Add caddy

2022-08-22 23:05:13 +02:00 · 2022-08-22 23:05:13 +02:00 · dfe87690d7
commit dfe87690d7
parent 73c6b454fa
25 changed files with 162 additions and 6 deletions
--- a/caddy/.gitignore
+++ b/caddy/.gitignore
@ -0,0 +1 @@
+/config/conf-hidden.d/
--- a/caddy/config/Caddyfile
+++ b/caddy/config/Caddyfile
@ -0,0 +1,12 @@
+{
+	email tobias@msrg.cc
+}
+
+db.serguzim.me:80,
+dns.serguzim.me:80 {
+	reverse_proxy host.docker.internal:4444
+}
+
+import /etc/caddy/snippets
+import /etc/caddy/conf.d/*.conf
+import /etc/caddy/conf-hidden.d/*.conf
--- a/caddy/config/conf.d/analytics.serguzim.me.conf
+++ b/caddy/config/conf.d/analytics.serguzim.me.conf
@ -0,0 +1,3 @@
+analytics.serguzim.me {
+    reverse_proxy umami:3000
+}
--- a/caddy/config/conf.d/auth.serguzim.me.conf
+++ b/caddy/config/conf.d/auth.serguzim.me.conf
@ -0,0 +1,3 @@
+auth.serguzim.me {
+    reverse_proxy authentik:9000
+}
--- a/caddy/config/conf.d/ci.serguzim.me.conf
+++ b/caddy/config/conf.d/ci.serguzim.me.conf
@ -0,0 +1,3 @@
+ci.serguzim.me {
+    reverse_proxy woodpecker:8000
+}
--- a/caddy/config/conf.d/cloud.serguzim.me.conf
+++ b/caddy/config/conf.d/cloud.serguzim.me.conf
@ -0,0 +1,11 @@
+cloud.serguzim.me {
+    reverse_proxy host.docker.internal:3015
+
+    redir /.well-known/host-meta         /public.php?service=host-meta 301
+    redir /.well-known/host-meta.json    /public.php?service=host-meta-json 301
+    redir /.well-known/webfinger         /public.php?service=webfinger 301
+    redir /.well-known/carddav           /remote.php/dav/ 301
+    redir /.well-known/caldav            /remote.php/dav/ 301
+
+    header Strict-Transport-Security "max-age=15552000; includeSubdomains;"
+}
--- a/caddy/config/conf.d/faas.serguzim.me.conf
+++ b/caddy/config/conf.d/faas.serguzim.me.conf
@ -0,0 +1,3 @@
+faas.serguzim.me {
+    reverse_proxy host.docker.internal:8080
+}
--- a/caddy/config/conf.d/git.serguzim.me.conf
+++ b/caddy/config/conf.d/git.serguzim.me.conf
@ -0,0 +1,5 @@
+git.serguzim.me {
+    header /attachments/* Access-Control-Allow-Origin *
+
+    reverse_proxy gitea:3000
+}
--- a/caddy/config/conf.d/graph.serguzim.me.conf
+++ b/caddy/config/conf.d/graph.serguzim.me.conf
@ -0,0 +1,3 @@
+graph.serguzim.me {
+    reverse_proxy grafana:3000
+}
--- a/caddy/config/conf.d/hook.serguzim.me.conf
+++ b/caddy/config/conf.d/hook.serguzim.me.conf
@ -0,0 +1,3 @@
+hook.serguzim.me {
+    reverse_proxy host.docker.internal:3002
+}
--- a/caddy/config/conf.d/matrix.msrg.cc.conf
+++ b/caddy/config/conf.d/matrix.msrg.cc.conf
@ -0,0 +1,16 @@
+matrix.msrg.cc {
+  reverse_proxy /_matrix/* synapse:8008
+  reverse_proxy /_synapse/* synapse:8008
+
+  handle_path /admin/* {
+	rewrite * {path}
+	reverse_proxy synapse-admin:80
+}
+}
+
+msrg.cc:8008,
+msrg.cc:8448,
+matrix.msrg.cc:8008,
+matrix.msrg.cc:8448 {
+  reverse_proxy synapse:8008
+}
--- a/caddy/config/conf.d/media.serguzim.me.conf
+++ b/caddy/config/conf.d/media.serguzim.me.conf
@ -0,0 +1,3 @@
+media.serguzim.me {
+    reverse_proxy host.docker.internal:3014
+}
--- a/caddy/config/conf.d/msrg.cc.conf
+++ b/caddy/config/conf.d/msrg.cc.conf
@ -0,0 +1,8 @@
+msrg.cc {
+    header /.well-known/openpgpkey/* Access-Control-Allow-Origin *
+
+    rewrite * /function/webpage-msrg-cc{uri}
+    reverse_proxy https://faas.serguzim.me {
+        header_up Host {http.reverse_proxy.upstream.hostport}
+    }
+}
--- a/caddy/config/conf.d/prometheus.serguzim.me.conf
+++ b/caddy/config/conf.d/prometheus.serguzim.me.conf
@ -0,0 +1,9 @@
+prometheus.serguzim.me {
+    import auth_serguzim_me
+
+    reverse_proxy host.docker.internal:9090
+}
+
+prometheus.internal.serguzim.net:80 {
+    reverse_proxy host.docker.internal:9090
+}
--- a/caddy/config/conf.d/recipies.serguzim.me.conf
+++ b/caddy/config/conf.d/recipies.serguzim.me.conf
@ -0,0 +1,3 @@
+recipies.serguzim.me {
+    reverse_proxy tandoor:80
+}
--- a/caddy/config/conf.d/registry.serguzim.me.conf
+++ b/caddy/config/conf.d/registry.serguzim.me.conf
@ -0,0 +1,4 @@
+registry.serguzim.me {
+    reverse_proxy /metrics host.docker.internal:3029
+    reverse_proxy host.docker.internal:3021
+}
--- a/caddy/config/conf.d/rss.serguzim.me.conf
+++ b/caddy/config/conf.d/rss.serguzim.me.conf
@ -0,0 +1,3 @@
+rss.serguzim.me {
+    reverse_proxy tt-rss:80
+}
--- a/caddy/config/conf.d/serguzim.me.conf
+++ b/caddy/config/conf.d/serguzim.me.conf
@ -0,0 +1,11 @@
+serguzim.me {
+    header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
+    redir https://www.serguzim.me{uri}
+}
+
+www.serguzim.me {
+    rewrite * /function/webpage-serguzim-me{uri}
+    reverse_proxy https://faas.serguzim.me {
+        header_up Host {http.reverse_proxy.upstream.hostport}
+    }
+}
--- a/caddy/config/conf.d/soeder.stream.conf
+++ b/caddy/config/conf.d/soeder.stream.conf
@ -0,0 +1,6 @@
+xn--sder-5qa.stream {
+    rewrite * /function/webpage-soeder-stream{uri}
+    reverse_proxy https://faas.serguzim.me {
+        header_up Host {http.reverse_proxy.upstream.hostport}
+    }
+}
--- a/caddy/config/conf.d/stream.serguzim.me.conf
+++ b/caddy/config/conf.d/stream.serguzim.me.conf
@ -0,0 +1,5 @@
+stream.serguzim.me {
+    import auth_serguzim_me
+
+    reverse_proxy host.docker.internal:8888
+}
--- a/caddy/config/conf.d/tick.serguzim.me.conf
+++ b/caddy/config/conf.d/tick.serguzim.me.conf
@ -0,0 +1,3 @@
+tick.serguzim.me {
+    reverse_proxy host.docker.internal:8086
+}
--- a/caddy/config/conf.d/wiki.serguzim.me.conf
+++ b/caddy/config/conf.d/wiki.serguzim.me.conf
@ -0,0 +1,3 @@
+wiki.serguzim.me {
+    reverse_proxy wiki-js:3000
+}
--- a/caddy/config/snippets
+++ b/caddy/config/snippets
@ -0,0 +1,15 @@
+(auth_serguzim_me) {
+    # always forward outpost path to actual outpost
+    reverse_proxy /outpost.goauthentik.io/* authentik:9000
+
+    # forward authentication to outpost
+    forward_auth authentik:9000 {
+        uri /outpost.goauthentik.io/auth/caddy
+
+        # capitalization of the headers is important, otherwise they will be empty
+        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+
+        # optional, in this config trust all private ranges, should probably be set to the outposts IP
+        trusted_proxies private_ranges
+    }
+}
--- a/caddy/docker-compose.yml
+++ b/caddy/docker-compose.yml
@ -0,0 +1,26 @@
+version: "3.7"
+
+services:
+  app:
+    image: caddy:2-alpine
+    restart: always
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+      - "8008:8008"
+      - "8448:8448"
+    volumes:
+      - ./config:/etc/caddy/
+      - data:/data
+    extra_hosts:
+      - host.docker.internal:host-gateway
+    networks:
+      services:
+
+volumes:
+  data:
+
+networks:
+  services:
+    external: true
--- a/tt-rss/docker-compose.yml
+++ b/tt-rss/docker-compose.yml
@ -4,8 +4,6 @@ services:
  app:
    image: cthulhoo/ttrss-fpm-pgsql-static
    restart: always
-    labels:
-      com.centurylinklabs.watchtower.enable: true
    env_file:
      - .env
      - .secret.env
@ -19,8 +17,6 @@ services:
  updater:
    image: cthulhoo/ttrss-fpm-pgsql-static
    restart: always
-    labels:
-      com.centurylinklabs.watchtower.enable: true
    env_file:
      - .env
      - .secret.env
@ -35,8 +31,6 @@ services:
  web-nginx:
    image: cthulhoo/ttrss-web-nginx
    restart: always
-    labels:
-      com.centurylinklabs.watchtower.enable: true
    volumes:
      - app:/var/www/html:ro
      - ./nginx.conf:/etc/nginx/nginx.conf