Add system services and more

nginx/sites-available/debug.inv.zzls.xyz.conf

@@ -13,24 +13,20 @@ server {
 
 	location / {
 		proxy_pass http://inv-debug;
-		proxy_set_header X-Forwarded-For $remote_addr;
-		proxy_set_header Host $host;    # so Invidious knows domain
-		proxy_http_version 1.1;     # to keep alive
-		proxy_set_header Connection ""; # to keep alive
+		include configs/proxy.conf;
 		limit_rate 12000k;
 		# Disable buffering and cache so i don't kill my 
 		# SSD and bandwidth usage
 		proxy_buffering off;
 		proxy_request_buffering off;
 		proxy_cache off;
+		proxy_intercept_errors on;
+ 		error_page 502 = @fallback;
 	}
 
 	location ~ ^/api/ {
 		proxy_pass http://inv-debug;
-		proxy_set_header X-Forwarded-For $remote_addr;
-		proxy_set_header Host $host;    # so Invidious knows domain
-		proxy_http_version 1.1;     # to keep alive
-		proxy_set_header Connection ""; # to keep alive
+		include configs/proxy.conf;
 		limit_rate 12000k;
 		# Disable buffering and cache so i don't kill my 
 		# SSD and bandwidth usage
@@ -40,6 +36,31 @@ server {
 		limit_req zone=one;
 	}
 
+	location ~ (^/videoplayback|^/vi/|^/ggpht/|^/sb/) {
+		proxy_buffering on;
+		proxy_buffers 1024 16k;
+		proxy_set_header X-Forwarded-For "";
+		proxy_hide_header "alt-svc";
+		sendfile_max_chunk 512k;
+		tcp_nopush on;
+		aio threads=default;
+		aio_write on;
+		directio 16m;
+		proxy_hide_header Cache-Control;
+		proxy_hide_header etag;
+		proxy_http_version 1.1;
+		proxy_set_header Connection keep-alive;
+		proxy_max_temp_file_size 32m;
+		access_log /var/log/nginx/http3-ytproxy.log;
+		proxy_pass http://unix:/opt/http3-ytproxy/socket/http-proxy.sock;
+		add_header Cache-Control private always;
+	}
+
+	location @fallback {
+		root /etc/nginx/errors;
+		try_files $uri /502.html = 502;
+	}
+
 	# QUIC
 	add_header Alt-Svc 'h3=":443"; ma=86400';
 

nginx/sites-available/i.ayaya.beauty.conf

@@ -1,4 +1,5 @@
 server {
+	access_log /var/log/nginx/i.ayaya.beauty.access.log;
 	server_name i.ayaya.beauty;
 	root /var/www/files2;
 	autoindex off;
@@ -8,8 +9,10 @@ server {
 	include configs/robotsNone.conf;
 
 	location / {
+		rewrite ^/(.*)/$ /\$1 break;
+   		try_files $uri $uri.jpg $uri.png $uri.gif $uri.css $uri.js $uri/ =404;
 		error_page 403 =301 https://ayaya.beauty;
-		error_page 404 = /404.gif;
+		error_page 404 =301 https://ayaya.beauty;
 	}
 
 	listen 443 ssl;

nginx/sites-available/inv.zzls.xyz.conf

@@ -6,9 +6,9 @@ limit_req_zone $binary_remote_addr zone=invidiousapi:10m rate=30r/s;
 
 upstream inv {
 	least_conn;
-	server 127.0.0.1:40015 max_fails=2 fail_timeout=2s;
-	server 127.0.0.1:40016 max_fails=2 fail_timeout=2s;
-	#server 127.0.0.1:40017 backup fail_timeout=3s;
+	server 127.0.0.1:40015 max_fails=2 fail_timeout=1s;
+	server 127.0.0.1:40016 max_fails=2 fail_timeout=1s;
+	server 127.0.0.1:40017 max_fails=2 fail_timeout=1s;
 }
 
 # CLEARNET
@@ -22,18 +22,37 @@ server {
 
 	location @upstream {
 		proxy_pass http://inv;
-		proxy_set_header X-Forwarded-For $remote_addr;
-		proxy_set_header Host $host;    # so Invidious knows domain
-		proxy_http_version 1.1;     # to keep alive
-		proxy_set_header Connection ""; # to keep alive
+		include configs/proxy.conf;
 		limit_rate 8000k;
 		# Disable buffering and cache so i don't kill my 
 		# SSD and bandwidth usage
 		proxy_buffering off;
 		proxy_request_buffering off;
 		proxy_cache off;
+		proxy_intercept_errors on;
+		error_page 502 = @fallback;
 	}
 
+        location ~ (^/videoplayback|^/vi/|^/ggpht/|^/sb/) {
+		# Woops! Sorry. I don't want to kill my SSD lol!
+		#proxy_buffering on;
+		#proxy_buffers 1024 16k;
+                proxy_set_header X-Forwarded-For "";
+                proxy_hide_header "alt-svc";
+                sendfile_max_chunk 512k;
+                tcp_nopush on;
+                aio threads=default;
+                aio_write on;
+                directio 16m;
+                proxy_hide_header Cache-Control;
+                proxy_hide_header etag;
+                proxy_http_version 1.1;
+                proxy_set_header Connection keep-alive;
+                proxy_max_temp_file_size 32m;
+                proxy_pass http://unix:/opt/http3-ytproxy/socket/http-proxy.sock;
+                add_header Cache-Control private always;
+        }
+
 	location / {
 		try_files $uri @upstream;
 	}
@@ -48,6 +67,11 @@ server {
 		limit_req zone=invidiousapi;
 	}
 
+	location @fallback {
+		root /etc/nginx/errors;
+		try_files $uri /502.html = 502;
+	}
+
 	# QUIC
 	add_header Alt-Svc 'h3=":443"; ma=86400';
 

nginx/sites-available/matrix.zzls.xyz.conf

@@ -11,7 +11,7 @@ server {
 	location /.well-known/matrix/client {
 		default_type application/json;
 		add_header Access-Control-Allow-Origin '*';
-		return 200 '{ "m.homeserver": { "base_url": "https://matrix.zzls.xyz" } }';
+		return 200 '{ "m.homeserver": { "base_url": "https://matrix.zzls.xyz" }, "org.matrix.msc3575.proxy": {"url": "https://matrix.zzls.xyz"}}';
 	}
 
 	location / {
@@ -19,8 +19,15 @@ server {
 		index index.html;
 	}
 
+	location ~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync) {
+		proxy_pass http://127.0.0.1:40022;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Host $host;
+	}
+
 	location ~ ^(/_matrix|/_synapse/client|/health) {
-		proxy_pass http://localhost:40020;
+		proxy_pass http://127.0.0.1:40020;
 		include configs/proxy.conf;
 		client_max_body_size 64M;
 	}

systemd/system/http3-ytproxy.service

@@ -0,0 +1,39 @@
+[Unit]
+Description=Http3 YTProxy for Invidious
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=http
+Group=http
+Environment="DISABLE_WEBP=1"
+Environment="DISABLE_IPV6=1"
+WorkingDirectory=/opt/http3-ytproxy
+ExecStart=/opt/http3-ytproxy/http3-ytproxy
+Restart=on-failure
+RestartSec=5s
+
+ReadWritePaths=/opt/http3-ytproxy/socket
+NoNewPrivileges=yes
+MemoryDenyWriteExecute=true
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=strict
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictRealtime=true
+LockPersonality=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectHostname=true
+ProtectKernelModules=true
+PrivateUsers=true
+ProtectClock=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target

systemd/system/invidious-debug.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Invidious (An alternative YouTube front-end) DEBUG
+After=syslog.target
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=simple
+User=invidious
+Group=invidious
+WorkingDirectory=/opt/invidious/invidious-debug
+ExecStart=/opt/invidious/invidious-debug/invidious
+Restart=always
+RuntimeMaxSec=1h
+
+[Install]
+WantedBy=multi-user.target

systemd/system/invidious@.service

@@ -0,0 +1,35 @@
+[Unit]
+Description=Invidious (An alternative YouTube front-end)
+After=syslog.target
+After=network.target
+
+[Service]
+RestartSec=10s
+Type=simple
+User=invidious
+Group=invidious
+WorkingDirectory=/opt/invidious/invidious
+ExecStart=/opt/invidious/invidious/invidious -o invidious%i.log -p %i
+StandardOutput=null
+#StandardError=null
+Restart=always
+RuntimeMaxSec=1h
+LimitNOFILE=16384
+
+# Security
+#PrivateTmp=yes
+#NoNewPrivileges=true
+#ProtectSystem=yes
+#ProtectDevices=yes
+#DevicePolicy=closed
+#ProtectKernelTunables=yes
+#ProtectControlGroups=yes
+#ProtectHostname=yes
+#ProtectKernelLogs=true
+#PrivateUsers=yes
+#ReadWriteDirectories=/home/invidious/invidious
+#ProtectControlGroups=yes
+#RestrictNamespaces=net uts ipc pid user cgroup
+
+[Install]
+WantedBy=multi-user.target

systemd/system/matrix-sliding-sync.service

@@ -0,0 +1,19 @@
+[Unit]
+Description=Matrix sliding sync proxy (MSC3575)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=root
+Group=root
+Environment=LANG=en_US.UTF-8
+WorkingDirectory=/opt/sliding-sync
+ExecStart=/opt/sliding-sync/syncv3
+ExecReload=/usr/bin/kill -HUP $MAINPID
+EnvironmentFile=/opt/sliding-sync/.env
+Restart=always
+RestartSec=3
+
+[Install]
+WantedBy=multi-user.target

systemd/system/minecraft.service

@@ -0,0 +1,28 @@
+[Unit]
+Description=Minecraft Serber
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=forking
+User=mc
+Group=mc
+Environment=JAVA_HOME=/usr/lib/jvm/java-8-openjdk/bin/
+WorkingDirectory=/opt/mc/server/
+ExecStart=/usr/bin/tmux new-session -s minecraft -d 'java -Xmx512M -Xms512M -jar project-poseidon-1.1.8.jar nogui'
+ExecStop=/usr/bin/tmux send -t minecraft.0 stop ENTER
+#ExecRestart=/usr/bin/tmux send -t minecraft.0 stop ENTER; sleep 10; /usr/bin/tmux new-session -s minecraft -d 'java -Xmx512M -Xms512M -jar project-poseidon-1.1.8.jar nogui'
+TimeoutStopSec=10
+TimeoutStartSec=10
+StandardOutput=null
+StandardError=null
+RemainAfterExit=yes
+KillMode=none
+RestartMode=direct
+#KillSignal=SIGINT
+#RestartKillSignal=SIGINT
+Restart=always
+RestartSec=10
+
+[Install]
+WantedBy=multi-user.target

systemd/system/rimgo.service

@@ -0,0 +1,37 @@
+[Unit]
+Description=Rimgo - An Imgur Proxy
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=rimgo
+Group=rimgo
+WorkingDirectory=/opt/rimgo
+ExecStart=/opt/rimgo/rimgo
+Restart=on-failure
+RestartSec=3s
+
+ReadWritePaths=/opt/rimgo
+NoNewPrivileges=yes
+MemoryDenyWriteExecute=true
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectSystem=strict
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictRealtime=true
+LockPersonality=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectHostname=true
+ProtectKernelModules=true
+PrivateUsers=true
+ProtectClock=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+
+[Install]
+WantedBy=multi-user.target