Sanitized mirror from private repository - 2026-04-20 01:32:01 UTC

2026-04-20 01:32:01 +00:00
commit e7652c8dab
1445 changed files with 364095 additions and 0 deletions
--- a/hosts/physical/concord-nuc/nginx/client.spotify.vish.gg.conf
+++ b/hosts/physical/concord-nuc/nginx/client.spotify.vish.gg.conf
@@ -0,0 +1,28 @@
+# Redirect all HTTP traffic to HTTPS
+server {
+    listen 80;
+    server_name client.spotify.vish.gg;
+
+    return 301 https://$host$request_uri;
+}
+
+# HTTPS configuration for the subdomain
+server {
+    listen 443 ssl;
+    server_name client.spotify.vish.gg;
+
+    # SSL Certificates (managed by Certbot)
+    ssl_certificate /etc/letsencrypt/live/client.spotify.vish.gg/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/client.spotify.vish.gg/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+    # Proxy to Docker container
+    location / {
+        proxy_pass http://127.0.0.1:4000; # Maps to your Docker container
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
--- a/hosts/physical/concord-nuc/nginx/in.vish.gg.conf
+++ b/hosts/physical/concord-nuc/nginx/in.vish.gg.conf
@@ -0,0 +1,63 @@
+server {
+    if ($host = in.vish.gg) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    listen 80;
+    server_name in.vish.gg;
+
+    # Redirect all HTTP traffic to HTTPS
+    return 301 https://$host$request_uri;
+
+
+}
+
+server {
+    listen 443 ssl http2;
+    server_name in.vish.gg;
+
+    # SSL Certificates (Certbot paths)
+    ssl_certificate /etc/letsencrypt/live/in.vish.gg/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/in.vish.gg/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    # --- Reverse Proxy to Invidious ---
+    location / {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_http_version 1.1;
+
+        # Required headers for reverse proxying
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # WebSocket and streaming stability
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Disable buffering for video streams
+        proxy_buffering off;
+        proxy_request_buffering off;
+
+        # Avoid premature timeouts during long playback
+        proxy_read_timeout 600s;
+        proxy_send_timeout 600s;
+    }
+
+    # Cache static assets (images, css, js) for better performance
+    location ~* \.(?:jpg|jpeg|png|gif|ico|css|js|webp)$ {
+        expires 30d;
+        add_header Cache-Control "public, no-transform";
+        proxy_pass http://127.0.0.1:3000;
+    }
+
+    # Security headers (optional but sensible)
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header Referrer-Policy same-origin;
+
+}
--- a/hosts/physical/concord-nuc/nginx/spotify.conf
+++ b/hosts/physical/concord-nuc/nginx/spotify.conf
@@ -0,0 +1,28 @@
+# Redirect HTTP to HTTPS
+server {
+    listen 80;
+    server_name spotify.vish.gg;
+
+    return 301 https://$host$request_uri;
+}
+
+# HTTPS server block
+server {
+    listen 443 ssl;
+    server_name spotify.vish.gg;
+
+    # SSL Certificates (managed by Certbot)
+    ssl_certificate /etc/letsencrypt/live/spotify.vish.gg/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/spotify.vish.gg/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    # Proxy requests to backend API
+    location / {
+        proxy_pass http://127.0.0.1:15000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
--- a/hosts/physical/concord-nuc/nginx/vp.vish.gg.conf
+++ b/hosts/physical/concord-nuc/nginx/vp.vish.gg.conf
@@ -0,0 +1,74 @@
+# Redirect HTTP to HTTPS
+server {
+    listen 80;
+    server_name vp.vish.gg api.vp.vish.gg proxy.vp.vish.gg;
+
+    return 301 https://$host$request_uri;
+}
+
+# HTTPS Reverse Proxy for Piped
+server {
+    listen 443 ssl http2;
+    server_name vp.vish.gg;
+
+    # SSL Certificates (managed by Certbot)
+    ssl_certificate /etc/letsencrypt/live/vp.vish.gg/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/vp.vish.gg/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    # Proxy requests to Piped Frontend (use Docker service name, NOT 127.0.0.1)
+    location / {
+        proxy_pass http://127.0.0.1:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+# HTTPS Reverse Proxy for Piped API
+server {
+    listen 443 ssl http2;
+    server_name api.vp.vish.gg;
+
+    # SSL Certificates
+    ssl_certificate /etc/letsencrypt/live/vp.vish.gg/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/vp.vish.gg/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    # Proxy requests to Piped API backend
+    location / {
+        proxy_pass http://127.0.0.1:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+# HTTPS Reverse Proxy for Piped Proxy (for video streaming)
+server {
+    listen 443 ssl http2;
+    server_name proxy.vp.vish.gg;
+
+    # SSL Certificates
+    ssl_certificate /etc/letsencrypt/live/vp.vish.gg/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/vp.vish.gg/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+    # Proxy video playback requests through ytproxy
+    location ~ (/videoplayback|/api/v4/|/api/manifest/) {
+        include snippets/ytproxy.conf;
+        add_header Cache-Control private always;
+        proxy_hide_header Access-Control-Allow-Origin;
+    }
+
+    location / {
+        include snippets/ytproxy.conf;
+        add_header Cache-Control "public, max-age=604800";
+        proxy_hide_header Access-Control-Allow-Origin;
+    }
+}