tidy up caddy config

2024-12-09 09:17:33 +01:00
parent 1826dd9b4c
commit fc0acdb3ad
7 changed files with 88 additions and 100 deletions


@@ -1,10 +1,8 @@
import conf/*.caddy
{ {
import dynamic_dns import conf/dynamic_dns.caddy
import auth import conf/auth.caddy
import geoip2 import conf/geoip2.caddy
# import layer4 # import conf/layer4.caddy
} }
(unprotected) { (unprotected) {
@@ -18,7 +16,7 @@ import conf/*.caddy
(protected) { (protected) {
{args[0]}.{$SUBDOMAIN}.{$DOMAIN} { {args[0]}.{$SUBDOMAIN}.{$DOMAIN} {
import authentik import conf/authentik.caddy
reverse_proxy {args[1]} reverse_proxy {args[1]}
} }
} }


@@ -1,49 +1,47 @@
(auth) { order authenticate before respond
order authenticate before respond order authorize before reverse_proxy
order authorize before reverse_proxy security {
security { oauth identity provider generic {
oauth identity provider generic { realm mine
realm mine driver generic
driver generic client_id {$OAUTH_CLIENT_ID}
client_id {$OAUTH_CLIENT_ID} client_secret {$OAUTH_CLIENT_SECRET}
client_secret {$OAUTH_CLIENT_SECRET} scopes openid email profile
scopes openid email profile
delay_start 5 delay_start 5
retry_attempts 3 retry_attempts 3
retry_interval 10 retry_interval 10
base_auth_url https://authentik.{$SUBDOMAIN}.{$DOMAIN} base_auth_url https://authentik.{$SUBDOMAIN}.{$DOMAIN}
metadata_url https://authentik.{$SUBDOMAIN}.{$DOMAIN}/application/o/caddy/.well-known/openid-configuration metadata_url https://authentik.{$SUBDOMAIN}.{$DOMAIN}/application/o/caddy/.well-known/openid-configuration
} }
authentication portal myportal { authentication portal myportal {
enable identity provider generic enable identity provider generic
cookie domain {$DOMAIN} cookie domain {$DOMAIN}
ui { ui {
links { links {
"My Identity" "/whoami" icon "las la-user" "My Identity" "/whoami" icon "las la-user"
"Jellyfin" https://jellyfin.{$SUBDOMAIN}.{$DOMAIN} icon "las la-play" "Jellyfin" https://jellyfin.{$SUBDOMAIN}.{$DOMAIN} icon "las la-play"
}
}
transform user {
match realm mine
action add role authp/user
}
transform user {
match realm mine
# Give this account admin role in the auth portal
match email rik.veenboer@gmail.com
action add role authp/admin
} }
} }
authorization policy mypolicy {
set auth url https://auth.{$SUBDOMAIN}.{$DOMAIN}/oauth2/generic transform user {
allow roles authp/admin authp/user match realm mine
validate bearer header action add role authp/user
inject headers with claims }
transform user {
match realm mine
# Give this account admin role in the auth portal
match email rik.veenboer@gmail.com
action add role authp/admin
} }
} }
authorization policy mypolicy {
set auth url https://auth.{$SUBDOMAIN}.{$DOMAIN}/oauth2/generic
allow roles authp/admin authp/user
validate bearer header
inject headers with claims
}
} }
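Review bot: `cookie domain {$DOMAIN}` in the `authentication portal myportal` block scopes the portal's session cookie to the apex domain, so the browser also sends it to every host under `{$DOMAIN}`, including whatever the `(unprotected)` snippet in the main Caddyfile publishes and hosts this Caddy does not serve at all. Every protected site and the portal itself live under `{$SUBDOMAIN}.{$DOMAIN}` (see `set auth url https://auth.{$SUBDOMAIN}.{$DOMAIN}/oauth2/generic`), so narrowing it to `cookie domain {$SUBDOMAIN}.{$DOMAIN}` keeps the cookie off unrelated hosts without changing the login flow. Separately, the second `transform user` block grants `authp/admin` on a literal e-mail match; whether the generic provider guarantees the `email` claim is verified is not visible here and worth confirming, and reading the address from an env placeholder would keep it out of the committed config.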


@@ -1,27 +1,25 @@
(authentik) { reverse_proxy /outpost.goauthentik.io/* http://host:19000
reverse_proxy /outpost.goauthentik.io/* http://host:19000 forward_auth http://host:19000 {
forward_auth http://host:19000 { uri /outpost.goauthentik.io/auth/caddy?rd={http.request.uri}
uri /outpost.goauthentik.io/auth/caddy?rd={http.request.uri} copy_headers {
copy_headers { X-Authentik-Username
X-Authentik-Username X-Authentik-Groups
X-Authentik-Groups X-Authentik-Email
X-Authentik-Email X-Authentik-Name
X-Authentik-Name X-Authentik-Uid
X-Authentik-Uid X-Authentik-Jwt
X-Authentik-Jwt X-Authentik-Meta-Jwks
X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost
X-Authentik-Meta-Outpost X-Authentik-Meta-Provider
X-Authentik-Meta-Provider X-Authentik-Meta-App
X-Authentik-Meta-App X-Authentik-Meta-Version
X-Authentik-Meta-Version X-Authentik-Other
X-Authentik-Other X-Authentik-Password
X-Authentik-Password X-Authentik-This
X-Authentik-This X-Authentik-What
X-Authentik-What Authorization>X-Custom-Authorization
Authorization>X-Custom-Authorization X-Custom-User
X-Custom-User X-Custom-Password
X-Custom-Password X-User-Header
X-User-Header
}
} }
} }
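Review bot: The `copy_headers` list under `forward_auth http://host:19000` forwards far more than a backend can use, including `X-Authentik-Password`, `X-Custom-Password`, `X-Authentik-Jwt` and `Authorization>X-Custom-Authorization`, which reads like the full example list from the authentik docs rather than what the proxied services consume. Every listed header is passed to each `(protected)` upstream, so any credential- or token-bearing header the outpost sets reaches backends with no need for it, and how Caddy treats a listed header the outpost does not set depends on the Caddy version (either stripped from the request or left as the client supplied it), so a trimmed list is safer either way. Keeping only what the services actually read, e.g. `X-Authentik-Username`, `X-Authentik-Groups`, `X-Authentik-Email`, would do. The outpost is also reached over plain `http://`; fine if `host:19000` is a local container network, otherwise the session cookie in the forwarded request travels in clear.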


@@ -1,9 +1,7 @@
(dynamic_dns) { dynamic_dns {
dynamic_dns { provider route53
provider route53 domains {
domains { {$DOMAIN}. {$SUBDOMAIN}
{$DOMAIN}. {$SUBDOMAIN}
}
versions ipv4
} }
versions ipv4
} }


@@ -1,12 +1,10 @@
(geoip2) { order geoip2_vars first
order geoip2_vars first geoip2 {
geoip2 { # accountId {$GEO_ACCOUNT_ID}
# accountId {$GEO_ACCOUNT_ID} # licenseKey {$GEO_API_KEY}
# licenseKey {$GEO_API_KEY} databaseDirectory /data/caddy/geoip/
databaseDirectory /data/caddy/geoip/ lockFile /data/caddy/geoip/geoip2.lock
lockFile /data/caddy/geoip/geoip2.lock editionID GeoLite2-City
editionID GeoLite2-City updateUrl https://updates.maxmind.com
updateUrl https://updates.maxmind.com updateFrequency 86400 # in seconds
updateFrequency 86400 # in seconds
}
} }
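Review bot: With `accountId` and `licenseKey` commented out, the `updateUrl https://updates.maxmind.com` / `updateFrequency 86400` pair most likely cannot refresh anything, since GeoLite2 downloads require an account and license key, so the `GeoLite2-City` database under `/data/caddy/geoip/` will silently age while the config reads as if it updates daily. If the credentials were dropped on purpose, either remove the update settings too or say so, e.g. `# updates disabled: no MaxMind credentials configured, DB under /data/caddy/geoip/ is refreshed manually`; if not, restore them from `{$GEO_ACCOUNT_ID}` / `{$GEO_API_KEY}`. The geo-based routing in the site blocks is only as good as this database, so a stale copy quietly changes who gets through.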


@@ -1,10 +1,8 @@
(layer4) { layer4 {
layer4 { :443 {
:443 { @openvpn openvpn
@openvpn openvpn route @openvpn {
route @openvpn { proxy host:444 # Proxy OpenVPN traffic to its backend
proxy host:444 # Proxy OpenVPN traffic to its backend
}
} }
} }
} }


@@ -9,7 +9,7 @@ geo.{$SUBDOMAIN}.{$DOMAIN} {
# trusted_proxies: Trust 'X-Forwarded-For' header_up if trusted_proxies is also valid (see https://caddyserver.com/docs/caddyfile/options#trusted-proxies) # trusted_proxies: Trust 'X-Forwarded-For' header_up if trusted_proxies is also valid (see https://caddyserver.com/docs/caddyfile/options#trusted-proxies)
# default: trusted_proxies # default: trusted_proxies
@geofilter expression ({geoip2.country_code} == "NL") @geofilter expression ({geoip2.country_code} != "FR")
route @geofilter { route @geofilter {
reverse_proxy host:12345 { reverse_proxy host:12345 {