commit 3f9326e71f254a142decafaa4fbb050528955427 Author: Dmitry <124861781+ada-dmitry@users.noreply.github.com> Date: Mon Dec 1 18:44:10 2025 +0300 Добавить конфигурацию для развертывания Caddy и обновить файлы конфигурации для различных сервисов
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
new file mode 100644
index 0000000..25a17e1
--- /dev/null
+++ b/.gitea/workflows/deploy.yml
@@ -0,0 +1,47 @@
+name: Deploy Caddy
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+jobs:
+ validate:
+ runs-on: vps-runner
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Install Caddy
+ run: |
+ sudo apt update
+ sudo apt install -y caddy
+
+ - name: Validate Caddyfile
+ run: caddy validate --config Caddyfile
+
+ deploy:
+ needs: validate
+ if: github.event_name == 'push'
+ runs-on: self-hosted
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Backup current config
+ run: |
+ sudo cp /etc/caddy/Caddyfile /etc/caddy/Caddyfile.backup
+ sudo cp -r /etc/caddy/conf.d /etc/caddy/conf.d.backup
+
+ - name: Deploy configs
+ run: |
+ sudo cp Caddyfile /etc/caddy/
+ sudo cp -r conf.d/* /etc/caddy/conf.d/
+ sudo cp ssl/*.pem /etc/caddy/ssl/ || true
+
+ - name: Validate deployed config
+ run: sudo caddy validate --config /etc/caddy/Caddyfile
+
+ - name: Reload Caddy
+ run: sudo systemctl reload caddy
+
+ - name: Check Caddy status
+ run: sudo systemctl status caddy --no-pager
\ No newline at end of file
diff --git a/Caddyfile b/Caddyfile
new file mode 100644
index 0000000..565ae8c
--- /dev/null
+++ b/Caddyfile
@@ -0,0 +1,14 @@
+(mtls_protect) {
+ tls {
+ client_auth {
+ mode require_and_verify
+ trusted_ca_cert_file /etc/caddy/ssl/rootCA.pem
+ }
+ }
+}
+
+{
+ email antip.ada@yandex.ru
+}
+
+import conf.d/*.caddy
\ No newline at end of file
diff --git a/conf.d/gate.caddy b/conf.d/gate.caddy
new file mode 100644
index 0000000..836a715
--- /dev/null
+++ b/conf.d/gate.caddy
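Review bot: The deploy job has no rollback path: if `Validate deployed config` fails after `Deploy configs`, the rejected files stay in /etc/caddy and `Caddyfile.backup` is never restored, so the next reload from any source picks up the broken config. The backup step also degrades across runs — `sudo cp -r /etc/caddy/conf.d /etc/caddy/conf.d.backup` copies into the existing directory on the second run, producing `conf.d.backup/conf.d`, and `cp -r conf.d/* /etc/caddy/conf.d/` never removes vhost files that were deleted from the repo. On the supply-chain side, `on: pull_request` runs `sudo apt` on `vps-runner` for any PR, so anyone who can open a PR executes commands as root on that host; drop `pull_request` or gate the validate job on trusted branches, and pin `actions/checkout@v3` to a commit SHA rather than a mutable tag. The `|| true` on `sudo cp ssl/*.pem` also hides a failed copy of the CA that `mtls_protect` depends on, if `rootCA.pem` is meant to come from the repo's `ssl/` directory.
```yaml
      - name: Backup current config
        run: |
          sudo rm -rf /etc/caddy/conf.d.backup
          sudo cp /etc/caddy/Caddyfile /etc/caddy/Caddyfile.backup
          sudo cp -r /etc/caddy/conf.d /etc/caddy/conf.d.backup

      # … unchanged: Deploy configs step …

      - name: Validate deployed config
        run: |
          if ! sudo caddy validate --config /etc/caddy/Caddyfile; then
            sudo cp /etc/caddy/Caddyfile.backup /etc/caddy/Caddyfile
            sudo rm -rf /etc/caddy/conf.d
            sudo cp -r /etc/caddy/conf.d.backup /etc/caddy/conf.d
            exit 1
          fi
```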
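Review bot: `mtls_protect` accepts any certificate that chains to `/etc/caddy/ssl/rootCA.pem`, and nothing in this config adds a revocation check, so a lost or stolen client key stays valid until the CA itself is rotated; that trade-off belongs in a comment on the snippet, e.g. `# any leaf issued by rootCA.pem is accepted; no CRL — revoke by rotating the CA and reissuing clients`. Note also that `trusted_ca_cert_file` has been superseded by `trust_pool file` in recent Caddy releases; whether the apt-packaged build still accepts it is exactly what the validate job checks, but that job runs on `vps-runner` where `/etc/caddy/ssl/rootCA.pem` may not exist, so a failure there could be about the missing file rather than the syntax — worth confirming once.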
@@ -0,0 +1,28 @@
+http://gate.ada-dev.ru {
+ redir https://gate.ada-dev.ru{uri}
+}
+
+gate.ada-dev.ru {
+ import mtls_protect
+
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains"
+ }
+
+ encode zstd gzip
+
+ reverse_proxy http://192.168.1.20:8013 {
+ transport http {
+ versions 1.1
+ read_timeout 3600s
+ write_timeout 3600s
+ response_header_timeout 3600s
+ dial_timeout 3600s
+ }
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ flush_interval -1
+ }
+}
\ No newline at end of file
diff --git a/conf.d/git.caddy b/conf.d/git.caddy
new file mode 100644
index 0000000..e0deb95
--- /dev/null
+++ b/conf.d/git.caddy
@@ -0,0 +1,33 @@
+http://git.ada-dev.ru {
+ redir https://git.ada-dev.ru{uri}
+}
+
+git.ada-dev.ru {
+ # Сжатие ответа
+ encode zstd gzip
+
+ # Лимит на загрузки (артефакты/репы)
+ request_body {
+ max_size 10GB
+ }
+
+ # Основной прокси на git-сервис
+ reverse_proxy 192.168.1.20:8005 {
+ # Таймауты ~ как в nginx (60s)
+ transport http {
+ dial_timeout 60s
+ response_header_timeout 60s
+ read_timeout 60s
+ write_timeout 60s
+ versions 1.1
+ }
+ # Явные заголовки вверх
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+
+ # Потоковая передача (хорошо для больших ответов)
+ flush_interval -1
+ }
+}
\ No newline at end of file
diff --git a/conf.d/notes.caddy b/conf.d/notes.caddy
new file mode 100644
index 0000000..7b5f841
--- /dev/null
+++ b/conf.d/notes.caddy
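Review bot: `dial_timeout 3600s` in the transport block means a request to an unreachable `192.168.1.20:8013` can wait in the dial for as long as the OS lets it instead of failing fast; the dial should stay short (`dial_timeout 10s`) while `read_timeout`/`write_timeout` carry the long-lived sessions, and the identical block is repeated in portainer, pve, sync and uptime. `header_up Host {host}` restates what `reverse_proxy` already does with the incoming Host, and `header_up X-Forwarded-For {remote_host}` overwrites whatever the client sent — the right choice at an internet edge, but a one-line comment (`# overwrite, do not append: Caddy is the edge and client-supplied XFF is untrusted`) would stop a later edit from switching it to appending.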
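Review bot: git.ada-dev.ru is the only non-mTLS vhost in this commit besides notes that sends no `Strict-Transport-Security` header (pass.caddy does), so the first plain-HTTP visit remains a downgrade window until the 301 is followed; add `header Strict-Transport-Security "max-age=31536000; includeSubDomains"` to the https site block. The `max_size 10GB` limit also sits uneasily with `write_timeout 60s`: if that timeout bounds writing the request body to the upstream, as Caddy's transport documentation describes, a multi-gigabyte push that takes longer than a minute is cut off mid-transfer, so either raise `write_timeout` or add a comment explaining why 60s is enough. Since this host serves the repository that drives `.gitea/workflows/deploy.yml` on a root-capable runner, it is also the vhost most worth considering for `mtls_protect`.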
@@ -0,0 +1,28 @@
+http://notes.ada-dev.ru {
+ redir https://trilium.ada-dev.ru{uri}
+}
+
+notes.ada-dev.ru {
+ encode zstd gzip
+
+ request_body {
+ max_size 1GB
+ }
+
+ reverse_proxy 192.168.1.20:8012 {
+ transport http {
+ dial_timeout 60s
+ response_header_timeout 60s
+ read_timeout 60s
+ write_timeout 60s
+ versions 1.1
+ }
+
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+
+ flush_interval -1
+ }
+}
\ No newline at end of file
diff --git a/conf.d/pass.caddy b/conf.d/pass.caddy
new file mode 100644
index 0000000..b2059eb
--- /dev/null
+++ b/conf.d/pass.caddy
@@ -0,0 +1,43 @@
+http://pass.ada-dev.ru {
+ redir https://pass.ada-dev.ru{uri}
+}
+
+pass.ada-dev.ru {
+ encode zstd gzip
+
+ # Увеличенный лимит для загрузки файлов и вложений
+ request_body {
+ max_size 525MB
+ }
+
+ # Заголовки безопасности для Vaultwarden
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ X-Content-Type-Options "nosniff"
+ X-Frame-Options "SAMEORIGIN"
+ Referrer-Policy "same-origin"
+ }
+
+ # WebSocket для уведомлений в реальном времени
+ @websocket {
+ header Connection *Upgrade*
+ header Upgrade websocket
+ path /notifications/hub
+ }
+
+ reverse_proxy @websocket 192.168.1.20:8001 {
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ }
+
+ # Основной HTTP трафик
+ reverse_proxy 192.168.1.20:8000 {
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ flush_interval -1
+ }
+}
\ No newline at end of file
diff --git a/conf.d/portainer.caddy b/conf.d/portainer.caddy
new file mode 100644
index 0000000..17045de
--- /dev/null
+++ b/conf.d/portainer.caddy
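Review bot: The plain-HTTP block `http://notes.ada-dev.ru` redirects to `https://trilium.ada-dev.ru{uri}`, a hostname no site block in this commit serves, so any http:// visit to notes.ada-dev.ru lands on a dead or unrelated name; it should read `redir https://notes.ada-dev.ru{uri}` like every other vhost here. Unlike gate, pve, sync and uptime this site also has neither `import mtls_protect` nor an HSTS header, leaving a notes application on the public internet behind its own login alone — if that is deliberate, a comment saying so would help, otherwise `import mtls_protect` and `header Strict-Transport-Security "max-age=31536000; includeSubDomains"` are the two lines to add.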
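Review bot: pass.ada-dev.ru proxies every path to the internet, including Vaultwarden's `/admin` panel if it is enabled, which is then guarded by the admin token alone — while print.caddy in the same commit already shows the `remote_ip` LAN-gate pattern this file could reuse for that path. Restricting `/admin` to the LAN (or wrapping it in `mtls_protect`) is a few lines placed before the main `reverse_proxy`, shown below. The `preload` token in the HSTS value only takes effect once the registrable domain is submitted to the preload list, which the preload process expects on the apex rather than on a subdomain; harmless here but worth a comment so nobody assumes it is active. Finally, the `@websocket` split to port 8001 looks like the older separate-websocket Vaultwarden layout; recent releases serve `/notifications/hub` on the main port, so verify the second backend is still needed and note the version it targets.
```caddyfile
  # … unchanged: encode / request_body / header blocks …

  # Admin panel is LAN-only; everything else stays public.
  @admin {
    path /admin*
    not remote_ip 192.168.1.0/24
  }
  respond @admin "Access denied" 403

  # … unchanged: @websocket matcher and both reverse_proxy blocks …
```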
@@ -0,0 +1,28 @@
+http://portainer.ada-dev.ru {
+ redir https://portainer.ada-dev.ru{uri}
+}
+
+portainer.ada-dev.ru {
+ import mtls_protect
+
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains"
+ }
+
+ encode zstd gzip
+
+ reverse_proxy http://192.168.1.20:8010 {
+ transport http {
+ versions 1.1
+ read_timeout 3600s
+ write_timeout 3600s
+ response_header_timeout 3600s
+ dial_timeout 3600s
+ }
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ flush_interval -1
+ }
+}
\ No newline at end of file
diff --git a/conf.d/print.caddy b/conf.d/print.caddy
new file mode 100644
index 0000000..5656006
--- /dev/null
+++ b/conf.d/print.caddy
@@ -0,0 +1,17 @@
+print.ada-dev.ru {
+ @lan {
+ remote_ip 192.168.1.0/24
+ }
+
+ handle @lan {
+ reverse_proxy 192.168.1.15:631
+ }
+
+ handle {
+ respond "Access denied" 403
+ }
+}
+
+http://print.ada-dev.ru {
+ redir https://print.ada-dev.ru{uri}
+}
\ No newline at end of file
diff --git a/conf.d/pve.caddy b/conf.d/pve.caddy
new file mode 100644
index 0000000..ad6b3dd
--- /dev/null
+++ b/conf.d/pve.caddy
@@ -0,0 +1,33 @@
+http://pve.ada-dev.ru {
+ redir https://pve.ada-dev.ru{uri}
+}
+
+pve.ada-dev.ru {
+ import mtls_protect
+
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains"
+ }
+
+ encode zstd gzip
+
+ request_body {
+ max_size 10GB
+ }
+
+ reverse_proxy https://192.168.1.10:8006 {
+ transport http {
+ versions 1.1
+ tls_insecure_skip_verify
+ read_timeout 3600s
+ write_timeout 3600s
+ response_header_timeout 3600s
+ dial_timeout 3600s
+ }
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ flush_interval -1
+ }
+}
\ No newline at end of file
diff --git a/conf.d/sync.caddy b/conf.d/sync.caddy
new file mode 100644
index 0000000..121ac26
--- /dev/null
+++ b/conf.d/sync.caddy
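Review bot: The mTLS + HSTS + encode + 3600s-transport + header_up body of this site is byte-for-byte the one in gate.caddy and uptime.caddy, and differs from pve/sync only by the TLS transport lines, so a change such as shortening `dial_timeout` has to be made in five files; a parameterised snippet next to `mtls_protect` in the Caddyfile, e.g. `(admin_proxy) { import mtls_protect … reverse_proxy {args[0]} { … } }`, would reduce this file to `import admin_proxy http://192.168.1.20:8010`. Until then, a header comment naming the service behind port 8010 and the access model (`# Portainer UI — admin-only via client certificate from rootCA.pem`) would help the next reader, since the file name is the only hint.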
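Review bot: The `remote_ip 192.168.1.0/24` gate in `@lan` only does what it promises if Caddy is the edge that sees the real TCP peer address; should this host ever sit behind another proxy or NAT, every request would carry the intermediary's IP and either all or none of the LAN would match, so the assumption deserves a comment such as `# Caddy must be the edge: remote_ip is the TCP peer, not X-Forwarded-For`. CUPS also validates the Host header by default, so proxying with the original `Host: print.ada-dev.ru` may be answered with 400 unless `ServerAlias print.ada-dev.ru` is set in cupsd.conf or Caddy rewrites it with `header_up Host {upstream_hostport}`; whichever was done, a note beside the `reverse_proxy 192.168.1.15:631` line would save the next person the debugging.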
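Review bot: `tls_insecure_skip_verify` turns the hop to `https://192.168.1.10:8006` into an encrypted but unauthenticated session, so anything that can answer for that address on the LAN can impersonate the hypervisor and capture the admin session that the client-certificate requirement at the front was meant to protect. Proxmox ships its own CA on the node (`/etc/pve/pve-root-ca.pem`); copy it to `/etc/caddy/ssl/` and replace the directive with `tls_trusted_ca_certs /etc/caddy/ssl/pve-root-ca.pem` plus `tls_server_name <hostname in the node certificate>`, since the upstream is dialled by IP. The same directive appears in sync.caddy and should get the same treatment.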
@@ -0,0 +1,33 @@
+http://sync.ada-dev.ru {
+ redir https://sync.ada-dev.ru{uri}
+}
+
+sync.ada-dev.ru {
+ import mtls_protect
+
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains"
+ }
+
+ encode zstd gzip
+
+ request_body {
+ max_size 10GB
+ }
+
+ reverse_proxy https://192.168.1.20:8003 {
+ transport http {
+ versions 1.1
+ tls_insecure_skip_verify
+ read_timeout 3600s
+ write_timeout 3600s
+ response_header_timeout 3600s
+ dial_timeout 3600s
+ }
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ flush_interval -1
+ }
+}
\ No newline at end of file
diff --git a/conf.d/uptime.caddy b/conf.d/uptime.caddy
new file mode 100644
index 0000000..3e70d84
--- /dev/null
+++ b/conf.d/uptime.caddy
@@ -0,0 +1,28 @@
+http://uptime.ada-dev.ru {
+ redir https://uptime.ada-dev.ru{uri}
+}
+
+uptime.ada-dev.ru {
+ import mtls_protect
+
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains"
+ }
+
+ encode zstd gzip
+
+ reverse_proxy http://192.168.1.20:8011 {
+ transport http {
+ versions 1.1
+ read_timeout 3600s
+ write_timeout 3600s
+ response_header_timeout 3600s
+ dial_timeout 3600s
+ }
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ flush_interval -1
+ }
+}
\ No newline at end of file
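Review bot: `tls_insecure_skip_verify` disables verification of the upstream at `https://192.168.1.20:8003` just as in pve.caddy, so the hop from Caddy to the sync service is encrypted but not authenticated; if the service presents a self-signed certificate, pin it instead with `tls_trusted_ca_certs /etc/caddy/ssl/<service>.pem` (plus `tls_server_name` when its SAN is not the IP), or, since the upstream is on the same LAN host as most other backends here, proxy to its plain-HTTP listener and drop the TLS transport options altogether. A short comment naming which service sits on 8003 and why it is reached over TLS would also help the next reader, as the file name is the only clue.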
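Review bot: Placing uptime.ada-dev.ru under `import mtls_protect` requires a client certificate for every path on this host, not just the dashboard, so if the monitored services push heartbeats to it or if external viewers are expected to open a status page, they will be refused at the TLS handshake rather than with an HTTP error; if the monitor only pulls and the dashboard is admin-only, that is the right setting, but a one-line comment such as `# client cert required for everything, including push monitors and status pages` would make the choice explicit.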