diff --git a/Dockerfile b/Dockerfile
index 69b1c78..3bd88d7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,9 +1,3 @@
-FROM docker.io/library/caddy:2.9.1-builder AS builder
-
-RUN xcaddy build \ --with github.com/caddy-dns/cloudflare \ --with github.com/greenpau/caddy-security
-
-FROM docker.io/library/caddy:2.9.1-alpine
-COPY --from=builder /usr/bin/caddy /usr/bin/caddy
+FROM ghcr.io/authcrunch/authcrunch:latest
 COPY ./config /etc/caddy
+RUN /usr/bin/caddy fmt --overwrite /etc/caddy/Caddyfile
diff --git a/config/Caddyfile b/config/Caddyfile
index f84728f..55cccd4 100644
--- a/config/Caddyfile
+++ b/config/Caddyfile
@@ -1,14 +1,38 @@
 {
 email {env.ACME_EMAIL}
-}
-housh.dev {
- tls {
- dns cloudflare {env.CF_AUTH_TOKEN}
- resolvers 1.1.1.1
+ # Configure caddy-security.
+ order authenticate before respond
+
+ security {
+ oauth identity provider generic {
+ delay_start 3
+ realm generic
+ driver generic
+ client_id {env.OAUTH_CLIENT_ID}
+ client_secret {env.OAUTH_CLIENT_SECRET}
+ scopes openid email profile
+ base_auth_url https://id.housh.dev
+ metadata_url https://id.housh.dev/.well-known/openid-configuration
+ }
+
+ authentication portal myportal {
+ crypto default token lifetime 3600 # Seconds until you have to re-authenticate
+ enable identity provider generic
+ cookie insecure off # Set to "on" if you're not using HTTPS
+
+ transform user {
+ match realm generic
+ action add role user
+ }
+ }
+
+ authorization policy mypolicy {
+ set auth url /caddy-security/oauth2/generic
+ allow roles user
+ inject headers with claims
+ }
 }
-
- reverse_proxy /docs/* http://docs:80
 }
 # Subdomains
@@ -74,7 +98,18 @@ housh.dev {
 @docs host docs.housh.dev
 handle @docs {
+ @auth {
+ path /caddy-security/*
+ }
+
+ route @auth {
+ authenticate with myportal
+ }
+
+
+ route /* {
 reverse_proxy docs:80
+ }
 }
 @pocket_id host id.housh.dev
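Review bot: `FROM ghcr.io/authcrunch/authcrunch:latest` replaces a base pinned to caddy 2.9.1 with a floating tag, so the image that now enforces authentication for the site can change on any rebuild with no diff to review, and a regressed or compromised upstream push lands automatically. Pin the release tag and digest, e.g. `FROM ghcr.io/authcrunch/authcrunch:<release>@sha256:<digest>`, and bump it deliberately. Since the Cloudflare DNS plugin is no longer compiled in, confirm the prebuilt image ships every plugin the remaining Caddyfile still needs; relying on a third-party prebuilt image instead of the official caddy image plus a pinned xcaddy build is a supply-chain trade-off worth recording in a comment above the `FROM`. It would also be worth failing the build on a broken config after the `fmt` step, e.g. `RUN caddy validate --config /etc/caddy/Caddyfile --adapter caddyfile`, provided the `{env.*}` placeholders resolve acceptably at build time.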
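Review bot: The `transform user` block adds the `user` role to every identity in realm `generic`, and `mypolicy` allows exactly that role, so any account the provider at id.housh.dev will issue a token for is admitted; that is only as tight as the provider's own sign-up policy, which this hunk cannot show. If the IdP permits self-registration or serves other applications, narrow the match (for example on specific email claims) before `action add role user`. `inject headers with claims` presumably forwards identity headers to the upstream, so the upstream must be reachable only through this proxy — a client that can reach `docs:80` directly could supply those headers itself, which deserves a comment next to the directive. The hunk also drops `dns cloudflare {env.CF_AUTH_TOKEN}` (the DNS-01 challenge); that is fine for hostnames that can satisfy an HTTP or TLS-ALPN challenge, but it breaks issuance for any wildcard name in this site block, and `CF_AUTH_TOKEN` can now be removed from the deployment.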
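Review bot: `route /* { reverse_proxy docs:80 }` never calls `authorize with mypolicy`, so docs.housh.dev is still proxied to anyone; only `/caddy-security/*` goes through the portal, and the policy defined in the global block (with its claim-header injection) is unused unless it is applied somewhere outside this hunk. Insert the directive ahead of the proxy, `authorize with mypolicy` as the first line of the `route /*` block, so an unauthenticated request is redirected to `/caddy-security/oauth2/generic` instead of being served; inside a `route` block directives run in the order written, so no extra global `order authorize` line should be required. The `handle @docs` block is complete within the hunk, but the enclosing `housh.dev {` site block starts and ends outside it.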