a7ea91f529
Add a top-level `README.md` mapping the boxes and per-machine docs under `docs/boxes/` (grouped `colony/`, `home/`, `misc/`), one file per host, VM and container documenting role, services and networking with source pointers. Also point `AGENTS.md` at the new docs. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
3.3 KiB
# middleman
The front-end reverse proxy for all public colony web services — the single
ingress that estuary forwards HTTP/HTTPS to.
- Source: `shill/containers/middleman/` (`default.nix`, `vhosts.nix`)
- Host: NixOS container on `shill`
## Role
- nginx reverse proxy (`vhosts.nix` holds the per-service vhosts) with VTS stats, fancyindex, brotli, caching, and a dynamic resolver pointed at `estuary` so upstreams can be re-resolved at runtime. It is the single public ingress for almost every web service — colony, home, and beyond.
- ACME — issues the wildcard certificates that its own vhosts are served with (it is not a shared CA for the other boxes; `git`, `britway`, `kelder-spoder`, etc. each run their own ACME):
  - `nul.ie` / `*.nul.ie` (+ `*.s3.nul.ie`) via the Cloudflare DNS challenge,
  - the internal `ams1.int.nul.ie` / `*` via an `exec` challenge that calls `estuary`'s pdns over SSH.
  - As a one-off consumer, it then pushes the public cert to the `mail` (Mailcow) VM via `scp` + a remote `mailcow-ssl-reload`.
- nginx-sso — single-sign-on (`sso.nul.ie`) with Google OAuth and a simple username/password provider; protects the SSO-gated vhosts below.
- librespeed — speed-test frontend + backend (`librespeed.${domain}` / `speed.nul.ie`).
## Published vhosts
All under *.nul.ie with the wildcard cert unless noted. Upstreams are addressed
by their internal container/VM hostnames. "SSO" = gated behind nginx-sso.
| Host(s) | Upstream | Notes |
|---|---|---|
| `nul.ie` (default `_`) | static | landing page (CV, SSH pubkey) + Matrix/atproto `.well-known` |
| `sso.nul.ie` | nginx-sso | SSO endpoint |
| `pass.nul.ie` | `vaultwarden` | password manager |
| `matrix.nul.ie` (+ `:8448`) | `chatterbox` | Matrix client + federation |
| `element.nul.ie` | `element-web` | Matrix web client |
| `toot.nul.ie` | `toot` `:80` | Mastodon (currently disabled — see `toot.md`) |
| `pds.nul.ie` | `toot` `:3000` | Bluesky PDS |
| `jackflix.nul.ie` | `jackflix` Jellyfin | streaming |
| `torrents` / `jackett` / `radarr` / `sonarr` `.nul.ie` | `jackflix` | *arr stack (SSO) |
| `gib.nul.ie` | `jackflix` Jellyseerr | requests |
| `photos.nul.ie` | `jackflix` PhotoPrism | |
| `stuff` / `public` / `p.nul.ie` | `jackflix` copyparty + `/mnt/media` | file sharing / index |
| `share.nul.ie` | `object` `:9090` | |
| `minio` / `s3` / `*.s3.nul.ie` | `object` MinIO | S3 + console (Docker manifest MIME hack) |
| `nix-cache.nul.ie` | `object` Harmonia | Nix binary cache (immutable cache headers) |
| `md.nul.ie` / `pb.nul.ie` | `object` | HedgeDoc / wastebin |
| `mc-map` / `mc-rail` / `mc-map-kink` `.nul.ie` | `whale2` OCI | Minecraft maps |
| `netdata-colony.nul.ie` | many hosts `:19999` | netdata fan-out (SSO) |
| `pront.nul.ie` | `stream-hi` (home) | print/webcam (SSO) |
| `hass.nul.ie` | `hass` (home) | Home Assistant |
| `hass-john.nul.ie` | `john-valorant-tun` | remote HASS over WireGuard tunnel |
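To make the Role and vhost sections above concrete, here is an added NixOS fragment (not the repo's own `default.nix`/`vhosts.nix`) showing the three pieces they describe: a wildcard cert for `nul.ie` issued through the Cloudflare DNS-01 challenge, vhosts that reuse it via `useACMEHost` and proxy to upstreams by hostname through a runtime resolver, and one vhost gated behind nginx-sso with `auth_request`. The credentials path, the resolver address, the upstream ports, the nginx-sso listen address and the `/sso-auth` header names are assumptions for illustration, not values taken from the page.

```nix
# Added example (not the project's own config): the middleman pattern in NixOS terms.
{ config, lib, ... }:
let
  domain = "nul.ie";
in {
  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@example.invalid";  # placeholder address

    # One wildcard cert, shared by the vhosts below. Wildcards are only
    # obtainable with DNS-01, so lego talks to Cloudflare with a scoped API
    # token read from credentialsFile (kept out of the Nix store).
    certs.${domain} = {
      dnsProvider = "cloudflare";
      credentialsFile = "/run/secrets/cloudflare-dns.env";  # assumed path; contains CLOUDFLARE_DNS_API_TOKEN=...
      extraDomainNames = [ "*.${domain}" "*.s3.${domain}" ];
      reloadServices = [ "nginx" ];  # pick up the renewed cert without a restart
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    # Runtime resolver: nginx re-resolves upstream names instead of freezing
    # the address at startup, so a container that moves IP does not need a reload.
    resolver.addresses = [ "10.0.0.1" ];  # placeholder for estuary's address
    resolver.valid = "30s";

    virtualHosts = {
      # Plain proxied vhost on the wildcard cert.
      "pass.${domain}" = {
        useACMEHost = domain;
        forceSSL = true;
        locations."/".proxyPass = "http://vaultwarden:8080";  # assumed upstream port
      };

      # SSO-gated vhost: every request is checked by nginx-sso first; on 401
      # the browser is sent to the SSO login page and returned afterwards.
      "radarr.${domain}" = {
        useACMEHost = domain;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://jackflix:7878";  # assumed upstream port
          extraConfig = ''
            auth_request /sso-auth;
            error_page 401 = @sso_login;
          '';
        };
        # Internal subrequest to nginx-sso; the body is dropped and only the
        # original URI/host are forwarded so the auth decision is cheap.
        locations."/sso-auth" = {
          proxyPass = "http://127.0.0.1:8082/auth";  # assumed nginx-sso listen address
          extraConfig = ''
            internal;
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
            proxy_set_header X-Original-URI $request_uri;
            proxy_set_header X-Host $http_host;
          '';
        };
        locations."@sso_login".extraConfig = ''
          return 302 https://sso.${domain}/login?go=$scheme://$http_host$request_uri;
        '';
      };
    };
  };
}
```

The point to check when adding a vhost to a setup like this: any host listed as "(SSO)" in the table must carry the `auth_request` block, since a vhost that only sets `useACMEHost` gets the certificate but no authentication, and nothing else in the proxy will refuse the request.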
## Networking
- `internal` assignment on the `ctrs` network; bind-mounts `/mnt/media` for serving static/media content.
- nginx waits for `colony-psql` before starting (DNS bootstrap hack).