From 440e1406181cc6a7908d32452a9e5211c064b32a Mon Sep 17 00:00:00 2001
From: Maksim Pankov
Date: Sat, 1 Nov 2025 15:12:25 +0000
Subject: [PATCH] Update gipat
---
 services/homeassist/.gitignore | 0
 .../homeassist/configuration.example.yaml | 19 ++++++++++
 services/homeassist/docker-compose.yaml | 11 ++++++
 services/ingress/home-kush.conf | 23 +++++++++++
 services/ingress/nextcloud.conf | 11 ++++--
 services/ingress/signaling.conf | 38 +++++++++++++++++++
 services/nextcloud/docker-compose.yml | 1 +
 services/signaling/docker-compose.yaml | 17 +++++++++
 services/turn/docker-compose.yaml | 20 ++++++++++
 9 files changed, 137 insertions(+), 3 deletions(-)
 create mode 100644 services/homeassist/.gitignore
 create mode 100644 services/homeassist/configuration.example.yaml
 create mode 100644 services/homeassist/docker-compose.yaml
 create mode 100644 services/ingress/home-kush.conf
 create mode 100644 services/ingress/signaling.conf
 create mode 100644 services/signaling/docker-compose.yaml
 create mode 100644 services/turn/docker-compose.yaml
diff --git a/services/homeassist/.gitignore b/services/homeassist/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/services/homeassist/configuration.example.yaml b/services/homeassist/configuration.example.yaml
new file mode 100644
index 0000000..75fda3a
--- /dev/null
+++ b/services/homeassist/configuration.example.yaml
@@ -0,0 +1,19 @@
+http:
+ # For extra security set this to only accept connections on localhost if NGINX is on the same machine
+ # Uncommenting this will mean that you can only reach Home Assistant using the proxy, not directly via IP from other clients.
+ # server_host: 127.0.0.1
+ use_x_forwarded_for: true
+ # You must set the trusted proxy IP address so that Home Assistant will properly accept connections
+ # Set this to your NGINX machine IP, or localhost if hosted on the same machine.
+ trusted_proxies: 192.168.0.101
+
+# Loads default set of integrations. Do not remove.
+default_config:
+
+# Load frontend themes from the themes folder
+frontend:
+ themes: !include_dir_merge_named themes
+
+automation: !include automations.yaml
+script: !include scripts.yaml
+scene: !include scenes.yaml
diff --git a/services/homeassist/docker-compose.yaml b/services/homeassist/docker-compose.yaml
new file mode 100644
index 0000000..26bb6b8
--- /dev/null
+++ b/services/homeassist/docker-compose.yaml
@@ -0,0 +1,11 @@
+services:
+ homeassistant:
+ container_name: homeassistant
+ image: "ghcr.io/home-assistant/home-assistant:stable"
+ volumes:
+ - /data/services/homeassistant:/config
+ - /etc/localtime:/etc/localtime:ro
+ - /run/dbus:/run/dbus:ro
+ restart: unless-stopped
+ privileged: true
+ network_mode: host
diff --git a/services/ingress/home-kush.conf b/services/ingress/home-kush.conf
new file mode 100644
index 0000000..96ea0e3
--- /dev/null
+++ b/services/ingress/home-kush.conf
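Review bot: `trusted_proxies: 192.168.0.101` is the same address that services/ingress/home-kush.conf forwards to (`proxy_pass http://192.168.0.101:8123/`), so it looks like Home Assistant's own host rather than the NGINX machine the comment two lines above asks for; unless NGINX actually runs on 192.168.0.101, forwarded requests arrive from an address outside this list and, as far as I recall, Home Assistant refuses them when `use_x_forwarded_for` is true. Please confirm which host runs the proxy and set that address here. If it is the same host, `# server_host: 127.0.0.1` should be uncommented as the example itself suggests, so that port 8123 is only reachable through the TLS vhost and not directly from the LAN.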
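Review bot: `privileged: true` combined with `network_mode: host` and the `/run/dbus` bind gives the container every capability and every host device, which a reverse-proxied Home Assistant does not need unless it drives USB/Bluetooth hardware; drop `privileged: true` and, if a device is required, pass it explicitly under `devices:` (for example a single serial adapter path) — Bluetooth via D-Bus is already covered by the `/run/dbus` mount. If the flag is intentional, record why above it, e.g. `# privileged: required for <device> passthrough`, so the next reader does not remove it. Minor style point: `image` is the only quoted scalar among the compose files added in this commit (services/signaling and services/turn are unquoted); either is fine, but keep one convention.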
@@ -0,0 +1,23 @@
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+server {
+ server_name home-kush.maksim-pankov.ru;
+ location / {
+ proxy_pass http://192.168.0.101:8123/;
+
+ proxy_set_header Host $host;
+ proxy_http_version 1.1;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+
+ listen 443 ssl; # managed by Certbot
+
+ ssl_certificate /etc/letsencrypt/live/home-kush.maksim-pankov.ru/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/home-kush.maksim-pankov.ru/privkey.pem; # managed by Certbot
+}
+
diff --git a/services/ingress/nextcloud.conf b/services/ingress/nextcloud.conf
index 29dc77a..a0f8df0 100644
--- a/services/ingress/nextcloud.conf
+++ b/services/ingress/nextcloud.conf
@@ -2,12 +2,17 @@ server { server_name cloud.maksim-pankov.ru; location / { proxy_pass http://gipat:5002/; - sub_filter "http://gipat:5002/" "https://cloud.maksim-pankov.ru/"; + sub_filter "http://gipat:5002/" "https://cloud.maksim-pankov.ru/"; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; client_max_body_size 0; } - listen 443 ssl; # managed by Certbot + listen 443 ssl http2; # managed by Certbot ssl_certificate /etc/letsencrypt/live/cloud.maksim-pankov.ru/fullchain.pem; # managed by Certbot ssl_certificate_key /etc/letsencrypt/live/cloud.maksim-pankov.ru/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
@@ -25,4 +30,4 @@ server { return 404; # managed by Certbot -} \ No newline at end of file +}
diff --git a/services/ingress/signaling.conf b/services/ingress/signaling.conf
new file mode 100644
index 0000000..0ae5588
--- /dev/null
+++ b/services/ingress/signaling.conf
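Review bot: This vhost turns on `listen 443 ssl;` without the `include /etc/letsencrypt/options-ssl-nginx.conf;` and `ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;` lines that the nextcloud.conf and signaling.conf blocks in this same commit carry, so it runs on nginx's built-in protocol and cipher defaults, which on older nginx builds still admit TLS 1.0/1.1; add the two lines after `ssl_certificate_key`. There is also no port-80 `server` block with the `return 301 https://$host$request_uri;` redirect the sibling confs have, so plain-http requests for this name land on whatever default vhost exists. Note that `map` is only valid in the `http` context: this file works when included from there (sites-enabled style) but would fail if included inside a `server` block, so a one-line comment stating the expected include point would save the next person a failed reload.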
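Review bot: The new `X-Forwarded-For` and `X-Real-IP` headers in `location /` only help Nextcloud's brute-force throttling and audit log if Nextcloud's own `trusted_proxies` setting lists this proxy; otherwise every login attempt is still attributed to the proxy's address and throttling effectively hits all clients together (config.php is not in this diff, so please confirm). `X-Forwarded-Proto` is still not forwarded, which is presumably why the `sub_filter` URL rewrite survives — with `proxy_set_header X-Forwarded-Proto $scheme;` plus `overwriteprotocol` in config.php the filter can go, and as written it silently skips gzip-compressed upstream bodies unless `proxy_set_header Accept-Encoding "";` is also set. The `preload` token in the new `Strict-Transport-Security` header is a request for inclusion in browser preload lists that is slow and awkward to undo, so it should be a deliberate choice rather than copied boilerplate; also, placing `add_header` inside `location /` replaces any `add_header` inherited from the enclosing `server` block, which starts before this hunk.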
@@ -0,0 +1,38 @@ +server { + server_name signaling.maksim-pankov.ru; + location / { + proxy_pass http://gipat:1988/; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Real-IP $remote_addr; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + # proxy_read_timeout 86400; + + client_max_body_size 0; + } + + + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/signaling.maksim-pankov.ru/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/signaling.maksim-pankov.ru/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot + +} +server { + if ($host = signaling.maksim-pankov.ru) { + return 301 https://$host$request_uri; + } # managed by Certbot + + + server_name signaling.maksim-pankov.ru; + listen 80; + return 404; # managed by Certbot + + +}
diff --git a/services/nextcloud/docker-compose.yml b/services/nextcloud/docker-compose.yml
index 0a6528d..173dc88 100644
--- a/services/nextcloud/docker-compose.yml
+++ b/services/nextcloud/docker-compose.yml
@@ -12,5 +12,6 @@ services: - POSTGRES_DB=nextcloud - POSTGRES_USER=nextcloud - POSTGRES_PASSWORD=qw6MGQcaMkvG8sR9yVsU + - PHP_OPCACHE_MEMORY_CONSUMPTION=256 - PHP_UPLOAD_LIMIT=16G
diff --git a/services/signaling/docker-compose.yaml b/services/signaling/docker-compose.yaml
new file mode 100644
index 0000000..9d07e09
--- /dev/null
+++ b/services/signaling/docker-compose.yaml
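Review bot: `proxy_set_header Connection "upgrade";` is sent on every request to the signaling backend, whereas the home-kush.conf added in this commit goes through the `map $http_upgrade $connection_upgrade` table so that non-WebSocket requests get `close`; assuming both files are included into the same `http` context, `proxy_set_header Connection $connection_upgrade;` works here too and keeps the two vhosts consistent. `client_max_body_size 0;` removes the request-body limit for a service that only exchanges small JSON and WebSocket frames, so it should be dropped rather than copied over from nextcloud.conf. The commented `# proxy_read_timeout 86400;` deserves a decision: with the 60s default nginx closes idle signaling sockets unless the client pings, so either enable it with a comment saying why or delete the dead line, and the three blank lines before `listen 443 ssl;` can collapse to one.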
@@ -0,0 +1,17 @@
+services:
+ spreedbackend:
+ image: ghcr.io/nextcloud-releases/aio-talk:latest
+ environment:
+ NC_DOMAIN: cloud.maksim-pankov.ru
+ TALK_HOST: signaling.maksim-pankov.ru
+ TALK_PORT: 3478
+ TURN_SECRET: 928fa222f9c9d29b1bd25d968d81f9048716c7f69ea2d6592a4314768672e900
+ SIGNALING_SECRET: aed7780401fbc4a0f41584d594af16a1b8f2e7a53f71f157ce709079f0ab39a4
+ INTERNAL_SECRET: af887e5e85214e91b459ee82f62a0f57fcb30c8ecd0bca8641084d048644ac41
+ ports:
+ - 1988:8081
+ - 3478:3478/tcp
+ - 3478:3478/udp
+# network_mode: host
+ restart: unless-stopped
+
diff --git a/services/turn/docker-compose.yaml b/services/turn/docker-compose.yaml
new file mode 100644
index 0000000..03776a2
--- /dev/null
+++ b/services/turn/docker-compose.yaml
@@ -0,0 +1,20 @@
+services:
+ coturn:
+ image: coturn/coturn
+ command:
+ - "--realm"
+ - "cloud.maksim-pankov.ru"
+ - "--no-stdout-log"
+ - "--log-file"
+ - "stdout"
+ - "--stale-nonce=600"
+# - "--use-auth-secret"
+# - "--lt-cred-mech"
+ - "--fingerprint"
+ - "--no-software-attribute"
+ - "--no-multicast-peers"
+ environment:
+ DETECT_EXTERNAL_IP: yes
+ DETECT_RELAY_IP: yes
+ STATIC_AUTH_SECRET: fd838fd0efa4b53f243398e658dc55d7
+ network_mode: host
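Review bot: `TURN_SECRET`, `SIGNALING_SECRET` and `INTERNAL_SECRET` are committed as plain values, as is `STATIC_AUTH_SECRET` in the services/turn hunk below and the `POSTGRES_PASSWORD` visible as context in the services/nextcloud hunk, so all of them are now permanently in repository history; move them to an untracked file loaded with `env_file: [.env]` and reference them as `TURN_SECRET: ${TURN_SECRET}`, and rotate the values, since removing the lines later does not scrub history. The `TURN_SECRET` here differs from the `STATIC_AUTH_SECRET` handed to coturn in services/turn; if Nextcloud Talk is meant to issue credentials for that coturn the two must agree, so one of them looks stale — please confirm the intended pairing. `image: ghcr.io/nextcloud-releases/aio-talk:latest` is unpinned; a version tag or digest makes upgrades deliberate and reproducible. The `3478:3478/tcp` and `/udp` mappings publish the backend's bundled TURN listener on every host interface, while services/turn starts a second coturn on the host network with the same default port, so if both run on the same host one of them will fail to bind.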
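Review bot: With both `# - "--use-auth-secret"` and `# - "--lt-cred-mech"` commented out and no `--static-auth-secret=` on the command line, this coturn performs no credential check at all and, via `network_mode: host`, is an open relay on every interface of the host; as far as I can tell the image's entrypoint honours `DETECT_EXTERNAL_IP`/`DETECT_RELAY_IP` but does not read a `STATIC_AUTH_SECRET` environment variable, so that line has no effect. Restore authentication on the command line, e.g. `- "--use-auth-secret"` and `- "--static-auth-secret=${TURN_SECRET}"` with the value supplied from an untracked `env_file`, and consider `--denied-peer-ip=` ranges for the private address space so the relay cannot be used to reach the internal network. `DETECT_EXTERNAL_IP: yes` and `DETECT_RELAY_IP: yes` are YAML 1.1 booleans; Compose may hand them to the container as `true`, which an entrypoint test for the literal string `yes` would not match — quote them as `"yes"`.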