From 1942bbb50f16a0a765bca519073311c36f48a907 Mon Sep 17 00:00:00 2001
From: Rik Veenboer
Date: Thu, 19 Dec 2024 17:25:43 +0100
Subject: [PATCH] setup remote auth
---
 caddy/Caddyfile | 9 ++++-----
 caddy/conf/auth.caddy | 8 ++------
 caddy/conf/authentik.caddy | 25 -------------------------
 caddy/sites/auth.caddy | 5 +++++
 docker-compose.caddy.yml | 2 ++
 5 files changed, 13 insertions(+), 36 deletions(-)
 delete mode 100644 caddy/conf/authentik.caddy
 create mode 100644 caddy/sites/auth.caddy
diff --git a/caddy/Caddyfile b/caddy/Caddyfile
index 79cb639..5049da4 100644
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -1,5 +1,6 @@
 {
 import conf/dynamic_dns.caddy
+ import conf/auth.caddy
 }
 (unprotected) {
@@ -11,13 +12,11 @@
 }
 }
-herderin.veenboer.xyz \
-uitgeest.veenboer.xyz \
-peter.veenboer.xyz \
- {
+*.veenboer.xyz {
 reverse_proxy nginx
 }
-
 import unprotected esp host:6052
 import unprotected grafana host:3333
 import unprotected ha host:8123
+
+import sites/auth.caddy
diff --git a/caddy/conf/auth.caddy b/caddy/conf/auth.caddy
index e3e3870..0c8b9a4 100644
--- a/caddy/conf/auth.caddy
+++ b/caddy/conf/auth.caddy
@@ -30,14 +30,11 @@ security {
 ui {
 links {
 "My Identity" "/whoami" icon "las la-user"
- "Jellyfin" https://jellyfin.{$SUBDOMAIN}.{$DOMAIN} icon "las la-play"
 }
 }
 transform user {
 match realm remote
 action add role authp/user
- action add iets "Zo iets!" as string
-
 }
 transform user {
 match origin local
@@ -52,8 +49,7 @@ security {
 set user identity seafile_id
 inject headers with claims
- inject header "X-Seafile-Email" from "user|email"
- inject header "X-Test" from "userinfo|seafile_email"
- inject header "X-Onzin" from "realm"
+ inject header "X-Seafile-Email" from "userinfo|seafile_email"
 }
 }
+
diff --git a/caddy/conf/authentik.caddy b/caddy/conf/authentik.caddy
deleted file mode 100644
index 497100d..0000000
--- a/caddy/conf/authentik.caddy
+++ /dev/null
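Review bot: `*.veenboer.xyz { reverse_proxy nginx }` replaces three named hosts with a catch-all, so every label under veenboer.xyz that no more specific site block claims — including names that were never meant to be served — is now proxied to nginx without authentication, and the nginx vhost configuration becomes the only thing deciding what is reachable. If only a known set of hosts should be exposed, keep an explicit host list, or gate this block the way sites/auth.caddy gates its route (`authenticate with myportal`, or an authorization policy) so an unexpected hostname does not reach the backend unauthenticated. A wildcard site address also requires a wildcard certificate obtained through the DNS challenge; the `conf/dynamic_dns.caddy` import suggests a DNS provider is configured, but that is not visible in this patch, so it is worth a comment on the block: `# catch-all: every *.veenboer.xyz name not matched above goes to nginx unauthenticated; wildcard cert needs the DNS challenge`.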
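Review bot: After removing the test action, `transform user { match realm remote … action add role authp/user }` still adds the `authp/user` role to every identity that authenticates through the remote realm, so any account the OAuth provider is willing to authenticate becomes an authorized user of whatever is gated on that role. If the provider is a public identity provider rather than one only your own accounts exist in (not visible in this patch), add a narrowing matcher below `match realm remote`, for example `match email <ALLOWED_ADDRESS_PLACEHOLDER>` or whichever claim identifies your accounts, so the role is only granted to known identities. The `security {` block these lines belong to starts before the hunk.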
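Review bot: The single remaining `inject header "X-Seafile-Email" from "userinfo|seafile_email"` is presumably what the Seafile upstream accepts as the authenticated identity, so the policy it sits in (which begins above this hunk) is only safe if a client cannot smuggle its own `X-Seafile-Email` through Caddy and cannot reach the upstream without passing through it. I would confirm that caddy-security overwrites rather than appends an inbound header of that name, and additionally strip it in the site block that fronts Seafile (not part of this patch) with `request_header -X-Seafile-Email` ahead of the proxy. `inject headers with claims` on the line above forwards every claim as a header as well; a short comment such as `# upstream Seafile trusts X-Seafile-Email as the login identity; never let it arrive from the client` would record which header actually carries trust.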
@@ -1,25 +0,0 @@
-reverse_proxy /outpost.goauthentik.io/* http://host:19000
-forward_auth http://host:19000 {
- uri /outpost.goauthentik.io/auth/caddy?rd={http.request.uri}
- copy_headers {
- X-Authentik-Username
- X-Authentik-Groups
- X-Authentik-Email
- X-Authentik-Name
- X-Authentik-Uid
- X-Authentik-Jwt
- X-Authentik-Meta-Jwks
- X-Authentik-Meta-Outpost
- X-Authentik-Meta-Provider
- X-Authentik-Meta-App
- X-Authentik-Meta-Version
- X-Authentik-Other
- X-Authentik-Password
- X-Authentik-This
- X-Authentik-What
- Authorization>X-Custom-Authorization
- X-Custom-User
- X-Custom-Password
- X-User-Header
- }
-}
diff --git a/caddy/sites/auth.caddy b/caddy/sites/auth.caddy
new file mode 100644
index 0000000..fc47cd5
--- /dev/null
+++ b/caddy/sites/auth.caddy
@@ -0,0 +1,5 @@
+auth.{$SUBDOMAIN}.{$DOMAIN} {
+ route {
+ authenticate with myportal
+ }
+}
diff --git a/docker-compose.caddy.yml b/docker-compose.caddy.yml
index 4f88426..8272246 100644
--- a/docker-compose.caddy.yml
+++ b/docker-compose.caddy.yml
@@ -9,6 +9,8 @@ services:
 - AWS_REGION=eu-west-1
 - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:?}
 - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:?}
+ - OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID:?}
+ - OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET:?}
 image: caddy
 links:
 - nginx
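Review bot: `authenticate with myportal` names a portal that must match an `authentication portal` definition expected to live in conf/auth.caddy, and nothing in this new file says so; a mismatch only surfaces when Caddy refuses to load the config. A one-line header such as `# Login portal for caddy-security; "myportal" must match the portal name declared in conf/auth.caddy` would document the coupling. The address `auth.{$SUBDOMAIN}.{$DOMAIN}` also relies on the two environment variables resolving to a name that the `*.veenboer.xyz` catch-all in the Caddyfile does not claim first; that assumption is worth stating in the same comment.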
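Review bot: `OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET:?}` places the client secret in the container environment, where `docker inspect` and every process inside the container can read it, and nothing in this patch shows where `OAUTH_CLIENT_ID`/`OAUTH_CLIENT_SECRET` are consumed (the identity-provider part of conf/auth.caddy is outside the hunks). The `:?` form is the right choice, since Compose then refuses to start rather than running with an empty secret, and it follows the existing pattern of the AWS variables above. If that pattern is ever revisited, a Compose `secrets:` entry or a file-based secret would keep the value out of the environment; for now a comment next to these two lines naming the source, e.g. `# OAuth client credentials for the caddy-security portal; supplied from the host environment or .env, never committed`, would help the next maintainer.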