feat: add pauline ghost and wp

Caddyfile

@@ -9,33 +9,6 @@
 	}
 }
 
-jenkins.lucasroyer.fr {
-	# Security
-	header {
-		X-Frame-Options "SAMEORIGIN"
-		X-Content-Type-Options "nosniff"
-		X-XSS-Protection "1; mode=block"
-	}
-
-	# Large files
-	request_body {
-		max_size 512MB
-	}
-
-	# Compression
-	encode zstd gzip
-
-	# Log
-	log {
-		output file /data/jenkins_access.log
-	}
-
-	# Redirect
-	reverse_proxy jenkins:8080 {
-		flush_interval -1
-	}
-}
-
 portfolio.lucasroyer.fr {
 	# Server cache
 	cache {
@@ -119,11 +92,34 @@ kuma.lucasroyer.fr {
 
 	# Log
 	log {
-		output file /data/kuma_access.log
+		output file /data/uptime-kuma-lucas_access.log
 	}
 
 	# Redirect
-	reverse_proxy uptime-kuma:3001 {
+	reverse_proxy uptime-kuma-lucas:3001 {
+	}
+}
+
+uptime-cyrus.lucasroyer.fr {
+	# Security
+	header {
+		X-Frame-Options "SAMEORIGIN"
+		X-XSS-Protection "1; mode=block"
+		X-Content-Type-Options "nosniff"
+		Referrer-Policy "strict-origin-when-cross-origin"
+		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+	}
+
+	# Compression
+	encode zstd gzip
+
+	# Log
+	log {
+		output file /data/uptime-kuma-cyrus_access.log
+	}
+
+	# Redirect
+	reverse_proxy uptime-kuma-cyrus:3001 {
 	}
 }
 
@@ -184,3 +180,297 @@ ntfy.lucasroyer.fr {
 		flush_interval -1
 	}
 }
+
+syncthing.lucasroyer.fr {
+	# Security
+	header {
+		X-Frame-Options "SAMEORIGIN"
+		X-Content-Type-Options "nosniff"
+		X-XSS-Protection "1; mode=block"
+		Referrer-Policy "strict-origin-when-cross-origin"
+		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+	}
+
+	# Compression
+	encode zstd gzip
+
+	# Log
+	log {
+		output file /data/syncthing_access.log
+	}
+
+	# Redirect
+	reverse_proxy syncthing:8384 {
+		header_up Host {host}
+		header_up X-Real-IP {remote_host}
+	}
+}
+
+vaultwarden.lucasroyer.fr {
+	# Security
+	header {
+		X-Frame-Options "SAMEORIGIN"
+		X-Content-Type-Options "nosniff"
+		X-XSS-Protection "1; mode=block"
+		Referrer-Policy "strict-origin-when-cross-origin"
+		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+		Permissions-Policy "geolocation=(), microphone=(), camera=()"
+	}
+
+	# Compression
+	encode zstd gzip
+
+	# Log
+	log {
+		output file /data/vaultwarden_access.log
+	}
+
+	# Redirect
+	reverse_proxy vaultwarden-lucas:80 {
+		header_up Host {host}
+		header_up X-Real-IP {remote_host}
+	}
+}
+
+motsdepasse.interstices.pro {
+	# Security
+	header {
+		X-Frame-Options "SAMEORIGIN"
+		X-Content-Type-Options "nosniff"
+		X-XSS-Protection "1; mode=block"
+		Referrer-Policy "strict-origin-when-cross-origin"
+		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+		Permissions-Policy "geolocation=(), microphone=(), camera=()"
+	}
+
+	# Compression
+	encode zstd gzip
+
+	# Log
+	log {
+		output file /data/vaultwarden_access.log
+	}
+
+	# Redirect
+	reverse_proxy vaultwarden-interstices:80 {
+		header_up Host {host}
+		header_up X-Real-IP {remote_host}
+	}
+}
+
+nextcloud.lucasroyer.fr {
+	# Security
+	header {
+		X-Frame-Options "SAMEORIGIN"
+		X-Content-Type-Options "nosniff"
+		X-XSS-Protection "1; mode=block"
+		Referrer-Policy "no-referrer"
+		Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
+		-Server
+	}
+
+	# Large files
+	request_body {
+		max_size 10GB
+	}
+
+	# Compression
+	encode zstd gzip
+
+	# Log
+	log {
+		output file /data/nextcloud_access.log
+	}
+
+	# Redirect
+	reverse_proxy nextcloud-web:80 {
+		header_up Host {host}
+		header_up X-Real-IP {remote_host}
+		header_down X-Frame-Options "SAMEORIGIN"
+		header_down X-Content-Type-Options "nosniff"
+	}
+}
+
+onlyoffice.lucasroyer.fr {
+	# Security
+	header {
+		Content-Security-Policy "frame-ancestors 'self' nextcloud.lucasroyer.fr"
+		X-Frame-Options "ALLOW-FROM https://nextcloud.lucasroyer.fr"
+		X-Content-Type-Options nosniff
+	}
+
+	# Compression
+	encode zstd gzip
+
+	# Redirect
+	reverse_proxy onlyoffice:80 {
+		header_up Host {host}
+		header_up X-Real-IP {remote_host}
+	}
+}
+
+spationautes.fr {
+	root * /srv/site-spationautes/html
+
+	# Server cache
+	cache {
+		ttl 24h
+		stale 12h
+	}
+	# Security
+	header {
+		X-Frame-Options "DENY"
+		X-XSS-Protection "1; mode=block"
+		X-Content-Type-Options "nosniff"
+		Referrer-Policy "strict-origin-when-cross-origin"
+		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+	}
+
+	# Errors
+	handle_errors {
+		@service_out expression {err.status_code} >= 502 && {err.status_code} <= 504
+		handle @service_out {
+			root * /srv
+			rewrite * /error.html
+			file_server
+		}
+	}
+
+	# Compression
+	encode zstd gzip
+
+	# Log
+	log {
+		output file /data/site-spationautes_access.log
+	}
+
+	# Redirect
+	file_server
+}
+
+veloboomboom.internantes.ovh, veloboomboom.lucasroyer.fr {
+	# Server cache
+	cache {
+		ttl 24h
+		stale 12h
+	}
+
+	# Security
+	header {
+		X-Frame-Options "DENY"
+		X-XSS-Protection "1; mode=block"
+		X-Content-Type-Options "nosniff"
+		Referrer-Policy "strict-origin-when-cross-origin"
+		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+	}
+
+	# Errors
+	handle_errors {
+		# If error is 502, 503 or 504, show error.html without changing client URL
+		@service_out expression {err.status_code} >= 502 && {err.status_code} <= 504
+		handle @service_out {
+			root * /srv
+			rewrite * /error.html
+			file_server
+		}
+	}
+
+	# Compression
+	encode zstd gzip
+
+	# Log
+	log {
+		output file /data/site-veloboomboom_access.log
+	}
+
+	# Prod redirect
+	@prod host veloboomboom.internantes.ovh
+	handle @prod {
+		root * /srv/site-veloboomboom/html-prod
+		file_server
+	}
+
+	# Test redirect
+	@test host veloboomboom.lucasroyer.fr
+	handle @test {
+		basic_auth {
+			testuser $2a$14$hNv5hbag695p/jcyB.7qeOoCvqxQ0L6zyBptfHU15qnTtmivfXAea
+		}
+		root * /srv/site-veloboomboom/html
+		file_server
+	}
+
+	# Fallback
+	handle {
+		respond "Not Found" 404
+	}
+}
+
+csv.lucasroyer.fr {
+	root * /srv/csv
+	file_server browse
+
+	header Content-Type "text/csv; charset=utf-8"
+	header Access-Control-Allow-Origin "*"
+}
+
+ghost.pauline.lucasroyer.fr {
+	# Security
+	header {
+		X-Frame-Options "SAMEORIGIN"
+		X-Content-Type-Options "nosniff"
+		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+		Referrer-Policy "strict-origin-when-cross-origin"
+		X-XSS-Protection "1; mode=block"
+		Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com;"
+	}
+
+	# Compression
+	encode zstd gzip
+
+	# Log
+	log {
+		output file /data/pauline_ghost_access.log
+	}
+
+	# Redirect
+	reverse_proxy ghost:2368
+}
+
+paulinebouillaud.fr {
+	root * /var/www/html
+
+	# Security
+	header {
+		X-Frame-Options "SAMEORIGIN"
+		X-Content-Type-Options "nosniff"
+		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+		Referrer-Policy "strict-origin-when-cross-origin"
+		X-XSS-Protection "1; mode=block"
+		Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; frame-src 'self' https://*.youtube-nocookie.com https://*.youtube.com https://*.vimeo.com https://*.doubleclick.net; img-src 'self' data: https:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; frame-ancestors 'self';"
+	}
+
+	# Compression
+	encode zstd gzip
+
+	# Logs
+	log {
+		output file /data/pauline_wordpress_access.log
+	}
+
+	# --- Wordpress FPM ---
+	file_server
+
+	php_fastcgi wordpress-app:9000 {
+		resolve_root_symlink
+	}
+
+	# Security
+	@forbidden {
+		path /xmlrpc.php
+		path /.htaccess
+		path /wp-config.php
+		path /readme.html
+	}
+	respond @forbidden 403
+}

Dockerfile

@@ -1,4 +1,4 @@
-ARG CADDY_VERSION=2.10.2
+ARG CADDY_VERSION=2.10.2-alpine
 
 # --- BUILD ---
 # Add cache plugin

Jenkinsfile

@@ -4,6 +4,7 @@ pipeline {
     environment {
         GITEA_REPO_PATH = "lucas/reverse-proxy"
         GITEA_API_URL = "https://gitea.lucasroyer.fr/api/v1"
+        DOCKER_HOST = "unix:///run/user/1001/docker.sock"
     }
 
     stages {
@@ -42,6 +43,19 @@ pipeline {
     post {
         always {
             script {
+                echo "Waiting for Gitea to be online..."
+                
+                // Try to reac gitea API for 12 tries of 10s (2 minutes)
+                timeout(time: 2, unit: 'MINUTES') {
+                    waitUntil {
+                        def status = sh(
+                            script: "curl -s -o /dev/null -w '%{http_code}' ${GITEA_API_URL}/version || true",
+                            returnStdout: true
+                        ).trim()
+                        return (status == '200')
+                    }
+                }
+                
                 echo "Send Gitea check..."
                 // Get and store SHA
                 def commitSha = sh(script: 'git rev-parse HEAD', returnStdout: true).trim()

docker-compose.yml

@@ -12,24 +12,25 @@ services:
       - caddy_config:/config
       - /home/lucas/services/reverse-proxy/Caddyfile:/etc/caddy/Caddyfile
       - /home/lucas/services/reverse-proxy/error.html:/srv/error.html:ro
-      - /home/lucas/services/exposed_files/n8n/csv:/srv/csv:ro
+      - /home/lucas/services/n8n/local-files/csv:/srv/csv:ro
+      - /home/lucas/services/static-sites/site-spationautes:/srv/site-spationautes:ro
+      - /home/lucas/services/static-sites/site-veloboomboom:/srv/site-veloboomboom:ro
+      - wp_data:/var/www/html:ro
     networks:
       - reverse-proxy
     ports:
       - "80:80"
       - "443:443"
       - "443:443/udp"
-    logging:
-      driver: "json-file"
-      options:
-        max-size: "10m"
-        max-file: "3"
 
 volumes:
   caddy_data:
     name: caddy_data
   caddy_config:
     name: caddy_config
+  wp_data:
+    external: true
+    name : wordpress_wp_data
 
 networks:
   reverse-proxy:

refresh-caddyfile

@@ -1,6 +1,11 @@
 #!/bin/bash
 
 docker exec caddy-reverse-proxy caddy fmt --overwrite /etc/caddy/Caddyfile
+if docker exec caddy-reverse-proxy caddy validate --config /etc/caddy/Caddyfile; then
+    echo "File checked, reloading..."
     docker exec caddy-reverse-proxy caddy reload --config /etc/caddy/Caddyfile
-
+    echo "Caddyfile reloaded."
-echo 'Caddyfile reloaded'
+else
+    echo "ERREUR : invalid config."
+    docker exec caddy-reverse-proxy caddy validate --config /etc/caddy/Caddyfile
+fi