diff --git a/caddy/Caddyfile b/caddy/Caddyfile
index 1b35177..bd49d17 100644
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -1,35 +1,10 @@
 import conf/*.caddy
 {
- dynamic_dns {
- provider route53
- domains {
- veenboer.xyz. rik
- }
- versions ipv4
- }
-
- # layer4 {
- # :443 {
- # @openvpn openvpn
- # route @openvpn {
- # proxy host:444 # Proxy OpenVPN traffic to its backend
- # }
- # }
- # }
-
- order geoip2_vars first
- geoip2 {
- # accountId {$GEO_ACCOUNT_ID}
- # licenseKey {$GEO_API_KEY}
- databaseDirectory /data/caddy/geoip/
- lockFile /data/caddy/geoip/geoip2.lock
- editionID GeoLite2-City
- updateUrl https://updates.maxmind.com
- updateFrequency 86400 # in seconds
- }
-
+ import dynamic_dns
 import auth
+ import geoip2
+ # import layer4
 }
 (unprotected) {
@@ -41,6 +16,13 @@ import conf/*.caddy
 }
 }
+(protected) {
+ {args[0]}.rik.veenboer.xyz {
+ import authentik
+ reverse_proxy {args[1]}
+ }
+}
+
 import unprotected authentik host:19000
 import unprotected vouch host:9090
 import unprotected jellyfin host:8097
@@ -50,41 +32,6 @@ import unprotected pgadmin host:5050
 import unprotected homarr host:17575
 import unprotected jellyseerr host:15055
-(authentik) {
- reverse_proxy /outpost.goauthentik.io/* http://host:19000
- forward_auth http://host:19000 {
- uri /outpost.goauthentik.io/auth/caddy?rd={http.request.uri}
- copy_headers {
- X-Authentik-Username
- X-Authentik-Groups
- X-Authentik-Email
- X-Authentik-Name
- X-Authentik-Uid
- X-Authentik-Jwt
- X-Authentik-Meta-Jwks
- X-Authentik-Meta-Outpost
- X-Authentik-Meta-Provider
- X-Authentik-Meta-App
- X-Authentik-Meta-Version
- X-Authentik-Other
- X-Authentik-Password
- X-Authentik-This
- X-Authentik-What
- Authorization>X-Custom-Authorization
- X-Custom-User
- X-Custom-Password
- X-User-Header
- }
- }
-}
-
-(protected) {
- {args[0]}.rik.veenboer.xyz {
- import authentik
- reverse_proxy {args[1]}
- }
-}
-
 import protected sonarr host:18989
 import protected radarr host:17878
 import protected bazarr host:16767
diff --git a/caddy/conf/auth.caddy b/caddy/conf/auth.caddy
index 2c86ce8..24c4139 100644
--- a/caddy/conf/auth.caddy
+++ b/caddy/conf/auth.caddy
@@ -1,42 +1,41 @@
 (auth) {
- order authenticate before respond
- order authorize before reverse_proxy
- security {
- oauth identity provider google {
- realm google
- driver google
- client_id {$OAUTH_CLIENT_ID}
- client_secret {$OAUTH_CLIENT_SECRET}
- scopes openid email profile
- }
- authentication portal myportal {
- enable identity provider google
- cookie domain veenboer.xyz
- ui {
- links {
- "My Identity" "/whoami" icon "las la-user"
- }
- }
+ order authenticate before respond
+ order authorize before reverse_proxy
+ security {
+ oauth identity provider google {
+ realm google
+ driver google
+ client_id {$OAUTH_CLIENT_ID}
+ client_secret {$OAUTH_CLIENT_SECRET}
+ scopes openid email profile
+ }
+ authentication portal myportal {
+ enable identity provider google
+ cookie domain veenboer.xyz
+ ui {
+ links {
+ "My Identity" "/whoami" icon "las la-user"
+ }
+ }
- transform user {
- match realm google
- action add role authp/user
- }
+ transform user {
+ match realm google
+ action add role authp/user
+ }
- transform user {
- match realm google
+ transform user {
+ match realm google
- # Give this account admin role in the auth portal
- match email rik.veenboer@gmail.com
- action add role authp/admin
- }
- }
- authorization policy mypolicy {
- set auth url https://auth.rik.veenboer.xyz/oauth2/google
- allow roles authp/admin authp/user
- validate bearer header
- inject headers with claims
- }
- }
-
- }
+ # Give this account admin role in the auth portal
+ match email rik.veenboer@gmail.com
+ action add role authp/admin
+ }
+ }
+ authorization policy mypolicy {
+ set auth url https://auth.rik.veenboer.xyz/oauth2/google
+ allow roles authp/admin authp/user
+ validate bearer header
+ inject headers with claims
+ }
+ }
+}
diff --git a/caddy/conf/authentik.caddy b/caddy/conf/authentik.caddy
new file mode 100644
index 0000000..dcf8906
--- /dev/null
+++ b/caddy/conf/authentik.caddy
@@ -0,0 +1,27 @@
+(authentik) {
+ reverse_proxy /outpost.goauthentik.io/* http://host:19000
+ forward_auth http://host:19000 {
+ uri /outpost.goauthentik.io/auth/caddy?rd={http.request.uri}
+ copy_headers {
+ X-Authentik-Username
+ X-Authentik-Groups
+ X-Authentik-Email
+ X-Authentik-Name
+ X-Authentik-Uid
+ X-Authentik-Jwt
+ X-Authentik-Meta-Jwks
+ X-Authentik-Meta-Outpost
+ X-Authentik-Meta-Provider
+ X-Authentik-Meta-App
+ X-Authentik-Meta-Version
+ X-Authentik-Other
+ X-Authentik-Password
+ X-Authentik-This
+ X-Authentik-What
+ Authorization>X-Custom-Authorization
+ X-Custom-User
+ X-Custom-Password
+ X-User-Header
+ }
+ }
+}
diff --git a/caddy/conf/dynamic_dns.caddy b/caddy/conf/dynamic_dns.caddy
new file mode 100644
index 0000000..35212c6
--- /dev/null
+++ b/caddy/conf/dynamic_dns.caddy
@@ -0,0 +1,9 @@
+(dynamic_dns) {
+ dynamic_dns {
+ provider route53
+ domains {
+ veenboer.xyz. rik
+ }
+ versions ipv4
+ }
+}
diff --git a/caddy/conf/geoip2.caddy b/caddy/conf/geoip2.caddy
new file mode 100644
index 0000000..e4bd313
--- /dev/null
+++ b/caddy/conf/geoip2.caddy
@@ -0,0 +1,12 @@
+(geoip2) {
+ order geoip2_vars first
+ geoip2 {
+ # accountId {$GEO_ACCOUNT_ID}
+ # licenseKey {$GEO_API_KEY}
+ databaseDirectory /data/caddy/geoip/
+ lockFile /data/caddy/geoip/geoip2.lock
+ editionID GeoLite2-City
+ updateUrl https://updates.maxmind.com
+ updateFrequency 86400 # in seconds
+ }
+}
diff --git a/caddy/conf/layer4.caddy b/caddy/conf/layer4.caddy
new file mode 100644
index 0000000..fbfa8c5
--- /dev/null
+++ b/caddy/conf/layer4.caddy
@@ -0,0 +1,9 @@
+(layer4) {layer4 {
+ :443 {
+ @openvpn openvpn
+ route @openvpn {
+ proxy host:444 # Proxy OpenVPN traffic to its backend
+ }
+ }
+}
+}
diff --git a/caddy/sites/test.caddy b/caddy/sites/test.caddy
index 6d500a3..35f7acc 100644
--- a/caddy/sites/test.caddy
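Review bot: The `copy_headers` list inside `forward_auth http://host:19000` forwards every named header from the outpost's auth response into the request sent upstream, and because this snippet is pulled in by the `(protected)` wrapper for every app, each backend receives all of them, including credential-bearing ones such as `X-Authentik-Jwt`, `X-Authentik-Password`, `X-Custom-Password` and `Authorization>X-Custom-Authorization`, whether it consumes them or not. Trim the list to what the backends actually read (typically `X-Authentik-Username`, `X-Authentik-Groups`, `X-Authentik-Email`), and drop the entries that look like placeholders, `X-Authentik-Other`, `X-Authentik-This`, `X-Authentik-What`. Which app, if any, genuinely needs a JWT or password header should be confirmed per app; a comment above `copy_headers {` such as `# only forward the identity headers the apps behind (protected) read` would make later pruning safe. `forward_auth` and the `/outpost.goauthentik.io/*` proxy both use plain `http://host:19000`, which presumably relies on `host` being reachable only on a trusted internal network; worth a one-line comment stating that assumption.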
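Review bot: In the new `(geoip2)` snippet, `accountId` and `licenseKey` are commented out while `updateUrl https://updates.maxmind.com` and `updateFrequency 86400` stay active, so the scheduled refresh presumably has no credentials to authenticate with and the database under `/data/caddy/geoip/` would either go stale silently or produce an update error every 24 hours; confirm against the plugin's behaviour. Either re-enable the two lines with their `{$GEO_ACCOUNT_ID}` and `{$GEO_API_KEY}` placeholders sourced from the environment, or remove `updateUrl` and `updateFrequency` and state above `geoip2 {` how the `GeoLite2-City` database is refreshed instead.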
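Review bot: The first line of the new layer4.caddy, `(layer4) {layer4 {`, opens the snippet and the `layer4` global option on the same line; the Caddyfile parser expects an opening brace to be the last token on its line, so this file would likely fail to adapt the moment `# import layer4` in caddy/Caddyfile (first hunk) is uncommented. It goes unnoticed now only because the snippet is defined by `import conf/*.caddy` but never imported. Split it into `(layer4) {` and `layer4 {` on two lines so the disabled snippet at least parses, and consider a short comment next to `# import layer4` in caddy/Caddyfile saying why the OpenVPN-on-`:443` listener is currently off.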
+++ b/caddy/sites/test.caddy
@@ -1,11 +1,10 @@
 test.rik.veenboer.xyz {
-log {
- output file /var/log/test.log
-}
+ log {
+ output file /var/log/test.log
+ }
 authorize with mypolicy
 reverse_proxy host:12345
-
 }
 auth.rik.veenboer.xyz {