Proxmox Infrastruktur - Vollstaendige Konfiguration

Enthaelt: - Docker Compose mit allen Services (Nextcloud, Vaultwarden, n8n, etc.) - nginx Reverse Proxy Konfiguration mit Rate Limiting - WireGuard VPN Template - Backup und Health-Check Scripts - Deployment Script - Ausfuehrliche Dokumentation und Troubleshooting Guide Services: - Isolierte Netzwerke pro Service - Resource Limits (CPU/Memory) - Health Checks - Logging Konfiguration Sicherheit: - .env Template ohne Secrets - Rate Limiting auf nginx - TLS 1.2+ only - Security Headers 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-28 17:12:43 +01:00
commit 364e058b8c
11 changed files with 1686 additions and 0 deletions
--- a/configs/nginx/nginx.conf
+++ b/configs/nginx/nginx.conf
@@ -0,0 +1,177 @@
+# nginx Reverse Proxy Konfiguration
+# Pfad auf VPS: C:\nginx\conf\nginx.conf
+# Server: Windows VPS 217.154.65.205
+
+worker_processes 1;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+    sendfile      on;
+    keepalive_timeout 65;
+    client_max_body_size 10G;
+    server_names_hash_bucket_size 64;
+
+    # Security Headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+
+    # Rate Limiting
+    limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
+    limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
+
+    # ============================================
+    # HTTP -> HTTPS Redirects
+    # ============================================
+    server {
+        listen 80;
+        server_name eckardt-vault.duckdns.org;
+        location /.well-known/acme-challenge/ {
+            alias C:/nginx/html/.well-known/acme-challenge/;
+        }
+        location / {
+            return 301 https://eckardt-vault.duckdns.org$request_uri;
+        }
+    }
+
+    server {
+        listen 80;
+        server_name eckardt-cloud.duckdns.org;
+        location /.well-known/acme-challenge/ {
+            alias C:/nginx/html/.well-known/acme-challenge/;
+        }
+        location / {
+            return 301 https://eckardt-cloud.duckdns.org$request_uri;
+        }
+    }
+
+    server {
+        listen 80;
+        server_name eckardt-git.duckdns.org;
+        location /.well-known/acme-challenge/ {
+            alias C:/nginx/html/.well-known/acme-challenge/;
+        }
+        location / {
+            return 301 https://eckardt-git.duckdns.org$request_uri;
+        }
+    }
+
+    # ============================================
+    # eckardt-vault.duckdns.org - Main Services
+    # ============================================
+    server {
+        listen 443 ssl http2;
+        server_name eckardt-vault.duckdns.org;
+
+        ssl_certificate C:/nginx/ssl/eckardt-vault.duckdns.org-chain.pem;
+        ssl_certificate_key C:/nginx/ssl/eckardt-vault.duckdns.org-key.pem;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+        ssl_prefer_server_ciphers off;
+
+        # Vaultwarden - Password Manager
+        location /vault/ {
+            limit_req zone=login burst=5 nodelay;
+            proxy_pass http://10.0.0.2:8083/;
+            proxy_ssl_verify off;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        # n8n - Workflow Automation
+        location /n8n/ {
+            limit_req zone=general burst=20 nodelay;
+            proxy_pass http://10.0.0.2:5678/;
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        # API - FastAPI Backend
+        location /api/ {
+            limit_req zone=general burst=50 nodelay;
+            proxy_pass http://10.0.0.2:8000/;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        # Websites - Static Content (Default)
+        location / {
+            limit_req zone=general burst=20 nodelay;
+            proxy_pass http://10.0.0.2:8082/;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+    }
+
+    # ============================================
+    # eckardt-cloud.duckdns.org - Nextcloud
+    # ============================================
+    server {
+        listen 443 ssl http2;
+        server_name eckardt-cloud.duckdns.org;
+
+        ssl_certificate C:/nginx/ssl/eckardt-cloud.duckdns.org-chain.pem;
+        ssl_certificate_key C:/nginx/ssl/eckardt-cloud.duckdns.org-key.pem;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+        ssl_prefer_server_ciphers off;
+
+        location / {
+            limit_req zone=general burst=50 nodelay;
+            proxy_pass http://10.0.0.2:8081/;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            # Nextcloud specific
+            proxy_max_temp_file_size 10240m;
+            proxy_connect_timeout 300;
+            proxy_send_timeout 300;
+            proxy_read_timeout 300;
+        }
+    }
+
+    # ============================================
+    # eckardt-git.duckdns.org - Gitea
+    # ============================================
+    server {
+        listen 443 ssl http2;
+        server_name eckardt-git.duckdns.org;
+
+        ssl_certificate C:/nginx/ssl/eckardt-git.duckdns.org-chain.pem;
+        ssl_certificate_key C:/nginx/ssl/eckardt-git.duckdns.org-key.pem;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+        ssl_prefer_server_ciphers off;
+
+        location / {
+            limit_req zone=general burst=30 nodelay;
+            proxy_pass http://10.0.0.2:3000/;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            client_max_body_size 1G;
+        }
+    }
+}
--- a/configs/wireguard/wg0.conf.template
+++ b/configs/wireguard/wg0.conf.template
@@ -0,0 +1,32 @@
+# WireGuard Konfiguration - Proxmox Client
+# Pfad auf Proxmox: /etc/wireguard/wg0.conf
+#
+# WICHTIG: PrivateKey und PublicKey muessen fuer jede Installation
+#          neu generiert werden!
+#
+# Keys generieren:
+#   wg genkey | tee privatekey | wg pubkey > publickey
+#
+# Aktivieren:
+#   systemctl enable wg-quick@wg0
+#   systemctl start wg-quick@wg0
+
+[Interface]
+# Eigener Private Key (GEHEIM!)
+PrivateKey = <PRIVATE_KEY_HIER>
+
+# IP im WireGuard Tunnel-Netzwerk
+Address = 10.0.0.2/24
+
+[Peer]
+# Public Key des VPS Servers
+PublicKey = <VPS_PUBLIC_KEY_HIER>
+
+# VPS Server IP und Port
+Endpoint = 217.154.65.205:51820
+
+# Erlaubte IPs (nur Tunnel-Netzwerk)
+AllowedIPs = 10.0.0.0/24
+
+# Keepalive fuer NAT-Traversal
+PersistentKeepalive = 25