feat: add VNC stream proxy & automate certbot renewal

This commit is contained in:
hyungi
2026-01-03 19:10:52 +09:00
parent 07ba73e329
commit dc5db0d15a
4 changed files with 178 additions and 13 deletions

17
.gitignore vendored Normal file

@@ -0,0 +1,17 @@
# Logs
fail2ban-log/
*.log
# Data & Database
fail2ban-data/
rustdesk-data/
omnifocus-data/
*.sqlite3
# SSL Certificates (Secrets)
ssl-certs/
certbot-webroot/
archive/
# OS specific
.DS_Store


@@ -0,0 +1,17 @@
version: '3.8'
services:
certbot:
image: certbot/certbot
container_name: home-service-certbot-daemon
restart: unless-stopped
volumes:
- ./ssl-certs:/etc/letsencrypt
- ./certbot-webroot:/var/www/certbot
- /var/run/docker.sock:/var/run/docker.sock
# 12시간마다 갱신 체크 + 갱신 성공 시 Nginx 자동 리로드 (--post-hook)
entrypoint: >
/bin/sh -c ' apk add --no-cache docker-cli && trap exit TERM; while :; do
certbot renew --webroot -w /var/www/certbot --post-hook "docker exec home-service-proxy-ssl nginx -s reload";
sleep 12h & wait $${!};
done;'
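Review bot: Mounting `/var/run/docker.sock` (third `volumes` entry) gives the certbot container control of the host's Docker daemon, which is root-equivalent on the host, only so the `--post-hook` can run `docker exec home-service-proxy-ssl nginx -s reload`. A narrower design avoids the socket entirely: let the proxy container reload itself periodically or when the shared `./ssl-certs` volume changes, or place the socket behind a filtering socket proxy that permits nothing beyond that single exec. Note also that `apk add --no-cache docker-cli` runs on every container start and only the `trap` is chained to its success (`&&`), so if the install fails the renew loop still runs while every post-hook fails; installing the client in an image build step would make this deterministic. `version: '3.8'` is ignored by current Compose releases and can be dropped.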


@@ -7,8 +7,9 @@ services:
container_name: home-service-proxy-ssl
restart: unless-stopped
ports:
- "8097:80" # HTTP (Let's Encrypt 인증용)
- "80:80" # HTTP (Let's Encrypt 인증용)
- "8443:443" # HTTPS (최종 접속용)
- "5901:5901" # macOS Screen Sharing (TCP Stream)
volumes:
- ./nginx-ssl.conf:/etc/nginx/nginx.conf:ro
- ./security.conf:/etc/nginx/conf.d/security.conf:ro
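Review bot: The new `- "5901:5901"` entry publishes the macOS Screen Sharing TCP stream on every host interface, and the matching `stream` server in nginx-ssl.conf (`listen 5901;` block) carries no `allow`/`deny` rules, so the VNC service's own authentication is the only gate for anyone who can reach the host. If the intent is access from a LAN or VPN range only, bind the published port to that interface, e.g. `- "<lan-or-vpn-ip>:5901:5901"` (placeholder), and/or add `allow <trusted-cidr>; deny all;` inside the stream server block. The stream proxy is plain TCP passthrough, so no TLS is added in front of the screen-sharing protocol. The `"80:80"` change itself is consistent with the ACME webroot challenge needing port 80 reachable.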
@@ -18,17 +19,6 @@ services:
networks:
- home-service-proxy-net
# Certbot (Let's Encrypt)
certbot:
image: certbot/certbot
container_name: home-service-certbot
volumes:
- ./ssl-certs:/etc/letsencrypt
- ./certbot-webroot:/var/www/certbot
command: certonly --webroot --webroot-path=/var/www/certbot --email ahn@hyungi.net --agree-tos --no-eff-email --expand -d jellyfin.hyungi.net -d komga.hyungi.net -d webdav.hyungi.net
profiles:
- ssl-setup
# Fail2Ban 보안 모니터링
fail2ban:
image: crazymax/fail2ban:latest


@@ -9,6 +9,19 @@ events {
multi_accept on;
}
stream {
upstream mac_screen_sharing {
server 192.168.1.122:5900;
}
server {
listen 5901;
proxy_pass mac_screen_sharing;
proxy_connect_timeout 60s;
proxy_timeout 300s;
}
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
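Review bot: The new `stream` block defines no `access_log`, so connections to `listen 5901;` leave no record that the fail2ban container in docker-compose.yml could consume, unlike the HTTP vhosts. Add a format and log in the stream context, e.g. `log_format stream_basic '$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time';` followed by `access_log /var/log/nginx/stream_access.log stream_basic;`. `proxy_timeout 300s;` also closes a session after five minutes with no traffic in either direction; if idle screen-sharing sessions are expected to persist longer, raise it. The `http {` block opened at the end of this hunk continues outside it.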
@@ -80,13 +93,38 @@ http {
keepalive 16;
}
upstream dsm_backend {
server 192.168.1.227:5000;
keepalive 16;
}
upstream document_backend {
server 192.168.1.122:8181;
keepalive 16;
}
upstream gitea_backend {
server 192.168.1.227:10300;
keepalive 16;
}
upstream vault_backend {
server 192.168.1.227:8443;
keepalive 16;
}
upstream news_backend {
server 192.168.1.227:8080;
keepalive 16;
}
# HTTP → HTTPS 리다이렉트
server {
listen 80;
server_name jellyfin.hyungi.net komga.hyungi.net webdav.hyungi.net;
server_name jellyfin.hyungi.net komga.hyungi.net webdav.hyungi.net ds1525.hyungi.net document.hyungi.net git.hyungi.net vault.hyungi.net news.hyungi.net;
# Let's Encrypt 인증 경로
location /.well-known/acme-challenge/ {
@@ -278,4 +316,107 @@ http {
}
}
# HTTPS 서버 - DSM (Synology)
server {
listen 443 ssl;
http2 on;
server_name ds1525.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers off;
client_max_body_size 0;
location / {
proxy_pass http://dsm_backend;
include /etc/nginx/conf.d/security.conf;
}
}
# HTTPS 서버 - DevonThink (Document)
server {
listen 443 ssl;
http2 on;
server_name document.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers off;
location / {
proxy_pass http://document_backend;
include /etc/nginx/conf.d/security.conf;
}
}
# HTTPS 서버 - Gitea
server {
listen 443 ssl;
http2 on;
server_name git.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers off;
client_max_body_size 512M;
location / {
proxy_pass http://gitea_backend;
include /etc/nginx/conf.d/security.conf;
}
}
# HTTPS 서버 - Vaultwarden
server {
listen 443 ssl;
http2 on;
server_name vault.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers off;
location / {
proxy_pass http://vault_backend;
include /etc/nginx/conf.d/security.conf;
# WebSocket support for Vaultwarden notifications
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
# HTTPS 서버 - News (RSS)
server {
listen 443 ssl;
http2 on;
server_name news.hyungi.net;
ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers off;
location / {
proxy_pass http://news_backend;
include /etc/nginx/conf.d/security.conf;
}
}
}
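Review bot: All five new HTTPS server blocks (ds1525, document, git, vault, news) load `/etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem`, but the only issuance command visible in this commit (the removed `certonly ... -d jellyfin.hyungi.net -d komga.hyungi.net -d webdav.hyungi.net`) does not include those names and `certbot renew` never adds SANs, so unless the certificate was expanded out of band clients will see a hostname mismatch on these vhosts. Keep an issuance/expansion step in the repo and confirm the live certificate's SAN list before relying on the renewal daemon alone. In the Vaultwarden block the `Upgrade`/`Connection "upgrade"` headers are set but no `proxy_http_version 1.1;` is visible and nginx defaults to HTTP/1.0 upstream, so the WebSocket upgrade will not be forwarded unless security.conf sets it — add it next to the two headers. The repeated `ssl_certificate`/`ssl_certificate_key`/`ssl_protocols`/`ssl_ciphers`/`ssl_prefer_server_ciphers` stanza could move into one snippet included by each server block, which also keeps the cipher policy in a single place.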