7faa9098de
Restructure around a single entry point (automations.sh) with a Gum wizard and a self-extracting bundle for repo-less installs. Add scripts/oslib.sh so the provisioning scripts (setup-host, harden-ssh, harden-jumphost, sshuser) run on Alpine/Debian/Alma; seed root keys from globals/.

- ntfy SSH-login alerts (user, source IP, key, region, jump target) via pam_exec
- daily auto-updates with AUTO_REBOOT=idle (reboots only when no SSH active) and opt-in Alpine stable-branch upgrades
- generic + per-deployment cloud-init; Gitea release workflow on tag
- README/LICENSE/.gitignore/.gitattributes (force LF); repo URLs -> Gitea
51 lines
1.3 KiB
Caddyfile
# Caddyfile for the webfinger + redirect stack.
#
# - /.well-known/webfinger -> dynamic JRD response, echoing the queried
#   resource as `subject` and pointing OIDC discovery at $ISSUER_URL.
# - everything else -> 301 to $REDIRECT_URL (preserving path + query).
#
# To also serve www: change `{$BASE_DOMAIN}` below to
# `{$BASE_DOMAIN}, www.{$BASE_DOMAIN}`.

{
	email {$ACME_EMAIL}
	# Staging CA for testing without burning LE rate limits:
	# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

{$BASE_DOMAIN} {
	encode zstd gzip

	@webfinger path /.well-known/webfinger
	handle @webfinger {
		header Content-Type "application/jrd+json"
		header Cache-Control "public, max-age=3600"
		templates
		respond `{
			"subject": "{{.Req.URL.Query.Get "resource"}}",
			"links": [
				{
					"rel": "http://openid.net/specs/connect/1.0/issuer",
					"href": "{$ISSUER_URL}"
				}
			]
		}` 200
	}

	handle {
		redir {$REDIRECT_URL}{uri} permanent
	}

	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin-when-cross-origin"
		-Server
	}

	log {
		output stdout
		format console
	}
}
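Review bot: the `respond` template inside `handle @webfinger` interpolates the raw `resource` query value straight into a JSON string literal (`"subject": "{{.Req.URL.Query.Get "resource"}}"`) with no escaping, so a quote or backslash in `?resource=` yields malformed JRD and lets the client shape the response body; pass the value through a JSON-encoding template function (Caddy's templates module bundles the Sprig library, whose `toJson` quotes and escapes a string, in which case drop the surrounding quotes) or reject unexpected characters before responding. Related: the handler answers 200 with an issuer link for any `resource`, including identifiers this host is not authoritative for, and for a missing parameter, whereas RFC 7033 expects 404 for unknown resources and 400 when `resource` is absent; guarding the handler with a matcher on the `resource` parameter so that only identifiers under `{$BASE_DOMAIN}` receive the JRD, with a 404 fallback, would keep the endpoint from vouching for foreign subjects.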