From dc5db0d15a6a7497ab0fe8b8199a963de7948513 Mon Sep 17 00:00:00 2001
From: hyungi
Date: Sat, 3 Jan 2026 19:10:52 +0900
Subject: [PATCH] feat: add VNC stream proxy & automate certbot renewal
---
 .gitignore | 17 +++++
 docker-compose-certbot.yml | 17 +++++
 docker-compose-ssl.yml | 14 +---
 nginx-ssl.conf | 143 ++++++++++++++++++++++++++++++++++++-
 4 files changed, 178 insertions(+), 13 deletions(-)
 create mode 100644 .gitignore
 create mode 100644 docker-compose-certbot.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..2f159dd
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,17 @@
+# Logs
+fail2ban-log/
+*.log
+
+# Data & Database
+fail2ban-data/
+rustdesk-data/
+omnifocus-data/
+*.sqlite3
+
+# SSL Certificates (Secrets)
+ssl-certs/
+certbot-webroot/
+archive/
+
+# OS specific
+.DS_Store
diff --git a/docker-compose-certbot.yml b/docker-compose-certbot.yml
new file mode 100644
index 0000000..5187677
--- /dev/null
+++ b/docker-compose-certbot.yml
@@ -0,0 +1,17 @@
+version: '3.8'
+
+services:
+ certbot:
+ image: certbot/certbot
+ container_name: home-service-certbot-daemon
+ restart: unless-stopped
+ volumes:
+ - ./ssl-certs:/etc/letsencrypt
+ - ./certbot-webroot:/var/www/certbot
+ - /var/run/docker.sock:/var/run/docker.sock
+ # 12시간마다 갱신 체크 + 갱신 성공 시 Nginx 자동 리로드 (--post-hook)
+ entrypoint: >
+ /bin/sh -c ' apk add --no-cache docker-cli && trap exit TERM; while :; do
+ certbot renew --webroot -w /var/www/certbot --post-hook "docker exec home-service-proxy-ssl nginx -s reload";
+ sleep 12h & wait $${!};
+ done;'
diff --git a/docker-compose-ssl.yml b/docker-compose-ssl.yml
index dd8bff3..ef2429b 100644
--- a/docker-compose-ssl.yml
+++ b/docker-compose-ssl.yml
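Review bot: The new certbot service bind-mounts `/var/run/docker.sock`, which hands a container that only needs to reload nginx unrestricted, root-equivalent control of the Docker host — anyone who gets code execution inside it (the image is the unpinned `certbot/certbot` tag, and `apk add docker-cli` is fetched from the network on every container start) can launch a privileged container. Certbot itself only needs the two certificate/webroot volumes; the reload can be done from the nginx side without the socket, e.g. by giving `home-service-proxy-ssl` in docker-compose-ssl.yml a `command: /bin/sh -c "while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g 'daemon off;'"` so it re-reads the renewed files on a timer. If a hook is kept instead, prefer `--deploy-hook`, which runs only after a successful renewal, over `--post-hook`, which also runs after failed attempts. Pinning the image to a version tag or digest would close the supply-chain half of this.
```yaml
    volumes:
      - ./ssl-certs:/etc/letsencrypt
      - ./certbot-webroot:/var/www/certbot
    # no docker.sock: nginx reloads itself on a timer (see docker-compose-ssl.yml)
    entrypoint: >
      /bin/sh -c 'trap exit TERM; while :; do
      certbot renew --webroot -w /var/www/certbot;
      sleep 12h & wait $${!};
      done;'
```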
@@ -7,8 +7,9 @@ services:
 container_name: home-service-proxy-ssl
 restart: unless-stopped
 ports:
- - "8097:80" # HTTP (Let's Encrypt 인증용)
+ - "80:80" # HTTP (Let's Encrypt 인증용)
 - "8443:443" # HTTPS (최종 접속용)
+ - "5901:5901" # macOS Screen Sharing (TCP Stream)
 volumes:
 - ./nginx-ssl.conf:/etc/nginx/nginx.conf:ro
 - ./security.conf:/etc/nginx/conf.d/security.conf:ro
@@ -18,17 +19,6 @@ services:
 networks:
 - home-service-proxy-net
- # Certbot (Let's Encrypt)
- certbot:
- image: certbot/certbot
- container_name: home-service-certbot
- volumes:
- - ./ssl-certs:/etc/letsencrypt
- - ./certbot-webroot:/var/www/certbot
- command: certonly --webroot --webroot-path=/var/www/certbot --email ahn@hyungi.net --agree-tos --no-eff-email --expand -d jellyfin.hyungi.net -d komga.hyungi.net -d webdav.hyungi.net
- profiles:
- - ssl-setup
-
 # Fail2Ban 보안 모니터링
 fail2ban:
 image: crazymax/fail2ban:latest
diff --git a/nginx-ssl.conf b/nginx-ssl.conf
index fc5784a..b1ea9dc 100644
--- a/nginx-ssl.conf
+++ b/nginx-ssl.conf
@@ -9,6 +9,19 @@ events {
 multi_accept on;
 }
+stream {
+ upstream mac_screen_sharing {
+ server 192.168.1.122:5900;
+ }
+
+ server {
+ listen 5901;
+ proxy_pass mac_screen_sharing;
+ proxy_connect_timeout 60s;
+ proxy_timeout 300s;
+ }
+}
+
 http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
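Review bot: `- "5901:5901"` publishes the VNC relay on every interface of the host, and Docker inserts its own iptables rules ahead of host firewall rules (ufw/firewalld), so the Mac's Screen Sharing port becomes reachable from wherever the host itself is reachable — and the fail2ban service in this file presumably watches nginx HTTP logs, which never see a TCP stream connection. Unless the intent really is internet-facing VNC, bind the mapping to the interface it is meant for, e.g. `- "127.0.0.1:5901:5901"` (reach it over SSH/WireGuard) or a LAN address, and restrict sources in the stream server as well. The `home-service-proxy-ssl` service definition starts before this hunk.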
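Review bot: The new `stream` server forwards any TCP client on :5901 straight to `192.168.1.122:5900` with no source restriction and no log line, so the only control left is whatever the VNC server enforces, and nothing else in this config (`security.conf`, the http `access_log`) applies to the stream context. Add an access list and a stream-level access log to the server block so connections can be limited and seen; the subnet below is a placeholder for whichever networks should reach VNC. Note also that `proxy_timeout 300s` closes a session after five minutes with no traffic in either direction, which may cut an idle Screen Sharing session — raise it if that is not intended.
```nginx
stream {
    log_format vnc '$remote_addr [$time_local] $status $bytes_sent $bytes_received $session_time';
    access_log /var/log/nginx/stream-access.log vnc;

    # … unchanged: upstream mac_screen_sharing …

    server {
        listen 5901;
        allow 192.168.1.0/24;   # adjust to the networks that may reach VNC
        deny  all;
        proxy_pass mac_screen_sharing;
        # … unchanged: timeouts …
    }
}
```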
@@ -80,13 +93,38 @@ http {
 keepalive 16;
 }
+ upstream dsm_backend {
+ server 192.168.1.227:5000;
+ keepalive 16;
+ }
+
+ upstream document_backend {
+ server 192.168.1.122:8181;
+ keepalive 16;
+ }
+
+ upstream gitea_backend {
+ server 192.168.1.227:10300;
+ keepalive 16;
+ }
+
+ upstream vault_backend {
+ server 192.168.1.227:8443;
+ keepalive 16;
+ }
+
+ upstream news_backend {
+ server 192.168.1.227:8080;
+ keepalive 16;
+ }
+
 # HTTP → HTTPS 리다이렉트
 server {
 listen 80;
- server_name jellyfin.hyungi.net komga.hyungi.net webdav.hyungi.net;
+ server_name jellyfin.hyungi.net komga.hyungi.net webdav.hyungi.net ds1525.hyungi.net document.hyungi.net git.hyungi.net vault.hyungi.net news.hyungi.net;
 # Let's Encrypt 인증 경로
 location /.well-known/acme-challenge/ {
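Review bot: The redirect server's `server_name` now lists `ds1525`, `document`, `git`, `vault` and `news`, so ACME challenges for them will be answered, but nothing in this commit obtains a certificate that covers them: the `certonly --expand -d …` command was removed from docker-compose-ssl.yml and the new daemon only runs `certbot renew`, which re-issues existing lineages with their existing names. Unless the lineage was expanded out of band, the new HTTPS servers (which all point at `/live/jellyfin.hyungi.net/`) will present a certificate that does not match their hostnames; a one-off `certbot certonly --webroot -w /var/www/certbot --expand -d jellyfin.hyungi.net … -d vault.hyungi.net -d news.hyungi.net` is needed first, and it would be worth keeping that command in the repo (e.g. behind the old `ssl-setup` profile) so the required SAN list is documented. Separately, `keepalive 16` in each upstream only takes effect when the proxying location also sets `proxy_http_version 1.1;` and `proxy_set_header Connection "";`; if `security.conf` (not visible here) does not, the directive is inert. The enclosing `http {}` block starts before this hunk.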
@@ -278,4 +316,107 @@ http {
 }
 }
+ # HTTPS 서버 - DSM (Synology)
+ server {
+ listen 443 ssl;
+ http2 on;
+ server_name ds1525.hyungi.net;
+
+ ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ client_max_body_size 0;
+
+ location / {
+ proxy_pass http://dsm_backend;
+ include /etc/nginx/conf.d/security.conf;
+ }
+ }
+
+ # HTTPS 서버 - DevonThink (Document)
+ server {
+ listen 443 ssl;
+ http2 on;
+ server_name document.hyungi.net;
+
+ ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ location / {
+ proxy_pass http://document_backend;
+ include /etc/nginx/conf.d/security.conf;
+ }
+ }
+
+ # HTTPS 서버 - Gitea
+ server {
+ listen 443 ssl;
+ http2 on;
+ server_name git.hyungi.net;
+
+ ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ client_max_body_size 512M;
+
+ location / {
+ proxy_pass http://gitea_backend;
+ include /etc/nginx/conf.d/security.conf;
+ }
+ }
+
+ # HTTPS 서버 - Vaultwarden
+ server {
+ listen 443 ssl;
+ http2 on;
+ server_name vault.hyungi.net;
+
+ ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ location / {
+ proxy_pass http://vault_backend;
+ include /etc/nginx/conf.d/security.conf;
+
+ # WebSocket support for Vaultwarden notifications
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+ }
+
+ # HTTPS 서버 - News (RSS)
+ server {
+ listen 443 ssl;
+ http2 on;
+ server_name news.hyungi.net;
+
+ ssl_certificate /etc/nginx/ssl/live/jellyfin.hyungi.net/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/live/jellyfin.hyungi.net/privkey.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ location / {
+ proxy_pass http://news_backend;
+ include /etc/nginx/conf.d/security.conf;
+ }
+ }
+
 }
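Review bot: The Vaultwarden location sends `Connection "upgrade"` to the backend on every request, not only on WebSocket upgrades, and without `proxy_http_version 1.1;` (nginx talks HTTP/1.0 to upstreams by default) the upgrade cannot be negotiated at all unless `security.conf`, which this diff does not show, sets it. The usual shape is a `map $http_upgrade $connection_upgrade` in the `http` context plus `proxy_set_header Connection $connection_upgrade;`, so ordinary requests keep a normal connection and only real upgrades are passed through. Two things to confirm in the same block set: `vault_backend` is proxied with `http://` to port 8443 — if that port speaks TLS the proxy will answer 502, and if it is plaintext, Vaultwarden login traffic crosses the LAN in clear, in which case `proxy_pass https://vault_backend;` with `proxy_ssl_verify on` (or a localhost-bound plaintext port on the NAS) is the safer choice; and `client_max_body_size 0` on the DSM server removes the upload cap on an internet-facing endpoint, which is convenient for a NAS but also drops the cheapest request-size limit. The five server blocks repeat identical `ssl_*` settings; one included snippet would keep them from drifting. The enclosing `http {}` block starts before this hunk.
```nginx
    # in the http {} context, next to the upstreams
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # … unchanged: DSM / Document / Gitea server blocks …

        location / {
            proxy_pass http://vault_backend;
            include /etc/nginx/conf.d/security.conf;

            # WebSocket support for Vaultwarden notifications
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
```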