setup remote auth

2024-12-19 17:25:43 +01:00
parent f7369af8ee
commit 1942bbb50f
5 changed files with 13 additions and 36 deletions
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -1,5 +1,6 @@
 {
 	import conf/dynamic_dns.caddy
+	import conf/auth.caddy
 }

 (unprotected) {
@@ -11,13 +12,11 @@
 	}
 }

-herderin.veenboer.xyz \
-uitgeest.veenboer.xyz \
-peter.veenboer.xyz \
- {
+*.veenboer.xyz {
 	reverse_proxy nginx
 }
-
 import unprotected esp host:6052
 import unprotected grafana host:3333
 import unprotected ha host:8123
+
+import sites/auth.caddy
--- a/caddy/conf/auth.caddy
+++ b/caddy/conf/auth.caddy
@@ -30,14 +30,11 @@ security {
 		ui {
 			links {
 				"My Identity" "/whoami" icon "las la-user"
-				"Jellyfin" https://jellyfin.{$SUBDOMAIN}.{$DOMAIN} icon "las la-play"
 			}
 		}
 		transform user {
 			match realm remote
 			action add role authp/user
-			action add iets "Zo iets!" as string
-
 		}
 		transform user {
 			match origin local
@@ -52,8 +49,7 @@ security {
 		set user identity seafile_id

 		inject headers with claims
-		inject header "X-Seafile-Email" from "user|email"
-		inject header "X-Test" from "userinfo|seafile_email"
-		inject header "X-Onzin" from "realm"
+		inject header "X-Seafile-Email" from "userinfo|seafile_email"
 	}
 }
+
--- a/caddy/conf/authentik.caddy
+++ b/caddy/conf/authentik.caddy
@@ -1,25 +0,0 @@
-reverse_proxy /outpost.goauthentik.io/* http://host:19000
-forward_auth http://host:19000 {
-	uri /outpost.goauthentik.io/auth/caddy?rd={http.request.uri}
-	copy_headers {
-		X-Authentik-Username
-		X-Authentik-Groups
-		X-Authentik-Email
-		X-Authentik-Name
-		X-Authentik-Uid
-		X-Authentik-Jwt
-		X-Authentik-Meta-Jwks
-		X-Authentik-Meta-Outpost
-		X-Authentik-Meta-Provider
-		X-Authentik-Meta-App
-		X-Authentik-Meta-Version
-		X-Authentik-Other
-		X-Authentik-Password
-		X-Authentik-This
-		X-Authentik-What
-		Authorization>X-Custom-Authorization
-		X-Custom-User
-		X-Custom-Password
-		X-User-Header
-	}
-}
--- a/caddy/sites/auth.caddy
+++ b/caddy/sites/auth.caddy
@@ -0,0 +1,5 @@
+auth.{$SUBDOMAIN}.{$DOMAIN} {
+	route {
+		authenticate with myportal
+	}
+}
--- a/docker-compose.caddy.yml
+++ b/docker-compose.caddy.yml
@@ -9,6 +9,8 @@ services:
        - AWS_REGION=eu-west-1
        - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:?}
        - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:?}
+        - OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID:?}
+        - OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET:?}
        image: caddy
        links:
        - nginx