.gitignore

@@ -0,0 +1,6 @@
+# Ignore everything
+*
+
+# But not NGINX
+!nginx
+!nginx/**/*

README.md

@@ -1,11 +0,0 @@
-You can find my server configs in this repo, they are split in different branches.
-
-- [🕋 Selfhost Branch](https://git.zzls.xyz/Fijxu/etc-configs/src/branch/selfhost)
-
-- [🧱 VPS Branch](https://git.zzls.xyz/Fijxu/etc-configs/src/branch/vpsus)
-
-#### Suggestions or Issues?
-
-If you got any suggestions to the nginx configs or something that is not to your liking within the privacy-focused services I provide; Open an issue or a pull request in any config. You can either create an account with your real E-mail or with a throw away one (But probably you will be considered as a bad actor for me if you don't provide any real identity like GitHub, GitLab, Codeberg or anything like that, so make sure to link any of those).
-
-*Contact*: [https://nadeko.net/contact](https://nadeko.net/contact)

nginx/conf.d/4get.conf

@@ -0,0 +1,72 @@
+# CLEARNET
+server {
+  error_log /var/log/nginx/4get.error.log;
+  server_name 4get.nadeko.net;
+  include configs/general.conf;
+  include configs/robotsNone.conf;
+  include configs/security.conf;
+
+  location @upstream {
+	  proxy_pass http://127.0.0.1:10031;
+  }
+
+  location / {
+    try_files $uri @upstream;
+  }
+
+  location /web {
+    try_files $uri @upstream;
+
+    if ($server_protocol ~* "HTTP/1.1") {
+      return 444;
+    }
+
+    include snippets/torblacklist.conf;
+    error_page 403 =302 /torisblocked;
+    error_page 429 =302 /rl;
+  }
+
+  location /torisblocked {
+    alias errors/$request_uri.txt;
+  }
+
+  location /rl {
+    alias errors/$request_uri.txt;
+  }
+
+  location /data {
+    return 444;
+  }
+
+  # Tor Header
+  add_header Onion-Location http://4get.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion$request_uri;
+
+  # QUIC
+  # include configs/http3.conf;
+
+  listen 443 ssl;
+  http2 on;
+}
+
+# TOR
+server {
+  listen 10040;
+  server_name 4get.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion 4get.nadekonw7plitnjuawu6ytjsl7jlglk2t6pyq6eftptmiv3dvqndwvyd.onion;
+  root /var/www/4get-zzls;
+
+  location @upstream {
+    try_files $uri.php $uri/index.php =404;
+    fastcgi_pass php-fpm-8.1;
+    fastcgi_index index.php;
+    include fastcgi.conf;
+    fastcgi_intercept_errors on;
+  }
+
+  location / {
+    try_files $uri @upstream;
+  }
+
+  location ~* ^(.*)\.php$ {
+    return 301 $1;
+  }
+}

nginx/conf.d/datamining.conf

@@ -0,0 +1,19 @@
+# CLEARNET
+server {
+  access_log /var/log/nginx/datamining.nadeko.net.access.log;
+  server_name datamining.nadeko.net;
+  include configs/general.conf;
+  include configs/robotsNone.conf;
+  #include configs/security.conf;
+
+  location / {
+    proxy_pass http://umami;
+    include configs/proxy.conf;
+  }
+
+  # QUIC
+  include configs/http3.conf;
+
+  listen 443 ssl;
+  http2 on;
+}

nginx/conf.d/git.conf

@@ -0,0 +1,21 @@
+server {
+  access_log /var/log/nginx/git.access.log;
+  error_log /var/log/nginx/git.error.log;
+  server_name git.nadeko.net;
+  include configs/general.conf;
+  include configs/security.conf;
+  include configs/robots.conf;
+
+  location / {
+    proxy_pass http://forgejo;
+    include configs/proxy.conf;
+    client_max_body_size 1024M;
+  }
+
+  # QUIC
+  include configs/http3.conf;
+
+  listen 443 ssl;
+  http2 on;
+
+}

nginx/conf.d/inv-i2p.conf.locations

@@ -0,0 +1,83 @@
+location @upstream-i2p {
+  proxy_pass http://inv-i2p;
+  include configs/proxy.conf;
+  limit_rate 1000k;
+  # Disable buffering and cache so i don't kill my
+  # SSD and bandwidth usage
+  proxy_buffering off;
+  proxy_request_buffering off;
+  proxy_cache off;
+  proxy_intercept_errors on;
+  proxy_connect_timeout 10s;
+  proxy_read_timeout 20s;
+  #error_page 502 = @fallback;
+
+  if ($request_method = OPTIONS) {
+    return 204;
+  }
+}
+
+location @http3-proxy {
+  # Woops! Sorry. I don't want to kill my SSD lol!
+  proxy_buffering off;
+  proxy_request_buffering off;
+  proxy_cache off;
+  #proxy_buffers 1024 16k;
+  proxy_set_header X-Forwarded-For "";
+  proxy_hide_header "alt-svc";
+  sendfile_max_chunk 512k;
+  proxy_hide_header Cache-Control;
+  proxy_hide_header etag;
+  proxy_http_version 1.1;
+  proxy_intercept_errors on;
+  proxy_set_header Connection keep-alive;
+  #proxy_max_temp_file_size 32m;
+  proxy_pass http://http3-ytproxy;
+  add_header Cache-Control private always;
+  limit_rate 8000k;
+}
+
+location ~ (^/videoplayback/) {
+  try_files $uri @http3-proxy;
+}
+
+location ~ (^/vi/) {
+  try_files $uri @http3-proxy;
+}
+
+location ~ (^/vi) {
+  try_files $uri @upstream-i2p;
+}
+
+location / {
+  try_files $uri @upstream-i2p;
+}
+
+location /search {
+  try_files $uri @upstream-i2p;
+}
+
+location /watch {
+  try_files $uri @upstream-i2p;
+}
+
+location /api/v1 {
+  try_files $uri @upstream-i2p;
+}
+
+location /api/v1/storyboards {
+  try_files $uri @upstream-i2p;
+}
+
+location /api/v1/captions {
+  try_files $uri @upstream-i2p;
+}
+
+location /api/v1/comments {
+  try_files $uri @upstream-i2p;
+}
+
+location ~ ^/api/v1/channels/(.+)/shorts {
+  try_files $uri @upstream-i2p;
+}
+

nginx/conf.d/inv-tor.conf.locations

@@ -0,0 +1,89 @@
+location @upstream-tor {
+  proxy_pass http://inv-tor;
+  include configs/proxy.conf;
+  limit_rate 1000k;
+  # Disable buffering and cache so i don't kill my
+  # SSD and bandwidth usage
+  proxy_buffering off;
+  proxy_request_buffering off;
+  proxy_cache off;
+  proxy_intercept_errors on;
+  proxy_connect_timeout 10s;
+  proxy_read_timeout 20s;
+  #error_page 502 = @fallback;
+
+  if ($request_method = OPTIONS) {
+    return 204;
+  }
+}
+
+location @http3-proxy {
+  # Woops! Sorry. I don't want to kill my SSD lol!
+  proxy_buffering off;
+  proxy_request_buffering off;
+  proxy_cache off;
+  #proxy_buffers 1024 16k;
+  proxy_set_header X-Forwarded-For "";
+  proxy_hide_header "alt-svc";
+  sendfile_max_chunk 512k;
+  proxy_hide_header Cache-Control;
+  proxy_hide_header etag;
+  proxy_http_version 1.1;
+  proxy_intercept_errors on;
+  proxy_set_header Connection keep-alive;
+  #proxy_max_temp_file_size 32m;
+  proxy_pass http://http3-ytproxy;
+  add_header Cache-Control private always;
+  limit_rate 8000k;
+}
+
+location ~ (^/videoplayback/) {
+  try_files $uri @http3-proxy;
+}
+
+location ~ (^/vi/) {
+  try_files $uri @http3-proxy;
+}
+
+location ~ (^/vi) {
+  try_files $uri @upstream-tor;
+}
+
+location / {
+  try_files $uri @upstream-tor;
+}
+
+location /search {
+  try_files $uri @upstream-tor;
+}
+
+location /watch {
+  try_files $uri @upstream-tor;
+  #limit_req zone=invidious-watchrl nodelay burst=5;
+}
+
+location /api/v1 {
+  try_files $uri @upstream-tor;
+  #limit_req zone=invidious-apirl nodelay burst=10;
+}
+
+location /api/v1/storyboards {
+  try_files $uri @upstream-tor;
+}
+
+location /api/v1/captions {
+  try_files $uri @upstream-tor;
+}
+
+location /api/v1/comments {
+  try_files $uri @upstream-tor;
+}
+
+location ~ ^/api/v1/channels/(.+)/shorts {
+  try_files $uri @upstream-tor;
+}
+
+#location @fallback {
+#	root /etc/nginx/errors;
+#	try_files $uri /502.html = 502;
+#}

nginx/conf.d/inv.conf

@@ -0,0 +1,40 @@
+# CLEARNET
+server {
+	# Enabled due to Fail2Ban
+	error_log /var/log/nginx/inv.nadeko.net.error.log;
+	#access_log /var/log/nginx/inv.nadeko.net.access.log;
+	server_name inv.nadeko.net;
+	include configs/general.conf;
+	include configs/robotsNone.conf;
+	# MAINTENANCE MODE
+	# include configs/maintenance-mode.conf;
+
+	# The messed up invidious configuration
+	include conf.d/inv.conf.locations;
+
+	# QUIC
+	#include configs/http3.conf;
+
+	listen 443 ssl;
+	http2 on;
+}
+
+# TOR
+server {
+	listen 10040;
+	server_name inv.zzlsghu6mvvwyy75mvga6gaf4znbp3erk5xwfzedb4gg6qqh2j6rlvid.onion inv.nadekonw7plitnjuawu6ytjsl7jlglk2t6pyq6eftptmiv3dvqndwvyd.onion;
+	include configs/general.conf;
+	include configs/robotsNone.conf;
+
+	include conf.d/inv-tor.conf.locations;
+}
+
+# I2P
+server {
+	listen 10051;
+	server_name zzlsbhhfvwg3oh36tcvx4r7n6jrw7zibvyvfxqlodcwn3mfrvzuq.b32.i2p;
+	include configs/general.conf;
+	include configs/robotsNone.conf;
+
+	include conf.d/inv.conf.locations;
+}

nginx/conf.d/inv.conf.locations

@@ -0,0 +1,168 @@
+location @upstream {
+  proxy_pass http://inv;
+  include configs/proxy.conf;
+  limit_rate 1000k;
+  # Disable buffering and cache so i don't kill my
+  # SSD and bandwidth usage
+  proxy_buffering off;
+  proxy_request_buffering off;
+  proxy_cache off;
+  #proxy_intercept_errors on;
+  #proxy_connect_timeout 10s;
+  #proxy_read_timeout 20s;
+  #error_page 502 = @fallback;
+
+  if ($request_method = OPTIONS) {
+    return 204;
+  }
+
+  proxy_hide_header Access-Control-Allow-Origin;
+  add_header Access-Control-Allow-Credentials true;
+  add_header Access-Control-Allow-Origin "*" always;
+  add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD, PATCH, PUT, DELETE" always;
+  add_header Access-Control-Allow-Headers "User-Agent, Authorization, Content-Type" always;
+
+  # TOR
+  add_header Onion-Location http://inv.nadekonw7plitnjuawu6ytjsl7jlglk2t6pyq6eftptmiv3dvqndwvyd.onion$request_uri;
+
+  # QUIC
+  # add_header Alt-Svc 'h3=":443"; ma=86400';
+}
+
+location @http3-proxy {
+  # Woops! Sorry. I don't want to kill my SSD lol!
+  proxy_buffering off;
+  proxy_request_buffering off;
+  proxy_cache off;
+  #proxy_buffers 1024 16k;
+  proxy_set_header X-Forwarded-For "";
+  proxy_hide_header "alt-svc";
+  sendfile_max_chunk 512k;
+  proxy_hide_header Cache-Control;
+  proxy_hide_header etag;
+  proxy_http_version 1.1;
+  proxy_intercept_errors on;
+  proxy_set_header Connection keep-alive;
+  #proxy_max_temp_file_size 32m;
+  proxy_pass http://http3-ytproxy;
+  add_header Cache-Control private always;
+  limit_rate 8000k;
+  #limit_req zone=invidious-videoplaybackrl nodelay burst=10;
+  #limit_conn invgloballimit 64;
+
+  # proxy_hide_header Access-Control-Allow-Origin;
+  # add_header Access-Control-Allow-Credentials true;
+  # add_header Access-Control-Allow-Origin "*" always;
+  # add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD, PATCH, PUT, DELETE" always;
+  # add_header Access-Control-Allow-Headers "User-Agent, Authorization, Content-Type" always;
+
+  # QUIC
+  # add_header Alt-Svc 'h3=":443"; ma=86400';
+}
+
+# location ~ (^/videoplayback/) {
+# 	# Woops! Sorry. I don't want to kill my SSD lol!
+# 	proxy_buffering off;
+# 	proxy_request_buffering off;
+# 	proxy_cache off;
+# 	#proxy_buffers 1024 16k;
+# 	proxy_set_header X-Forwarded-For "";
+# 	proxy_hide_header "alt-svc";
+# 	sendfile_max_chunk 512k;
+# 	proxy_hide_header Cache-Control;
+# 	proxy_hide_header etag;
+# 	proxy_http_version 1.1;
+# 	proxy_intercept_errors on;
+# 	proxy_set_header Connection keep-alive;
+# 	#proxy_max_temp_file_size 32m;
+# 	proxy_pass http://http3-ytproxy;
+# 	add_header Cache-Control private always;
+# 	limit_rate 8000k;
+# 	#limit_req zone=invidious-videoplaybackrl nodelay burst=10;
+# 	#limit_conn invgloballimit 64;
+#
+# 	# proxy_hide_header Access-Control-Allow-Origin;
+# 	# add_header Access-Control-Allow-Credentials true;
+# 	# add_header Access-Control-Allow-Origin "*" always;
+# 	# add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD, PATCH, PUT, DELETE" always;
+# 	# add_header Access-Control-Allow-Headers "User-Agent, Authorization, Content-Type" always;
+#
+# 	# QUIC
+# 	add_header Alt-Svc 'h3=":443"; ma=86400';
+# }
+#
+# location ~ (^/vi/) {
+# 	# Woops! Sorry. I don't want to kill my SSD lol!
+# 	proxy_buffering off;
+# 	proxy_request_buffering off;
+# 	proxy_cache off;
+# 	#proxy_buffers 1024 16k;
+# 	proxy_set_header X-Forwarded-For "";
+# 	proxy_hide_header "alt-svc";
+# 	sendfile_max_chunk 512k;
+# 	proxy_hide_header Cache-Control;
+# 	proxy_hide_header etag;
+# 	proxy_http_version 1.1;
+# 	proxy_intercept_errors on;
+# 	proxy_set_header Connection keep-alive;
+# 	#proxy_max_temp_file_size 32m;
+# 	proxy_pass http://http3-ytproxy;
+# 	add_header Cache-Control private always;
+# 	limit_rate 1000k;
+#
+# 	# QUIC
+# 	add_header Alt-Svc 'h3=":443"; ma=86400';
+#
+# 	limit_conn invgloballimit 128;
+# }
+#
+#
+
+location ~ (^/videoplayback/) {
+  try_files $uri @http3-proxy;
+}
+
+location ~ (^/vi/) {
+  try_files $uri @http3-proxy;
+}
+
+location / {
+	try_files $uri @upstream;
+	limit_conn invgloballimit 256;
+}
+
+location /search {
+	try_files $uri @upstream;
+	limit_req zone=invidious-searchrl nodelay burst=5;
+}
+
+location /watch {
+	try_files $uri @upstream;
+	limit_req zone=invidious-watchrl nodelay burst=5;
+}
+
+location /api/v1 {
+	limit_req zone=invidious-apirl nodelay burst=10;
+	try_files $uri @upstream;
+}
+
+location /api/v1/storyboards {
+	try_files $uri @upstream;
+}
+
+location /api/v1/captions {
+	try_files $uri @upstream;
+}
+
+location /api/v1/comments {
+	try_files $uri @upstream;
+}
+
+location ~ ^/api/v1/channels/(.+)/shorts {
+	try_files $uri @upstream;
+}
+
+#location @fallback {
+#	root /etc/nginx/errors;
+#	try_files $uri /502.html = 502;
+#}

nginx/conf.d/keygenmusic.conf

@@ -0,0 +1,31 @@
+server {
+	access_log /var/log/nginx/keygenmusic.access.log;
+	root /var/www/keygenmusic.tk-mirror;
+	index index.html;
+	server_name keygenmusic.nadeko.net;
+	include configs/general.conf;
+	include configs/security.conf;
+
+	location / {
+		try_files $uri $uri/ =404;
+	}
+
+	location /kgm {
+		alias /mnt/ssd/luna/keygenmusic.tk/kgm;
+	}
+
+	location /kgm/ver.txt {
+		alias /var/www/keygenmusic.tk-mirror/kgm/ver.txt;
+	}
+
+	location /kgm/lib.txt {
+		alias /var/www/keygenmusic.tk-mirror/kgm/lib.txt;
+	}
+
+	# QUIC
+	include configs/http3.conf;
+
+	listen 443 ssl;
+	http2 on;
+}
+

nginx/conf.d/luna.conf

@@ -0,0 +1,35 @@
+server {
+  access_log /var/log/nginx/luna.zzls.xyz.access.log combined;
+  error_log /var/log/nginx/luna.zzls.xyz.error.log;
+  server_name luna.nadeko.net;
+  index index.php /_h5ai/public/index.php;
+  root /mnt/ssd/luna/;
+  include configs/general.conf;
+  include configs/security.conf;
+  default_type "application/octet-stream";
+
+  location /_h5ai/private {
+    return 403;
+  }
+
+  location ~ [^/]\.php(/|$) {
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+    if (!-f $document_root$fastcgi_script_name) {
+      return 404;
+    }
+    fastcgi_param HTTP_PROXY "";
+    fastcgi_pass php-fpm-8.1;
+    fastcgi_index index.php;
+    include fastcgi_params;
+    fastcgi_param  SCRIPT_FILENAME   $document_root$fastcgi_script_name;
+    fastcgi_param  PATH_INFO         $fastcgi_path_info;
+    add_header Access-Control-Allow-Origin *;
+  }
+
+  # QUIC
+  include configs/http3.conf;
+
+  listen 443 ssl;
+  http2 on;
+
+}

nginx/conf.d/materialious.conf

@@ -0,0 +1,72 @@
+# CLEARNET
+server {
+  #error_log /var/log/nginx/materialious.nadeko.net.error.log;
+  #access_log /var/log/nginx/materialious.nadeko.net.access.log;
+  server_name materialious.nadeko.net;
+  include configs/general.conf;
+  include configs/robotsNone.conf;
+  include configs/security.conf;
+
+  location / {
+    proxy_pass http://materialious;
+    include configs/proxy.conf;
+  }
+
+  # QUIC
+  include configs/http3.conf;
+
+  listen 443 ssl;
+  http2 on;
+}
+
+server {
+  #error_log /var/log/nginx/materialious.nadeko.net.error.log;
+  #access_log /var/log/nginx/materialious.nadeko.net.access.log;
+  server_name syncious.nadeko.net;
+  include configs/general.conf;
+  include configs/robotsNone.conf;
+  include configs/security.conf;
+
+  location / {
+    proxy_pass http://syncious;
+    # include configs/proxy.conf;
+
+    if ($request_method = OPTIONS) {
+      return 204;
+    }
+    # proxy_hide_header Access-Control-Allow-Origin;
+    add_header Access-Control-Allow-Credentials true;
+    add_header Access-Control-Allow-Origin "https://materialious.nadeko.net" always;
+    # add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
+    add_header Access-Control-Allow-Headers "User-Agent, Authorization, Content-Type" always;
+  }
+
+  # QUIC
+  include configs/http3.conf;
+
+  listen 443 ssl;
+  http2 on;
+}
+
+server {
+  #error_log /var/log/nginx/materialious.nadeko.net.error.log;
+  #access_log /var/log/nginx/materialious.nadeko.net.access.log;
+  server_name peerjs.nadeko.net;
+  include configs/general.conf;
+  include configs/robotsNone.conf;
+  include configs/security.conf;
+
+  location / {
+    proxy_pass http://peerjs;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    #include configs/proxy.conf;
+  }
+
+  # QUIC
+  include configs/http3.conf;
+
+  listen 443 ssl;
+  http2 on;
+}

nginx/conf.d/matrix.conf

@@ -0,0 +1,88 @@
+# server {
+# 	server_name matrix.zzls.xyz;
+# 	include configs/general.conf;
+# 	include configs/robotsNone.conf;
+# 	include configs/security.conf;
+#
+# 	location /.well-known/matrix/server {
+# 		return 200 '{ "m.server": "matrix.zzls.xyz:8448" }';
+# 	}
+#
+# 	location /.well-known/matrix/client {
+# 		default_type application/json;
+# 		add_header Access-Control-Allow-Origin '*';
+# 		return 200 '{ "m.homeserver": { "base_url": "https://matrix.zzls.xyz" }, "org.matrix.msc3575.proxy": {"url": "https://matrix.zzls.xyz"}}';
+# 	}
+#
+# 	#location ~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync) {
+# 	#	proxy_pass http://127.0.0.1:40022;
+# 	#	proxy_set_header X-Forwarded-For $remote_addr;
+# 	#	proxy_set_header X-Forwarded-Proto $scheme;
+# 	#		proxy_set_header Host $host;
+# 	#}
+#
+# 	location ~ ^(/_matrix|/_synapse/client|/health|/_synapse/metrics) {
+# 		proxy_pass http://matrix;
+# 		include configs/proxy.conf;
+# 		client_max_body_size 64M;
+# 	}
+#
+# 	# QUIC
+# 	include configs/http3.conf;
+#
+# 	listen 443 ssl;
+# 	listen 8448 ssl;
+# 	listen 8448 quic;
+# 	http2 on;
+# }
+#
+server {
+	server_name matrix.nadeko.net;
+	include configs/general.conf;
+	include configs/robotsNone.conf;
+	include configs/security.conf;
+
+	location /.well-known/matrix/support {
+		return 200 '{"contacts": [{"matrix_id": "@fijxu:nadeko.net","email_address": "fijxu@nadeko.net","role": "m.role.admin"},{"email_address": "fijxu@nadeko.net","role": "m.role.security"}],"support_page": "https://nadeko.net/contact" }';
+	}
+
+	location /.well-known/matrix/server {
+		return 200 '{ "m.server": "matrix.nadeko.net:8448" }';
+	}
+
+	location /.well-known/matrix/client {
+		default_type application/json;
+		add_header Access-Control-Allow-Origin '*';
+		return 200 '{ "m.homeserver": { "base_url": "https://matrix.nadeko.net" }, "org.matrix.msc3575.proxy": {"url": "https://matrix.nadeko.net"}}';
+	}
+
+  location ~ ^/(client/|_matrix/client/unstable/org.matrix.msc3575/sync) {
+    proxy_pass http://127.0.0.1:10024;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header Host $host;
+  }
+
+	location ~ ^(/_matrix|/_synapse/client|/health|/_synapse/metrics) {
+		proxy_pass http://127.0.0.1:10022;
+		include configs/proxy.conf;
+		client_max_body_size 64M;
+	}
+
+	location / {
+		proxy_pass http://127.0.0.1:10023;
+		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-Proto $scheme;
+		proxy_set_header Host $host;
+		client_max_body_size 64M;
+		proxy_http_version 1.1;
+	}
+
+	# QUIC
+	include configs/http3.conf;
+
+	listen 443 ssl reuseport;
+	listen 8448 ssl default_server reuseport;
+	listen 8448 quic default_server reuseport;
+	http2 on;
+}

nginx/conf.d/pbin.conf

@@ -0,0 +1,20 @@
+# CLEARNET
+server {
+  server_name pbin.zzls.xyz pbin.nadeko.net;
+  include configs/general.conf;
+  include configs/security.conf;
+  include configs/robotsNone.conf;
+  client_max_body_size 128M;
+
+  location / {
+    proxy_pass http://privatebin;
+    include configs/proxy.conf;
+  }
+
+  # QUIC
+  include configs/http3.conf;
+
+  listen 443 ssl;
+  http2 on;
+
+}

nginx/conf.d/peertube.conf

@@ -0,0 +1,26 @@
+# CLEARNET
+server {
+  #error_log /var/log/nginx/peertube.nadeko.net.error.log;
+  access_log /var/log/nginx/peertube.nadeko.net.access.log;
+  server_name peertube.nadeko.net;
+  include configs/general.conf;
+  include configs/robotsNone.conf;
+  #include configs/security.conf;
+  # security headers
+  add_header X-Content-Type-Options    "nosniff" always;
+  add_header Referrer-Policy           "same-origin" always;
+  add_header Permissions-Policy        "interest-cohort=()" always;
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+  location / {
+    proxy_pass http://peertube;
+    include configs/proxy.conf;
+    client_max_body_size 1024M;
+  }
+
+  # QUIC
+  include configs/http3.conf;
+
+  listen 443 ssl;
+  http2 on;
+}

nginx/conf.d/redirector.conf

@@ -0,0 +1,14 @@
+# https://stackoverflow.com/a/39563133
+server {
+    server_name ~^(?<name>\w+)\.zzls\.xyz$;
+    rewrite ^ https://$name.nadeko.net$request_uri? permanent;
+    listen 443 ssl;
+    listen 80;
+}
+
+# HTTPS Redirector
+server {
+    listen 80 default_server;
+    server_name _;
+    return 301 https://$host$request_uri;
+}

nginx/configs/general.conf

@@ -0,0 +1,22 @@
+# ZSTD
+# https://github.com/tokers/zstd-nginx-module
+zstd		on;
+zstd_comp_level 1;
+zstd_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
+# BROTLI
+brotli            on;
+brotli_comp_level 6;
+brotli_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
+# GZIP
+gzip              on;
+gzip_vary         on;
+gzip_proxied      any;
+gzip_comp_level   6;
+gzip_types        text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
+# fuck bots .kill
+# if ($poop) {
+# 	return 444;
+# }

nginx/configs/http3.conf

@@ -0,0 +1,2 @@
+add_header Alt-Svc 'h3=":8443"; ma=86400';
+listen 8443 quic;

nginx/configs/proxy.conf

@@ -0,0 +1,21 @@
+proxy_http_version                 1.1;
+proxy_cache_bypass                 $http_upgrade;
+
+# Proxy SSL
+proxy_ssl_server_name              on;
+
+# Proxy headers
+proxy_set_header Upgrade           $http_upgrade;
+#proxy_set_header Connection        $connection_upgrade;
+proxy_set_header X-Real-IP         $remote_addr;
+proxy_set_header Forwarded         $proxy_add_forwarded;
+proxy_set_header X-Forwarded-For   $remote_addr;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host  $host;
+proxy_set_header X-Forwarded-Port  $server_port;
+proxy_set_header Host $host;
+
+# Proxy timeouts
+#proxy_connect_timeout              60s;
+#proxy_send_timeout                 60s;
+#proxy_read_timeout                 60s;

nginx/configs/robots.conf

@@ -0,0 +1,58 @@
+if ($http_user_agent ~* "(AdsBot-Google|Amazonbot|anthropic-ai|Applebot|Applebot-Extended|AwarioRssBot|AwarioSmartBot|Bytespider|CCBot|ChatGPT-User|ClaudeBot|Claude-Web|cohere-ai|DataForSeoBot|Diffbot|FacebookBot|FriendlyCrawler|Google-Extended|GoogleOther|GPTBot|img2dataset|ImagesiftBot|magpie-crawler|Meltwater|omgili|omgilibot|peer39_crawler|peer39_crawler/1.0|PerplexityBot|PiplBot|scoop.it|Seekr|YouBot|facebookexternalhit)"){
+  return 403;
+}
+
+location /robots.txt { return 200 "
+  User-agent: AhrefsBot
+  Disallow: /
+
+  User-agent: dotbot
+  Disallow: /
+
+  User-agent: SiteAuditBot
+  Disallow: /
+
+  User-agent: SemrushBot-BA
+  Disallow: /
+
+  User-agent: SemrushBot-SI
+  Disallow: /
+
+  User-agent: SemrushBot-SWA
+  Disallow: /
+
+  User-agent: SemrushBot-CT
+  Disallow: /
+
+  User-agent: SplitSignalBot
+  Disallow: /
+
+  User-agent: SemrushBot-COUB
+  Disallow: /
+
+  User-agent: AdsBot-Google
+  User-agent: Amazonbot
+  User-agent: anthropic-ai
+  User-agent: Applebot-Extended
+  User-agent: Bytespider
+  User-agent: CCBot
+  User-agent: ChatGPT-User
+  User-agent: ClaudeBot
+  User-agent: Claude-Web
+  User-agent: cohere-ai
+  User-agent: Diffbot
+  User-agent: FacebookBot
+  User-agent: FriendlyCrawler
+  User-agent: Google-Extended
+  User-agent: GoogleOther
+  User-agent: GPTBot
+  User-agent: img2dataset
+  User-agent: omgili
+  User-agent: omgilibot
+  User-agent: peer39_crawler
+  User-agent: peer39_crawler/1.0
+  User-agent: PerplexityBot
+  User-agent: YouBot
+  User-agent: facebookexternalhit/1.1
+  Disallow: /";
+}

nginx/configs/robotsNone.conf

@@ -0,0 +1 @@
+location /robots.txt { return 200 "User-agent: *\nDisallow: /";}

nginx/configs/security.conf

@@ -0,0 +1,6 @@
+# security headers
+add_header X-Content-Type-Options    "nosniff" always;
+add_header Referrer-Policy           "same-origin" always;
+add_header X-Frame-Options           "sameorigin" always;
+add_header Permissions-Policy        "interest-cohort=()" always;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

nginx/configs/ssl.conf

@@ -0,0 +1,5 @@
+# ECDSA
+ssl_certificate /etc/ssl/nadeko.net/fullchain.ec.crt;
+ssl_certificate_key /etc/ssl/nadeko.net/nadeko.net.ec.key;
+
+include configs/sslConfig.conf;

nginx/configs/sslConfig.conf

@@ -0,0 +1,12 @@
+# SSL
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
+ssl_prefer_server_ciphers off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_early_data on;
+
+# Custom 4096bits Diffie-Hellman parameter for DHE ciphersuites (Not the one bundled with letsencrypt
+# Changed to a custom one for trust purposes
+ssl_dhparam /etc/nginx/dhparam.pem;

nginx/configs/upstreams.conf

@@ -0,0 +1,81 @@
+upstream php-fpm-8.3 {
+  server unix:/run/php-fpm/php-fpm.sock;
+}
+
+upstream php-fpm-8.1 {
+  server unix:/run/php-fpm-legacy/php-fpm.sock;
+}
+
+upstream inv {
+  server unix:/run/invidious-haproxy/invidious.sock;
+  server 127.0.0.1:10011 backup;
+}
+
+upstream inv-tor {
+  server unix:/run/invidious-haproxy/invidious-tor.sock;
+  server 127.0.0.1:10098 backup;
+}
+
+upstream inv-i2p {
+  server unix:/run/invidious-haproxy/invidious-i2p.sock;
+  server 127.0.0.1:10099 backup;
+}
+
+upstream http3-ytproxy {
+  server unix:/run/invidious-haproxy/http3-proxy.sock;
+  server 127.0.0.1:10012 backup;
+}
+
+upstream materialious {
+  server 127.0.0.1:10013;
+}
+
+upstream syncious {
+  server 127.0.0.1:10014;
+}
+
+upstream peerjs {
+  server 127.0.0.1:10015;
+}
+
+upstream rimgo {
+  server 127.0.0.1:10001;
+}
+
+upstream privatebin {
+  server 127.0.0.1:10002;
+}
+
+upstream rustlog {
+  server 127.0.0.1:10003;
+}
+
+upstream matrix {
+  server 127.0.0.1:10020;
+}
+
+upstream matrix-nadeko {
+  server 127.0.0.1:10022;
+}
+
+upstream peertube {
+  server 127.0.0.1:10016;
+}
+
+upstream umami {
+  server 127.0.0.1:10005;
+}
+
+upstream forgejo {
+  server unix:/run/forgejo/forgejo.sock;
+}
+
+# DEVELOPMENT
+
+upstream inv-debug {
+  server 127.0.0.1:40050 max_fails=2 fail_timeout=2s;
+}
+
+upstream http3-ytproxy-debug {
+  server 127.0.0.1:10012 max_fails=2 fail_timeout=1s;
+}

nginx/dhparam.pem

@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICDAKCAgEAiK/Y67KsiSrOlySdj5iBvVc64vUPIZOBWxQ05ggVhuTWJeZKGjes
+/R6VA43Zh9Yo1U2cQl5semyPNzseEk5cwiK1ZOXz9WJiCmrdOFkB9uIpcL0Gz/r6
+56m4F9ki1/ikJZzKRiBxvt6rQS9K4FMjkMliOFqwqVCt1Bh3EYYXebUjWrkKHb4t
+kraEorQbObFodvKcBVG7dcI4EVZhL6wgznp/xZdHYG65jo1GPC7yTJHiTuvD7Ng9
+EsMssnfpdss3f6SmtWGuAkH7vWht7NJse3oePiTRVRiFuW4i4wO5Omu4CJ8kKlwi
+dmG8/o4eQbYWNqfMsCZFBx04i33SsUFQAPZXUQGGmLeNNFdncA0g3agN457ZQvuS
+buhMpiZUw2sI13UH1D7vZBZSTvc+cleRk2w24wHqcMJ8HAuHQ4WhdrC24w8uD8H8
+hJu78K4FibQ7no1syZEhHR/8AkRPAj/dGMlgJQ/dpI07cll/yMiICkytUydYPwT4
++lXbT+oN1rwA7HSttkMFt+z2Oi3RtH9VaIl3zY5bRCk28+GW2mo8+bL5JGl0qooe
+OQsYn+mbZLdtUYhYaaYktJaLyPyQ6WtrssJas+gSdW/1RmT+WRkARaIC201WS+aS
+guGOj0Lr0My+pW/Jj3wB8Hi6tpm+02KNaQUFubNWgcQZU33Ejj1rnfcCAQICAgFF
+-----END DH PARAMETERS-----

nginx/errors/502.html

@@ -0,0 +1,187 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+	<meta charset="UTF-8">
+	<meta http-equiv="X-UA-Compatible" content="IE=edge">
+	<meta name="viewport" content="width=device-width, initial-scale=1.0">
+	<link rel="stylesheet" href="https://zzls.xyz/style.css" type="text/css">
+	<link rel="icon" type="image/gif" href="./favicon.gif">
+	<style>
+		@font-face {
+			font-family: "Gaiatype";
+			src: url("./Gaiatype.woff2") format('woff');
+		}
+
+		html {
+			background-image: linear-gradient(to bottom,
+					rgba(11, 11, 11, 0.85),
+					rgba(11, 11, 11, 0.85)),
+				url(./bg.gif);
+			background-attachment: fixed;
+			height: 100%;
+			/* filter: invert(0); */
+		}
+
+		h1 {
+			color: rgb(220, 100, 170);
+			font-family: 'Gaiatype';
+			font-size: 2em;
+		}
+
+		h2 {
+			color: #bde0e4;
+			text-align: center;
+			font-family: 'Gaiatype';
+		}
+
+		@keyframes xd {
+			0% {
+				letter-spacing: normal;
+				/* transform: rotate(2deg); */
+			}
+
+			50% {
+				letter-spacing: 3px;
+				/* transform: rotate(0deg); */
+			}
+
+			100% {
+				letter-spacing: normal;
+				/* transform: rotate(2deg); */
+			}
+		}
+
+		@keyframes erm {
+			0% {
+				transform: rotate(2deg);
+			}
+
+			50% {
+				transform: rotate(-2deg);
+			}
+
+			100% {
+				transform: rotate(2deg);
+			}
+		}
+
+		p {
+			text-align: center;
+		}
+
+		.lol {
+			animation: erm 10s infinite;
+		}
+		/* .lol2 {
+			animation: erm 8s infinite;
+		} */
+
+		body {
+			opacity: 0;
+			transition: opacity 1s;
+		}
+
+		/* .content {
+			min-height: 100%;
+			display: grid;
+			grid-template-rows: auto 1fr auto;
+		} */
+
+		.lain {
+			position: absolute;
+			right: 0;
+			bottom: 0;
+			width: 50%;
+			pointer-events: none;
+			z-index: -1;
+		}
+
+		ul {
+			list-style-type: none;
+		}
+
+		audio {
+			position: fixed;
+			top: 0;
+			left: -100;
+			right: 0;
+			opacity: 0.2;
+			transition: opacity 0.5s ease;
+			/* font-family: 'Gaiatype'; */
+			--box-shadow1: rgba(249, 249, 250, 0);
+			--box-shadow2: rgba(91, 91, 102, 0.0);
+			--box-shadow3: rgba(82, 82, 94, 0.0);
+		}
+
+		audio:hover {
+			opacity: 8;
+		}
+
+		audio::-webkit-media-controls-panel{
+background-color: rgba(200,200,200,1);
+width:350px;
+}
+
+footer {
+	display: flex;
+  flex-direction: column;
+  align-items: center;
+  text-align: center;
+}
+
+footer img {
+  /* width: 100%; */
+  max-width: 100%;
+}
+
+footer p {
+  margin-top: 10px;
+  max-width: 315px;
+  /* margin: 0 auto; */
+}
+	</style>
+
+
+	<title>502 Bad Gateway</title>
+</head>
+
+<body onload="document.body.style.opacity='1'">
+	<audio controls autoplay loop>
+		<source src="./kahgy.ogg" type="audio/ogg">
+	</audio>
+	</div>
+	<div class="overlay fade-out"></div>
+	<div style="font-size: 1.2ch;margin: 0 auto;">
+		<a>Go to zzls.xyz?: </a><a href="https://zzls.xyz">Yes</a>
+	</div>
+
+	<div class="content">
+
+		<h1 class="lol lol2">502 Bad Gateway</h1>
+		<p style="text-align: center; font-size: large;"><b>You just reached an <span style="color: rgb(255, 100, 100);">error page</span>... Great, enjoy the music.</b></p>
+
+		<p>This does not mean that the server is down, or else you would not have been able access this error page.</p>
+		<h2>Contact</h2>
+		<p>Notify me about this shitty error in case I haven't noticed about it yet xD</p>
+		<ul>
+			<li>E-mail: <a style="font-size: large;"
+					href="mailto:admin [at] zzls.xyz"><code>admin [at] zzls.xyz</code></a> <a>PGP Key: <a
+						href="./admin@zzls.xyz.asc">76C578BB918EB8F556C0ABDEA9CB7D007A846255</a></a></li>
+			<li>Mastodon: <a href="https://noc.social/@fijxu">https://noc.social/@fijxu</a></li>
+			<li>Twitter: <a href="https://twitter.com/fijxu__">https://twitter.com/fijxu__</a> <a>Just @ me. No DMs</a>
+			</li>
+		</ul>
+	</div>
+</body>
+
+<footer>
+	<img src="https://count.ayaya.beauty/get/@502zzlsreal2?theme=rule34" alt="The counter is dead or your browser doesn't support the <img> element , xDDDd.">
+	<p>This counter resets every 5 minutes, so if this number is higher than 10, you are clearly not the only one with this error. CONTACT THE ADMIN TO FIX HIS SHIT xD</p>
+</footer>
+
+<script>
+	document.getElementById("domain").innerText = "(" + window.location.hostname + ")";
+</script>
+
+</html>

nginx/errors/admin@zzls.xyz.asc

@@ -0,0 +1,13 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xjMEZUDy0BYJKwYBBAHaRw8BAQdAL9RfyeA84n+J0GyVfJpPHPqtw9e4ZGQVt/l+
+qUs0qrDNH3p6bHMueHl6IEFkbWluIDxhZG1pbkB6emxzLnh5ej7CjwQTFggANxYh
+BHbFeLuRjrj1VsCr3qnLfQB6hGJVBQJlQPLQBQkDwmcAAhsDBAsJCAcFFQgJCgsF
+FgIDAQAACgkQqct9AHqEYlUugAD8CLpr1tqosErf0KDqG5nWkHBj/lcixwQ/Ii4Y
+soa+q+kBAN9bKzUkma9yVGwlDg/pDW6sKztgB8MU+FKPRgxSPwEJzjgEZUDy0RIK
+KwYBBAGXVQEFAQEHQCa0sUBxzKEikQvxiPjgpEVpprMWELgs3eB+T1YrkYkrAwEI
+B8J+BBgWCAAmFiEEdsV4u5GOuPVWwKveqct9AHqEYlUFAmVA8tEFCQPCZwACGwwA
+CgkQqct9AHqEYlVlbAD/U2gC6NG4ueUxeEVTpbNfhs8zDnIrq9YrecGpKtpAbCcA
+/0Z/z7XtD73hJtfEqqzzjtLccugoTzx88dVEEAutDEIJ
+=eQVs
+-----END PGP PUBLIC KEY BLOCK-----

nginx/errors/torisblocked.txt

@@ -0,0 +1,5 @@
+Tor and Proxies are not allowed in this service, sorry. 
+Check if this service offers a Tor version instead, if yes, use it, if not, well, there is no way to use this service.
+
+Tor y Proxies no estan permitidos en este servicio, lo siento. 
+Revisa si este servicio ofrece una version para Tor, si es asi, usalo, si no, pues no hay forma de usar este servicio.

nginx/fastcgi.conf

@@ -0,0 +1,26 @@
+
+fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;

nginx/nginx.conf

@@ -0,0 +1,79 @@
+worker_processes auto;
+worker_rlimit_nofile 65535;
+
+include /etc/nginx/modules-enabled/*.conf;
+load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
+load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
+load_module /usr/lib/nginx/modules/ngx_http_zstd_filter_module.so; # for compressing responses on-the-fly
+load_module /usr/lib/nginx/modules/ngx_http_zstd_static_module.so; # for serving pre-compressed files
+load_module /usr/lib/nginx/modules/ngx_http_lua_module.so; # ngx_lua
+
+quic_bpf on;
+
+events {
+	worker_connections 4096;
+	multi_accept off;
+}
+
+http {
+	log_format limited '$remote_addr - $remote_user [$time_local] '
+		'"$request_method /bogus $server_protocol" $status $body_bytes_sent '
+		'"-" "Bogus/66.6" - "$http_host"';
+
+	access_log off;
+	error_log /dev/null;
+
+	# Basic Settings
+	charset utf-8;
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	server_tokens off;
+	log_not_found off;
+	types_hash_max_size 1024;
+	types_hash_bucket_size 128;
+	server_names_hash_bucket_size 128;
+
+	# MIME
+	include mime.types;
+
+	# SSL
+	include configs/ssl.conf;
+
+	# reset timed out connections freeing ram
+	reset_timedout_connection on;
+	# maximum time between packets the client can pause when sending nginx any data
+	client_body_timeout 10s;
+	# maximum time the client has to send the entire header to nginx
+	client_header_timeout 10s;
+	# timeout which a single keep-alive client connection will stay open
+	keepalive_timeout 60s;
+	# maximum time between packets nginx is allowed to pause when sending the client data
+	send_timeout 10s;
+
+	client_body_buffer_size 32k;
+	client_max_body_size 2m;
+
+	open_file_cache max=1024 inactive=10s;
+	open_file_cache_valid 60s;
+	open_file_cache_min_uses 2;
+	open_file_cache_errors on;
+
+	# PERFORMANCE / ASYNC I/O
+	aio threads=default;
+	aio_write on;
+	directio 2m;
+
+	# QUIC settings
+	# https://nginx.org/en/docs/http/ngx_http_v3_module.html
+	quic_gso on;
+
+	# Maps
+	include /etc/nginx/snippets/maps.conf;
+	include /etc/nginx/snippets/poop.conf;
+
+	include /etc/nginx/configs/general.conf;
+	include /etc/nginx/configs/upstreams.conf;
+	include /etc/nginx/configs/limits.conf;
+	include /etc/nginx/conf.d/*.conf;
+}

nginx/snippets/maps.conf

@@ -0,0 +1,27 @@
+# Connection header for WebSocket reverse proxy
+
+map $http_upgrade $connection_upgrade {
+	default upgrade;
+	""      close;
+}
+
+map $remote_addr $proxy_forwarded_elem {
+
+	# IPv4 addresses can be sent as-is
+	~^[0-9.]+$        "for=$remote_addr";
+
+	# IPv6 addresses need to be bracketed and quoted
+	~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
+
+	# Unix domain socket names cannot be represented in RFC 7239 syntax
+	default           "for=unknown";
+}
+
+map $http_forwarded $proxy_add_forwarded {
+
+	# If the incoming Forwarded header is syntactically valid, append to it
+	"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
+
+	# Otherwise, replace it
+	default "$proxy_forwarded_elem";
+}

nginx/snippets/poop.conf

@@ -0,0 +1,11 @@
+map $http_user_agent $poop {
+    default			0;
+    ~*my-tiny-bot		1;
+    ~*thesis-research-bot	1;
+    ~*SemrushBot		1;
+    ~*Bytespider		1;
+    ~*PetalBot			1;
+    ~*Amazonbot			1;
+    ~*FriendlyCrawler			1;
+    ~*ImagesiftBot		1;
+}

tmpfiles.d/docker-unix-socket-binds.conf

@@ -0,0 +1,3 @@
+d /run/http3-proxy-nginx 0755 root root
+d /run/invidious-nginx 0755 root root
+d /run/invidious-haproxy 0777 root root