diff --git a/playbooks/roles/authentik/vars/main.yml b/playbooks/roles/authentik/vars/main.yml
index 6318eda..03d4755 100644
--- a/playbooks/roles/authentik/vars/main.yml
+++ b/playbooks/roles/authentik/vars/main.yml
@@ -2,6 +2,7 @@
 authentik_svc:
 domain: "{{ all_services | service_get_domain(role_name) }}"
 port: 9000
+ caddy_proxy_extra: "header_up X-Forwarded-Host {http.request.header.X-Forward-Auth-Host}"
 image_tag: 2025.2
 db:
 host: "{{ postgres.host }}"
diff --git a/playbooks/roles/caddy/files/snippets b/playbooks/roles/caddy/files/snippets
index 1de7f22..84b3a8a 100644
--- a/playbooks/roles/caddy/files/snippets
+++ b/playbooks/roles/caddy/files/snippets
@@ -1,16 +1,19 @@
 (auth_serguzim_me) {
 # always forward outpost path to actual outpost
- reverse_proxy /outpost.goauthentik.io/* authentik:9000
+ reverse_proxy /outpost.goauthentik.io/* https://auth.serguzim.me {
+ header_up Host {http.reverse_proxy.upstream.hostport}
+ header_up X-Forward-Auth-Host {http.request.host}
+ }
 # forward authentication to outpost
- forward_auth authentik:9000 {
+ forward_auth https://auth.serguzim.me {
 uri /outpost.goauthentik.io/auth/caddy
+ header_up Host {http.reverse_proxy.upstream.hostport}
+ header_up X-Forward-Auth-Host {http.request.host}
+ # capitalization of the headers is important, otherwise they will be empty
 copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
-
- # optional, in this config trust all private ranges, should probably be set to the outposts IP
- trusted_proxies private_ranges
 }
 }
diff --git a/playbooks/roles/caddy/templates/Caddyfile.j2 b/playbooks/roles/caddy/templates/Caddyfile.j2
index 882ef0f..dddf9a0 100644
--- a/playbooks/roles/caddy/templates/Caddyfile.j2
+++ b/playbooks/roles/caddy/templates/Caddyfile.j2
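Review bot: The added `caddy_proxy_extra` value copies `{http.request.header.X-Forward-Auth-Host}` into `X-Forwarded-Host`, but that is an ordinary request header: the snippets hunk in this commit sets it on the forward_auth and outpost hops, and nothing strips it from requests that reach the authentik site directly, so a client can presumably choose the `X-Forwarded-Host` the backend sees (Caddy's `trusted_proxies` handling only covers the standard `X-Forwarded-*` names, not a custom one). When the header is absent the placeholder expands to an empty string and likely replaces the `X-Forwarded-Host` Caddy would otherwise derive from the Host header, which is worth checking against direct logins to the auth site. A defensive option is to drop the header from any request that does not come from the proxy itself, e.g. `@external not remote_ip <local-caddy-ip>` followed by `request_header @external -X-Forward-Auth-Host` in the authentik site block, or to keep the inner hop on `authentik:9000` so `{http.request.host}` can be forwarded as `X-Forwarded-Host` without a relay header. A short comment above the var naming the snippet that produces the header would also help the next reader, e.g. `# relays the visitor's Host; set by the auth_serguzim_me snippet in roles/caddy/files/snippets`.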
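Review bot: Both the outpost `reverse_proxy` and the `forward_auth` now target `https://auth.serguzim.me` instead of `authentik:9000`, so every auth check depends on public DNS and TLS for that hostname resolving back to this proxy, and because the inner site's reverse_proxy (caddy_site.conf.j2 hunk) has no `trusted_proxies`, authentik will presumably see this Caddy's own address as the client IP on those checks rather than the original visitor, which affects its IP-based logging and policies. If the public hostname is really required, a `trusted_proxies static <local-caddy-ip>` on the inner hop (or in the global `servers` options) would let the original `X-Forwarded-For` survive the second hop. The snippet would also benefit from a comment on the `reverse_proxy` line recording why it leaves the container network, e.g. `# routed via the public hostname rather than authentik:9000; pairs with caddy_proxy_extra in roles/authentik/vars/main.yml`.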
@@ -1,7 +1,7 @@
 {
 email {{ admin_email }}
- metrics
+ metrics
 servers {
 strict_sni_host on
@@ -11,9 +11,9 @@
 import /etc/caddy/snippets
 http://{{ host_vpn.domain }} {
- import vpn_only
+ import vpn_only
- metrics
+ metrics
 }
 *.serguzim.me {
diff --git a/playbooks/templates/caddy_site.conf.j2 b/playbooks/templates/caddy_site.conf.j2
index 0ed1ac0..4612ea7 100644
--- a/playbooks/templates/caddy_site.conf.j2
+++ b/playbooks/templates/caddy_site.conf.j2
@@ -21,7 +21,9 @@
 {% elif svc.redirect|default(false) %}
 redir "{{ svc.redirect }}"
 {% else %}
- reverse_proxy {{ svc.docker_host|default(role_name) }}:{{ svc.port }}
+ reverse_proxy {{ svc.docker_host|default(role_name) }}:{{ svc.port }} {
+ {{ svc.caddy_proxy_extra | indent(width='\t', first=False) if svc.caddy_proxy_extra|default(false) }}
+ }
 {% endif %}
 }
 {% endif %}
diff --git a/scripts/visualize.py b/scripts/visualize.py
index dacec8f..a0ee108 100755
--- a/scripts/visualize.py
+++ b/scripts/visualize.py
@@ -9,7 +9,7 @@ import hcl2
 icon_overrides = {
 "acme_dns": "lets-encrypt",
 "backup": "restic",
- "deploy": "webhook",
+ "deploy": "adnanh-webhook",
 "extra_services": None,
 "forgejo_runner": "forgejo",
 "healthcheck": "healthchecks",
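Review bot: The inline `if` on the new `{{ svc.caddy_proxy_extra ... }}` line has no `else`, so when the variable is unset the expression is undefined; plain Jinja2 renders that as an empty string, but Ansible's templating is stricter about undefined results in some versions, so the safer form is `{{ (svc.caddy_proxy_extra | indent(width='\t', first=False)) if svc.caddy_proxy_extra|default(false) else '' }}`. Passing a string as `width` to `indent` also relies on the Jinja 3 version of the filter, which is fine for recent Ansible but worth a note such as `{# indent(width=str) requires Jinja >= 3.0 #}`. The value is spliced into the Caddyfile verbatim, so this hook should stay limited to role vars under version control rather than anything host- or inventory-supplied. The enclosing `{% if %}` block and the site stanza start outside the hunk.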