diff --git a/swarm/stack/caddy/Caddyfile b/swarm/stack/caddy/Caddyfile
index 03f9748..30e91d8 100644
--- a/swarm/stack/caddy/Caddyfile
+++ b/swarm/stack/caddy/Caddyfile
@@ -1,12 +1,7 @@
 # ─────────────────────────────────────────────────────────────────────────────
-# GLOBAL BLOCK — add this at the very top before any snippets
+# GLOBAL BLOCK
 # ─────────────────────────────────────────────────────────────────────────────
-
 {
- crowdsec {
- api_url http://crowdsec:8080
- api_key {$CROWDSEC_API_KEY}
- }
 log {
 output file /var/log/caddy/access.log {
 roll_size 50mb
@@ -17,16 +12,16 @@
 }
 # ─────────────────────────────────────────────────────────────────────────────
-# CROWDSEC SNIPPET — add alongside existing auth snippets
+# SNIPPETS
 # ─────────────────────────────────────────────────────────────────────────────
-(crowdsec) {
- route {
- crowdsec
+(use-crowdsec) {
+ crowdsec {
+ api_url http://crowdsec:8080
+ api_key {$CROWDSEC_API_KEY}
 }
 }
-
 (authentik) {
 route /outpost.goauthentik.io/* {
 reverse_proxy http://authentik:9000
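Review bot: The `crowdsec { api_url … api_key … }` block inside the new `(use-crowdsec)` snippet is, as far as I can tell, not a valid per-site configuration: with the hslatman caddy-crowdsec-bouncer the LAPI URL and key are read only from the global `crowdsec` option (the one the first hunk deletes), and the site-level `crowdsec` directive takes no subdirectives and needs either the old `route { … }` wrapper or an `order crowdsec first` global option to get a defined position in the handler chain. I would keep `crowdsec { api_url http://crowdsec:8080 \n api_key {$CROWDSEC_API_KEY} }` in the global options and reduce the snippet to `(use-crowdsec) { route { crowdsec } }`, then run `caddy validate` to confirm the site-level directive rejects subdirectives in the plugin version in use. If this plugin version does accept the settings at site level, a one-line comment on the snippet saying so would spare the next reader the same question, since every imported site block now looks like it is re-registering the bouncer.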
@@ -34,36 +29,99 @@
 forward_auth http://authentik:9000 {
 uri /outpost.goauthentik.io/auth/caddy
- # header_up X-Forwarded-Host {http.request.host}
- # header_up X-Forwarded-Proto {http.request.scheme}
 header_up X-Forwarded-URI {http.request.uri}
 copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
 }
 }
 (authelia) {
- forward_auth http://authelia:9091 {
- uri /api/verify?rd=https://login.wasted-bandwidth.net/
- copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
- }
-}
-
-
-
-
-(email-proxy) {
- redir https://mail.netgrimoire.com/sogo 301
+ forward_auth http://authelia:9091 {
+ uri /api/verify?rd=https://login.wasted-bandwidth.net/
+ copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+ }
 }
 (mailcow-proxy) {
 reverse_proxy nginx-mailcow:80
 }
+# ─────────────────────────────────────────────────────────────────────────────
+# SITE BLOCKS
+# ─────────────────────────────────────────────────────────────────────────────
+# Nextcloud AIO - Optimized for WebDAV and Folder Uploads
 cloud.netgrimoire.com {
- reverse_proxy http://nextcloud-aio-apache:11000
+ # No CrowdSec here for now to prevent 404s on rapid-fire WebDAV requests
+ reverse_proxy http://nextcloud-aio-apache:11000 {
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+
+ transport http {
+ response_header_timeout 300s
+ dial_timeout 30s
+ }
+ }
 }
+# Services with Authentik Protection
+dozzle.netgrimoire.com {
+ import use-crowdsec
+ import authentik
+ reverse_proxy http://192.168.4.72:8043
+}
+
+dns.netgrimoire.com {
+ import use-crowdsec
+ import authentik
+ reverse_proxy http://192.168.5.7:5380
+}
+
+webtop.netgrimoire.com {
+ import use-crowdsec
+ import authentik
+ reverse_proxy http://webtop:3000
+}
+
+jackett.netgrimoire.com {
+ import use-crowdsec
+ import authentik
+ reverse_proxy http://gluetun:9117
+}
+
+transmission.netgrimoire.com {
+ import use-crowdsec
+ import authentik
+ reverse_proxy http://gluetun:9091
+}
+
+scrutiny.netgrimoire.com {
+ import use-crowdsec
+ import authentik
+ reverse_proxy http://192.168.5.10:8081
+}
+
+homelable.netgrimoire.com {
+ import use-crowdsec
+ import authentik
+ reverse_proxy http://homelable-frontend:80
+}
+
+# Services with Authelia Protection
+stash.wasted-bandwidth.net {
+ import use-crowdsec
+ import authelia
+ reverse_proxy http://192.168.5.10:9999
+}
+
+namer.wasted-bandwidth.net {
+ import use-crowdsec
+ import authelia
+ reverse_proxy http://192.168.5.10:6980
+}
+
+# Standard Services (Direct Proxy)
 log.netgrimoire.com {
 reverse_proxy http://graylog:9000
 }
@@ -72,11 +130,6 @@ win.netgrimoire.com {
 reverse_proxy http://192.168.5.10:8006
 }
-
-#jellyfin.netgrimoire.com {
-# reverse_proxy http://jellyfin:8096
-#}
-
 docker.netgrimoire.com {
 reverse_proxy http://portainer:9000
 }
@@ -89,48 +142,10 @@ npm.netgrimoire.com {
 reverse_proxy http://librenms:8000
 }
-
-dozzle.netgrimoire.com {
- import authentik
- reverse_proxy http://192.168.4.72:8043
-}
-
-
-dns.netgrimoire.com {
- import authentik
- reverse_proxy http://192.168.5.7:5380
-}
-
-webtop.netgrimoire.com {
- import authentik
- reverse_proxy http://webtop:3000
-}
-
 accounts.netgrimoire.com, accounts.pncharris.com {
 reverse_proxy http://bigcapital-proxy-1:80
 }
-
-jackett.netgrimoire.com {
- import authentik
- reverse_proxy http://gluetun:9117
-}
-
-transmission.netgrimoire.com {
- import authentik
- reverse_proxy http://gluetun:9091
-}
-
-stash.wasted-bandwidth.net {
- import authelia
- reverse_proxy http://192.168.5.10:9999
-}
-
-namer.wasted-bandwidth.net {
- import authelia
- reverse_proxy http://192.168.5.10:6980
-}
-
 fish.pncharris.com {
 reverse_proxy http://web
 }
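Review bot: In the `cloud.netgrimoire.com` block, `header_up X-Forwarded-For {remote_host}` and `header_up X-Real-IP {remote_host}` pin the forwarded client address to the TCP peer, which deliberately discards any client-supplied X-Forwarded-For; that is the right choice while Caddy is the TLS edge, but it should be stated, e.g. `# overwrite, never append: the client IP must not be spoofable (Nextcloud presumably keys brute-force throttling on it)`. If Caddy is ever placed behind another proxy or tunnel, `{remote_host}` becomes that proxy's address and every user shares one throttling bucket; the fix then is a `trusted_proxies` setting plus `{client_ip}` in place of `{remote_host}`, not trusting the inbound header. `header_up Host {host}` and `header_up X-Forwarded-Proto {scheme}` restate what reverse_proxy already does by default and could be dropped to keep the block to what it actually changes. The comment `# No CrowdSec here for now to prevent 404s on rapid-fire WebDAV requests` leaves the Nextcloud login path outside the bouncer; if the real problem is WebDAV 404 bursts tripping CrowdSec's probing scenarios against legitimate clients, a CrowdSec whitelist for that traffic would keep the protection, and either way the comment should name the exposure being accepted. The `(authentik)` snippet at the top of the hunk begins outside it.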
@@ -139,26 +154,11 @@ www.wasted-bandwidth.net {
 reverse_proxy http://web
 }
-scrutiny.netgrimoire.com {
- import authentik
- reverse_proxy http://192.168.5.10:8081
-}
-
-homelable.netgrimoire.com {
- import authentik
- reverse_proxy http://homelable-frontend:80
-}
-
-
-
 webmail.netgrimoire.com, webmail.gnarlypandaproductions.com, webmail.pncharris.com, webmail.pncfishandmore.com, webmail.pncharrisenterprises.com, webmail.florosafd.org {
 reverse_proxy http://roundcube:80
 }
-
-
-
-
+# Mailcow Stack
 mail.netgrimoire.com, autodiscover.netgrimoire.com, autoconfig.netgrimoire.com, \
 mail.wasted-bandwidth.net, autodiscover.wasted-bandwidth.net, autoconfig.wasted-bandwidth.net, \
 mail.gnarlypandaproductions.com, autodiscover.gnarlypandaproductions.com, autoconfig.gnarlypandaproductions.com, \
@@ -167,13 +167,4 @@ mail.pncharrisenterprises.com, autodiscover.pncharrisenterprises.com, autoconfig
 mail.pncharris.com, autodiscover.pncharris.com, autoconfig.pncharris.com, \
 mail.florosafd.org, autodiscover.florosafd.org, autoconfig.florosafd.org {
 import mailcow-proxy
-}
-
-
-
-
-
-
-
-
-
+}
\ No newline at end of file