# Global Config
#
# Caddyfile for *.tremendousturtle.tools. Layout: global options, reusable
# snippets, then the site blocks and `import` lines that instantiate them.
{
	# ACME account contact and CA. The commented-out staging directory is the
	# Let's Encrypt test CA (no rate limits, untrusted certs) for dry runs.
	email certs@tremendousturtle.tools
	# ServerName assumed for TLS clients that send no SNI.
	default_sni tremendousturtle.tools
	acme_ca https://acme-v02.api.letsencrypt.org/directory
	# NOTE(review): `:2019` (no host part) listens on all interfaces rather than
	# Caddy's default of localhost:2019. The admin API is unauthenticated, so
	# confirm this port is not published beyond the container network.
	admin :2019
	# debug
	# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
	servers {
		# Only connections from Cloudflare's published IP ranges are treated as a
		# proxy whose client-IP headers may be believed. `interval`/`timeout`
		# presumably govern how the plugin refreshes those ranges — confirm
		# against the cloudflare trusted_proxies module docs.
		trusted_proxies cloudflare {
			interval 12h
			timeout 15s
		}
		# Headers consulted, in this order, for the real client address when the
		# connection comes from a trusted proxy. This is what the `client_ip`
		# matcher (used in the stash block below) relies on.
		client_ip_headers Cf-Connecting-Ip X-Forwarded-For X-Real-IP
	}
}

# Global Reusable Blocks

# Wildcard-friendly cert issuance via the Cloudflare DNS challenge.
# Tokens are read from the environment, never stored in this file.
(tls) {
	tls {
		dns cloudflare {
			zone_token {env.CF_ZONE_TOKEN}
			api_token {env.CF_API_TOKEN}
		}
		# Resolvers used when checking DNS-challenge record propagation.
		resolvers 1.1.1.1 1.0.0.1
	}
}

# Authelia forward-auth gate. args[0] is the request matcher (callers pass `*`).
# Identity headers from the auth response are copied onto the upstream request.
(secure) {
	forward_auth {args[0]} authelia-app-1:9091 {
		uri /api/authz/forward-auth
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
}

# Same gate, but the auth request leaves via the public hostname over HTTPS.
# Host is rewritten to the upstream host:port, presumably so the request
# lands on the auth.* site block below — not referenced by any import in
# this excerpt.
(secure-external) {
	forward_auth {args[0]} https://auth.tremendousturtle.tools {
		uri /api/authz/forward-auth
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
		header_up Host {upstream_hostport}
	}
}

# Per-site access log. args[0] is the subdomain label.
(ttt-log) {
	log {
		output file /logs/{args[0]}.tremendousturtle.tools.log
	}
}

# Plain reverse proxy to args[0]:args[1].
# NOTE(review): both headers are taken from the raw CF-Connecting-IP request
# header regardless of where the connection came from. For a client that
# reaches Caddy without Cloudflare in front (e.g. the LAN-facing
# ttt-app-local sites) that header is client-controlled, and when it is
# absent the upstream receives an empty X-Real-IP/X-Forwarded-For. The
# `{client_ip}` placeholder would honor the header only from trusted
# proxies — TODO confirm cloudflared traffic actually arrives from a
# Cloudflare range before switching, otherwise the real IP would be lost.
(ttt-proxy) {
	reverse_proxy {args[0]}:{args[1]} {
		header_up X-Real-IP {http.request.header.CF-Connecting-IP}
		header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
	}
}

# <app>.tremendousturtle.tools -> <app>-app-1:<port>, behind Authelia.
# args[0] = subdomain and compose project name, args[1] = upstream port.
(ttt-app) {
	{args[0]}.tremendousturtle.tools {
		import ttt-log {args[0]}
		import tls
		import secure *
		import ttt-proxy {args[0]}-app-1 {args[1]}
	}
}

# Same as ttt-app but the upstream is a service on the Docker host.
(ttt-app-local) {
	{args[0]}.tremendousturtle.tools {
		import ttt-log {args[0]}
		import tls
		import secure *
		import ttt-proxy host.docker.internal {args[1]}
	}
}

# Same as ttt-app with an explicit upstream host.
# args[0] = subdomain, args[1] = upstream host, args[2] = upstream port.
(ttt-app-alt) {
	{args[0]}.tremendousturtle.tools {
		import ttt-log {args[0]}
		import tls
		import secure *
		import ttt-proxy {args[1]} {args[2]}
	}
}

# Site fronted by Authentik (everything goes to authentik-app-1:9000,
# presumably an Authentik proxy-provider outpost — confirm).
# Two handlers pick the X-Real-IP source by presence of CF-Connecting-IP.
# NOTE(review): `@cf` fires for any request carrying that header, whoever set
# it; a client reaching Caddy directly can therefore choose the X-Real-IP
# that Authentik sees. Only safe if direct (non-Cloudflare) access to Caddy
# is otherwise restricted — same applies to the (oidc) snippet below.
(authentik) {
	{args[0]}.tremendousturtle.tools {
		import ttt-log {args[0]}
		import tls
		@not_cf header !CF-Connecting-IP
		@cf header CF-Connecting-IP *
		reverse_proxy @not_cf authentik-app-1:9000 {
			header_up X-Real-IP {remote_host}
			header_up X-Forwarded-Port {server_port}
		}
		reverse_proxy @cf authentik-app-1:9000 {
			header_up X-Real-IP {http.request.header.CF-Connecting-IP}
			header_up X-Forwarded-Port {server_port}
		}
	}
}

# Like (authentik) but proxies straight to <app>-app-1:<port> (the app does
# its own OIDC login). Same CF-Connecting-IP caveat as above.
(oidc) {
	{args[0]}.tremendousturtle.tools {
		import ttt-log {args[0]}
		import tls
		@not_cf header !CF-Connecting-IP
		@cf header CF-Connecting-IP *
		reverse_proxy @not_cf {args[0]}-app-1:{args[1]} {
			header_up X-Real-IP {remote_host}
			header_up X-Forwarded-Port {server_port}
		}
		reverse_proxy @cf {args[0]}-app-1:{args[1]} {
			header_up X-Real-IP {http.request.header.CF-Connecting-IP}
			header_up X-Forwarded-Port {server_port}
		}
	}
}

# args[0].tremendousturtle.tools -> args[1].tremendousturtle.tools, path kept.
# `redir` without a code is a temporary (302) redirect.
(redirect) {
	{args[0]}.tremendousturtle.tools {
		import tls
		redir https://{args[1]}.tremendousturtle.tools{uri}
	}
}

# Authentik forward-auth (outpost) variant. Not referenced by any import in
# this excerpt. `route` keeps the handlers in the written order so the
# outpost path is served before the auth check runs.
(authentik-forward) {
	{args[0]}.tremendousturtle.tools {
		import ttt-log {args[0]}
		import tls
		route {
			# always forward outpost path to actual outpost
			reverse_proxy /outpost.goauthentik.io/* http://authentik-app-1:9000
			# forward authentication to outpost
			forward_auth http://authentik-app-1:9000 {
				uri /outpost.goauthentik.io/auth/caddy
				# capitalization of the headers is important, otherwise they will be empty
				copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
				# optional, in this config trust all private ranges, should probably be set to the outposts IP
				# NOTE(review): this applies to the auth sub-request only; it controls
				# which peers may supply X-Forwarded-* headers to the outpost.
				trusted_proxies private_ranges
			}
			# actual site configuration below, for example
			reverse_proxy {args[1]}:{args[2]}
		}
	}
}

# Web Config

# Apex: health-check style response only.
tremendousturtle.tools {
	import tls
	respond "I'm Alive!"
}

# Authelia and Authentik portals are exposed directly (no forward_auth).
auth.tremendousturtle.tools {
	import tls
	reverse_proxy authelia-app-1:9091
}

authentik.tremendousturtle.tools {
	import tls
	reverse_proxy authentik-app-1:9000
}

# Define code.tremendousturtle.tools
# Locally hosted non-docker apps (proxies to 192.168.1.234 instead of localhost)
#import ttt-app-local code 8020
import ttt-app-local pihole 1080
import ttt-app-local sonarr 8989
import ttt-app-local radarr 7878
import ttt-app-local prowlarr 9696
import ttt-app-local cockpit 9090

# Docker apps with same subdomain as docker compose project name
#import ttt-app frigate 8971
import ttt-app overseerr 5055
import ttt-app openobserve 5080
#import ttt-app gitea 3000
#import ttt-app homepage 3000
import ttt-app requestrr 4545

# Alternate configuration (different subdomain and docker compose project name)
import ttt-app-alt budget actual-server-app-1 5006
import ttt-app-alt trilium triliumnext-notes-app-1 8080
import ttt-app-alt notes triliumnext-notes-app-1 8080
#import ttt-app-alt stash stashapp-app-1 9999
import ttt-app-alt pihole1 192.168.1.116 80

# Authentik Configs
import authentik homepage
import redirect home homepage
import authentik frigate
import authentik code
import authentik gitea
import authentik dozzle
import authentik tautulli
# (authentik-test is not defined in this file; the line below stays disabled)
#import authentik-test stash

# Authentik OIDC Configs
import oidc komodo 9120

# stash: like (authentik), plus an allow-list of client IPs that bypass
# Authentik and go straight to the app. The first matching reverse_proxy
# handles the request, so @exclude takes precedence over @not_cf/@cf.
stash.tremendousturtle.tools {
	import ttt-log stash
	import tls
	@not_cf header !CF-Connecting-IP
	@cf header CF-Connecting-IP *
	# Match the bedroom Nvidia Shield IP to skip Authentik
	# `client_ip` is the trusted-proxy-aware address, so a spoofed
	# CF-Connecting-IP from a non-Cloudflare peer does not match here.
	# NOTE(review): 127.0.0.1 is in the list — if cloudflared or any other
	# local proxy connects to Caddy over loopback, that traffic would match
	# @exclude and skip authentication entirely. Confirm where tunnel
	# connections originate before keeping loopback in this allow-list.
	@exclude client_ip 192.168.1.142 192.168.1.234 127.0.0.1
	reverse_proxy @exclude stashapp-app-1:9999 {
		header_up X-Real-IP {remote_host}
		header_up X-Forwarded-Port {server_port}
	}
	# When not from cloudflare just use the remote host as the real IP
	reverse_proxy @not_cf authentik-app-1:9000 {
		header_up X-Real-IP {remote_host}
		header_up X-Forwarded-Port {server_port}
	}
	# When from cloudflare tunnel use the CF-Connecting-IP as the real IP
	reverse_proxy @cf authentik-app-1:9000 {
		header_up X-Real-IP {http.request.header.CF-Connecting-IP}
		header_up X-Forwarded-Port {server_port}
	}
	# NOTE(review): this site block is not closed within this excerpt; the
	# remainder (at least the closing brace) lies past the end of what is shown.