flake/hosts/lightsail-tokyo/Caddyfile

{
	# Disables HTTP/3 for Hysteria
	# https://github.com/apernet/hysteria/issues/768
	servers :443 {
		protocols h1 h2 h2c
	}
}

(default) {
	encode zstd gzip

	header {
		# https://observatory.mozilla.org/analyze/ny4.dev
		# https://infosec.mozilla.org/guidelines/web_security
		# https://caddyserver.com/docs/caddyfile/directives/header#examples

		?Content-Security-Policy "default-src https: blob: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
		?Permissions-Policy interest-Hpcohort=()
		?Strict-Transport-Security max-age=31536000;
		?X-Content-Type-Options nosniff
		?X-Frame-Options DENY
	}

	handle_path /robots.txt {
		file_server * {
			root /var/www/robots/robots.txt
		}
	}
}

www.ny4.dev {
	import default
	redir https://ny4.dev
}

# get the certificate for hysteria
tyo0.ny4.dev {
	import default
	redir https://ny4.dev
}

ny4.dev {
	import default

	# Synapse
	header /.well-known/matrix/* Content-Type application/json
	header /.well-known/matrix/* Access-Control-Allow-Origin *
	handle_path /.well-known/matrix/* {
		file_server * {
			root /var/www/matrix
		}
	}

	# Mastodon
	header /.well-known/webfinger Access-Control-Allow-Origin *
	redir /.well-known/webfinger https://mastodon.ny4.dev{uri} permanent

	# Homepage Dashboard
	reverse_proxy localhost:9200
}

searx.ny4.dev {
	import default
	reverse_proxy localhost:8100
}

pb.ny4.dev {
	import default
	reverse_proxy localhost:8200
}

uptime.ny4.dev {
	import default
	reverse_proxy localhost:8300
}

ntfy.ny4.dev {
	import default
	reverse_proxy unix//run/ntfy-sh/ntfy.sock
}

pixiv.ny4.dev {
	import default
	basicauth {
		Guanran928 $2a$14$aI977hGZCX6H9IiyG7avdOFxXFGtlt7DcIahTkInPhEx9Sfhk7bri
	}
	reverse_proxy unix//run/pixivfe/pixiv.sock
}

id.ny4.dev {
	import default
	reverse_proxy localhost:8800
}

element.ny4.dev {
	import default
	root * @element@
	file_server
}

git.ny4.dev {
	import default
	reverse_proxy unix//run/forgejo/forgejo.sock
}

rss.ny4.dev {
	import default
	reverse_proxy localhost:9300
}