resolvers incus nameserver incus 10.10.10.1:53 # Maximum size of a DNS answer allowed, in bytes accepted_payload_size 512 # Whether to add nameservers found in /etc/resolv.conf parse-resolv-conf # How long to "hold" a backend server's up/down status depending on the name resolution status. # For example, if an NXDOMAIN response is returned, keep the backend server in its current state (up) for # at least another 30 seconds before marking it as down due to DNS not having a record for it. hold valid 10s hold other 30s hold refused 30s hold nx 30s hold timeout 30s hold obsolete 30s # How many times to retry a query resolve_retries 3 # How long to wait between retries when no valid response has been received timeout retry 1s # How long to wait for a successful resolution timeout resolve 1s # Backends backend default tcp-request content reject backend letsencrypt server certbot 127.0.0.1:8899 backend laminar # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # add some Security headers http-response set-header X-Frame-Options "SAMEORIGIN" http-response set-header X-Content-Type-Options "nosniff" http-response set-header Referrer-Policy "strict-origin-when-cross-origin" http-response set-header Cross-Origin-Resource-Policy "cross-origin" http-response set-header Cache-Control max-age=31536000 server laminar laminar.incus:8080 check resolvers incus init-addr last,libc,none backend forgejo # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # add some Security headers http-response set-header X-Frame-Options "SAMEORIGIN" http-response set-header X-Content-Type-Options "nosniff" http-response set-header Referrer-Policy "strict-origin-when-cross-origin" http-response set-header Cross-Origin-Resource-Policy "same-origin" server forgejo forgejo.incus:3000 check resolvers incus init-addr last,libc,none backend mastodon # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # add some Security headers http-response set-header X-Frame-Options "SAMEORIGIN" http-response set-header X-Content-Type-Options "nosniff" http-response set-header Referrer-Policy "strict-origin-when-cross-origin" http-response set-header Cross-Origin-Resource-Policy "same-origin" server mastodon mastodon2.incus:80 send-proxy check resolvers incus init-addr last,libc,none backend linkding # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # add some Security headers http-response set-header X-Frame-Options "SAMEORIGIN" http-response set-header X-Content-Type-Options "nosniff" http-response set-header Referrer-Policy "strict-origin-when-cross-origin" http-response set-header Cross-Origin-Resource-Policy "same-origin" server linkding linkding.incus:9090 check resolvers incus init-addr last,libc,none backend archive # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # add some Security headers http-response set-header X-Frame-Options "SAMEORIGIN" http-response set-header X-Content-Type-Options "nosniff" http-response set-header Referrer-Policy "strict-origin-when-cross-origin" http-response set-header Cross-Origin-Resource-Policy "same-origin" http-response set-header Cache-Control max-age=31536000 server archive archive.incus:80 check resolvers incus init-addr last,libc,none backend adguard # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # add some Security headers http-response set-header X-Frame-Options "SAMEORIGIN" http-response set-header X-Content-Type-Options "nosniff" http-response set-header Referrer-Policy "strict-origin-when-cross-origin" http-response set-header Cross-Origin-Resource-Policy "same-origin" server adguard adguard.incus:443 check ssl verify none resolvers incus init-addr last,libc,none backend vaultwarden # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # add some Security headers http-response set-header X-Frame-Options "SAMEORIGIN" http-response set-header X-Content-Type-Options "nosniff" http-response set-header Referrer-Policy "strict-origin-when-cross-origin" http-response set-header Cross-Origin-Resource-Policy "same-origin" server vaultwarden vaultwarden.incus:80 check resolvers incus init-addr last,libc,none backend kanboard # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # add some Security headers http-response set-header X-Frame-Options "SAMEORIGIN" http-response set-header X-Content-Type-Options "nosniff" http-response set-header Referrer-Policy "strict-origin-when-cross-origin" http-response set-header Cross-Origin-Resource-Policy "same-origin" server kanboard kanboard.incus:80 check resolvers incus init-addr last,libc,none backend photoprism # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # add some Security headers http-response set-header X-Frame-Options "SAMEORIGIN" http-response set-header X-Content-Type-Options "nosniff" http-response set-header Referrer-Policy "strict-origin-when-cross-origin" http-response set-header Cross-Origin-Resource-Policy "same-origin" server photoprism photoprism.incus:2342 check resolvers incus init-addr last,libc,none backend miniflux # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # add some Security headers http-response set-header X-Frame-Options "SAMEORIGIN" http-response set-header X-Content-Type-Options "nosniff" http-response set-header Referrer-Policy "strict-origin-when-cross-origin" http-response set-header Cross-Origin-Resource-Policy "same-origin" server miniflux miniflux.incus:8080 check resolvers incus init-addr last,libc,none backend www # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # add some Security headers http-response set-header X-Frame-Options "SAMEORIGIN" http-response set-header X-Content-Type-Options "nosniff" http-response set-header Referrer-Policy "strict-origin-when-cross-origin" http-response set-header Cross-Origin-Resource-Policy "same-origin" http-response set-header Cache-Control max-age=31536000 server www www.incus:80 check resolvers incus init-addr last,libc,none backend navidrome # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # add some Security headers http-response set-header X-Frame-Options "SAMEORIGIN" http-response set-header X-Content-Type-Options "nosniff" http-response set-header Referrer-Policy "strict-origin-when-cross-origin" http-response set-header Cross-Origin-Resource-Policy "same-origin" server navidrome navidrome.incus:4533 check resolvers incus init-addr last,libc,none backend mailcow # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # add some Security headers http-response set-header X-Frame-Options "SAMEORIGIN" http-response set-header X-Content-Type-Options "nosniff" http-response set-header Referrer-Policy "strict-origin-when-cross-origin" http-response set-header Cross-Origin-Resource-Policy "same-origin" server mailcow mailcow.incus:80 check resolvers incus init-addr last,libc,none backend beszel # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # add some Security headers http-response set-header X-Frame-Options "SAMEORIGIN" http-response set-header X-Content-Type-Options "nosniff" http-response set-header Referrer-Policy "strict-origin-when-cross-origin" http-response set-header Cross-Origin-Resource-Policy "same-origin" server beszel beszel.incus:8090 check resolvers incus init-addr last,libc,none backend uptime-kuma # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" # add some Security headers http-response set-header X-Frame-Options "SAMEORIGIN" http-response set-header X-Content-Type-Options "nosniff" http-response set-header Referrer-Policy "strict-origin-when-cross-origin" http-response set-header Cross-Origin-Resource-Policy "cross-origin" server uptime-kuma mxmon.taile088c7.ts.net:3001 check resolvers incus init-addr last,libc,none backend nefarious # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" server nefarious nefarious.incus:8000 check resolvers incus init-addr last,libc,none backend nefarious-jackett # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" server nefarious-jackett nefarious.incus:9117 check resolvers incus init-addr last,libc,none backend nefarious-transmission # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" server nefarious-transmission nefarious.incus:9091 check resolvers incus init-addr last,libc,none backend jellyfin # set HSTS for one year after all responses http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" server jellyfin jellyfin.incus:8096 check resolvers incus init-addr last,libc,none