zet.home.arpa: document all services and SSL/nginx setup

- Server overview (README.md) with services, storage, and network summary - Storage layout with disk/fstab/mount details (storage.md) - Service docs: Samba, NFS, Squid, Pi-hole (with DHCP/split-DNS notes) - Let's Encrypt cert via acme.sh + GoDaddy DNS-01 (ssl/) - nginx SSL reverse proxy config and virtual host guide (nginx/) - Pi-hole moved to port 8081; split DNS overrides documented for both Pi-hole and pfSense Unbound to avoid hairpin NAT issues Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19 14:37:04 +00:00
parent 060219d161
commit 7c4c786e7b
10 changed files with 948 additions and 0 deletions
--- a/zet.home.arpa/nginx/kenjim.conf
+++ b/zet.home.arpa/nginx/kenjim.conf
@@ -0,0 +1,99 @@
+# /etc/nginx/sites-available/kenjim.conf
+#
+# SSL reverse proxy for kenjim.com subdomains.
+# Certificate managed by acme.sh (DNS-01 via GoDaddy).
+# Cert path: /etc/nginx/ssl/kenjim.com/
+
+# Redirect all HTTP to HTTPS
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    return 301 https://$host$request_uri;
+}
+
+# Drop requests for unknown hostnames at SSL level (no response)
+server {
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+
+    ssl_certificate     /etc/nginx/ssl/kenjim.com/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/kenjim.com/key.pem;
+
+    return 444;
+}
+
+# Gitea — git.kenjim.com
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name git.kenjim.com;
+
+    ssl_certificate     /etc/nginx/ssl/kenjim.com/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/kenjim.com/key.pem;
+
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+    # Gitea runs directly on the host (systemd), not in Docker
+    location / {
+        proxy_pass         http://127.0.0.1:3000;
+        proxy_set_header   Host              $host;
+        proxy_set_header   X-Real-IP         $remote_addr;
+        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+    }
+}
+
+# www.kenjim.com — update proxy_pass when container is running
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name www.kenjim.com;
+
+    ssl_certificate     /etc/nginx/ssl/kenjim.com/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/kenjim.com/key.pem;
+
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+    location / {
+        proxy_pass         http://127.0.0.1:8080;  # update port to match container
+        proxy_set_header   Host              $host;
+        proxy_set_header   X-Real-IP         $remote_addr;
+        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+    }
+}
+
+# kenji.kenjim.com — update proxy_pass when container is running
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name kenji.kenjim.com;
+
+    ssl_certificate     /etc/nginx/ssl/kenjim.com/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/kenjim.com/key.pem;
+
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+    location / {
+        proxy_pass         http://127.0.0.1:8082;  # update port to match container
+        proxy_set_header   Host              $host;
+        proxy_set_header   X-Real-IP         $remote_addr;
+        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+    }
+}
+
+# gt.kenjim.com — CNAME pointing elsewhere; reject cleanly if it lands here
+server {
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    server_name gt.kenjim.com;
+
+    ssl_certificate     /etc/nginx/ssl/kenjim.com/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/kenjim.com/key.pem;
+
+    return 444;
+}