feat: Adds pocket id authentication to caddy.

feat: Reverts using pocket id for docs, for now.
feat: Adds pocket-id to docs.
2025-04-11 09:05:06 -04:00 · 2025-04-10 16:09:55 -04:00 · 2025-04-10 15:33:28 -04:00 · 2025-04-10 14:33:00 -04:00 · 2025-04-10 14:10:53 -04:00 · 2025-04-10 14:04:07 -04:00
5 changed files with 165 additions and 16 deletions
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -0,0 +1,55 @@
 # name: CI
 #
 # on:
 #   push:
 #     branches:
 #       - main
 #   pull_request: {}
 #   workflow_dispatch: {}
 #
 # jobs:
 #   release:
 #     runs-on: ubuntu-latest
 #     steps:
 #       - name: Checkout
 #         uses: actions/checkout@v4
 #         with:
 #           lfs: true
 #
 #       - name: Setup QEMU
 #         uses: docker/setup-qemu-action@v3
 #
 #       - name: Setup docker buildx
 #         uses: docker/setup-buildx-action@v3
 #
 #       - name: Login to Container Registery
 #         uses: docker/login-action@v3
 #         with:
 #           registry: git.housh.dev
 #           username: ${{ secrets.DOCKER_USERNAME }}
 #           password: ${{ secrets.DOCKER_PASSWORD }}
 #
 #       - name: Extract metadata for Docker
 #         id: meta
 #         uses: docker/metadata-action@v5
 #         with:
 #           images: git.housh.dev/homelab/caddy
 #           tags: |
 #             type=schedule
 #             type=ref,event=branch
 #             type=ref,event=pr
 #             type=semver,pattern={{version}}
 #             type=semver,pattern={{major}}.{{minor}}
 #             type=semver,pattern={{major}}
 #             type=sha
 #             type=raw,value=latest
 #
 #       - name: Build and push Docker image
 #         uses: docker/build-push-action@v6
 #         with:
 #           context: .
 #           file: ./Dockerfile
 #           platforms: linux/arm64
 #           push: true
 #           tags: ${{ steps.meta.outputs.tags }}
 #           labels: ${{ steps.meta.outputs.labels }}
--- a/10
+++ b/10
@@ -1,7 +1,3 @@
-FROM docker.io/library/caddy:2.9.1-builder as builder
+FROM ghcr.io/authcrunch/authcrunch:latest
-
+COPY ./config /etc/caddy
-RUN xcaddy build \
+RUN /usr/bin/caddy fmt --overwrite /etc/caddy/Caddyfile
  --with github.com/caddy-dns/cloudflare
 FROM docker.io/library/caddy:2.9.1-alpine
 COPY --from=builder /usr/bin/caddy /usr/bin/caddy
--- a/README.md
+++ b/README.md
@@ -1,3 +1,18 @@
 # caddy
-Caddy reverse proxy.
+Caddy reverse proxy, [caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy)
 This repository includes the reverse-proxy for the domain's hosted under `*.housh.dev`. The primary
 proxy is on the `main` branch, there are also proxies that run on each server, that can be found on
 the other branches of this repository.
 This allows TLS to all backend services from the `primary` proxy.
 They all share the same `Dockerfile` and `compose.yaml` file, the only differences are the
 `config/Caddyfile`.
 ## Usage
 1. Clone the repository onto your host, or setup through your container manager (such as komodo).
 2. Copy the `example.env` file to `.env` and update the environment variables.
 3. Deploy the proxy `sudo docker compose --env-file .env up -d`
--- a/compose.yaml
+++ b/compose.yaml
@@ -2,7 +2,6 @@ services:
  caddy:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: caddy
    restart: unless-stopped
    env_file:
@@ -18,7 +17,7 @@ services:
    cap_add:
      - NET_ADMIN
    volumes:
-      - ./config:/etc/caddy:z
+      - ./config:/etc/caddy
      - caddy_data:/data
      - caddy_config:/config
    networks:
--- a/config/Caddyfile
+++ b/config/Caddyfile
@@ -1,7 +1,41 @@
 {
    email {env.ACME_EMAIL}
    # Configure caddy-security.
    order authenticate before respond
    security {
      oauth identity provider generic {
        delay_start 3
        realm generic
        driver generic
        client_id {env.OAUTH_CLIENT_ID}
        client_secret {env.OAUTH_CLIENT_SECRET}
        scopes openid email profile
        base_auth_url https://id.housh.dev
        metadata_url https://id.housh.dev/.well-known/openid-configuration
      }
      authentication portal myportal {
        crypto default token lifetime 3600 # Seconds until you have to re-authenticate
        enable identity provider generic
        cookie insecure off # Set to "on" if you're not using HTTPS
        transform user {
          match realm generic
          action add role user
        }
      }
      authorization policy mypolicy {
        set auth url /caddy-security/oauth2/generic
        allow roles user
        inject headers with claims
      }
    }
 }
 # Subdomains
 *.housh.dev {
    tls {
        dns cloudflare {env.CF_AUTH_TOKEN}
@@ -10,12 +44,12 @@
    @pos host po.housh.dev
    handle @pos {
-          reverse_proxy roguemini.housh.dev:8080
+          reverse_proxy http://roguemini.housh.dev:8082
    }
-    @legacypos host legacy-po.housh.dev, legacy-pos.housh.dev
+    @legacypos host legacy-po.housh.dev
    handle @legacypos {
-         reverse_proxy roguemini.housh.dev:5000
+         reverse_proxy http://roguemini.housh.dev:5000
    }
    @gitea host git.housh.dev
@@ -25,7 +59,7 @@
    @dash host dash.housh.dev
    handle @dash {
-         reverse_proxy roguemini.housh.dev:7575
+         reverse_proxy http://roguemini.housh.dev:7575
    }
    @komodo host komo.housh.dev
@@ -35,7 +69,7 @@
    @excalidraw host draw.housh.dev
    handle @excalidraw {
-         reverse_proxy excalidraw:8180
+         reverse_proxy excalidraw:80
    }
    @uptimekuma host uptime.housh.dev
@@ -45,7 +79,57 @@
    @immich host photos.housh.dev
    handle @immich {
-          reverse_proxy frankenmini.housh.dev:2283
+
      # Immich public proxy.
      @public path /share /share/*
      handle @public {
          reverse_proxy http://frankenmini.housh.dev:3000
      }
      handle {
          reverse_proxy http://frankenmini.housh.dev:2283
      }
    }
    @snapp host s.housh.dev
    handle @snapp {
          reverse_proxy http://roguemini.housh.dev:3000
    }
    @docs host docs.housh.dev
    handle @docs {
      @auth {
 		          path /caddy-security/*
 	    }
 	    route @auth {
 		        authenticate with myportal
 	    }
      route /* {
          reverse_proxy docs:80
      }
    }
    @pocket_id host id.housh.dev
    handle @pocket_id {
          reverse_proxy pocket-id:80
    }
 }
 # Console
 console.mightymini.housh.dev {
    tls {
        dns cloudflare {env.CF_AUTH_TOKEN}
        resolvers 1.1.1.1
    }
    reverse_proxy https://192.168.50.6:9090 {
          transport http {
              tls_insecure_skip_verify
          }
    }
 }
Author	SHA1	Message	Date
Michael Housh	7ec83f72c0	feat: Adds pocket id authentication to caddy.	2025-04-11 09:05:06 -04:00
Michael Housh	bb9bcb7a9b	feat: Reverts using pocket id for docs, for now.	2025-04-10 16:09:55 -04:00
Michael Housh	1df325a766	feat: Adds pocket-id to docs.	2025-04-10 15:33:28 -04:00
Michael Housh	f8f872de9d	feat: Renames pocket id host in proxy.	2025-04-10 14:33:00 -04:00
Michael Housh	2aecf313c6	fix: Fixes port for pocket-id.	2025-04-10 14:10:53 -04:00
Michael Housh	4d1908b396	feat: Adds pocket-id to proxy.	2025-04-10 14:04:07 -04:00
Michael Housh	fa74ef5914	feat: Adds docs as path to housh.dev	2025-04-09 09:29:45 -04:00
Michael Housh	9199a12103	fix: Adds dns challenge to console management in reverse proxy.	2025-04-08 16:46:53 -04:00
Michael Housh	0beda1d7de	fix: Fixes legacy po handler in reverse proxy.	2025-04-08 16:25:15 -04:00
Michael Housh	ff95b5b0f7	feat: Adds server management console to proxy.	2025-04-08 16:23:42 -04:00
Michael Housh	48c02343aa	fix: Moves back to old setup, watchtower setup wasn't working as expected.	2025-04-04 10:09:37 -04:00
Michael Housh	1d1770d0a1	fix: Fixes domain for pulling image, because it can't use DNS when caddy is not up. All checks were successful CI / release (push) Successful in 1m42s Details	2025-04-04 08:49:58 -04:00
Michael Housh	01b662c4c2	feat: Adds watchtower to compose file, uses ci built image for caddy. All checks were successful CI / release (push) Successful in 1m47s Details	2025-04-04 08:44:34 -04:00
Michael Housh	680d7fd15b	feat: Adds ci workflow. All checks were successful CI / release (push) Successful in 2m50s Details	2025-04-04 08:16:01 -04:00
Michael Housh	f276d92b57	feat: Prepare for building docker image in ci instead of using web-hooks.	2025-04-03 17:02:47 -04:00
Michael Housh	320eed5c85	fix: Fixes port for purchase orders.	2025-04-03 15:18:21 -04:00
Michael Housh	75d8d97960	feat: Adds docs to reverse proxy.	2025-04-03 14:04:19 -04:00
Michael Housh	80b66a463c	feat: Test public photo proxy on same domain as immich.	2025-03-21 14:54:22 -04:00
Michael Housh	84b21656c4	feat: Test public photo proxy on same domain as immich.	2025-03-21 14:51:46 -04:00
Michael Housh	3298dae286	fix: Fixes handle for immich-public-proxy.	2025-03-21 14:38:23 -04:00
Michael Housh	11dc0c9593	feat: Adds immich-public-proxy service.	2025-03-21 14:36:31 -04:00
Michael Housh	299df73f22	feat: Reverts back to using subdomain for snapp.	2025-03-21 12:07:27 -04:00
Michael Housh	e3ea435722	feat: Access snapp from /s/ path	2025-03-21 11:24:23 -04:00
Michael Housh	b9a0b1569b	fix: Fixes proxies to not use TLS to backends as it was causing problems.	2025-03-21 11:18:21 -04:00
Michael Housh	f49093ab9b	feat: Adds snapp to proxy.	2025-03-21 10:35:31 -04:00
Michael Housh	132292a908	fix: Trying shlink web over http.	2025-03-21 08:21:39 -04:00
Michael Housh	ec89dcc116	fix: Fixes excalidraw pointing to wrong port.	2025-03-20 22:21:05 -04:00
Michael Housh	c5cb229974	feat: Adds shlink web client.	2025-03-20 17:15:36 -04:00
Michael Housh	115ed8af99	feat: Adds shlink to proxy.	2025-03-20 16:59:53 -04:00
Michael Housh	f374209578	feat: Updates README	2025-03-20 13:34:16 -04:00
Michael Housh	a55daf54f4	feat: Updates Caddyfile for TLS to rogue-mini services.	2025-03-20 13:12:36 -04:00
Michael Housh	255982745a	feat: Updates immich to test TLS to backend services.	2025-03-20 12:52:28 -04:00