m

modified:   volumes/conf.d/zinomedia.de.conf

.gitignore

@@ -1,5 +1,20 @@
-# Ignore everything in the volume folder
+# Ignore everything in the volumes/html directory
-#volume/*
+volumes/html/*
 
-# But not the .gitkeep file
+# But not these directories
-!volume/.gitkeep
+!volumes/html/dl.zinomedia.de
+!volumes/html/pkrstarsbot.zinomedia.de
+!volumes/logs/
+!volumes/html/registry.zinomedia.de
+!volumes/html/registryui.zinomedia.de
+!volumes/html/mtail.zinomedia.de
+!volumes/html/metrics.registry.zinomedia.de
+!volumes/html/etherpad.zinomedia.de
+
+# Ignore contents of these directories
+volumes/html/dl.zinomedia.de/*
+volumes/html/pkrstarsbot.zinomedia.de/*
+volumes/logs/*
+
+# Do not ignore a special file name
+!.gitkeep

config/50x.html

@@ -1,28 +0,0 @@
-<!DOCTYPE html>
-<html>
-
-<head>
-    <title>Error</title>
-    <style>
-        html {
-            color-scheme: light dark;
-        }
-
-        body {
-            width: 35em;
-            margin: 0 auto;
-            font-family: Tahoma, Verdana, Arial, sans-serif;
-        }
-    </style>
-</head>
-
-<body>
-    <h1>An error occurred.</h1>
-    <p>Sorry, the page you are looking for is currently unavailable.<br />
-        Please try again later.</p>
-    <p>If you are the system administrator of this resource then you should check
-        the error log for details.</p>
-    <p><em>Faithfully yours, nginx.</em></p>
-</body>
-
-</html>

config/index.html

@@ -1,33 +0,0 @@
-<!DOCTYPE html>
-<html>
-
-<head>
-    <title>Welcome to nginx!</title>
-    <style>
-        html {
-            color-scheme: light dark;
-        }
-
-        body {
-            width: 35em;
-            margin: 0 auto;
-            font-family: Tahoma, Verdana, Arial, sans-serif;
-        }
-    </style>
-</head>
-
-<body>
-    <h1>Welcome to nginx!</h1>
-    <p>If you see this page, the nginx web server is successfully installed and
-        working. Further configuration is required.</p>
-
-    <p>For online documentation and support please refer to
-        <a href="http://nginx.org/">nginx.org</a>.<br />
-        Commercial support is available at
-        <a href="http://nginx.com/">nginx.com</a>.
-    </p>
-
-    <p><em>Thank you for using nginx.</em></p>
-</body>
-
-</html>

config/nginx.conf

@@ -1,31 +0,0 @@
-user  nginx;
-worker_processes  auto;
-
-error_log  /var/log/nginx/error.log notice;
-pid        /var/run/nginx.pid;
-
-
-events {
-    worker_connections  1024;
-}
-
-
-http {
-    include       /etc/nginx/mime.types;
-    default_type  application/octet-stream;
-
-    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
-                      '$status $body_bytes_sent "$http_referer" '
-                      '"$http_user_agent" "$http_x_forwarded_for"';
-
-    access_log  /var/log/nginx/access.log  main;
-
-    sendfile        on;
-    #tcp_nopush     on;
-
-    keepalive_timeout  65;
-
-    #gzip  on;
-
-    include /etc/nginx/conf.d/*.conf;
-}

config/portainer.armos.zinomedia.de.conf

@@ -1,18 +0,0 @@
-server {
-    server_name portainer.armos.zinomedia.de;
-
-    location / {
-        add_header Content-Security-Policy "font-src * data: blob: 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';" always;
-        proxy_set_header X-Forwarded-Host $host:$server_port;
-        proxy_set_header X-Forwarded-Server $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_pass http://127.0.0.1:9000;
-    }
-
-}
-
-server {
-    listen 80;
-    listen [::]:80;
-    server_name portainer.armos.zinomedia.de;
-}

docker-compose.yml

@@ -1,4 +1,3 @@
-version: '3.8'
 services:
   nginx:
     image: nginx:latest
@@ -6,15 +5,27 @@ services:
     restart: unless-stopped
     networks:
       - web
+    environment:
+      - TZ=Europe/Berlin
     ports:
       - 80:80
       - 443:443
     volumes:
       - ./volumes/conf.d:/etc/nginx/conf.d
+      - ./volumes/snippets:/etc/nginx/snippets
       - ./volumes/html:/usr/share/nginx/html
       - ./volumes/nginx.conf:/etc/nginx/nginx.conf
       - ./volumes/logs:/var/log/nginx
       - /etc/letsencrypt:/etc/letsencrypt
+      - ../docker-wordpress-4netplayers/volumes/wordpress:/usr/share/nginx/html/4netplayers.zinomedia.de
+      - ../docker-wordpress-zinomedia/volumes/wordpress:/usr/share/nginx/html/zinomedia.de
+      - ../docker-wordpress-autocutbot/volumes/wordpress:/usr/share/nginx/html/autocutbot.zinomedia.de
+      - ../docker-wordpress-pokerstarsbot/volumes/wordpress:/usr/share/nginx/html/pokerstarsbot.zinomedia.de
+      - ../docker-wordpress-pokerstarsbotx/volumes/wordpress:/usr/share/nginx/html/pokerstarsbotx.zinomedia.de
+      - ../docker-wordpress-seatmapv2/volumes/wordpress:/usr/share/nginx/html/seatmapv2.zinomedia.de
+      - ../docker-wordpress-terminsnipe/volumes/wordpress:/usr/share/nginx/html/terminsnipe.zinomedia.de
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
 
 networks:
   web:

volumes/conf.d/4netplayers.zinomedia.de.conf

@@ -0,0 +1,61 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name 4netplayers.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    root /usr/share/nginx/html/4netplayers.zinomedia.de;
+    index index.php;
+
+    client_max_body_size 32m;
+
+    ssl_certificate /etc/letsencrypt/live/4netplayers.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/4netplayers.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self' data:;" always;
+
+    location ~ /(\.user\.ini|debug\.log) {
+        deny all;
+    }
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "4netplayers-wordpress:80";
+
+        try_files $uri $uri/ /index.php?$args;
+
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Forwarded-Host $host:$server_port;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass http://$upstream;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+        expires max;
+        log_not_found off;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name 4netplayers.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/autocutbot.zinomedia.de.conf

@@ -0,0 +1,46 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name autocutbot.zinomedia.de;
+
+    #access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log error;
+    access_log off;
+
+    root /usr/share/nginx/html/autocutbot.zinomedia.de;
+
+    index index.php;
+
+    ssl_certificate /etc/letsencrypt/live/autocutbot.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/autocutbot.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+    include "snippets/wordpress-optimizations.conf";
+
+    add_header Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: blob: *; img-src 'unsafe-inline' data: blob: *; style-src 'unsafe-inline' data: blob: *; font-src 'unsafe-inline' data: blob: *;" always;
+
+    client_max_body_size 0;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "autocutbot-wordpress:80";
+
+        try_files $uri $uri/ /index.php?$args;
+
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+
+        proxy_pass http://$upstream;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name autocutbot.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/code.zinomedia.de.conf

@@ -0,0 +1,36 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name code.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log debug;
+
+    ssl_certificate /etc/letsencrypt/live/code.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/code.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+    include "snippets/enable-vouch.conf";
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "http://code-server:8443";
+
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_set_header Connection upgrade;
+        proxy_headers_hash_max_size 512;
+        proxy_headers_hash_bucket_size 128;
+        proxy_read_timeout 3600;
+        proxy_pass $upstream;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name code.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/dl.zinomedia.de.conf

@@ -0,0 +1,31 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name dl.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    root /usr/share/nginx/html/dl.zinomedia.de;
+    autoindex off;
+
+    ssl_certificate /etc/letsencrypt/live/dl.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/dl.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    add_header Content-Security-Policy "default-src 'self';" always;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header X-Content-Type-Options "nosniff";
+
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name dl.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/drawio.zinomedia.de.conf

@@ -0,0 +1,42 @@
+server {
+    listen *:443 ssl;
+    listen [::]:443 ssl;
+    server_name drawio.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    ssl_certificate /etc/letsencrypt/live/drawio.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/drawio.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+    include "snippets/enable-vouch.conf";
+
+    add_header Content-Security-Policy "default-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: http://drawio.zinomedia.de; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src *;" always;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "drawio:8080";
+
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+
+        proxy_pass http://$upstream;
+        proxy_redirect off;
+        proxy_buffering on;
+        proxy_buffers 16 32k;
+        proxy_buffer_size 64k;
+    }
+
+}
+
+server {
+    server_name drawio.zinomedia.de;
+    listen 80;
+    listen [::]:80;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/etherpad.zinomedia.de.conf

@@ -0,0 +1,66 @@
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name etherpad.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    ssl_certificate /etc/letsencrypt/live/etherpad.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/etherpad.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    auth_basic "Protected";
+    auth_basic_user_file /usr/share/nginx/html/etherpad.zinomedia.de/.htpasswd;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "http://etherpad:9001";
+
+        rewrite ^/$ / break;
+        rewrite ^/locales/(.*) /locales/$1 break;
+        rewrite ^/locales.json /locales.json break;
+        rewrite ^/admin(.*) /admin$1 break;
+        rewrite ^/p/(.*) /p/$1 break;
+        rewrite ^/static/(.*) /static/$1 break;
+        rewrite ^/pluginfw/(.*) /pluginfw/$1 break;
+        rewrite ^/javascripts/(.*) /javascripts/$1 break;
+        rewrite ^/socket.io/(.*) /socket.io/$1 break;
+        rewrite ^/ep/(.*) /ep/$1 break;
+        rewrite ^/minified/(.*) /minified/$1 break;
+        rewrite ^/api/(.*) /api/$1 break;
+        rewrite ^/ro/(.*) /ro/$1 break;
+        rewrite ^/error/(.*) /error/$1 break;
+        rewrite ^/jserror(.*) /jserror$1 break;
+        rewrite ^/redirect(.*) /redirect$1 break;
+        rewrite ^/(.*\.js) /$1 break;
+        rewrite /favicon.ico /favicon.ico break;
+        rewrite /robots.txt /robots.txt break;
+        rewrite /(.*) /p/$1;
+
+        proxy_pass $upstream;
+
+        proxy_buffering off;
+        proxy_set_header Host $host;
+        proxy_pass_header Server;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name etherpad.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/git.zinomedia.de.conf

@@ -0,0 +1,41 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name git.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    ssl_certificate /etc/letsencrypt/live/git.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/git.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    # Gzip Compression
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "gitea:3000";
+
+        client_max_body_size 10000M; # Push large objects to gitea
+
+        proxy_set_header X-Forwarded-Host $host:$server_port;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_pass http://$upstream;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        proxy_set_header Connection $http_connection;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name git.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/ha.zinomedia.de.conf

@@ -0,0 +1,34 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_name ha.zinomedia.de;
+
+    ssl_certificate /etc/letsencrypt/live/ha.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/ha.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    location / {
+        proxy_pass http://host.docker.internal:8123;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Frame-Options SAMEORIGIN;
+        proxy_set_header X-Content-Type-Options nosniff;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_connect_timeout 15s;
+        proxy_read_timeout 30s;
+        proxy_send_timeout 30s;
+        send_timeout 30s;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name ha.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/joplin.zinomedia.de.conf

@@ -0,0 +1,40 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name joplin.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    ssl_certificate /etc/letsencrypt/live/joplin.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/joplin.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    # Gzip Compression
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "joplin:22300";
+
+        client_max_body_size 1000M; # allow large files
+
+        proxy_pass http://$upstream;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Accept-Encoding gzip;
+        proxy_headers_hash_max_size 512;
+        proxy_headers_hash_bucket_size 128;
+        proxy_read_timeout 3600;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name joplin.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/mail.zinomedia.de.conf

@@ -0,0 +1,54 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+    server_name mail.zinomedia.de autodiscover.* autoconfig.*;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    ssl_certificate /etc/letsencrypt/live/mail.zinomedia.de/cert.pem;
+    ssl_certificate_key /etc/letsencrypt/live/mail.zinomedia.de/privkey.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+
+    ssl_protocols TLSv1.2;
+    ssl_ciphers HIGH:!aNULL:!MD5:!SHA1:!kRSA;
+    ssl_prefer_server_ciphers off;
+
+    # resolver 127.0.0.11;
+
+    location /Microsoft-Server-ActiveSync {
+        proxy_pass http://host.docker.internal:8080/Microsoft-Server-ActiveSync;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_connect_timeout 75;
+        proxy_send_timeout 3650;
+        proxy_read_timeout 3650;
+        proxy_buffers 64 512k;
+        client_body_buffer_size 512k;
+        client_max_body_size 0;
+    }
+
+    location / {
+        proxy_pass http://host.docker.internal:8080/;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        client_max_body_size 0;
+        proxy_buffer_size 128k;
+        proxy_buffers 64 512k;
+        proxy_busy_buffers_size 512k;
+    }
+}
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name mail.zinomedia.de autodiscover.* autoconfig.*;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/metrics.registry.zinomedia.de.conf

@@ -0,0 +1,37 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name metrics.registry.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    # SSL Certificate Configuration
+    ssl_certificate /etc/letsencrypt/live/metrics.registry.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/metrics.registry.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    # Password protect
+    auth_basic "Protected Area";
+    auth_basic_user_file /usr/share/nginx/html/metrics.registry.zinomedia.de/.htpasswd;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "http://registry:5001";
+        proxy_pass $upstream;
+
+        proxy_set_header Host $http_host; # required for docker client's sake
+        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 900;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name metrics.registry.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/mtail.zinomedia.de.conf

@@ -0,0 +1,38 @@
+server {
+    listen *:443 ssl;
+    listen [::]:443 ssl;
+    server_name mtail.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    ssl_certificate /etc/letsencrypt/live/mtail.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/mtail.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "mtail:3903";
+
+        # Password protect
+        auth_basic "Protected";
+        auth_basic_user_file /usr/share/nginx/html/mtail.zinomedia.de/.htpasswd;
+
+        proxy_set_header X-Forwarded-Host $host:$server_port;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_read_timeout 300s;
+
+        proxy_pass http://$upstream;
+    }
+
+}
+
+server {
+    server_name mtail.zinomedia.de;
+    listen 80;
+    listen [::]:80;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/pkrstarsbot.zinomedia.de.conf

@@ -0,0 +1,41 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name pkrstarsbot.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    root /usr/share/nginx/html/pkrstarsbot.zinomedia.de/www/htdocs;
+    index index.php index.html;
+
+    # SSL Certificate Configuration
+    ssl_certificate /etc/letsencrypt/live/pkrstarsbot.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/pkrstarsbot.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+    include "snippets/enable-php-fpm.conf";
+    
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; img-src 'self' data:; style-src 'self'; font-src 'self' data:;" always;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+
+    # Password protect
+    auth_basic "Protected Area";
+    auth_basic_user_file /usr/share/nginx/html/pkrstarsbot.zinomedia.de/www/htdocs/.htpasswd;
+
+    # Static File Caching (Optional)
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+        expires 30d;
+        add_header Cache-Control "public, immutable";
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name pkrstarsbot.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/pokerstarsbot.zinomedia.de.conf

@@ -0,0 +1,45 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name pokerstarsbot.zinomedia.de;
+
+    error_log /var/log/nginx/error.log error;
+    access_log off;
+
+    root /usr/share/nginx/html/pokerstarsbot.zinomedia.de;
+
+    index index.php;
+
+    ssl_certificate /etc/letsencrypt/live/pokerstarsbot.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/pokerstarsbot.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+    include "snippets/wordpress-optimizations.conf";
+
+    add_header Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: blob: *; img-src 'unsafe-inline' data: blob: *; style-src 'unsafe-inline' data: blob: *; font-src 'unsafe-inline' data: blob: *;" always;
+
+    client_max_body_size 0;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "pokerstarsbot-wordpress:80";
+
+        try_files $uri $uri/ /index.php?$args;
+
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+
+        proxy_pass http://$upstream;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name pokerstarsbot.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/pokerstarsbotx.zinomedia.de.conf

@@ -0,0 +1,45 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name pokerstarsbotx.zinomedia.de;
+
+    error_log /var/log/nginx/error.log error;
+    access_log off;
+
+    root /usr/share/nginx/html/pokerstarsbotx.zinomedia.de;
+
+    index index.php;
+
+    ssl_certificate /etc/letsencrypt/live/pokerstarsbotx.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/pokerstarsbotx.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+    include "snippets/wordpress-optimizations.conf";
+
+    add_header Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: blob: *; img-src 'unsafe-inline' data: blob: *; style-src 'unsafe-inline' data: blob: *; font-src 'unsafe-inline' data: blob: *;" always;
+
+    client_max_body_size 0;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "pokerstarsbotx-wordpress:80";
+
+        try_files $uri $uri/ /index.php?$args;
+
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+
+        proxy_pass http://$upstream;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name pokerstarsbotx.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/portainer.armos.zinomedia.de.conf

@@ -1,30 +1,37 @@
 server {
     listen *:443 ssl;
     listen [::]:443 ssl;
+    server_name portainer.armos.zinomedia.de;
 
-    server_name portainer.armos.zinomedia.de www.portainer.armos.zinomedia.de;
+    access_log off;
     error_log /var/log/nginx/error.log error;
 
     ssl_certificate /etc/letsencrypt/live/portainer.armos.zinomedia.de/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/portainer.armos.zinomedia.de/privkey.pem;
 
+    include "snippets/ssl-optimizations.conf";
+    include "snippets/enable-vouch.conf";
+
     location / {
+        resolver 127.0.0.11;
+        set $upstream "portainer:9000";
+
         add_header Content-Security-Policy "font-src * data: blob: 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';" always;
         proxy_set_header X-Forwarded-Host $host:$server_port;
         proxy_set_header X-Forwarded-Server $host;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_pass http://portainer:9000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 300s;
+        proxy_pass http://$upstream;
     }
 
 }
 
 server {
-    if ($host = portainer.armos.zinomedia.de) {
+    server_name portainer.armos.zinomedia.de;
-        return 301 https://$host$request_uri;
-    }
-
-    server_name server_name portainer.armos.zinomedia.de www.portainer.armos.zinomedia.de;
     listen 80;
     listen [::]:80;
-    return 404;
+    return 301 https://$host$request_uri;
 }

volumes/conf.d/registry.zinomedia.de.conf

@@ -0,0 +1,95 @@
+## Set a variable to help us decide if we need to add the
+## 'Docker-Distribution-Api-Version' header.
+## The registry always sets this header.
+## In the case of nginx performing auth, the header is unset
+## since nginx is auth-ing before proxying.
+map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
+    '' 'registry/2.0';
+}
+
+## Record actual registry push/pull traffic
+include "snippets/registry-transfer-logging.conf";
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name registry.zinomedia.de;
+
+    access_log /var/log/nginx/registry.zinomedia.de.access.log;
+    error_log /var/log/nginx/error.log;
+
+    # Record actual registry push/pull traffic
+    access_log /var/log/nginx/registry.zinomedia.de.access.json.log registry_json if=$is_transfer_loggable;
+
+    ssl_certificate /etc/letsencrypt/live/registry.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/registry.zinomedia.de/privkey.pem;
+
+    # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+    ssl_prefer_server_ciphers on;
+
+    # required to avoid HTTP 411: see Issue #1486 (https://github.com/moby/moby/issues/1486)
+    chunked_transfer_encoding on;
+
+    location / {
+        return 403;
+    }
+
+    location /v2/ {
+        # disable any limits to avoid HTTP 413 for large image uploads
+        client_max_body_size 0;
+
+        # Password protect
+        auth_basic "Protected Registry";
+        auth_basic_user_file /usr/share/nginx/html/registry.zinomedia.de/.htpasswd;
+
+        if ($request_method = OPTIONS) {
+            add_header 'Access-Control-Allow-Origin' 'https://registryui.zinomedia.de';
+            add_header 'Access-Control-Allow-Credentials' 'true';
+            add_header 'Access-Control-Allow-Headers' 'Authorization, Accept, Cache-Control';
+            add_header 'Access-Control-Allow-Methods' 'HEAD, GET, OPTIONS, DELETE';
+            add_header 'Content-Length' '0';
+            add_header 'Content-Type' 'text/plain charset=UTF-8';
+            return 204;
+        }
+
+        if ($request_method = DELETE) {
+            add_header 'Access-Control-Allow-Origin' 'https://registryui.zinomedia.de' always;
+            add_header 'Access-Control-Allow-Credentials' 'true' always;
+            add_header 'Access-Control-Allow-Headers' 'Authorization, Accept, Cache-Control' always;
+            add_header 'Access-Control-Allow-Methods' 'HEAD, GET, OPTIONS, DELETE' always;
+        }
+
+        add_header Access-Control-Allow-Origin "https://registryui.zinomedia.de";
+        add_header Access-Control-Allow-Credentials "true";
+        add_header Access-Control-Allow-Headers "Authorization, Accept, Cache-Control";
+        add_header Access-Control-Allow-Methods "HEAD, GET, OPTIONS, DELETE";
+
+        # Do not allow connections from docker 1.5 and earlier
+        if ($http_user_agent ~ "^(docker\/1\.(3|4|5(?!\.[0-9]-dev))|Go ).*$" ) {
+            return 404;
+        }
+
+        ## If $docker_distribution_api_version is empty, the header is not added.
+        ## See the map directive above where this variable is defined.
+        add_header 'Docker-Distribution-Api-Version' $docker_distribution_api_version always;
+
+        resolver 127.0.0.11;
+        set $upstream "http://registry:5000";
+        proxy_pass $upstream;
+
+        proxy_set_header Host $http_host; # required for docker client's sake
+        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 900;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name registry.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/registryui.zinomedia.de.conf

@@ -0,0 +1,42 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name registryui.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    root /usr/share/nginx/html/registryui.zinomedia.de/www/htdocs;
+    index index.php index.html;
+
+    # SSL Certificate Configuration
+    ssl_certificate /etc/letsencrypt/live/registryui.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/registryui.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    # Password protect
+    auth_basic "Protected Area";
+    auth_basic_user_file /usr/share/nginx/html/registryui.zinomedia.de/.htpasswd;
+
+    location / {
+        add_header Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data:; style-src * 'unsafe-inline'; font-src * data:;" always;
+
+        resolver 127.0.0.11;
+        set $upstream "http://registryui:80";
+        proxy_pass $upstream;
+
+        client_max_body_size 0;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Host $server_name;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name registryui.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/seafile.zinomedia.de.conf

@@ -0,0 +1,36 @@
+log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name seafile.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    ssl_certificate /etc/letsencrypt/live/seafile.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/seafile.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+    
+    add_header Content-Security-Policy "default-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: http://seafile.zinomedia.de; style-src 'self' 'unsafe-inline'; font-src 'self' data:;" always;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "http://seafile:80";
+        proxy_pass $upstream;
+
+        client_max_body_size 0;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-Host $server_name;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name seafile.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/seatmapv2.zinomedia.de.conf

@@ -0,0 +1,45 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name seatmapv2.zinomedia.de;
+
+    error_log /var/log/nginx/error.log error;
+    access_log off;
+
+    root /usr/share/nginx/html/seatmapv2.zinomedia.de;
+
+    index index.php;
+
+    ssl_certificate /etc/letsencrypt/live/seatmapv2.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/seatmapv2.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+    include "snippets/wordpress-optimizations.conf";
+
+    add_header Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: blob: *; img-src 'unsafe-inline' data: blob: *; style-src 'unsafe-inline' data: blob: *; font-src 'unsafe-inline' data: blob: *;" always;
+
+    client_max_body_size 0;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "seatmapv2-wordpress:80";
+
+        try_files $uri $uri/ /index.php?$args;
+
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+
+        proxy_pass http://$upstream;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name seatmapv2.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/simhub.zinomedia.de.conf

@@ -0,0 +1,33 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name simhub.zinomedia.de;
+
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    # SSL Certificate Configuration
+    ssl_certificate /etc/letsencrypt/live/simhub.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/simhub.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "http://simracing-telemetry-hub-workspace:8000";
+        proxy_pass $upstream;
+
+        proxy_set_header Host $http_host; # required for docker client's sake
+        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 900;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name simhub.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/terminsnipe.zinomedia.de.conf

@@ -0,0 +1,45 @@
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name terminsnipe.zinomedia.de;
+
+    error_log /var/log/nginx/error.log error;
+    access_log off;
+
+    root /usr/share/nginx/html/terminsnipe.zinomedia.de;
+
+    index index.php;
+
+    ssl_certificate /etc/letsencrypt/live/terminsnipe.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/terminsnipe.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+    include "snippets/wordpress-optimizations.conf";
+
+    add_header Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: blob: *; img-src 'unsafe-inline' data: blob: *; style-src 'unsafe-inline' data: blob: *; font-src 'unsafe-inline' data: blob: *;" always;
+
+    client_max_body_size 0;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "terminsnipe-wordpress:80";
+
+        try_files $uri $uri/ /index.php?$args;
+
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+
+        proxy_pass http://$upstream;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name terminsnipe.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/validate.vouch.armos.zinomedia.de.conf

@@ -0,0 +1,34 @@
+#log_format custom '[$time_iso8601] VALIDATE | host: $host | request_uri: $request_uri | status: $status | http_host: $http_host | auth_resp_x_vouch_user: $auth_resp_x_vouch_user | upstream_http_x_vouch_user: $upstream_http_x_vouch_user | auth_resp_jwt: $auth_resp_jwt | upstream_http_x_vouch_jwt: $upstream_http_x_vouch_jwt | auth_resp_err: $auth_resp_err | upstream_http_x_vouch_err: $upstream_http_x_vouch_err | auth_resp_failcount: $auth_resp_failcount | upstream_http_x_vouch_failcount: $upstream_http_x_vouch_failcount';
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name validate.vouch.armos.zinomedia.de;
+
+    #access_log /var/log/nginx/access.log custom;
+    access_log off;
+    error_log /var/log/nginx/error.log error;
+
+    ssl_certificate /etc/letsencrypt/live/validate.vouch.armos.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/validate.vouch.armos.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    location = /validate {
+        # forward the /validate request to Vouch Proxy
+        resolver 127.0.0.11;
+        set $upstream "http://vouch:9090/validate";
+        proxy_pass $upstream;
+
+        # be sure to pass the original host header
+        proxy_set_header Host $http_host;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name validate.vouch.armos.zinomedia.de;
+    return 301 https://$host$request_uri;
+}
+

volumes/conf.d/vouch.armos.zinomedia.de.conf

@@ -0,0 +1,30 @@
+#log_format vouch '[$time_iso8601] VOUCH | request_uri: $request_uri | status: $status | http_host: $http_host | auth_resp_x_vouch_user: $auth_resp_x_vouch_user | upstream_http_x_vouch_user: $upstream_http_x_vouch_user | auth_resp_jwt: $auth_resp_jwt | upstream_http_x_vouch_jwt: $upstream_http_x_vouch_jwt | auth_resp_err: $auth_resp_err | upstream_http_x_vouch_err: $upstream_http_x_vouch_err | auth_resp_failcount: $auth_resp_failcount | upstream_http_x_vouch_failcount: $upstream_http_x_vouch_failcount';
+
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name vouch.armos.zinomedia.de;
+
+    #access_log /var/log/nginx/access.log vouch;
+    access_log off;
+    error_log /var/log/nginx/error.log debug;
+
+    ssl_certificate /etc/letsencrypt/live/vouch.armos.zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/vouch.armos.zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "http://vouch:9090";
+        proxy_pass $upstream;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name vouch.armos.zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/conf.d/zinomedia.de.conf

@@ -0,0 +1,56 @@
+# Dynamically set CORS headers based on the request origin.
+# Needed for legacy wordoress migrations
+map $http_origin $allow_origin {
+    ~^https://(.*\.)?zinomedia\.de$ $http_origin;
+    default "";
+}
+
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name zinomedia.de;
+
+    #access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log error;
+    access_log off;
+
+    root /usr/share/nginx/html/zinomedia.de;
+
+    index index.php;
+
+    ssl_certificate /etc/letsencrypt/live/zinomedia.de/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/zinomedia.de/privkey.pem;
+
+    include "snippets/ssl-optimizations.conf";
+    include "snippets/wordpress-optimizations.conf";
+
+    add_header Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' data: blob: *; script-src 'unsafe-inline' 'unsafe-eval' data: blob: *; img-src 'unsafe-inline' data: blob: *; style-src 'unsafe-inline' data: blob: *; font-src 'unsafe-inline' data: blob: *;" always;
+
+    client_max_body_size 0;
+
+    # Dynamically set CORS headers based on the request origin.
+    add_header 'Access-Control-Allow-Origin' $allow_origin;
+
+    location / {
+        resolver 127.0.0.11;
+        set $upstream "zinomedia-wordpress:80";
+
+        try_files $uri $uri/ /index.php?$args;
+
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Server $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+
+        proxy_pass http://$upstream;
+    }
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name zinomedia.de;
+    return 301 https://$host$request_uri;
+}

volumes/html/etherpad.zinomedia.de/.htpasswd

@@ -0,0 +1 @@
+zino:$apr1$XBzEVqBi$9SNhwAwBS2PJ47coYKoRH/

volumes/html/index.html

@@ -2,7 +2,7 @@
 <html>
 
 <head>
-    <title>Welcome to nginx!</title>
+    <title>Welcome to nginx 1337!</title>
     <style>
         html {
             color-scheme: light dark;
@@ -30,4 +30,4 @@
     <p><em>Thank you for using nginx.</em></p>
 </body>
 
-</html>
+</html>

volumes/html/metrics.registry.zinomedia.de/.htpasswd

@@ -0,0 +1 @@
+zino:$apr1$XBzEVqBi$9SNhwAwBS2PJ47coYKoRH/

volumes/html/mtail.zinomedia.de/.htpasswd

@@ -0,0 +1 @@
+zino:$apr1$XBzEVqBi$9SNhwAwBS2PJ47coYKoRH/

volumes/html/registry.zinomedia.de/.htpasswd

@@ -0,0 +1 @@
+zino:$apr1$XBzEVqBi$9SNhwAwBS2PJ47coYKoRH/

volumes/html/registryui.zinomedia.de/.htpasswd

@@ -0,0 +1 @@
+zino:$apr1$XBzEVqBi$9SNhwAwBS2PJ47coYKoRH/

volumes/snippets/enable-php-fpm.conf

@@ -0,0 +1,9 @@
+location ~ \.php$ {
+    resolver 127.0.0.11;
+    set $upstream "php-fpm:9000";
+
+    include fastcgi_params;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_index index.php;
+    fastcgi_pass $upstream;
+}

volumes/snippets/enable-vouch-no-subdomain.conf

@@ -0,0 +1,31 @@
+
+# send all requests to the `/validate` endpoint for authorization
+auth_request /validate;
+
+location = /validate {
+    # forward the /validate request to Vouch Proxy
+    proxy_pass http://vouch:9090/validate;
+
+    # be sure to pass the original host header
+    proxy_set_header Host $http_host;
+
+    # Vouch Proxy only acts on the request headers
+    proxy_pass_request_body off;
+    proxy_set_header Content-Length "";
+
+    # optionally add X-Vouch-User as returned by Vouch Proxy along with the request
+    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
+
+    # these return values are used by the @error401 call
+    auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
+    auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
+    auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
+}
+
+# if validate returns `401 not authorized` then forward the request to the error401block
+error_page 401 = @error401;
+
+location @error401 {
+    # redirect to Vouch Proxy for login
+    return 302 https://vouch.armos.zinomedia.de/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
+}

volumes/snippets/enable-vouch.conf

@@ -0,0 +1,27 @@
+# send all requests to the `/validate` endpoint for authorization
+auth_request /validate;
+
+location = /validate {
+    internal;
+    proxy_pass "https://validate.vouch.armos.zinomedia.de/validate";
+
+    # Vouch Proxy only acts on the request headers
+    proxy_pass_request_body off;
+    proxy_set_header Content-Length "";
+
+    # optionally add X-Vouch-User as returned by Vouch Proxy along with the request
+    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
+
+    # these return values are used by the @error401 call
+    auth_request_set $auth_resp_jwt $upstream_http_x_vouch_jwt;
+    auth_request_set $auth_resp_err $upstream_http_x_vouch_err;
+    auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount;
+}
+
+# if validate returns `401 not authorized` then forward the request to the error401block
+error_page 401 = @error401;
+
+location @error401 {
+    # redirect to Vouch Proxy for login
+    return 302 https://vouch.armos.zinomedia.de/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
+}

volumes/snippets/registry-transfer-logging.conf

@@ -0,0 +1,78 @@
+log_format registry_json escape=json
+'{'
+'"timestamp":"$time_iso8601",'
+'"msec":"$msec",'
+'"remote_address":"$remote_addr",'
+'"remote_user":"$remote_user",'
+'"request_id":"$request_id",'
+'"method":"$request_method",'
+'"path":"$uri",'
+'"query_string":"$args",'
+'"http_version":"$server_protocol",'
+'"status":$status,'
+'"bytes_sent":$bytes_sent,'
+'"body_bytes_sent":$body_bytes_sent,'
+'"request_length":$request_length,'
+'"request_time":$request_time,'
+'"upstream_status":"$upstream_status",'
+'"upstream_time":"$upstream_response_time",'
+'"upstream_addr":"$upstream_addr",'
+'"referer":"$http_referer",'
+'"user_agent":"$http_user_agent",'
+'"x_forwarded_for":"$http_x_forwarded_for",'
+'"range":"$http_range",'
+'"content_range":"$sent_http_content_range",'
+'"content_length":"$sent_http_content_length",'
+'"etag":"$sent_http_etag",'
+'"docker_content_digest":"$sent_http_docker_content_digest",'
+'"arg_digest":"$arg_digest",'
+'"upstream_range":"$upstream_http_range",'
+'"docker_upload_uuid":"$upstream_http_docker_upload_uuid",'
+'"docker_distribution_api_version":"$docker_distribution_api_version",'
+'"transfer_direction":"$transfer_direction"'
+'}';
+
+map $body_bytes_sent $has_body_bytes_sent {
+    default 0;
+    ~^[1-9][0-9]*$ 1;
+}
+
+map "$request_method$uri" $is_blob_get {
+    default 0;
+    ~^GET/v2/.+/blobs/sha256:[a-f0-9]+$ 1;
+}
+
+map "$is_blob_get$has_body_bytes_sent" $is_pull_transfer {
+    default 0;
+    ~^11$ 1;
+}
+
+map $upstream_http_range $has_upstream_range {
+    default 0;
+    ~^[0-9]+-[0-9]+$ 1;
+}
+
+map "$request_method$uri" $is_upload_patch {
+    default 0;
+    ~^PATCH/v2/.+/blobs/uploads/[a-f0-9-]+$ 1;
+}
+
+map "$is_upload_patch$has_upstream_range" $is_push_transfer {
+    default 0;
+    ~^11$ 1;
+}
+
+map "$is_pull_transfer$is_push_transfer" $is_transfer_loggable {
+    default 0;
+    ~1 1;
+}
+
+map "$is_pull_transfer$is_push_transfer" $transfer_direction {
+    default "-";
+    "10" "pull";
+    "01" "push";
+}
+
+map $upstream_http_docker_distribution_api_version $docker_distribution_api_version {
+    '' 'registry/2.0';
+}

volumes/snippets/ssl-optimizations.conf

@@ -0,0 +1,5 @@
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_session_cache shared:SSL:50m;
+ssl_session_timeout 10m;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

volumes/snippets/wordpress-optimizations.conf

@@ -0,0 +1,19 @@
+location ~ /(\.user\.ini|debug\.log) {
+    deny all;
+}
+
+location = /favicon.ico {
+    log_not_found off;
+    access_log off;
+}
+
+location = /robots.txt {
+    allow all;
+    log_not_found off;
+    access_log off;
+}
+
+location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
+    expires max;
+    log_not_found off;
+}