From 4b5ed5c8a5c35f14a17270df2d86c02e4e165b04 Mon Sep 17 00:00:00 2001
From: Jef Roosens <roosensjef@gmail.com>
Date: Mon, 14 Apr 2025 14:21:00 +0200
Subject: [PATCH 1/2] webdav: add config

---
 group_vars/nas/vars.yml                       |   4 +
 group_vars/nas/vault.yml                      |  79 ++++++------
 hosts.ini                                     |   3 +
 nas.yml                                       |   6 +
 roles/webdav-web/meta/main.yml                |   3 +
 roles/webdav-web/tasks/main.yml               |   9 ++
 .../webdav-web/templates/webdav.Caddyfile.j2  |   5 +
 roles/webdav/files/webdav.data.backup.sh      |  12 ++
 roles/webdav/files/webdav.service             |  15 +++
 roles/webdav/handlers/main.yml                |   5 +
 roles/webdav/tasks/main.yml                   | 117 ++++++++++++++++++
 roles/webdav/templates/config.toml.j2         |  31 +++++
 web.yml                                       |  10 +-
 13 files changed, 260 insertions(+), 39 deletions(-)
 create mode 100644 roles/webdav-web/meta/main.yml
 create mode 100644 roles/webdav-web/tasks/main.yml
 create mode 100644 roles/webdav-web/templates/webdav.Caddyfile.j2
 create mode 100644 roles/webdav/files/webdav.data.backup.sh
 create mode 100644 roles/webdav/files/webdav.service
 create mode 100644 roles/webdav/handlers/main.yml
 create mode 100644 roles/webdav/tasks/main.yml
 create mode 100644 roles/webdav/templates/config.toml.j2

diff --git a/group_vars/nas/vars.yml b/group_vars/nas/vars.yml
index aa8f893..25ec871 100644
--- a/group_vars/nas/vars.yml
+++ b/group_vars/nas/vars.yml
@@ -16,3 +16,7 @@ ntfy_user_pi_pass: "{{ vault_ntfy_user_pi_pass }}"
 
 nefarious_admin_user: "{{ vault_nefarious_admin_user }}"
 nefarious_admin_pass: "{{ vault_nefarious_admin_pass }}"
+
+webdav_version: '5.7.4'
+webdav_user: "{{ vault_webdav_user }}"
+webdav_password_bcrypt: "{{ vault_webdav_password_bcrypt }}"
diff --git a/group_vars/nas/vault.yml b/group_vars/nas/vault.yml
index 5e2ebbf..b4eda49 100644
--- a/group_vars/nas/vault.yml
+++ b/group_vars/nas/vault.yml
@@ -1,38 +1,43 @@
 $ANSIBLE_VAULT;1.1;AES256
-39383533373564616531386363393531386339396563323835666338383434623366623336343532
-3265343939376332323938613039623439666465656133330a396635613563376263386234396535
-62363264613634323430353131366634303662616564316632373033336262316636663334333232
-3562613462313337390a636533336265656266303766333661326438306166663837313335373862
-35333761653937393338393430363932336238323239623036346139303336653764316637373966
-32316462616263363336316134393262356336373763663165353132396539653336326632376665
-37666534666331343062353535303965373231643762396535623035313231303761393362653665
-38363761383531663862663166363866333434376439643066353666316365306366656564656531
-65656333313637303561656161383335343331303932373130666537323863323634343839666235
-66353562323636663261356162363736616131646561623262363739356231613365626339383934
-62306137613462656565646439656564396430636530306165613364303534303061346461623964
-64396262396136393266356434356365653663376434643033363032376231643162373433393337
-35663932633161336137336533316430346133363434346661373935326236326330346461306663
-62316632313433333162383234333665653135353061653830313032326437383139386135376136
-64333334366531646164393839663839646634636338373838333739346364363233346533323464
-62646234636566656665353331346236316137323734383136363036303338643535376633353033
-30633839383230613363613433343566333664383036666532393830303433373733343330303165
-37626438316236666463393762353734393637346530343364646137383532666530333862643266
-30376131343037383030393435366431383436366266623733346337623364303761623933396236
-65393937666231656232366439333934333265653834646430313666396630656133613663323034
-30373235303535613262616331343935373862386465616365326166656263326537373030386232
-32323833653066666534393938363363363031313664313264653863333931333438333835653466
-36376263373362306334346635613636656664646437626432353435363563376436616635373364
-38666430613239336130393132646562666335663930653362356363383034383635626361353161
-66626364633762396464353662633161616136323064383037323733306165333961636238363163
-32326538373031336639626666653836366232366537393032386465383735363731386632343536
-39653236636366633166323834366237376536343130376462626561326230393937323033303437
-66623861663964663964643436363038313065633234626463363538323938373336326134303263
-31366163623164326635386564656265306332666135623461663839633966623965383761643033
-64653662343935613666636537366565663262393731336565646138313637323763656633396366
-32613966323964323630366239393139366339613462356566656465323436376137303739343638
-64303437666338666463316439623030323232343437303635666661643430323535653162303465
-62633932336636646462376562653461306135646133386339356538343134353264626165373939
-61383636376438613037636466633263326437373033643033353262613336326361393134316236
-62616431656431323061613562373036353739346361346566353236646565613661303832366464
-30376234303631363434376338343938303534383637366561383437353161383239383836636465
-6231
+61313631626664383562666362636266653966633162646535656238616132333434366633373563
+6131663830316134363130396265393636613631396339340a356137323363316565626234303233
+33393461623663303939386465396361656131333533326166353365376132396531643732373330
+6338386366613665320a333365333263663038343265323862633162386561636332323438323030
+37663434643038333861313563363261613631643939646534646338326432326633356166616232
+34636164663166366530343562366364663538303931666534343262323633633139363137653830
+33663830333164313531366563346235313032313264663163386234383465323739323165613161
+38376437356662313865303065393832623638386335303031376238383964313034636363613430
+62396435643662323936393339653561333163616563346636343066643561643566303234303465
+32356132393434346465666261373830386230373933343561376334393334646565353763363066
+63313763306232353434363139333135653034373336626565343538653564323165613738623662
+61393162383837363464653439373339303832363134396330316166333734373735666634393732
+62653835363461666633613833626435653637306132623736346662323730623732323636316533
+36393533353539396562376636656661383766343235653663343662613130633130306162646134
+30366239336566326461343136313264326532303962613034393335626565326261366636393238
+62666534653839323263393535316564626362633065393861663062666335666637346539303565
+31656339376463646534386663333332373130353131646561663136383562613137383837366336
+63616536653834333634396431643232613832633064656162346465363133356637653438363138
+30303466323031353265643134636138656664356463633430643465383534363836633436306537
+35326565363637626165346265333461633261393834656263666339306163393466326131663166
+36353937396630323733346532306331656131373634343538363835656163633061633537396137
+63366333616265313737613264653563333232393136396437316131656639383935343833616130
+33613566343330613032666632643634613239393963616566353332643931656134386336363363
+34623635633166633339313734323335656137623631383539636338393432353665363835643465
+37363762316136616631656364643763643365393662373531343362313466653366363765396261
+31656466343461316434326432346334313136373237393438373636393631356236303234343263
+38616138386536343265303539386564383939636262646134613736393437653564363137653865
+38656232383564373739376234646338323432623437643362366630373731306136623636303865
+65613134396538343430373438663862333338303030326233626534393865656633376663363961
+65343630356635366663346132626661663036653036323233333261316635363933376634303066
+30323666303737396338386365336533376262363739313837636239626263333931396262313430
+66626337386639366531363539633337333834333063326463616634376230653264623339666430
+37393163306562646138353536313561646266303732393637373634363735613131396465656436
+39323966623134316632346131363865396534623261373832326564393161666636393030336335
+37646266373939303530396138396465663733376433646332326634383166323961353435303235
+33616637306334303934366466313261666264653236616335373330313631663037363632613535
+37663138396131343265376430333264336534633238356264613562643835316134306664653830
+62633766306231363635323364313438323161356331636135633832353238353036363362666463
+31353133626365373932336231343736383133323037663163636337336262653862643362353931
+62373062386264366161616230336464386662643836646436366338323861303336313733656333
+31303737643033623962366133653462626162363834333066383333633362333738373235613838
+6163386237363932613938316164333535636161306131643835
diff --git a/hosts.ini b/hosts.ini
index 216a1f0..040cf2f 100644
--- a/hosts.ini
+++ b/hosts.ini
@@ -50,3 +50,6 @@
 
 [otter]
 192.168.0.2 static_ip=192.168.0.2
+
+[webdav]
+192.168.0.3 static_ip=192.168.0.3
diff --git a/nas.yml b/nas.yml
index 251f022..549a52c 100644
--- a/nas.yml
+++ b/nas.yml
@@ -100,3 +100,9 @@
   roles:
     - actual
   tags: actual
+
+- hosts: nas
+  become: yes
+  roles:
+    - webdav
+  tags: webdav
diff --git a/roles/webdav-web/meta/main.yml b/roles/webdav-web/meta/main.yml
new file mode 100644
index 0000000..1dbd0f6
--- /dev/null
+++ b/roles/webdav-web/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: caddy
diff --git a/roles/webdav-web/tasks/main.yml b/roles/webdav-web/tasks/main.yml
new file mode 100644
index 0000000..5c0a310
--- /dev/null
+++ b/roles/webdav-web/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Ensure Caddyfile is present
+  template:
+    src: 'webdav.Caddyfile.j2'
+    dest: '/etc/caddy/webdav.Caddyfile'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: caddy-reload
diff --git a/roles/webdav-web/templates/webdav.Caddyfile.j2 b/roles/webdav-web/templates/webdav.Caddyfile.j2
new file mode 100644
index 0000000..614f114
--- /dev/null
+++ b/roles/webdav-web/templates/webdav.Caddyfile.j2
@@ -0,0 +1,5 @@
+webdav.roosens.me {
+    reverse_proxy {{ hostvars[groups['webdav'][0]].static_ip }}:8018 {
+        header_down +X-Robots-Tag "none"
+    }
+}
diff --git a/roles/webdav/files/webdav.data.backup.sh b/roles/webdav/files/webdav.data.backup.sh
new file mode 100644
index 0000000..b3c92bd
--- /dev/null
+++ b/roles/webdav/files/webdav.data.backup.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+data_dir='/mnt/data1/webdav/data'
+snapshot_dir="${data_dir}.snapshot"
+
+# Read-only snapshot for atomic backup
+btrfs subvolume snapshot -r "$data_dir" "$snapshot_dir" || exit $?
+
+/usr/local/bin/restic backup "$snapshot_dir"
+
+# Always remove snapshot subvolume, even if restic fails
+btrfs subvolume delete "$snapshot_dir"
diff --git a/roles/webdav/files/webdav.service b/roles/webdav/files/webdav.service
new file mode 100644
index 0000000..3827626
--- /dev/null
+++ b/roles/webdav/files/webdav.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=WebDAV
+After=network.target network-online.target
+Requires=network-online.target
+
+[Service]
+Type=exec
+User=webdav
+Group=webdav
+ExecStart=/usr/local/bin/webdav --config /etc/webdav/config.toml
+
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/webdav/handlers/main.yml b/roles/webdav/handlers/main.yml
new file mode 100644
index 0000000..79a1cfa
--- /dev/null
+++ b/roles/webdav/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: 'restart webdav'
+  ansible.builtin.service:
+    name: 'webdav'
+    state: 'restarted'
diff --git a/roles/webdav/tasks/main.yml b/roles/webdav/tasks/main.yml
new file mode 100644
index 0000000..afa6233
--- /dev/null
+++ b/roles/webdav/tasks/main.yml
@@ -0,0 +1,117 @@
+---
+# Download latest version of binary
+- name: Ensure download directory is present
+  ansible.builtin.file:
+    path: "/home/debian/webdav/{{ webdav_version }}"
+    state: directory
+    mode: '0755'
+
+- name: Ensure compressed binary is downloaded
+  ansible.builtin.get_url:
+    url: "https://github.com/hacdias/webdav/releases/download/v{{ webdav_version }}/linux-arm64-webdav.tar.gz"
+    dest: "/home/debian/webdav/{{ webdav_version }}/webdav-{{ webdav_version }}.tar.gz"
+  register: res
+
+- name: Ensure binary is decompressed
+  ansible.builtin.shell:
+    chdir: "/home/debian/webdav/{{ webdav_version }}"
+    cmd: "tar --extract --gzip --file webdav-{{ webdav_version }}.tar.gz"
+  when: 'res.changed'
+
+- name: Ensure binary is copied to correct location
+  ansible.builtin.copy:
+    src: "/home/debian/webdav/{{ webdav_version }}/webdav"
+    remote_src: true
+    dest: '/usr/local/bin/webdav'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: 'res.changed'
+  notify: 'restart webdav'
+
+
+# Set up system user and data directories
+- name: Ensure system group exists
+  ansible.builtin.group:
+    name: 'webdav'
+    gid: 5000
+    system: true
+    state: present
+
+- name: Ensure system user exists
+  ansible.builtin.user:
+    name: 'webdav'
+    group: 'webdav'
+    uid: 5000
+    system: true
+    create_home: false
+
+- name: Ensure data directory is present
+  ansible.builtin.file:
+    path: '/mnt/data1/webdav'
+    state: directory
+    mode: '0755'
+    owner: 'webdav'
+    group: 'webdav'
+
+- name: Ensure data subvolumes are present
+  community.general.btrfs_subvolume:
+    name: '/webdav/{{ item }}'
+  loop:
+    - 'data'
+
+- name: Ensure subvolume permissions are correct
+  ansible.builtin.file:
+    path: "/mnt/data1/webdav/{{ item }}"
+    state: directory
+    mode: '0755'
+    owner: 'webdav'
+    group: 'webdav'
+  loop:
+    - 'data'
+
+
+# Set up configuration, backup scripts and systemd service
+- name: Ensure configuration directory is present
+  ansible.builtin.file:
+    path: '/etc/webdav'
+    state: directory
+    mode: '0755'
+
+- name: Ensure config file is present
+  ansible.builtin.template:
+    src: 'config.toml.j2'
+    dest: '/etc/webdav/config.toml'
+    mode: '0644'
+    owner: 'root'
+    group: 'root'
+  notify: 'restart webdav'
+
+- name: Ensure backup scripts are present
+  ansible.builtin.copy:
+    src: "webdav.{{ item }}.backup.sh"
+    dest: "/etc/backups/webdav.{{ item }}.backup.sh"
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  loop:
+    - 'data'
+
+- name: Ensure service file is present
+  ansible.builtin.copy:
+    src: 'webdav.service'
+    dest: '/lib/systemd/system/webdav.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  register: res
+
+- name: systemd-reload
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+  when: 'res.changed'
+
+- name: Ensure webdav service is enabled
+  ansible.builtin.service:
+    name: 'webdav'
+    enabled: true
diff --git a/roles/webdav/templates/config.toml.j2 b/roles/webdav/templates/config.toml.j2
new file mode 100644
index 0000000..6c41282
--- /dev/null
+++ b/roles/webdav/templates/config.toml.j2
@@ -0,0 +1,31 @@
+address = '0.0.0.0'
+port = 8018
+
+# Handled by reverse proxy
+tls = false
+
+prefix = '/'
+debug = false
+noSniff = false
+
+behindProxy = true
+directory = '/mnt/data1/webdav/data'
+
+permissions = 'R'
+rulesBehavior = 'overwrite'
+
+[log]
+format = 'console'
+# Color output isn't useful when ingested via systemd
+colors = false
+outputs = ['stdout']
+
+[cors]
+enabled = false
+
+[[users]]
+username = '{{ webdav_user }}'
+password = '{bcrypt}{{ webdav_password_bcrypt }}'
+permissions = 'CRUD'
+
+# vim: ft=toml
diff --git a/web.yml b/web.yml
index 989a5ad..da6bc2c 100644
--- a/web.yml
+++ b/web.yml
@@ -80,5 +80,11 @@
 - hosts: web
   become: yes
   roles:
-    - otter-web
-  tags: otter
+    - webdav-web
+  tags: webdav
+
+# - hosts: web
+#   become: yes
+#   roles:
+#     - otter-web
+#   tags: otter

From 0c75bd0c26b9692199c4844d598c47e18df3315f Mon Sep 17 00:00:00 2001
From: Jef Roosens <roosensjef@gmail.com>
Date: Mon, 14 Apr 2025 14:21:17 +0200
Subject: [PATCH 2/2] all: forbid scraping on all services

---
 roles/actual-web/templates/actual.Caddyfile.j2             | 4 +++-
 roles/atuin-server-web/templates/atuin-server.Caddyfile.j2 | 4 +++-
 roles/baikal-web/templates/baikal.Caddyfile.j2             | 4 +++-
 roles/calathea-web/templates/calathea.Caddyfile.j2         | 4 +++-
 roles/gitea-web/templates/gitea.Caddyfile.j2               | 4 +++-
 roles/kanboard-web/templates/kanboard.Caddyfile.j2         | 4 +++-
 roles/lander-web/templates/lander.Caddyfile.j2             | 4 +++-
 roles/matrix-web/templates/matrix.Caddyfile.j2             | 4 +++-
 roles/miniflux-web/templates/miniflux.Caddyfile.j2         | 4 +++-
 roles/monica-web/templates/monica.Caddyfile.j2             | 4 +++-
 roles/nefarious-web/templates/nefarious.Caddyfile.j2       | 4 +++-
 roles/ntfy-server-web/templates/ntfy-server.Caddyfile.j2   | 4 +++-
 roles/photoview-web/templates/photoview.Caddyfile.j2       | 4 +++-
 13 files changed, 39 insertions(+), 13 deletions(-)

diff --git a/roles/actual-web/templates/actual.Caddyfile.j2 b/roles/actual-web/templates/actual.Caddyfile.j2
index 18b6197..d036dcf 100644
--- a/roles/actual-web/templates/actual.Caddyfile.j2
+++ b/roles/actual-web/templates/actual.Caddyfile.j2
@@ -1,3 +1,5 @@
 actual.roosens.me {
-    reverse_proxy {{ hostvars[groups['actual'][0]].static_ip }}:8014
+    reverse_proxy {{ hostvars[groups['actual'][0]].static_ip }}:8014 {
+        header_down +X-Robots-Tag "none"
+    }
 }
diff --git a/roles/atuin-server-web/templates/atuin-server.Caddyfile.j2 b/roles/atuin-server-web/templates/atuin-server.Caddyfile.j2
index 01b7342..83a0179 100644
--- a/roles/atuin-server-web/templates/atuin-server.Caddyfile.j2
+++ b/roles/atuin-server-web/templates/atuin-server.Caddyfile.j2
@@ -1,3 +1,5 @@
 atuin.roosens.me {
-    reverse_proxy {{ hostvars[groups['atuin-server'][0]].static_ip }}:8009
+    reverse_proxy {{ hostvars[groups['atuin-server'][0]].static_ip }}:8009 {
+        header_down +X-Robots-Tag "none"
+    }
 }
diff --git a/roles/baikal-web/templates/baikal.Caddyfile.j2 b/roles/baikal-web/templates/baikal.Caddyfile.j2
index 0ed7d65..a85d875 100644
--- a/roles/baikal-web/templates/baikal.Caddyfile.j2
+++ b/roles/baikal-web/templates/baikal.Caddyfile.j2
@@ -1,3 +1,5 @@
 dav.roosens.me {
-    reverse_proxy {{ hostvars[groups['baikal'][0]].static_ip }}:8005
+    reverse_proxy {{ hostvars[groups['baikal'][0]].static_ip }}:8005 {
+        header_down +X-Robots-Tag "none"
+    }
 }
diff --git a/roles/calathea-web/templates/calathea.Caddyfile.j2 b/roles/calathea-web/templates/calathea.Caddyfile.j2
index dd1eec5..3731602 100644
--- a/roles/calathea-web/templates/calathea.Caddyfile.j2
+++ b/roles/calathea-web/templates/calathea.Caddyfile.j2
@@ -1,3 +1,5 @@
 plants.roosens.me {
-    reverse_proxy {{ hostvars[groups['calathea'][0]].static_ip }}:8013
+    reverse_proxy {{ hostvars[groups['calathea'][0]].static_ip }}:8013 {
+        header_down +X-Robots-Tag "none"
+    }
 }
diff --git a/roles/gitea-web/templates/gitea.Caddyfile.j2 b/roles/gitea-web/templates/gitea.Caddyfile.j2
index b2c1cd3..0f0220b 100644
--- a/roles/gitea-web/templates/gitea.Caddyfile.j2
+++ b/roles/gitea-web/templates/gitea.Caddyfile.j2
@@ -1,3 +1,5 @@
 git.rustybever.be {
-    reverse_proxy {{ hostvars[groups['gitea'][0]].static_ip }}:8010
+    reverse_proxy {{ hostvars[groups['gitea'][0]].static_ip }}:8010 {
+        header_down +X-Robots-Tag "none"
+    }
 }
diff --git a/roles/kanboard-web/templates/kanboard.Caddyfile.j2 b/roles/kanboard-web/templates/kanboard.Caddyfile.j2
index 93c6727..133c74f 100644
--- a/roles/kanboard-web/templates/kanboard.Caddyfile.j2
+++ b/roles/kanboard-web/templates/kanboard.Caddyfile.j2
@@ -1,3 +1,5 @@
 kanban.roosens.me {
-    reverse_proxy {{ hostvars[groups['kanboard'][0]].static_ip }}:8011
+    reverse_proxy {{ hostvars[groups['kanboard'][0]].static_ip }}:8011 {
+        header_down +X-Robots-Tag "none"
+    }
 }
diff --git a/roles/lander-web/templates/lander.Caddyfile.j2 b/roles/lander-web/templates/lander.Caddyfile.j2
index f379beb..3dd275d 100644
--- a/roles/lander-web/templates/lander.Caddyfile.j2
+++ b/roles/lander-web/templates/lander.Caddyfile.j2
@@ -1,3 +1,5 @@
 s.roosens.me {
-    reverse_proxy {{ groups['lander'][0] }}:18080
+    reverse_proxy {{ groups['lander'][0] }}:18080 {
+        header_down +X-Robots-Tag "none"
+    }
 }
diff --git a/roles/matrix-web/templates/matrix.Caddyfile.j2 b/roles/matrix-web/templates/matrix.Caddyfile.j2
index f3a189a..233af66 100644
--- a/roles/matrix-web/templates/matrix.Caddyfile.j2
+++ b/roles/matrix-web/templates/matrix.Caddyfile.j2
@@ -1,3 +1,5 @@
 matrix.rustybever.be {
-    reverse_proxy {{ hostvars[groups['matrix'][0]].static_ip }}:8004
+    reverse_proxy {{ hostvars[groups['matrix'][0]].static_ip }}:8004 {
+        header_down +X-Robots-Tag "none"
+    }
 }
diff --git a/roles/miniflux-web/templates/miniflux.Caddyfile.j2 b/roles/miniflux-web/templates/miniflux.Caddyfile.j2
index ec1f840..24b25d6 100644
--- a/roles/miniflux-web/templates/miniflux.Caddyfile.j2
+++ b/roles/miniflux-web/templates/miniflux.Caddyfile.j2
@@ -1,3 +1,5 @@
 nws.roosens.me {
-    reverse_proxy {{ hostvars[groups['miniflux'][0]].static_ip }}:8002
+    reverse_proxy {{ hostvars[groups['miniflux'][0]].static_ip }}:8002 {
+        header_down +X-Robots-Tag "none"
+    }
 }
diff --git a/roles/monica-web/templates/monica.Caddyfile.j2 b/roles/monica-web/templates/monica.Caddyfile.j2
index 416a1d7..978b6fa 100644
--- a/roles/monica-web/templates/monica.Caddyfile.j2
+++ b/roles/monica-web/templates/monica.Caddyfile.j2
@@ -1,3 +1,5 @@
 prm.roosens.me {
-    reverse_proxy {{ groups['monica'][0] }}:8001
+    reverse_proxy {{ groups['monica'][0] }}:8001 {
+        header_down +X-Robots-Tag "none"
+    }
 }
diff --git a/roles/nefarious-web/templates/nefarious.Caddyfile.j2 b/roles/nefarious-web/templates/nefarious.Caddyfile.j2
index 9fbcb26..d3b32cc 100644
--- a/roles/nefarious-web/templates/nefarious.Caddyfile.j2
+++ b/roles/nefarious-web/templates/nefarious.Caddyfile.j2
@@ -1,3 +1,5 @@
 nf.roosens.me {
-    reverse_proxy {{ hostvars[groups['nefarious'][0]].static_ip }}:8006
+    reverse_proxy {{ hostvars[groups['nefarious'][0]].static_ip }}:8006 {
+        header_down +X-Robots-Tag "none"
+    }
 }
diff --git a/roles/ntfy-server-web/templates/ntfy-server.Caddyfile.j2 b/roles/ntfy-server-web/templates/ntfy-server.Caddyfile.j2
index 437bf11..34e0798 100644
--- a/roles/ntfy-server-web/templates/ntfy-server.Caddyfile.j2
+++ b/roles/ntfy-server-web/templates/ntfy-server.Caddyfile.j2
@@ -1,3 +1,5 @@
 ntfy.roosens.me {
-    reverse_proxy {{ hostvars[groups['ntfyserver'][0]].static_ip }}:8003
+    reverse_proxy {{ hostvars[groups['ntfyserver'][0]].static_ip }}:8003 {
+        header_down +X-Robots-Tag "none"
+    }
 }
diff --git a/roles/photoview-web/templates/photoview.Caddyfile.j2 b/roles/photoview-web/templates/photoview.Caddyfile.j2
index 3fa63be..03e7e23 100644
--- a/roles/photoview-web/templates/photoview.Caddyfile.j2
+++ b/roles/photoview-web/templates/photoview.Caddyfile.j2
@@ -1,3 +1,5 @@
 photos.roosens.me {
-    reverse_proxy {{ hostvars[groups['photoview'][0]].static_ip }}:8012
+    reverse_proxy {{ hostvars[groups['photoview'][0]].static_ip }}:8012 {
+        header_down +X-Robots-Tag "none"
+    }
 }