hosting: some config files for host: shadow, some named conf for

utility-101-shadow vm

docker-30/lab-proxy/nginx.conf

@@ -0,0 +1,46 @@
+# nginx.conf
+
+error_log /dev/stderr;
+
+http {
+
+    server {
+        listen 9080;
+
+	location / {
+        	proxy_pass http://192.168.0.35:80;
+                proxy_set_header Host $host;
+        }
+    }
+
+    log_format detailed '$remote_addr - [$time_local] '
+                        '"$request_method $host$request_uri" '
+                        '$status $body_bytes_sent '
+                        '"$http_referer" "$http_user_agent"';	
+
+    access_log /dev/stdout detailed;
+}
+
+stream {
+    # Stream doesn't log by default, enable explicitly:
+    log_format stream_log '$remote_addr [$time_local] '
+                          '$protocol $ssl_preread_server_name '
+                          '$status $bytes_sent $bytes_received $session_time';
+    
+    access_log /dev/stdout stream_log;
+
+    # Nginx ingress in kubernetes
+    server {
+        listen 9443;
+        proxy_pass 192.168.0.35:443;
+    }
+
+    # Gateway provided by cilium/envoy
+    server {
+        listen 9444;
+        proxy_pass 192.168.0.36:443;
+    }
+}
+
+
+events {}

docker-30/lab-proxy/run.sh

@@ -0,0 +1,9 @@
+docker rm -f lab-proxy || /usr/bin/true
+
+docker run -d --name lab-proxy \
+  --restart unless-stopped \
+  -v /srv/docker/lab-proxy/nginx.conf:/etc/nginx/nginx.conf:ro \
+  -p 9443:9443 \
+  -p 9444:9444 \
+  -p 9080:9080 \
+  nginx:alpine

docker-30/maru-hleda-byt/run.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+docker rm -f maru-hleda-byt
+
+# gitea registry login with kacerr / token
+docker run -d --name maru-hleda-byt \
+  -p 8080:8080 \
+  -v /srv/maru-hleda-byt/data:/app/data \
+  gitea.home.hrajfrisbee.cz/littlemeat/maru-hleda-byt:0.01

docker-30/nginx/001-gitea.conf

@@ -0,0 +1,22 @@
+server {
+    listen 443 ssl http2;
+    server_name gitea.home.hrajfrisbee.cz;
+
+    ssl_certificate /etc/letsencrypt/live/gitea.home.hrajfrisbee.cz/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/gitea.home.hrajfrisbee.cz/privkey.pem;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    location / {
+        proxy_pass http://192.168.0.30:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # Gitea Git over HTTP
+    client_max_body_size 512m;
+}

docker-30/nginx/002-jellyfin.conf

@@ -0,0 +1,35 @@
+server {
+    listen 443 ssl http2;
+    server_name jellyfin.home.hrajfrisbee.cz;
+
+    ssl_certificate /etc/letsencrypt/live/gitea.home.hrajfrisbee.cz/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/gitea.home.hrajfrisbee.cz/privkey.pem;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+
+    # Security headers for media streaming
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options "nosniff";
+
+    # Increase body size for high-res movie posters
+    client_max_body_size 20M;
+
+    location / {
+        # Proxy to your Synology or VM IP and Jellyfin port (default 8096)
+        proxy_pass http://192.168.0.2:8096;
+        
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+
+        # Disable buffering for smoother streaming
+        proxy_buffering off;
+    }
+}

docker-30/vault/vault-backup.sh

@@ -29,10 +29,10 @@ log "Backup size: ${BACKUP_SIZE} bytes"
 # --- Upload to MinIO ---
 log "Uploading to ${MC_ALIAS}/${S3_BUCKET}..."
 set -x
-mc cp --quiet "${BACKUP_FILE}" "${MC_ALIAS}/${S3_BUCKET}/vault-backup-${TIMESTAMP}.tar.gz"
+minio-cli cp --quiet "${BACKUP_FILE}" "${MC_ALIAS}/${S3_BUCKET}/vault-backup-${TIMESTAMP}.tar.gz"
 
 # --- Prune old backups ---
 log "Pruning backups older than ${RETENTION_DAYS} days..."
-mc rm --quiet --recursive --force --older-than "${RETENTION_DAYS}d" "${MC_ALIAS}/${S3_BUCKET}/"
+minio-cli rm --quiet --recursive --force --older-than "${RETENTION_DAYS}d" "${MC_ALIAS}/${S3_BUCKET}/"
 
 log "Backup complete: vault-backup-${TIMESTAMP}.tar.gz"

gitops/home-kubernetes/cilium/certificate_wildcard-lab-home-hrajfrisbee.yaml

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-lab-home-hrajfrisbee
+  namespace: kube-system
+spec:
+  secretName: wildcard-lab-home-hrajfrisbee-tls
+  issuerRef:
+    name: letsencrypt-prod-dns
+    kind: ClusterIssuer
+  dnsNames:
+    - "*.lab.home.hrajfrisbee.cz"

gitops/home-kubernetes/cilium/gateway.yaml

@@ -13,14 +13,15 @@ spec:
       allowedRoutes:
         namespaces:
           from: All
-    - name: https
+    - name: lab-home-hrajfrisbee-https-wildcard
+      hostname: "*.lab.home.hrajfrisbee.cz"
       port: 443
       protocol: HTTPS
-      allowedRoutes:
-        namespaces:
-          from: All
       tls:
         mode: Terminate
         certificateRefs:
           - kind: Secret
-            name: gateway-tls
+            name: wildcard-lab-home-hrajfrisbee-tls
+      allowedRoutes:
+        namespaces:
+          from: All

gitops/home-kubernetes/ghost-on-kubernetes/07-httproute-notls.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: ghost-on-kubernetes-redirect
+  namespace: ghost-on-kubernetes
+  labels:
+    app: ghost-on-kubernetes
+    app.kubernetes.io/name: ghost-on-kubernetes-httproute
+    app.kubernetes.io/instance: ghost-on-kubernetes
+    app.kubernetes.io/version: '6.0'
+    app.kubernetes.io/component: httproute
+    app.kubernetes.io/part-of: ghost-on-kubernetes
+spec:
+  parentRefs:
+    - name: cilium-gateway
+      namespace: kube-system
+      sectionName: http
+  hostnames:
+    - ghost.lab.home.hrajfrisbee.cz
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      filters:
+        - type: RequestRedirect
+          requestRedirect:
+            scheme: https
+            statusCode: 301

gitops/home-kubernetes/ghost-on-kubernetes/07-httproute.yaml

@@ -15,6 +15,7 @@ spec:
   parentRefs:
     - name: cilium-gateway
       namespace: kube-system
+      sectionName: lab-home-hrajfrisbee-https-wildcard
   hostnames:
     - ghost.lab.home.hrajfrisbee.cz
   rules:
@@ -24,4 +25,5 @@ spec:
             value: /
       backendRefs:
         - name: ghost-on-kubernetes-service
+          namespace: ghost-on-kubernetes
           port: 2368

gitops/home-kubernetes/ghost-on-kubernetes/07-ingress.yaml

@@ -25,7 +25,7 @@ spec:
     http:
       paths:
       - path: /
-        pathType: ImplementationSpecific
+        pathType: Prefix
         backend:
           service:
             name: ghost-on-kubernetes-service

shadow/iptables/rules.v4

@@ -0,0 +1,134 @@
+# Generated by iptables-save v1.8.10 (nf_tables) on Sun Nov 17 01:37:49 2024
+*mangle
+:PREROUTING ACCEPT [756:126788]
+:INPUT ACCEPT [715:122089]
+:FORWARD ACCEPT [40:4623]
+:OUTPUT ACCEPT [420:58795]
+:POSTROUTING ACCEPT [460:63418]
+:LIBVIRT_PRT - [0:0]
+-A POSTROUTING -j LIBVIRT_PRT
+-A LIBVIRT_PRT -o virbr100 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+COMMIT
+# Completed on Sun Nov 17 01:37:49 2024
+# Generated by iptables-save v1.8.10 (nf_tables) on Sun Nov 17 01:37:49 2024
+*filter
+:INPUT DROP [387:104781]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [42:5859]
+:DOCKER - [0:0]
+:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-USER - [0:0]
+:LIBVIRT_FWI - [0:0]
+:LIBVIRT_FWO - [0:0]
+:LIBVIRT_FWX - [0:0]
+:LIBVIRT_INP - [0:0]
+:LIBVIRT_OUT - [0:0]
+:f2b-sshd - [0:0]
+-A INPUT -j LIBVIRT_INP
+-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i virbr100 -j ACCEPT
+-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -i virbr0 -p udp -m udp --dport 5353 -j ACCEPT
+-A INPUT -i virbr0 -p tcp -m tcp --dport 5353 -j ACCEPT
+-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
+-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 1022 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 2022 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i eno1 -p tcp -m tcp --dport 53 -j ACCEPT
+-A FORWARD -i eno1 -p udp -m udp --dport 53 -j ACCEPT
+-A FORWARD -i eno1 -p tcp -m tcp --dport 5353 -j ACCEPT
+-A FORWARD -i eno1 -p udp -m udp --dport 5353 -j ACCEPT
+-A FORWARD -i eno1 -p udp -m udp --dport 51820 -j ACCEPT
+-A FORWARD -i eno1 -p udp -m udp --dport 1194 -j ACCEPT
+-A FORWARD -j DOCKER-USER
+-A FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -o docker0 -j DOCKER
+-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+-A FORWARD -i docker0 -o docker0 -j ACCEPT
+-A FORWARD -j LIBVIRT_FWX
+-A FORWARD -j LIBVIRT_FWI
+-A FORWARD -j LIBVIRT_FWO
+-A FORWARD -o br-8be00fb1442a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -o br-8be00fb1442a -j DOCKER
+-A FORWARD -i br-8be00fb1442a ! -o br-8be00fb1442a -j ACCEPT
+-A FORWARD -i br-8be00fb1442a -o br-8be00fb1442a -j ACCEPT
+-A FORWARD -d 192.168.123.141/32 -p tcp -m tcp --dport 80 -j ACCEPT
+-A OUTPUT -j LIBVIRT_OUT
+-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -o virbr100 -j ACCEPT
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
+-A DOCKER-ISOLATION-STAGE-1 -i br-8be00fb1442a ! -o br-8be00fb1442a -j DOCKER-ISOLATION-STAGE-2
+-A DOCKER-ISOLATION-STAGE-1 -j RETURN
+-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
+-A DOCKER-ISOLATION-STAGE-2 -o br-8be00fb1442a -j DROP
+-A DOCKER-ISOLATION-STAGE-2 -j RETURN
+-A DOCKER-USER -j RETURN
+-A LIBVIRT_FWI -d 192.168.123.0/24 -o virbr100 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A LIBVIRT_FWI -o virbr100 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWO -s 192.168.123.0/24 -i virbr100 -j ACCEPT
+-A LIBVIRT_FWO -i virbr100 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
+-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWX -i virbr100 -o virbr100 -j ACCEPT
+-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
+-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
+-A LIBVIRT_INP -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -p udp -m udp --dport 5353 -j ACCEPT
+-A LIBVIRT_INP -p tcp -m tcp --dport 5353 -j ACCEPT
+-A LIBVIRT_INP -p udp -m udp --dport 67 -j ACCEPT
+-A LIBVIRT_INP -p tcp -m tcp --dport 67 -j ACCEPT
+-A LIBVIRT_OUT -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -p udp -m udp --dport 5353 -j ACCEPT
+-A LIBVIRT_OUT -p tcp -m tcp --dport 5353 -j ACCEPT
+-A LIBVIRT_OUT -p udp -m udp --dport 68 -j ACCEPT
+-A LIBVIRT_OUT -p tcp -m tcp --dport 68 -j ACCEPT
+-A f2b-sshd -j RETURN
+COMMIT
+# Completed on Sun Nov 17 01:37:49 2024
+# Generated by iptables-save v1.8.10 (nf_tables) on Sun Nov 17 01:37:49 2024
+*nat
+:PREROUTING ACCEPT [409:105569]
+:INPUT ACCEPT [22:1288]
+:OUTPUT ACCEPT [1:76]
+:POSTROUTING ACCEPT [12:818]
+:DOCKER - [0:0]
+:LIBVIRT_PRT - [0:0]
+-A PREROUTING -i eno1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.123.101:53
+-A PREROUTING -i eno1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.123.101:53
+-A PREROUTING -i eno1 -p tcp -m tcp --dport 5353 -j DNAT --to-destination 192.168.123.101:53
+-A PREROUTING -i eno1 -p udp -m udp --dport 5353 -j DNAT --to-destination 192.168.123.101:53
+-A PREROUTING -i eno1 -p udp -m udp --dport 51820 -j DNAT --to-destination 192.168.123.101:51820
+-A PREROUTING -i eno1 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.123.101:1194
+-A PREROUTING -i eno1 -p tcp -m tcp --dport 21080 -j DNAT --to-destination 192.168.123.141:80
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
+-A POSTROUTING -j LIBVIRT_PRT
+-A POSTROUTING -s 172.18.0.0/16 ! -o br-8be00fb1442a -j MASQUERADE
+-A DOCKER -i docker0 -j RETURN
+-A DOCKER -i br-8be00fb1442a -j RETURN
+-A LIBVIRT_PRT -s 192.168.123.0/24 -d 224.0.0.0/24 -j RETURN
+-A LIBVIRT_PRT -s 192.168.123.0/24 -d 255.255.255.255/32 -j RETURN
+-A LIBVIRT_PRT -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
+COMMIT
+# Completed on Sun Nov 17 01:37:49 2024

shadow/iptables/rules.v4.backup

@@ -0,0 +1,248 @@
+# Generated by iptables-save v1.8.10 (nf_tables) on Sun Nov 17 01:37:49 2024
+*mangle
+:PREROUTING ACCEPT [756:126788]
+:INPUT ACCEPT [715:122089]
+:FORWARD ACCEPT [40:4623]
+:OUTPUT ACCEPT [420:58795]
+:POSTROUTING ACCEPT [460:63418]
+:LIBVIRT_PRT - [0:0]
+-A POSTROUTING -j LIBVIRT_PRT
+-A POSTROUTING -o virbr100 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+-A POSTROUTING -o virbr100 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+-A POSTROUTING -o virbr100 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+-A POSTROUTING -o virbr100 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+-A LIBVIRT_PRT -o virbr100 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+COMMIT
+# Completed on Sun Nov 17 01:37:49 2024
+# Generated by iptables-save v1.8.10 (nf_tables) on Sun Nov 17 01:37:49 2024
+*filter
+:INPUT DROP [387:104781]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [42:5859]
+:DOCKER - [0:0]
+:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-USER - [0:0]
+:LIBVIRT_FWI - [0:0]
+:LIBVIRT_FWO - [0:0]
+:LIBVIRT_FWX - [0:0]
+:LIBVIRT_INP - [0:0]
+:LIBVIRT_OUT - [0:0]
+:f2b-sshd - [0:0]
+-A INPUT -j LIBVIRT_INP
+-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
+-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
+-A INPUT -i virbr100 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i virbr100 -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -i virbr100 -p udp -m udp --dport 67 -j ACCEPT
+-A INPUT -i virbr100 -p tcp -m tcp --dport 67 -j ACCEPT
+-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
+-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
+-A INPUT -i virbr100 -j ACCEPT
+-A INPUT -i virbr100 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i virbr100 -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -i virbr100 -p udp -m udp --dport 67 -j ACCEPT
+-A INPUT -i virbr100 -p tcp -m tcp --dport 67 -j ACCEPT
+-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
+-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
+-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
+-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 1022 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 2022 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i virbr100 -j ACCEPT
+-A FORWARD -i eno1 -p tcp -m tcp --dport 53 -j ACCEPT
+-A FORWARD -i eno1 -p udp -m udp --dport 53 -j ACCEPT
+-A FORWARD -i eno1 -p udp -m udp --dport 51820 -j ACCEPT
+-A FORWARD -j DOCKER-USER
+-A FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -o docker0 -j DOCKER
+-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+-A FORWARD -i docker0 -o docker0 -j ACCEPT
+-A FORWARD -j LIBVIRT_FWX
+-A FORWARD -j LIBVIRT_FWI
+-A FORWARD -j LIBVIRT_FWO
+-A FORWARD -i eno1 -p tcp -m tcp --dport 53 -j ACCEPT
+-A FORWARD -i eno1 -p udp -m udp --dport 53 -j ACCEPT
+-A FORWARD -d 192.168.123.0/24 -o virbr100 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -s 192.168.123.0/24 -i virbr100 -j ACCEPT
+-A FORWARD -i virbr100 -o virbr100 -j ACCEPT
+-A FORWARD -o virbr100 -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -i virbr100 -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
+-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
+-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -i eno1 -p udp -m udp --dport 1194 -j ACCEPT
+-A FORWARD -i eno1 -p tcp -m tcp --dport 53 -j ACCEPT
+-A FORWARD -i eno1 -p udp -m udp --dport 53 -j ACCEPT
+-A FORWARD -d 192.168.123.0/24 -o virbr100 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -s 192.168.123.0/24 -i virbr100 -j ACCEPT
+-A FORWARD -i virbr100 -o virbr100 -j ACCEPT
+-A FORWARD -o virbr100 -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -i virbr100 -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
+-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
+-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -o br-8be00fb1442a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -o br-8be00fb1442a -j DOCKER
+-A FORWARD -i br-8be00fb1442a ! -o br-8be00fb1442a -j ACCEPT
+-A FORWARD -i br-8be00fb1442a -o br-8be00fb1442a -j ACCEPT
+-A FORWARD -d 192.168.123.141/32 -p tcp -m tcp --dport 80 -j ACCEPT
+-A OUTPUT -j LIBVIRT_OUT
+-A OUTPUT -o virbr100 -p udp -m udp --dport 68 -j ACCEPT
+-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
+-A OUTPUT -o virbr100 -p udp -m udp --dport 68 -j ACCEPT
+-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
+-A OUTPUT -o virbr100 -p udp -m udp --dport 68 -j ACCEPT
+-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
+-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
+-A OUTPUT -o virbr100 -p udp -m udp --dport 68 -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -o virbr100 -j ACCEPT
+-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -o virbr100 -j ACCEPT
+-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
+-A DOCKER-ISOLATION-STAGE-1 -i br-8be00fb1442a ! -o br-8be00fb1442a -j DOCKER-ISOLATION-STAGE-2
+-A DOCKER-ISOLATION-STAGE-1 -j RETURN
+-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
+-A DOCKER-ISOLATION-STAGE-2 -o br-8be00fb1442a -j DROP
+-A DOCKER-ISOLATION-STAGE-2 -j RETURN
+-A DOCKER-USER -j RETURN
+-A LIBVIRT_FWI -d 192.168.123.0/24 -o virbr100 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A LIBVIRT_FWI -o virbr100 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWI -o virbr1 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWO -s 192.168.123.0/24 -i virbr100 -j ACCEPT
+-A LIBVIRT_FWO -i virbr100 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWO -i virbr1 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
+-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
+-A LIBVIRT_FWX -i virbr100 -o virbr100 -j ACCEPT
+-A LIBVIRT_FWX -i virbr1 -o virbr1 -j ACCEPT
+-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
+-A LIBVIRT_INP -i virbr100 -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -i virbr100 -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -i virbr100 -p udp -m udp --dport 67 -j ACCEPT
+-A LIBVIRT_INP -i virbr100 -p tcp -m tcp --dport 67 -j ACCEPT
+-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -i virbr1 -p udp -m udp --dport 67 -j ACCEPT
+-A LIBVIRT_INP -i virbr1 -p tcp -m tcp --dport 67 -j ACCEPT
+-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
+-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
+-A LIBVIRT_OUT -o virbr100 -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -o virbr100 -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -o virbr100 -p udp -m udp --dport 68 -j ACCEPT
+-A LIBVIRT_OUT -o virbr100 -p tcp -m tcp --dport 68 -j ACCEPT
+-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -o virbr1 -p udp -m udp --dport 68 -j ACCEPT
+-A LIBVIRT_OUT -o virbr1 -p tcp -m tcp --dport 68 -j ACCEPT
+-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
+-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
+-A f2b-sshd -s 222.187.254.41/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 207.46.227.197/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 125.77.23.30/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 222.186.175.216/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 94.200.202.26/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 103.80.36.218/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 62.234.126.132/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 106.52.248.175/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 104.248.5.69/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 129.211.49.227/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 112.85.42.176/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 222.186.15.62/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 222.186.30.112/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 222.186.175.167/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 222.186.52.39/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 207.154.215.119/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 36.91.76.171/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 134.175.19.71/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 144.217.243.216/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 210.206.92.137/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 222.186.30.76/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 49.51.90.173/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -s 222.186.190.2/32 -j REJECT --reject-with icmp-port-unreachable
+-A f2b-sshd -j RETURN
+-A f2b-sshd -j RETURN
+-A f2b-sshd -j RETURN
+-A f2b-sshd -j RETURN
+COMMIT
+# Completed on Sun Nov 17 01:37:49 2024
+# Generated by iptables-save v1.8.10 (nf_tables) on Sun Nov 17 01:37:49 2024
+*nat
+:PREROUTING ACCEPT [409:105569]
+:INPUT ACCEPT [22:1288]
+:OUTPUT ACCEPT [1:76]
+:POSTROUTING ACCEPT [12:818]
+:DOCKER - [0:0]
+:LIBVIRT_PRT - [0:0]
+-A PREROUTING -i eno1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.123.101:53
+-A PREROUTING -i eno1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.123.101:53
+-A PREROUTING -i eno1 -p udp -m udp --dport 51820 -j DNAT --to-destination 192.168.123.101:51820
+-A PREROUTING -i eno1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.123.101:53
+-A PREROUTING -i eno1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.123.101:53
+-A PREROUTING -i eno1 -p udp -m udp --dport 1194 -j DNAT --to-destination 192.168.123.101:1194
+-A PREROUTING -i eno1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.123.101:53
+-A PREROUTING -i eno1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.123.101:53
+-A PREROUTING -i eno1 -p tcp -m tcp --dport 21080 -j DNAT --to-destination 192.168.123.141:80
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
+-A POSTROUTING -j LIBVIRT_PRT
+-A POSTROUTING -s 192.168.123.0/24 -d 224.0.0.0/24 -j RETURN
+-A POSTROUTING -s 192.168.123.0/24 -d 255.255.255.255/32 -j RETURN
+-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
+-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
+-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
+-A POSTROUTING -s 192.168.123.0/24 -d 224.0.0.0/24 -j RETURN
+-A POSTROUTING -s 192.168.123.0/24 -d 255.255.255.255/32 -j RETURN
+-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
+-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
+-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
+-A POSTROUTING -s 172.18.0.0/16 ! -o br-8be00fb1442a -j MASQUERADE
+-A POSTROUTING -s 192.168.123.0/24 -d 224.0.0.0/24 -j RETURN
+-A POSTROUTING -s 192.168.123.0/24 -d 255.255.255.255/32 -j RETURN
+-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
+-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
+-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
+-A POSTROUTING -s 192.168.123.0/24 -d 224.0.0.0/24 -j RETURN
+-A POSTROUTING -s 192.168.123.0/24 -d 255.255.255.255/32 -j RETURN
+-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
+-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
+-A POSTROUTING -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
+-A DOCKER -i docker0 -j RETURN
+-A DOCKER -i br-8be00fb1442a -j RETURN
+-A LIBVIRT_PRT -s 192.168.123.0/24 -d 224.0.0.0/24 -j RETURN
+-A LIBVIRT_PRT -s 192.168.123.0/24 -d 255.255.255.255/32 -j RETURN
+-A LIBVIRT_PRT -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s 192.168.123.0/24 ! -d 192.168.123.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
+-A LIBVIRT_PRT -s 192.168.123.0/24 ! -d 192.168.123.0/24 -j MASQUERADE
+COMMIT
+# Completed on Sun Nov 17 01:37:49 2024

shadow/nginx-sites-enabled-default

@@ -212,6 +212,88 @@ server {
     return 404; # managed by Certbot
 }
 
+server {
+    server_name jellyfin.home.hrajfrisbee.cz; # managed by Certbot
+
+
+    # Security headers for media streaming
+    add_header X-Frame-Options "SAMEORIGIN";
+    add_header X-XSS-Protection "1; mode=block";
+    add_header X-Content-Type-Options "nosniff";
+
+    # Increase body size for high-res movie posters
+    client_max_body_size 20M;
+
+    location / {
+        # Proxy to your Synology or VM IP and Jellyfin port (default 8096)
+        proxy_pass https://docker-30:443;
+        
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Protocol $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+
+        # Disable buffering for smoother streaming
+        proxy_buffering off;
+    }
+
+    listen 8443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/jellyfin.home.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/jellyfin.home.hrajfrisbee.cz/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+    if ($host = jellyfin.home.hrajfrisbee.cz) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+        listen 80 ;
+    server_name jellyfin.home.hrajfrisbee.cz;
+    return 404; # managed by Certbot
+
+
+}
+
+
+server {
+
+	root /srv/webs/random-shit;
+	server_name random-shit.hrajfrisbee.cz; # managed by Certbot
+	
+	# Enable directory browsing
+	autoindex on;
+
+	# Optional: Show file sizes in MB/GB instead of bytes
+	autoindex_exact_size off;
+
+	# Optional: Show file timestamps in your local server time
+	autoindex_localtime on;
+	
+	# Optional: Choose format (html, xml, json, or jsonp)
+	autoindex_format html;
+
+
+    listen 8443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/random-shit.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/random-shit.hrajfrisbee.cz/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+    if ($host = random-shit.hrajfrisbee.cz) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+	listen 80 ;
+    server_name random-shit.hrajfrisbee.cz;
+    return 404; # managed by Certbot
+}
 
 server {
 
@@ -240,8 +322,8 @@ server {
     ssl_certificate_key /etc/letsencrypt/live/vault.hrajfrisbee.cz/privkey.pem; # managed by Certbot
     include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
     ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
 }
+
 server {
     if ($host = vault.hrajfrisbee.cz) {
         return 301 https://$host$request_uri;
@@ -250,6 +332,32 @@ server {
 	listen 80 ;
     server_name vault.hrajfrisbee.cz;
     return 404; # managed by Certbot
-
-
+}
+
+server {
+    server_name maru-hleda-byt.home.hrajfrisbee.cz; # managed by Certbot
+
+	location / {
+		proxy_pass http://docker-30:8080;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+	}
+
+    listen 8443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/maru-hleda-byt.home.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/maru-hleda-byt.home.hrajfrisbee.cz/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+    if ($host = maru-hleda-byt.home.hrajfrisbee.cz) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+	listen 80 ;
+    server_name maru-hleda-byt.home.hrajfrisbee.cz;
+    return 404; # managed by Certbot
 }

shadow/nginx.conf

@@ -64,7 +64,10 @@ http {
 stream {
     map $ssl_preread_server_name $backend {
         # Passthrough to K8s
+		ghost.lab.home.hrajfrisbee.cz   k8s_gatewayapi;
+
         ~^.+\.lab\.home\.hrajfrisbee\.cz$    k8s_ingress;
+        lab\.home\.hrajfrisbee\.cz$    		 k8s_ingress;
 
         default                               local_https;
     }
@@ -73,6 +76,10 @@ stream {
         server docker-30:9443;
     }
 
+    upstream k8s_gatewayapi {
+        server docker-30:9444;
+    }
+
     upstream local_https {
         server 127.0.0.1:8443;  # Loop back to http block
     }

vms/utility-101-shadow/named.conf.local

@@ -0,0 +1,54 @@
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+
+key "acme-update-key" {
+	algorithm hmac-sha512;
+	secret "T6R1TpLGegHwFWO/I1LwtdGePRD+w00Oe4mJECW7qfheKJ/7FxlINH+Yk2vMvJCVNojj8BWoFAyEFCwGBpGROQ==";
+};
+
+zone "czechultimate.cz" {
+        type master;
+        file "/etc/bind/zones/czechultimate.cz.dns";
+        inline-signing yes;
+        auto-dnssec maintain;
+        key-directory "/etc/bind/keys";
+        allow-transfer {87.236.197.83; 89.187.144.180; 87.236.196.85; };
+        also-notify {87.236.197.83; 89.187.144.180; 87.236.196.85; };
+};
+
+zone "hrajfrisbee.cz" {
+        type master;
+        file "/etc/bind/zones/hrajfrisbee.cz.dns";
+        allow-transfer {87.236.197.83; 89.187.144.180; 87.236.196.85; };
+        also-notify {87.236.197.83; 89.187.144.180; 87.236.196.85; };
+
+        update-policy {
+            // Allow ACME challenges only for lab.home subdomain
+            grant acme-update-key name _acme-challenge.lab.home.hrajfrisbee.cz. TXT;
+
+            // If you need wildcards under lab.home (e.g. _acme-challenge.foo.lab.home.hrajfrisbee.cz):
+            grant acme-update-key subdomain _acme-challenge.lab.home.hrajfrisbee.cz. TXT;
+        };        
+};
+
+// points at zlutazimnice nameservers @nic.cz - cannot be working
+zone "fraktalbar.cz" {
+        type master;
+        file "/etc/bind/zones/fraktalbar.cz.dns";
+        allow-transfer {87.236.197.83; 89.187.144.180; 87.236.196.85; };
+        also-notify {87.236.197.83; 89.187.144.180; 87.236.196.85; };
+};
+
+// points at zlutazimnice nameservers @nic.cz - cannot be working
+zone "vegtral.cz" {
+        type master;
+        file "/etc/bind/zones/vegtral.cz.dns";
+        allow-transfer {87.236.197.83; 89.187.144.180; 87.236.196.85; };
+        also-notify {87.236.197.83; 89.187.144.180; 87.236.196.85; };
+};
+

vms/utility-101-shadow/readme.md

@@ -0,0 +1,7 @@
+## named tweaks
+
+1. Generate TSIG key
+
+```bash
+tsig-keygen -a hmac-sha512 acme-update-key
+```