From 3f9326e71f254a142decafaa4fbb050528955427 Mon Sep 17 00:00:00 2001 From: Dmitry <124861781+ada-dmitry@users.noreply.github.com> Date: Mon, 1 Dec 2025 18:44:10 +0300 Subject: [PATCH] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=B8=D1=82?= =?UTF-8?q?=D1=8C=20=D0=BA=D0=BE=D0=BD=D1=84=D0=B8=D0=B3=D1=83=D1=80=D0=B0?= =?UTF-8?q?=D1=86=D0=B8=D1=8E=20=D0=B4=D0=BB=D1=8F=20=D1=80=D0=B0=D0=B7?= =?UTF-8?q?=D0=B2=D0=B5=D1=80=D1=82=D1=8B=D0=B2=D0=B0=D0=BD=D0=B8=D1=8F=20?= =?UTF-8?q?Caddy=20=D0=B8=20=D0=BE=D0=B1=D0=BD=D0=BE=D0=B2=D0=B8=D1=82?= =?UTF-8?q?=D1=8C=20=D1=84=D0=B0=D0=B9=D0=BB=D1=8B=20=D0=BA=D0=BE=D0=BD?= =?UTF-8?q?=D1=84=D0=B8=D0=B3=D1=83=D1=80=D0=B0=D1=86=D0=B8=D0=B8=20=D0=B4?= =?UTF-8?q?=D0=BB=D1=8F=20=D1=80=D0=B0=D0=B7=D0=BB=D0=B8=D1=87=D0=BD=D1=8B?= =?UTF-8?q?=D1=85=20=D1=81=D0=B5=D1=80=D0=B2=D0=B8=D1=81=D0=BE=D0=B2?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitea/workflows/deploy.yml | 47 +++++++++++++++++++++++++++++++++++++ Caddyfile | 14 +++++++++++ conf.d/gate.caddy | 28 ++++++++++++++++++++++ conf.d/git.caddy | 33 ++++++++++++++++++++++++++ conf.d/notes.caddy | 28 ++++++++++++++++++++++ conf.d/pass.caddy | 43 +++++++++++++++++++++++++++++++++ conf.d/portainer.caddy | 28 ++++++++++++++++++++++ conf.d/print.caddy | 17 ++++++++++++++ conf.d/pve.caddy | 33 ++++++++++++++++++++++++++ conf.d/sync.caddy | 33 ++++++++++++++++++++++++++ conf.d/uptime.caddy | 28 ++++++++++++++++++++++ 11 files changed, 332 insertions(+) create mode 100644 .gitea/workflows/deploy.yml create mode 100644 Caddyfile create mode 100644 conf.d/gate.caddy create mode 100644 conf.d/git.caddy create mode 100644 conf.d/notes.caddy create mode 100644 conf.d/pass.caddy create mode 100644 conf.d/portainer.caddy create mode 100644 conf.d/print.caddy create mode 100644 conf.d/pve.caddy create mode 100644 conf.d/sync.caddy create mode 100644 conf.d/uptime.caddy 
diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
new file mode 100644
index 0000000..25a17e1
--- /dev/null
+++ b/.gitea/workflows/deploy.yml
@@ -0,0 +1,47 @@
+name: Deploy Caddy
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+jobs:
+ validate:
+ runs-on: vps-runner
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Install Caddy
+ run: |
+ sudo apt update
+ sudo apt install -y caddy
+
+ - name: Validate Caddyfile
+ run: caddy validate --config Caddyfile
+
+ deploy:
+ needs: validate
+ if: github.event_name == 'push'
+ runs-on: self-hosted
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Backup current config
+ run: |
+ sudo cp /etc/caddy/Caddyfile /etc/caddy/Caddyfile.backup
+ sudo cp -r /etc/caddy/conf.d /etc/caddy/conf.d.backup
+
+ - name: Deploy configs
+ run: |
+ sudo cp Caddyfile /etc/caddy/
+ sudo cp -r conf.d/* /etc/caddy/conf.d/
+ sudo cp ssl/*.pem /etc/caddy/ssl/ || true
+
+ - name: Validate deployed config
+ run: sudo caddy validate --config /etc/caddy/Caddyfile
+
+ - name: Reload Caddy
+ run: sudo systemctl reload caddy
+
+ - name: Check Caddy status
+ run: sudo systemctl status caddy --no-pager
\ No newline at end of file
diff --git a/Caddyfile b/Caddyfile
new file mode 100644
index 0000000..565ae8c
--- /dev/null
+++ b/Caddyfile
@@ -0,0 +1,14 @@
+(mtls_protect) {
+ tls {
+ client_auth {
+ mode require_and_verify
+ trusted_ca_cert_file /etc/caddy/ssl/rootCA.pem
+ }
+ }
+}
+
+{
+ email antip.ada@yandex.ru
+}
+
+import conf.d/*.caddy
\ No newline at end of file
diff --git a/conf.d/gate.caddy b/conf.d/gate.caddy
new file mode 100644
index 0000000..836a715
--- /dev/null
+++ b/conf.d/gate.caddy
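Review bot: The `pull_request` trigger runs the `validate` job on a self-hosted runner (`vps-runner`) that checks out the PR's content and then runs passwordless `sudo apt`, so anyone who can open a PR against `main` gets root-level code execution on that host unless the Gitea instance refuses workflows from untrusted contributors — confirm that before merging, or drop `pull_request` from `on:` and validate on push only. Separately, if `Validate deployed config` fails the broken files are already in `/etc/caddy` and the backup taken two steps earlier is never restored, so the next `systemctl restart caddy` would load them; a restore step guarded by `if: failure()` closes that gap. `actions/checkout@v3` is a mutable tag and should be pinned to a commit SHA on a runner with sudo. `sudo cp ssl/*.pem /etc/caddy/ssl/ || true` expects PEM material in the repository, yet no `ssl/` directory is in this commit's diffstat — if that directory is meant to carry private keys, keep them out of git and provision them on the host instead.
```yaml
      - name: Validate deployed config
        run: sudo caddy validate --config /etc/caddy/Caddyfile

      - name: Restore previous config on failure
        if: failure()
        run: |
          sudo cp /etc/caddy/Caddyfile.backup /etc/caddy/Caddyfile
          sudo rm -rf /etc/caddy/conf.d
          sudo cp -r /etc/caddy/conf.d.backup /etc/caddy/conf.d

      # … unchanged: Reload Caddy, Check Caddy status …
```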
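Review bot: `trusted_ca_cert_file /etc/caddy/ssl/rootCA.pem` is an absolute host path, so the `caddy validate --config Caddyfile` step that the workflow runs on a freshly apt-installed Caddy will most likely fail — or silently validate against whatever happens to be at that path on the runner — unless the CA is already present there; a relative `ssl/rootCA.pem` would validate in CI, but only if the CA certificate (never its key) is committed. The `mtls_protect` snippet is also the natural home for the `Strict-Transport-Security` header that every site importing it currently repeats by hand; moving it in here keeps the protected sites from drifting. A one-line comment would help the next reader: `# Clients must present a cert chaining to rootCA.pem; Caddy's built-in client_auth appears to do no CRL/OCSP check, so revocation means rotating the CA — confirm.`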
@@ -0,0 +1,28 @@
+http://gate.ada-dev.ru {
+ redir https://gate.ada-dev.ru{uri}
+}
+
+gate.ada-dev.ru {
+ import mtls_protect
+
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains"
+ }
+
+ encode zstd gzip
+
+ reverse_proxy http://192.168.1.20:8013 {
+ transport http {
+ versions 1.1
+ read_timeout 3600s
+ write_timeout 3600s
+ response_header_timeout 3600s
+ dial_timeout 3600s
+ }
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ flush_interval -1
+ }
+}
\ No newline at end of file
diff --git a/conf.d/git.caddy b/conf.d/git.caddy
new file mode 100644
index 0000000..e0deb95
--- /dev/null
+++ b/conf.d/git.caddy
@@ -0,0 +1,33 @@
+http://git.ada-dev.ru {
+ redir https://git.ada-dev.ru{uri}
+}
+
+git.ada-dev.ru {
+ # Сжатие ответа
+ encode zstd gzip
+
+ # Лимит на загрузки (артефакты/репы)
+ request_body {
+ max_size 10GB
+ }
+
+ # Основной прокси на git-сервис
+ reverse_proxy 192.168.1.20:8005 {
+ # Таймауты ~ как в nginx (60s)
+ transport http {
+ dial_timeout 60s
+ response_header_timeout 60s
+ read_timeout 60s
+ write_timeout 60s
+ versions 1.1
+ }
+ # Явные заголовки вверх
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+
+ # Потоковая передача (хорошо для больших ответов)
+ flush_interval -1
+ }
+}
\ No newline at end of file
diff --git a/conf.d/notes.caddy b/conf.d/notes.caddy
new file mode 100644
index 0000000..7b5f841
--- /dev/null
+++ b/conf.d/notes.caddy
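Review bot: `dial_timeout 3600s` lets a single TCP connect attempt to 192.168.1.20:8013 hang for an hour before Caddy gives up, which holds the client connection open and hides a dead backend behind a spinner; the connect should fail fast while the read/write timeouts stay long for long-lived streams — `dial_timeout 10s`. The explicit `header_up X-Forwarded-For {remote_host}` replaces rather than appends, which is the safe choice here because a client-supplied `X-Forwarded-For` never reaches the upstream; a comment such as `# overwrite, not append: never forward a client-supplied X-Forwarded-For` would stop the next maintainer from "fixing" it. `header_up Host {host}` is reverse_proxy's default behaviour and can be dropped or commented as deliberate.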
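Review bot: This is the only publicly reachable site in the set without a `Strict-Transport-Security` header, so the one-time `http://` redirect stays downgradeable on every visit; add the same `header { Strict-Transport-Security "max-age=31536000; includeSubDomains" }` block the sibling files use. `request_body { max_size 10GB }` applies to every request, including login and API calls; Caddy's `request_body` accepts a matcher, so a `@upload path /api/* /*/git-upload-pack /*/git-receive-pack` scoped limit (exact paths depend on the Gitea version) with a small default for everything else would bound what an unauthenticated client can push at the service. The comments are in Russian; since the rest of the repo's tooling is English, consider translating them (`# Upload limit (artifacts/repos)`, `# Timeouts ~ like nginx (60s)`, `# Streaming: good for large responses`).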
@@ -0,0 +1,28 @@
+http://notes.ada-dev.ru {
+ redir https://trilium.ada-dev.ru{uri}
+}
+
+notes.ada-dev.ru {
+ encode zstd gzip
+
+ request_body {
+ max_size 1GB
+ }
+
+ reverse_proxy 192.168.1.20:8012 {
+ transport http {
+ dial_timeout 60s
+ response_header_timeout 60s
+ read_timeout 60s
+ write_timeout 60s
+ versions 1.1
+ }
+
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+
+ flush_interval -1
+ }
+}
\ No newline at end of file
diff --git a/conf.d/pass.caddy b/conf.d/pass.caddy
new file mode 100644
index 0000000..b2059eb
--- /dev/null
+++ b/conf.d/pass.caddy
@@ -0,0 +1,43 @@
+http://pass.ada-dev.ru {
+ redir https://pass.ada-dev.ru{uri}
+}
+
+pass.ada-dev.ru {
+ encode zstd gzip
+
+ # Увеличенный лимит для загрузки файлов и вложений
+ request_body {
+ max_size 525MB
+ }
+
+ # Заголовки безопасности для Vaultwarden
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ X-Content-Type-Options "nosniff"
+ X-Frame-Options "SAMEORIGIN"
+ Referrer-Policy "same-origin"
+ }
+
+ # WebSocket для уведомлений в реальном времени
+ @websocket {
+ header Connection *Upgrade*
+ header Upgrade websocket
+ path /notifications/hub
+ }
+
+ reverse_proxy @websocket 192.168.1.20:8001 {
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ }
+
+ # Основной HTTP трафик
+ reverse_proxy 192.168.1.20:8000 {
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ flush_interval -1
+ }
+}
\ No newline at end of file
diff --git a/conf.d/portainer.caddy b/conf.d/portainer.caddy
new file mode 100644
index 0000000..17045de
--- /dev/null
+++ b/conf.d/portainer.caddy
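Review bot: The HTTP-to-HTTPS redirect sends `notes.ada-dev.ru` to `https://trilium.ada-dev.ru{uri}`, but the only TLS site defined in this file is `notes.ada-dev.ru`, so plain-HTTP visitors land on a hostname this config does not serve — unless `trilium.ada-dev.ru` exists elsewhere, this looks like a copy-paste leftover and should read `redir https://notes.ada-dev.ru{uri}`. The site also sets no `Strict-Transport-Security` header, unlike the protected siblings; add the same `header { Strict-Transport-Security "max-age=31536000; includeSubDomains" }` so the redirect is only ever followed once per browser. A comment on the `1GB` limit saying what it is sized for (attachments, imports) would make the number reviewable later.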
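Review bot: Vaultwarden's `/admin` panel is reached through the same unauthenticated public front as the vault itself; if the admin token is enabled, an `@admin path /admin*` matcher restricted to `remote_ip 192.168.1.0/24` (or a separate mTLS-protected host) keeps the admin UI off the internet — `handle @admin { respond 403 }` placed before the proxies is a three-line fix. Recent Vaultwarden releases serve the notifications websocket on the main port, making the separate `:8001` listener and the `@websocket` route redundant; if the deployed image is that new, dropping the route removes one unauthenticated path and the duplicated `header_up` block — confirm the container version before doing so. `preload` in the HSTS value only has effect if the registrable domain is submitted to the preload list; harmless, but a comment such as `# preload is advisory until ada-dev.ru is actually submitted` avoids it being read as already enrolled.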
@@ -0,0 +1,28 @@
+http://portainer.ada-dev.ru {
+ redir https://portainer.ada-dev.ru{uri}
+}
+
+portainer.ada-dev.ru {
+ import mtls_protect
+
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains"
+ }
+
+ encode zstd gzip
+
+ reverse_proxy http://192.168.1.20:8010 {
+ transport http {
+ versions 1.1
+ read_timeout 3600s
+ write_timeout 3600s
+ response_header_timeout 3600s
+ dial_timeout 3600s
+ }
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ flush_interval -1
+ }
+}
\ No newline at end of file
diff --git a/conf.d/print.caddy b/conf.d/print.caddy
new file mode 100644
index 0000000..5656006
--- /dev/null
+++ b/conf.d/print.caddy
@@ -0,0 +1,17 @@
+print.ada-dev.ru {
+ @lan {
+ remote_ip 192.168.1.0/24
+ }
+
+ handle @lan {
+ reverse_proxy 192.168.1.15:631
+ }
+
+ handle {
+ respond "Access denied" 403
+ }
+}
+
+http://print.ada-dev.ru {
+ redir https://print.ada-dev.ru{uri}
+}
\ No newline at end of file
diff --git a/conf.d/pve.caddy b/conf.d/pve.caddy
new file mode 100644
index 0000000..ad6b3dd
--- /dev/null
+++ b/conf.d/pve.caddy
@@ -0,0 +1,33 @@
+http://pve.ada-dev.ru {
+ redir https://pve.ada-dev.ru{uri}
+}
+
+pve.ada-dev.ru {
+ import mtls_protect
+
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains"
+ }
+
+ encode zstd gzip
+
+ request_body {
+ max_size 10GB
+ }
+
+ reverse_proxy https://192.168.1.10:8006 {
+ transport http {
+ versions 1.1
+ tls_insecure_skip_verify
+ read_timeout 3600s
+ write_timeout 3600s
+ response_header_timeout 3600s
+ dial_timeout 3600s
+ }
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ flush_interval -1
+ }
+}
\ No newline at end of file
diff --git a/conf.d/sync.caddy b/conf.d/sync.caddy
new file mode 100644
index 0000000..121ac26
--- /dev/null
+++ b/conf.d/sync.caddy
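Review bot: This site block is byte-for-byte the gate/uptime block with only the upstream port changed, and it carries the same hour-long `dial_timeout` that lets a connect to a dead backend hang; rather than fixing it in three places, the proxy settings belong in a parameterised snippet in the Caddyfile, imported as `import lan_proxy http://192.168.1.20:8010`, so the timeout and forwarded-header policy cannot drift between the mTLS-protected hosts.
```caddyfile
# in Caddyfile: shared upstream policy for LAN services behind mTLS
(lan_proxy) {
    reverse_proxy {args[0]} {
        transport http {
            versions 1.1
            dial_timeout 10s
            read_timeout 3600s
            write_timeout 3600s
            response_header_timeout 3600s
        }
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
        flush_interval -1
    }
}
# in portainer.caddy, replacing the reverse_proxy block:
#     import lan_proxy http://192.168.1.20:8010
```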
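Review bot: `remote_ip 192.168.1.0/24` matches the immediate peer address, so the LAN gate only holds while Caddy is the first hop; if a tunnel or upstream proxy is ever placed in front, every request arrives from that hop and either everyone or no one passes — a comment such as `# remote_ip is the direct peer; switch to client_ip + trusted_proxies if a proxy is ever put in front` records the assumption. cupsd is known to validate the `Host` header and answer `400 Bad Request` for names it does not recognise, so proxying with the client's `print.ada-dev.ru` Host will likely need a matching `ServerAlias` in cupsd.conf or `header_up Host {upstream_hostport}` here — check against the printer host's config. The 403 fallback is sound, but note that this block still obtains a public certificate and publishes the hostname in CT logs for a LAN-only service; a LAN-resolvable name with `tls internal` would avoid that if it matters.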
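Review bot: `tls_insecure_skip_verify` disables certificate verification for the hop to 192.168.1.10:8006, so anything that can answer on the LAN as that address can sit in the middle of a Proxmox session — ticket cookie, CSRF token and console traffic included — regardless of the mTLS on the public side. Proxmox ships its own CA (`pve-root-ca.pem` under `/etc/pve`), so pin it instead: `tls_trusted_ca_certs /etc/caddy/ssl/pve-root-ca.pem` and `tls_server_name <pve-node-hostname>`, keeping the `Host` override only if the node certificate's SAN is the hostname rather than the IP. The hour-long `dial_timeout` should also come down to a few seconds; long read/write timeouts are what the noVNC/SPICE streams need, not a slow connect.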
@@ -0,0 +1,33 @@
+http://sync.ada-dev.ru {
+ redir https://sync.ada-dev.ru{uri}
+}
+
+sync.ada-dev.ru {
+ import mtls_protect
+
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains"
+ }
+
+ encode zstd gzip
+
+ request_body {
+ max_size 10GB
+ }
+
+ reverse_proxy https://192.168.1.20:8003 {
+ transport http {
+ versions 1.1
+ tls_insecure_skip_verify
+ read_timeout 3600s
+ write_timeout 3600s
+ response_header_timeout 3600s
+ dial_timeout 3600s
+ }
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ flush_interval -1
+ }
+}
\ No newline at end of file
diff --git a/conf.d/uptime.caddy b/conf.d/uptime.caddy
new file mode 100644
index 0000000..3e70d84
--- /dev/null
+++ b/conf.d/uptime.caddy
@@ -0,0 +1,28 @@
+http://uptime.ada-dev.ru {
+ redir https://uptime.ada-dev.ru{uri}
+}
+
+uptime.ada-dev.ru {
+ import mtls_protect
+
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains"
+ }
+
+ encode zstd gzip
+
+ reverse_proxy http://192.168.1.20:8011 {
+ transport http {
+ versions 1.1
+ read_timeout 3600s
+ write_timeout 3600s
+ response_header_timeout 3600s
+ dial_timeout 3600s
+ }
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ flush_interval -1
+ }
+}
\ No newline at end of file
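Review bot: `tls_insecure_skip_verify` on the hop to 192.168.1.20:8003 means Caddy will accept any certificate from anything answering at that address, so the mTLS on the front is undone by a LAN-side impersonator. The same host already serves gate, portainer and uptime over plain HTTP, so whatever terminates TLS on :8003 is presumably self-signed — either pin that certificate's issuer with `tls_trusted_ca_certs /etc/caddy/ssl/sync-ca.pem` plus `tls_server_name`, or, if the service can expose a plain listener on the same host, proxy it as `http://192.168.1.20:8003` like its siblings and let the `http://` upstream be the honest description. A comment naming the service behind :8003 (and why it needs `10GB` bodies) would make the choice reviewable.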
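Review bot: `mode require_and_verify` is enforced per TLS connection, so every path on this host — including any public status pages or badge endpoints the uptime tool exposes — now fails the handshake for clients without a client certificate; if those are meant to stay reachable, they need their own site block (a second hostname without `import mtls_protect`), because a per-path exemption cannot be expressed under `tls client_auth`. Record that as a comment: `# mTLS applies to the whole host: status pages need a separate, unprotected hostname`. As in the sibling files, `dial_timeout 3600s` should be a few seconds; only the read/write timeouts need to be long for the socket.io stream.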