Update gipat

services/homeassist/configuration.example.yaml

@@ -0,0 +1,19 @@
+http:
+  # For extra security set this to only accept connections on localhost if NGINX is on the same machine
+  # Uncommenting this will mean that you can only reach Home Assistant using the proxy, not directly via IP from other clients.
+  # server_host: 127.0.0.1
+  use_x_forwarded_for: true
+  # You must set the trusted proxy IP address so that Home Assistant will properly accept connections
+  # Set this to your NGINX machine IP, or localhost if hosted on the same machine.
+  trusted_proxies: 192.168.0.101
+  
+# Loads default set of integrations. Do not remove.
+default_config:
+
+# Load frontend themes from the themes folder
+frontend:
+  themes: !include_dir_merge_named themes
+
+automation: !include automations.yaml
+script: !include scripts.yaml
+scene: !include scenes.yaml

services/homeassist/docker-compose.yaml

@@ -0,0 +1,11 @@
+services:
+  homeassistant:
+    container_name: homeassistant
+    image: "ghcr.io/home-assistant/home-assistant:stable"
+    volumes:
+      - /data/services/homeassistant:/config
+      - /etc/localtime:/etc/localtime:ro
+      - /run/dbus:/run/dbus:ro
+    restart: unless-stopped
+    privileged: true
+    network_mode: host

services/ingress/home-kush.conf

@@ -0,0 +1,23 @@
+map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+    }
+
+server {
+        server_name home-kush.maksim-pankov.ru;
+        location / {
+                proxy_pass http://192.168.0.101:8123/;
+
+                proxy_set_header Host $host;
+                proxy_http_version 1.1;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection $connection_upgrade;
+        }
+
+    listen 443 ssl; # managed by Certbot
+
+    ssl_certificate /etc/letsencrypt/live/home-kush.maksim-pankov.ru/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/home-kush.maksim-pankov.ru/privkey.pem; # managed by Certbot
+}
+

services/ingress/nextcloud.conf

@@ -2,12 +2,17 @@ server {
 	server_name cloud.maksim-pankov.ru;
 	location / {
 		proxy_pass http://gipat:5002/;
-        sub_filter "http://gipat:5002/" "https://cloud.maksim-pankov.ru/";
+		sub_filter "http://gipat:5002/" "https://cloud.maksim-pankov.ru/";
+		proxy_set_header Host $host;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Real-IP $remote_addr;
+
+		add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 		client_max_body_size 0;
 	}
 
 
-    listen 443 ssl; # managed by Certbot
+    listen 443 ssl http2; # managed by Certbot
     ssl_certificate /etc/letsencrypt/live/cloud.maksim-pankov.ru/fullchain.pem; # managed by Certbot
     ssl_certificate_key /etc/letsencrypt/live/cloud.maksim-pankov.ru/privkey.pem; # managed by Certbot
     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

services/ingress/signaling.conf

@@ -0,0 +1,38 @@
+server {
+	server_name signaling.maksim-pankov.ru;
+	location / {
+		proxy_pass http://gipat:1988/;
+		proxy_set_header Host $host;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Real-IP $remote_addr;
+
+		proxy_http_version 1.1;
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection "upgrade";
+                # proxy_read_timeout 86400;
+
+		client_max_body_size 0;
+	}
+
+
+
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/signaling.maksim-pankov.ru/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/signaling.maksim-pankov.ru/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+    if ($host = signaling.maksim-pankov.ru) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+	server_name signaling.maksim-pankov.ru;
+    listen 80;
+    return 404; # managed by Certbot
+
+
+}

services/nextcloud/docker-compose.yml

@@ -12,5 +12,6 @@ services:
       - POSTGRES_DB=nextcloud
       - POSTGRES_USER=nextcloud
       - POSTGRES_PASSWORD=qw6MGQcaMkvG8sR9yVsU
+      - PHP_OPCACHE_MEMORY_CONSUMPTION=256
       - PHP_UPLOAD_LIMIT=16G
 

services/signaling/docker-compose.yaml

@@ -0,0 +1,17 @@
+services:
+    spreedbackend:
+      image: ghcr.io/nextcloud-releases/aio-talk:latest
+      environment:
+        NC_DOMAIN: cloud.maksim-pankov.ru
+        TALK_HOST: signaling.maksim-pankov.ru
+        TALK_PORT: 3478
+        TURN_SECRET: 928fa222f9c9d29b1bd25d968d81f9048716c7f69ea2d6592a4314768672e900
+        SIGNALING_SECRET: aed7780401fbc4a0f41584d594af16a1b8f2e7a53f71f157ce709079f0ab39a4
+        INTERNAL_SECRET: af887e5e85214e91b459ee82f62a0f57fcb30c8ecd0bca8641084d048644ac41
+      ports:
+        - 1988:8081
+        - 3478:3478/tcp
+        - 3478:3478/udp
+#      network_mode: host
+      restart: unless-stopped
+

services/turn/docker-compose.yaml

@@ -0,0 +1,20 @@
+services:
+  coturn:
+    image: coturn/coturn
+    command:
+      - "--realm"
+      - "cloud.maksim-pankov.ru"
+      - "--no-stdout-log"
+      - "--log-file"
+      - "stdout"
+      - "--stale-nonce=600"
+#      - "--use-auth-secret"
+#      - "--lt-cred-mech"
+      - "--fingerprint"
+      - "--no-software-attribute"
+      - "--no-multicast-peers"
+    environment:
+      DETECT_EXTERNAL_IP: yes
+      DETECT_RELAY_IP: yes
+      STATIC_AUTH_SECRET: fd838fd0efa4b53f243398e658dc55d7
+    network_mode: host