Add caddy

caddy/.gitignore

@@ -0,0 +1 @@
+/config/conf-hidden.d/

caddy/config/Caddyfile

@@ -0,0 +1,12 @@
+{
+	email tobias@msrg.cc
+}
+
+db.serguzim.me:80,
+dns.serguzim.me:80 {
+	reverse_proxy host.docker.internal:4444
+}
+
+import /etc/caddy/snippets
+import /etc/caddy/conf.d/*.conf
+import /etc/caddy/conf-hidden.d/*.conf

caddy/config/conf.d/analytics.serguzim.me.conf

@@ -0,0 +1,3 @@
+analytics.serguzim.me {
+    reverse_proxy umami:3000
+}

caddy/config/conf.d/auth.serguzim.me.conf

@@ -0,0 +1,3 @@
+auth.serguzim.me {
+    reverse_proxy authentik:9000
+}

caddy/config/conf.d/ci.serguzim.me.conf

@@ -0,0 +1,3 @@
+ci.serguzim.me {
+    reverse_proxy woodpecker:8000
+}

caddy/config/conf.d/cloud.serguzim.me.conf

@@ -0,0 +1,11 @@
+cloud.serguzim.me {
+    reverse_proxy host.docker.internal:3015
+
+    redir /.well-known/host-meta         /public.php?service=host-meta 301
+    redir /.well-known/host-meta.json    /public.php?service=host-meta-json 301
+    redir /.well-known/webfinger         /public.php?service=webfinger 301
+    redir /.well-known/carddav           /remote.php/dav/ 301
+    redir /.well-known/caldav            /remote.php/dav/ 301
+
+    header Strict-Transport-Security "max-age=15552000; includeSubdomains;"
+}

caddy/config/conf.d/faas.serguzim.me.conf

@@ -0,0 +1,3 @@
+faas.serguzim.me {
+    reverse_proxy host.docker.internal:8080
+}

caddy/config/conf.d/git.serguzim.me.conf

@@ -0,0 +1,5 @@
+git.serguzim.me {
+    header /attachments/* Access-Control-Allow-Origin *
+
+    reverse_proxy gitea:3000
+}

caddy/config/conf.d/graph.serguzim.me.conf

@@ -0,0 +1,3 @@
+graph.serguzim.me {
+    reverse_proxy grafana:3000
+}

caddy/config/conf.d/hook.serguzim.me.conf

@@ -0,0 +1,3 @@
+hook.serguzim.me {
+    reverse_proxy host.docker.internal:3002
+}

caddy/config/conf.d/matrix.msrg.cc.conf

@@ -0,0 +1,16 @@
+matrix.msrg.cc {
+  reverse_proxy /_matrix/* synapse:8008
+  reverse_proxy /_synapse/* synapse:8008
+
+  handle_path /admin/* {
+	rewrite * {path}
+	reverse_proxy synapse-admin:80
+}
+}
+
+msrg.cc:8008,
+msrg.cc:8448,
+matrix.msrg.cc:8008,
+matrix.msrg.cc:8448 {
+  reverse_proxy synapse:8008
+}

caddy/config/conf.d/media.serguzim.me.conf

@@ -0,0 +1,3 @@
+media.serguzim.me {
+    reverse_proxy host.docker.internal:3014
+}

caddy/config/conf.d/msrg.cc.conf

@@ -0,0 +1,8 @@
+msrg.cc {
+    header /.well-known/openpgpkey/* Access-Control-Allow-Origin *
+
+    rewrite * /function/webpage-msrg-cc{uri}
+    reverse_proxy https://faas.serguzim.me {
+        header_up Host {http.reverse_proxy.upstream.hostport}
+    }
+}

caddy/config/conf.d/prometheus.serguzim.me.conf

@@ -0,0 +1,9 @@
+prometheus.serguzim.me {
+    import auth_serguzim_me
+
+    reverse_proxy host.docker.internal:9090
+}
+
+prometheus.internal.serguzim.net:80 {
+    reverse_proxy host.docker.internal:9090
+}

caddy/config/conf.d/recipies.serguzim.me.conf

@@ -0,0 +1,3 @@
+recipies.serguzim.me {
+    reverse_proxy tandoor:80
+}

caddy/config/conf.d/registry.serguzim.me.conf

@@ -0,0 +1,4 @@
+registry.serguzim.me {
+    reverse_proxy /metrics host.docker.internal:3029
+    reverse_proxy host.docker.internal:3021
+}

caddy/config/conf.d/rss.serguzim.me.conf

@@ -0,0 +1,3 @@
+rss.serguzim.me {
+    reverse_proxy tt-rss:80
+}

caddy/config/conf.d/serguzim.me.conf

@@ -0,0 +1,11 @@
+serguzim.me {
+    header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
+    redir https://www.serguzim.me{uri}
+}
+
+www.serguzim.me {
+    rewrite * /function/webpage-serguzim-me{uri}
+    reverse_proxy https://faas.serguzim.me {
+        header_up Host {http.reverse_proxy.upstream.hostport}
+    }
+}

caddy/config/conf.d/soeder.stream.conf

@@ -0,0 +1,6 @@
+xn--sder-5qa.stream {
+    rewrite * /function/webpage-soeder-stream{uri}
+    reverse_proxy https://faas.serguzim.me {
+        header_up Host {http.reverse_proxy.upstream.hostport}
+    }
+}

caddy/config/conf.d/stream.serguzim.me.conf

@@ -0,0 +1,5 @@
+stream.serguzim.me {
+    import auth_serguzim_me
+
+    reverse_proxy host.docker.internal:8888
+}

caddy/config/conf.d/tick.serguzim.me.conf

@@ -0,0 +1,3 @@
+tick.serguzim.me {
+    reverse_proxy host.docker.internal:8086
+}

caddy/config/conf.d/wiki.serguzim.me.conf

@@ -0,0 +1,3 @@
+wiki.serguzim.me {
+    reverse_proxy wiki-js:3000
+}

caddy/config/snippets

@@ -0,0 +1,15 @@
+(auth_serguzim_me) {
+    # always forward outpost path to actual outpost
+    reverse_proxy /outpost.goauthentik.io/* authentik:9000
+
+    # forward authentication to outpost
+    forward_auth authentik:9000 {
+        uri /outpost.goauthentik.io/auth/caddy
+
+        # capitalization of the headers is important, otherwise they will be empty
+        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+
+        # optional, in this config trust all private ranges, should probably be set to the outposts IP
+        trusted_proxies private_ranges
+    }
+}

caddy/docker-compose.yml

@@ -0,0 +1,26 @@
+version: "3.7"
+
+services:
+  app:
+    image: caddy:2-alpine
+    restart: always
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+      - "8008:8008"
+      - "8448:8448"
+    volumes:
+      - ./config:/etc/caddy/
+      - data:/data
+    extra_hosts:
+      - host.docker.internal:host-gateway
+    networks:
+      services:
+
+volumes:
+  data:
+
+networks:
+  services:
+    external: true

tt-rss/docker-compose.yml

@@ -4,8 +4,6 @@ services:
   app:
     image: cthulhoo/ttrss-fpm-pgsql-static
     restart: always
-    labels:
-      com.centurylinklabs.watchtower.enable: true
     env_file:
       - .env
       - .secret.env
@@ -19,8 +17,6 @@ services:
   updater:
     image: cthulhoo/ttrss-fpm-pgsql-static
     restart: always
-    labels:
-      com.centurylinklabs.watchtower.enable: true
     env_file:
       - .env
       - .secret.env
@@ -35,8 +31,6 @@ services:
   web-nginx:
     image: cthulhoo/ttrss-web-nginx
     restart: always
-    labels:
-      com.centurylinklabs.watchtower.enable: true
     volumes:
       - app:/var/www/html:ro
       - ./nginx.conf:/etc/nginx/nginx.conf