REDIRECT ########################
# Main http/https redirect for anything arriving on port 80/http
*.kebler.net:80 {
import logs
redir https://{label1}.kebler.net{uri}
}
# Git Server
https://git238.kebler.net {
import wildcard_cert
import US-only
proxy / http://nas.kebler.net:3000
}
# Home Assistant Server
https://ha.kebler.net https://ha238.kebler.net {
import wildcard_cert
import US-only
# import lan-only
import logs
proxy / hassio.kebler.net:8123 {
websocket
transparent
}
}
# NodeRed Server
https://nodered.kebler.net {
import wildcard_cert
import US-only
# import lan-only
proxy / trantor.kebler.net:1880 {
websocket
transparent
}
}
# portainer
https://docker.kebler.net {
import wildcard_cert
import lan-only
proxy / http://nas.kebler.net:9000
}
##################### TRANTOR ######################
# portainer on trantor
https://docker-trantor.kebler.net {
import wildcard_cert
import lan-only
proxy / http://trantor.kebler.net:9000
}
# discourse for nick and david
https://geeks.kebler.net {
import wildcard_cert
proxy / http://trantor.kebler.net:9292 {
transparent
}
}
# mqtt broker setup interface
#https://broker-ui.kebler.net {
# import wildcard_cert
# import lan-only
# proxy / http://nas.kebler.net:18083 {
# }
# }
https://social.kebler.net {
import wildcard_cert
# rewrite {
# if {path} is /
# to /proxy{path}
# }
# rewrite {
# if {path} not_has /graphql
# to {path} /proxy{path}
# }
proxy / 10.0.0.115:3000 {
}
proxy /graphql 10.0.0.115:4000 {
websocket
transparent
}
}
https://npm.kebler.net {
import wildcard_cert
proxy / localhost:4873 {
websocket
transparent
}
}
##### status.kebler.net ###########
https://status.kebler.net {
import wildcard_cert
import US-only
import admin-login
# route to phpfpm's status page here
fastcgi /phpfpm /var/run/php/php7.2-fpm.sock {
env SCRIPT_NAME /phpfpm
}
fastcgi / /var/run/php/php7.2-fpm.sock php
root /mnt/data/webs/status/dist
}
# Router Status running on router
https://status.kebler.net/238/gateway {
import wildcard_cert
import US-only
import admin-login
filter rule {
content_type text/html.*
search_pattern <head>
replacement "<head><base href='https://{request_host}/238/gateway/'>"
}
proxy / http://router.kebler.net:19999
}
# NAS Status 238
https://status.kebler.net/238/nas {
import wildcard_cert
import US-only
import admin-login
# add base tag to all pages
filter rule {
content_type text/html.*
search_pattern <head>
replacement "<head><base href='https://{request_host}/238/nas/'>"
}
proxy / http://nas.kebler.net:19999
}
# Systemd Cockpit Access
https://system.kebler.net {
import wildcard_cert
import US-only
# add base tag to all pages
# filter rule {
# content_type text/html.*
# search_pattern <head>
# replacement "<head><base href='https://{request_host}/238/nas/'>"
# }
proxy / http://localhost:9090 {
insecure_skip_verify
websocket
transparent
}
}
# local redirect to 645
https://status.kebler.net/645/nas {
import wildcard_cert
import US-only
proxy / http://645.kebler.net/nas/status
}
################### LOCAL WEBS ############################
https://download.kebler.net {
import wildcard_cert
log /mnt/data/downloads/private/download-log
basicauth "elf" ccbigs {
realm "Protected Downloads"
/private
}
basicauth "download" espressobin {
/espressobin-router/espressobin-router-ubuntu-18.04.tar.gz
}
root /mnt/data/downloads
browse /
}
https://lights.kebler.net {
import wildcard_cert
root /mnt/data/webs/lights-frontend
proxy /socket.io http://10.0.0.115:3031 {
websocket
transparent
}
}
https://wedding.kebler.net {
import wildcard_cert
root /mnt/data/cloud-user-files/david/files/wedding
index wedding.html
}
https://admin.kebler.net {
import wildcard_cert
import lan-only
root /mnt/data/webs/admin
}
https://phpmyadmin.kebler.net {
import wildcard_cert
fastcgi / /var/run/php/php7.2-fpm.sock php
root /mnt/data/webs/phpmyadmin
}
https://smnordic.org {
fastcgi / /var/run/php/php7.2-fpm.sock php
root /mnt/data/webs/smnordic
rewrite / {
if {path} not_match ^\/wp-admin
to {path} {path}/ /index.php?_url={uri}
}
}
https://nextcloud.kebler.net https://cloud.kebler.net {
# import logs
import US-only
tls d@kebler.net
fastcgi / /var/run/php/php7.2-fpm.sock php
root /mnt/data/webs/nextcloud
# log /var/log/nextcloud_access.log
# errors /var/log/nextcloud_errors.log
# checks for images
rewrite {
ext .svg .gif .png .html .ttf .woff .ico .jpg .jpeg
r ^/index.php/(.+)$
to /{1} /index.php?{1}
}
rewrite {
r ^/index.php/.*$
to /index.php?{query}
}
# client support (e.g. os x calendar / contacts)
redir /.well-known/carddav /remote.php/carddav 301
redir /.well-known/caldav /remote.php/caldav 301
# remove trailing / as it causes errors with php-fpm
rewrite {
r ^/remote.php/(webdav|caldav|carddav|dav)(\/?)$
to /remote.php/{1}
}
rewrite {
r ^/remote.php/(webdav|caldav|carddav|dav)/(.+?)(\/?)$
to /remote.php/{1}/{2}
}
rewrite {
r ^/public.php/(dav|webdav|caldav|carddav)(\/?)$
to /public.php/{1}
}
rewrite {
r ^/public.php/(dav|webdav|caldav|carddav)/(.+)(\/?)$
to /public.php/{1}/{2}
}
# .htaccess / data / config / ... shouldn't be accessible from outside
status 403 {
/.htacces
/data
/config
/db_structure
/.xml
/README
}
header / {
Strict-Transport-Security "max-age=31536000;"
Referrer-Policy "no-referrer"
}
}

366
conf/caddy1.conf.bak Normal file
View File

@ -0,0 +1,366 @@
##!/bin/bashit
# KEBLER.NET WEB AND REVERSE PROXY SERVER RUNNING ON 238 NAS BOX
# 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238 238
# TODO
# change proxy to redirect for crontab-ui as it doesn't work as a proxy, add authorization
# COMMON DIRECTIVES (add by using import)
# Wildcard cert add to all
(wildcard_cert) {
tls /opt/tls-certs/wc.kebler.net.crt /opt/tls-certs/wc.kebler.net.key {
wildcard
}
}
# inject in all pages a <base href='url'>
(baseurl-gateway) {
filter rule {
content_type text/html.*
search_pattern <head>
replacement "<head><base href='https://{request_host}/238/gateway/'>"
}
}
# inject in all pages a <base href='url'>
(baseurl-nas) {
filter rule {
content_type text/html.*
search_pattern <head>
replacement "<head><base href='https://{request_host}/238/nas/'>"
}
}
# Only allow lan users access
(lan-only) {
ipfilter / {
rule allow
ip 10.0.0.0/24
}
}
# Only allow US users access
(US-only) {
ipfilter / {
rule allow
ip 10.0.0.0/24
database /opt/caddy/GeoLite2-Country.mmdb
country US
}
}
# Only allow US users access
(admin-login) {
basicauth "sysadmin" ccbigsismyfriend {
realm "kebler-admin"
/
}
}
#send logs to alternative location
(logs) {
log /opt/caddy/logs/log
errors /opt/caddy/logs/errors
}
#send to stdout instead of logs
(logout) {
log stdout
errors stdout
}
## End Snippets ##############################
################ REDIRECT ########################
# Main http/https redirect for anything arriving on port 80/http
*.kebler.net:80 {
import logs
redir https://{label1}.kebler.net{uri}
}
# Git Server
https://git238.kebler.net {
import wildcard_cert
import US-only
proxy / http://nas.kebler.net:3000
}
# Home Assistant Server
https://ha.kebler.net https://ha238.kebler.net {
import wildcard_cert
import US-only
# import lan-only
import logs
proxy / hassio.kebler.net:8123 {
websocket
transparent
}
}
# NodeRed Server
https://nodered.kebler.net {
import wildcard_cert
import US-only
# import lan-only
proxy / trantor.kebler.net:1880 {
websocket
transparent
}
}
# portainer
https://docker.kebler.net {
import wildcard_cert
import lan-only
proxy / http://nas.kebler.net:9000
}
##################### TRANTOR ######################
# portainer on trantor
https://docker-trantor.kebler.net {
import wildcard_cert
import lan-only
proxy / http://trantor.kebler.net:9000
}
# discourse for nick and david
https://geeks.kebler.net {
import wildcard_cert
proxy / http://trantor.kebler.net:9292 {
transparent
}
}
# mqtt broker setup interface
#https://broker-ui.kebler.net {
# import wildcard_cert
# import lan-only
# proxy / http://nas.kebler.net:18083 {
# }
# }
https://social.kebler.net {
import wildcard_cert
# rewrite {
# if {path} is /
# to /proxy{path}
# }
# rewrite {
# if {path} not_has /graphql
# to {path} /proxy{path}
# }
proxy / 10.0.0.115:3000 {
}
proxy /graphql 10.0.0.115:4000 {
websocket
transparent
}
}
https://npm.kebler.net {
import wildcard_cert
proxy / localhost:4873 {
websocket
transparent
}
}
##### status.kebler.net ###########
https://status.kebler.net {
import wildcard_cert
import US-only
import admin-login
# route to phpfpm's status page here
fastcgi /phpfpm /var/run/php/php7.2-fpm.sock {
env SCRIPT_NAME /phpfpm
}
fastcgi / /var/run/php/php7.2-fpm.sock php
root /mnt/data/webs/status/dist
}
# Router Status running on router
https://status.kebler.net/238/gateway {
import wildcard_cert
import US-only
import admin-login
filter rule {
content_type text/html.*
search_pattern <head>
replacement "<head><base href='https://{request_host}/238/gateway/'>"
}
proxy / http://router.kebler.net:19999
}
# NAS Status 238
https://status.kebler.net/238/nas {
import wildcard_cert
import US-only
import admin-login
# add base tag to all pages
filter rule {
content_type text/html.*
search_pattern <head>
replacement "<head><base href='https://{request_host}/238/nas/'>"
}
proxy / http://nas.kebler.net:19999
}
# Systemd Cockpit Access
https://system.kebler.net {
import wildcard_cert
import US-only
# add base tag to all pages
# filter rule {
# content_type text/html.*
# search_pattern <head>
# replacement "<head><base href='https://{request_host}/238/nas/'>"
# }
proxy / http://localhost:9090 {
insecure_skip_verify
websocket
transparent
}
}
# local redirect to 645
https://status.kebler.net/645/nas {
import wildcard_cert
import US-only
proxy / http://645.kebler.net/nas/status
}
################### LOCAL WEBS ############################
https://download.kebler.net {
import wildcard_cert
log /mnt/data/downloads/private/download-log
basicauth "elf" ccbigs {
realm "Protected Downloads"
/private
}
basicauth "download" espressobin {
/espressobin-router/espressobin-router-ubuntu-18.04.tar.gz
}
root /mnt/data/downloads
browse /
}
https://lights.kebler.net {
import wildcard_cert
root /mnt/data/webs/lights-frontend
proxy /socket.io http://10.0.0.115:3031 {
websocket
transparent
}
}
https://wedding.kebler.net {
import wildcard_cert
root /mnt/data/cloud-user-files/david/files/wedding
index wedding.html
}
https://admin.kebler.net {
import wildcard_cert
import lan-only
root /mnt/data/webs/admin
}
https://phpmyadmin.kebler.net {
import wildcard_cert
fastcgi / /var/run/php/php7.2-fpm.sock php
root /mnt/data/webs/phpmyadmin
}
https://smnordic.org {
fastcgi / /var/run/php/php7.2-fpm.sock php
root /mnt/data/webs/smnordic
rewrite / {
if {path} not_match ^\/wp-admin
to {path} {path}/ /index.php?_url={uri}
}
}
https://nextcloud.kebler.net https://cloud.kebler.net {
# import logs
import US-only
tls d@kebler.net
fastcgi / /var/run/php/php7.2-fpm.sock php
root /mnt/data/webs/nextcloud
# log /var/log/nextcloud_access.log
# errors /var/log/nextcloud_errors.log
# checks for images
rewrite {
ext .svg .gif .png .html .ttf .woff .ico .jpg .jpeg
r ^/index.php/(.+)$
to /{1} /index.php?{1}
}
rewrite {
r ^/index.php/.*$
to /index.php?{query}
}
# client support (e.g. os x calendar / contacts)
redir /.well-known/carddav /remote.php/carddav 301
redir /.well-known/caldav /remote.php/caldav 301
# remove trailing / as it causes errors with php-fpm
rewrite {
r ^/remote.php/(webdav|caldav|carddav|dav)(\/?)$
to /remote.php/{1}
}
rewrite {
r ^/remote.php/(webdav|caldav|carddav|dav)/(.+?)(\/?)$
to /remote.php/{1}/{2}
}
rewrite {
r ^/public.php/(dav|webdav|caldav|carddav)(\/?)$
to /public.php/{1}
}
rewrite {
r ^/public.php/(dav|webdav|caldav|carddav)/(.+)(\/?)$
to /public.php/{1}/{2}
}
# .htaccess / data / config / ... shouldn't be accessible from outside
status 403 {
/.htacces
/data
/config
/db_structure
/.xml
/README
}
header / {
Strict-Transport-Security "max-age=31536000;"
Referrer-Policy "no-referrer"
}
}

2
env/.gitignore vendored
View File

@ -1,2 +0,0 @@
/AWS
/aws.sh

BIN
env/AWS.secret vendored Normal file

Binary file not shown.

BIN
env/aws.sh.secret vendored Normal file

Binary file not shown.

54
systemd/README.md Normal file
View File

@ -0,0 +1,54 @@
Official service files for systemd
==================================
This folder contains the officially-maintained systemd files that should be used as a basis for your own deployments.
**⚠️ Always review your service file before using it! Change anything that you need to customize.**
## Instructions
See our website for [installation instructions](https://caddyserver.com/docs/install).
## Prerequisites
Running Caddy as a systemd service requires the following:
Group named `caddy`:
```bash
$ groupadd --system caddy
```
User named `caddy` with a writeable home folder:
```bash
$ useradd --system \
--gid caddy \
--create-home \
--home-dir /var/lib/caddy \
--shell /usr/sbin/nologin \
--comment "Caddy web server" \
caddy
```
## Choosing a service file
- **`caddy.service`** - Use this one if you configure Caddy with a file (for example, the Caddyfile, or a .json file).
- **`caddy-api.service`** - Use this one if you configure Caddy solely through its API.
The two files are identical except for the ExecStart and ExecReload commands.
## Important
Caddy receives all configuration through its [admin API](https://caddyserver.com/docs/api), even when the [command line interface (CLI)](https://caddyserver.com/docs/command-line) is used, which simply wraps up the API calls for you.
Most users will use either config files and the CLI [mutually exclusively](https://caddyserver.com/docs/getting-started#api-vs-config-files) with the API because it is simpler to have only one source of truth. However, you may wish to provide Caddy an initial "bootstrapping" configuration with a config file, and use the API thereafter.
**⚠️ If you provide an initial config file with the `--config` flag and then update the config using the API, you risk losing your changes if the service is restarted unless you have the `--resume` flag in your ExecStart command.**
Without the `--resume` flag, the `--config` flag will overwrite any last-known configuration.
However, it is totally safe and normal to use both the `--config` and `--resume` options together if you need to use both a config file and the API. Just be aware that if you update your config file and want to apply those changes, _stopping and starting the server is the wrong way to do this_. Restarting the service is orthogonal to config changes; this is a unique safety feature that guarantees durability and prevents data loss. If the config file has the latest changes, you should use the reload command instead.

0
systemd/persist Normal file → Executable file
View File