From 3f596fb1915f275eae0c9a0c9cd701b63d02d78f Mon Sep 17 00:00:00 2001
From: akanealw
Date: Mon, 24 Mar 2025 14:58:50 -0500
Subject: [PATCH] copied folder
---
 reverseproxy/.env | 18 +++++
 reverseproxy/Dockerfile | 8 +++
 reverseproxy/caddy/Caddyfile | 125 +++++++++++++++++++++++++++++++++++
 reverseproxy/compose.yml | 122 ++++++++++++++++++++++++++++++++++
 4 files changed, 273 insertions(+)
 create mode 100644 reverseproxy/.env
 create mode 100644 reverseproxy/Dockerfile
 create mode 100644 reverseproxy/caddy/Caddyfile
 create mode 100644 reverseproxy/compose.yml
diff --git a/reverseproxy/.env b/reverseproxy/.env
new file mode 100644
index 0000000..cedf6e6
--- /dev/null
+++ b/reverseproxy/.env
@@ -0,0 +1,18 @@
+TZ=America/Chicago
+
+POSTGRES_PASSWORD=nu8Vohx1ot1eesoono5teshu6bohn9eiteich6Bu
+AUTHENTIK_SECRET_KEY=0KGwGINtIe3PE7h1RR+CF/n+6hm6BiD1YjD31BBpqoA=
+
+# SMTP Host Emails are sent to
+AUTHENTIK_EMAIL__HOST=smtp.gmail.com
+AUTHENTIK_EMAIL__PORT=587
+# Optionally authenticate (don't add quotation marks to your password)
+AUTHENTIK_EMAIL__USERNAME=akanealw@gmail.com
+AUTHENTIK_EMAIL__PASSWORD=jaflkfakjfkljkd
+# Use StartTLS
+AUTHENTIK_EMAIL__USE_TLS=true
+# Use SSL
+AUTHENTIK_EMAIL__USE_SSL=false
+AUTHENTIK_EMAIL__TIMEOUT=10
+# Email address authentik will send from, should have a correct @domain
+AUTHENTIK_EMAIL__FROM=akanealw@gmail.com
\ No newline at end of file
diff --git a/reverseproxy/Dockerfile b/reverseproxy/Dockerfile
new file mode 100644
index 0000000..6f91802
--- /dev/null
+++ b/reverseproxy/Dockerfile
@@ -0,0 +1,8 @@
+FROM caddy:builder AS builder
+
+RUN caddy-builder \
+ github.com/caddy-dns/cloudflare
+
+FROM caddy:latest
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
\ No newline at end of file
diff --git a/reverseproxy/caddy/Caddyfile b/reverseproxy/caddy/Caddyfile
new file mode 100644
index 0000000..6144c8e
--- /dev/null
+++ b/reverseproxy/caddy/Caddyfile
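Review bot: Live credentials are committed to version control in `reverseproxy/.env`: `POSTGRES_PASSWORD`, `AUTHENTIK_SECRET_KEY` and `AUTHENTIK_EMAIL__PASSWORD` are all present as real-looking values, and once pushed they stay in git history even after a later delete. Treat all three as compromised and rotate them (Authentik uses the secret key for signing, so rotating it will most likely invalidate active sessions), then replace the tracked file with a committed `reverseproxy/.env.example` holding placeholders and add `reverseproxy/.env` to `.gitignore`. The SMTP password may be a placeholder rather than a real Gmail app password, but that cannot be confirmed from here, so handle it the same way. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.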
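Review bot: Both stages are unpinned (`caddy:builder` and `caddy:latest`) and the DNS module is fetched at whatever `github.com/caddy-dns/cloudflare` resolves to at build time, so two builds can yield different Caddy and plugin versions, and the builder and runtime stages can drift apart. Pin both stages to the same release and the module to a tag, e.g. `FROM caddy:2.9.1-builder AS builder`, `RUN xcaddy build --with github.com/caddy-dns/cloudflare@<tag>` and `FROM caddy:2.9.1`. `caddy-builder` is the older wrapper script; the current builder images document `xcaddy build --with …`, so confirm the script still exists in whichever builder tag you pin to before relying on it. A `# syntax=docker/dockerfile:1` directive and a trailing newline would also bring the file in line with the usual conventions.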
@@ -0,0 +1,125 @@
+# --------------------------------------------------
+# global options
+# --------------------------------------------------
+
+{
+ acme_dns cloudflare {env.DNS_PROVIDER_TOKEN}
+
+# log {
+# output file caddy.log
+# level info
+# }
+
+}
+
+# --------------------------------------------------
+# auth snippet for authentik
+# --------------------------------------------------
+
+(auth) {
+ reverse_proxy /outpost.goauthentik.io/* authentik-server:9000
+
+ forward_auth authentik-server:9000 {
+ uri /outpost.goauthentik.io/auth/caddy
+ copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+ trusted_proxies private_ranges
+ }
+}
+
+# --------------------------------------------------
+# akanealw2.com root domain
+# --------------------------------------------------
+
+akanealw2.com {
+ @homepage host akanealw2.com
+ handle @homepage {
+ import auth
+ reverse_proxy 192.168.1.30:3005
+ }
+}
+
+# --------------------------------------------------
+# authentik subdomain
+# --------------------------------------------------
+
+authentik.akanealw2.com {
+ reverse_proxy authentik-server:9000
+}
+
+# --------------------------------------------------
+# *.akanealw2.com subdomains
+# --------------------------------------------------
+
+*.akanealw2.com {
+# --------------------------------------------------
+# internal only subdomains
+# --------------------------------------------------
+
+ @allowed client_ip private_ranges
+
+ @dockge host dockge.akanealw2.com
+ handle @dockge {
+ handle @allowed {
+ reverse_proxy dockge:5001
+ }
+ respond "ip range not allowed"
+ }
+
+ @dozzle host dozzle.akanealw2.com
+ handle @dozzle {
+ handle @allowed {
+ reverse_proxy dozzle:8080
+ }
+ respond "ip range not allowed"
+ }
+
+ @adguard1 host adguard1.akanealw2.com
+ handle @adguard1 {
+ handle @allowed {
+ reverse_proxy 192.168.1.2:80
+ }
+ respond "ip range not allowed"
+ }
+
+
+# --------------------------------------------------
+# external subdomains
+# --------------------------------------------------
+
+ @adguard2 host adguard2.akanealw2.com
+ handle @adguard2 {
+ import auth
+ reverse_proxy 192.168.1.3:80
+ }
+
+ @filebrowser host filebrowser.akanealw2.com
+ handle @filebrowser {
+ import auth
+ reverse_proxy 192.168.1.30:8484
+ }
+}
+
+# --------------------------------------------------
+# akanealw3.com root domain
+# --------------------------------------------------
+
+akanealw3.com {
+
+ @shlink host akanealw3.com
+ handle @shlink {
+ reverse_proxy 192.168.1.30:8380
+ }
+}
+
+# --------------------------------------------------
+# *.akanealw3.com subdomains
+# --------------------------------------------------
+
+repo.akanealw3.com {
+
+ tls {
+ dns cloudflare {env.DNS_PROVIDER_TOKEN}
+ }
+
+ reverse_proxy 192.168.1.50:3000
+}
diff --git a/reverseproxy/compose.yml b/reverseproxy/compose.yml
new file mode 100644
index 0000000..7fa2158
--- /dev/null
+++ b/reverseproxy/compose.yml
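Review bot: The `respond "ip range not allowed"` fallbacks inside `handle @dockge`, `handle @dozzle` and `handle @adguard1` send that text with Caddy's default 200 status, so a denied request looks like success to clients and monitoring; make the denial explicit with `respond "ip range not allowed" 403`. The `@allowed client_ip private_ranges` gate also only works if Caddy sees the real source address: with no global `trusted_proxies` configured, `client_ip` is the socket peer, and in Docker setups where the source is rewritten to the bridge gateway (userland proxy, rootless engine, or a tunnel container on the same network) every request would fall in `private_ranges` and dockge, dozzle and adguard1 would be reachable without Authentik — worth confirming with a request from outside before relying on it. Hosts under `*.akanealw2.com` that match none of the `@…` matchers fall through every `handle` and receive an empty 200; a trailing `handle { respond 404 }` (or `abort`) closes that gap. The auth snippet itself mirrors the Authentik Caddy documentation, so I have no concern about the forward_auth wiring.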
@@ -0,0 +1,122 @@
+services:
+ authentik-server:
+ image: ghcr.io/goauthentik/server:2025.2.2
+ container_name: authentik-server
+ command: server
+ environment:
+ - AUTHENTIK_REDIS__HOST=authentik-redis
+ - AUTHENTIK_POSTGRESQL__HOST=authentik-postgres
+ - AUTHENTIK_POSTGRESQL__USER=authentik
+ - AUTHENTIK_POSTGRESQL__NAME=authentik
+ - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
+ - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
+ - AUTHENTIK_EMAIL__HOST=${AUTHENTIK_EMAIL__HOST}
+ - AUTHENTIK_EMAIL__PORT=${AUTHENTIK_EMAIL__PORT}
+ - AUTHENTIK_EMAIL__USERNAME=${AUTHENTIK_EMAIL__USERNAME}
+ - AUTHENTIK_EMAIL__PASSWORD=${AUTHENTIK_EMAIL__PASSWORD}
+ - AUTHENTIK_EMAIL__USE_TLS=${AUTHENTIK_EMAIL__USE_TLS}
+ - AUTHENTIK_EMAIL__USE_SSL=${AUTHENTIK_EMAIL__USE_SSL}
+ - AUTHENTIK_EMAIL__TIMEOUT=${AUTHENTIK_EMAIL__TIMEOUT}
+ - AUTHENTIK_EMAIL__FROM=${AUTHENTIK_EMAIL__FROM}
+ networks:
+ - reverseproxy
+ - authentik
+ volumes:
+ - ./authentik/media:/media
+ - ./authentik/custom-templates:/templates
+ depends_on:
+ - authentik-postgres
+ - authentik-redis
+ restart: unless-stopped
+
+ authentik-worker:
+ image: ghcr.io/goauthentik/server:2025.2.2
+ container_name: authentik-worker
+ command: worker
+ environment:
+ - AUTHENTIK_REDIS__HOST=authentik-redis
+ - AUTHENTIK_POSTGRESQL__HOST=authentik-postgres
+ - AUTHENTIK_POSTGRESQL__USER=authentik
+ - AUTHENTIK_POSTGRESQL__NAME=authentik
+ - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
+ - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
+ - AUTHENTIK_EMAIL__HOST=${AUTHENTIK_EMAIL__HOST}
+ - AUTHENTIK_EMAIL__PORT=${AUTHENTIK_EMAIL__PORT}
+ - AUTHENTIK_EMAIL__USERNAME=${AUTHENTIK_EMAIL__USERNAME}
+ - AUTHENTIK_EMAIL__PASSWORD=${AUTHENTIK_EMAIL__PASSWORD}
+ - AUTHENTIK_EMAIL__USE_TLS=${AUTHENTIK_EMAIL__USE_TLS}
+ - AUTHENTIK_EMAIL__USE_SSL=${AUTHENTIK_EMAIL__USE_SSL}
+ - AUTHENTIK_EMAIL__TIMEOUT=${AUTHENTIK_EMAIL__TIMEOUT}
+ - AUTHENTIK_EMAIL__FROM=${AUTHENTIK_EMAIL__FROM}
+ networks:
+ - reverseproxy
+ - authentik
+ user: root
+ volumes:
+ - /run/docker.sock:/run/docker.sock
+ - ./authentik/media:/media
+ - ./authentik/certs:/certs
+ - ./authentik/custom-templates:/templates
+ depends_on:
+ - authentik-postgres
+ - authentik-redis
+ restart: unless-stopped
+
+ authentik-redis:
+ image: docker.io/library/redis:7.4.2
+ container_name: authentik-redis
+ command: --save 60 1 --loglevel warning
+ healthcheck:
+ test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
+ start_period: 20s
+ interval: 30s
+ retries: 5
+ timeout: 3s
+ networks:
+ - authentik
+ volumes:
+ - ./authentik/redis:/data
+ restart: unless-stopped
+
+ authentik-postgres:
+ image: docker.io/library/postgres:17.4
+ container_name: authentik-postgres
+ environment:
+ - POSTGRES_USER=authentik
+ - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+ - POSTGRES_DB=authentik
+ - TZ=${TZ}
+ healthcheck:
+ test: ['CMD-SHELL', 'pg_isready -U "authentik"']
+ start_period: 30s
+ interval: 10s
+ timeout: 10s
+ retries: 5
+ networks:
+ - authentik
+ volumes:
+ - ./authentik/postgres:/var/lib/postgresql/data
+ restart: unless-stopped
+
+ caddy:
+ container_name: caddy
+ build: .
+ environment:
+ - DNS_PROVIDER_TOKEN=W9UJpmPDDG-kT9RlgRIUjuptTm-xkGcajvzYjpzb
+ security_opt:
+ - no-new-privileges:true
+ networks:
+ - reverseproxy
+ ports:
+ - 80:80
+ - 443:443
+ volumes:
+ - ./caddy/data:/data
+ - ./caddy/Caddyfile:/etc/caddy/Caddyfile
+ - ./caddy/logs:/srv/
+ restart: unless-stopped
+
+networks:
+ authentik:
+ reverseproxy:
+ external: true
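Review bot: The Cloudflare API token is hard-coded in the `caddy` service (`- DNS_PROVIDER_TOKEN=W9UJ…`) and is now in git history; a token used for DNS-01 needs DNS-edit rights on the zone, so rotate it at Cloudflare and reference it from the environment instead, `- DNS_PROVIDER_TOKEN=${DNS_PROVIDER_TOKEN}`, with the value kept in a gitignored `.env` or a Docker secret. `authentik-worker` runs as `user: root` with `/run/docker.sock` mounted, which amounts to root on the host; Authentik's reference compose mounts the socket for Docker-managed outposts, so if that integration is not in use drop both lines, and if it is, consider fronting the socket with a proxy that exposes only the endpoints the worker needs. Only `caddy` sets `security_opt: [no-new-privileges:true]`; adding the same to the Authentik, Redis and Postgres services costs nothing here.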