snapshot of caddy with oauth security plugin

caddy/Caddyfile

@@ -1,3 +1,5 @@
+import conf/*.caddy
+
 {
 	dynamic_dns {
 		provider route53
@@ -18,14 +20,16 @@
 
 	order geoip2_vars first
 	geoip2 {
-		accountId {$GEO_ACCOUNT_ID}
+		#	accountId {$GEO_ACCOUNT_ID}
-		licenseKey {$GEO_API_KEY}
+		#	licenseKey {$GEO_API_KEY}
-		databaseDirectory "/data/caddy/geoip/"
+		databaseDirectory /data/caddy/geoip/
-		lockFile "/data/caddy/geoip/geoip2.lock"
+		lockFile /data/caddy/geoip/geoip2.lock
-		editionID "GeoLite2-City"
+		editionID GeoLite2-City
-		updateUrl "https://updates.maxmind.com"
+		updateUrl https://updates.maxmind.com
 		updateFrequency 86400 # in seconds
 	}
+
+	import auth
 }
 
 (unprotected) {
@@ -38,6 +42,7 @@
 }
 
 import unprotected authentik host:19000
+import unprotected vouch host:9090
 import unprotected jellyfin host:8097
 import unprotected seafile host:8082
 import unprotected grafana host:3333

caddy/Dockerfile

@@ -4,7 +4,8 @@ RUN xcaddy build \
     --with github.com/caddy-dns/route53 \
     --with github.com/mholt/caddy-dynamicdns \
     --with github.com/zhangjiayin/caddy-geoip2 \
-    --with github.com/mholt/caddy-l4
+    --with github.com/mholt/caddy-l4 \
+    --with github.com/greenpau/caddy-security
 
 FROM caddy:2.9-alpine
 

caddy/conf/auth.caddy

@@ -0,0 +1,42 @@
+(auth) {
+   order authenticate before respond
+   order authorize before reverse_proxy
+   security {
+           oauth identity provider google {
+                   realm google
+                   driver google
+                   client_id {$OAUTH_CLIENT_ID}
+                   client_secret {$OAUTH_CLIENT_SECRET}
+                   scopes openid email profile
+           }
+           authentication portal myportal {
+                   enable identity provider google
+                   cookie domain veenboer.xyz
+                   ui {
+                           links {
+                                   "My Identity" "/whoami" icon "las la-user"
+                           }
+                   }
+
+                   transform user {
+                           match realm google
+                           action add role authp/user
+                   }
+
+                   transform user {
+                           match realm google
+
+                           # Give this account admin role in the auth portal
+                           match email rik.veenboer@gmail.com
+                           action add role authp/admin
+                   }
+           }
+           authorization policy mypolicy {
+                   set auth url https://auth.rik.veenboer.xyz/oauth2/google
+                   allow roles authp/admin authp/user
+                   validate bearer header
+                   inject headers with claims
+           }
+   }
+
+ }

caddy/sites/test.caddy

@@ -0,0 +1,15 @@
+test.rik.veenboer.xyz {
+log {
+	output file /var/log/test.log
+}
+
+	authorize with mypolicy
+	reverse_proxy host:12345
+
+}
+
+auth.rik.veenboer.xyz {
+	route {
+		authenticate with myportal
+	}
+}

caddy/sites/unused.caddy

@@ -1,16 +0,0 @@
-unused.rik.veenboer.xyz {
-	handle {
-		# import authentik
-		reverse_proxy host:8100
-	}
-
-	handle /seafhttp* {
-		uri strip_prefix seafhttp
-		reverse_proxy host:8182
-	}
-
-	handle /seafdav* {
-		reverse_proxy host:8180
-	}
-}
-

docker-compose.caddy.yml

@@ -9,12 +9,15 @@ services:
         - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:?}
         - GEO_ACCOUNT_ID=${MAXMIND_ACCOUNT_ID:?}
         - GEO_API_KEY=${MAXMIND_API_KEY:?}
+        - OAUTH_CLIENT_ID=889676430308-ivr6b4fmneivn70ri2ugm1gkbgoh5qdq.apps.googleusercontent.com
+        - OAUTH_CLIENT_SECRET=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
         image: caddy
         ports:
         - 443:443
         restart: unless-stopped
         volumes:
         - /opt/caddy/Caddyfile:/etc/caddy/Caddyfile
+        - /opt/caddy/conf:/etc/caddy/conf
         - /opt/caddy/sites:/etc/caddy/sites
         - /opt/caddy/data:/data/caddy
         - /opt/caddy/logs:/var/log

docker-compose.vouch.yml

@@ -0,0 +1,59 @@
+services:
+    vouch:
+        image: quay.io/vouch/vouch-proxy:alpine-0.41.0
+        container_name: vouch
+        ports:
+        - 9090:9090
+        environment:
+            # Google
+            # - OAUTH_PROVIDER=google
+            # - OAUTH_CLIENT_ID=889676430308-ivr6b4fmneivn70ri2ugm1gkbgoh5qdq.apps.googleusercontent.com
+            # - OAUTH_CLIENT_SECRET=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
+            # - https://www.googleapis.com/oauth2/v3/userinfo
+
+            # Google
+            # - OAUTH_PROVIDER=oidc
+            # - OAUTH_CLIENT_ID=889676430308-ivr6b4fmneivn70ri2ugm1gkbgoh5qdq.apps.googleusercontent.com
+            # - OAUTH_CLIENT_SECRET=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
+            # - OAUTH_AUTH_URL=https://accounts.google.com/o/oauth2/auth
+            # - OAUTH_TOKEN_URL=https://accounts.google.com/o/oauth2/token
+            # - OAUTH_USER_INFO_URL=https://www.googleapis.com/oauth2/v3/userinfo
+
+            # Amazon
+            # - OAUTH_PROVIDER=oidc
+            # - OAUTH_CLIENT_ID=793k18vvmiooosv5j4dd0bkqi
+            # - OAUTH_CLIENT_SECRET=ccpsr589kufadbmi7ac6kgi3gaftc4cqkm3pi627tsidmbsk1lj
+            # - OAUTH_AUTH_URL=https://veenboer.auth.eu-central-1.amazoncognito.com/oauth2/authorize
+            # - OAUTH_TOKEN_URL=https://veenboer.auth.eu-central-1.amazoncognito.com/oauth2/token
+            # - OAUTH_USER_INFO_URL=https://veenboer.auth.eu-central-1.amazoncognito.com/oauth2/userInfo
+
+            # Microsoft
+            # - OAUTH_PROVIDER=oidc
+            # - OAUTH_CLIENT_ID=2483d0ed-95a1-4ca1-ae72-a79ca6defd96
+            # - OAUTH_CLIENT_SECRET=x8V8Q~vklpp75~xwMRzAuNa4NQ7K8gNEAAsx-cTZ
+            # - OAUTH_AUTH_URL=https://login.microsoftonline.com/common/oauth2/v2.0/authorize
+            # - OAUTH_TOKEN_URL=https://login.microsoftonline.com/common/oauth2/v2.0/token
+            # - OAUTH_USER_INFO_URL=https://graph.microsoft.com/oidc/userinfo
+
+            # Authentik
+            - OAUTH_PROVIDER=oidc
+            - OAUTH_CLIENT_ID=MJJ44TzracJ8J24xVsUvO12KvAbzxiev9G0t9sYl
+            - OAUTH_CLIENT_SECRET=vrUGfNfqzooKujOyvTLDZffOTakEgNeCIlILaBU2aF9QtaDHJWaYVY3MLGlkF2jlFFn4W0a1eSJcZpJMxojO4i7U6b9CqbdTr5Al2LvK3FQnFbViUn2MN0qKibv8VVO1
+            - OAUTH_AUTH_URL=https://authentik.rik.veenboer.xyz/application/o/authorize/
+            - OAUTH_TOKEN_URL=https://authentik.rik.veenboer.xyz/application/o/token/
+            - OAUTH_USER_INFO_URL=https://authentik.rik.veenboer.xyz/application/o/userinfo/
+
+            # General
+            - OAUTH_CALLBACK_URL=https://vouch.rik.veenboer.xyz/auth
+            - OAUTH_SCOPES=openid,profile,email
+            - VOUCH_COOKIE_DOMAIN=veenboer.xyz
+            - VOUCH_ALLOWALLUSERS=true
+            - VOUCH_HEADERS_CLAIMS=email,preferred_username
+            - VOUCH_LOGLEVEL=debug
+
+            # Unused
+            # - VOUCH_COOKIE_SECURE=false
+            # - VOUCH_HEADERS_CLAIMS=sub,name,email
+            # - OAUTH_CLAIMS=sub,name,email
+            # - VOUCH_HEADERS_IDTOKEN=X-Vouch-IdP-IdToken
+        restart: unless-stopped

docker-compose.yml

@@ -4,6 +4,7 @@ include:
 
 # Authentication
 - docker-compose.authentik.yml
+- docker-compose.vouch.yml
 
 # Other
 - docker-compose.homarr.yml
@@ -25,8 +26,8 @@ include:
 
 # Networking
 - docker-compose.surfshark.yml
-- docker-compose.openvpn-server.yml
 - docker-compose.dns-ad-blocker.yml
+# - docker-compose.openvpn-server.yml
 
 # Backup
 - docker-compose.rsnapshot.yml
@@ -47,4 +48,3 @@ include:
 - docker-compose.postgis.yml
 - docker-compose.timescaledb.yml
 - docker-compose.influxdb.yml
-