infrastructure/playbooks/templates/caddy_site.conf.j2
Tobias Reisinger 9af19f51fa
Fix caddy forward_auth settings for authentik
The snippet will now set the correct Host for the next hop and keep the
original site in the X-Forward-Auth-Host. The authentik caddy-site will
then put the X-Forward-Auth-Host into the X-Forwarded-Host (which would
normally be the authentik host/domain). Authentik is able to handle the
X-Forwarded-Host header.
2025-05-30 15:15:34 +02:00


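{%- macro caddy_site_hsts(svc, for_www) -%}
{# Emit the HSTS header only when svc.hsts is set, and only into the site block that
   serves the bare svc.domain: callers pass for_www=false from the primary block and
   for_www=true from the bare-domain redirect block, so comparing it with svc.www_domain
   always selects the apex block; includeSubdomains then also covers the www. host.
   The redundant inner `if svc.hsts` of the original was dropped — the outer condition
   already guarantees it. `preload` commits the domain to the browser HSTS preload list,
   which is slow and hard to undo, so keep it a deliberate per-service choice. -#}
{%- if svc.hsts|default(false) and (svc.www_domain|default(false) == for_www) -%}
header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
{%- endif -%}
{%- endmacro -%}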
{% macro caddy_site(svc) %}
{# One Caddy site for svc: the primary host (www.<domain> when svc.www_domain is set,
   else <domain>) together with every svc.additional_domains entry, plus — when
   www_domain is set — a second block on the bare domain that redirects to the www. host. -#}
{%- for domain in svc.additional_domains|default([]) %}
{{ domain }},
{% endfor -%}
{{ "www." + svc.domain if svc.www_domain|default(false) else svc.domain }} {
import default
{{ caddy_site_hsts(svc, false) }}
{# caddy_extra (and caddy_proxy_extra below) are spliced in verbatim, only re-indented:
   whatever the inventory holds lands in the live Caddyfile, so review it like this file. -#}
{{ svc.caddy_extra | indent(width='\t', first=True) if svc.caddy_extra|default(false) }}
{# caddy_default defaults to true; turning it off drops the whole handle block, so routing
   then has to come from caddy_extra (or, presumably, the imported default snippet). -#}
{% if svc.caddy_default|default(true) %}
handle {
{# Dispatch order: a faas_function wins, then a redirect target, else reverse-proxy. -#}
{% if svc.faas_function|default(false) %}
import faas {{ svc.faas_function }}
{% elif svc.redirect|default(false) %}
redir "{{ svc.redirect }}"
{% else %}
{# Upstream defaults to role_name (presumably the container named after the Ansible role);
   no scheme is given, so Caddy speaks plain HTTP to it. svc.port has no default. -#}
reverse_proxy {{ svc.docker_host|default(role_name) }}:{{ svc.port }} {
{{ svc.caddy_proxy_extra | indent(width='\t', first=False) if svc.caddy_proxy_extra|default(false) }}
}
{% endif %}
}
{% endif %}
}
{# Bare-domain companion when www. is the primary host: it carries the HSTS header
   (see caddy_site_hsts) and redirects to the www. host; redir without a status code
   uses Caddy's default, a temporary redirect. -#}
{% if svc.www_domain|default(false) %}
{{ svc.domain }} {
import default
{{ caddy_site_hsts(svc, true) }}
redir https://www.{{ svc.domain }}{uri}
}
{% endif %}
{% endmacro -%}
{# Template body: render the main service only when svc.domain is set, then every entry
   of svc.extra_svcs, each of which is expected to carry the same keys as svc. -#}
{% if svc.domain|default(false) %}
{{ caddy_site(svc) }}
{% endif %}
{%- for extra_svc in svc.extra_svcs|default([]) %}
{{ caddy_site(extra_svc) }}
{% endfor %}