chore: audit and fix service configurations and allowedOrigins

2026-05-06 13:23:51 -04:00
parent f52b4ae2b4
commit ccb9d44c04
13 changed files with 522 additions and 0 deletions
@@ -0,0 +1,70 @@
+# Global options
+{
+    auto_https disable_redirects
+    email k.radikal@gmail.com
+}
+
+# Consolidated wildcard site block
+*.klhoud.com, http://*.klhoud.com {
+    # Automatic HTTPS via DNS challenge for all subdomains
+    tls {
+        dns cloudflare {$CLOUDFLARE_API_TOKEN}
+    }
+    
+    # Proxmox
+    @proxmox host proxmox.klhoud.com
+    handle @proxmox {
+        reverse_proxy https://192.168.0.112:8006 {
+            # Required for connecting to Proxmox's self-signed/untrusted certificate
+            transport http {
+                tls_insecure_skip_verify
+                versions 1.1
+            }
+        }
+    }
+    
+    # AdGuard Home
+    @adguard host adguard.klhoud.com
+    handle @adguard {
+        reverse_proxy 192.168.0.170:80
+    }
+    
+    # Dockge
+    @dockge host dockge.klhoud.com
+    handle @dockge {
+        reverse_proxy 192.168.0.12:5001
+    }
+    
+    # Nextcloud
+    @cloud host cloud.klhoud.com
+    handle @cloud {
+        reverse_proxy 192.168.0.12:8080
+        # Nextcloud-specific headers
+        header Strict-Transport-Security "max-age=31536000;"
+        
+        # Handle large file uploads
+        request_body {
+            max_size 10GB
+        }
+    }
+
+    # Coolify (control plane runs on LXC 103). Upstream HTTPS to 443 because
+    # coolify-proxy's HTTP entry forces a redirect-to-https which would loop
+    # back through us. HTTPS upstream hits the no-redirect routes; cert is
+    # self-signed since coolify-proxy's ACME for coolify.klhoud.com fails
+    # (DNS points at us, not it), so we skip verify.
+    # coolify-proxy (Traefik) on LXC 103 listens on :80. We added a custom
+    # higher-priority router in /data/coolify/proxy/dynamic/coolify-noredirect.yaml
+    # there to bypass Coolify's auto-generated http->https redirect (which would
+    # loop us). WebSocket routes (/app, /terminal/ws) work natively on :80.
+    @coolify host coolify.klhoud.com
+    handle @coolify {
+        reverse_proxy 192.168.0.47:80
+    }
+
+    # IMPORTANT: Fallback Handler
+    # This prevents non-matching requests from falling through and failing.
+    handle {
+        respond "Not Found" 404
+    }
+}