diff --git a/Dockerfile b/Dockerfile deleted file mode 100644 index 6f91802..0000000 --- a/Dockerfile +++ /dev/null @@ -1,8 +0,0 @@ -FROM caddy:builder AS builder - -RUN caddy-builder \ - github.com/caddy-dns/cloudflare - -FROM caddy:latest - -COPY --from=builder /usr/bin/caddy /usr/bin/caddy \ No newline at end of file diff --git a/caddy/Caddyfile b/caddy/Caddyfile old mode 100644 new mode 100755 index f4f99cf..38bb2fd --- a/caddy/Caddyfile +++ b/caddy/Caddyfile @@ -1,20 +1,26 @@ # -------------------------------------------------- # global options # -------------------------------------------------- - { - acme_ca https://acme-v02.api.letsencrypt.org/directory + acme_ca https://acme-v02.api.letsencrypt.org/directory admin :2019 -# log { -# output file caddy.log -# level info -# } + log { + output file /var/log/caddy/caddy.log + level info + } servers { trusted_proxies static private_ranges } + crowdsec { + api_url http://localhost:8080 + api_key uok9y/eKet7rhXxxGvgUNmMiKsAxxh2JJd4rsGvCDoE + ticker_interval 15s + #disable_streaming + #enable_hard_fails + } } # -------------------------------------------------- @@ -22,30 +28,21 @@ # -------------------------------------------------- (cloudflare) { - tls { - dns cloudflare {env.DNS_PROVIDER_TOKEN} - resolvers 1.1.1.1 1.0.0.1 - } + tls { + dns cloudflare BI5kO2I9fHAqso_OClKxbUM6xTCodH2OfQ60yNp3 + resolvers 1.1.1.1 1.0.0.1 + } } # -------------------------------------------------- -# auth snippet for authentik +# auth snippet for authelia # -------------------------------------------------- -(authentik) { - reverse_proxy /outpost.goauthentik.io/* authentik-server:9000 - - forward_auth authentik-server:9000 { - uri /outpost.goauthentik.io/auth/caddy - copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version - } -} - (auth) { - forward_auth authelia:9091 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } + forward_auth localhost:9091 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } } # -------------------------------------------------- @@ -53,21 +50,12 @@ # -------------------------------------------------- akanealw.com { - import cloudflare - @akanealwcom host akanealw.com - handle @akanealwcom { - import auth - reverse_proxy 192.168.1.4:3005 - } -} - -# -------------------------------------------------- -# authentik subdomain -# -------------------------------------------------- - -authentik.akanealw.com { - import cloudflare - reverse_proxy authentik-server:9000 + import cloudflare + @akanealwcom host akanealw.com + handle @akanealwcom { + import auth + reverse_proxy 192.168.1.4:3005 + } } # -------------------------------------------------- @@ -75,595 +63,26 @@ authentik.akanealw.com { # -------------------------------------------------- auth.akanealw.com { - import cloudflare - reverse_proxy authelia:9091 + import cloudflare + reverse_proxy localhost:9091 } # -------------------------------------------------- # *.akanealw.com subdomains # -------------------------------------------------- -*.akanealw.com { -# -------------------------------------------------- -# internal only subdomains -# -# -# @ host .akanealw.com -# handle @ { -# handle @internal { -# reverse_proxy 192.168.1. -# } -# respond "ip range not allowed" -# } -# -# -# @ host .akanealw.com -# handle @ { -# handle @internal { -# reverse_proxy https://192.168.1. { -# transport http { -# tls_insecure_skip_verify -# } -# } -# } -# respond "ip range not allowed" -# } -# -# -# -------------------------------------------------- - @internal client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8 - @external not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8 - import cloudflare - - @checkmk host checkmk.akanealw.com - handle @checkmk { - handle @internal { - reverse_proxy 192.168.1.4:8888 - } - respond "ip range not allowed" - } - - @linkwarden host linkwarden.akanealw.com - handle @linkwarden { - handle @internal { - reverse_proxy 192.168.1.4:3232 - } - respond "ip range not allowed" - } - - @adguard1 host adguardserver1.akanealw.com - handle @adguard1 { - handle @internal { - reverse_proxy 192.168.1.2:80 - } - respond "ip range not allowed" - } - - @adguard2 host adguardserver2.akanealw.com - handle @adguard2 { - handle @internal { - reverse_proxy 192.168.1.3:80 - } - respond "ip range not allowed" - } - - @bale host bale.akanealw.com - handle @bale { - handle @internal { - reverse_proxy 192.168.1.51:8080 - } - respond "ip range not allowed" - } - - @cronicle host cronicle.akanealw.com - handle @cronicle { - handle @internal { - reverse_proxy 192.168.1.30:3012 - } - respond "ip range not allowed" - } - - @devdockge host dev-dockge.akanealw.com - handle @devdockge { - handle @internal { - reverse_proxy 192.168.1.35:5001 - } - respond "ip range not allowed" - } - - @devdozzle host dev-dozzle.akanealw.com - handle @devdozzle { - handle @internal { - reverse_proxy 192.168.1.35:8080 - } - respond "ip range not allowed" - } - - @dockerdockge host dockerserver-dockge.akanealw.com - handle @dockerdockge { - handle @internal { - reverse_proxy 192.168.1.30:5001 - } - respond "ip range not allowed" - } - - @dockerdozzle host dockerserver-dozzle.akanealw.com - handle @dockerdozzle { - handle @internal { - reverse_proxy 192.168.1.30:8080 - } - respond "ip range not allowed" - } - - @dockertestdockge host dockerservertest-dockge.akanealw.com - handle @dockertestdockge { - handle @internal { - reverse_proxy 192.168.1.33:5001 - } - respond "ip range not allowed" - } - - @dockertestdozzle host dockerservertest-dozzle.akanealw.com - handle @dockertestdozzle { - handle @internal { - reverse_proxy 192.168.1.33:8080 - } - respond "ip range not allowed" - } - - @proxyserverdockge host proxyserver-dockge.akanealw.com - handle @proxyserverdockge { - handle @internal { - reverse_proxy 192.168.1.4:5001 - } - respond "ip range not allowed" - } - - @proxyserverdozzle host proxyserver-dozzle.akanealw.com - handle @proxyserverdozzle { - handle @internal { - reverse_proxy 192.168.1.4:8080 - } - respond "ip range not allowed" - } - - @files host files.akanealw.com - handle @files { - handle @internal { - redir / /files{uri} - reverse_proxy 192.168.1.50:80 - } - respond "ip range not allowed" - } - - @icons host icons.akanealw.com - handle @icons { - handle @internal { - rewrite * /files/icons{uri} - reverse_proxy 192.168.1.50:80 - } - respond "ip range not allowed" - } - - @gluetun host gluetun.akanealw.com - handle @gluetun { - handle @internal { - reverse_proxy 192.168.1.30:8777 - } - respond "ip range not allowed" - } - - @peanut host peanut.akanealw.com - handle @peanut { - handle @internal { - reverse_proxy 192.168.1.30:8980 - } - respond "ip range not allowed" - } - - @photoprism host photoprism.akanealw.com - handle @photoprism { - handle @internal { - reverse_proxy 192.168.1.30:2342 - } - respond "ip range not allowed" - } - - @photoprismdadandmom host photos.akanealw.com - handle @photoprismdadandmom { - handle @internal { - reverse_proxy 192.168.1.25:2342 - } - respond "ip range not allowed" - } - - @proxmox1 host proxmox1.akanealw.com - handle @proxmox1 { - handle @internal { - reverse_proxy https://192.168.1.51:8006 { - transport http { - tls_insecure_skip_verify - } - } - } - respond "ip range not allowed" - } - - @proxmox2 host proxmox2.akanealw.com - handle @proxmox2 { - handle @internal { - reverse_proxy https://192.168.1.52:8006 { - transport http { - tls_insecure_skip_verify - } - } - } - respond "ip range not allowed" - } - - @proxmoxbackup host proxmoxbackup.akanealw.com - handle @proxmoxbackup { - handle @internal { - reverse_proxy https://192.168.1.51:8007 { - transport http { - tls_insecure_skip_verify - } - } - } - respond "ip range not allowed" - } - - @router host router.akanealw.com - handle @router { - handle @internal { - reverse_proxy https://192.168.1.1:443 { - transport http { - tls_insecure_skip_verify - } - } - } - respond "ip range not allowed" - } - - @rssbridge host rss-bridge.akanealw.com - handle @rssbridge { - handle @internal { - reverse_proxy 192.168.1.30:3006 - } - respond "ip range not allowed" - } - - @invidious host invidious.akanealw.com - handle @invidious { - handle @internal { - reverse_proxy 192.168.1.30:3000 - } - respond "ip range not allowed" - } - - @scripts host scripts.akanealw.com - handle @scripts { - handle @internal { - redir / /scripts{uri} - reverse_proxy 192.168.1.50:80 - } - respond "ip range not allowed" - } - - @speedtest host speedtest.akanealw.com - handle @speedtest { - handle @internal { - reverse_proxy 192.168.1.30:8765 - } - respond "ip range not allowed" - } - - @dockersyncthing host dockerserver-syncthing.akanealw.com - handle @dockersyncthing { - handle @internal { - reverse_proxy https://192.168.1.30:8384 { - transport http { - tls_insecure_skip_verify - } - } - } - respond "ip range not allowed" - } - - @gamingpcsyncthing host gamingpc-syncthing.akanealw.com - handle @gamingpcsyncthing { - handle @internal { - reverse_proxy https://192.168.1.11:8384 { - transport http { - tls_insecure_skip_verify - } - } - } - respond "ip range not allowed" - } - - @laptoppcsyncthing host laptoppc-syncthing.akanealw.com - handle @laptoppcsyncthing { - handle @internal { - reverse_proxy https://192.168.1.12:8384 { - transport http { - tls_insecure_skip_verify - } - } - } - respond "ip range not allowed" - } - - @webmin host webmin.akanealw.com - handle @webmin { - handle @internal { - reverse_proxy https://192.168.1.51:10000 { - transport http { - tls_insecure_skip_verify - } - } - } - respond "ip range not allowed" - } - - @wireguardui host wireguardui.akanealw.com - handle @wireguardui { - handle @internal { - reverse_proxy 192.168.1.4:5000 - } - respond "ip range not allowed" - } - - @zabbix host zabbix.akanealw.com - handle @zabbix { - handle @internal { - reverse_proxy 192.168.1.44:8080 - } - respond "ip range not allowed" - } - - @piholewg host pihole-wg.akanealw.com - handle @piholewg { - handle @internal { - redir / /admin{uri} - reverse_proxy 192.168.1.4:3000 - } - respond "ip range not allowed" - } - -# -------------------------------------------------- -# external subdomains without authentik -# -# -# @ host .akanealw.com -# handle @ { -# reverse_proxy 192.168.1. -# } -# -# -# -------------------------------------------------- - - @bitwarden host bitwarden.akanealw.com - handle @bitwarden { - reverse_proxy 192.168.1.4:8089 - } - - @giteadocker host gitea-docker.akanealw.com - handle @giteadocker { - reverse_proxy 192.168.1.4:3001 - } - - @gitea host gitea.akanealw.com - handle @gitea { - reverse_proxy 192.168.1.50:3000 - } - - @jellyfin host jellyfin.akanealw.com - handle @jellyfin { - reverse_proxy 192.168.1.42:8096 - } - -# -------------------------------------------------- -# external subdomains with authentik -# -# -# @ host .akanealw.com -# handle @ { -# import auth -# reverse_proxy 192.168.1. -# } -# -# -# -------------------------------------------------- - - @memos host memos.akanealw.com - handle @memos { - handle @external { - import auth - } - reverse_proxy 192.168.1.4:5230 - } - - @whoami host whoami.akanealw.com - handle @whoami { - import auth - reverse_proxy whoami:80 - } - - @wallos host wallos.akanealw.com - handle @wallos { - import auth - reverse_proxy 192.168.1.4:8389 - } - - @homepage host www.akanealw.com - handle @homepage { - import auth - reverse_proxy 192.168.1.4:3005 - } - - @filebrowser host filebrowser.akanealw.com - handle @filebrowser { - import auth - reverse_proxy 192.168.1.30:8484 - } - - @archive host archive.akanealw.com - handle @archive { - import auth - reverse_proxy 192.168.1.30:8283 - } - - @archivebox host archivebox.akanealw.com - handle @archivebox { - import auth - reverse_proxy 192.168.1.30:8283 - } - - @codeserver host codeserver.akanealw.com - handle @codeserver { - import auth - reverse_proxy 192.168.1.50:3001 - } - - @freshrss host freshrss.akanealw.com - handle @freshrss { - import auth - reverse_proxy 192.168.1.30:8088 - } - - @jackett host jackett.akanealw.com - handle @jackett { - import auth - reverse_proxy 192.168.1.30:9117 - } - - @jdownloader host jdownloader.akanealw.com - handle @jdownloader { - import auth - reverse_proxy 192.168.1.30:5800 - } - - @jellyseerr host jellyseerr.akanealw.com - handle @jellyseerr { - import auth - reverse_proxy 192.168.1.30:5056 - } - - @kavita host kavita.akanealw.com - handle @kavita { - import auth - reverse_proxy 192.168.1.30:5002 - } - - @lidarr host lidarr.akanealw.com - handle @lidarr { - import auth - reverse_proxy 192.168.1.30:8686 - } - - @metube host metube.akanealw.com - handle @metube { - import auth - reverse_proxy 192.168.1.30:8082 - } - - @mstream host mstream.akanealw.com - handle @mstream { - import auth - reverse_proxy 192.168.1.30:3001 - } - - @nzbhydra host nzbhydra.akanealw.com - handle @nzbhydra { - import auth - reverse_proxy 192.168.1.30:5076 - } - - @olivetin host olivetin.akanealw.com - handle @olivetin { - import auth - reverse_proxy 192.168.1.30:1337 - } - - @opengist host opengist.akanealw.com - handle @opengist { - import auth - reverse_proxy opengist:6157 - } - - @paperless host paperless.akanealw.com - handle @paperless { - import auth - reverse_proxy 192.168.1.30:8112 - } - - @prowlarr host prowlarr.akanealw.com - handle @prowlarr { - import auth - reverse_proxy 192.168.1.30:9696 - } - - @qbittorrent host qbittorrent.akanealw.com - handle @qbittorrent { - import auth - reverse_proxy 192.168.1.30:8282 - } - - @radarr host radarr.akanealw.com - handle @radarr { - import auth - reverse_proxy 192.168.1.30:7878 - } - - @sabnzbd host sabnzbd.akanealw.com - handle @sabnzbd { - import auth - reverse_proxy 192.168.1.30:8181 - } - - @shlinkweb host shlink.akanealw.com - handle @shlinkweb { - import auth - reverse_proxy 192.168.1.30:8381 - } - - @sonarr host sonarr.akanealw.com - handle @sonarr { - import auth - reverse_proxy 192.168.1.30:8989 - } - - @spdf host spdf.akanealw.com - handle @spdf { - import auth - reverse_proxy 192.168.1.30:8086 - } - - @ittools host it-tools.akanealw.com - handle @ittools { - import auth - reverse_proxy 192.168.1.30:8383 - } - - @wikidocs host wiki.akanealw.com - handle @wikidocs { - import auth - reverse_proxy 192.168.1.30:8022 - } - -} +import *.caddy # -------------------------------------------------- # aknlw.com root domain # -------------------------------------------------- aknlw.com { - import cloudflare - @shlink host aknlw.com - handle @shlink { - reverse_proxy 192.168.1.30:8380 - } + import cloudflare + @shlink host aknlw.com + handle @shlink { + reverse_proxy 192.168.1.30:8380 + } } # -------------------------------------------------- @@ -671,6 +90,6 @@ aknlw.com { # -------------------------------------------------- repo.aknlw.com { - import cloudflare - reverse_proxy 192.168.1.50:3000 + import cloudflare + reverse_proxy 192.168.1.50:3000 } diff --git a/caddy/Dockerfile b/caddy/Dockerfile new file mode 100644 index 0000000..5b02e7e --- /dev/null +++ b/caddy/Dockerfile @@ -0,0 +1,9 @@ +FROM caddy:builder AS builder + +RUN caddy-builder \ + github.com/caddy-dns/cloudflare \ + github.com/hslatman/caddy-crowdsec-bouncer + +FROM caddy:latest + +COPY --from=builder /usr/bin/caddy /usr/bin/caddy diff --git a/caddy/akanealw-subdomains.caddy b/caddy/akanealw-subdomains.caddy new file mode 100644 index 0000000..113316f --- /dev/null +++ b/caddy/akanealw-subdomains.caddy @@ -0,0 +1,599 @@ +*.akanealw.com { + + # -------------------------------------------------- + # external subdomains without authelia + # + # + # @ host .akanealw.com + # handle @ { + # reverse_proxy 192.168.1. + # } + # + # + # @ host .akanealw.com + # handle @ { + # reverse_proxy https://192.168.1. { + # transport http { + # tls_insecure_skip_verify + # } + # } + # } + # + # + # -------------------------------------------------- + + @internal client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8 + @external not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8 + import cloudflare + + + @bitwarden host bitwarden.akanealw.com + handle @bitwarden { + reverse_proxy 192.168.1.4:8089 + } + + @giteadocker host gitea-docker.akanealw.com + handle @giteadocker { + reverse_proxy 192.168.1.4:3001 + } + + @gitea host gitea.akanealw.com + handle @gitea { + reverse_proxy 192.168.1.50:3000 + } + + @jellyfin host jellyfin.akanealw.com + handle @jellyfin { + reverse_proxy 192.168.1.42:8096 + } + + @headscale host headscale.akanealw.com + handle @headscale { + reverse_proxy 192.168.1.95:8888 + } + + # -------------------------------------------------- + # external subdomains with authelia + # + # + # @ host .akanealw.com + # handle @ { + # import auth + # reverse_proxy 192.168.1. + # } + # + # @ host .akanealw.com + # handle @ { + # import auth + # reverse_proxy https://192.168.1. { + # transport http { + # tls_insecure_skip_verify + # } + # } + # } + # + # + # -------------------------------------------------- + + @docmost host docmost.akanealw.com + handle @docmost { + import auth + reverse_proxy 192.168.1.4:3300 + } + + @memos host memos.akanealw.com + handle @memos { + import auth + reverse_proxy 192.168.1.4:5230 + } + + @whoami host whoami.akanealw.com + handle @whoami { + import auth + reverse_proxy localhost:80 + } + + @wallos host wallos.akanealw.com + handle @wallos { + import auth + reverse_proxy 192.168.1.4:8389 + } + + @homepage host www.akanealw.com + handle @homepage { + import auth + reverse_proxy 192.168.1.4:3005 + } + + @filebrowser host filebrowser.akanealw.com + handle @filebrowser { + import auth + reverse_proxy 192.168.1.30:8484 + } + + @archive host archive.akanealw.com + handle @archive { + import auth + reverse_proxy 192.168.1.30:8283 + } + + @archivebox host archivebox.akanealw.com + handle @archivebox { + import auth + reverse_proxy 192.168.1.30:8283 + } + + @codeserver host codeserver.akanealw.com + handle @codeserver { + import auth + reverse_proxy 192.168.1.50:3001 + } + + @freshrss host freshrss.akanealw.com + handle @freshrss { + import auth + reverse_proxy 192.168.1.30:8088 + } + + @jackett host jackett.akanealw.com + handle @jackett { + import auth + reverse_proxy 192.168.1.30:9117 + } + + @jdownloader host jdownloader.akanealw.com + handle @jdownloader { + import auth + reverse_proxy 192.168.1.30:5800 + } + + @jellyseerr host jellyseerr.akanealw.com + handle @jellyseerr { + import auth + reverse_proxy 192.168.1.30:5056 + } + + @kavita host kavita.akanealw.com + handle @kavita { + import auth + reverse_proxy 192.168.1.30:5002 + } + + @lidarr host lidarr.akanealw.com + handle @lidarr { + import auth + reverse_proxy 192.168.1.30:8686 + } + + @metube host metube.akanealw.com + handle @metube { + import auth + reverse_proxy 192.168.1.30:8082 + } + + @mstream host mstream.akanealw.com + handle @mstream { + import auth + reverse_proxy 192.168.1.30:3001 + } + + @nzbhydra host nzbhydra.akanealw.com + handle @nzbhydra { + import auth + reverse_proxy 192.168.1.30:5076 + } + + @olivetin host olivetin.akanealw.com + handle @olivetin { + import auth + reverse_proxy 192.168.1.30:1337 + } + + @opengist host opengist.akanealw.com + handle @opengist { + import auth + reverse_proxy 192.168.1.4:6157 + } + + @paperless host paperless.akanealw.com + handle @paperless { + import auth + reverse_proxy 192.168.1.30:8112 + } + + @prowlarr host prowlarr.akanealw.com + handle @prowlarr { + import auth + reverse_proxy 192.168.1.30:9696 + } + + @qbittorrent host qbittorrent.akanealw.com + handle @qbittorrent { + import auth + reverse_proxy 192.168.1.30:8282 + } + + @radarr host radarr.akanealw.com + handle @radarr { + import auth + reverse_proxy 192.168.1.30:7878 + } + + @sabnzbd host sabnzbd.akanealw.com + handle @sabnzbd { + import auth + reverse_proxy 192.168.1.30:8181 + } + + @shlinkweb host shlink.akanealw.com + handle @shlinkweb { + import auth + reverse_proxy 192.168.1.30:8381 + } + + @sonarr host sonarr.akanealw.com + handle @sonarr { + import auth + reverse_proxy 192.168.1.30:8989 + } + + @spdf host spdf.akanealw.com + handle @spdf { + import auth + reverse_proxy 192.168.1.30:8086 + } + + @ittools host it-tools.akanealw.com + handle @ittools { + import auth + reverse_proxy 192.168.1.30:8383 + } + + @wikidocs host wiki.akanealw.com + handle @wikidocs { + import auth + reverse_proxy 192.168.1.30:8022 + } + + + # -------------------------------------------------- + # internal only subdomains + # + # + # @ host .akanealw.com + # handle @ { + # handle @internal { + # reverse_proxy 192.168.1. + # } + # respond "ip range not allowed" + # } + # + # + # @ host .akanealw.com + # handle @ { + # handle @internal { + # reverse_proxy https://192.168.1. { + # transport http { + # tls_insecure_skip_verify + # } + # } + # } + # respond "ip range not allowed" + # } + # + # + # -------------------------------------------------- + + @checkmk host checkmk.akanealw.com + handle @checkmk { + handle @internal { + reverse_proxy 192.168.1.4:8888 + } + respond "ip range not allowed" + } + + @linkwarden host linkwarden.akanealw.com + handle @linkwarden { + handle @internal { + reverse_proxy 192.168.1.4:3232 + } + respond "ip range not allowed" + } + + @adguard1 host adguardserver1.akanealw.com + handle @adguard1 { + handle @internal { + reverse_proxy 192.168.1.2:80 + } + respond "ip range not allowed" + } + + @adguard2 host adguardserver2.akanealw.com + handle @adguard2 { + handle @internal { + reverse_proxy 192.168.1.3:80 + } + respond "ip range not allowed" + } + + @bale host bale.akanealw.com + handle @bale { + handle @internal { + reverse_proxy 192.168.1.51:8080 + } + respond "ip range not allowed" + } + + @cronicle host cronicle.akanealw.com + handle @cronicle { + handle @internal { + reverse_proxy 192.168.1.30:3012 + } + respond "ip range not allowed" + } + + @devdockge host dev-dockge.akanealw.com + handle @devdockge { + handle @internal { + reverse_proxy 192.168.1.35:5001 + } + respond "ip range not allowed" + } + + @devdozzle host dev-dozzle.akanealw.com + handle @devdozzle { + handle @internal { + reverse_proxy 192.168.1.35:8080 + } + respond "ip range not allowed" + } + + @dockerdockge host dockerserver-dockge.akanealw.com + handle @dockerdockge { + handle @internal { + reverse_proxy 192.168.1.30:5001 + } + respond "ip range not allowed" + } + + @dockerdozzle host dockerserver-dozzle.akanealw.com + handle @dockerdozzle { + handle @internal { + reverse_proxy 192.168.1.30:8080 + } + respond "ip range not allowed" + } + + @dockertestdockge host dockerservertest-dockge.akanealw.com + handle @dockertestdockge { + handle @internal { + reverse_proxy 192.168.1.33:5001 + } + respond "ip range not allowed" + } + + @dockertestdozzle host dockerservertest-dozzle.akanealw.com + handle @dockertestdozzle { + handle @internal { + reverse_proxy 192.168.1.33:8080 + } + respond "ip range not allowed" + } + + @proxyserverdockge host proxyserver-dockge.akanealw.com + handle @proxyserverdockge { + handle @internal { + reverse_proxy 192.168.1.4:5001 + } + respond "ip range not allowed" + } + + @proxyserverdozzle host proxyserver-dozzle.akanealw.com + handle @proxyserverdozzle { + handle @internal { + reverse_proxy 192.168.1.4:8080 + } + respond "ip range not allowed" + } + + @files host files.akanealw.com + handle @files { + handle @internal { + redir / /files{uri} + reverse_proxy 192.168.1.50:80 + } + respond "ip range not allowed" + } + + @icons host icons.akanealw.com + handle @icons { + handle @internal { + rewrite * /files/icons{uri} + reverse_proxy 192.168.1.50:80 + } + respond "ip range not allowed" + } + + @gluetun host gluetun.akanealw.com + handle @gluetun { + handle @internal { + reverse_proxy 192.168.1.30:8777 + } + respond "ip range not allowed" + } + + @peanut host peanut.akanealw.com + handle @peanut { + handle @internal { + reverse_proxy 192.168.1.30:8980 + } + respond "ip range not allowed" + } + + @photoprism host photoprism.akanealw.com + handle @photoprism { + handle @internal { + reverse_proxy 192.168.1.30:2342 + } + respond "ip range not allowed" + } + + @photoprismdadandmom host photos.akanealw.com + handle @photoprismdadandmom { + handle @internal { + reverse_proxy 192.168.1.25:2342 + } + respond "ip range not allowed" + } + + @proxmox1 host proxmox1.akanealw.com + handle @proxmox1 { + handle @internal { + reverse_proxy https://192.168.1.51:8006 { + transport http { + tls_insecure_skip_verify + } + } + } + respond "ip range not allowed" + } + + @proxmox2 host proxmox2.akanealw.com + handle @proxmox2 { + handle @internal { + reverse_proxy https://192.168.1.52:8006 { + transport http { + tls_insecure_skip_verify + } + } + } + respond "ip range not allowed" + } + + @proxmoxbackup host proxmoxbackup.akanealw.com + handle @proxmoxbackup { + handle @internal { + reverse_proxy https://192.168.1.51:8007 { + transport http { + tls_insecure_skip_verify + } + } + } + respond "ip range not allowed" + } + + @router host router.akanealw.com + handle @router { + handle @internal { + reverse_proxy http://192.168.1.1:80 + } + respond "ip range not allowed" + } + + @rssbridge host rss-bridge.akanealw.com + handle @rssbridge { + handle @internal { + reverse_proxy 192.168.1.30:3006 + } + respond "ip range not allowed" + } + + @invidious host invidious.akanealw.com + handle @invidious { + handle @internal { + reverse_proxy 192.168.1.30:3000 + } + respond "ip range not allowed" + } + + @scripts host scripts.akanealw.com + handle @scripts { + handle @internal { + redir / /scripts{uri} + reverse_proxy 192.168.1.50:80 + } + respond "ip range not allowed" + } + + @speedtest host speedtest.akanealw.com + handle @speedtest { + handle @internal { + reverse_proxy 192.168.1.30:8765 + } + respond "ip range not allowed" + } + + @dockersyncthing host dockerserver-syncthing.akanealw.com + handle @dockersyncthing { + handle @internal { + reverse_proxy https://192.168.1.30:8384 { + transport http { + tls_insecure_skip_verify + } + } + } + respond "ip range not allowed" + } + + @gamingpcsyncthing host gamingpc-syncthing.akanealw.com + handle @gamingpcsyncthing { + handle @internal { + reverse_proxy https://192.168.1.11:8384 { + transport http { + tls_insecure_skip_verify + } + } + } + respond "ip range not allowed" + } + + @laptoppcsyncthing host laptoppc-syncthing.akanealw.com + handle @laptoppcsyncthing { + handle @internal { + reverse_proxy https://192.168.1.12:8384 { + transport http { + tls_insecure_skip_verify + } + } + } + respond "ip range not allowed" + } + + @webmin host webmin.akanealw.com + handle @webmin { + handle @internal { + reverse_proxy https://192.168.1.51:10000 { + transport http { + tls_insecure_skip_verify + } + } + } + respond "ip range not allowed" + } + + @wireguardui host wireguardui.akanealw.com + handle @wireguardui { + handle @internal { + reverse_proxy 192.168.1.4:5000 + } + respond "ip range not allowed" + } + + @zabbix host zabbix.akanealw.com + handle @zabbix { + handle @internal { + reverse_proxy 192.168.1.44:8080 + } + respond "ip range not allowed" + } + + @piholewg host pihole-wg.akanealw.com + handle @piholewg { + handle @internal { + redir / /admin{uri} + reverse_proxy 192.168.1.4:3000 + } + respond "ip range not allowed" + } + +} diff --git a/caddy/compose.yml b/caddy/compose.yml new file mode 100644 index 0000000..edc8b48 --- /dev/null +++ b/caddy/compose.yml @@ -0,0 +1,29 @@ +services: + caddy: + container_name: caddy + build: . + environment: + - DNS_PROVIDER_TOKEN=BI5kO2I9fHAqso_OClKxbUM6xTCodH2OfQ60yNp3 + security_opt: + - no-new-privileges:true + networks: + - reverseproxy + ports: + - 80:80 + - 443:443 + - 2019:2019 + volumes: + - ./data:/data + - ./Caddyfile:/etc/caddy/Caddyfile + - ./logs:/srv/ + restart: unless-stopped + + whoami: + image: traefik/whoami + container_name: whoami + networks: + - reverseproxy + +networks: + reverseproxy: + external: true diff --git a/compose.yml b/compose.yml deleted file mode 100644 index b28a7d0..0000000 --- a/compose.yml +++ /dev/null @@ -1,130 +0,0 @@ -services: - authentik-server: - image: ghcr.io/goauthentik/server:2025.2.2 - container_name: authentik-server - command: server - environment: - - AUTHENTIK_REDIS__HOST=authentik-redis - - AUTHENTIK_POSTGRESQL__HOST=authentik-postgres - - AUTHENTIK_POSTGRESQL__USER=authentik - - AUTHENTIK_POSTGRESQL__NAME=authentik - - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD} - - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY} - - AUTHENTIK_EMAIL__HOST=${AUTHENTIK_EMAIL__HOST} - - AUTHENTIK_EMAIL__PORT=${AUTHENTIK_EMAIL__PORT} - - AUTHENTIK_EMAIL__USERNAME=${AUTHENTIK_EMAIL__USERNAME} - - AUTHENTIK_EMAIL__PASSWORD=${AUTHENTIK_EMAIL__PASSWORD} - - AUTHENTIK_EMAIL__USE_TLS=${AUTHENTIK_EMAIL__USE_TLS} - - AUTHENTIK_EMAIL__USE_SSL=${AUTHENTIK_EMAIL__USE_SSL} - - AUTHENTIK_EMAIL__TIMEOUT=${AUTHENTIK_EMAIL__TIMEOUT} - - AUTHENTIK_EMAIL__FROM=${AUTHENTIK_EMAIL__FROM} - networks: - - reverseproxy - - authentik - volumes: - - ./media:/media - - ./custom-templates:/templates - depends_on: - - authentik-postgres - - authentik-redis - restart: unless-stopped - - authentik-worker: - image: ghcr.io/goauthentik/server:2025.2.2 - container_name: authentik-worker - command: worker - environment: - - AUTHENTIK_REDIS__HOST=authentik-redis - - AUTHENTIK_POSTGRESQL__HOST=authentik-postgres - - AUTHENTIK_POSTGRESQL__USER=authentik - - AUTHENTIK_POSTGRESQL__NAME=authentik - - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD} - - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY} - - AUTHENTIK_EMAIL__HOST=${AUTHENTIK_EMAIL__HOST} - - AUTHENTIK_EMAIL__PORT=${AUTHENTIK_EMAIL__PORT} - - AUTHENTIK_EMAIL__USERNAME=${AUTHENTIK_EMAIL__USERNAME} - - AUTHENTIK_EMAIL__PASSWORD=${AUTHENTIK_EMAIL__PASSWORD} - - AUTHENTIK_EMAIL__USE_TLS=${AUTHENTIK_EMAIL__USE_TLS} - - AUTHENTIK_EMAIL__USE_SSL=${AUTHENTIK_EMAIL__USE_SSL} - - AUTHENTIK_EMAIL__TIMEOUT=${AUTHENTIK_EMAIL__TIMEOUT} - - AUTHENTIK_EMAIL__FROM=${AUTHENTIK_EMAIL__FROM} - networks: - - reverseproxy - - authentik - user: root - volumes: - - /run/docker.sock:/run/docker.sock - - ./media:/media - - ./certs:/certs - - ./custom-templates:/templates - depends_on: - - authentik-postgres - - authentik-redis - restart: unless-stopped - - authentik-redis: - image: docker.io/library/redis:7.4.2 - container_name: authentik-redis - command: --save 60 1 --loglevel warning - healthcheck: - test: ["CMD-SHELL", "redis-cli ping | grep PONG"] - start_period: 20s - interval: 30s - retries: 5 - timeout: 3s - networks: - - authentik - volumes: - - ./redis:/data - restart: unless-stopped - - authentik-postgres: - image: docker.io/library/postgres:17.4 - container_name: authentik-postgres - environment: - - POSTGRES_USER=authentik - - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} - - POSTGRES_DB=authentik - - TZ=${TZ} - healthcheck: - test: ['CMD-SHELL', 'pg_isready -U "authentik"'] - start_period: 30s - interval: 10s - timeout: 10s - retries: 5 - networks: - - authentik - volumes: - - ./postgres:/var/lib/postgresql/data - restart: unless-stopped - - caddy: - container_name: caddy - build: . - environment: - - DNS_PROVIDER_TOKEN=BI5kO2I9fHAqso_OClKxbUM6xTCodH2OfQ60yNp3 - security_opt: - - no-new-privileges:true - networks: - - reverseproxy - ports: - - 80:80 - - 443:443 - - 2019:2019 - volumes: - - ./caddy/data:/data - - ./caddy/Caddyfile:/etc/caddy/Caddyfile - - ./caddy/logs:/srv/ - restart: unless-stopped - - whoami: - image: traefik/whoami - container_name: whoami - networks: - - reverseproxy - -networks: - authentik: - name: authentik - reverseproxy: - external: true