57_Wolve 7faa9098de feat: unified launcher, multi-OS hardening, login alerts & auto-updates
Restructure around a single entry point (automations.sh) with a Gum wizard and
a self-extracting bundle for repo-less installs. Add scripts/oslib.sh so the
provisioning scripts (setup-host, harden-ssh, harden-jumphost, sshuser) run on
Alpine/Debian/Alma; seed root keys from globals/.

- ntfy SSH-login alerts (user, source IP, key, region, jump target) via pam_exec
- daily auto-updates with AUTO_REBOOT=idle (reboots only when no SSH active) and
  opt-in Alpine stable-branch upgrades
- generic + per-deployment cloud-init; Gitea release workflow on tag
- README/LICENSE/.gitignore/.gitattributes (force LF); repo URLs -> Gitea
2026-06-12 14:56:02 -05:00

Caddyfile (51 lines, 1.3 KiB)

# Caddyfile for the webfinger + redirect stack.
#
# - /.well-known/webfinger -> dynamic JRD response, echoing the queried
#   resource as `subject` and pointing OIDC discovery at $ISSUER_URL.
# - everything else -> 301 to $REDIRECT_URL (preserving path + query).
#
# To also serve www: change `{$BASE_DOMAIN}` below to
# `{$BASE_DOMAIN}, www.{$BASE_DOMAIN}`.
#
# Note: the handler answers for any `resource` value; it does not check that
# the account belongs to this domain.
{
	email {$ACME_EMAIL}
	# Staging CA for testing without burning LE rate limits:
	# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

{$BASE_DOMAIN} {
	encode zstd gzip

	@webfinger path /.well-known/webfinger
	handle @webfinger {
		header Content-Type "application/jrd+json"
		header Cache-Control "public, max-age=3600"
		# `templates` only evaluates responses whose Content-Type is in its
		# `mime` list (default: text/plain, text/markdown, text/html), so the
		# JRD type must be listed or the {{ }} below is sent out verbatim.
		templates {
			mime application/jrd+json
		}
		# `toJson` (Sprig, bundled with Caddy's templates) quotes and escapes
		# the caller-supplied resource, so a `"` or `\` in the query string
		# cannot break the document or inject extra JSON members.
		respond `{
	"subject": {{.Req.URL.Query.Get "resource" | toJson}},
	"links": [
		{
			"rel": "http://openid.net/specs/connect/1.0/issuer",
			"href": "{$ISSUER_URL}"
		}
	]
}` 200
	}

	# Everything else: permanent redirect, keeping path and query.
	handle {
		redir {$REDIRECT_URL}{uri} permanent
	}

	# Site-wide response headers (`-Server` drops the Server header).
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin-when-cross-origin"
		-Server
	}

	log {
		output stdout
		format console
	}
}
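The checks an OIDC client applies to the JRD body this handler emits, as an added example that is not part of the repository. It renders the document two ways (interpolating the `resource` query value raw, and JSON-encoding it the way a `toJson`-style template function does) and validates the result the way a WebFinger-based issuer lookup would (RFC 7033 plus OIDC Discovery 1.0). The issuer URL, the account names and the hostile `resource` values are constructed here, not observed against any deployment.

```python
# Added example (not part of the repository): offline checks of the JRD body
# the /.well-known/webfinger handler is meant to emit, from the point of view
# of an OIDC client doing issuer discovery. All sample values are constructed.
import json
from urllib.parse import urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed stand-ins for $ISSUER_URL and for three WebFinger lookups.
ISSUER = "https://id.example.org"
GOOD_RESOURCE = "acct:alice@example.org"
# Keeps the document syntactically valid but truncates `subject` and adds a member.
HOSTILE_RESOURCE = 'acct:alice@example.org", "injected": "'
# A trailing backslash swallows the closing quote and breaks the document.
BROKEN_RESOURCE = "acct:alice@example.org\\"


def render_jrd_unescaped(resource: str, issuer: str) -> str:
    """Shape of a template that writes the query value straight into the JSON
    string literal (`"subject": "{{ ... }}"`) without escaping."""
    return '{"subject": "%s", "links": [{"rel": "%s", "href": "%s"}]}' % (
        resource, OIDC_ISSUER_REL, issuer)


def render_jrd_escaped(resource: str, issuer: str) -> str:
    """Same document, but the resource goes through a JSON string encoder,
    which is what piping it through a `toJson`-style function produces."""
    return '{"subject": %s, "links": [{"rel": "%s", "href": "%s"}]}' % (
        json.dumps(resource), OIDC_ISSUER_REL, issuer)


def check_jrd(body: str, content_type: str, resource: str, expected_issuer: str) -> list[str]:
    """Return the reasons a client should reject this WebFinger response;
    an empty list means it is acceptable for OIDC issuer discovery."""
    problems: list[str] = []
    if not content_type.startswith("application/jrd+json"):
        problems.append(f"content-type is {content_type!r}, expected application/jrd+json")
    try:
        jrd = json.loads(body)
    except json.JSONDecodeError as exc:
        # Nothing below can be trusted if the document is malformed.
        return problems + [f"body is not valid JSON: {exc.msg} at offset {exc.pos}"]
    if not isinstance(jrd, dict):
        return problems + ["body is not a JSON object"]
    if jrd.get("subject") != resource:
        problems.append(
            f"subject {jrd.get('subject')!r} does not echo the queried resource {resource!r}")
    issuer_links = [
        link for link in jrd.get("links", [])
        if isinstance(link, dict) and link.get("rel") == OIDC_ISSUER_REL
    ]
    if len(issuer_links) != 1:
        problems.append(f"expected exactly one {OIDC_ISSUER_REL} link, found {len(issuer_links)}")
        return problems
    href = issuer_links[0].get("href")
    if not isinstance(href, str) or urlsplit(href).scheme != "https":
        problems.append(f"issuer href {href!r} is not an https URL")
    # OIDC Discovery: the issuer learned here must equal, byte for byte, the
    # `issuer` the client later reads from <issuer>/.well-known/openid-configuration.
    if href != expected_issuer:
        problems.append(f"issuer href {href!r} != expected issuer {expected_issuer!r}")
    return problems


if __name__ == "__main__":
    ct = "application/jrd+json"
    for name, render in (("unescaped", render_jrd_unescaped), ("escaped", render_jrd_escaped)):
        for res in (GOOD_RESOURCE, HOSTILE_RESOURCE, BROKEN_RESOURCE):
            print(f"{name:9} {res!r:45} {check_jrd(render(res, ISSUER), ct, res, ISSUER) or 'ok'}")
```

Running it shows the unescaped rendering passing for an ordinary account but yielding either a subject that no longer matches the query or an unparseable body for the two hostile values, while the JSON-encoded rendering passes all three. The same `check_jrd` can be pointed at a live deployment by feeding it the body and `Content-Type` of `curl -i 'https://$BASE_DOMAIN/.well-known/webfinger?resource=acct:alice@example.org'`.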