fixed sops decrypt path

add script to reload caddy
enable admin interface to reload caddy
2026-03-15 16:17:39 +03:00 · 2026-02-24 18:43:23 +03:00 · 2026-02-24 18:24:22 +03:00 · 2026-02-24 18:20:48 +03:00 · 2026-02-24 18:18:06 +03:00 · 2026-02-24 18:13:19 +03:00
15 changed files with 191 additions and 82 deletions
--- a/hosts/home-morefine/docker/caddy/Caddyfile
+++ b/hosts/home-morefine/docker/caddy/Caddyfile
@@ -1,5 +1,5 @@
 {
-    admin off
+    admin localhost:2019
    email admin@catmedved.com
    auto_https disable_redirects

@@ -8,8 +8,26 @@
    }
 }

+(tls_catmedved) {
+    tls /etc/caddy/certs/catmedved.com.crt /etc/caddy/certs/catmedved.com.key
+}
+
+(tls_kladovka52) {
+    tls /etc/caddy/certs/kladovka52.com.crt /etc/caddy/certs/kladovka52.com.key
+}
+
+(tls_ulakar) {
+    tls /etc/caddy/certs/ulakar.com.crt /etc/caddy/certs/ulakar.com.key
+}
+
 (apps) {

+# A
+    @auth host              auth.catmedved.com
+    handle @auth {
+        reverse_proxy http://authentik_server:9000
+    }
+# B
    @backrest host          backrest.catmedved.com
    handle @backrest {
        reverse_proxy http://host.docker.internal:9898
@@ -19,7 +37,7 @@
    handle @beszel {
        reverse_proxy http://beszel:8090
    }
-
+# C
 #    @copypaste host        copypaste.catmedved.com
 #    handle @copypaste {
 #        reverse_proxy http://microbin:8080
@@ -29,7 +47,22 @@
    handle @copypaste {
        reverse_proxy http://microbin:8080
    }
+# D
+    @databasus host         databasus.catmedved.com
+    handle @databasus {
+        reverse_proxy http://databasus:4005
+    }
+# F
+    @filebrowser host       filebrowser.catmedved.com
+    handle @filebrowser {
+        reverse_proxy http://filebrowser:80
+    }

+    @films host             films.catmedved.com
+    handle @films {
+        reverse_proxy http://jellyfin:8096
+    }
+# G
    @gameyfin host          gameyfin.catmedved.com
    handle @gameyfin {
        reverse_proxy http://gameyfin:8080
@@ -40,10 +73,25 @@
        reverse_proxy http://gitea:3000
    }

+    @glancesminipc host             glances-minipc.catmedved.com
+    handle @glancesminipc {
+        reverse_proxy http://glances:61208
+    }
+# H
+    @homepage host          home.catmedved.com
+    handle @homepage {
+        reverse_proxy http://homepage:3000
+    }
+# M
    @music host             music.catmedved.com
    handle @music {
        reverse_proxy http://navidrome:4533
    }
+# P
+    @passwords host          passwords.catmedved.com
+    handle @passwords {
+        reverse_proxy http://vaultwarden:80
+    }

    @pdftools host          pdf-tools.catmedved.com
    handle @pdftools {
@@ -55,15 +103,28 @@
        reverse_proxy http://stirling_pdf:8080
    }

+    @pihole host            pihole.catmedved.com
+    handle @pihole {
+        reverse_proxy http://pihole:80
+    }
+
    @photo host             photo.catmedved.com
    handle @photo {
        reverse_proxy immich_server:2283
    }
-
+# R
    @recepies host          recepies.catmedved.com
    handle @recepies {
        reverse_proxy http://mealie:9000
    }
+# S
+    @syncminipc host        sync-minipc.catmedved.com
+    handle @syncminipc {
+        reverse_proxy http://host.docker.internal:8384 {
+            header_up Host {upstream_hostport}
+        }
+    }
+
 }

 http://*.kladovka52.com {
@@ -83,65 +144,16 @@ http://*.catmedved.com {
 }

 https://*.catmedved.com {
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-
+    import tls_catmedved
    import apps
 }

-
-auth.catmedved.com {
-    reverse_proxy http://authentik_server:9000
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+https://*.kladovka52.com {
+    import tls_kladovka52
+    import apps
 }

-# D
-databasus.catmedved.com {
-    reverse_proxy http://databasus:4005
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
-drone.catmedved.com {
-    reverse_proxy http://drone:80
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
-# F
-filebrowser.catmedved.com {
-    reverse_proxy http://filebrowser:80
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
-films.catmedved.com {
-    reverse_proxy http://jellyfin:8096
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
-glances-minipc.catmedved.com {
-    reverse_proxy http://glances:61208
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
-# H
-home.catmedved.com {
-    reverse_proxy http://homepage:3000
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
-# P
-passwords.catmedved.com {
-    reverse_proxy http://vaultwarden:80
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
-pihole.catmedved.com {
-    reverse_proxy http://pihole:80
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
-}
-
-# S
-sync-minipc.catmedved.com {
-    reverse_proxy http://host.docker.internal:8384 {
-        header_up Host {upstream_hostport}
-    }
-    tls /etc/caddy/certs/fullchain.pem /etc/caddy/certs/privkey.pem
+https://*.ulakar.com {
+    import tls_ulakar
+    import apps
 }
--- a/hosts/home-morefine/docker/caddy/docker-compose.yml
+++ b/hosts/home-morefine/docker/caddy/docker-compose.yml
@@ -10,9 +10,10 @@ services:
    ports:
      - "80:80"
      - "443:443"
+      - "443:443/udp" # HTTP/3 (QUIC)
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
-      - /srv/ssl/catmedved.com:/etc/caddy/certs:ro
+      - /srv/tls/certificates:/etc/caddy/certs:ro
      - caddy_data:/data
      - caddy_config:/config
    environment:
--- a/hosts/home-morefine/docker/homepage/config/services.yaml
+++ b/hosts/home-morefine/docker/homepage/config/services.yaml
@@ -48,7 +48,7 @@
        siteMonitor: http://host.docker.internal:8384/rest/noauth/health
        statusStyle: 'dot'
    - Filebrowser:
-        href: https://files-minipc.catmedved.com/
+        href: https://filebrowser.catmedved.com/
        description: Files on minipc
        icon: filebrowser.png
        siteMonitor: http://filebrowser:80
@@ -70,11 +70,11 @@
  - Keenetic:
      href: http://192.168.1.1/
      description: Keenetic Giga Admin
-      icon: keenetic-alt.png
+      icon: /icons/keenetic-k.png
  - HydraRoute Neo:
      href: http://192.168.1.1:2000/
-      descryption: HydarRoute Neo - VPN Routing on Keenetic
-      icon: hydra-route-neo.png
+      description: VPN Routing on Keenetic
+      icon: /icons/hydra-route-neo.png
  - Pi-Hole:
      href: https://pihole.catmedved.com/admin/login
      description: Pi Hole DNS
--- a/hosts/home-morefine/docker/homepage/icons/hydra-route-neo.png
+++ b/hosts/home-morefine/docker/homepage/icons/hydra-route-neo.png
--- a/hosts/home-morefine/docker/homepage/icons/keenetic-k.png
+++ b/hosts/home-morefine/docker/homepage/icons/keenetic-k.png
--- a/hosts/home-morefine/docker/immich/docker-compose.yaml
+++ b/hosts/home-morefine/docker/immich/docker-compose.yaml
@@ -50,7 +50,7 @@ services:
    #   file: hwaccel.ml.yml
    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
    volumes:
-      - ./model-cache:/cache
+      - /srv/rundata/immich/model-cache:/cache
    env_file:
      - .env
    restart: always
--- a/hosts/home-morefine/systemd/sops/sops-decrypt.service
+++ b/hosts/home-morefine/systemd/sops/sops-decrypt.service
@@ -11,7 +11,7 @@ WorkingDirectory=/srv/gitops
 Environment=SOPS_AGE_KEY_FILE=/root/.config/sops/age/keys.txt

 # твой скрипт расшифровки (держи в репо или в /usr/local/bin)
-ExecStart=/srv/gitops/homelab-infra/lab-home/sops-decrypt.sh
+ExecStart=/srv/gitops/shared/sops-decrypt.sh

 TimeoutStartSec=300

--- a/hosts/home-morefine/usr/local/bin/caddy-reload
+++ b/hosts/home-morefine/usr/local/bin/caddy-reload
@@ -0,0 +1,18 @@
+#!/bin/bash
+# check if caddy is up and running
+if [ "$(docker ps -q -f name=caddy)" ]; then
+  echo "🔍 Validating configuration inside 'caddy' container..."
+  if docker exec -w /etc/caddy caddy caddy validate; then
+    echo "✅ Validation successful. Reloading..."
+    docker exec -w /etc/caddy caddy caddy reload
+    echo "🚀 Done!"
+  else
+    echo "❌ Validation failed! Reload aborted."
+    exit 1
+  fi
+else
+  echo "⚠️  Error: Container 'caddy' is not running."
+  exit 1
+fi
+
+# sudo chmod +x /usr/local/bin/caddy-reload
--- a/hosts/lab-by-02/docker/caddy/Caddyfile
+++ b/hosts/lab-by-02/docker/caddy/Caddyfile
@@ -3,6 +3,14 @@
    admin off
 }

+(tls_catmedved) {
+    tls /etc/caddy/certs/catmedved.com.crt /etc/caddy/certs/catmedved.com.key
+}
+
+(tls_kladovka52) {
+    tls /etc/caddy/certs/kladovka52.com.crt /etc/caddy/certs/kladovka52.com.key
+}
+
 (forward_to_home) {
    reverse_proxy 10.8.0.3:80 {
        header_up Host {host}
@@ -17,28 +25,26 @@
    }
 }

+# HTTP -> HTTPS
+http://*.catmedved.com, http://*.kladovka52.com {
+    redir https://{host}{uri} permanent
+}

-# catmedved.com
-
-beszel.catmedved.com,
-copypaste.kladovka52.com,
-gameyfin.catmedved.com,
-gitea.catmedved.com,
-music.catmedved.com,
-pdf-tools.catmedved.com,
-pdf-tools.kladovka52.com,
-photo.catmedved.com,
-recepies.catmedved.com {
+*.catmedved.com {
+    import tls_catmedved
    import forward_to_home
 }

-# kladovka52.com
-
-media.kladovka52.com,
-photo.kladovka52.com {
-    import forward_to_kladovka
+copypaste.kladovka52.com,
+pdf-tools.kladovka52.com {
+    import tls_kladovka52
+    import forward_to_home
 }

+*.kladovka52.com {
+    import tls_kladovka52
+    import forward_to_kladovka
+}

 # wg-easy
 vpnwg.ulakar.com {
--- a/hosts/lab-by-02/docker/caddy/docker-compose.yml
+++ b/hosts/lab-by-02/docker/caddy/docker-compose.yml
@@ -11,6 +11,7 @@ services:
    #      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
+      - /home/vk/docker/lego/certs/certificates:/etc/caddy/certs:ro
      - caddy_data:/data
      - caddy_config:/config
    environment:
--- a/hosts/lab-by-02/docker/lego/catmedved-compose.yaml
+++ b/hosts/lab-by-02/docker/lego/catmedved-compose.yaml
@@ -0,0 +1,18 @@
+services:
+  lego:
+    image: goacme/lego:latest
+    container_name: lego
+    restart: "no"
+    env_file: .env
+    volumes:
+      - ./certs:/.lego
+    command:
+      - --email=admin@catmedved.com
+      - --accept-tos
+      - --dns=namecheap
+      - --domains=catmedved.com
+      - --domains=*.catmedved.com
+      - run
+      # use renew to update existing certificate(s)
+      # - renew u
+#      - --days=60
--- a/hosts/lab-by-02/docker/lego/kladovka52-compose.yaml
+++ b/hosts/lab-by-02/docker/lego/kladovka52-compose.yaml
@@ -0,0 +1,18 @@
+services:
+  lego:
+    image: goacme/lego:latest
+    container_name: lego
+    restart: "no"
+    env_file: .env
+    volumes:
+      - ./certs:/.lego
+    command:
+      - --email=admin@kladovka52.com
+      - --accept-tos
+      - --dns=porkbun
+      - --domains=kladovka52.com
+      - --domains=*.kladovka52.com
+      - run
+      # use renew to update existing certificate(s)
+      # - renew u
+#      - --days=60
--- a/hosts/lab-by-02/docker/lego/run.sh
+++ b/hosts/lab-by-02/docker/lego/run.sh
@@ -0,0 +1,5 @@
+docker compose -f catmedved-compose.yaml up
+
+docker compose -f kladovka42-compose.yaml up
+
+docker compose -f ulakar-compose.yaml up
--- a/hosts/lab-by-02/docker/lego/secrets.sops.env
+++ b/hosts/lab-by-02/docker/lego/secrets.sops.env
@@ -0,0 +1,12 @@
+NAMECHEAP_API_USER=ENC[AES256_GCM,data:rg+INH0JJNcb,iv:RkdTvt2EZ8zovoReX7BPJkgXR0BC8cF5R1XuR2BoKEk=,tag:kHdkhUK/wLedphhblDQCJQ==,type:str]
+NAMECHEAP_API_KEY=ENC[AES256_GCM,data:4FNq87vNxlg6Xbzj4EaTKNv5j76FbDqjR40F0E8kkD0=,iv:EqjjK7AY479hc03dEVmYer0uI2j5+jDSwka9VF2BuBk=,tag:tSZE8p6QlVUWjcnvN+J92g==,type:str]
+PORKBUN_API_KEY=ENC[AES256_GCM,data:iQ2MBXQ3NWzNaKp0TQ052pi+ZsRqNSomCYLbORIo3oXQW2AmKwZIDotqo6ypD4p/SB9KS5ArshJRBW6wV+qHt6Sdt+c=,iv:SKzXkFI3krehAsrz6TJn8uy/EMY8zi/VMmAm3kumu5o=,tag:rZMqPIOCdqwp9sy1MqEWUw==,type:str]
+PORKBUN_SECRET_API_KEY=ENC[AES256_GCM,data:MohqAorMfVURpymTqJAPzF7FEWiNh2f75L4XwJjFNwaE3EKlXN/1WASFezoESv5/4/fw1S1XeuXPCdzAWWDlJeo0bpI=,iv:4PROOEMb0SDFaF760vDSyjNQPZQmUw20qsBFjb1lSBo=,tag:yAh/fbdF4ADP4tLX5fwTCA==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SU05WXNFMWNrejMrVVFD\nMFUreitrNWhnbnlOUWtadkUyWjFHMG5MaFNnCitpZHNyRTBKdWZaNEJFd1JGaUl5\nWWVNS3djSmpxd2h5OEwrM2lQZ29LMkEKLS0tIHpRKzc1WWxDYlEvemROUDlubkhj\naFlZa2ExV2ZDekwwaW5xaWsyMlFXN1kK9NAxY5WcnIzpjJB4WyRoH37qx/grHdZX\nintmS85J4qzbKM5SqrQm5PCjie+LTdKkKhZAvSk9Xr/9Le/HxT14Ug==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1ua9qahphsqf2x8ew2n4umapp23a66t0eccccc0d5etp82n8tsqgsfc8qjk
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWR0xjQ3FkSTI4Zm00djJX\ndlJqZ2F5UjgzM29wUEhGbmhudGtzcFhrR0M0Ckwybk9xcytKZnRPeTBITk1mK1RV\nTkhmandrYkZSNHhoMGd6S1h5N1lYZ28KLS0tIDVEdnp0TmgyTExNY05uL3kvalpO\ndG0ydlBHNWNXVG1aTHIwcFBFa2JNQnMKg3eqZbaZlgPMBydDI7NaLJh57+JT4EOY\nYCPZqcsFXfnogm2sJ7a7/fZcFy2vb0piz9QpTtBfDCYwNK0FJAK8Vw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1nw388umnlxfj3cg9lqjyltghfx6w709nam8s2x826c3nxla9famq3uya73
+sops_lastmodified=2026-02-23T17:22:43Z
+sops_mac=ENC[AES256_GCM,data:lSsi/0ebF6z+jNNyULF1G0ZYcGGf6A/3jm0JeBbmPZOkFNJVeUC47hg+AB/itOUUYFT8kXT3+1HwWnZQfSjOzEDO7lPZH25D5IM1YhMU//TBN/7se81zjgvV2tA8kofeD03BxYWAbZeAG0J+MHkV1SAN4arL6NnRPV0F0iFAyQ0=,iv:ey7jo/P2SnIVuRyaEL+x9UfETjCMerniakDA4YWIwfo=,tag:NWUl2sFHLCnU5CfhAkrNMw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0
--- a/hosts/lab-by-02/docker/lego/ulakar-compose.yaml
+++ b/hosts/lab-by-02/docker/lego/ulakar-compose.yaml
@@ -0,0 +1,18 @@
+services:
+  lego:
+    image: goacme/lego:latest
+    container_name: lego
+    restart: "no"
+    env_file: .env
+    volumes:
+      - ./certs:/.lego
+    command:
+      - --email=ulakar@fastmail.com
+      - --accept-tos
+      - --dns=porkbun
+      - --domains=ulakar.com
+      - --domains=*.ulakar.com
+      - run
+      # use renew to update existing certificate(s)
+      # - renew u
+#      - --days=60
Author	SHA1	Message	Date
v.karaychentsev	6c69fb0ace	fixed sops decrypt path	2026-03-15 16:17:39 +03:00
v.karaychentsev	0b0ea9b288	add script to reload caddy	2026-02-24 18:43:23 +03:00
v.karaychentsev	687fb17038	enable admin interface to reload caddy	2026-02-24 18:24:22 +03:00
v.karaychentsev	f16acb6aea	fixes	2026-02-24 18:20:48 +03:00
Uladzimir K	ac3712b722	fixes	2026-02-24 18:18:06 +03:00
v.karaychentsev	e4f623ffa7	caddy: update config. Move sites to the (apps) section. Use existing certificates.	2026-02-24 18:13:19 +03:00
v.karaychentsev	d00f4f65c4	fix typo	2026-02-24 16:35:18 +03:00
v.karaychentsev	3d1f6375e3	fix typo	2026-02-24 16:34:45 +03:00
v.karaychentsev	211c19ff41	homepage: add keenetic icon	2026-02-24 16:33:39 +03:00
Uladzimir K	59091880e4	homepage: fixed hydra route icon	2026-02-24 16:32:47 +03:00
v.karaychentsev	f5205fc5d1	add hydra-route-neo.png	2026-02-24 16:15:39 +03:00
v.karaychentsev	7106df52f1	use lego to renew certificates on vps refactor caddy config	2026-02-24 16:15:18 +03:00