lab-ansible/roles/apps/templates/caddy/Caddyfile.j2

{# code: language=ansible-jinja #}
# THIS FILE IS MANAGED BY ANSIBLE

{% if 'searxng' in apps_proxied %}
{{ apps_vars.searxng.domain }} {
    tls {{ tls_email }}

    log {
        output discard
    }

    @api {
        path /config
        path /healthz
        path /stats/errors
        path /stats/checker
    }

    @static {
        path /static/*
    }

    @notstatic {
        not path /static/*
    }

    @imageproxy {
        path /image_proxy
    }

    @notimageproxy {
        not path /image_proxy
    }

    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options "nosniff"
        Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=(),interest-cohort=()"
        Referrer-Policy "no-referrer"
        X-Robots-Tag "noindex, noarchive, nofollow"
        -Server
    }

    header @api {
        Access-Control-Allow-Methods "GET, OPTIONS"
        Access-Control-Allow-Origin  "*"
    }

    header @static {
        Cache-Control "public, max-age=31536000"
        defer
    }

    header @notstatic {
        Cache-Control "no-cache, no-store"
        Pragma "no-cache"
    }

    header @imageproxy {
        Content-Security-Policy "default-src 'none'; img-src 'self' data:"
    }

    header @notimageproxy {
        Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
    }

    handle {
        encode zstd gzip

        reverse_proxy searxng:{{ apps_vars.searxng.port }} {
            header_up X-Forwarded-Port {http.request.port}
            header_up X-Forwarded-Proto {http.request.scheme}
            header_up X-Real-IP {remote_host}
        }
    }
}
{% endif %}

{% if 'website' in apps_proxied %}
{{ apps_base_domain }},
www.{{ apps_base_domain }},
www.{{ apps_vars.website.domain }} {
    tls {{ tls_email }}

    log {
        output discard
    }


    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    	-Server
    }

    redir https://{{ apps_vars.website.domain }}{uri}
}

{{ apps_vars.website.domain }} {
    tls {{ tls_email }}

    log {
        output discard
    }

    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
{% if 'tor' in apps_include and 'website' in apps_torified %}
        Onion-Location "http://{{ apps_vars.website.onion }}{uri}"
{% endif %}
    	-Server
    }

    reverse_proxy website:{{ apps_vars.website.port }}
}
{% endif %}
Add Caddy and SearXNG to apps role 2024-02-04 17:03:15 +00:00			`{# code: language=ansible-jinja #}`
			`# THIS FILE IS MANAGED BY ANSIBLE`

Add Tor 2024-02-10 19:03:04 +00:00			`{% if 'searxng' in apps_proxied %}`
Add Caddy and SearXNG to apps role 2024-02-04 17:03:15 +00:00			`{{ apps_vars.searxng.domain }} {`
			`tls {{ tls_email }}`

			`log {`
			`output discard`
			`}`

			`@api {`
			`path /config`
			`path /healthz`
			`path /stats/errors`
			`path /stats/checker`
			`}`

			`@static {`
			`path /static/*`
			`}`

			`@notstatic {`
			`not path /static/*`
			`}`

			`@imageproxy {`
			`path /image_proxy`
			`}`

			`@notimageproxy {`
			`not path /image_proxy`
			`}`

			`header {`
Fix SearXNG headers 2024-02-10 13:56:19 +00:00			`Strict-Transport-Security "max-age=31536000; includeSubDomains"`
Add Caddy and SearXNG to apps role 2024-02-04 17:03:15 +00:00			`X-Content-Type-Options "nosniff"`
			`Permissions-Policy "accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=(),interest-cohort=()"`
			`Referrer-Policy "no-referrer"`
			`X-Robots-Tag "noindex, noarchive, nofollow"`
			`-Server`
			`}`

			`header @api {`
			`Access-Control-Allow-Methods "GET, OPTIONS"`
			`Access-Control-Allow-Origin "*"`
			`}`

			`header @static {`
			`Cache-Control "public, max-age=31536000"`
			`defer`
			`}`

			`header @notstatic {`
			`Cache-Control "no-cache, no-store"`
			`Pragma "no-cache"`
			`}`

			`header @imageproxy {`
			`Content-Security-Policy "default-src 'none'; img-src 'self' data:"`
			`}`

			`header @notimageproxy {`
			Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://github.com/searxng/searxng/issues/new; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"
			`}`

			`handle {`
			`encode zstd gzip`

Add Tor 2024-02-10 19:03:04 +00:00			`reverse_proxy searxng:{{ apps_vars.searxng.port }} {`
Add Caddy and SearXNG to apps role 2024-02-04 17:03:15 +00:00			`header_up X-Forwarded-Port {http.request.port}`
			`header_up X-Forwarded-Proto {http.request.scheme}`
Fix SearXNG headers 2024-02-10 13:56:19 +00:00			`header_up X-Real-IP {remote_host}`
Add Caddy and SearXNG to apps role 2024-02-04 17:03:15 +00:00			`}`
			`}`
			`}`
Fix SearXNG headers 2024-02-10 13:56:19 +00:00			`{% endif %}`
Add personal website 2024-02-10 17:23:33 +00:00
Add Tor 2024-02-10 19:03:04 +00:00			`{% if 'website' in apps_proxied %}`
Add personal website 2024-02-10 17:23:33 +00:00			`{{ apps_base_domain }},`
			`www.{{ apps_base_domain }},`
			`www.{{ apps_vars.website.domain }} {`
			`tls {{ tls_email }}`

			`log {`
			`output discard`
			`}`


			`header {`
			`Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
			`-Server`
			`}`

			`redir https://{{ apps_vars.website.domain }}{uri}`
			`}`

			`{{ apps_vars.website.domain }} {`
			`tls {{ tls_email }}`

			`log {`
			`output discard`
			`}`

			`header {`
			`Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"`
Add Tor 2024-02-10 19:03:04 +00:00			`{% if 'tor' in apps_include and 'website' in apps_torified %}`
Add personal website 2024-02-10 17:23:33 +00:00			`Onion-Location "http://{{ apps_vars.website.onion }}{uri}"`
Add Tor 2024-02-10 19:03:04 +00:00			`{% endif %}`
Add personal website 2024-02-10 17:23:33 +00:00			`-Server`
			`}`

Add Tor 2024-02-10 19:03:04 +00:00			`reverse_proxy website:{{ apps_vars.website.port }}`
Add personal website 2024-02-10 17:23:33 +00:00			`}`
			`{% endif %}`