diff --git a/caddy/Caddyfile b/caddy/Caddyfile
index 7eb66c9..db6c270 100644
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -1,10 +1,8 @@
-import conf/*.caddy
-
 {
- import dynamic_dns
- import auth
- import geoip2
- # import layer4
+ import conf/dynamic_dns.caddy
+ import conf/auth.caddy
+ import conf/geoip2.caddy
+ # import conf/layer4.caddy
 }
 (unprotected) {
@@ -18,7 +16,7 @@ import conf/*.caddy
 (protected) {
 {args[0]}.{$SUBDOMAIN}.{$DOMAIN} {
- import authentik
+ import conf/authentik.caddy
 reverse_proxy {args[1]}
 }
 }
diff --git a/caddy/conf/auth.caddy b/caddy/conf/auth.caddy
index c5701eb..f5778f5 100644
--- a/caddy/conf/auth.caddy
+++ b/caddy/conf/auth.caddy
@@ -1,49 +1,47 @@
-(auth) {
- order authenticate before respond
- order authorize before reverse_proxy
- security {
- oauth identity provider generic {
- realm mine
- driver generic
- client_id {$OAUTH_CLIENT_ID}
- client_secret {$OAUTH_CLIENT_SECRET}
- scopes openid email profile
+order authenticate before respond
+order authorize before reverse_proxy
+security {
+ oauth identity provider generic {
+ realm mine
+ driver generic
+ client_id {$OAUTH_CLIENT_ID}
+ client_secret {$OAUTH_CLIENT_SECRET}
+ scopes openid email profile
- delay_start 5
- retry_attempts 3
- retry_interval 10
+ delay_start 5
+ retry_attempts 3
+ retry_interval 10
- base_auth_url https://authentik.{$SUBDOMAIN}.{$DOMAIN}
- metadata_url https://authentik.{$SUBDOMAIN}.{$DOMAIN}/application/o/caddy/.well-known/openid-configuration
- }
- authentication portal myportal {
- enable identity provider generic
- cookie domain {$DOMAIN}
- ui {
- links {
- "My Identity" "/whoami" icon "las la-user"
- "Jellyfin" https://jellyfin.{$SUBDOMAIN}.{$DOMAIN} icon "las la-play"
- }
- }
-
- transform user {
- match realm mine
- action add role authp/user
- }
-
- transform user {
- match realm mine
-
- # Give this account admin role in the auth portal
- match email rik.veenboer@gmail.com
- action add role authp/admin
+ base_auth_url https://authentik.{$SUBDOMAIN}.{$DOMAIN}
+ metadata_url https://authentik.{$SUBDOMAIN}.{$DOMAIN}/application/o/caddy/.well-known/openid-configuration
+ }
+ authentication portal myportal {
+ enable identity provider generic
+ cookie domain {$DOMAIN}
+ ui {
+ links {
+ "My Identity" "/whoami" icon "las la-user"
+ "Jellyfin" https://jellyfin.{$SUBDOMAIN}.{$DOMAIN} icon "las la-play"
 }
 }
- authorization policy mypolicy {
- set auth url https://auth.{$SUBDOMAIN}.{$DOMAIN}/oauth2/generic
- allow roles authp/admin authp/user
- validate bearer header
- inject headers with claims
+
+ transform user {
+ match realm mine
+ action add role authp/user
+ }
+
+ transform user {
+ match realm mine
+
+ # Give this account admin role in the auth portal
+ match email rik.veenboer@gmail.com
+ action add role authp/admin
 }
 }
+ authorization policy mypolicy {
+ set auth url https://auth.{$SUBDOMAIN}.{$DOMAIN}/oauth2/generic
+ allow roles authp/admin authp/user
+ validate bearer header
+ inject headers with claims
+ }
 }
diff --git a/caddy/conf/authentik.caddy b/caddy/conf/authentik.caddy
index dcf8906..497100d 100644
--- a/caddy/conf/authentik.caddy
+++ b/caddy/conf/authentik.caddy
@@ -1,27 +1,25 @@
-(authentik) {
- reverse_proxy /outpost.goauthentik.io/* http://host:19000
- forward_auth http://host:19000 {
- uri /outpost.goauthentik.io/auth/caddy?rd={http.request.uri}
- copy_headers {
- X-Authentik-Username
- X-Authentik-Groups
- X-Authentik-Email
- X-Authentik-Name
- X-Authentik-Uid
- X-Authentik-Jwt
- X-Authentik-Meta-Jwks
- X-Authentik-Meta-Outpost
- X-Authentik-Meta-Provider
- X-Authentik-Meta-App
- X-Authentik-Meta-Version
- X-Authentik-Other
- X-Authentik-Password
- X-Authentik-This
- X-Authentik-What
- Authorization>X-Custom-Authorization
- X-Custom-User
- X-Custom-Password
- X-User-Header
- }
+reverse_proxy /outpost.goauthentik.io/* http://host:19000
+forward_auth http://host:19000 {
+ uri /outpost.goauthentik.io/auth/caddy?rd={http.request.uri}
+ copy_headers {
+ X-Authentik-Username
+ X-Authentik-Groups
+ X-Authentik-Email
+ X-Authentik-Name
+ X-Authentik-Uid
+ X-Authentik-Jwt
+ X-Authentik-Meta-Jwks
+ X-Authentik-Meta-Outpost
+ X-Authentik-Meta-Provider
+ X-Authentik-Meta-App
+ X-Authentik-Meta-Version
+ X-Authentik-Other
+ X-Authentik-Password
+ X-Authentik-This
+ X-Authentik-What
+ Authorization>X-Custom-Authorization
+ X-Custom-User
+ X-Custom-Password
+ X-User-Header
 }
 }
diff --git a/caddy/conf/dynamic_dns.caddy b/caddy/conf/dynamic_dns.caddy
index 2f0c89b..a27aea6 100644
--- a/caddy/conf/dynamic_dns.caddy
+++ b/caddy/conf/dynamic_dns.caddy
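Review bot: The portal's admin role is bound to a personal e-mail literal in the second `transform user` block (`match email rik.veenboer@gmail.com`), while every other tenant-specific value in this file (`client_id`, `client_secret`, `{$DOMAIN}`) comes from the environment; committing it ties the admin identity to the repository and exposes PII wherever the config is shared. Read it the same way as the credentials, `match email {$AUTH_ADMIN_EMAIL}`. Note also that the first `transform user` grants `authp/user` to every account the generic provider returns and `mypolicy` allows `authp/user`, so anyone who can sign in at the Authentik IdP passes this policy; if per-app restriction is intended it has to be enforced on the Authentik side or with a narrower `match`, which this file cannot show. `cookie domain {$DOMAIN}` scopes the portal cookie to the apex, so it is presented to every subdomain including sites served via the `(unprotected)` snippet — presumably intended, but worth confirming.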
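Review bot: The `copy_headers` list forwards far more than the `X-Authentik-*` identity and `Meta-*` headers the outpost sets: `X-Authentik-Other`, `X-Authentik-This`, `X-Authentik-What`, `X-Custom-User`, `X-User-Header` and especially `X-Authentik-Password` / `X-Custom-Password` read like placeholders from a custom-headers example, and `Authorization>X-Custom-Authorization` renames the outpost's Authorization header onto the upstream request. Everything named here is copied into the request that the `(protected)` snippet then sends to `{args[1]}`, so if the outpost is ever configured to emit a password attribute it reaches every protected app in clear; prune the list to the entries the upstreams actually consume and drop the two password names regardless. Both `reverse_proxy` and `forward_auth` reach the outpost over plaintext `http://host:19000`, which is fine on a loopback or container network but should be checked if `host` resolves off-box. I could not confirm from this hunk whether Caddy clears a client-supplied header of the same name when the outpost omits it, so verify that none of these names can be injected by the client.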
@@ -1,9 +1,7 @@
-(dynamic_dns) {
- dynamic_dns {
- provider route53
- domains {
- {$DOMAIN}. {$SUBDOMAIN}
- }
- versions ipv4
+dynamic_dns {
+ provider route53
+ domains {
+ {$DOMAIN}. {$SUBDOMAIN}
 }
+ versions ipv4
 }
diff --git a/caddy/conf/geoip2.caddy b/caddy/conf/geoip2.caddy
index e4bd313..0aa49c7 100644
--- a/caddy/conf/geoip2.caddy
+++ b/caddy/conf/geoip2.caddy
@@ -1,12 +1,10 @@
-(geoip2) {
- order geoip2_vars first
- geoip2 {
- # accountId {$GEO_ACCOUNT_ID}
- # licenseKey {$GEO_API_KEY}
- databaseDirectory /data/caddy/geoip/
- lockFile /data/caddy/geoip/geoip2.lock
- editionID GeoLite2-City
- updateUrl https://updates.maxmind.com
- updateFrequency 86400 # in seconds
- }
+order geoip2_vars first
+geoip2 {
+ # accountId {$GEO_ACCOUNT_ID}
+ # licenseKey {$GEO_API_KEY}
+ databaseDirectory /data/caddy/geoip/
+ lockFile /data/caddy/geoip/geoip2.lock
+ editionID GeoLite2-City
+ updateUrl https://updates.maxmind.com
+ updateFrequency 86400 # in seconds
 }
diff --git a/caddy/conf/layer4.caddy b/caddy/conf/layer4.caddy
index 4f07fe4..748a202 100644
--- a/caddy/conf/layer4.caddy
+++ b/caddy/conf/layer4.caddy
@@ -1,10 +1,8 @@
-(layer4) {
- layer4 {
- :443 {
- @openvpn openvpn
- route @openvpn {
- proxy host:444 # Proxy OpenVPN traffic to its backend
- }
+layer4 {
+ :443 {
+ @openvpn openvpn
+ route @openvpn {
+ proxy host:444 # Proxy OpenVPN traffic to its backend
 }
 }
 }
 }
diff --git a/caddy/sites/geo.caddy b/caddy/sites/geo.caddy
index 722aeb6..9495f9a 100644
--- a/caddy/sites/geo.caddy
+++ b/caddy/sites/geo.caddy
@@ -9,7 +9,7 @@ geo.{$SUBDOMAIN}.{$DOMAIN} {
 # trusted_proxies: Trust 'X-Forwarded-For' header_up if trusted_proxies is also valid (see https://caddyserver.com/docs/caddyfile/options#trusted-proxies) # default: trusted_proxies
- @geofilter expression ({geoip2.country_code} == "NL")
+ @geofilter expression ({geoip2.country_code} != "FR")
 route @geofilter {
 reverse_proxy host:12345 {
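Review bot: With `# accountId {$GEO_ACCOUNT_ID}` and `# licenseKey {$GEO_API_KEY}` commented out, the `updateUrl https://updates.maxmind.com` / `updateFrequency 86400` pair presumably cannot authenticate to MaxMind, so the GeoLite2-City database under `/data/caddy/geoip/` will not refresh and any country filter built on `{geoip2.country_code}` silently drifts as IP allocations change. Either restore the two credential lines (they already read from the environment, so nothing secret lands in the file) or remove `updateUrl` and `updateFrequency` and add `# DB is refreshed out-of-band; auto-update disabled` so the staleness is a documented choice rather than a silent failure. The hunk does not show how the plugin behaves when the update fails or the file is missing, so check that the filters depending on it fail closed in that case.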
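Review bot: This file is dead configuration after the commit — the Caddyfile keeps `# import conf/layer4.caddy` commented — yet nothing in the file says why, and a future maintainer enabling it would put a `layer4` app on `:443` next to the HTTP server's own `:443` listener, which presumably is the reason it is disabled. Add a header comment such as `# Disabled: binds :443 alongside the HTTP server; needs a listener wrapper before enabling` or delete the file until it is needed. Note the `openvpn` matcher forwards raw, unauthenticated TCP to `host:444`, so when it is enabled that backend is exposed directly to the internet by design.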