Compare commits
21 Commits
7ec83f72c0
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
c7f5ba5976
|
|||
|
f303fa3d6d
|
|||
|
c3294197e4
|
|||
|
16a91ff9c1
|
|||
|
2d5d3f427c
|
|||
|
4c0ff938b6
|
|||
|
99fe9a3fff
|
|||
|
331621e9e7
|
|||
|
b6ebac2c15
|
|||
|
509445bad6
|
|||
|
1440048847
|
|||
|
7c3766f2c3
|
|||
|
9596eb28d0
|
|||
|
575dd058d7
|
|||
|
4f8e795216
|
|||
|
c8002d1a99
|
|||
|
8b1dc08099
|
|||
|
bf10346491
|
|||
|
740e00c0ce
|
|||
|
bebf2739ef
|
|||
|
e8d45bbc33
|
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@@ -0,0 +1 @@
|
||||
.env
|
||||
26
Dockerfile
26
Dockerfile
@@ -1,3 +1,23 @@
|
||||
FROM ghcr.io/authcrunch/authcrunch:latest
|
||||
COPY ./config /etc/caddy
|
||||
RUN /usr/bin/caddy fmt --overwrite /etc/caddy/Caddyfile
|
||||
# Adapted from: https://github.com/crowdsecurity/example-docker-compose/blob/main/caddy/Caddyfile
|
||||
#
|
||||
# the different stages of this Dockerfile are meant to be built into separate images
|
||||
# https://docs.docker.com/develop/develop-images/multistage-build/#stop-at-a-specific-build-stage
|
||||
# https://docs.docker.com/compose/compose-file/#target
|
||||
|
||||
# https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact
|
||||
ARG CADDY_VERSION=2
|
||||
|
||||
FROM caddy:${CADDY_VERSION}-builder-alpine AS builder
|
||||
|
||||
RUN xcaddy build \
|
||||
--with github.com/caddy-dns/cloudflare \
|
||||
--with github.com/mholt/caddy-l4 \
|
||||
--with github.com/caddyserver/transform-encoder \
|
||||
--with github.com/hslatman/caddy-crowdsec-bouncer/http@main \
|
||||
--with github.com/hslatman/caddy-crowdsec-bouncer/layer4@main
|
||||
|
||||
FROM caddy:${CADDY_VERSION} AS caddy
|
||||
|
||||
WORKDIR /
|
||||
|
||||
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
|
||||
|
||||
24
compose.yaml
24
compose.yaml
@@ -2,6 +2,7 @@ services:
|
||||
caddy:
|
||||
build:
|
||||
context: .
|
||||
target: caddy
|
||||
container_name: caddy
|
||||
restart: unless-stopped
|
||||
env_file:
|
||||
@@ -10,6 +11,7 @@ services:
|
||||
- CLOUDFLARE_EMAIL=${CF_EMAIL}
|
||||
- CLOUDFLARE_API_TOKEN=${CF_AUTH_TOKEN}
|
||||
- ACME_AGREE=true
|
||||
- CROWDSEC_API_KEY=${CROWDSEC_API_KEY}
|
||||
ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
@@ -20,14 +22,36 @@ services:
|
||||
- ./config:/etc/caddy
|
||||
- caddy_data:/data
|
||||
- caddy_config:/config
|
||||
- caddy_logs:/var/log/caddy
|
||||
networks:
|
||||
- proxy
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
|
||||
crowdsec:
|
||||
image: docker.io/crowdsecurity/crowdsec:latest
|
||||
container_name: crowdsec
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
- GID=1000
|
||||
- COLLECTIONS=crowdsecurity/linux crowdsecurity/caddy crowdsecurity/http-cve crowdsecurity/whitelist-good-actors
|
||||
- BOUNCER_KEY_CADDY=${CROWDSEC_API_KEY}
|
||||
volumes:
|
||||
- crowdsec_db:/var/lib/crowdsec/data/
|
||||
- ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
|
||||
- caddy_logs:/var/log/caddy:ro
|
||||
networks:
|
||||
- proxy
|
||||
security_opt:
|
||||
- no-new-privileges:true
|
||||
depends_on:
|
||||
- caddy
|
||||
|
||||
volumes:
|
||||
caddy_data: {}
|
||||
caddy_config: {}
|
||||
caddy_logs: {}
|
||||
crowdsec_db: {}
|
||||
|
||||
networks:
|
||||
proxy:
|
||||
|
||||
189
config/Caddyfile
189
config/Caddyfile
@@ -1,37 +1,14 @@
|
||||
{
|
||||
email {env.ACME_EMAIL}
|
||||
|
||||
# Configure caddy-security.
|
||||
order authenticate before respond
|
||||
|
||||
security {
|
||||
oauth identity provider generic {
|
||||
delay_start 3
|
||||
realm generic
|
||||
driver generic
|
||||
client_id {env.OAUTH_CLIENT_ID}
|
||||
client_secret {env.OAUTH_CLIENT_SECRET}
|
||||
scopes openid email profile
|
||||
base_auth_url https://id.housh.dev
|
||||
metadata_url https://id.housh.dev/.well-known/openid-configuration
|
||||
}
|
||||
|
||||
authentication portal myportal {
|
||||
crypto default token lifetime 3600 # Seconds until you have to re-authenticate
|
||||
enable identity provider generic
|
||||
cookie insecure off # Set to "on" if you're not using HTTPS
|
||||
|
||||
transform user {
|
||||
match realm generic
|
||||
action add role user
|
||||
}
|
||||
}
|
||||
|
||||
authorization policy mypolicy {
|
||||
set auth url /caddy-security/oauth2/generic
|
||||
allow roles user
|
||||
inject headers with claims
|
||||
}
|
||||
servers {
|
||||
client_ip_headers X-Forwarded-For
|
||||
trusted_proxies static private_ranges
|
||||
trusted_proxies_strict
|
||||
}
|
||||
order crowdsec before respond
|
||||
crowdsec {
|
||||
api_url http://crowdsec:8080
|
||||
api_key {$CROWDSEC_API_KEY}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -42,39 +19,51 @@
|
||||
resolvers 1.1.1.1
|
||||
}
|
||||
|
||||
log {
|
||||
level INFO
|
||||
output file /var/log/caddy/access.log
|
||||
}
|
||||
|
||||
@pos host po.housh.dev
|
||||
handle @pos {
|
||||
reverse_proxy http://roguemini.housh.dev:8082
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@legacypos host legacy-po.housh.dev
|
||||
handle @legacypos {
|
||||
reverse_proxy http://roguemini.housh.dev:5000
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@gitea host git.housh.dev
|
||||
handle @gitea {
|
||||
reverse_proxy gitea:3000
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@dash host dash.housh.dev
|
||||
handle @dash {
|
||||
reverse_proxy http://roguemini.housh.dev:7575
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@komodo host komo.housh.dev
|
||||
handle @komodo {
|
||||
reverse_proxy komodo:9120
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@excalidraw host draw.housh.dev
|
||||
handle @excalidraw {
|
||||
reverse_proxy excalidraw:80
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@uptimekuma host uptime.housh.dev
|
||||
handle @uptimekuma {
|
||||
reverse_proxy uptime_kuma:3001
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@immich host photos.housh.dev
|
||||
@@ -84,40 +73,145 @@
|
||||
@public path /share /share/*
|
||||
handle @public {
|
||||
reverse_proxy http://frankenmini.housh.dev:3000
|
||||
crowdsec
|
||||
}
|
||||
|
||||
handle {
|
||||
reverse_proxy http://frankenmini.housh.dev:2283
|
||||
crowdsec
|
||||
}
|
||||
}
|
||||
|
||||
@snapp host s.housh.dev
|
||||
handle @snapp {
|
||||
reverse_proxy http://roguemini.housh.dev:3000
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@docs host docs.housh.dev
|
||||
handle @docs {
|
||||
@auth {
|
||||
path /caddy-security/*
|
||||
}
|
||||
|
||||
route @auth {
|
||||
authenticate with myportal
|
||||
}
|
||||
|
||||
|
||||
route /* {
|
||||
reverse_proxy docs:80
|
||||
}
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@pocket_id host id.housh.dev
|
||||
handle @pocket_id {
|
||||
reverse_proxy pocket-id:80
|
||||
reverse_proxy pocket-id:1411
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@plausible host plausible.housh.dev
|
||||
handle @plausible {
|
||||
reverse_proxy http://roguemini.housh.dev:8004
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@vaultwarden host vaultwarden.housh.dev
|
||||
handle @vaultwarden {
|
||||
reverse_proxy http://roguemini.housh.dev:8888
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@calendar host calendar.housh.dev
|
||||
handle @calendar {
|
||||
reverse_proxy http://frankenmini.housh.dev:5232
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@ollama host ollama.housh.dev
|
||||
handle @ollama {
|
||||
reverse_proxy http://roguemini.housh.dev:3001
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@shlink host l.housh.dev
|
||||
handle @shlink {
|
||||
reverse_proxy http://roguemini.housh.dev:8880
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@shlink_web host shlink.housh.dev
|
||||
handle @shlink_web {
|
||||
reverse_proxy http://roguemini.housh.dev:8881
|
||||
crowdsec
|
||||
}
|
||||
|
||||
######################################################
|
||||
# Media / *arr stack
|
||||
######################################################
|
||||
@jellyfin host jellyfin.housh.dev
|
||||
handle @jellyfin {
|
||||
reverse_proxy http://frankenmini.housh.dev:8096
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@qbittorrent host qbittorrent.housh.dev
|
||||
handle @qbittorrent {
|
||||
reverse_proxy http://frankenmini.housh.dev:8701
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@prowlarr host prowlarr.housh.dev
|
||||
handle @prowlarr {
|
||||
reverse_proxy http://frankenmini.housh.dev:9696
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@radarr host radarr.housh.dev
|
||||
handle @radarr {
|
||||
reverse_proxy http://frankenmini.housh.dev:7878
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@sonarr host sonarr.housh.dev
|
||||
handle @sonarr {
|
||||
reverse_proxy http://frankenmini.housh.dev:8989
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@lidarr host lidarr.housh.dev
|
||||
handle @lidarr {
|
||||
reverse_proxy http://frankenmini.housh.dev:8686
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@bazarr host bazarr.housh.dev
|
||||
handle @bazarr {
|
||||
reverse_proxy http://frankenmini.housh.dev:6767
|
||||
crowdsec
|
||||
}
|
||||
|
||||
@jellyseerr host jellyseerr.housh.dev
|
||||
handle @jellyseerr {
|
||||
reverse_proxy http://frankenmini.housh.dev:5055
|
||||
}
|
||||
|
||||
@ductcalc host ductcalc.housh.dev
|
||||
handle @ductcalc {
|
||||
reverse_proxy ductcalc:8080
|
||||
crowdsec
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
# Subdomains
|
||||
*.mhoush.com {
|
||||
tls {
|
||||
dns cloudflare {env.CF_AUTH_TOKEN}
|
||||
resolvers 1.1.1.1
|
||||
}
|
||||
|
||||
log {
|
||||
level INFO
|
||||
output file /var/log/caddy/access.log
|
||||
}
|
||||
|
||||
@preview host preview.mhoush.com
|
||||
handle @preview {
|
||||
reverse_proxy http://frankenmini.housh.dev:8888
|
||||
crowdsec
|
||||
}
|
||||
}
|
||||
|
||||
# Console
|
||||
@@ -127,9 +221,16 @@ console.mightymini.housh.dev {
|
||||
resolvers 1.1.1.1
|
||||
}
|
||||
|
||||
log {
|
||||
level INFO
|
||||
output file /var/log/caddy/access.log
|
||||
}
|
||||
|
||||
reverse_proxy https://192.168.50.6:9090 {
|
||||
transport http {
|
||||
tls_insecure_skip_verify
|
||||
}
|
||||
}
|
||||
crowdsec
|
||||
}
|
||||
|
||||
|
||||
4
crowdsec/acquis.yaml
Normal file
4
crowdsec/acquis.yaml
Normal file
@@ -0,0 +1,4 @@
|
||||
filenames:
|
||||
- /var/log/caddy/*.log
|
||||
labels:
|
||||
type: caddy
|
||||
@@ -1,3 +1,4 @@
|
||||
ACME_EMAIL="acme@example.com"
|
||||
CF_AUTH_TOKEN="secret-token"
|
||||
CF_EMAIL="cloudflare@example.com"
|
||||
CROWDSEC_API_KEY="CHANGEME"
|
||||
|
||||
Reference in New Issue
Block a user