tidy up caddy config

caddy/Caddyfile

@@ -1,10 +1,8 @@
-import conf/*.caddy
-
 {
-	import dynamic_dns
-	import auth
-	import geoip2
-	# import layer4
+	import conf/dynamic_dns.caddy
+	import conf/auth.caddy
+	import conf/geoip2.caddy
+	# import conf/layer4.caddy
 }
 
 (unprotected) {
@@ -18,7 +16,7 @@ import conf/*.caddy
 
 (protected) {
 	{args[0]}.{$SUBDOMAIN}.{$DOMAIN} {
-		import authentik
+		import conf/authentik.caddy
 		reverse_proxy {args[1]}
 	}
 }

caddy/conf/auth.caddy

@@ -1,49 +1,47 @@
-(auth) {
-	order authenticate before respond
-	order authorize before reverse_proxy
-	security {
-		oauth identity provider generic {
-			realm mine
-			driver generic
-			client_id {$OAUTH_CLIENT_ID}
-			client_secret {$OAUTH_CLIENT_SECRET}
-			scopes openid email profile
+order authenticate before respond
+order authorize before reverse_proxy
+security {
+	oauth identity provider generic {
+		realm mine
+		driver generic
+		client_id {$OAUTH_CLIENT_ID}
+		client_secret {$OAUTH_CLIENT_SECRET}
+		scopes openid email profile
 
-			delay_start 5
-			retry_attempts 3
-			retry_interval 10
+		delay_start 5
+		retry_attempts 3
+		retry_interval 10
 
-			base_auth_url https://authentik.{$SUBDOMAIN}.{$DOMAIN}
-			metadata_url https://authentik.{$SUBDOMAIN}.{$DOMAIN}/application/o/caddy/.well-known/openid-configuration
-		}
-		authentication portal myportal {
-			enable identity provider generic
-			cookie domain {$DOMAIN}
-			ui {
-				links {
-					"My Identity" "/whoami" icon "las la-user"
-					"Jellyfin" https://jellyfin.{$SUBDOMAIN}.{$DOMAIN} icon "las la-play"
-				}
-			}
-
-			transform user {
-				match realm mine
-				action add role authp/user
-			}
-
-			transform user {
-				match realm mine
-
-				# Give this account admin role in the auth portal
-				match email rik.veenboer@gmail.com
-				action add role authp/admin
+		base_auth_url https://authentik.{$SUBDOMAIN}.{$DOMAIN}
+		metadata_url https://authentik.{$SUBDOMAIN}.{$DOMAIN}/application/o/caddy/.well-known/openid-configuration
+	}
+	authentication portal myportal {
+		enable identity provider generic
+		cookie domain {$DOMAIN}
+		ui {
+			links {
+				"My Identity" "/whoami" icon "las la-user"
+				"Jellyfin" https://jellyfin.{$SUBDOMAIN}.{$DOMAIN} icon "las la-play"
 			}
 		}
-		authorization policy mypolicy {
-			set auth url https://auth.{$SUBDOMAIN}.{$DOMAIN}/oauth2/generic
-			allow roles authp/admin authp/user
-			validate bearer header
-			inject headers with claims
+
+		transform user {
+			match realm mine
+			action add role authp/user
+		}
+
+		transform user {
+			match realm mine
+
+			# Give this account admin role in the auth portal
+			match email rik.veenboer@gmail.com
+			action add role authp/admin
 		}
 	}
+	authorization policy mypolicy {
+		set auth url https://auth.{$SUBDOMAIN}.{$DOMAIN}/oauth2/generic
+		allow roles authp/admin authp/user
+		validate bearer header
+		inject headers with claims
+	}
 }

caddy/conf/authentik.caddy

@@ -1,27 +1,25 @@
-(authentik) {
-	reverse_proxy /outpost.goauthentik.io/* http://host:19000
-	forward_auth http://host:19000 {
-		uri /outpost.goauthentik.io/auth/caddy?rd={http.request.uri}
-		copy_headers {
-			X-Authentik-Username
-			X-Authentik-Groups
-			X-Authentik-Email
-			X-Authentik-Name
-			X-Authentik-Uid
-			X-Authentik-Jwt
-			X-Authentik-Meta-Jwks
-			X-Authentik-Meta-Outpost
-			X-Authentik-Meta-Provider
-			X-Authentik-Meta-App
-			X-Authentik-Meta-Version
-			X-Authentik-Other
-			X-Authentik-Password
-			X-Authentik-This
-			X-Authentik-What
-			Authorization>X-Custom-Authorization
-			X-Custom-User
-			X-Custom-Password
-			X-User-Header
-		}
+reverse_proxy /outpost.goauthentik.io/* http://host:19000
+forward_auth http://host:19000 {
+	uri /outpost.goauthentik.io/auth/caddy?rd={http.request.uri}
+	copy_headers {
+		X-Authentik-Username
+		X-Authentik-Groups
+		X-Authentik-Email
+		X-Authentik-Name
+		X-Authentik-Uid
+		X-Authentik-Jwt
+		X-Authentik-Meta-Jwks
+		X-Authentik-Meta-Outpost
+		X-Authentik-Meta-Provider
+		X-Authentik-Meta-App
+		X-Authentik-Meta-Version
+		X-Authentik-Other
+		X-Authentik-Password
+		X-Authentik-This
+		X-Authentik-What
+		Authorization>X-Custom-Authorization
+		X-Custom-User
+		X-Custom-Password
+		X-User-Header
 	}
 }

caddy/conf/dynamic_dns.caddy

@@ -1,9 +1,7 @@
-(dynamic_dns) {
-	dynamic_dns {
-		provider route53
-		domains {
-			{$DOMAIN}. {$SUBDOMAIN}
-		}
-		versions ipv4
+dynamic_dns {
+	provider route53
+	domains {
+		{$DOMAIN}. {$SUBDOMAIN}
 	}
+	versions ipv4
 }

caddy/conf/geoip2.caddy

@@ -1,12 +1,10 @@
-(geoip2) {
-	order geoip2_vars first
-	geoip2 {
-		#	accountId {$GEO_ACCOUNT_ID}
-		#	licenseKey {$GEO_API_KEY}
-		databaseDirectory /data/caddy/geoip/
-		lockFile /data/caddy/geoip/geoip2.lock
-		editionID GeoLite2-City
-		updateUrl https://updates.maxmind.com
-		updateFrequency 86400 # in seconds
-	}
+order geoip2_vars first
+geoip2 {
+	#	accountId {$GEO_ACCOUNT_ID}
+	#	licenseKey {$GEO_API_KEY}
+	databaseDirectory /data/caddy/geoip/
+	lockFile /data/caddy/geoip/geoip2.lock
+	editionID GeoLite2-City
+	updateUrl https://updates.maxmind.com
+	updateFrequency 86400 # in seconds
 }

caddy/conf/layer4.caddy

@@ -1,10 +1,8 @@
-(layer4) {
-	layer4 {
-		:443 {
-			@openvpn openvpn
-			route @openvpn {
-				proxy host:444 # Proxy OpenVPN traffic to its backend
-			}
+layer4 {
+	:443 {
+		@openvpn openvpn
+		route @openvpn {
+			proxy host:444 # Proxy OpenVPN traffic to its backend
 		}
 	}
 }

caddy/sites/geo.caddy

@@ -9,7 +9,7 @@ geo.{$SUBDOMAIN}.{$DOMAIN} {
 	# trusted_proxies: Trust 'X-Forwarded-For' header_up if trusted_proxies is also valid (see https://caddyserver.com/docs/caddyfile/options#trusted-proxies)
 	# default: trusted_proxies
 
-	@geofilter expression ({geoip2.country_code} == "NL")
+	@geofilter expression ({geoip2.country_code} != "FR")
 
 	route @geofilter {
 		reverse_proxy host:12345 {