diff --git a/Dockerfile b/Dockerfile
index 86b438d..69b1c78 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,8 @@
-FROM docker.io/library/caddy:2.9.1-builder as builder
+FROM docker.io/library/caddy:2.9.1-builder AS builder
 RUN xcaddy build \
-    --with github.com/caddy-dns/cloudflare
+    --with github.com/caddy-dns/cloudflare \
+    --with github.com/greenpau/caddy-security
 
 FROM docker.io/library/caddy:2.9.1-alpine
 COPY --from=builder /usr/bin/caddy /usr/bin/caddy
 
diff --git a/config/Caddyfile b/config/Caddyfile
index f84728f..3c79bb1 100644
--- a/config/Caddyfile
+++ b/config/Caddyfile
@@ -1,5 +1,38 @@
 {
   email {env.ACME_EMAIL}
+
+  security {
+    oauth identity provider generic {
+      delay_start 3
+      realm generic
+      driver generic
+      client_id 54ac14e4-4e6b-46ce-a870-01b297421e89
+      client_secret 54ac14e4-4e6b-46ce-a870-01b297421e89
+      scopes openid email profile
+      base_auth_url http://localhost
+      metadata_url http://localhost/.well-known/openid-configuration
+
+    }
+
+    authentication portal docsportal {
+      crypto default token lifetime 3600 # Seconds until you have to reauthenticate
+      enable identity provider generic
+      cookie insedure off
+      transfrom {
+        match realm generic
+        action add role user
+      }
+
+    }
+
+    authorization policy docspolicy {
+      set auth url /caddy-security/oauth2/generic
+      allow roles user
+      inject headers with claims
+    }
+
+  }
+
 }
 
 housh.dev {
@@ -74,7 +107,18 @@ housh.dev {
 
   @docs host docs.housh.dev
   handle @docs {
-    reverse_proxy docs:80
+    @auth {
+      path /caddy-security/*
+    }
+
+    route @auth {
+      authenticate with docsportal
+    }
+
+    route /* {
+      authorize with docspolicy
+      reverse_proxy docs:80
+    }
   }
 
   @pocket_id host id.housh.dev
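Review bot: The new `--with github.com/greenpau/caddy-security` line pins no module version, so every rebuild resolves whatever the plugin's latest tag is at build time and the resulting binary is neither reproducible nor auditable against a known release. Pin it with an explicit tag, e.g. `--with github.com/greenpau/caddy-security@<PINNED_VERSION>` (placeholder), and the existing cloudflare `--with` line has the same gap and can be pinned the same way. Since this plugin now sits on the authentication path, a pinned version is also what lets a future advisory be matched against what is actually deployed. Pinning the two `2.9.1` base images by digest in addition to the tag would close the remaining drift in this stage.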
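Review bot: `client_secret 54ac14e4-4e6b-46ce-a870-01b297421e89` commits an OAuth client secret into the repository (and it is identical to `client_id`, which suggests a placeholder that was never replaced); once pushed it lives in git history, so it should be treated as exposed and rotated at the identity provider regardless of what happens to this line. Read it from the environment the way `email {env.ACME_EMAIL}` already does, e.g. `client_secret {env.OIDC_CLIENT_SECRET}` (example variable name), so the value is in neither the repo nor the image. Two directives in the portal block look misspelled, `cookie insedure off` and `transfrom {`; the documented forms are `cookie insecure off` and `transform user { … }`, and caddy-security will most likely reject the config at load rather than silently ignore them. `base_auth_url http://localhost` and `metadata_url http://localhost/.well-known/openid-configuration` point discovery at plain-HTTP localhost, which from inside the container is Caddy itself rather than the provider; presumably these should name the real issuer over HTTPS, so confirm before deploying.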
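Review bot: `authorize with docspolicy` now guards `reverse_proxy docs:80` only for traffic that enters through this `handle @docs` block, so the control is only as strong as the network path to `docs:80`; confirm the docs container publishes no host port and is reachable solely from Caddy, otherwise the policy is bypassed by reaching the upstream directly. `inject headers with claims` in docspolicy hands identity headers to the docs upstream, so confirm the plugin replaces rather than appends to any same-named headers a client sends, since the upstream has no other way to tell them apart. The enclosing `housh.dev {` site block starts before this hunk.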