chriswin/vps-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: chriswin:e19f86a87de112df8aa5569df264767248549999
Branches Tags
chriswin:main
...
compare: chriswin:main
Branches Tags
chriswin:main

10 Commits
e19f86a87d ... main

Author SHA1 Message Date
chris
4bd56c7c90 change pdf url, add rss 2025-12-19 14:14:15 +00:00
chris
1bc7f2eb25 update subdomain 2025-11-12 21:44:56 +00:00
chris
6df9115f3d fix issue tailscale 2025-10-26 11:21:03 +00:00
debian
ea2334b8a4 config headscale 2025-10-24 01:01:37 +02:00
debian
b1f755f17d config template 2025-10-24 00:57:49 +02:00
debian
29772a655b create config template for headscale 2025-10-24 00:04:12 +02:00
debian
425de79c33 change port for headscale 2025-10-23 23:05:54 +02:00
debian
b37dda0b67 refine configuration file 2025-10-23 22:24:40 +02:00
debian
332ec260a1 add caddy to config 2025-10-23 20:13:06 +02:00
debian
79f7ccdf3f headscale config and caddy service 2025-10-22 18:15:04 +02:00
6 changed files with 229 additions and 11 deletions
Expand all files Collapse all files

1
.env
View File

@@ -22,3 +22,4 @@ PUBLIC_DOMAIN=crescentec.ch
# Personal info # Personal info
EMAIL=chris.windler@crescentec.ch EMAIL=chris.windler@crescentec.ch
MAIN_SERVER_NODE_IP=100.64.0.1:443

2
docker-compose.yml
View File

@@ -6,7 +6,7 @@
# Whenever I need to remove some service then I can comment out the lines here. # Whenever I need to remove some service then I can comment out the lines here.
include: include:
- path: - path:
# - ${SERVICE_PATH}/caddy/caddy.yml - ${SERVICE_PATH}/caddy/caddy.yml
- ${SERVICE_PATH}/headscale/headscale.yml - ${SERVICE_PATH}/headscale/headscale.yml
- ${SERVICE_PATH}/watchtower/watchtower.yml - ${SERVICE_PATH}/watchtower/watchtower.yml
env_file: ${SERVICE_PATH}/.env env_file: ${SERVICE_PATH}/.env

189
services/caddy/Caddyfile Normal file
View File

@@ -0,0 +1,189 @@
(forward_headers) {
header {
Permissions-Policy interest-cohort=()
Strict-Transport-Security "max-age=31536000; includeSubdomains"
X-XSS-Protection "1; mode=block"
X-Content-Type-Options "nosniff"
X-Robots-Tag noindex, nofollow
Referrer-Policy "same-origin"
Content-Security-Policy "frame-ancestors {$public_domain }} *.{$public_domain}"
-Server
Permissions-Policy "geolocation=(self {$public_domain }} *.{$public_domain}), microphone=()"
}
}
auth.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
audiobookshelf.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
gitea.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
headscale.{$public_domain} {
reverse_proxy headscale:8080
tls {$email}
import forward_headers
}
immich.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
ldap.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
linkwarden.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
mealie.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
navidrome.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
ntfy.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
paperless.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
radicale.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
rss.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
pdf.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
superset.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
vaultwarden.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
vikunja.{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}
{$public_domain} {
reverse_proxy {$main_server_ip} {
transport http {
tls_insecure_skip_verify
}
}
tls {$email}
import forward_headers
}

30
services/caddy/caddy.yml
View File

@@ -0,0 +1,30 @@
services:
caddy:
extends:
file: ${TEMPLATES_PATH}
service: default
image: caddy
container_name: caddy
volumes:
- ${SERVICE_PATH}/caddy/config:/etc/headscale
- ${SERVICE_PATH}/caddy/Caddyfile:/etc/caddy/Caddyfile
- ${SERVICE_PATH}/caddy/site:/srv
- ${SERVICE_PATH}/caddy/data:/data
- ${SERVICE_PATH}/caddy/config:/config
- ${SERVICE_PATH}/caddy/certs:/certs
ports:
- "80:80"
- "443:443"
- "443:443/udp"
environment:
email: ${EMAIL}
public_domain: ${PUBLIC_DOMAIN}
private_domain: ${LOCAL_DOMAIN}
main_server_ip: ${MAIN_SERVER_NODE_IP:-10.10.10.2}
cap_add:
- NET_ADMIN
networks:
- ip4net
labels:
# Watchtower
- "com.centurylinklabs.watchtower.enable=true"

13
services/headscale/config/config.yaml → services/headscale/config-template.yaml.j2
View File

@@ -10,13 +10,13 @@
# #
# https://myheadscale.example.com:443 # https://myheadscale.example.com:443
# #
server_url: http://127.0.0.1:8080 server_url: {{ headscale_server_url }}
# Address to listen to / bind to on the server # Address to listen to / bind to on the server
# #
# For production: # For production:
listen_addr: 0.0.0.0:8080
#listen_addr: 127.0.0.1:8080 #listen_addr: 127.0.0.1:8080
listen_addr: {{ headscale_listen_addr }}
# Address to listen to /metrics and /debug, you may want # Address to listen to /metrics and /debug, you may want
# to keep this endpoint private to your internal network # to keep this endpoint private to your internal network
@@ -77,7 +77,7 @@ derp:
server: server:
# If enabled, runs the embedded DERP server and merges it into the rest of the DERP config # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
# The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
enabled: false enabled: true
# Region ID to use for the embedded DERP server. # Region ID to use for the embedded DERP server.
# The local DERP prevails if the region ID collides with other region ID coming from # The local DERP prevails if the region ID collides with other region ID coming from
@@ -276,7 +276,7 @@ dns:
# `base_domain` must be a FQDN, without the trailing dot. # `base_domain` must be a FQDN, without the trailing dot.
# The FQDN of the hosts will be # The FQDN of the hosts will be
# `hostname.base_domain` (e.g., _myhost.example.com_). # `hostname.base_domain` (e.g., _myhost.example.com_).
base_domain: example.com base_domain: {{ headscale_base_domain }}
# Whether to use the local DNS settings of a node or override the local DNS # Whether to use the local DNS settings of a node or override the local DNS
# settings (default) and force the use of Headscale's DNS configuration. # settings (default) and force the use of Headscale's DNS configuration.
@@ -285,10 +285,7 @@ dns:
# List of DNS servers to expose to clients. # List of DNS servers to expose to clients.
nameservers: nameservers:
global: global:
- 1.1.1.1 - {{ dns_nameserver }}
- 1.0.0.1
- 2606:4700:4700::1111
- 2606:4700:4700::1001
# NextDNS (see https://tailscale.com/kb/1218/nextdns/). # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
# "abc123" is example NextDNS ID, replace with yours. # "abc123" is example NextDNS ID, replace with yours.

5
services/headscale/headscale.yml
View File

@@ -10,9 +10,10 @@ services:
- ${SERVICE_PATH}/headscale/lib:/var/lib/headscale - ${SERVICE_PATH}/headscale/lib:/var/lib/headscale
- ${SERVICE_PATH}/headscale/run:/var/run/headscale - ${SERVICE_PATH}/headscale/run:/var/run/headscale
ports: ports:
- 0.0.0.0:1000:8080 # api - 127.0.0.1:8080:8080 # api
- 0.0.0.0:1001:9090 # metrics - 127.0.0.1:9090:9090 # metrics
command: serve command: serve
environment:
networks: networks:
- ip4net - ip4net
labels: labels: