homelab/caddy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Adds crowdsec to caddy.

Browse Source
This commit is contained in:
Michael Housh
2025-10-17 09:54:46 -04:00
parent 4f8e795216
commit 575dd058d7
6 changed files with 82 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
.env

29
Dockerfile
View File

@@ -1,18 +1,23 @@
FROM caddy/caddy:2.9.1-builder-alpine AS builder
# Adapted from: https://github.com/crowdsecurity/example-docker-compose/blob/main/caddy/Caddyfile
#
# the different stages of this Dockerfile are meant to be built into separate images
# https://docs.docker.com/develop/develop-images/multistage-build/#stop-at-a-specific-build-stage
# https://docs.docker.com/compose/compose-file/#target
# https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact
ARG CADDY_VERSION=2
FROM caddy:${CADDY_VERSION}-builder-alpine AS builder
RUN xcaddy build \
--with github.com/caddy-dns/cloudflare
--with github.com/caddy-dns/cloudflare \
--with github.com/mholt/caddy-l4 \
--with github.com/caddyserver/transform-encoder \
--with github.com/hslatman/caddy-crowdsec-bouncer/http@main \
--with github.com/hslatman/caddy-crowdsec-bouncer/layer4@main
# ==================================================
# Run image
# ==================================================
FROM caddy:${CADDY_VERSION} AS caddy
#FROM ghcr.io/authcrunch/authcrunch:latest
FROM caddy/caddy:2.9.1-alpine
WORKDIR /
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
COPY ./config /etc/caddy
RUN /usr/bin/caddy fmt --overwrite /etc/caddy/Caddyfile
CMD ["/usr/bin/caddy", "run", "--config", "/etc/caddy/Caddyfile"]

22
compose.yaml
View File

@@ -2,6 +2,7 @@ services:
caddy:
build:
context: .
target: caddy
container_name: caddy
restart: unless-stopped
env_file:
@@ -10,6 +11,7 @@ services:
- CLOUDFLARE_EMAIL=${CF_EMAIL}
- CLOUDFLARE_API_TOKEN=${CF_AUTH_TOKEN}
- ACME_AGREE=true
- CROWDSEC_API_KEY=${CROWDSEC_API_KEY}
ports:
- 80:80
- 443:443
@@ -20,6 +22,24 @@ services:
- ./config:/etc/caddy
- caddy_data:/data
- caddy_config:/config
- caddy_logs:/var/log/caddy
networks:
- proxy
security_opt:
- no-new-privileges:true
crowdsec:
image: docker.io/crowdsecurity/crowdsec:latest
container_name: crowdsec
restart: unless-stopped
environment:
- GID=1000
- COLLECTIONS="crowdsecurity/linux crowdsecurity/caddy crowdsecurity/http-cve crowdsecurity/whitelisth-good-actors"
- BOUNCER_KEY_CADDY=${CROWDSEC_API_KEY}
volumes:
- crowdsec_db:/var/lib/crowdsec/data/
- ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
- caddy_logs:/var/log/caddy:ro
networks:
- proxy
security_opt:
@@ -28,6 +48,8 @@ services:
volumes:
caddy_data: {}
caddy_config: {}
caddy_logs: {}
crowdsec_db: {}
networks:
proxy:

47
config/Caddyfile
View File

@@ -1,5 +1,15 @@
{
email {env.ACME_EMAIL}
servers {
client_ip_headers X-Forwarded-For
trusted_proxies static private_ranges
trusted_proxies_strict
}
order crowdsec before respond
crowdsec {
api_url http://crowdsec:8080
api_key {$CROWDSEC_API_KEY}
}
}
# Subdomains
@@ -9,39 +19,51 @@
resolvers 1.1.1.1
}
log {
level INFO
output file /var/log/caddy/access.log
}
@pos host po.housh.dev
handle @pos {
reverse_proxy http://roguemini.housh.dev:8082
crowdsec
}
@legacypos host legacy-po.housh.dev
handle @legacypos {
reverse_proxy http://roguemini.housh.dev:5000
crowdsec
}
@gitea host git.housh.dev
handle @gitea {
reverse_proxy gitea:3000
crowdsec
}
@dash host dash.housh.dev
handle @dash {
reverse_proxy http://roguemini.housh.dev:7575
crowdsec
}
@komodo host komo.housh.dev
handle @komodo {
reverse_proxy komodo:9120
crowdsec
}
@excalidraw host draw.housh.dev
handle @excalidraw {
reverse_proxy excalidraw:80
crowdsec
}
@uptimekuma host uptime.housh.dev
handle @uptimekuma {
reverse_proxy uptime_kuma:3001
crowdsec
}
@immich host photos.housh.dev
@@ -51,41 +73,49 @@
@public path /share /share/*
handle @public {
reverse_proxy http://frankenmini.housh.dev:3000
crowdsec
}
handle {
reverse_proxy http://frankenmini.housh.dev:2283
crowdsec
}
}
@snapp host s.housh.dev
handle @snapp {
reverse_proxy http://roguemini.housh.dev:3000
crowdsec
}
@docs host docs.housh.dev
handle @docs {
reverse_proxy docs:80
crowdsec
}
@pocket_id host id.housh.dev
handle @pocket_id {
reverse_proxy pocket-id:1411
crowdsec
}
@plausible host plausible.housh.dev
handle @plausible {
reverse_proxy http://roguemini.housh.dev:8004
crowdsec
}
@vaultwarden host vaultwarden.housh.dev
handle @vaultwarden {
reverse_proxy http://roguemini.housh.dev:8888
crowdsec
}
@calendar host calendar.housh.dev
handle @calendar {
reverse_proxy http://frankenmini.housh.dev:5232
reverse_proxy http://frankenmini.housh.dev:5232
crowdsec
}
@@ -98,19 +128,16 @@ console.mightymini.housh.dev {
resolvers 1.1.1.1
}
log {
level INFO
output file /var/log/caddy/access.log
}
reverse_proxy https://192.168.50.6:9090 {
transport http {
tls_insecure_skip_verify
}
crowdsec
}
}
# Duplicati (backup service).
duplicati.mightymini.housh.dev {
tls {
dns cloudflare {env.CF_AUTH_TOKEN}
resolvers 1.1.1.1
}
reverse_proxy http://duplicati:8200
}

4
crowdsec/acquis.yaml Normal file
View File

@@ -0,0 +1,4 @@
filenames:
- /var/log/caddy/*.log
labels:
type: caddy

1
example.env
View File

@@ -1,3 +1,4 @@
ACME_EMAIL="acme@example.com"
CF_AUTH_TOKEN="secret-token"
CF_EMAIL="cloudflare@example.com"
CROWDSEC_API_KEY="CHANGEME"