split Caddyfile

caddy/Caddyfile

@@ -1,35 +1,10 @@
 import conf/*.caddy
 
 {
-	dynamic_dns {
-		provider route53
-		domains {
-			veenboer.xyz. rik
-		}
-		versions ipv4
-	}
-
-	#	layer4 {
-	#		:443 {
-	#			@openvpn openvpn
-	#			route @openvpn {
-	#				proxy host:444 # Proxy OpenVPN traffic to its backend
-	#			}
-	#		}
-	#	}
-
-	order geoip2_vars first
-	geoip2 {
-		#	accountId {$GEO_ACCOUNT_ID}
-		#	licenseKey {$GEO_API_KEY}
-		databaseDirectory /data/caddy/geoip/
-		lockFile /data/caddy/geoip/geoip2.lock
-		editionID GeoLite2-City
-		updateUrl https://updates.maxmind.com
-		updateFrequency 86400 # in seconds
-	}
-
+	import dynamic_dns
 	import auth
+	import geoip2
+	# import layer4
 }
 
 (unprotected) {
@@ -41,6 +16,13 @@ import conf/*.caddy
 	}
 }
 
+(protected) {
+	{args[0]}.rik.veenboer.xyz {
+		import authentik
+		reverse_proxy {args[1]}
+	}
+}
+
 import unprotected authentik host:19000
 import unprotected vouch host:9090
 import unprotected jellyfin host:8097
@@ -50,41 +32,6 @@ import unprotected pgadmin host:5050
 import unprotected homarr host:17575
 import unprotected jellyseerr host:15055
 
-(authentik) {
-	reverse_proxy /outpost.goauthentik.io/* http://host:19000
-	forward_auth http://host:19000 {
-		uri /outpost.goauthentik.io/auth/caddy?rd={http.request.uri}
-		copy_headers {
-			X-Authentik-Username
-			X-Authentik-Groups
-			X-Authentik-Email
-			X-Authentik-Name
-			X-Authentik-Uid
-			X-Authentik-Jwt
-			X-Authentik-Meta-Jwks
-			X-Authentik-Meta-Outpost
-			X-Authentik-Meta-Provider
-			X-Authentik-Meta-App
-			X-Authentik-Meta-Version
-			X-Authentik-Other
-			X-Authentik-Password
-			X-Authentik-This
-			X-Authentik-What
-			Authorization>X-Custom-Authorization
-			X-Custom-User
-			X-Custom-Password
-			X-User-Header
-		}
-	}
-}
-
-(protected) {
-	{args[0]}.rik.veenboer.xyz {
-		import authentik
-		reverse_proxy {args[1]}
-	}
-}
-
 import protected sonarr host:18989
 import protected radarr host:17878
 import protected bazarr host:16767

caddy/conf/auth.caddy

@@ -1,42 +1,41 @@
 (auth) {
-   order authenticate before respond
-   order authorize before reverse_proxy
-   security {
-           oauth identity provider google {
-                   realm google
-                   driver google
-                   client_id {$OAUTH_CLIENT_ID}
-                   client_secret {$OAUTH_CLIENT_SECRET}
-                   scopes openid email profile
-           }
-           authentication portal myportal {
-                   enable identity provider google
-                   cookie domain veenboer.xyz
-                   ui {
-                           links {
-                                   "My Identity" "/whoami" icon "las la-user"
-                           }
-                   }
+	order authenticate before respond
+	order authorize before reverse_proxy
+	security {
+		oauth identity provider google {
+			realm google
+			driver google
+			client_id {$OAUTH_CLIENT_ID}
+			client_secret {$OAUTH_CLIENT_SECRET}
+			scopes openid email profile
+		}
+		authentication portal myportal {
+			enable identity provider google
+			cookie domain veenboer.xyz
+			ui {
+				links {
+					"My Identity" "/whoami" icon "las la-user"
+				}
+			}
 
-                   transform user {
-                           match realm google
-                           action add role authp/user
-                   }
+			transform user {
+				match realm google
+				action add role authp/user
+			}
 
-                   transform user {
-                           match realm google
+			transform user {
+				match realm google
 
-                           # Give this account admin role in the auth portal
-                           match email rik.veenboer@gmail.com
-                           action add role authp/admin
-                   }
-           }
-           authorization policy mypolicy {
-                   set auth url https://auth.rik.veenboer.xyz/oauth2/google
-                   allow roles authp/admin authp/user
-                   validate bearer header
-                   inject headers with claims
-           }
-   }
-
- }
+				# Give this account admin role in the auth portal
+				match email rik.veenboer@gmail.com
+				action add role authp/admin
+			}
+		}
+		authorization policy mypolicy {
+			set auth url https://auth.rik.veenboer.xyz/oauth2/google
+			allow roles authp/admin authp/user
+			validate bearer header
+			inject headers with claims
+		}
+	}
+}

caddy/conf/authentik.caddy

@@ -0,0 +1,27 @@
+(authentik) {
+	reverse_proxy /outpost.goauthentik.io/* http://host:19000
+	forward_auth http://host:19000 {
+		uri /outpost.goauthentik.io/auth/caddy?rd={http.request.uri}
+		copy_headers {
+			X-Authentik-Username
+			X-Authentik-Groups
+			X-Authentik-Email
+			X-Authentik-Name
+			X-Authentik-Uid
+			X-Authentik-Jwt
+			X-Authentik-Meta-Jwks
+			X-Authentik-Meta-Outpost
+			X-Authentik-Meta-Provider
+			X-Authentik-Meta-App
+			X-Authentik-Meta-Version
+			X-Authentik-Other
+			X-Authentik-Password
+			X-Authentik-This
+			X-Authentik-What
+			Authorization>X-Custom-Authorization
+			X-Custom-User
+			X-Custom-Password
+			X-User-Header
+		}
+	}
+}

caddy/conf/dynamic_dns.caddy

@@ -0,0 +1,9 @@
+(dynamic_dns) {
+	dynamic_dns {
+		provider route53
+		domains {
+			veenboer.xyz. rik
+		}
+		versions ipv4
+	}
+}

caddy/conf/geoip2.caddy

@@ -0,0 +1,12 @@
+(geoip2) {
+	order geoip2_vars first
+	geoip2 {
+		#	accountId {$GEO_ACCOUNT_ID}
+		#	licenseKey {$GEO_API_KEY}
+		databaseDirectory /data/caddy/geoip/
+		lockFile /data/caddy/geoip/geoip2.lock
+		editionID GeoLite2-City
+		updateUrl https://updates.maxmind.com
+		updateFrequency 86400 # in seconds
+	}
+}

caddy/conf/layer4.caddy

@@ -0,0 +1,9 @@
+(layer4) {layer4 {
+	:443 {
+		@openvpn openvpn
+		route @openvpn {
+			proxy host:444 # Proxy OpenVPN traffic to its backend
+		}
+	}
+}
+}

caddy/sites/test.caddy

@@ -1,11 +1,10 @@
 test.rik.veenboer.xyz {
-log {
-	output file /var/log/test.log
-}
+	log {
+		output file /var/log/test.log
+	}
 
 	authorize with mypolicy
 	reverse_proxy host:12345
-
 }
 
 auth.rik.veenboer.xyz {