split Caddyfile

caddy/conf/auth.caddy

@@ -1,42 +1,41 @@
 (auth) {
-   order authenticate before respond
-   order authorize before reverse_proxy
-   security {
-           oauth identity provider google {
-                   realm google
-                   driver google
-                   client_id {$OAUTH_CLIENT_ID}
-                   client_secret {$OAUTH_CLIENT_SECRET}
-                   scopes openid email profile
-           }
-           authentication portal myportal {
-                   enable identity provider google
-                   cookie domain veenboer.xyz
-                   ui {
-                           links {
-                                   "My Identity" "/whoami" icon "las la-user"
-                           }
-                   }
+	order authenticate before respond
+	order authorize before reverse_proxy
+	security {
+		oauth identity provider google {
+			realm google
+			driver google
+			client_id {$OAUTH_CLIENT_ID}
+			client_secret {$OAUTH_CLIENT_SECRET}
+			scopes openid email profile
+		}
+		authentication portal myportal {
+			enable identity provider google
+			cookie domain veenboer.xyz
+			ui {
+				links {
+					"My Identity" "/whoami" icon "las la-user"
+				}
+			}
 
-                   transform user {
-                           match realm google
-                           action add role authp/user
-                   }
+			transform user {
+				match realm google
+				action add role authp/user
+			}
 
-                   transform user {
-                           match realm google
+			transform user {
+				match realm google
 
-                           # Give this account admin role in the auth portal
-                           match email rik.veenboer@gmail.com
-                           action add role authp/admin
-                   }
-           }
-           authorization policy mypolicy {
-                   set auth url https://auth.rik.veenboer.xyz/oauth2/google
-                   allow roles authp/admin authp/user
-                   validate bearer header
-                   inject headers with claims
-           }
-   }
-
- }
+				# Give this account admin role in the auth portal
+				match email rik.veenboer@gmail.com
+				action add role authp/admin
+			}
+		}
+		authorization policy mypolicy {
+			set auth url https://auth.rik.veenboer.xyz/oauth2/google
+			allow roles authp/admin authp/user
+			validate bearer header
+			inject headers with claims
+		}
+	}
+}

caddy/conf/authentik.caddy

@@ -0,0 +1,27 @@
+(authentik) {
+	reverse_proxy /outpost.goauthentik.io/* http://host:19000
+	forward_auth http://host:19000 {
+		uri /outpost.goauthentik.io/auth/caddy?rd={http.request.uri}
+		copy_headers {
+			X-Authentik-Username
+			X-Authentik-Groups
+			X-Authentik-Email
+			X-Authentik-Name
+			X-Authentik-Uid
+			X-Authentik-Jwt
+			X-Authentik-Meta-Jwks
+			X-Authentik-Meta-Outpost
+			X-Authentik-Meta-Provider
+			X-Authentik-Meta-App
+			X-Authentik-Meta-Version
+			X-Authentik-Other
+			X-Authentik-Password
+			X-Authentik-This
+			X-Authentik-What
+			Authorization>X-Custom-Authorization
+			X-Custom-User
+			X-Custom-Password
+			X-User-Header
+		}
+	}
+}

caddy/conf/dynamic_dns.caddy

@@ -0,0 +1,9 @@
+(dynamic_dns) {
+	dynamic_dns {
+		provider route53
+		domains {
+			veenboer.xyz. rik
+		}
+		versions ipv4
+	}
+}

caddy/conf/geoip2.caddy

@@ -0,0 +1,12 @@
+(geoip2) {
+	order geoip2_vars first
+	geoip2 {
+		#	accountId {$GEO_ACCOUNT_ID}
+		#	licenseKey {$GEO_API_KEY}
+		databaseDirectory /data/caddy/geoip/
+		lockFile /data/caddy/geoip/geoip2.lock
+		editionID GeoLite2-City
+		updateUrl https://updates.maxmind.com
+		updateFrequency 86400 # in seconds
+	}
+}

caddy/conf/layer4.caddy

@@ -0,0 +1,9 @@
+(layer4) {layer4 {
+	:443 {
+		@openvpn openvpn
+		route @openvpn {
+			proxy host:444 # Proxy OpenVPN traffic to its backend
+		}
+	}
+}
+}