fixed sops decrypt path

refactor caddy config

hosts/home-morefine/docker/beszel/docker-compose.yaml

@@ -25,10 +25,11 @@
       #      - /dev/sdc:/dev/sdc #usb adapter - doуsn't work
       - /dev/nvme0:/dev/nvme0
       - /dev/dri/card0:/dev/dri/card0 # `ls /dev/dri` to find GPU name
+      - /dev/dri/renderD128:/dev/dri/renderD128 # intel gpu
     cap_add:
       - SYS_RAWIO # required for S.M.A.R.T. data
       - SYS_ADMIN # required for NVMe S.M.A.R.T. data
-      - CAP_PERFMON # monitor intel gpu
+      - PERFMON # monitor intel gpu
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - /srv/rundata/beszel/beszel_agent_data:/var/lib/beszel-agent
@@ -43,6 +44,8 @@
       HUB_URL: http://localhost:8090
       KEY_FILE: /run/secrets/beszel/AGENT_KEY
       TOKEN_FILE: /run/secrets/beszel/AGENT_TOKEN
+    depends_on:
+      - beszel
 
 networks:
   caddy_internal:

hosts/home-morefine/docker/caddy/Caddyfile

@@ -1,155 +1,159 @@
 {
-    admin :2019
-    # email me@example.com
+    admin localhost:2019
+    email admin@catmedved.com
+    auto_https disable_redirects
+
+    servers {
+        trusted_proxies static 10.8.0.1
+    }
 }
 
+(tls_catmedved) {
+    tls /etc/caddy/certs/catmedved.com.crt /etc/caddy/certs/catmedved.com.key
+}
+
+(tls_kladovka52) {
+    tls /etc/caddy/certs/kladovka52.com.crt /etc/caddy/certs/kladovka52.com.key
+}
+
+(tls_ulakar) {
+    tls /etc/caddy/certs/ulakar.com.crt /etc/caddy/certs/ulakar.com.key
+}
+
+(apps) {
+
 # A
-ai.catmedved.com {
-    reverse_proxy http://librechat:3080
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
-auth.catmedved.com {
+    @auth host              auth.catmedved.com
+    handle @auth {
         reverse_proxy http://authentik_server:9000
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
+    }
 # B
-beszel.catmedved.com {
+    @backrest host          backrest.catmedved.com
+    handle @backrest {
+        reverse_proxy http://host.docker.internal:9898
+    }
+
+    @beszel host            beszel.catmedved.com
+    handle @beszel {
         reverse_proxy http://beszel:8090
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
+    }
 # C
-caddy-minipc.catmedved.com {
-    reverse_proxy http://caddyui:8000
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
+#    @copypaste host        copypaste.catmedved.com
+#    handle @copypaste {
+#        reverse_proxy http://microbin:8080
+#    }
 
+    @copypaste host         copypaste.kladovka52.com
+    handle @copypaste {
+        reverse_proxy http://microbin:8080
+    }
 # D
-databasus.catmedved.com {
+    @databasus host         databasus.catmedved.com
+    handle @databasus {
         reverse_proxy http://databasus:4005
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
-drone.catmedved.com {
-    reverse_proxy http://drone:80
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
+    }
 # F
-filebrowser.catmedved.com {
+    @filebrowser host       filebrowser.catmedved.com
+    handle @filebrowser {
         reverse_proxy http://filebrowser:80
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
+    }
 
-films.catmedved.com {
+    @films host             films.catmedved.com
+    handle @films {
         reverse_proxy http://jellyfin:8096
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
+    }
 # G
-gameyfin.catmedved.com {
+    @gameyfin host          gameyfin.catmedved.com
+    handle @gameyfin {
         reverse_proxy http://gameyfin:8080
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
+    }
 
-gitea.catmedved.com {
+    @gitea host             gitea.catmedved.com
+    handle @gitea {
         reverse_proxy http://gitea:3000
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
+    }
 
-glances-minipc.catmedved.com {
+    @glancesminipc host             glances-minipc.catmedved.com
+    handle @glancesminipc {
         reverse_proxy http://glances:61208
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
+    }
 # H
-home.catmedved.com {
+    @homepage host          home.catmedved.com
+    handle @homepage {
         reverse_proxy http://homepage:3000
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
+    }
 # M
-myspeed-minipc.catmedved.com {
-    reverse_proxy http://myspeed:5216
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
-music.catmedved.com {
+    @music host             music.catmedved.com
+    handle @music {
         reverse_proxy http://navidrome:4533
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
-# N
-nocodb.catmedved.com {
-    reverse_proxy http://nocodb:8080
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
+    }
 # P
-passwords.catmedved.com {
+    @passwords host          passwords.catmedved.com
+    handle @passwords {
         reverse_proxy http://vaultwarden:80
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
+    }
 
-pdf-tools.catmedved.com {
+    @pdftools host          pdf-tools.catmedved.com
+    handle @pdftools {
         reverse_proxy http://stirling_pdf:8080
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
+    }
 
-pihole.catmedved.com {
+    @pdftools_k host        pdf-tools.kladovka52.com
+    handle @pdftools_k {
+        reverse_proxy http://stirling_pdf:8080
+    }
+
+    @pihole host            pihole.catmedved.com
+    handle @pihole {
         reverse_proxy http://pihole:80
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
-photo.catmedved.com {
-    reverse_proxy http://immich_server:2283
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
+    }
 
+    @photo host             photo.catmedved.com
+    handle @photo {
+        reverse_proxy immich_server:2283
+    }
 # R
-recepies.catmedved.com {
+    @recepies host          recepies.catmedved.com
+    handle @recepies {
         reverse_proxy http://mealie:9000
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
+    }
 # S
-speedtest-minipc.catmedved.com {
-    reverse_proxy http://speedtest-tracker:80
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
-sync-minipc.catmedved.com {
-    reverse_proxy http://172.24.0.1:8384 {
+    @syncminipc host        sync-minipc.catmedved.com
+    handle @syncminipc {
+        reverse_proxy http://host.docker.internal:8384 {
             header_up Host {upstream_hostport}
         }
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+    }
+
 }
 
-# T
-transmission.catmedved.com {
-    reverse_proxy transmission:9091
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+http://*.kladovka52.com {
+    @not_from_wg not remote_ip 10.8.0.0/24
+
+    redir @not_from_wg https://{host}{uri} permanent
+
+    import apps
 }
 
-# W
-weatherapp.catmedved.com {
-    reverse_proxy http://weatherapp:8080
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+http://*.catmedved.com {
+    @not_from_wg not remote_ip 10.8.0.0/24
+
+    redir @not_from_wg https://{host}{uri} permanent
+
+    import apps
 }
 
-wekan.catmedved.com {
-    reverse_proxy http://wekan:8080
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+https://*.catmedved.com {
+    import tls_catmedved
+    import apps
 }
 
-wikijs.catmedved.com {
-    reverse_proxy http://wikijs:3000
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+https://*.kladovka52.com {
+    import tls_kladovka52
+    import apps
 }
 
-whatsupdocker-minipc.catmedved.com {
-    reverse_proxy http://whatsupdocker:3000
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+https://*.ulakar.com {
+    import tls_ulakar
+    import apps
 }

hosts/home-morefine/docker/caddy/docker-compose.yml

@@ -5,12 +5,15 @@ services:
     restart: unless-stopped
     networks:
       - caddy_internal
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     ports:
       - "80:80"
       - "443:443"
+      - "443:443/udp" # HTTP/3 (QUIC)
     volumes:
       - ./Caddyfile:/etc/caddy/Caddyfile
-      - /home/vk/certs/catmedved.com:/etc/caddy/certs:ro
+      - /srv/tls/certificates:/etc/caddy/certs:ro
       - caddy_data:/data
       - caddy_config:/config
     environment:

hosts/home-morefine/docker/gitea/backrest_hook_begin.sh

@@ -0,0 +1,5 @@
+# run pg_dump
+bash /home/backups/docker/gitea/dump_db.sh
+
+# stop gitea
+docker compose -f /home/backups/docker/gitea/docker-compose.yaml stop

hosts/home-morefine/docker/gitea/backrest_hook_end.sh

@@ -0,0 +1,5 @@
+# start gitea
+docker compose -f /home/backups/docker/gitea/docker-compose.yaml start
+
+# remove temp backup file
+rm -f /srv/backups/pgdumps/gitea/pg.dump

hosts/home-morefine/docker/gitea/docker-compose.yaml

@@ -21,6 +21,7 @@
     ports:
       # SSHing Shim (with authorized_keys)
       - "127.0.0.1:2222:22"
+      - "10.8.0.3:3005:3000"
     depends_on:
       - gitea_db
     dns:

hosts/home-morefine/docker/gitea/dump_db.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+set -e
+
+CONTAINER="gitea_pg_db"
+USER="gitea"
+DB="gitea"
+BACKUP_DIR="/srv/backups/pgdumps/gitea"
+TMP_FILE="$BACKUP_DIR/pg.dump.tmp"
+FINAL_FILE="$BACKUP_DIR/pg.dump"
+
+echo "Starting [$DB] pg_dump..."
+
+mkdir -p "$BACKUP_DIR"
+
+# remove old backup file
+rm -f "$TMP_FILE" "$FINAL_FILE"
+
+docker exec -t "$CONTAINER" \
+  sh -lc "pg_dump -U $USER -d $DB -Fc -Z 0 --no-owner --no-privileges" \
+  > "$TMP_FILE"
+
+mv "$TMP_FILE" "$FINAL_FILE"
+
+echo "Done: [$DB] backup saved to $FINAL_FILE"

hosts/home-morefine/docker/homepage/config/services.yaml

@@ -35,26 +35,20 @@
         statusStyle: 'dot'
 
 - Toolkit:
-#    - Librechat:
-#        href: https://ai.catmedved.com/
-#        description: LibreChat AI
-#        icon: librechat.png
-#        siteMonitor: http://librechat:3080
-#        statusStyle: 'dot'
-    - Databasus:
-        href: https://databasus.catmedved.com/
-        description: DB Backups
-        icon: databasus.png
-        siteMonitor: http://databasus:4005
+    - PDF Tools:
+        href: https://pdf-tools.catmedved.com/
+        description: Stirling-PDF
+        icon: stirling-pdf.png
+        siteMonitor: http://stirling_pdf:8080/api/v1/health
         statusStyle: 'dot'
     - Syncthing MINIPC:
         href: https://sync-minipc.catmedved.com/
         description: Syncthing on minipc
         icon: syncthing.png
-#        siteMonitor: http://192.168.1.131:8384/rest/noauth/health
-#        statusStyle: 'dot'
+        siteMonitor: http://host.docker.internal:8384/rest/noauth/health
+        statusStyle: 'dot'
     - Filebrowser:
-        href: https://files-minipc.catmedved.com/
+        href: https://filebrowser.catmedved.com/
         description: Files on minipc
         icon: filebrowser.png
         siteMonitor: http://filebrowser:80
@@ -72,8 +66,39 @@
         siteMonitor: http://vaultwarden:80
         statusStyle: 'dot'
 
+- Network:
+  - Keenetic:
+      href: http://192.168.1.1/
+      description: Keenetic Giga Admin
+      icon: /icons/keenetic-k.png
+  - HydraRoute Neo:
+      href: http://192.168.1.1:2000/
+      description: VPN Routing on Keenetic
+      icon: /icons/hydra-route-neo.png
+  - Pi-Hole:
+      href: https://pihole.catmedved.com/admin/login
+      description: Pi Hole DNS
+      icon: pi-hole.png
+  - WireGuard:
+      href: https://vpnwg.ulakar.com/
+      description: WG network
+      icon: wireguard.png
+      siteMonitor: https://vpnwg.ulakar.com/
+      statusStyle: 'dot'
 
 - Infrastructure:
+    - Databasus:
+        href: https://databasus.catmedved.com/
+        description: DB Backups
+        icon: databasus.png
+        siteMonitor: http://databasus:4005
+        statusStyle: 'dot'
+    - Backrest:
+        href: https://backrest.catmedved.com/
+        description: Backrest backup tool
+        icon: backrest.png
+        siteMonitor: http://host.docker.internal:9898
+        statusStyle: 'dot'
     - Monitoring:
         href: https://beszel.catmedved.com/
         description: Beszel
@@ -86,18 +111,6 @@
 #        icon: authentik.png
 #        siteMonitor: http://authentik_server:9000/outpost.goauthentik.io/ping
 #        statusStyle: 'dot'
-    - Pi-Hole:
-        href: https://pihole.catmedved.com/admin/login
-        description: Pi Hole DNS
-        icon: pi-hole.png
-#        siteMonitor: http://pihole:80
-#        statusStyle: 'dot'
-    - WireGuard:
-        href: https://vpnwg.ulakar.com/
-        description: WG network
-        icon: wireguard.png
-        siteMonitor: https://vpnwg.ulakar.com/
-        statusStyle: 'dot'
     - Glances minipc:
         href: https://glances-minipc.catmedved.com/
         description: Glances minipc

hosts/home-morefine/docker/homepage/docker-compose.yml

@@ -6,11 +6,13 @@ services:
       - caddy_internal
     dns:
       - 192.168.1.131 # host pi-hole
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
 #    ports:
 #      - "3015:3000"
     environment:
-      - PUID=1000
-      - PGID=1000
+      - PUID=1000 # vk
+      - PGID=1007 # gitops
       - HOMEPAGE_ALLOWED_HOSTS=home.catmedved.com
       - LOG_TARGETS=stdout
     volumes:

hosts/home-morefine/docker/immich/.env

@@ -1,4 +1,4 @@
-# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables
+# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables
 
 # The location where your uploaded files are stored
 UPLOAD_LOCATION=/srv/photo/immich

hosts/home-morefine/docker/immich/backrest_hook_begin.sh

@@ -0,0 +1,5 @@
+# run pg_dump
+bash /home/backups/docker/immich/dump_db.sh
+
+# stop immich
+docker compose -f /home/backups/docker/immich/docker-compose.yaml stop

hosts/home-morefine/docker/immich/backrest_hook_end.sh

@@ -0,0 +1,5 @@
+# start immich
+docker compose -f /home/backups/docker/immich/docker-compose.yaml start
+
+# remove temp backup file
+rm -f /srv/backups/pgdumps/immich/pg.dump

hosts/home-morefine/docker/immich/docker-compose.yaml

@@ -1,4 +1,4 @@
-#
+#
 # Immich install guide: https://immich.app/docs/install/docker-compose
 #
 
@@ -50,7 +50,7 @@ services:
     #   file: hwaccel.ml.yml
     #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
     volumes:
-      - ./model-cache:/cache
+      - /srv/rundata/immich/model-cache:/cache
     env_file:
       - .env
     restart: always

hosts/home-morefine/docker/immich/dump_db.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+set -e
+
+CONTAINER="immich_postgres"
+USER="postgres"
+DB="immich"
+BACKUP_DIR="/srv/backups/pgdumps/immich"
+TMP_FILE="$BACKUP_DIR/pg.dump.tmp"
+FINAL_FILE="$BACKUP_DIR/pg.dump"
+
+echo "Starting [$DB] pg_dump..."
+
+mkdir -p "$BACKUP_DIR"
+
+# remove old backup file
+rm -f "$TMP_FILE" "$FINAL_FILE"
+
+docker exec -t "$CONTAINER" \
+  sh -lc "pg_dump -U $USER -d $DB -Fc -Z 0 --no-owner --no-privileges" \
+  > "$TMP_FILE"
+
+mv "$TMP_FILE" "$FINAL_FILE"
+
+echo "Done: [$DB] backup saved to $FINAL_FILE"

hosts/home-morefine/docker/microbin/docker-compose.yaml

@@ -0,0 +1,24 @@
+services:
+  microbin:
+    image: danielszabo99/microbin:latest
+    restart: always
+    # ports:
+    #  - "${MICROBIN_PORT}:8080"
+    networks:
+      - caddy_internal
+    volumes:
+      - /srv/rundata/microbin/microbin-data:/app/microbin_data
+    environment:
+# https://microbin.eu/docs/installation-and-configuration/configuration
+      MICROBIN_PUBLIC_PATH: 'https://copypaste.kladovka52.com'
+      MICROBIN_TITLE: 'Copy & Paste'
+      MICROBIN_THREADS: 2
+      MICROBIN_GC_DAYS: 30
+      MICROBIN_WIDE: true
+      MICROBIN_QR: true
+      MICROBIN_ETERNAL_PASTA: false
+      MICROBIN_DISABLE_TELEMETRY: false
+
+networks:
+  caddy_internal:
+    external: true

hosts/home-morefine/docker/stirling/docker-compose.yaml

@@ -2,7 +2,8 @@
   stirling_pdf:
     image: stirlingtools/stirling-pdf:latest
     container_name: stirling_pdf
-    # ports:
+    ports:
+      - '10.8.0.3:8016:8080'
     #  - '8080:8080'
     volumes:
       - /srv/rundata/stirling/tessdata:/usr/share/tessdata  # OCR language files
@@ -10,7 +11,7 @@
       - /srv/rundata/stirling/logs:/logs                     # Application logs
       - /srv/rundata/stirling/pipeline:/pipeline             # Automation configs
     environment:
-      - SECURITY_ENABLELOGIN=false    # Set true to enable user authentication
+      - SECURITY_ENABLELOGIN=true    # Set true to enable user authentication
       - LANGS=en_GB                   # Interface language
     restart: unless-stopped
     networks:

hosts/home-morefine/systemd/backrest/backrest.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Backrest
+After=network.target docker.service
+
+[Service]
+Type=simple
+User=backups
+ExecStart=/usr/local/bin/backrest
+WorkingDirectory=/home/backups/backrest
+# wrap with caddy reverse proxy
+Environment="BACKREST_PORT=172.17.0.1:9898"
+AmbientCapabilities=CAP_DAC_READ_SEARCH
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH
+
+[Install]
+WantedBy=multi-user.target

hosts/home-morefine/systemd/backrest/install.sh

@@ -0,0 +1,28 @@
+#! /bin/bash
+set -euo pipefail
+
+BACKREST_VERSION='v1.11.2'
+TMPDIR="$(mktemp -d)"
+
+# backrest working directory
+sudo mkdir -p /home/backups/backrest
+sudo chown backups:backups /home/backups/backrest
+
+curl -fL -o "${TMPDIR}/backrest.tar.gz" \
+  "https://github.com/garethgeorge/backrest/releases/download/${BACKREST_VERSION}/backrest_Linux_x86_64.tar.gz"
+
+tar -xzf "${TMPDIR}/backrest.tar.gz" -C "${TMPDIR}"
+
+if systemctl is-active --quiet backrest; then
+  sudo systemctl stop backrest
+  echo "Paused backrest for update"
+fi
+
+sudo install -D -o root -g root -m 0644 ./backrest.service /etc/systemd/system/backrest.service
+sudo install -o root -g root -m 0755 "${TMPDIR}/backrest" /usr/local/bin/backrest
+
+echo "Reloading systemd service"
+sudo systemctl daemon-reload
+sudo systemctl enable --now backrest
+
+rm -rf "${TMPDIR}"

hosts/home-morefine/systemd/sops/sops-decrypt.service

@@ -11,7 +11,7 @@ WorkingDirectory=/srv/gitops
 Environment=SOPS_AGE_KEY_FILE=/root/.config/sops/age/keys.txt
 
 # твой скрипт расшифровки (держи в репо или в /usr/local/bin)
-ExecStart=/srv/gitops/homelab-infra/lab-home/sops-decrypt.sh
+ExecStart=/srv/gitops/shared/sops-decrypt.sh
 
 TimeoutStartSec=300
 

hosts/home-morefine/usr/local/bin/caddy-reload

@@ -0,0 +1,18 @@
+#!/bin/bash
+# check if caddy is up and running
+if [ "$(docker ps -q -f name=caddy)" ]; then
+  echo "🔍 Validating configuration inside 'caddy' container..."
+  if docker exec -w /etc/caddy caddy caddy validate; then
+    echo "✅ Validation successful. Reloading..."
+    docker exec -w /etc/caddy caddy caddy reload
+    echo "🚀 Done!"
+  else
+    echo "❌ Validation failed! Reload aborted."
+    exit 1
+  fi
+else
+  echo "⚠️  Error: Container 'caddy' is not running."
+  exit 1
+fi
+
+# sudo chmod +x /usr/local/bin/caddy-reload

hosts/lab-by-02/docker/caddy/Caddyfile

@@ -1,34 +1,52 @@
-{
 {
     email ulakar@fastmail.com
     admin off
 }
 
-beszel.catmedved.com {
-    reverse_proxy http://10.8.0.3:8090
-}
+(tls_catmedved) {
+    tls /etc/caddy/certs/catmedved.com.crt /etc/caddy/certs/catmedved.com.key
 }
 
-gameyfin.catmedved.com {
-    reverse_proxy http://10.8.0.3:8080
-}
+(tls_kladovka52) {
+    tls /etc/caddy/certs/kladovka52.com.crt /etc/caddy/certs/kladovka52.com.key
 }
 
-media.kladovka52.com {
-    reverse_proxy http://10.8.0.4:8096
-}
+(forward_to_home) {
+    reverse_proxy 10.8.0.3:80 {
+        header_up Host {host}
+        header_up X-Real-IP {remote_host}
+    }
 }
 
-    reverse_proxy http://10.8.0.3:4533
-}
+(forward_to_kladovka) {
+    reverse_proxy 10.8.0.4:80 {
+        header_up Host {host}
+        header_up X-Real-IP {remote_host}
+    }
 }
 
-photo.catmedved.com {
-    reverse_proxy http://10.8.0.3:2283
-}
+# HTTP -> HTTPS
+http://*.catmedved.com, http://*.kladovka52.com {
+    redir https://{host}{uri} permanent
 }
 
-vpnwg.ulakar.com {
+*.catmedved.com {
+    import tls_catmedved
+    import forward_to_home
+}
+
+copypaste.kladovka52.com,
+pdf-tools.kladovka52.com {
+    import tls_kladovka52
+    import forward_to_home
+}
+
+*.kladovka52.com {
+    import tls_kladovka52
+    import forward_to_kladovka
+}
+
+# wg-easy
 vpnwg.ulakar.com {
     reverse_proxy localhost:51821
 }

hosts/lab-by-02/docker/caddy/docker-compose.yml

@@ -11,6 +11,7 @@ services:
     #      - "443:443"
     volumes:
       - ./Caddyfile:/etc/caddy/Caddyfile
+      - /home/vk/docker/lego/certs/certificates:/etc/caddy/certs:ro
       - caddy_data:/data
       - caddy_config:/config
     environment:

hosts/lab-by-02/docker/lego/catmedved-compose.yaml

@@ -0,0 +1,18 @@
+services:
+  lego:
+    image: goacme/lego:latest
+    container_name: lego
+    restart: "no"
+    env_file: .env
+    volumes:
+      - ./certs:/.lego
+    command:
+      - --email=admin@catmedved.com
+      - --accept-tos
+      - --dns=namecheap
+      - --domains=catmedved.com
+      - --domains=*.catmedved.com
+      - run
+      # use renew to update existing certificate(s)
+      # - renew u
+#      - --days=60

hosts/lab-by-02/docker/lego/kladovka52-compose.yaml

@@ -0,0 +1,18 @@
+services:
+  lego:
+    image: goacme/lego:latest
+    container_name: lego
+    restart: "no"
+    env_file: .env
+    volumes:
+      - ./certs:/.lego
+    command:
+      - --email=admin@kladovka52.com
+      - --accept-tos
+      - --dns=porkbun
+      - --domains=kladovka52.com
+      - --domains=*.kladovka52.com
+      - run
+      # use renew to update existing certificate(s)
+      # - renew u
+#      - --days=60

hosts/lab-by-02/docker/lego/run.sh

@@ -0,0 +1,5 @@
+docker compose -f catmedved-compose.yaml up
+
+docker compose -f kladovka42-compose.yaml up
+
+docker compose -f ulakar-compose.yaml up

hosts/lab-by-02/docker/lego/secrets.sops.env

@@ -0,0 +1,12 @@
+NAMECHEAP_API_USER=ENC[AES256_GCM,data:rg+INH0JJNcb,iv:RkdTvt2EZ8zovoReX7BPJkgXR0BC8cF5R1XuR2BoKEk=,tag:kHdkhUK/wLedphhblDQCJQ==,type:str]
+NAMECHEAP_API_KEY=ENC[AES256_GCM,data:4FNq87vNxlg6Xbzj4EaTKNv5j76FbDqjR40F0E8kkD0=,iv:EqjjK7AY479hc03dEVmYer0uI2j5+jDSwka9VF2BuBk=,tag:tSZE8p6QlVUWjcnvN+J92g==,type:str]
+PORKBUN_API_KEY=ENC[AES256_GCM,data:iQ2MBXQ3NWzNaKp0TQ052pi+ZsRqNSomCYLbORIo3oXQW2AmKwZIDotqo6ypD4p/SB9KS5ArshJRBW6wV+qHt6Sdt+c=,iv:SKzXkFI3krehAsrz6TJn8uy/EMY8zi/VMmAm3kumu5o=,tag:rZMqPIOCdqwp9sy1MqEWUw==,type:str]
+PORKBUN_SECRET_API_KEY=ENC[AES256_GCM,data:MohqAorMfVURpymTqJAPzF7FEWiNh2f75L4XwJjFNwaE3EKlXN/1WASFezoESv5/4/fw1S1XeuXPCdzAWWDlJeo0bpI=,iv:4PROOEMb0SDFaF760vDSyjNQPZQmUw20qsBFjb1lSBo=,tag:yAh/fbdF4ADP4tLX5fwTCA==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SU05WXNFMWNrejMrVVFD\nMFUreitrNWhnbnlOUWtadkUyWjFHMG5MaFNnCitpZHNyRTBKdWZaNEJFd1JGaUl5\nWWVNS3djSmpxd2h5OEwrM2lQZ29LMkEKLS0tIHpRKzc1WWxDYlEvemROUDlubkhj\naFlZa2ExV2ZDekwwaW5xaWsyMlFXN1kK9NAxY5WcnIzpjJB4WyRoH37qx/grHdZX\nintmS85J4qzbKM5SqrQm5PCjie+LTdKkKhZAvSk9Xr/9Le/HxT14Ug==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWR0xjQ3FkSTI4Zm00djJX\ndlJqZ2F5UjgzM29wUEhGbmhudGtzcFhrR0M0Ckwybk9xcytKZnRPeTBITk1mK1RV\nTkhmandrYkZSNHhoMGd6S1h5N1lYZ28KLS0tIDVEdnp0TmgyTExNY05uL3kvalpO\ndG0ydlBHNWNXVG1aTHIwcFBFa2JNQnMKg3eqZbaZlgPMBydDI7NaLJh57+JT4EOY\nYCPZqcsFXfnogm2sJ7a7/fZcFy2vb0piz9QpTtBfDCYwNK0FJAK8Vw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
+sops_lastmodified=2026-02-23T17:22:43Z
+sops_mac=ENC[AES256_GCM,data:lSsi/0ebF6z+jNNyULF1G0ZYcGGf6A/3jm0JeBbmPZOkFNJVeUC47hg+AB/itOUUYFT8kXT3+1HwWnZQfSjOzEDO7lPZH25D5IM1YhMU//TBN/7se81zjgvV2tA8kofeD03BxYWAbZeAG0J+MHkV1SAN4arL6NnRPV0F0iFAyQ0=,iv:ey7jo/P2SnIVuRyaEL+x9UfETjCMerniakDA4YWIwfo=,tag:NWUl2sFHLCnU5CfhAkrNMw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0

hosts/lab-by-02/docker/lego/ulakar-compose.yaml

@@ -0,0 +1,18 @@
+services:
+  lego:
+    image: goacme/lego:latest
+    container_name: lego
+    restart: "no"
+    env_file: .env
+    volumes:
+      - ./certs:/.lego
+    command:
+      - --email=ulakar@fastmail.com
+      - --accept-tos
+      - --dns=porkbun
+      - --domains=ulakar.com
+      - --domains=*.ulakar.com
+      - run
+      # use renew to update existing certificate(s)
+      # - renew u
+#      - --days=60