snapshot of caddy with oauth security plugin

2024-12-04 21:56:32 +01:00
parent 58d71cfc95
commit 10bb430d43
8 changed files with 134 additions and 25 deletions
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -1,3 +1,5 @@
+import conf/*.caddy
+
 {
 	dynamic_dns {
 		provider route53
@@ -18,14 +20,16 @@

 	order geoip2_vars first
 	geoip2 {
-		accountId {$GEO_ACCOUNT_ID}
-		licenseKey {$GEO_API_KEY}
-		databaseDirectory "/data/caddy/geoip/"
-		lockFile "/data/caddy/geoip/geoip2.lock"
-		editionID "GeoLite2-City"
-		updateUrl "https://updates.maxmind.com"
+		#	accountId {$GEO_ACCOUNT_ID}
+		#	licenseKey {$GEO_API_KEY}
+		databaseDirectory /data/caddy/geoip/
+		lockFile /data/caddy/geoip/geoip2.lock
+		editionID GeoLite2-City
+		updateUrl https://updates.maxmind.com
 		updateFrequency 86400 # in seconds
 	}
+
+	import auth
 }

 (unprotected) {
@@ -38,6 +42,7 @@
 }

 import unprotected authentik host:19000
+import unprotected vouch host:9090
 import unprotected jellyfin host:8097
 import unprotected seafile host:8082
 import unprotected grafana host:3333
--- a/caddy/Dockerfile
+++ b/caddy/Dockerfile
@@ -4,7 +4,8 @@ RUN xcaddy build \
    --with github.com/caddy-dns/route53 \
    --with github.com/mholt/caddy-dynamicdns \
    --with github.com/zhangjiayin/caddy-geoip2 \
-    --with github.com/mholt/caddy-l4
+    --with github.com/mholt/caddy-l4 \
+    --with github.com/greenpau/caddy-security

 FROM caddy:2.9-alpine

--- a/caddy/conf/auth.caddy
+++ b/caddy/conf/auth.caddy
@@ -0,0 +1,42 @@
+(auth) {
+   order authenticate before respond
+   order authorize before reverse_proxy
+   security {
+           oauth identity provider google {
+                   realm google
+                   driver google
+                   client_id {$OAUTH_CLIENT_ID}
+                   client_secret {$OAUTH_CLIENT_SECRET}
+                   scopes openid email profile
+           }
+           authentication portal myportal {
+                   enable identity provider google
+                   cookie domain veenboer.xyz
+                   ui {
+                           links {
+                                   "My Identity" "/whoami" icon "las la-user"
+                           }
+                   }
+
+                   transform user {
+                           match realm google
+                           action add role authp/user
+                   }
+
+                   transform user {
+                           match realm google
+
+                           # Give this account admin role in the auth portal
+                           match email rik.veenboer@gmail.com
+                           action add role authp/admin
+                   }
+           }
+           authorization policy mypolicy {
+                   set auth url https://auth.rik.veenboer.xyz/oauth2/google
+                   allow roles authp/admin authp/user
+                   validate bearer header
+                   inject headers with claims
+           }
+   }
+
+ }
--- a/caddy/sites/test.caddy
+++ b/caddy/sites/test.caddy
@@ -0,0 +1,15 @@
+test.rik.veenboer.xyz {
+log {
+	output file /var/log/test.log
+}
+
+	authorize with mypolicy
+	reverse_proxy host:12345
+
+}
+
+auth.rik.veenboer.xyz {
+	route {
+		authenticate with myportal
+	}
+}
--- a/caddy/sites/unused.caddy
+++ b/caddy/sites/unused.caddy
@@ -1,16 +0,0 @@
-unused.rik.veenboer.xyz {
-	handle {
-		# import authentik
-		reverse_proxy host:8100
-	}
-
-	handle /seafhttp* {
-		uri strip_prefix seafhttp
-		reverse_proxy host:8182
-	}
-
-	handle /seafdav* {
-		reverse_proxy host:8180
-	}
-}
-