homelab/caddy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: homelab:franken-mini
Branches Tags
homelab:main homelab:franken-mini
..
compare: homelab:main
Branches Tags
homelab:main homelab:franken-mini

53 Commits
franken-mi ... main

Author SHA1 Message Date
Michael Housh
c7f5ba5976 fix: Fixes merge conflicts. 2026-01-15 16:17:28 -05:00
Michael Housh
f303fa3d6d feat: Adds jellyseerr service. 2025-11-29 10:11:31 -05:00
Michael Housh
c3294197e4 fix: Fixes prowlarr defined twice. 2025-11-28 18:01:08 -05:00
Michael Housh
16a91ff9c1 feat: Adds other *arr stack items. 2025-11-28 17:59:06 -05:00
Michael Housh
2d5d3f427c feat: Adds prowlarr 2025-11-28 17:49:27 -05:00
Michael Housh
4c0ff938b6 fix: Removes *.mhoush.com domain, which isn't ready to move yet. 2025-11-28 17:25:47 -05:00
Michael Housh
99fe9a3fff feat: Adds jellyfin and qbittorrent. 2025-11-28 17:24:43 -05:00
Michael Housh
331621e9e7 fix: Fixes typo. 2025-11-18 14:43:08 -05:00
Michael Housh
b6ebac2c15 fix: Moves shlink web interface to seperate domain to try and solve issues. 2025-11-18 14:40:53 -05:00
Michael Housh
509445bad6 feat: Updates shlink to pass /rest/* paths to shlink server. 2025-11-18 14:34:58 -05:00
Michael Housh
1440048847 feat: Adds shlink 2025-11-18 13:37:48 -05:00
Michael Housh
7c3766f2c3 feat: Adds ollama / open-webui. 2025-10-22 11:52:41 -04:00
Michael Housh
9596eb28d0 fix: Fixes some typos and errors with crowdsec integration. 2025-10-17 10:29:04 -04:00
Michael Housh
575dd058d7 feat: Adds crowdsec to caddy. 2025-10-17 09:54:46 -04:00
Michael Housh
4f8e795216 feat: Adds calendar service to proxy 2025-10-10 15:01:25 -04:00
Michael Housh
c8002d1a99 feat: Updates pocket-id port in caddyfile, which wasn't working properly. 2025-10-09 16:25:33 -04:00
Michael Housh
8b1dc08099 feat: Adds vaultwarden to proxy. 2025-04-22 11:01:55 -04:00
Michael Housh
bf10346491 feat: Adds duplicati to proxy. 2025-04-16 15:05:40 -04:00
Michael Housh
740e00c0ce feat: Adds plausible to proxy. 2025-04-16 10:37:36 -04:00
Michael Housh
bebf2739ef feat: Reverts Dockerfile. 2025-04-11 11:04:40 -04:00
Michael Housh
e8d45bbc33 feat: Reverts to not using security. 2025-04-11 10:57:16 -04:00
Michael Housh
7ec83f72c0 feat: Adds pocket id authentication to caddy. 2025-04-11 09:05:06 -04:00
Michael Housh
bb9bcb7a9b feat: Reverts using pocket id for docs, for now. 2025-04-10 16:09:55 -04:00
Michael Housh
1df325a766 feat: Adds pocket-id to docs. 2025-04-10 15:33:28 -04:00
Michael Housh
f8f872de9d feat: Renames pocket id host in proxy. 2025-04-10 14:33:00 -04:00
Michael Housh
2aecf313c6 fix: Fixes port for pocket-id. 2025-04-10 14:10:53 -04:00
Michael Housh
4d1908b396 feat: Adds pocket-id to proxy. 2025-04-10 14:04:07 -04:00
Michael Housh
fa74ef5914 feat: Adds docs as path to housh.dev 2025-04-09 09:29:45 -04:00
Michael Housh
9199a12103 fix: Adds dns challenge to console management in reverse proxy. 2025-04-08 16:46:53 -04:00
Michael Housh
0beda1d7de fix: Fixes legacy po handler in reverse proxy. 2025-04-08 16:25:15 -04:00
Michael Housh
ff95b5b0f7 feat: Adds server management console to proxy. 2025-04-08 16:23:42 -04:00
Michael Housh
48c02343aa fix: Moves back to old setup, watchtower setup wasn't working as expected. 2025-04-04 10:09:37 -04:00
Michael Housh
1d1770d0a1 fix: Fixes domain for pulling image, because it can't use DNS when caddy is not up.
All checks were successful
CI / release (push) Successful in 1m42s
Details
2025-04-04 08:49:58 -04:00
Michael Housh
01b662c4c2 feat: Adds watchtower to compose file, uses ci built image for caddy.
All checks were successful
CI / release (push) Successful in 1m47s
Details
2025-04-04 08:44:34 -04:00
Michael Housh
680d7fd15b feat: Adds ci workflow.
All checks were successful
CI / release (push) Successful in 2m50s
Details
2025-04-04 08:16:01 -04:00
Michael Housh
f276d92b57 feat: Prepare for building docker image in ci instead of using web-hooks. 2025-04-03 17:02:47 -04:00
Michael Housh
320eed5c85 fix: Fixes port for purchase orders. 2025-04-03 15:18:21 -04:00
Michael Housh
75d8d97960 feat: Adds docs to reverse proxy. 2025-04-03 14:04:19 -04:00
Michael Housh
80b66a463c feat: Test public photo proxy on same domain as immich. 2025-03-21 14:54:22 -04:00
Michael Housh
84b21656c4 feat: Test public photo proxy on same domain as immich. 2025-03-21 14:51:46 -04:00
Michael Housh
3298dae286 fix: Fixes handle for immich-public-proxy. 2025-03-21 14:38:23 -04:00
Michael Housh
11dc0c9593 feat: Adds immich-public-proxy service. 2025-03-21 14:36:31 -04:00
Michael Housh
299df73f22 feat: Reverts back to using subdomain for snapp. 2025-03-21 12:07:27 -04:00
Michael Housh
e3ea435722 feat: Access snapp from /s/ path 2025-03-21 11:24:23 -04:00
Michael Housh
b9a0b1569b fix: Fixes proxies to not use TLS to backends as it was causing problems. 2025-03-21 11:18:21 -04:00
Michael Housh
f49093ab9b feat: Adds snapp to proxy. 2025-03-21 10:35:31 -04:00
Michael Housh
132292a908 fix: Trying shlink web over http. 2025-03-21 08:21:39 -04:00
Michael Housh
ec89dcc116 fix: Fixes excalidraw pointing to wrong port. 2025-03-20 22:21:05 -04:00
Michael Housh
c5cb229974 feat: Adds shlink web client. 2025-03-20 17:15:36 -04:00
Michael Housh
115ed8af99 feat: Adds shlink to proxy. 2025-03-20 16:59:53 -04:00
Michael Housh
f374209578 feat: Updates README 2025-03-20 13:34:16 -04:00
Michael Housh
a55daf54f4 feat: Updates Caddyfile for TLS to rogue-mini services. 2025-03-20 13:12:36 -04:00
Michael Housh
255982745a feat: Updates immich to test TLS to backend services. 2025-03-20 12:52:28 -04:00
8 changed files with 345 additions and 10 deletions
Expand all files Collapse all files

55
.gitea/workflows/ci.yaml Normal file
View File

@@ -0,0 +1,55 @@
# name: CI
#
# on:
# push:
# branches:
# - main
# pull_request: {}
# workflow_dispatch: {}
#
# jobs:
# release:
# runs-on: ubuntu-latest
# steps:
# - name: Checkout
# uses: actions/checkout@v4
# with:
# lfs: true
#
# - name: Setup QEMU
# uses: docker/setup-qemu-action@v3
#
# - name: Setup docker buildx
# uses: docker/setup-buildx-action@v3
#
# - name: Login to Container Registery
# uses: docker/login-action@v3
# with:
# registry: git.housh.dev
# username: ${{ secrets.DOCKER_USERNAME }}
# password: ${{ secrets.DOCKER_PASSWORD }}
#
# - name: Extract metadata for Docker
# id: meta
# uses: docker/metadata-action@v5
# with:
# images: git.housh.dev/homelab/caddy
# tags: |
# type=schedule
# type=ref,event=branch
# type=ref,event=pr
# type=semver,pattern={{version}}
# type=semver,pattern={{major}}.{{minor}}
# type=semver,pattern={{major}}
# type=sha
# type=raw,value=latest
#
# - name: Build and push Docker image
# uses: docker/build-push-action@v6
# with:
# context: .
# file: ./Dockerfile
# platforms: linux/arm64
# push: true
# tags: ${{ steps.meta.outputs.tags }}
# labels: ${{ steps.meta.outputs.labels }}

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
.env

22
Dockerfile
View File

@@ -1,7 +1,23 @@
FROM docker.io/library/caddy:2.9.1-builder as builder
# Adapted from: https://github.com/crowdsecurity/example-docker-compose/blob/main/caddy/Caddyfile
#
# the different stages of this Dockerfile are meant to be built into separate images
# https://docs.docker.com/develop/develop-images/multistage-build/#stop-at-a-specific-build-stage
# https://docs.docker.com/compose/compose-file/#target
# https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact
ARG CADDY_VERSION=2
FROM caddy:${CADDY_VERSION}-builder-alpine AS builder
RUN xcaddy build \
--with github.com/caddy-dns/cloudflare
--with github.com/caddy-dns/cloudflare \
--with github.com/mholt/caddy-l4 \
--with github.com/caddyserver/transform-encoder \
--with github.com/hslatman/caddy-crowdsec-bouncer/http@main \
--with github.com/hslatman/caddy-crowdsec-bouncer/layer4@main
FROM caddy:${CADDY_VERSION} AS caddy
WORKDIR /
FROM docker.io/library/caddy:2.9.1-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

17
README.md
View File

@@ -1,3 +1,18 @@
# caddy
Caddy reverse proxy.
Caddy reverse proxy, [caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy)
This repository includes the reverse-proxy for the domain's hosted under `*.housh.dev`. The primary
proxy is on the `main` branch, there are also proxies that run on each server, that can be found on
the other branches of this repository.
This allows TLS to all backend services from the `primary` proxy.
They all share the same `Dockerfile` and `compose.yaml` file, the only differences are the
`config/Caddyfile`.
## Usage
1. Clone the repository onto your host, or setup through your container manager (such as komodo).
2. Copy the `example.env` file to `.env` and update the environment variables.
3. Deploy the proxy `sudo docker compose --env-file .env up -d`

27
compose.yaml
View File

@@ -2,7 +2,7 @@ services:
caddy:
build:
context: .
dockerfile: Dockerfile
target: caddy
container_name: caddy
restart: unless-stopped
env_file:
@@ -11,6 +11,7 @@ services:
- CLOUDFLARE_EMAIL=${CF_EMAIL}
- CLOUDFLARE_API_TOKEN=${CF_AUTH_TOKEN}
- ACME_AGREE=true
- CROWDSEC_API_KEY=${CROWDSEC_API_KEY}
ports:
- 80:80
- 443:443
@@ -18,17 +19,39 @@ services:
cap_add:
- NET_ADMIN
volumes:
- ./config:/etc/caddy:z
- ./config:/etc/caddy
- caddy_data:/data
- caddy_config:/config
- caddy_logs:/var/log/caddy
networks:
- proxy
security_opt:
- no-new-privileges:true
crowdsec:
image: docker.io/crowdsecurity/crowdsec:latest
container_name: crowdsec
restart: unless-stopped
environment:
- GID=1000
- COLLECTIONS=crowdsecurity/linux crowdsecurity/caddy crowdsecurity/http-cve crowdsecurity/whitelist-good-actors
- BOUNCER_KEY_CADDY=${CROWDSEC_API_KEY}
volumes:
- crowdsec_db:/var/lib/crowdsec/data/
- ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
- caddy_logs:/var/log/caddy:ro
networks:
- proxy
security_opt:
- no-new-privileges:true
depends_on:
- caddy
volumes:
caddy_data: {}
caddy_config: {}
caddy_logs: {}
crowdsec_db: {}
networks:
proxy:

226
config/Caddyfile
View File

@@ -1,16 +1,236 @@
{
email {env.ACME_EMAIL}
servers {
client_ip_headers X-Forwarded-For
trusted_proxies static private_ranges
trusted_proxies_strict
}
order crowdsec before respond
crowdsec {
api_url http://crowdsec:8080
api_key {$CROWDSEC_API_KEY}
}
}
*.frankenmini.housh.dev {
# Subdomains
*.housh.dev {
tls {
dns cloudflare {env.CF_AUTH_TOKEN}
resolvers 1.1.1.1
}
@immich host photos.frankenmini.housh.dev
log {
level INFO
output file /var/log/caddy/access.log
}
@pos host po.housh.dev
handle @pos {
reverse_proxy http://roguemini.housh.dev:8082
crowdsec
}
@legacypos host legacy-po.housh.dev
handle @legacypos {
reverse_proxy http://roguemini.housh.dev:5000
crowdsec
}
@gitea host git.housh.dev
handle @gitea {
reverse_proxy gitea:3000
crowdsec
}
@dash host dash.housh.dev
handle @dash {
reverse_proxy http://roguemini.housh.dev:7575
crowdsec
}
@komodo host komo.housh.dev
handle @komodo {
reverse_proxy komodo:9120
crowdsec
}
@excalidraw host draw.housh.dev
handle @excalidraw {
reverse_proxy excalidraw:80
crowdsec
}
@uptimekuma host uptime.housh.dev
handle @uptimekuma {
reverse_proxy uptime_kuma:3001
crowdsec
}
@immich host photos.housh.dev
handle @immich {
reverse_proxy immich-server:2283
# Immich public proxy.
@public path /share /share/*
handle @public {
reverse_proxy http://frankenmini.housh.dev:3000
crowdsec
}
handle {
reverse_proxy http://frankenmini.housh.dev:2283
crowdsec
}
}
@snapp host s.housh.dev
handle @snapp {
reverse_proxy http://roguemini.housh.dev:3000
crowdsec
}
@docs host docs.housh.dev
handle @docs {
reverse_proxy docs:80
crowdsec
}
@pocket_id host id.housh.dev
handle @pocket_id {
reverse_proxy pocket-id:1411
crowdsec
}
@plausible host plausible.housh.dev
handle @plausible {
reverse_proxy http://roguemini.housh.dev:8004
crowdsec
}
@vaultwarden host vaultwarden.housh.dev
handle @vaultwarden {
reverse_proxy http://roguemini.housh.dev:8888
crowdsec
}
@calendar host calendar.housh.dev
handle @calendar {
reverse_proxy http://frankenmini.housh.dev:5232
crowdsec
}
@ollama host ollama.housh.dev
handle @ollama {
reverse_proxy http://roguemini.housh.dev:3001
crowdsec
}
@shlink host l.housh.dev
handle @shlink {
reverse_proxy http://roguemini.housh.dev:8880
crowdsec
}
@shlink_web host shlink.housh.dev
handle @shlink_web {
reverse_proxy http://roguemini.housh.dev:8881
crowdsec
}
######################################################
# Media / *arr stack
######################################################
@jellyfin host jellyfin.housh.dev
handle @jellyfin {
reverse_proxy http://frankenmini.housh.dev:8096
crowdsec
}
@qbittorrent host qbittorrent.housh.dev
handle @qbittorrent {
reverse_proxy http://frankenmini.housh.dev:8701
crowdsec
}
@prowlarr host prowlarr.housh.dev
handle @prowlarr {
reverse_proxy http://frankenmini.housh.dev:9696
crowdsec
}
@radarr host radarr.housh.dev
handle @radarr {
reverse_proxy http://frankenmini.housh.dev:7878
crowdsec
}
@sonarr host sonarr.housh.dev
handle @sonarr {
reverse_proxy http://frankenmini.housh.dev:8989
crowdsec
}
@lidarr host lidarr.housh.dev
handle @lidarr {
reverse_proxy http://frankenmini.housh.dev:8686
crowdsec
}
@bazarr host bazarr.housh.dev
handle @bazarr {
reverse_proxy http://frankenmini.housh.dev:6767
crowdsec
}
@jellyseerr host jellyseerr.housh.dev
handle @jellyseerr {
reverse_proxy http://frankenmini.housh.dev:5055
}
@ductcalc host ductcalc.housh.dev
handle @ductcalc {
reverse_proxy ductcalc:8080
crowdsec
}
}
# Subdomains
*.mhoush.com {
tls {
dns cloudflare {env.CF_AUTH_TOKEN}
resolvers 1.1.1.1
}
log {
level INFO
output file /var/log/caddy/access.log
}
@preview host preview.mhoush.com
handle @preview {
reverse_proxy http://frankenmini.housh.dev:8888
crowdsec
}
}
# Console
console.mightymini.housh.dev {
tls {
dns cloudflare {env.CF_AUTH_TOKEN}
resolvers 1.1.1.1
}
log {
level INFO
output file /var/log/caddy/access.log
}
reverse_proxy https://192.168.50.6:9090 {
transport http {
tls_insecure_skip_verify
}
}
crowdsec
}

4
crowdsec/acquis.yaml Normal file
View File

@@ -0,0 +1,4 @@
filenames:
- /var/log/caddy/*.log
labels:
type: caddy

1
example.env
View File

@@ -1,3 +1,4 @@
ACME_EMAIL="acme@example.com"
CF_AUTH_TOKEN="secret-token"
CF_EMAIL="cloudflare@example.com"
CROWDSEC_API_KEY="CHANGEME"