diff --git a/caddy/.env b/caddy/.env new file mode 100644 index 0000000..063997f --- /dev/null +++ b/caddy/.env @@ -0,0 +1,2 @@ +CROWDSEC_API_KEY=uok9y/eKet7rhXxxGvgUNmMiKsAxxh2JJd4rsGvCDoE +DNS_PROVIDER_TOKEN=BI5kO2I9fHAqso_OClKxbUM6xTCodH2OfQ60yNp3 \ No newline at end of file diff --git a/caddy/Caddyfile b/caddy/Caddyfile index 76aee64..d9eb004 100755 --- a/caddy/Caddyfile +++ b/caddy/Caddyfile @@ -15,7 +15,7 @@ } crowdsec { - api_url http://localhost:8080 + api_url http://crowdsec:8080 api_key uok9y/eKet7rhXxxGvgUNmMiKsAxxh2JJd4rsGvCDoE ticker_interval 15s #disable_streaming @@ -39,7 +39,7 @@ # -------------------------------------------------- (auth) { - forward_auth localhost:9091 { + forward_auth authelia:9091 { uri /api/authz/forward-auth copy_headers Remote-User Remote-Groups Remote-Email Remote-Name } @@ -73,27 +73,26 @@ auth.akanealw.com { *.akanealw.com { - # -------------------------------------------------- - # external subdomains without authelia - # - # - # @ host .akanealw.com - # handle @ { - # reverse_proxy 192.168.1. - # } - # - # - # @ host .akanealw.com - # handle @ { - # reverse_proxy https://192.168.1. { - # transport http { - # tls_insecure_skip_verify - # } - # } - # } - # - # - # -------------------------------------------------- +# -------------------------------------------------- +# external subdomains without authelia +# +# +# @ host .akanealw.com +# handle @ { +# reverse_proxy 192.168.1. +# } +# +# +# @ host .akanealw.com +# handle @ { +# reverse_proxy https://192.168.1. { +# transport http { +# tls_insecure_skip_verify +# } +# } +# } +# +# -------------------------------------------------- @internal client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8 @external not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8 @@ -688,6 +687,7 @@ auth.akanealw.com { } + # -------------------------------------------------- # aknlw.com root domain # -------------------------------------------------- 
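Review bot: Two live credentials — the CrowdSec bouncer key and a DNS provider API token — are committed into a tracked `caddy/.env`, and the same bouncer key is also embedded literally in `caddy/Caddyfile` (`api_key uok9y/…`). Both values should be treated as leaked and rotated now; `caddy/.env` belongs in `.gitignore` with a committed `caddy/.env.example` holding placeholders such as `CROWDSEC_API_KEY=` and `DNS_PROVIDER_TOKEN=`. The DNS token presumably carries zone-edit rights for ACME DNS challenges, so its blast radius is the whole DNS zone, not just this proxy. The Caddyfile should read the value the compose file already injects, `api_key {$CROWDSEC_API_KEY}`, so the secret exists only in the environment.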
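Review bot: The `api_key` line directly below the changed `api_url` still carries the literal bouncer key even though `compose.yml` in this same commit exports `CROWDSEC_API_KEY` into the caddy container; replace it with `api_key {$CROWDSEC_API_KEY}` so the key no longer sits in a tracked, mode-0755 Caddyfile. The LAPI URL is plain `http://` to the `crowdsec` service name, which is acceptable only while that traffic stays on the private `crowdsec` compose network — a one-line comment above it, `# LAPI reached over the internal crowdsec network only; no TLS on this hop`, would record that assumption. The `crowdsec { … }` block is not closed within this hunk.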
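Review bot: The `(auth)` snippet now sends the forward-auth hop in cleartext to `authelia:9091` across the shared `reverse-proxy` network and relies on `copy_headers` alone to populate `Remote-User`, `Remote-Groups`, `Remote-Email` and `Remote-Name`. With `forward_auth`, those headers are copied from the auth response onto the proxied request, so if the authorizer ever returns 200 without one of them a client-supplied header of the same name would pass through to the upstream unchanged — worth confirming that Authelia always sets all four, or stripping them from the inbound request in the upstream `reverse_proxy` blocks (e.g. `header_up -Remote-User`, and the same for the other three). A comment such as `# Remote-* headers are only trustworthy because forward_auth overwrites them on every 200` would make the trust boundary explicit for the site blocks that import this snippet, which are outside this hunk.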
@@ -708,3 +708,5 @@ repo.aknlw.com {
 import cloudflare
 reverse_proxy 192.168.1.50:3000
 }
+
+}
diff --git a/caddy/compose.yml b/caddy/compose.yml
new file mode 100644
index 0000000..f42671c
--- /dev/null
+++ b/caddy/compose.yml
@@ -0,0 +1,54 @@
+services:
+ caddy:
+ container_name: caddy
+ build:
+ context: ./
+ target: caddy
+ environment:
+ - DNS_PROVIDER_TOKEN=${DNS_PROVIDER_TOKEN}
+ - CROWDSEC_API_KEY=${CROWDSEC_API_KEY}
+ security_opt:
+ - no-new-privileges:true
+ networks:
+ - crowdsec
+ - reverse-proxy
+ ports:
+ - 80:80
+ - 443:443
+ - 2019:2019
+ restart: unless-stopped
+ volumes:
+ - ./caddy/data:/data
+ - ./caddy-config:/config
+ - ./caddy/Caddyfile:/etc/caddy/Caddyfile
+ - ./caddy/logs:/srv/
+
+ crowdsec:
+ image: docker.io/crowdsecurity/crowdsec:latest
+ container_name: crowdsec
+ environment:
+ - GID=1000
+ - COLLECTIONS=crowdsecurity/caddy crowdsecurity/http-cve crowdsecurity/whitelist-good-actors
+ - BOUNCER_KEY_CADDY=${CROWDSEC_API_KEY}
+ security_opt:
+ - no-new-privileges=true
+ networks:
+ - crowdsec
+ - reverse-proxy
+ restart: unless-stopped
+ volumes:
+ - crowdsec-db:/var/lib/crowdsec/data/
+ - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
+ - caddy-logs:/var/log/caddy:ro
+
+ whoami:
+ image: traefik/whoami
+ container_name: whoami
+ networks:
+ - reverse-proxy
+
+networks:
+ crowdsec:
+ name: crowdsec
+ reverse-proxy:
+ external: true
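Review bot: The `crowdsec` service reads Caddy's logs from a named volume `caddy-logs` at `/var/log/caddy`, but nothing writes to that volume — `caddy` only bind-mounts `./caddy/logs` at `/srv/` — and neither `caddy-logs` nor `crowdsec-db` is declared in a top-level `volumes:` block, so compose will reject the file and, once that is fixed, the bouncer would still never receive a decision derived from Caddy traffic. Mount the same named volume into `caddy` at the path the Caddyfile's `log` directive writes to (assumed `/var/log/caddy` — confirm against the Caddyfile, which is not in this hunk) and declare both volumes. Separately, `- 2019:2019` publishes Caddy's admin API on every host interface; it is unauthenticated and accepts full config replacement, so if the Caddyfile's global options set `admin 0.0.0.0:2019` (outside this diff, but implied by the mapping) this is remote takeover of the proxy — bind it to loopback or drop the mapping. Because `compose.yml` lives in `caddy/`, the `./caddy/...` bind paths resolve to `caddy/caddy/...` unless compose is run from the repo root with `--project-directory`; and the two `security_opt` spellings (`no-new-privileges:true` vs `=true`) are both accepted but should agree.
```yaml
services:
  caddy:
    # … unchanged: build, environment, security_opt, networks …
    ports:
      - 80:80
      - 443:443
      - 127.0.0.1:2019:2019   # admin API: unauthenticated, keep it off the LAN
    volumes:
      # … unchanged: data, config, Caddyfile bind mounts …
      - caddy-logs:/var/log/caddy   # must match the Caddyfile `log` output path — confirm

  crowdsec:
    # … unchanged …
    volumes:
      - crowdsec-db:/var/lib/crowdsec/data/
      - ./crowdsec/acquis.yaml:/etc/crowdsec/acquis.yaml
      - caddy-logs:/var/log/caddy:ro

# … unchanged: whoami, networks …

volumes:
  crowdsec-db:
  caddy-logs:
```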