Add system services and more
parent
93ea14ec50
commit
37f5b589a7
|
@ -13,24 +13,20 @@ server {
|
|||
|
||||
location / {
|
||||
proxy_pass http://inv-debug;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $host; # so Invidious knows domain
|
||||
proxy_http_version 1.1; # to keep alive
|
||||
proxy_set_header Connection ""; # to keep alive
|
||||
include configs/proxy.conf;
|
||||
limit_rate 12000k;
|
||||
# Disable buffering and cache so i don't kill my
|
||||
# SSD and bandwidth usage
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
proxy_cache off;
|
||||
proxy_intercept_errors on;
|
||||
error_page 502 = @fallback;
|
||||
}
|
||||
|
||||
location ~ ^/api/ {
|
||||
proxy_pass http://inv-debug;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $host; # so Invidious knows domain
|
||||
proxy_http_version 1.1; # to keep alive
|
||||
proxy_set_header Connection ""; # to keep alive
|
||||
include configs/proxy.conf;
|
||||
limit_rate 12000k;
|
||||
# Disable buffering and cache so i don't kill my
|
||||
# SSD and bandwidth usage
|
||||
|
@ -40,6 +36,31 @@ server {
|
|||
limit_req zone=one;
|
||||
}
|
||||
|
||||
location ~ (^/videoplayback|^/vi/|^/ggpht/|^/sb/) {
|
||||
proxy_buffering on;
|
||||
proxy_buffers 1024 16k;
|
||||
proxy_set_header X-Forwarded-For "";
|
||||
proxy_hide_header "alt-svc";
|
||||
sendfile_max_chunk 512k;
|
||||
tcp_nopush on;
|
||||
aio threads=default;
|
||||
aio_write on;
|
||||
directio 16m;
|
||||
proxy_hide_header Cache-Control;
|
||||
proxy_hide_header etag;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Connection keep-alive;
|
||||
proxy_max_temp_file_size 32m;
|
||||
access_log /var/log/nginx/http3-ytproxy.log;
|
||||
proxy_pass http://unix:/opt/http3-ytproxy/socket/http-proxy.sock;
|
||||
add_header Cache-Control private always;
|
||||
}
|
||||
|
||||
location @fallback {
|
||||
root /etc/nginx/errors;
|
||||
try_files $uri /502.html = 502;
|
||||
}
|
||||
|
||||
# QUIC
|
||||
add_header Alt-Svc 'h3=":443"; ma=86400';
|
||||
|
||||
|
|
|
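Review bot: In the `@fallback` location, `try_files $uri /502.html = 502;` has a space between `=` and the code, so nginx reads `=` and `502` as two separate arguments instead of a status fallback, and the last argument is then treated as a URI for an internal redirect. If `/etc/nginx/errors/502.html` is ever missing, the request ends in a redirect to a non-existent `502` rather than a clean 502 response. Writing it as `try_files /502.html =502;` gives the intended behaviour and also stops request paths from being looked up under the error-page root. The same line appears in the `@fallback` block of the other Invidious server file in this commit.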
@ -1,4 +1,5 @@
|
|||
server {
|
||||
access_log /var/log/nginx/i.ayaya.beauty.access.log;
|
||||
server_name i.ayaya.beauty;
|
||||
root /var/www/files2;
|
||||
autoindex off;
|
||||
|
@ -8,8 +9,10 @@ server {
|
|||
include configs/robotsNone.conf;
|
||||
|
||||
location / {
|
||||
rewrite ^/(.*)/$ /\$1 break;
|
||||
try_files $uri $uri.jpg $uri.png $uri.gif $uri.css $uri.js $uri/ =404;
|
||||
error_page 403 =301 https://ayaya.beauty;
|
||||
error_page 404 = /404.gif;
|
||||
error_page 404 =301 https://ayaya.beauty;
|
||||
}
|
||||
|
||||
listen 443 ssl;
|
||||
|
|
|
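Review bot: The replacement in `rewrite ^/(.*)/$ /\$1 break;` keeps the backslash, because as far as I know nginx has no `\$` escape in rewrite replacements, so a request ending in `/` is rewritten to `/\<path>` rather than `/<path>`. This looks like shell or template escaping that leaked into the config. If the goal is to strip a trailing slash, `rewrite ^/(.*)/$ /$1 break;` is the form that does it. With the backslash in place those requests would fall through `try_files` to the 404 handler and be redirected to https://ayaya.beauty. The old/new side of this line is not recoverable from the rendered page, so check it against the file.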
@ -6,9 +6,9 @@ limit_req_zone $binary_remote_addr zone=invidiousapi:10m rate=30r/s;
|
|||
|
||||
upstream inv {
|
||||
least_conn;
|
||||
server 127.0.0.1:40015 max_fails=2 fail_timeout=2s;
|
||||
server 127.0.0.1:40016 max_fails=2 fail_timeout=2s;
|
||||
#server 127.0.0.1:40017 backup fail_timeout=3s;
|
||||
server 127.0.0.1:40015 max_fails=2 fail_timeout=1s;
|
||||
server 127.0.0.1:40016 max_fails=2 fail_timeout=1s;
|
||||
server 127.0.0.1:40017 max_fails=2 fail_timeout=1s;
|
||||
}
|
||||
|
||||
# CLEARNET
|
||||
|
@ -22,18 +22,37 @@ server {
|
|||
|
||||
location @upstream {
|
||||
proxy_pass http://inv;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header Host $host; # so Invidious knows domain
|
||||
proxy_http_version 1.1; # to keep alive
|
||||
proxy_set_header Connection ""; # to keep alive
|
||||
include configs/proxy.conf;
|
||||
limit_rate 8000k;
|
||||
# Disable buffering and cache so i don't kill my
|
||||
# SSD and bandwidth usage
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
proxy_cache off;
|
||||
proxy_intercept_errors on;
|
||||
error_page 502 = @fallback;
|
||||
}
|
||||
|
||||
location ~ (^/videoplayback|^/vi/|^/ggpht/|^/sb/) {
|
||||
# Woops! Sorry. I don't want to kill my SSD lol!
|
||||
#proxy_buffering on;
|
||||
#proxy_buffers 1024 16k;
|
||||
proxy_set_header X-Forwarded-For "";
|
||||
proxy_hide_header "alt-svc";
|
||||
sendfile_max_chunk 512k;
|
||||
tcp_nopush on;
|
||||
aio threads=default;
|
||||
aio_write on;
|
||||
directio 16m;
|
||||
proxy_hide_header Cache-Control;
|
||||
proxy_hide_header etag;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Connection keep-alive;
|
||||
proxy_max_temp_file_size 32m;
|
||||
proxy_pass http://unix:/opt/http3-ytproxy/socket/http-proxy.sock;
|
||||
add_header Cache-Control private always;
|
||||
}
|
||||
|
||||
location / {
|
||||
try_files $uri @upstream;
|
||||
}
|
||||
|
@ -48,6 +67,11 @@ server {
|
|||
limit_req zone=invidiousapi;
|
||||
}
|
||||
|
||||
location @fallback {
|
||||
root /etc/nginx/errors;
|
||||
try_files $uri /502.html = 502;
|
||||
}
|
||||
|
||||
# QUIC
|
||||
add_header Alt-Svc 'h3=":443"; ma=86400';
|
||||
|
||||
|
|
|
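Review bot: The server-level `add_header Alt-Svc 'h3=":443"; ma=86400';` is not applied to responses from the `(^/videoplayback|^/vi/|^/ggpht/|^/sb/)` location, because that location declares its own `add_header Cache-Control private always;` and nginx inherits `add_header` from the outer level only when the inner level has none. Since the same location also hides the upstream `alt-svc` header, media responses carry no HTTP/3 advertisement at all. If that is not intended, repeat `add_header Alt-Svc 'h3=":443"; ma=86400';` inside the location. The same rule would drop any security headers set at server level outside this hunk, and the debug server file has the same pair of directives.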
@ -11,7 +11,7 @@ server {
|
|||
location /.well-known/matrix/client {
|
||||
default_type application/json;
|
||||
add_header Access-Control-Allow-Origin '*';
|
||||
return 200 '{ "m.homeserver": { "base_url": "https://matrix.zzls.xyz" } }';
|
||||
return 200 '{ "m.homeserver": { "base_url": "https://matrix.zzls.xyz" }, "org.matrix.msc3575.proxy": {"url": "https://matrix.zzls.xyz"}}';
|
||||
}
|
||||
|
||||
location / {
|
||||
|
@ -19,8 +19,15 @@ server {
|
|||
index index.html;
|
||||
}
|
||||
|
||||
location ~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync) {
|
||||
proxy_pass http://127.0.0.1:40022;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
|
||||
location ~ ^(/_matrix|/_synapse/client|/health) {
|
||||
proxy_pass http://localhost:40020;
|
||||
proxy_pass http://127.0.0.1:40020;
|
||||
include configs/proxy.conf;
|
||||
client_max_body_size 64M;
|
||||
}
|
||||
|
|
|
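Review bot: The dots in `location ~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync)` are unescaped, so each one matches any character, and the pattern has no end anchor, so it also captures longer paths that merely start with the sync endpoint. Because this regex location is listed before `^(/_matrix|/_synapse/client|/health)`, anything it matches goes to the service on port 40022 instead of the homeserver. Escaping the dots, `org\.matrix\.msc3575`, keeps the routing to the intended endpoint. The block also omits `include configs/proxy.conf;`, which the homeserver location uses; whether that matters depends on what the include sets, which is not visible here.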
@ -0,0 +1,39 @@
|
|||
[Unit]
|
||||
Description=Http3 YTProxy for Invidious
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=http
|
||||
Group=http
|
||||
Environment="DISABLE_WEBP=1"
|
||||
Environment="DISABLE_IPV6=1"
|
||||
WorkingDirectory=/opt/http3-ytproxy
|
||||
ExecStart=/opt/http3-ytproxy/http3-ytproxy
|
||||
Restart=on-failure
|
||||
RestartSec=5s
|
||||
|
||||
ReadWritePaths=/opt/http3-ytproxy/socket
|
||||
NoNewPrivileges=yes
|
||||
MemoryDenyWriteExecute=true
|
||||
PrivateDevices=yes
|
||||
PrivateTmp=yes
|
||||
ProtectHome=yes
|
||||
ProtectSystem=strict
|
||||
ProtectControlGroups=true
|
||||
RestrictSUIDSGID=true
|
||||
RestrictRealtime=true
|
||||
LockPersonality=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectHostname=true
|
||||
ProtectKernelModules=true
|
||||
PrivateUsers=true
|
||||
ProtectClock=true
|
||||
SystemCallArchitectures=native
|
||||
SystemCallErrorNumber=EPERM
|
||||
SystemCallFilter=@system-service
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
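Review bot: The sandbox for this unit leaves capabilities, address families and namespaces unrestricted. For a proxy that needs only its Unix socket and outbound IP traffic, `CapabilityBoundingSet=`, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` and `RestrictNamespaces=true` would close those gaps. Running `systemd-analyze security` on the unit shows what remains exposed. The rimgo unit added in this commit carries the same directive list and would take the same three lines.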
@ -0,0 +1,17 @@
|
|||
[Unit]
|
||||
Description=Invidious (An alternative YouTube front-end) DEBUG
|
||||
After=syslog.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
RestartSec=2s
|
||||
Type=simple
|
||||
User=invidious
|
||||
Group=invidious
|
||||
WorkingDirectory=/opt/invidious/invidious-debug
|
||||
ExecStart=/opt/invidious/invidious-debug/invidious
|
||||
Restart=always
|
||||
RuntimeMaxSec=1h
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
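Review bot: This unit has no sandboxing directives at all, although it runs a debug build that the nginx changes in this commit appear to proxy to (`inv-debug`). A small baseline such as `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=full` costs little, and the http3-ytproxy unit in this commit shows a fuller set that could be enabled one directive at a time. `After=syslog.target` can also go, since that target is obsolete in current systemd.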
@ -0,0 +1,35 @@
|
|||
[Unit]
|
||||
Description=Invidious (An alternative YouTube front-end)
|
||||
After=syslog.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
RestartSec=10s
|
||||
Type=simple
|
||||
User=invidious
|
||||
Group=invidious
|
||||
WorkingDirectory=/opt/invidious/invidious
|
||||
ExecStart=/opt/invidious/invidious/invidious -o invidious%i.log -p %i
|
||||
StandardOutput=null
|
||||
#StandardError=null
|
||||
Restart=always
|
||||
RuntimeMaxSec=1h
|
||||
LimitNOFILE=16384
|
||||
|
||||
# Security
|
||||
#PrivateTmp=yes
|
||||
#NoNewPrivileges=true
|
||||
#ProtectSystem=yes
|
||||
#ProtectDevices=yes
|
||||
#DevicePolicy=closed
|
||||
#ProtectKernelTunables=yes
|
||||
#ProtectControlGroups=yes
|
||||
#ProtectHostname=yes
|
||||
#ProtectKernelLogs=true
|
||||
#PrivateUsers=yes
|
||||
#ReadWriteDirectories=/home/invidious/invidious
|
||||
#ProtectControlGroups=yes
|
||||
#RestrictNamespaces=net uts ipc pid user cgroup
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
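Review bot: The whole `# Security` block is commented out, so the instances run with only the `invidious` account as a boundary, and two of the lines would not work if uncommented as written. `ProtectDevices=` is not a systemd directive (the setting is `PrivateDevices=yes`), and `ReadWriteDirectories=/home/invidious/invidious` names a path that differs from `WorkingDirectory=/opt/invidious/invidious`, which is presumably where the relative `-o invidious%i.log` ends up. When re-enabling, use `ReadWritePaths=/opt/invidious/invidious` and drop the duplicate `ProtectControlGroups=yes`. `StandardOutput=null` also discards anything the process prints outside its own log file.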
@ -0,0 +1,19 @@
|
|||
[Unit]
|
||||
Description=Matrix sliding sync proxy (MSC3575)
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=root
|
||||
Group=root
|
||||
Environment=LANG=en_US.UTF-8
|
||||
WorkingDirectory=/opt/sliding-sync
|
||||
ExecStart=/opt/sliding-sync/syncv3
|
||||
ExecReload=/usr/bin/kill -HUP $MAINPID
|
||||
EnvironmentFile=/opt/sliding-sync/.env
|
||||
Restart=always
|
||||
RestartSec=3
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
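Review bot: `User=root` and `Group=root` run this proxy with full privileges and no sandboxing, and the nginx change in this commit appears to expose it to the network under `/client/` and the MSC3575 sync path. Nothing visible in the unit needs root: systemd reads `EnvironmentFile=/opt/sliding-sync/.env` itself before dropping privileges, so the file can stay root-owned with mode 0600 while the process runs as a dedicated account. Replace the two lines with `User=<service-account>` and `Group=<service-account>` (placeholder name) and add `NoNewPrivileges=yes`, plus `ProtectSystem=strict` if the service writes nothing locally. The other new units in this commit already use per-service accounts.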
@ -0,0 +1,28 @@
|
|||
[Unit]
|
||||
Description=Minecraft Serber
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
User=mc
|
||||
Group=mc
|
||||
Environment=JAVA_HOME=/usr/lib/jvm/java-8-openjdk/bin/
|
||||
WorkingDirectory=/opt/mc/server/
|
||||
ExecStart=/usr/bin/tmux new-session -s minecraft -d 'java -Xmx512M -Xms512M -jar project-poseidon-1.1.8.jar nogui'
|
||||
ExecStop=/usr/bin/tmux send -t minecraft.0 stop ENTER
|
||||
#ExecRestart=/usr/bin/tmux send -t minecraft.0 stop ENTER; sleep 10; /usr/bin/tmux new-session -s minecraft -d 'java -Xmx512M -Xms512M -jar project-poseidon-1.1.8.jar nogui'
|
||||
TimeoutStopSec=10
|
||||
TimeoutStartSec=10
|
||||
StandardOutput=null
|
||||
StandardError=null
|
||||
RemainAfterExit=yes
|
||||
KillMode=none
|
||||
RestartMode=direct
|
||||
#KillSignal=SIGINT
|
||||
#RestartKillSignal=SIGINT
|
||||
Restart=always
|
||||
RestartSec=10
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
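Review bot: `KillMode=none` together with `RemainAfterExit=yes` takes the Java process out of systemd's supervision. The unit stays active once the tmux server exits, so `Restart=always` is unlikely to fire when the JVM dies, and on stop or restart nothing guarantees the old JVM is gone before a new tmux session starts in the same working directory. `KillMode=none` is also deprecated in current systemd. A safer shape is to drop both lines and have `ExecStop` wait for the server to exit after sending `stop`, with `TimeoutStopSec` raised to cover a world save. Separately, `JAVA_HOME` points at the `bin/` directory rather than the JDK root and appears unused, since the command calls `java` from PATH.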
@ -0,0 +1,37 @@
|
|||
[Unit]
|
||||
Description=Rimgo - An Imgur Proxy
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=rimgo
|
||||
Group=rimgo
|
||||
WorkingDirectory=/opt/rimgo
|
||||
ExecStart=/opt/rimgo/rimgo
|
||||
Restart=on-failure
|
||||
RestartSec=3s
|
||||
|
||||
ReadWritePaths=/opt/rimgo
|
||||
NoNewPrivileges=yes
|
||||
MemoryDenyWriteExecute=true
|
||||
PrivateDevices=yes
|
||||
PrivateTmp=yes
|
||||
ProtectHome=yes
|
||||
ProtectSystem=strict
|
||||
ProtectControlGroups=true
|
||||
RestrictSUIDSGID=true
|
||||
RestrictRealtime=true
|
||||
LockPersonality=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectHostname=true
|
||||
ProtectKernelModules=true
|
||||
PrivateUsers=true
|
||||
ProtectClock=true
|
||||
SystemCallArchitectures=native
|
||||
SystemCallErrorNumber=EPERM
|
||||
SystemCallFilter=@system-service
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
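Review bot: `ReadWritePaths=/opt/rimgo` makes the whole install directory writable inside the sandbox, including the `/opt/rimgo/rimgo` binary named in `ExecStart`, which undercuts `ProtectSystem=strict` if the `rimgo` user owns those files. The http3-ytproxy unit in this commit limits its writable area to a `socket` subdirectory. Doing the same here, for example `ReadWritePaths=/opt/rimgo/<data-dir>` (placeholder) or a `StateDirectory=`, keeps the executable and its configuration read-only to the service. If rimgo writes nothing to disk, the line can be removed.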