Initial commit

lxc-configs/haproxy-redxen-lxc/APKBUILD

@@ -0,0 +1,22 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+pkgname=haproxy-redxen-lxc
+pkgver=1
+pkgrel=0
+pkgdesc="HAProxy LXC configuration files"
+url="https://git.redxen.eu/RedXen"
+arch="noarch"
+license="none"
+depends="lxc"
+options="!check"
+install="$pkgname.post-install $pkgname.post-deinstall"
+source="
+	config
+"
+
+package() {
+	install -dm755 "$pkgdir"/containers/haproxy
+	install -Dm644 config "$pkgdir"/var/lib/lxc/haproxy/config
+}
+
+sha512sums="08ed912da89e439fd4194af2f74b150272c8ce00a98b3906e09d020d022870b431ba4e0613061c2f960c0fa50ecde33daf7d3277d9f1aadbfa7670e4d6c4a08f  config"

lxc-configs/haproxy-redxen-lxc/config

@@ -0,0 +1,13 @@
+lxc.net.0.type = none
+lxc.rootfs.path = dir:/containers/haproxy
+lxc.init.cmd = /usr/sbin/haproxy -Wf /etc/haproxy/main.cfg -p /run/haproxy.pid
+lxc.signal.halt = SIGTERM
+lxc.signal.reboot = SIGTERM
+lxc.tty.max = 1
+lxc.pty.max = 1
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
+lxc.mount.entry = shm dev/shm tmpfs defaults,create=dir 0 0
+lxc.mount.entry = tmpfs run tmpfs defaults,create=dir 0 0
+lxc.mount.entry = mqueue dev/mqueue mqueue defaults,optional,create=dir 0 0
+lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0

lxc-configs/haproxy-redxen-lxc/haproxy-redxen-lxc.post-deinstall

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/bin/rm /containers/haproxy -rf

lxc-configs/haproxy-redxen-lxc/haproxy-redxen-lxc.post-install

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/sbin/apk --allow-untrusted -p /containers/haproxy -X http://dl-cdn.alpinelinux.org/alpine/edge/main -X http://dl-cdn.alpinelinux.org/alpine/edge/community -X https://redxen.eu/pub/alpine/software-configs add --initdb haproxy-redxen-config

lxc-configs/hitch-redxen-lxc/APKBUILD

@@ -0,0 +1,22 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+pkgname=hitch-redxen-lxc
+pkgver=1
+pkgrel=0
+pkgdesc="Hitch LXC configuration files"
+url="https://git.redxen.eu/RedXen"
+arch="noarch"
+license="none"
+depends="lxc"
+options="!check"
+install="$pkgname.post-install $pkgname.post-deinstall"
+source="
+	config
+"
+
+package() {
+	install -dm755 "$pkgdir"/containers/hitch
+	install -Dm644 config "$pkgdir"/var/lib/lxc/hitch/config
+}
+
+sha512sums="3ffa1ad21c273a248a8d7884b32216bf4fe565d27fac9a5787a9ce14adfa04739cd2cd41871d3a79923d76a358a377ea1d71284f807434e5a5dfa0d46204ae82  config"

lxc-configs/hitch-redxen-lxc/config

@@ -0,0 +1,12 @@
+lxc.net.0.type = none
+lxc.rootfs.path = dir:/containers/hitch
+lxc.init.cmd = /usr/sbin/hitch --config=/etc/hitch/main.conf
+lxc.signal.halt = SIGTERM
+lxc.signal.reboot = SIGTERM
+lxc.tty.max = 1
+lxc.pty.max = 1
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
+lxc.mount.entry = shm dev/shm tmpfs defaults,create=dir 0 0
+lxc.mount.entry = mqueue dev/mqueue mqueue defaults,optional,create=dir 0 0
+lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0

lxc-configs/hitch-redxen-lxc/hitch-redxen-lxc.post-deinstall

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/bin/rm /containers/hitch -rf

lxc-configs/hitch-redxen-lxc/hitch-redxen-lxc.post-install

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/sbin/apk --allow-untrusted -p /containers/hitch -X http://dl-cdn.alpinelinux.org/alpine/edge/main -X http://dl-cdn.alpinelinux.org/alpine/edge/community -X https://redxen.eu/pub/alpine/software-configs add --initdb hitch-redxen-config

lxc-configs/unbound-redxen-lxc/APKBUILD

@@ -0,0 +1,22 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+pkgname=unbound-redxen-lxc
+pkgver=1
+pkgrel=0
+pkgdesc="Unbound LXC configuration files"
+url="https://git.redxen.eu/RedXen"
+arch="noarch"
+license="none"
+depends="lxc"
+options="!check"
+install="$pkgname.post-install $pkgname.post-deinstall"
+source="
+	config
+"
+
+package() {
+	install -dm755 "$pkgdir"/containers/unbound
+	install -Dm644 config "$pkgdir"/var/lib/lxc/unbound/config
+}
+
+sha512sums="8f0200fb4f116fbc330ca42c54f86b7abed3eb69f8b7a91028f05e47348408fb7d67c8ffa2ceabfa6715ad4ae44c1873ad917ce5f288be1a779db9852ddb9110  config"

lxc-configs/unbound-redxen-lxc/config

@@ -0,0 +1,12 @@
+lxc.net.0.type = none
+lxc.rootfs.path = dir:/containers/unbound
+lxc.init.cmd = /usr/sbin/unbound -c /etc/unbound/main.conf
+lxc.signal.halt = SIGTERM
+lxc.signal.reboot = SIGTERM
+lxc.tty.max = 1
+lxc.pty.max = 1
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
+lxc.mount.entry = shm dev/shm tmpfs defaults,create=dir 0 0
+lxc.mount.entry = mqueue dev/mqueue mqueue defaults,optional,create=dir 0 0
+lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0

lxc-configs/unbound-redxen-lxc/unbound-redxen-lxc.post-deinstall

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/bin/rm /containers/unbound -rf

lxc-configs/unbound-redxen-lxc/unbound-redxen-lxc.post-install

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/sbin/apk --allow-untrusted -p /containers/unbound -X http://dl-cdn.alpinelinux.org/alpine/edge/main -X http://dl-cdn.alpinelinux.org/alpine/edge/community -X https://redxen.eu/pub/alpine/software-configs add --initdb unbound-redxen-config

lxc-configs/varnish-redxen-lxc/APKBUILD

@@ -0,0 +1,22 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+pkgname=varnish-redxen-lxc
+pkgver=1
+pkgrel=0
+pkgdesc="Varnish LXC configuration files"
+url="https://git.redxen.eu/RedXen"
+arch="noarch"
+license="none"
+depends="lxc"
+options="!check"
+install="$pkgname.post-install $pkgname.post-deinstall"
+source="
+	config
+"
+
+package() {
+	install -dm755 "$pkgdir"/containers/varnish
+	install -Dm644 config "$pkgdir"/var/lib/lxc/varnish/config
+}
+
+sha512sums="f104312ae8f546b05aa090a0928211f2329fc5691bc42eab1b55a28a2228987c0c8377eb2f4868fd90b662add9e54e02a7e4b5f0771dc37d27b99e07a5376fdb  config"

lxc-configs/varnish-redxen-lxc/config

@@ -0,0 +1,12 @@
+lxc.net.0.type = none
+lxc.rootfs.path = dir:/containers/varnish
+lxc.init.cmd = /usr/sbin/varnishd -F -a localhost:7102,PROXY -p default_ttl=300 -p default_grace=240 -p default_keep=120 -p feature=+http2 -p tcp_fastopen=on -p nuke_limit=0 -f /etc/varnish/main.vcl
+lxc.signal.halt = SIGTERM
+lxc.signal.reboot = SIGTERM
+lxc.tty.max = 1
+lxc.pty.max = 1
+lxc.cap.drop = sys_module mac_admin mac_override sys_time
+lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
+lxc.mount.entry = shm dev/shm tmpfs defaults,create=dir 0 0
+lxc.mount.entry = mqueue dev/mqueue mqueue defaults,optional,create=dir 0 0
+lxc.mount.entry = /sys/kernel/security sys/kernel/security none ro,bind,optional 0 0

lxc-configs/varnish-redxen-lxc/varnish-redxen-lxc.post-deinstall

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/bin/rm /containers/varnish -rf

lxc-configs/varnish-redxen-lxc/varnish-redxen-lxc.post-install

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/sbin/apk --allow-untrusted -p /containers/varnish -X http://dl-cdn.alpinelinux.org/alpine/edge/main -X http://dl-cdn.alpinelinux.org/alpine/edge/community -X https://redxen.eu/pub/alpine/software-configs add --initdb varnish-redxen-config

software-configs/haproxy-redxen-config/APKBUILD

@@ -0,0 +1,23 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+pkgname=haproxy-redxen-config
+pkgver=1
+pkgrel=0
+pkgdesc="HAProxy frontend configuration"
+url="https://git.redxen.eu/RedXen"
+arch="noarch"
+license="none"
+depends="haproxy"
+source="main.cfg"
+
+check() {
+	haproxy -c -f main.cfg
+}
+
+package() {
+	install -d "$pkgdir"/etc/haproxy
+	install -Dm644 *.cfg "$pkgdir"/etc/haproxy
+}
+
+
+sha512sums="33d7b52a068edc80311ab7437d74928cc21812d830166e94de170c8f2ce7eab42a665631cf06efc39c525d7bfff78a85754633b8b5b5f2f49c108b9a60501e43  main.cfg"

software-configs/haproxy-redxen-config/main.cfg

@@ -0,0 +1,109 @@
+global
+  maxconn 2048
+  maxconnrate 40
+
+defaults
+  mode http
+  retries 1
+  option forwardfor
+  option http-keep-alive
+  option tcp-smart-connect
+  option tcpka
+  balance roundrobin
+  compression algo gzip
+  timeout http-request 10s
+  timeout connect 10s
+  timeout client 60s
+  timeout server 240s
+  timeout http-keep-alive 240s
+  default-server resolvers local init-addr libc,none resolve-opts prevent-dup-ip check
+
+  #errorfile 400 /etc/haproxy/errors/400.http
+  #errorfile 403 /etc/haproxy/errors/403.http
+  #errorfile 408 /etc/haproxy/errors/408.http
+  #errorfile 500 /etc/haproxy/errors/500.http
+  #errorfile 502 /etc/haproxy/errors/502.http
+  #errorfile 503 /etc/haproxy/errors/503.http
+  #errorfile 504 /etc/haproxy/errors/504.http
+
+resolvers local
+  nameserver unbound 127.0.0.1:53
+  resolve_retries 2
+  timeout retry 300ms
+  hold other           100ms
+  hold refused         100ms
+  hold nx              100ms
+  hold timeout         3s
+  hold valid           5s
+
+listen 0-dev
+  mode tcp
+  bind ipv4@*:2442,ipv6@*:2442
+  option tcp-check
+  server dev-0 10.0.0.10:2443 
+
+listen 1-social
+  mode tcp
+  bind ipv4@*:64738,ipv6@*:64738
+  option tcp-check
+  server social-0 10.0.0.10:6401 
+
+listen 2-games
+  mode tcp
+  bind ipv4@*:25565,ipv6@*:25565
+  option tcp-check
+  server games-0 10.0.0.7:25560 
+
+listen 3-games
+  mode tcp
+  bind ipv4@*:7777,ipv6@*:7777
+  option tcp-check
+  server games-0 10.0.0.7:7776 
+
+frontend http
+  mode http
+  bind /haproxy.sock mode 660 alpn h2,http/1.1
+
+  acl root url /
+
+  use_backend backend-grafana if { hdr_beg(host) -i stats }
+  use_backend backend-gitea if { hdr_beg(host) -i git }
+  use_backend backend-transmission if { hdr_beg(host) -i seed }
+  use_backend backend-seedown if { hdr_beg(host) -i sd }
+  use_backend backend-pleroma if { hdr_beg(host) -i social }
+  use_backend backend-homepage if { hdr(host) -i redxen.eu }
+  use_backend backend-deavmi-proxy if { hdr_beg(host) -i deavmi-proxy }
+
+  redirect prefix /web code 302  if { hdr_beg(host) -i seed } { url / }
+  http-response add-header X-Forwarded-Proto https
+  http-response set-header X-XSS-Protection 1;\ mode=block
+  http-response set-header X-Content-Type-Options nosniff
+  http-response set-header Referrer-Policy no-referrer-when-downgrade
+  http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
+
+backend backend-grafana
+  server-template grafana 5 _grafana._tcp.redxen.localhost
+  option httpchk HEAD / HTTP/1.1\r\nHost:\ stats.redxen.eu
+
+backend backend-gitea
+  server-template gitea 1 _gitea._tcp.redxen.localhost
+  option httpchk HEAD / HTTP/1.1\r\nHost:\ git.redxen.eu
+
+backend backend-transmission
+  server-template transmission 1 _transmission._tcp.redxen.localhost
+
+backend backend-seedown
+  server-template seedown 1 _seedown._tcp.redxen.localhost
+  option httpchk HEAD / HTTP/1.1\r\nHost:\ sd.redxen.eu
+
+backend backend-pleroma
+  server-template pleroma 1 _pleroma._tcp.redxen.localhost
+  option httpchk HEAD / HTTP/1.1\r\nHost:\ social.redxen.eu
+
+backend backend-homepage
+  server-template homepage 1 _homepage._tcp.redxen.localhost
+  option httpchk HEAD / HTTP/1.1\r\nHost:\ root.redxen.eu
+
+backend backend-deavmi-proxy
+  server-template deavmi-proxy 1 _deavmi-proxy._tcp.redxen.localhost
+  option httpchk HEAD / HTTP/1.1\r\nHost:\ deavmi-proxy.redxen.eu

software-configs/hitch-redxen-config/APKBUILD

@@ -0,0 +1,23 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+pkgname=hitch-redxen-config
+pkgver=1
+pkgrel=0
+pkgdesc="Hitch frontend configuration"
+url="https://git.redxen.eu/RedXen"
+arch="noarch"
+license="none"
+depends="hitch"
+source="main.conf"
+options="!check" # Certificate is not included in package
+
+check() {
+	hitch -t --config main.conf
+}
+
+package() {
+	install -Dm644 main.conf "$pkgdir"/etc/hitch/main.conf
+}
+
+
+sha512sums="0fc54fbc598b49d7d21cd536a96f0995b2abca1fe12fe13ca6d8b5d944de2ebcfba18a652633fd02b902b8c2621ed3cea001b6ef5555d68d6250dba23496741f  main.conf"

software-configs/hitch-redxen-config/main.conf

@@ -0,0 +1,6 @@
+alpn-protos = "h2,http/1.1"
+tls-protos = TLSv1.1 TLSv1.2
+ciphers = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
+pem-file = "/cert.pem"
+workers = 2
+write-proxy-v2 = on

software-configs/unbound-redxen-config/APKBUILD

@@ -0,0 +1,33 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+pkgname=unbound-redxen-config
+pkgver=1
+pkgrel=0
+pkgdesc="Unbound configurations and some other stuff."
+url="https://git.redxen.eu/RedXen"
+arch="noarch"
+license="none"
+depends="alpine-baselayout unbound ca-certificates-bundle dns-root-hints dnssec-root"
+source="
+	main.conf
+	base.conf
+	internal.conf
+	redxen-dns.conf
+"
+
+check() {
+	/usr/sbin/unbound-checkconf base.conf
+	/usr/sbin/unbound-checkconf internal.conf
+	/usr/sbin/unbound-checkconf redxen-dns.conf
+}
+
+package() {
+	install -d "$pkgdir"/etc/unbound
+	install -Dm644 *.conf "$pkgdir"/etc/unbound
+}
+
+
+sha512sums="0741bc9c6e94a656f35ae452288f0212a2a2df9eda3688a2d3f04012d686adee5f03e3e9f4c72685626f672baaacbd00be71ee0d8699989f47abfd34b72b2b3d  main.conf
+1c10935777559c174fc36a966e224e5e0ed23f197c209ce40e15312d28e1650293a487017f765da9ea5979ae8720af6af34aa4c6edbb4d0db1c3b00c1bcd7954  base.conf
+8b46eaad1ff1cde6d97ef12549b34da0d58f44ec08a9f47965e006f56e80c6a045a88b30ffd9c0f2b8051dd298861dc717bd98fe4c509d136fc9e1580c359713  internal.conf
+dc2ea0e9e1d4552927ea78f8cb2754284f3d9ce1c2390b3030e08ed6dfc63162764665579726fef8a27a52f12a89181a5008ccdb0b2f39886e11b2c898e0fc12  redxen-dns.conf"

software-configs/unbound-redxen-config/base.conf

@@ -0,0 +1,37 @@
+server:
+	access-control: 0.0.0.0/0 refuse_non_local
+	access-control: ::/0 refuse_non_local
+
+	# Local Host
+	access-control: 127.0.0.0/8 allow
+	#log-replies: yes
+	interface: 0.0.0.0
+	interface: ::0
+	extended-statistics: yes
+	rrset-roundrobin: yes
+	root-hints: /usr/share/dns-root-hints/named.root
+	trust-anchor-file: /usr/share/dnssec-root/trusted-key.key
+	tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	port: 53
+	prefetch: yes
+	prefetch-key: yes
+	do-daemonize: no
+	minimal-responses: no
+	logfile: ""
+	cache-min-ttl: 60
+	harden-glue: yes
+	aggressive-nsec: yes
+	serve-expired: yes
+	serve-expired-ttl: 86400
+	serve-expired-ttl-reset: yes
+remote-control:
+	control-enable: yes
+	control-use-cert: no
+	control-interface: 127.0.0.1
+forward-zone:
+	name: "."
+	forward-tls-upstream: yes
+	forward-addr: 2620:fe::fe@853#dns.quad9.net
+	forward-addr: 9.9.9.9@853#dns.quad9.net
+	forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
+	forward-addr: 1.1.1.1@853#cloudflare-dns.com

software-configs/unbound-redxen-config/internal.conf

@@ -0,0 +1,2 @@
+server:
+	local-zone: "redxen.localhost." static

software-configs/unbound-redxen-config/main.conf

@@ -0,0 +1,3 @@
+include: "/etc/unbound/base.conf"
+include: "/etc/unbound/internal.conf"
+include: "/etc/unbound/redxen-dns.conf"

software-configs/unbound-redxen-config/redxen-dns.conf

@@ -0,0 +1,28 @@
+server:
+	local-zone: "redxen.eu." static
+	local-data: "redxen.eu. IN SOA 8101153.nbg1-dc3.hetzner.redxen.eu admin.redxen.eu 2020102501 1800 120 604800 3600"
+
+	# Name servers
+	local-data: "redxen.eu. 10800 IN NS 8101153.nbg1-dc3.hetzner.redxen.eu"
+	local-data: "redxen.eu. 10800 IN NS 8201371.fsn1-dc14.hetzner.redxen.eu"
+
+	# Machines
+	local-data: "8101153.nbg1-dc3.hetzner.redxen.eu. 86400 IN A 94.130.110.3"
+	local-data: "8101153.nbg1-dc3.hetzner.redxen.eu. 86400 IN AAAA 2a01:4f8:c0c:9a10::1"
+	local-data: "8201371.fsn1-dc14.hetzner.redxen.eu. 86400 IN A 78.46.207.237"
+	local-data: "8201371.fsn1-dc14.hetzner.redxen.eu. 86400 IN AAAA 2a01:4f8:c17:436e::1"
+
+	# Familiar records
+	local-data: "lain.nurnberg.redxen.eu. 86400 IN CNAME 8101153.nbg1-dc3.hetzner.redxen.eu."
+	local-data: "arisu.falkenstein.redxen.eu. 86400 IN CNAME 8201371.fsn1-dc14.hetzner.redxen.eu."
+
+	# Services
+
+	# Mail
+	local-data: "redxen.eu. 86400 IN MX 10 8101153.nbg1-dc3.hetzner.redxen.eu."
+
+	local-data: 'redxen.eu. 86400 IN TXT "v=spf1 mx ip4:94.130.108.207 ip6:2a01:4f8:c0c:8d8d::1 -all" '
+	local-data: '_DMARC.redxen.eu. 86400 IN TXT "v=DMARC1; p=quarantine; rua=mailto:postmaster@redxen.eu; ruf=mailto:postmaster@redxen.eu; fo=1; pct=100" '
+        local-data: 'mail._domainkey.redxen.eu. 86400 IN TXT "v=DKIM1; h=sha256; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw8PakBAIZxmAmqyukuwZT92I5gsM8rCD2o+abGbtXSgNCXcKEz+sWZ6kY/EAO5ABxihjyXaETsVTBuoYB514GqCFM9mZNRHHKS87rAE" "/UcXUmgeydxPjqlRzEPxladjh2MhiQijT+XZzfyBVLdK9oYGPlol3VVKn48odiJIx4oRCdQhyiGTzkZGf6QMIJ5XwFqj66+Qv7OkyT6munKhFk974acL4MdL5H+LZwFAWYbRjx6j1zx3Hm7ua/EUHDcPYG6rFbJEwbyFvr1529u9H0OCn9fnIfzqMT+JEgKZRSgOWtK4jLuHcyrXTUkZzbmY8Eho+FxZszDEdvUmUQexKKQIDAQAB" '
+
+	# Custom records

software-configs/varnish-redxen-config/APKBUILD

@@ -0,0 +1,19 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+pkgname=varnish-redxen-config
+pkgver=1
+pkgrel=0
+pkgdesc="Varnish cache frontend configuration"
+url="https://git.redxen.eu/RedXen"
+arch="noarch"
+license="none"
+source="main.vcl"
+depends="varnish"
+options="!check" # Varnish doesn't have a way to test configs
+
+package() {
+	install -Dm644 main.vcl "$pkgdir"/etc/varnish/main.vcl
+}
+
+
+sha512sums="fda9cd828b8ebbfda54145d3a02ea5272c448220906a3f92ac40538561c6153f3fdf1eea3971c8da91a1b3fbdbaf63c55e0141a6016ade2bb7565c4ccf6c37c4  main.vcl"

software-configs/varnish-redxen-config/main.vcl

@@ -0,0 +1,72 @@
+vcl 4.1;
+import std;
+
+backend default {
+	.path			= "127.0.0.1:7204";
+	.max_connections	= 300;
+	.first_byte_timeout	= 240s;
+	.connect_timeout	= 10s;
+	.between_bytes_timeout	= 2s;
+}
+sub vcl_recv {
+	unset req.http.user-agent;
+	if (	req.method != "GET" &&
+		req.method != "HEAD" &&
+		req.method != "PUT" &&
+		req.method != "POST" &&
+		req.method != "TRACE" &&
+		req.method != "OPTIONS" &&
+		req.method != "PATCH" &&
+		req.method != "DELETE") {
+			return (pipe);
+	}
+	if (req.method == "GET" || req.method == "HEAD") {
+		return (hash);
+	}
+	return (pass);
+}
+sub vcl_hash {
+	hash_data(req.url);
+	hash_data(req.http.host);
+	if (req.http.cookie ~ "pleroma_key|gitea_incredible|grafana_session") {
+		hash_data(req.http.cookie);
+	}
+	if (req.http.authorization) {
+		hash_data(req.http.authorization);
+	}
+	return (lookup);
+}
+sub vcl_backend_response {
+	set beresp.do_stream = false;
+	set beresp.do_gzip = true;
+	if (beresp.status == 500 || beresp.status == 502 || beresp.status == 503 || beresp.status == 504) {
+		if (bereq.is_bgfetch){
+			return (abandon);
+		}
+		set beresp.uncacheable = true;
+		return (deliver);
+	}
+	if (beresp.http.Set-Cookie || beresp.http.Cache-Control ~ "no-cache|no-store|private") {
+		set beresp.uncacheable = true;
+		return (deliver);
+	}
+	if (beresp.http.ETag || beresp.http.Last-Modified || bereq.http.If-Modified-Since) {
+		set beresp.grace = 1h;
+		set beresp.keep = 12h;
+	}
+	if (beresp.status == 301) {
+		set beresp.ttl = 24h;
+	}
+	return (deliver);
+}
+sub vcl_deliver {
+	if (req.proto ~ "HTTP/2.0" && resp.http.keep-alive) {
+		unset resp.http.keep-alive;
+	}
+	if (obj.hits > 0) {
+		set resp.http.X-Cache = "HIT";
+	} else {
+		set resp.http.X-Cache = "MISS";
+	}
+	return (deliver);
+}