# {{ ansible_managed }}
# Rate-limit zone keyed on the client address (10 MB of state, 1 request/minute).
# Because real_ip_header/set_real_ip_from in the server block rewrite the remote
# address from the PROXY-protocol header, the key is the real client IP rather
# than the local forwarder's. Only the /oidc location applies this zone (burst=3).
# limit_req_zone is only valid in the http context, so this file is presumably
# included there (e.g. conf.d) — confirm.
limit_req_zone $binary_remote_addr zone=headscale:10m rate=1r/m;
server {
# TLS + HTTP/2 listener that expects a PROXY-protocol header on every connection,
# i.e. it sits behind a local forwarder. The address carried in that header is
# only honoured when the TCP peer is 127.0.0.1 (set_real_ip_from below), so a
# remote client connecting to 8888 directly cannot spoof its address for the
# rate limit; still, 8888 should only be reachable from the forwarder — confirm.
listen 8888 ssl http2 proxy_protocol;
server_name headscale.jakehoward.tech;
# Let's Encrypt leaf + intermediate chain presented to clients.
ssl_certificate /etc/letsencrypt/live/headscale.jakehoward.tech/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/headscale.jakehoward.tech/privkey.pem;
# Intermediate chain used to verify OCSP responses; only has an effect if
# ssl_stapling / ssl_stapling_verify are enabled (presumably in includes/ssl.conf,
# not visible here — confirm).
ssl_trusted_certificate /etc/letsencrypt/live/headscale.jakehoward.tech/chain.pem;
# Shared TLS hardening (protocols, ciphers, stapling, HSTS, ...) is expected to
# live in includes/ssl.conf; nothing in this file sets those itself.
include includes/ssl.conf;
# Take the client address from the PROXY-protocol header (not from an HTTP header
# such as X-Forwarded-For, which a client could set itself).
real_ip_header proxy_protocol;
# ... but only trust that header when the connection itself comes from loopback,
# i.e. from the local forwarder. Any other peer's PROXY header is parsed but not
# used for the address rewrite. This is what keeps the per-IP limit_req zone
# (keyed on $binary_remote_addr) unspoofable.
set_real_ip_from 127.0.0.1;
location / {
# Plain-HTTP upstream on loopback (headscale). No proxy_set_header or
# proxy_http_version appears in this file; the headscale reverse-proxy guidance
# relies on Host / X-Forwarded-* being forwarded and on HTTP/1.1 with
# Upgrade/Connection passed through for the /ts2021 endpoint. NOTE(review):
# unless these are set at the http level (not visible here), confirm they are
# not needed — the upstream would otherwise see only a loopback client address.
proxy_pass http://localhost:8416;
}
# Prefix match: covers /oidc itself and everything under it (e.g. the callback
# path), so the whole login flow shares the rate limit below.
location /oidc {
# burst=3 should be enough: the redirect, the callback, plus one error.
# nodelay: the 3 burst slots are served immediately rather than spaced out; once
# they are used, further requests from the same client address are rejected
# (see limit_req_status) until the 1r/m zone refills, instead of being queued.
limit_req zone=headscale burst=3 nodelay;
# Report throttling as 429 Too Many Requests instead of nginx's default 503,
# so it is distinguishable from an upstream outage in logs and monitoring.
limit_req_status 429;
# Same loopback upstream as location /; this location exists only to attach the
# rate limit to the OIDC paths.
proxy_pass http://localhost:8416;
}
# Block access to the API entirely - I'm not using it
# Prefix match: denies /api and anything beneath it (/api/v1/...). Matching is
# case-sensitive and only covers this one prefix; any other HTTP routes the
# upstream exposes (e.g. a swagger UI, if enabled) still fall through to
# location / — confirm nothing else needs blocking.
location /api {
return 403;
}
}