From 658f4739833367f4d5c08029acd777da2bdc6121 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Billet?=
Date: Wed, 26 Nov 2025 23:07:37 +0100
Subject: [PATCH] Added back config-files that were lost.
---
 config-files/docker/hass/mosquitto.conf | 8 ++++
 config-files/docker/traefik/headers.yaml | 20 ++++++++
 config-files/docker/traefik/nextcloud.yaml | 41 ++++++++++++++++
 config-files/docker/traefik/tls.yaml | 12 +++++
 config-files/docker/traefik/traefik.yaml | 54 ++++++++++++++++++++++
 deploy.sh | 24 +++++----
 6 files changed, 147 insertions(+), 12 deletions(-)
 create mode 100644 config-files/docker/hass/mosquitto.conf
 create mode 100644 config-files/docker/traefik/headers.yaml
 create mode 100644 config-files/docker/traefik/nextcloud.yaml
 create mode 100644 config-files/docker/traefik/tls.yaml
 create mode 100644 config-files/docker/traefik/traefik.yaml
diff --git a/config-files/docker/hass/mosquitto.conf b/config-files/docker/hass/mosquitto.conf
new file mode 100644
index 0000000..c1effb6
--- /dev/null
+++ b/config-files/docker/hass/mosquitto.conf
@@ -0,0 +1,8 @@
+persistence true
+persistence_location /mosquitto/data/
+log_dest file /mosquitto/log/mosquitto.log
+listener 1883
+
+## Authentication ##
+allow_anonymous false
+password_file /mosquitto/config/password.txt
\ No newline at end of file
diff --git a/config-files/docker/traefik/headers.yaml b/config-files/docker/traefik/headers.yaml
new file mode 100644
index 0000000..05b7d7e
--- /dev/null
+++ b/config-files/docker/traefik/headers.yaml
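Review bot: `listener 1883` configures no TLS, so the credentials that `password_file` protects are sent in cleartext by every client; that is acceptable only while the port stays reachable solely inside the hass Docker network, and the file should say so, e.g. `# plain MQTT on 1883: keep this listener internal to the hass network`. Separately, this file and the four Traefik files all end without a trailing newline (`\ No newline at end of file`), which will keep producing diff noise on every later edit.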
@@ -0,0 +1,20 @@
+http:
+ middlewares:
+ passbolt:
+ headers:
+ FrameDeny: true
+ AccessControlAllowMethods: 'GET,OPTIONS,PUT'
+ AccessControlAllowOriginList:
+ - origin-list-or-null
+ AccessControlMaxAge: 100
+ AddVaryHeader: true
+ BrowserXssFilter: true
+ ContentTypeNosniff: true
+ ForceSTSHeader: true
+ STSIncludeSubdomains: true
+ STSPreload: true
+ ContentSecurityPolicy: default-src 'self' 'unsafe-inline'
+ CustomFrameOptionsValue: SAMEORIGIN
+ ReferrerPolicy: same-origin
+ PermissionsPolicy: vibrate 'self'
+ STSSeconds: 315360000
\ No newline at end of file
diff --git a/config-files/docker/traefik/nextcloud.yaml b/config-files/docker/traefik/nextcloud.yaml
new file mode 100644
index 0000000..c1616fe
--- /dev/null
+++ b/config-files/docker/traefik/nextcloud.yaml
@@ -0,0 +1,41 @@
+http:
+ routers:
+ nextcloud:
+ rule: "Host(`nextcloud.${DOMAIN_NAME}`)"
+ entrypoints:
+ - "websecure"
+ service: nextcloud
+ middlewares:
+ - nextcloud-chain
+ tls:
+ certresolver: "cloudflare"
+
+ services:
+ nextcloud:
+ loadBalancer:
+ servers:
+ - url: "http://nextcloud-aio-apache:11000"
+
+ middlewares:
+ nextcloud-secure-headers:
+ headers:
+ hostsProxyHeaders:
+ - "X-Forwarded-Host"
+ referrerPolicy: "same-origin"
+ BrowserXssFilter: true
+ ContentTypeNosniff: true
+ ForceSTSHeader: true
+ STSIncludeSubdomains: true
+ STSPreload: true
+ STSSeconds: 315360000
+
+ https-redirect:
+ redirectscheme:
+ scheme: https
+
+ nextcloud-chain:
+ chain:
+ middlewares:
+ # - ... (e.g. rate limiting middleware)
+ - https-redirect
+ - nextcloud-secure-headers
\ No newline at end of file
diff --git a/config-files/docker/traefik/tls.yaml b/config-files/docker/traefik/tls.yaml
new file mode 100644
index 0000000..ee52752
--- /dev/null
+++ b/config-files/docker/traefik/tls.yaml
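Review bot: `AccessControlAllowOriginList` contains `origin-list-or-null`, which looks like the placeholder from the Traefik documentation rather than a real origin, so the CORS allow-list as committed matches no browser origin; since deploy.sh pipes this file through envsubst, the real value can use the same variable the Nextcloud router uses, e.g. `- https://passbolt.${DOMAIN_NAME}` (constructed example, adjust to the actual Passbolt host). `PermissionsPolicy: vibrate 'self'` uses the older Feature-Policy grammar; Permissions-Policy expects the `feature=(allowlist)` form, so browsers will most likely ignore this value. `ContentSecurityPolicy: default-src 'self' 'unsafe-inline'` permits inline script; if Passbolt requires that, a one-line comment stating so would stop a future reviewer from tightening it blindly.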
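Review bot: The `nextcloud-secure-headers` block mixes key casings — `hostsProxyHeaders` and `referrerPolicy` are camelCase while `BrowserXssFilter`, `ContentTypeNosniff`, `ForceSTSHeader`, `STSIncludeSubdomains`, `STSPreload` and `STSSeconds` are PascalCase, and headers.yaml in the same commit uses PascalCase throughout. Traefik's file provider appears to treat keys case-insensitively, so this is cosmetic, but one convention per file makes the two middleware definitions easier to compare. The commented placeholder `# - ... (e.g. rate limiting middleware)` inside `nextcloud-chain` reads like an upstream example left in place; either add the middleware or drop the line.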
@@ -0,0 +1,12 @@
+tls:
+ options:
+ default:
+ minVersion: VersionTLS12
+ sniStrict: true
+ curvePreferences:
+ - CurveP521
+ - CurveP384
+ cipherSuites:
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
\ No newline at end of file
diff --git a/config-files/docker/traefik/traefik.yaml b/config-files/docker/traefik/traefik.yaml
new file mode 100644
index 0000000..5f67992
--- /dev/null
+++ b/config-files/docker/traefik/traefik.yaml
@@ -0,0 +1,54 @@
+global:
+ checkNewVersion: false
+ sendAnonymousUsage: false
+
+# - level: [TRACE, DEBUG, INFO, WARN, ERROR, FATAL]
+log:
+ level: ERROR
+
+accesslog: {}
+
+api:
+ dashboard: true
+ insecure: true
+
+entryPoints:
+ web:
+ address: :80
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ websecure:
+ address: :443
+ forwardedHeaders:
+ trustedIPs:
+ # Local IPs
+ - "127.0.0.1/32"
+ - "10.0.0.0/8"
+ - "192.168.0.0/16"
+ - "172.16.0.0/12"
+
+ certificatesResolvers:
+ cloudflare:
+ acme:
+ email: ${EMAIL_ADDRESS}
+ storage: /var/traefik/certs/cloudflare-acme.json
+ caServer: "https://acme-v02.api.letsencrypt.org/directory"
+ dnsChallenge:
+ provider: cloudflare
+ resolvers:
+ - "1.1.1.1:53"
+ - "9.9.9.9:53"
+
+ serversTransport:
+ insecureSkipVerify: true
+
+ providers:
+ docker:
+ exposedByDefault: false
+ network: nextcloud-aio, passbolt_frontend, pihole, hass_frontend, immich_frontend
+ file:
+ directory: "/etc/traefik/conf/"
+ watch: true
\ No newline at end of file
diff --git a/deploy.sh b/deploy.sh
index 566510f..feda5de 100755
--- a/deploy.sh
+++ b/deploy.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env nix-shell
-#!nix-shell -i bash -p gum openssl sops ssh-to-age age sshpass envsubst pciutils usbutils
+#!nix-shell -i bash -p gum openssl sops ssh-to-age age sshpass envsubst pciutils usbutils mosquitto
 
 prerun_action() {
 echo -e "$1"
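Review bot: `cipherSuites` lists only `TLS_ECDHE_ECDSA_*` suites, while the `cloudflare` ACME resolver in traefik.yaml sets no `keyType`, and Traefik's documented default for ACME keys is RSA4096; with an RSA certificate none of these suites is usable, so TLS 1.2 clients would fail the handshake (TLS 1.3 is unaffected because Go does not apply `cipherSuites` to it). Either add `keyType: EC256` under the resolver's `acme` block in traefik.yaml, or add the matching `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` and `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` entries here. Whichever is chosen, a comment above `cipherSuites` naming the certificate key type it assumes would keep the two files from drifting apart.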
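Review bot: `api.insecure: true` serves the dashboard and the `/api` endpoints on Traefik's default port 8080 without any authentication, exposing every router, service and middleware definition (including backend URLs) to anyone who can reach that port; prefer `insecure: false` with the dashboard routed through a `websecure` router behind an auth middleware, or at minimum a comment stating that 8080 is never published outside the Docker host. `serversTransport.insecureSkipVerify: true` disables backend certificate verification for every service globally, while the only backend defined in this commit (`http://nextcloud-aio-apache:11000`) is plain HTTP, so it looks unneeded; if one self-signed backend needs it, a per-service `serversTransports` entry limits the exposure. `providers.docker.network` takes a single network name, so the comma-separated value `nextcloud-aio, passbolt_frontend, ...` will most likely be treated as one non-existent network — confirm against the Traefik version in use and consider per-container `traefik.docker.network` labels instead.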
@@ -161,11 +161,11 @@ files_generation() {
 echo -e "\n\n ✅ Generating necessary folder tree..."
 mkdir -p extra-files/var/lib/sops-nix/
 mkdir -p extra-files/etc/nixos/secrets/
- mkdir -p extra-files/mnt/config-storage/traefik/config/conf
- mkdir -p extra-files/mnt/config-storage/hass/mqtt/config
- mkdir -p extra-files/mnt/config-storage/hass/mqtt/data
- mkdir -p extra-files/mnt/data-storage/nextcloud
- mkdir -p extra-files/mnt/data-storage/immich
+ mkdir -p extra-files/mnt/config-storage/traefik/config/conf/
+ mkdir -p extra-files/mnt/config-storage/hass/mqtt/config/
+ mkdir -p extra-files/mnt/config-storage/hass/mqtt/data/
+ mkdir -p extra-files/mnt/data-storage/nextcloud/
+ mkdir -p extra-files/mnt/data-storage/immich/
 
 echo -e "\n\n ✅ Generating sops-nix keys..."
 ssh-to-age -private-key -i extra-files/home/numbus-admin/.ssh/id_ed25519 > extra-files/var/lib/sops-nix/key.txt
@@ -231,14 +231,14 @@ files_generation() {
 done
 
 echo -e "\n\n ✅ Writing docker configuration files..."
- envsubst < config-files/traefik/headers.yaml > extra-files/mnt/config-storage/traefik/config/conf/headers.yaml
- envsubst < config-files/traefik/nextcloud.yaml > extra-files/mnt/config-storage/traefik/config/conf/nextcloud.yaml
- envsubst < config-files/traefik/tls.yaml > extra-files/mnt/config-storage/traefik/config/conf/tls.yaml
- envsubst < config-files/traefik/traefik.yaml > extra-files/mnt/config-storage/traefik/config/traefik.yaml
- envsubst < config-files/hass/mosquitto.conf > extra-files/mnt/config-storage/hass/mqtt/config/mosquitto.conf
+ envsubst < config-files/docker/traefik/headers.yaml > extra-files/mnt/config-storage/traefik/config/conf/headers.yaml
+ envsubst < config-files/docker/traefik/nextcloud.yaml > extra-files/mnt/config-storage/traefik/config/conf/nextcloud.yaml
+ envsubst < config-files/docker/traefik/tls.yaml > extra-files/mnt/config-storage/traefik/config/conf/tls.yaml
+ envsubst < config-files/docker/traefik/traefik.yaml > extra-files/mnt/config-storage/traefik/config/traefik.yaml
+ envsubst < config-files/docker/hass/mosquitto.conf > extra-files/mnt/config-storage/hass/mqtt/config/mosquitto.conf
 touch extra-files/mnt/config-storage/hass/mqtt/config/password.txt
 chmod 0700 extra-files/mnt/config-storage/hass/mqtt/config/password.txt
- nix shell nixpkgs#mosquitto -c mosquitto_passwd -b extra-files/mnt/config-storage/hass/mqtt/config/password.txt $HOME_ASSISTANT_MQTT_USER $HOME_ASSISTANT_MQTT_PASSWORD
+ mosquitto_passwd -b extra-files/mnt/config-storage/hass/mqtt/config/password.txt $HOME_ASSISTANT_MQTT_USER $HOME_ASSISTANT_MQTT_PASSWORD
 }
 
 disk_config_generation() {
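Review bot: The new `mosquitto_passwd -b ...` line passes `$HOME_ASSISTANT_MQTT_USER` and `$HOME_ASSISTANT_MQTT_PASSWORD` unquoted, so a password containing spaces or glob characters is word-split or expanded by the shell before mosquitto_passwd sees it; quote both, `mosquitto_passwd -b extra-files/mnt/config-storage/hass/mqtt/config/password.txt "$HOME_ASSISTANT_MQTT_USER" "$HOME_ASSISTANT_MQTT_PASSWORD"`. mosquitto_passwd documents `-b` batch mode as placing the password on the command line, where it is visible to other local users in the process list for the duration of the call; on a shared deployment host the interactive mode avoids that, and either choice deserves a comment. The preceding `chmod 0700` on password.txt also grants execute on a data file; `chmod 0600` expresses the intent. files_generation ends inside this hunk, and disk_config_generation continues past it.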