Move Caddyfile into config/Caddyfile to allow caddy reload to work in Docker
Remove caddyfile configs setup in docker-compose.yml Add authentik, redirect, and authentik-forward Caddyfile snippets Move homepage, frigate, and code into Authentik in Caddyfile Add redirect for home to homepage
This commit is contained in:
Chris King
163
caddy/config/Caddyfile
Normal file
163
caddy/config/Caddyfile
Normal file
@@ -0,0 +1,163 @@
|
||||
# Global Config
|
||||
{
|
||||
email certs@tremendousturtle.tools
|
||||
default_sni tremendousturtle.tools
|
||||
acme_ca https://acme-v02.api.letsencrypt.org/directory
|
||||
admin :2019
|
||||
# debug
|
||||
# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
|
||||
|
||||
servers {
|
||||
trusted_proxies cloudflare {
|
||||
interval 12h
|
||||
timeout 15s
|
||||
}
|
||||
client_ip_headers Cf-Connecting-Ip X-Forwarded-For X-Real-IP
|
||||
}
|
||||
}
|
||||
|
||||
# Global Reusable Blocks
|
||||
(tls) {
|
||||
tls {
|
||||
dns cloudflare {
|
||||
zone_token {env.CF_ZONE_TOKEN}
|
||||
api_token {env.CF_API_TOKEN}
|
||||
}
|
||||
resolvers 1.1.1.1 1.0.0.1
|
||||
}
|
||||
}
|
||||
(secure) {
|
||||
forward_auth {args[0]} authelia-app-1:9091 {
|
||||
uri /api/authz/forward-auth
|
||||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||
}
|
||||
}
|
||||
(secure-external) {
|
||||
forward_auth {args[0]} https://auth.tremendousturtle.tools {
|
||||
uri /api/authz/forward-auth
|
||||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||
header_up Host {upstream_hostport}
|
||||
}
|
||||
}
|
||||
(ttt-log) {
|
||||
log {
|
||||
output file /logs/{args[0]}.tremendousturtle.tools.log
|
||||
}
|
||||
}
|
||||
(ttt-proxy) {
|
||||
reverse_proxy {args[0]}:{args[1]} {
|
||||
header_up X-Real-IP {http.request.header.CF-Connecting-IP}
|
||||
header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
|
||||
}
|
||||
}
|
||||
(ttt-app) {
|
||||
{args[0]}.tremendousturtle.tools {
|
||||
import ttt-log {args[0]}
|
||||
import tls
|
||||
import secure *
|
||||
import ttt-proxy {args[0]}-app-1 {args[1]}
|
||||
}
|
||||
}
|
||||
(ttt-app-local) {
|
||||
{args[0]}.tremendousturtle.tools {
|
||||
import ttt-log {args[0]}
|
||||
import tls
|
||||
import secure *
|
||||
import ttt-proxy host.docker.internal {args[1]}
|
||||
}
|
||||
}
|
||||
(ttt-app-alt) {
|
||||
{args[0]}.tremendousturtle.tools {
|
||||
import ttt-log {args[0]}
|
||||
import tls
|
||||
import secure *
|
||||
import ttt-proxy {args[1]} {args[2]}
|
||||
}
|
||||
}
|
||||
(authentik) {
|
||||
{args[0]}.tremendousturtle.tools {
|
||||
import ttt-log {args[0]}
|
||||
import tls
|
||||
reverse_proxy authentik-app-1:9000 {
|
||||
header_up X-Real-IP {http.request.header.CF-Connecting-IP}
|
||||
header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
|
||||
}
|
||||
}
|
||||
}
|
||||
(redirect) {
|
||||
{args[0]}.tremendousturtle.tools {
|
||||
import tls
|
||||
redir https://{args[1]}.tremendousturtle.tools{uri}
|
||||
}
|
||||
}
|
||||
(authentik-forward) {
|
||||
{args[0]}.tremendousturtle.tools {
|
||||
import ttt-log {args[0]}
|
||||
import tls
|
||||
route {
|
||||
# always forward outpost path to actual outpost
|
||||
reverse_proxy /outpost.goauthentik.io/* http://authentik-app-1:9000
|
||||
|
||||
# forward authentication to outpost
|
||||
forward_auth http://authentik-app-1:9000 {
|
||||
uri /outpost.goauthentik.io/auth/caddy
|
||||
|
||||
# capitalization of the headers is important, otherwise they will be empty
|
||||
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
|
||||
|
||||
# optional, in this config trust all private ranges, should probably be set to the outposts IP
|
||||
trusted_proxies private_ranges
|
||||
}
|
||||
|
||||
# actual site configuration below, for example
|
||||
reverse_proxy {args[1]}:{args[2]}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Web Config
|
||||
tremendousturtle.tools {
|
||||
import tls
|
||||
respond "I'm Alive!"
|
||||
}
|
||||
|
||||
auth.tremendousturtle.tools {
|
||||
import tls
|
||||
reverse_proxy authelia-app-1:9091
|
||||
}
|
||||
|
||||
authentik.tremendousturtle.tools {
|
||||
import tls
|
||||
reverse_proxy authentik-app-1:9000
|
||||
}
|
||||
|
||||
# Define code.tremendousturtle.tools
|
||||
# Locally hosted non-docker apps (proxies to 192.168.1.234 instead of localhost)
|
||||
#import ttt-app-local code 8020
|
||||
import ttt-app-local pihole 1080
|
||||
import ttt-app-local sonarr 8989
|
||||
import ttt-app-local radarr 7878
|
||||
import ttt-app-local prowlarr 9696
|
||||
import ttt-app-local cockpit 9090
|
||||
|
||||
# Docker apps with same subdomain as docker compose project name
|
||||
#import ttt-app frigate 8971
|
||||
import ttt-app overseerr 5055
|
||||
import ttt-app openobserve 5080
|
||||
import ttt-app gitea 3000
|
||||
#import ttt-app homepage 3000
|
||||
import ttt-app requestrr 4545
|
||||
|
||||
# Alternate configuration (different subdomain and docker compose project name)
|
||||
import ttt-app-alt budget actual-server-app-1 5006
|
||||
import ttt-app-alt trilium triliumnext-notes-app-1 8080
|
||||
import ttt-app-alt notes triliumnext-notes-app-1 8080
|
||||
import ttt-app-alt stash stashapp-app-1 9999
|
||||
import ttt-app-alt pihole1 192.168.1.116 80
|
||||
|
||||
# Authentik Configs
|
||||
import authentik homepage
|
||||
import redirect home homepage
|
||||
|
||||
import authentik frigate
|
||||
import authentik code
|
||||
Reference in New Issue
Block a user