fix: Fixes merge conflicts.

feat: Adds jellyseerr service.
fix: Fixes prowlarr defined twice.
2026-01-15 16:17:28 -05:00 · 2025-11-29 10:11:31 -05:00 · 2025-11-28 18:01:08 -05:00 · 2025-11-28 17:59:06 -05:00 · 2025-11-28 17:49:27 -05:00 · 2025-11-28 17:25:47 -05:00
8 changed files with 345 additions and 10 deletions
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -0,0 +1,55 @@
+# name: CI
+#
+# on:
+#   push:
+#     branches:
+#       - main
+#   pull_request: {}
+#   workflow_dispatch: {}
+#
+# jobs:
+#   release:
+#     runs-on: ubuntu-latest
+#     steps:
+#       - name: Checkout
+#         uses: actions/checkout@v4
+#         with:
+#           lfs: true
+#
+#       - name: Setup QEMU
+#         uses: docker/setup-qemu-action@v3
+#
+#       - name: Setup docker buildx
+#         uses: docker/setup-buildx-action@v3
+#
+#       - name: Login to Container Registery
+#         uses: docker/login-action@v3
+#         with:
+#           registry: git.housh.dev
+#           username: ${{ secrets.DOCKER_USERNAME }}
+#           password: ${{ secrets.DOCKER_PASSWORD }}
+#
+#       - name: Extract metadata for Docker
+#         id: meta
+#         uses: docker/metadata-action@v5
+#         with:
+#           images: git.housh.dev/homelab/caddy
+#           tags: |
+#             type=schedule
+#             type=ref,event=branch
+#             type=ref,event=pr
+#             type=semver,pattern={{version}}
+#             type=semver,pattern={{major}}.{{minor}}
+#             type=semver,pattern={{major}}
+#             type=sha
+#             type=raw,value=latest
+#
+#       - name: Build and push Docker image
+#         uses: docker/build-push-action@v6
+#         with:
+#           context: .
+#           file: ./Dockerfile
+#           platforms: linux/arm64
+#           push: true
+#           tags: ${{ steps.meta.outputs.tags }}
+#           labels: ${{ steps.meta.outputs.labels }}
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.env
--- a/22
+++ b/22
@@ -1,7 +1,23 @@
-FROM docker.io/library/caddy:2.9.1-builder as builder
+# Adapted from: https://github.com/crowdsecurity/example-docker-compose/blob/main/caddy/Caddyfile
+#
+# the different stages of this Dockerfile are meant to be built into separate images
+# https://docs.docker.com/develop/develop-images/multistage-build/#stop-at-a-specific-build-stage
+# https://docs.docker.com/compose/compose-file/#target
+
+# https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact
+ARG CADDY_VERSION=2
+
+FROM caddy:${CADDY_VERSION}-builder-alpine AS builder

 RUN xcaddy build \
-  --with github.com/caddy-dns/cloudflare
+  --with github.com/caddy-dns/cloudflare \
+  --with github.com/mholt/caddy-l4 \
+  --with github.com/caddyserver/transform-encoder \
+  --with github.com/hslatman/caddy-crowdsec-bouncer/http@main \
+  --with github.com/hslatman/caddy-crowdsec-bouncer/layer4@main
+
+FROM caddy:${CADDY_VERSION} AS caddy
+
+WORKDIR /

-FROM docker.io/library/caddy:2.9.1-alpine
 COPY --from=builder /usr/bin/caddy /usr/bin/caddy
--- a/README.md
+++ b/README.md
@@ -1,3 +1,18 @@
 # caddy

-Caddy reverse proxy.
+Caddy reverse proxy, [caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy)
+
+This repository includes the reverse-proxy for the domain's hosted under `*.housh.dev`. The primary
+proxy is on the `main` branch, there are also proxies that run on each server, that can be found on
+the other branches of this repository.
+
+This allows TLS to all backend services from the `primary` proxy.
+
+They all share the same `Dockerfile` and `compose.yaml` file, the only differences are the
+`config/Caddyfile`.
+
+## Usage
+
+1. Clone the repository onto your host, or setup through your container manager (such as komodo).
+2. Copy the `example.env` file to `.env` and update the environment variables.
+3. Deploy the proxy `sudo docker compose --env-file .env up -d`
--- a/compose.yaml
+++ b/compose.yaml
@@ -2,7 +2,7 @@ services:
  caddy:
    build:
      context: .
-      dockerfile: Dockerfile
+      target: caddy
    container_name: caddy
    restart: unless-stopped
    env_file:
@@ -11,6 +11,7 @@ services:
      - CLOUDFLARE_EMAIL=${CF_EMAIL}
      - CLOUDFLARE_API_TOKEN=${CF_AUTH_TOKEN}
      - ACME_AGREE=true
+      - CROWDSEC_API_KEY=${CROWDSEC_API_KEY}
    ports:
      - 80:80
      - 443:443
@@ -18,17 +19,39 @@ services:
    cap_add:
      - NET_ADMIN
    volumes:
-      - ./config:/etc/caddy:z
+      - ./config:/etc/caddy
      - caddy_data:/data
      - caddy_config:/config
+      - caddy_logs:/var/log/caddy
    networks:
      - proxy
    security_opt:
      - no-new-privileges:true

+  crowdsec:
+    image: docker.io/crowdsecurity/crowdsec:latest
+    container_name: crowdsec
+    restart: unless-stopped
+    environment:
+      - GID=1000
+      - COLLECTIONS=crowdsecurity/linux crowdsecurity/caddy crowdsecurity/http-cve crowdsecurity/whitelist-good-actors
+      - BOUNCER_KEY_CADDY=${CROWDSEC_API_KEY}
+    volumes:
+      - crowdsec_db:/var/lib/crowdsec/data/
+      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
+      - caddy_logs:/var/log/caddy:ro
+    networks:
+      - proxy
+    security_opt:
+      - no-new-privileges:true
+    depends_on:
+      - caddy
+
 volumes:
  caddy_data: {}
  caddy_config: {}
+  caddy_logs: {}
+  crowdsec_db: {}

 networks:
  proxy:
--- a/config/Caddyfile
+++ b/config/Caddyfile
@@ -1,16 +1,236 @@
 {
    email {env.ACME_EMAIL}
+    servers {
+        client_ip_headers X-Forwarded-For
+        trusted_proxies static private_ranges
+        trusted_proxies_strict
+    }
+    order crowdsec before respond
+    crowdsec {
+          api_url http://crowdsec:8080
+          api_key {$CROWDSEC_API_KEY}
+    }
 }

-*.frankenmini.housh.dev {
+# Subdomains
+*.housh.dev {
    tls {
        dns cloudflare {env.CF_AUTH_TOKEN}
        resolvers 1.1.1.1
    }

-   @immich host photos.frankenmini.housh.dev
+    log {
+        level INFO
+        output file /var/log/caddy/access.log
+    }
+
+    @pos host po.housh.dev
+    handle @pos {
+          reverse_proxy http://roguemini.housh.dev:8082
+          crowdsec
+    }
+
+    @legacypos host legacy-po.housh.dev
+    handle @legacypos {
+         reverse_proxy http://roguemini.housh.dev:5000
+          crowdsec
+    }
+
+    @gitea host git.housh.dev
+    handle @gitea {
+         reverse_proxy gitea:3000
+          crowdsec
+    }
+
+    @dash host dash.housh.dev
+    handle @dash {
+         reverse_proxy http://roguemini.housh.dev:7575
+          crowdsec
+    }
+
+    @komodo host komo.housh.dev
+    handle @komodo {
+         reverse_proxy komodo:9120
+          crowdsec
+    }
+
+    @excalidraw host draw.housh.dev
+    handle @excalidraw {
+         reverse_proxy excalidraw:80
+          crowdsec
+    }
+
+    @uptimekuma host uptime.housh.dev
+    handle @uptimekuma {
+          reverse_proxy uptime_kuma:3001
+          crowdsec
+    }
+
+    @immich host photos.housh.dev
    handle @immich {
-          reverse_proxy immich-server:2283
+
+      # Immich public proxy.
+      @public path /share /share/*
+      handle @public {
+          reverse_proxy http://frankenmini.housh.dev:3000
+          crowdsec
+      }
+
+      handle {
+          reverse_proxy http://frankenmini.housh.dev:2283
+          crowdsec
+      }
+    }
+
+    @snapp host s.housh.dev
+    handle @snapp {
+          reverse_proxy http://roguemini.housh.dev:3000
+          crowdsec
+    }
+
+    @docs host docs.housh.dev
+    handle @docs {
+          reverse_proxy docs:80
+          crowdsec
+    }
+
+    @pocket_id host id.housh.dev
+    handle @pocket_id {
+          reverse_proxy pocket-id:1411
+          crowdsec
+    }
+
+    @plausible host plausible.housh.dev
+    handle @plausible {
+          reverse_proxy http://roguemini.housh.dev:8004
+          crowdsec
+    }
+
+    @vaultwarden host vaultwarden.housh.dev
+    handle @vaultwarden {
+          reverse_proxy http://roguemini.housh.dev:8888
+          crowdsec
+    }
+
+    @calendar host calendar.housh.dev
+    handle @calendar {
+          reverse_proxy http://frankenmini.housh.dev:5232
+          crowdsec
+    }
+
+    @ollama host ollama.housh.dev
+    handle @ollama {
+          reverse_proxy http://roguemini.housh.dev:3001
+          crowdsec
+    }
+
+		@shlink host l.housh.dev
+		handle @shlink {
+					reverse_proxy http://roguemini.housh.dev:8880
+					crowdsec
+		}
+
+		@shlink_web host shlink.housh.dev
+		handle @shlink_web {
+					reverse_proxy http://roguemini.housh.dev:8881
+					crowdsec
+		}
+
+		######################################################
+		#  Media / *arr stack
+		######################################################
+		@jellyfin host jellyfin.housh.dev
+		handle @jellyfin {
+					reverse_proxy http://frankenmini.housh.dev:8096
+					crowdsec
+		}
+
+		@qbittorrent host qbittorrent.housh.dev
+		handle @qbittorrent {
+					reverse_proxy http://frankenmini.housh.dev:8701
+					crowdsec
+		}
+
+		@prowlarr host prowlarr.housh.dev
+		handle @prowlarr {
+					reverse_proxy http://frankenmini.housh.dev:9696
+					crowdsec
+		}
+
+		@radarr host radarr.housh.dev
+		handle @radarr {
+					reverse_proxy http://frankenmini.housh.dev:7878
+					crowdsec
+		}
+
+		@sonarr host sonarr.housh.dev
+		handle @sonarr {
+					reverse_proxy http://frankenmini.housh.dev:8989
+					crowdsec
+		}
+
+		@lidarr host lidarr.housh.dev
+		handle @lidarr {
+					reverse_proxy http://frankenmini.housh.dev:8686
+					crowdsec
+		}
+
+		@bazarr host bazarr.housh.dev
+		handle @bazarr {
+					reverse_proxy http://frankenmini.housh.dev:6767
+					crowdsec
+		}
+
+		@jellyseerr host jellyseerr.housh.dev
+		handle @jellyseerr {
+					reverse_proxy http://frankenmini.housh.dev:5055
+		}
+
+		@ductcalc host ductcalc.housh.dev
+		handle @ductcalc {
+					reverse_proxy ductcalc:8080
+					crowdsec
 		}

 }
+
+
+# Subdomains
+*.mhoush.com {
+    tls {
+        dns cloudflare {env.CF_AUTH_TOKEN}
+        resolvers 1.1.1.1
+    }
+
+    log {
+        level INFO
+        output file /var/log/caddy/access.log
+    }
+
+		@preview host preview.mhoush.com
+		handle @preview {
+					reverse_proxy http://frankenmini.housh.dev:8888
+					crowdsec
+		}
+}
+
+# Console
+console.mightymini.housh.dev {
+    tls {
+        dns cloudflare {env.CF_AUTH_TOKEN}
+        resolvers 1.1.1.1
+    }
+
+    log {
+        level INFO
+        output file /var/log/caddy/access.log
+    }
+
+    reverse_proxy https://192.168.50.6:9090 {
+          transport http {
+              tls_insecure_skip_verify
+          }
+    }
+    crowdsec
+}
+
--- a/crowdsec/acquis.yaml
+++ b/crowdsec/acquis.yaml
@@ -0,0 +1,4 @@
+filenames:
+  - /var/log/caddy/*.log
+labels:
+  type: caddy
--- a/example.env
+++ b/example.env
@@ -1,3 +1,4 @@
 ACME_EMAIL="acme@example.com"
 CF_AUTH_TOKEN="secret-token"
 CF_EMAIL="cloudflare@example.com"
+CROWDSEC_API_KEY="CHANGEME"
Author	SHA1	Message	Date
Michael Housh	c7f5ba5976	fix: Fixes merge conflicts.	2026-01-15 16:17:28 -05:00
Michael Housh	f303fa3d6d	feat: Adds jellyseerr service.	2025-11-29 10:11:31 -05:00
Michael Housh	c3294197e4	fix: Fixes prowlarr defined twice.	2025-11-28 18:01:08 -05:00
Michael Housh	16a91ff9c1	feat: Adds other *arr stack items.	2025-11-28 17:59:06 -05:00
Michael Housh	2d5d3f427c	feat: Adds prowlarr	2025-11-28 17:49:27 -05:00
Michael Housh	4c0ff938b6	fix: Removes *.mhoush.com domain, which isn't ready to move yet.	2025-11-28 17:25:47 -05:00
Michael Housh	99fe9a3fff	feat: Adds jellyfin and qbittorrent.	2025-11-28 17:24:43 -05:00
Michael Housh	331621e9e7	fix: Fixes typo.	2025-11-18 14:43:08 -05:00
Michael Housh	b6ebac2c15	fix: Moves shlink web interface to seperate domain to try and solve issues.	2025-11-18 14:40:53 -05:00
Michael Housh	509445bad6	feat: Updates shlink to pass /rest/* paths to shlink server.	2025-11-18 14:34:58 -05:00
Michael Housh	1440048847	feat: Adds shlink	2025-11-18 13:37:48 -05:00
Michael Housh	7c3766f2c3	feat: Adds ollama / open-webui.	2025-10-22 11:52:41 -04:00
Michael Housh	9596eb28d0	fix: Fixes some typos and errors with crowdsec integration.	2025-10-17 10:29:04 -04:00
Michael Housh	575dd058d7	feat: Adds crowdsec to caddy.	2025-10-17 09:54:46 -04:00
Michael Housh	4f8e795216	feat: Adds calendar service to proxy	2025-10-10 15:01:25 -04:00
Michael Housh	c8002d1a99	feat: Updates pocket-id port in caddyfile, which wasn't working properly.	2025-10-09 16:25:33 -04:00
Michael Housh	8b1dc08099	feat: Adds vaultwarden to proxy.	2025-04-22 11:01:55 -04:00
Michael Housh	bf10346491	feat: Adds duplicati to proxy.	2025-04-16 15:05:40 -04:00
Michael Housh	740e00c0ce	feat: Adds plausible to proxy.	2025-04-16 10:37:36 -04:00
Michael Housh	bebf2739ef	feat: Reverts Dockerfile.	2025-04-11 11:04:40 -04:00
Michael Housh	e8d45bbc33	feat: Reverts to not using security.	2025-04-11 10:57:16 -04:00
Michael Housh	7ec83f72c0	feat: Adds pocket id authentication to caddy.	2025-04-11 09:05:06 -04:00
Michael Housh	bb9bcb7a9b	feat: Reverts using pocket id for docs, for now.	2025-04-10 16:09:55 -04:00
Michael Housh	1df325a766	feat: Adds pocket-id to docs.	2025-04-10 15:33:28 -04:00
Michael Housh	f8f872de9d	feat: Renames pocket id host in proxy.	2025-04-10 14:33:00 -04:00
Michael Housh	2aecf313c6	fix: Fixes port for pocket-id.	2025-04-10 14:10:53 -04:00
Michael Housh	4d1908b396	feat: Adds pocket-id to proxy.	2025-04-10 14:04:07 -04:00
Michael Housh	fa74ef5914	feat: Adds docs as path to housh.dev	2025-04-09 09:29:45 -04:00
Michael Housh	9199a12103	fix: Adds dns challenge to console management in reverse proxy.	2025-04-08 16:46:53 -04:00
Michael Housh	0beda1d7de	fix: Fixes legacy po handler in reverse proxy.	2025-04-08 16:25:15 -04:00
Michael Housh	ff95b5b0f7	feat: Adds server management console to proxy.	2025-04-08 16:23:42 -04:00
Michael Housh	48c02343aa	fix: Moves back to old setup, watchtower setup wasn't working as expected.	2025-04-04 10:09:37 -04:00
Michael Housh	1d1770d0a1	fix: Fixes domain for pulling image, because it can't use DNS when caddy is not up. All checks were successful CI / release (push) Successful in 1m42s Details	2025-04-04 08:49:58 -04:00
Michael Housh	01b662c4c2	feat: Adds watchtower to compose file, uses ci built image for caddy. All checks were successful CI / release (push) Successful in 1m47s Details	2025-04-04 08:44:34 -04:00
Michael Housh	680d7fd15b	feat: Adds ci workflow. All checks were successful CI / release (push) Successful in 2m50s Details	2025-04-04 08:16:01 -04:00
Michael Housh	f276d92b57	feat: Prepare for building docker image in ci instead of using web-hooks.	2025-04-03 17:02:47 -04:00
Michael Housh	320eed5c85	fix: Fixes port for purchase orders.	2025-04-03 15:18:21 -04:00
Michael Housh	75d8d97960	feat: Adds docs to reverse proxy.	2025-04-03 14:04:19 -04:00
Michael Housh	80b66a463c	feat: Test public photo proxy on same domain as immich.	2025-03-21 14:54:22 -04:00
Michael Housh	84b21656c4	feat: Test public photo proxy on same domain as immich.	2025-03-21 14:51:46 -04:00
Michael Housh	3298dae286	fix: Fixes handle for immich-public-proxy.	2025-03-21 14:38:23 -04:00
Michael Housh	11dc0c9593	feat: Adds immich-public-proxy service.	2025-03-21 14:36:31 -04:00
Michael Housh	299df73f22	feat: Reverts back to using subdomain for snapp.	2025-03-21 12:07:27 -04:00
Michael Housh	e3ea435722	feat: Access snapp from /s/ path	2025-03-21 11:24:23 -04:00
Michael Housh	b9a0b1569b	fix: Fixes proxies to not use TLS to backends as it was causing problems.	2025-03-21 11:18:21 -04:00
Michael Housh	f49093ab9b	feat: Adds snapp to proxy.	2025-03-21 10:35:31 -04:00
Michael Housh	132292a908	fix: Trying shlink web over http.	2025-03-21 08:21:39 -04:00
Michael Housh	ec89dcc116	fix: Fixes excalidraw pointing to wrong port.	2025-03-20 22:21:05 -04:00
Michael Housh	c5cb229974	feat: Adds shlink web client.	2025-03-20 17:15:36 -04:00
Michael Housh	115ed8af99	feat: Adds shlink to proxy.	2025-03-20 16:59:53 -04:00
Michael Housh	f374209578	feat: Updates README	2025-03-20 13:34:16 -04:00
Michael Housh	a55daf54f4	feat: Updates Caddyfile for TLS to rogue-mini services.	2025-03-20 13:12:36 -04:00
Michael Housh	255982745a	feat: Updates immich to test TLS to backend services.	2025-03-20 12:52:28 -04:00