Change Authentik server image to use env variables again

code-server docker is actually not used at this time

authelia/config/authelia/configuration.yml

@@ -6,7 +6,19 @@ server:
 
 # Security https://www.authelia.com/configuration/security/access-control/
 access_control:
+  networks:
+  - name: 'internal'
+    networks:
+    - '192.168.1.0/24'
+    - '172.16.0.0/12'
   rules:
+  - domain: 'gitea.tremendousturtle.tools'
+    policy: bypass
+    networks:
+    - 'internal'
+    resources:
+    - '^/api([/?].*)?$'
+    - '^/v2([/?].*)?$'
   - domain: '*.tremendousturtle.tools'
     policy: two_factor
 

authentik/docker-compose.yml

@@ -42,6 +42,8 @@ services:
     networks:
       - proxy-net
       - default
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     volumes:
       - ./data/media:/media
       - ./config/custom-templates:/templates
@@ -50,6 +52,9 @@ services:
     ports:
       - "${COMPOSE_PORT_HTTP:-9000}:9000"
       - "${COMPOSE_PORT_HTTPS:-9443}:9443"
+    expose:
+      - "9000"
+      - "9443"
     depends_on:
       db:
         condition: service_healthy

caddy/config/Caddyfile

@@ -74,6 +74,46 @@
 		import ttt-proxy {args[1]} {args[2]}
 	}
 }
+(authentik) {
+	{args[0]}.tremendousturtle.tools {
+		import ttt-log {args[0]}
+		import tls
+		reverse_proxy authentik-app-1:9000 {
+			header_up X-Real-IP {http.request.header.CF-Connecting-IP}
+			header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
+		}
+	}
+}
+(redirect) {
+	{args[0]}.tremendousturtle.tools {
+		import tls
+		redir https://{args[1]}.tremendousturtle.tools{uri}
+	}
+}
+(authentik-forward) {
+	{args[0]}.tremendousturtle.tools {
+		import ttt-log {args[0]}
+		import tls
+		route {
+			# always forward outpost path to actual outpost
+			reverse_proxy /outpost.goauthentik.io/* http://authentik-app-1:9000
+
+			# forward authentication to outpost
+			forward_auth http://authentik-app-1:9000 {
+				uri /outpost.goauthentik.io/auth/caddy
+
+				# capitalization of the headers is important, otherwise they will be empty
+				copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+
+				# optional, in this config trust all private ranges, should probably be set to the outposts IP
+				trusted_proxies private_ranges
+			}
+
+			# actual site configuration below, for example
+			reverse_proxy {args[1]}:{args[2]}
+		}
+	}
+}
 
 # Web Config
 tremendousturtle.tools {
@@ -93,7 +133,7 @@ authentik.tremendousturtle.tools {
 
 # Define code.tremendousturtle.tools
 # Locally hosted non-docker apps (proxies to 192.168.1.234 instead of localhost)
-import ttt-app-local code 8020
+#import ttt-app-local code 8020
 import ttt-app-local pihole 1080
 import ttt-app-local sonarr 8989
 import ttt-app-local radarr 7878
@@ -101,11 +141,11 @@ import ttt-app-local prowlarr 9696
 import ttt-app-local cockpit 9090
 
 # Docker apps with same subdomain as docker compose project name
-import ttt-app frigate 8971
+#import ttt-app frigate 8971
 import ttt-app overseerr 5055
 import ttt-app openobserve 5080
-import ttt-app gitea 3000
+#import ttt-app gitea 3000
-import ttt-app homepage 3000
+#import ttt-app homepage 3000
 import ttt-app requestrr 4545
 
 # Alternate configuration (different subdomain and docker compose project name)
@@ -114,3 +154,11 @@ import ttt-app-alt trilium triliumnext-notes-app-1 8080
 import ttt-app-alt notes triliumnext-notes-app-1 8080
 import ttt-app-alt stash stashapp-app-1 9999
 import ttt-app-alt pihole1 192.168.1.116 80
+
+# Authentik Configs
+import authentik homepage
+import redirect home homepage
+
+import authentik frigate
+import authentik code
+import authentik gitea

caddy/docker-compose.yml

@@ -13,12 +13,10 @@ services:
       - "443:443"
       - "443:443/udp"
       - "2019:2019"
-    configs:
-      - source: caddyfile
-        target: /etc/caddy/Caddyfile
     volumes:
       - ./data/site:/srv
       - ./data/logs:/logs
+      - ./config:/etc/caddy
       - caddy_data:/data
       - caddy_config:/config
 
@@ -26,10 +24,6 @@ networks:
   proxy-net:
     external: true
 
-configs:
-  caddyfile:
-    file: ./Caddyfile
-
 volumes:
   caddy_data:
   caddy_config:

frigate/config/config.yaml

@@ -4,7 +4,7 @@ auth:
 
 proxy:
   header_map:
-    user: Remote-User
+    user: X-Forwarded-Preferred-Username
 
 tls:
   enabled: false

frigate/docker-compose.yml

@@ -2,7 +2,8 @@ name: frigate
 services:
   app:
     restart: unless-stopped
-    image: ghcr.io/blakeblackshear/frigate:stable
+    #image: ghcr.io/blakeblackshear/frigate:stable
+    image: gitea.tremendousturtle.tools/chris/frigate:v0.14.1-web-admin-088ff992
     shm_size: "250mb"
     devices:
       - /dev/apex_0:/dev/apex_0 # Passes a PCIe Coral
@@ -20,6 +21,7 @@ services:
     networks:
       - proxy-net
     ports:
+      # - "8971:8971"
       - "8554:8554" # RTSP feeds
       - "8555:8555/tcp" # WebRTC over tcp
       - "8555:8555/udp" # WebRTC over udp

gitea/docker-compose.yml

@@ -17,6 +17,9 @@ services:
       GITEA__database__USER: ${GITEA_DB_USER}
       GITEA__database__PASSWD__FILE: /run/secrets/postgres_pass
       GITEA__server__SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE: gitea --config={{.CustomConf}} serv key-{{.Key.ID}}
+      GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION: true
+      GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION: true
+      GITEA__service__ENABLE_REVERSE_PROXY_EMAIL: true
     restart: unless-stopped
     networks:
       - gitea