traveler/services
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

sadsad
Some checks are pending
Deploy on push / detect (push) Waiting to run
Details
Deploy on push / deploy_swarm (push) Blocked by required conditions
Details
Deploy on push / deploy_compose (push) Blocked by required conditions
Details

Browse source
This commit is contained in:
traveler 2026-04-27 09:45:16 -05:00
parent c58c7bc21a
commit b917b3dc32
1 changed files with 85 additions and 94 deletions
Download patch file Download diff file Expand all files Collapse all files

179
swarm/stack/caddy/Caddyfile
View file

@ -1,12 +1,7 @@
# ───────────────────────────────────────────────────────────────────────────── # ─────────────────────────────────────────────────────────────────────────────
# GLOBAL BLOCK — add this at the very top before any snippets # GLOBAL BLOCK
# ───────────────────────────────────────────────────────────────────────────── # ─────────────────────────────────────────────────────────────────────────────
{ {
crowdsec {
api_url http://crowdsec:8080
api_key {$CROWDSEC_API_KEY}
}
log { log {
output file /var/log/caddy/access.log { output file /var/log/caddy/access.log {
roll_size 50mb roll_size 50mb
@ -17,16 +12,16 @@
} }
# ───────────────────────────────────────────────────────────────────────────── # ─────────────────────────────────────────────────────────────────────────────
# CROWDSEC SNIPPET — add alongside existing auth snippets # SNIPPETS
# ───────────────────────────────────────────────────────────────────────────── # ─────────────────────────────────────────────────────────────────────────────
(crowdsec) { (use-crowdsec) {
route { crowdsec {
crowdsec api_url http://crowdsec:8080
api_key {$CROWDSEC_API_KEY}
} }
} }
(authentik) { (authentik) {
route /outpost.goauthentik.io/* { route /outpost.goauthentik.io/* {
reverse_proxy http://authentik:9000 reverse_proxy http://authentik:9000
@ -34,36 +29,99 @@
forward_auth http://authentik:9000 { forward_auth http://authentik:9000 {
uri /outpost.goauthentik.io/auth/caddy uri /outpost.goauthentik.io/auth/caddy
# header_up X-Forwarded-Host {http.request.host}
# header_up X-Forwarded-Proto {http.request.scheme}
header_up X-Forwarded-URI {http.request.uri} header_up X-Forwarded-URI {http.request.uri}
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
} }
} }
(authelia) { (authelia) {
forward_auth http://authelia:9091 { forward_auth http://authelia:9091 {
uri /api/verify?rd=https://login.wasted-bandwidth.net/ uri /api/verify?rd=https://login.wasted-bandwidth.net/
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
} }
}
(email-proxy) {
redir https://mail.netgrimoire.com/sogo 301
} }
(mailcow-proxy) { (mailcow-proxy) {
reverse_proxy nginx-mailcow:80 reverse_proxy nginx-mailcow:80
} }
# ─────────────────────────────────────────────────────────────────────────────
# SITE BLOCKS
# ─────────────────────────────────────────────────────────────────────────────
# Nextcloud AIO - Optimized for WebDAV and Folder Uploads
cloud.netgrimoire.com { cloud.netgrimoire.com {
reverse_proxy http://nextcloud-aio-apache:11000 # No CrowdSec here for now to prevent 404s on rapid-fire WebDAV requests
reverse_proxy http://nextcloud-aio-apache:11000 {
header_up Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
transport http {
response_header_timeout 300s
dial_timeout 30s
}
}
} }
# Services with Authentik Protection
dozzle.netgrimoire.com {
import use-crowdsec
import authentik
reverse_proxy http://192.168.4.72:8043
}
dns.netgrimoire.com {
import use-crowdsec
import authentik
reverse_proxy http://192.168.5.7:5380
}
webtop.netgrimoire.com {
import use-crowdsec
import authentik
reverse_proxy http://webtop:3000
}
jackett.netgrimoire.com {
import use-crowdsec
import authentik
reverse_proxy http://gluetun:9117
}
transmission.netgrimoire.com {
import use-crowdsec
import authentik
reverse_proxy http://gluetun:9091
}
scrutiny.netgrimoire.com {
import use-crowdsec
import authentik
reverse_proxy http://192.168.5.10:8081
}
homelable.netgrimoire.com {
import use-crowdsec
import authentik
reverse_proxy http://homelable-frontend:80
}
# Services with Authelia Protection
stash.wasted-bandwidth.net {
import use-crowdsec
import authelia
reverse_proxy http://192.168.5.10:9999
}
namer.wasted-bandwidth.net {
import use-crowdsec
import authelia
reverse_proxy http://192.168.5.10:6980
}
# Standard Services (Direct Proxy)
log.netgrimoire.com { log.netgrimoire.com {
reverse_proxy http://graylog:9000 reverse_proxy http://graylog:9000
} }
@ -72,11 +130,6 @@ win.netgrimoire.com {
reverse_proxy http://192.168.5.10:8006 reverse_proxy http://192.168.5.10:8006
} }
#jellyfin.netgrimoire.com {
# reverse_proxy http://jellyfin:8096
#}
docker.netgrimoire.com { docker.netgrimoire.com {
reverse_proxy http://portainer:9000 reverse_proxy http://portainer:9000
} }
@ -89,48 +142,10 @@ npm.netgrimoire.com {
reverse_proxy http://librenms:8000 reverse_proxy http://librenms:8000
} }
dozzle.netgrimoire.com {
import authentik
reverse_proxy http://192.168.4.72:8043
}
dns.netgrimoire.com {
import authentik
reverse_proxy http://192.168.5.7:5380
}
webtop.netgrimoire.com {
import authentik
reverse_proxy http://webtop:3000
}
accounts.netgrimoire.com, accounts.pncharris.com { accounts.netgrimoire.com, accounts.pncharris.com {
reverse_proxy http://bigcapital-proxy-1:80 reverse_proxy http://bigcapital-proxy-1:80
} }
jackett.netgrimoire.com {
import authentik
reverse_proxy http://gluetun:9117
}
transmission.netgrimoire.com {
import authentik
reverse_proxy http://gluetun:9091
}
stash.wasted-bandwidth.net {
import authelia
reverse_proxy http://192.168.5.10:9999
}
namer.wasted-bandwidth.net {
import authelia
reverse_proxy http://192.168.5.10:6980
}
fish.pncharris.com { fish.pncharris.com {
reverse_proxy http://web reverse_proxy http://web
} }
@ -139,26 +154,11 @@ www.wasted-bandwidth.net {
reverse_proxy http://web reverse_proxy http://web
} }
scrutiny.netgrimoire.com {
import authentik
reverse_proxy http://192.168.5.10:8081
}
homelable.netgrimoire.com {
import authentik
reverse_proxy http://homelable-frontend:80
}
webmail.netgrimoire.com, webmail.gnarlypandaproductions.com, webmail.pncharris.com, webmail.pncfishandmore.com, webmail.pncharrisenterprises.com, webmail.florosafd.org { webmail.netgrimoire.com, webmail.gnarlypandaproductions.com, webmail.pncharris.com, webmail.pncfishandmore.com, webmail.pncharrisenterprises.com, webmail.florosafd.org {
reverse_proxy http://roundcube:80 reverse_proxy http://roundcube:80
} }
# Mailcow Stack
mail.netgrimoire.com, autodiscover.netgrimoire.com, autoconfig.netgrimoire.com, \ mail.netgrimoire.com, autodiscover.netgrimoire.com, autoconfig.netgrimoire.com, \
mail.wasted-bandwidth.net, autodiscover.wasted-bandwidth.net, autoconfig.wasted-bandwidth.net, \ mail.wasted-bandwidth.net, autodiscover.wasted-bandwidth.net, autoconfig.wasted-bandwidth.net, \
mail.gnarlypandaproductions.com, autodiscover.gnarlypandaproductions.com, autoconfig.gnarlypandaproductions.com, \ mail.gnarlypandaproductions.com, autodiscover.gnarlypandaproductions.com, autoconfig.gnarlypandaproductions.com, \
@ -167,13 +167,4 @@ mail.pncharrisenterprises.com, autodiscover.pncharrisenterprises.com, autoconfig
mail.pncharris.com, autodiscover.pncharris.com, autoconfig.pncharris.com, \ mail.pncharris.com, autodiscover.pncharris.com, autoconfig.pncharris.com, \
mail.florosafd.org, autodiscover.florosafd.org, autoconfig.florosafd.org { mail.florosafd.org, autodiscover.florosafd.org, autoconfig.florosafd.org {
import mailcow-proxy import mailcow-proxy
} }