caddy/config/Caddyfile

{
    email {env.ACME_EMAIL}

    # Configure caddy-security.
    order authenticate before respond

    security {
      oauth identity provider generic {
        delay_start 3
        realm generic
        driver generic
        client_id {env.OAUTH_CLIENT_ID}
        client_secret {env.OAUTH_CLIENT_SECRET}
        scopes openid email profile
        base_auth_url https://id.housh.dev
        metadata_url https://id.housh.dev/.well-known/openid-configuration
      }

      authentication portal myportal {
        crypto default token lifetime 3600 # Seconds until you have to re-authenticate
        enable identity provider generic
        cookie insecure off # Set to "on" if you're not using HTTPS

        transform user {
          match realm generic
          action add role user
        }
      }

      authorization policy mypolicy {
        set auth url /caddy-security/oauth2/generic
        allow roles user
        inject headers with claims
      }
    }
}

# Subdomains
*.housh.dev {
    tls {
        dns cloudflare {env.CF_AUTH_TOKEN}
        resolvers 1.1.1.1
    }

    @pos host po.housh.dev
    handle @pos {
          reverse_proxy http://roguemini.housh.dev:8082
    }

    @legacypos host legacy-po.housh.dev
    handle @legacypos {
         reverse_proxy http://roguemini.housh.dev:5000
    }

    @gitea host git.housh.dev
    handle @gitea {
         reverse_proxy gitea:3000
    }

    @dash host dash.housh.dev
    handle @dash {
         reverse_proxy http://roguemini.housh.dev:7575
    }

    @komodo host komo.housh.dev
    handle @komodo {
         reverse_proxy komodo:9120
    }

    @excalidraw host draw.housh.dev
    handle @excalidraw {
         reverse_proxy excalidraw:80
    }

    @uptimekuma host uptime.housh.dev
    handle @uptimekuma {
          reverse_proxy uptime_kuma:3001
    }

    @immich host photos.housh.dev
    handle @immich {

      # Immich public proxy.
      @public path /share /share/*
      handle @public {
          reverse_proxy http://frankenmini.housh.dev:3000
      }

      handle {
          reverse_proxy http://frankenmini.housh.dev:2283
      }
    }

    @snapp host s.housh.dev
    handle @snapp {
          reverse_proxy http://roguemini.housh.dev:3000
    }

    @docs host docs.housh.dev
    handle @docs {
      @auth {
		          path /caddy-security/*
	    }

	    route @auth {
		        authenticate with myportal
	    }


      route /* {
          reverse_proxy docs:80
      }
    }

    @pocket_id host id.housh.dev
    handle @pocket_id {
          reverse_proxy pocket-id:80
    }


}

# Console
console.mightymini.housh.dev {
    tls {
        dns cloudflare {env.CF_AUTH_TOKEN}
        resolvers 1.1.1.1
    }

    reverse_proxy https://192.168.50.6:9090 {
          transport http {
              tls_insecure_skip_verify
          }
    }
}