chris/docker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8de9b5736527832c08353a136fab9c44fc061ab4
docker/caddy/config/Caddyfile
Chris King 8de9b57365 Move Stash to Authentik 
Add bypass for bedroom ShieldTV
Remove Stash port forwarding
Set STASH_EXTERNAL_HOST to URL
Add customized DupFileManager plugin to Stash
Enable custom_served_folders in Stash
Disable built-in Stash auth in favor of Authentik
Add additional Stash plugins and plugin sources
Add FansDB stash box configuration
2025-02-16 01:20:53 -08:00

201 lines
5.2 KiB
Caddyfile
Raw Blame History

# Global Config
{
email certs@tremendousturtle.tools
default_sni tremendousturtle.tools
acme_ca https://acme-v02.api.letsencrypt.org/directory
admin :2019
# debug
# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
servers {
trusted_proxies cloudflare {
interval 12h
timeout 15s
}
client_ip_headers Cf-Connecting-Ip X-Forwarded-For X-Real-IP
}
}
# Global Reusable Blocks
(tls) {
tls {
dns cloudflare {
zone_token {env.CF_ZONE_TOKEN}
api_token {env.CF_API_TOKEN}
}
resolvers 1.1.1.1 1.0.0.1
}
}
(secure) {
forward_auth {args[0]} authelia-app-1:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
}
(secure-external) {
forward_auth {args[0]} https://auth.tremendousturtle.tools {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
header_up Host {upstream_hostport}
}
}
(ttt-log) {
log {
output file /logs/{args[0]}.tremendousturtle.tools.log
}
}
(ttt-proxy) {
reverse_proxy {args[0]}:{args[1]} {
header_up X-Real-IP {http.request.header.CF-Connecting-IP}
header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
}
}
(ttt-app) {
{args[0]}.tremendousturtle.tools {
import ttt-log {args[0]}
import tls
import secure *
import ttt-proxy {args[0]}-app-1 {args[1]}
}
}
(ttt-app-local) {
{args[0]}.tremendousturtle.tools {
import ttt-log {args[0]}
import tls
import secure *
import ttt-proxy host.docker.internal {args[1]}
}
}
(ttt-app-alt) {
{args[0]}.tremendousturtle.tools {
import ttt-log {args[0]}
import tls
import secure *
import ttt-proxy {args[1]} {args[2]}
}
}
(authentik) {
{args[0]}.tremendousturtle.tools {
import ttt-log {args[0]}
import tls
@not_cf header !CF-Connecting-IP
@cf header CF-Connecting-IP *
reverse_proxy @not_cf authentik-app-1:9000 {
header_up X-Real-IP {remote_host}
header_up X-Forwarded-Port {server_port}
}
reverse_proxy @cf authentik-app-1:9000 {
header_up X-Real-IP {http.request.header.CF-Connecting-IP}
header_up X-Forwarded-Port {server_port}
}
}
}
(redirect) {
{args[0]}.tremendousturtle.tools {
import tls
redir https://{args[1]}.tremendousturtle.tools{uri}
}
}
(authentik-forward) {
{args[0]}.tremendousturtle.tools {
import ttt-log {args[0]}
import tls
route {
# always forward outpost path to actual outpost
reverse_proxy /outpost.goauthentik.io/* http://authentik-app-1:9000
# forward authentication to outpost
forward_auth http://authentik-app-1:9000 {
uri /outpost.goauthentik.io/auth/caddy
# capitalization of the headers is important, otherwise they will be empty
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
# optional, in this config trust all private ranges, should probably be set to the outposts IP
trusted_proxies private_ranges
}
# actual site configuration below, for example
reverse_proxy {args[1]}:{args[2]}
}
}
}
# Web Config
tremendousturtle.tools {
import tls
respond "I'm Alive!"
}
auth.tremendousturtle.tools {
import tls
reverse_proxy authelia-app-1:9091
}
authentik.tremendousturtle.tools {
import tls
reverse_proxy authentik-app-1:9000
}
# Define code.tremendousturtle.tools
# Locally hosted non-docker apps (proxies to 192.168.1.234 instead of localhost)
#import ttt-app-local code 8020
import ttt-app-local pihole 1080
import ttt-app-local sonarr 8989
import ttt-app-local radarr 7878
import ttt-app-local prowlarr 9696
import ttt-app-local cockpit 9090
# Docker apps with same subdomain as docker compose project name
#import ttt-app frigate 8971
import ttt-app overseerr 5055
import ttt-app openobserve 5080
#import ttt-app gitea 3000
#import ttt-app homepage 3000
import ttt-app requestrr 4545
# Alternate configuration (different subdomain and docker compose project name)
import ttt-app-alt budget actual-server-app-1 5006
import ttt-app-alt trilium triliumnext-notes-app-1 8080
import ttt-app-alt notes triliumnext-notes-app-1 8080
#import ttt-app-alt stash stashapp-app-1 9999
import ttt-app-alt pihole1 192.168.1.116 80
# Authentik Configs
import authentik homepage
import redirect home homepage
import authentik frigate
import authentik code
import authentik gitea
import authentik dozzle
import authentik tautulli
#import authentik-test stash
stash.tremendousturtle.tools {
import ttt-log stash
import tls
@not_cf header !CF-Connecting-IP
@cf header CF-Connecting-IP *
# Match the bedroom Nvidia Shield IP to skip Authentik
@shield client_ip 192.168.1.142
reverse_proxy @shield stashapp-app-1:9999 {
header_up X-Real-IP {remote_host}
header_up X-Forwarded-Port {server_port}
}
# When not from cloudflare just use the remote host as the real IP
reverse_proxy @not_cf authentik-app-1:9000 {
header_up X-Real-IP {remote_host}
header_up X-Forwarded-Port {server_port}
}
# When from cloudflare tunnel use the CF-Connecting-IP as the real IP
reverse_proxy @cf authentik-app-1:9000 {
header_up X-Real-IP {http.request.header.CF-Connecting-IP}
header_up X-Forwarded-Port {server_port}
}
Reference in New Issue View Git Blame Copy Permalink