- Server overview (README.md) with services, storage, and network summary
- Storage layout with disk/fstab/mount details (storage.md)
- Service docs: Samba, NFS, Squid, Pi-hole (with DHCP/split-DNS notes)
- Let's Encrypt cert via acme.sh + GoDaddy DNS-01 (ssl/)
- nginx SSL reverse proxy config and virtual host guide (nginx/)
- Pi-hole moved to port 8081; split DNS overrides documented for both Pi-hole and pfSense Unbound to avoid hairpin NAT issues

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
nginx — zet.home.arpa
SSL-terminating reverse proxy. Handles all inbound HTTPS traffic and routes to backend services by hostname.
Overview
| Field | Value |
|---|---|
| Package | nginx (Ubuntu apt) |
| Config | /etc/nginx/sites-available/kenjim.conf |
| SSL cert | /etc/nginx/ssl/kenjim.com/ (managed by acme.sh) |
| Ports | 80/tcp (HTTP→HTTPS redirect), 443/tcp (HTTPS) |
| Service | nginx.service (systemd, enabled) |
Architecture

```text
Internet → pfSense NAT (80,443) → nginx on 172.27.0.35
                                          │
                                 ┌────────┴─────────┐
                          git.kenjim.com         (future)
                                 │
                             Gitea :3000
```
LAN clients resolve *.kenjim.com subdomains directly to 172.27.0.35 via split DNS (Pi-hole + pfSense Unbound host overrides), avoiding hairpin NAT through pfSense's WAN interface.
Virtual Hosts

| Hostname | Backend | Notes |
|---|---|---|
| git.kenjim.com | http://127.0.0.1:3000 | Gitea (systemd service) |
| www.kenjim.com | http://127.0.0.1:8080 | Update port when container is running |
| kenji.kenjim.com | http://127.0.0.1:8082 | Update port when container is running |
| gt.kenjim.com | — | Returns 444 (CNAME points elsewhere) |
| default (unknown host) | — | Returns 444 (drops connection) |
Config File
Location: /etc/nginx/sites-available/kenjim.conf
Repo copy: kenjim.conf
To add a new Docker container backend, add a new server {} block following the existing pattern and update the proxy_pass port to match the container's host port mapping.
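The virtual host table lists two behaviours besides proxying: the HTTP→HTTPS redirect on port 80 and the 444 catch-all for unknown hostnames. Neither block is reproduced on this page, so the following is an added illustration of how they are typically written in nginx, not a copy of the repo's kenjim.conf. Hostnames and the cert path are the ones documented above; the `ssl_reject_handshake` directive is an nginx 1.19.4+ feature and the dummy cert paths in the comments are placeholders.

```nginx
# Added illustration; not the repo's kenjim.conf.

# Port 80: only ever redirect to HTTPS. $host keeps one block serving every
# published hostname; unknown hosts never reach it because the catch-all
# below is the default_server for port 80 as well.
server {
    listen 80;
    listen [::]:80;
    server_name git.kenjim.com www.kenjim.com kenji.kenjim.com;
    return 301 https://$host$request_uri;
}

# Catch-all: any Host header / SNI not matched by a named server block.
# 444 is nginx-specific: close the connection without sending a response,
# so IP-based scanners get nothing, not even a redirect or a 404.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # nginx >= 1.19.4: refuse the TLS handshake for unknown/absent SNI so the
    # real certificate (and its SAN list of hostnames) is never handed to
    # whoever connects by raw IP. No ssl_certificate is needed in this block.
    ssl_reject_handshake on;

    # On older nginx (Ubuntu 22.04 ships 1.18.0) ssl_reject_handshake does not
    # exist and a "listen 443 ssl" default_server must load a certificate or
    # nginx refuses to start. Use a throwaway self-signed pair there, never
    # the real one (placeholder paths, assumption):
    # ssl_certificate     /etc/nginx/ssl/dummy/fullchain.pem;
    # ssl_certificate_key /etc/nginx/ssl/dummy/key.pem;

    return 444;
}
```

The gt.kenjim.com entry in the table is the same `return 444` in a block with an explicit `server_name gt.kenjim.com;` and the real certificate. To verify from a LAN host: `curl -kI https://172.27.0.35` (no SNI) should fail at the TLS handshake rather than return a page, while `curl -I -H 'Host: git.kenjim.com' http://172.27.0.35` should return a 301 to the https:// URL.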
SSL Certificate
Certificate is managed by acme.sh — see ../ssl/.
| File | Path |
|---|---|
| Full chain | /etc/nginx/ssl/kenjim.com/fullchain.pem |
| Private key | /etc/nginx/ssl/kenjim.com/key.pem |
Directory: owned by kenjim:www-data, mode 750.
Sudoers rule at /etc/sudoers.d/acme-nginx-reload lets the account acme.sh runs as reload nginx without a password after a renewal. Keep it scoped to that single command (`systemctl reload nginx`); a passwordless rule for all of systemctl would let a compromised acme.sh or renewal hook stop, start or restart any unit on the host.
Service Management
```bash
sudo systemctl status nginx    # service state and recent log lines
sudo systemctl reload nginx    # reload config (no downtime)
sudo systemctl restart nginx   # full restart
sudo nginx -t                  # test config syntax before applying
```
pfSense NAT Rules
| WAN Port | Redirect to | Port | Description |
|---|---|---|---|
| 80/tcp | 172.27.0.35 | 80 | HTTP → nginx (redirects to HTTPS) |
| 443/tcp | 172.27.0.35 | 443 | HTTPS → nginx |
Adding a New Docker Container

- Start the container with a host port mapping, e.g. `-p 8083:80`. Bind the published port to loopback (`-p 127.0.0.1:8083:80`) if possible: Docker otherwise publishes it on every interface, so LAN clients could reach the container over plain HTTP and bypass nginx and TLS entirely.
- Add a server block to /etc/nginx/sites-available/kenjim.conf:

  ```nginx
  server {
      listen 443 ssl;
      listen [::]:443 ssl;
      server_name newservice.kenjim.com;

      # Shared cert for all vhosts; the new hostname must be in its SAN list (see ../ssl/).
      ssl_certificate /etc/nginx/ssl/kenjim.com/fullchain.pem;
      ssl_certificate_key /etc/nginx/ssl/kenjim.com/key.pem;
      ssl_protocols TLSv1.2 TLSv1.3;
      ssl_ciphers HIGH:!aNULL:!MD5;

      location / {
          # Container's host-mapped port; plain HTTP, loopback only.
          proxy_pass http://127.0.0.1:8083;
          # Pass the original hostname and client address to the backend, and
          # tell it the client connection was HTTPS so it builds https:// links
          # and marks cookies Secure.
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
      }
  }
  ```

- Add the hostname to the cert's SAN list if it is not already covered (see ../ssl/); until the cert is reissued, browsers will show a name-mismatch error for the new host.
- Add a CNAME in GoDaddy: newservice → lair.kenjim.com
- Add split DNS overrides in Pi-hole and pfSense Unbound pointing the new hostname at 172.27.0.35
- Test and reload:

  ```bash
  sudo nginx -t && sudo systemctl reload nginx
  ```
Migration Notes

To move nginx to a new server:

- Install the package: `sudo apt install nginx`
- Copy /etc/nginx/sites-available/kenjim.conf and symlink it into /etc/nginx/sites-enabled/
- Copy /etc/nginx/ssl/kenjim.com/ (cert files), preserving the kenjim:www-data ownership and mode 750
- Copy /etc/sudoers.d/acme-nginx-reload; it must stay root-owned with mode 0440 or sudo will refuse to load it
- Re-run `acme.sh --install-cert` to wire up the renewal hook (cert/key paths and reload command) on the new host
- Update pfSense NAT rules to point to the new host IP
- Update split DNS overrides to the new host IP