commit 273f46d0fba8d7c10f0e358420890fd854b26205
Author: Zeev Diukman
Date: Fri Nov 28 16:08:29 2025 +0200
first
diff --git a/caddy/config/Caddyfile b/caddy/config/Caddyfile
new file mode 100644
index 0000000..e81d450
--- /dev/null
+++ b/caddy/config/Caddyfile
@@ -0,0 +1,29 @@
+import snippets.caddy
+diukman.com {
+ respond "Error" 500
+}
+https://photos.diukman.com {
+ reverse_proxy http://192.168.2.100:3002
+}
+https://auth.diukman.com {
+ reverse_proxy oauth2proxy:4180
+}
+https://adguard.diukman.com {
+ import protect rp http://192.168.2.8
+ # respond "aaaaa"
+}
+https://opnsense.diukman.com {
+ import protect rp http://192.168.2.1
+}
+https://dns.diukman.com {
+ import protect rp http://192.168.2.2:5380
+}
+https://proxmox.diukman.com {
+ import protect rp_skip_tls https://192.168.2.10:8006
+}
+https://wireguard.diukman.com {
+ import protect rp http://192.168.2.5
+}
+https://modem.diukman.com {
+ import protect rp http://192.168.1.1
+}
diff --git a/caddy/config/snippets.caddy b/caddy/config/snippets.caddy
new file mode 100644
index 0000000..a104278
--- /dev/null
+++ b/caddy/config/snippets.caddy
@@ -0,0 +1,36 @@
+(rp_skip_tls) {
+ reverse_proxy {args[0]} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+}
+(rp) {
+ reverse_proxy {args[0]}
+}
+(auth_path) {
+ handle /oauth2/* {
+ reverse_proxy oauth2proxy:4180 {
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-Uri {uri}
+ }
+ }
+}
+(auth_redirect) {
+ import auth_path
+ handle {
+ forward_auth oauth2proxy:4180 {
+ uri /oauth2/auth
+ header_up X-Real-IP {remote_host}
+ @error status 401
+ handle_response @error {
+ redir * /oauth2/sign_in?rd={scheme}://{host}{uri}
+ }
+ }
+ }
+ import {args[0]} {args[1]}
+}
+(protect) {
+ import auth_path
+ import auth_redirect {args[0]} {args[1]}
+}
\ No newline at end of file
diff --git a/compose.yml b/compose.yml
new file mode 100644
index 0000000..85cc8f4
--- /dev/null
+++ b/compose.yml
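Review bot: The proxmox site imports `rp_skip_tls`, whose `tls_insecure_skip_verify` turns off certificate verification for the hop to `https://192.168.2.10:8006`, so that upstream is accepted whatever certificate it presents and the protected session data forwarded to it is only as safe as that LAN path. Proxmox generates its own CA, so the snippet can keep verification on by pinning it, e.g. replacing `tls_insecure_skip_verify` with `tls_trusted_ca_cert <path-to-pve-root-ca.pem>` (placeholder path, mounted into the caddy container). The `# respond "aaaaa"` line under adguard looks like a debugging leftover and can be dropped. The remaining `rp` sites proxy to internal addresses over plain http, which is presumably a deliberate trust-the-LAN decision; a one-line comment at the top of the Caddyfile stating that would save the next reader from guessing.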
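Review bot: `(protect)` imports `auth_path` and then `auth_redirect`, which itself starts with `import auth_path`, so every protected site ends up with two identical `handle /oauth2/*` blocks and the second can never match; remove the `import auth_path` line from `(protect)` (or from `(auth_redirect)`) so the route is declared once. In `(auth_redirect)` the sign-in redirect carries `rd={scheme}://{host}{uri}`, an absolute URL built from the request's Host header; oauth2-proxy validates `rd` before following it and, with `whitelist_domains` commented out in oauth2-proxy.cfg, may discard it and send the user to `/` after login rather than the page they asked for — worth confirming in a browser before assuming the deep link works. A relative value, `rd={uri}`, avoids the question for same-host returns, which is the only case these snippets produce.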
@@ -0,0 +1,56 @@
+services: ########################SERVICES########################
+
+#-------------------------------------CADDY--------------------------------------------
+ caddy:
+ image: caddy:2
+ restart: unless-stopped
+ container_name: caddy
+ ports:
+ - "80:80"
+ - "443:443"
+ - "443:443/udp"
+ volumes:
+ - ./caddy/config/:/etc/caddy/
+ - caddy_data:/data
+ - caddy_config:/config
+ networks:
+ - gateway
+ # tty: true
+#-----------------------------------OAUTH2PROXY--------------------------------------
+ oauth2proxy:
+ image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+ container_name: oauth2proxy
+ restart: unless-stopped
+ ports:
+ - "4180:4180"
+ networks:
+ - gateway
+ volumes:
+ - "./oauth2-proxy/oauth2-proxy.cfg:/etc/oauth2-proxy.cfg"
+ - "./oauth2-proxy/allowed_emails.txt:/etc/allowed_emails.txt"
+ command: --config /etc/oauth2-proxy.cfg
+ # command: --config /etc/oauth2-proxy.cfg --authenticated-emails-file /etc/allowed_emails.txt
+ # command: --config /etc/oauth2-proxy.cfg --whitelist-domain .diukman.com
+ # tty: true
+
+#########################VOLUMES########################
+
+volumes:
+ caddy_data:
+ caddy_config:
+
+########################NETWORKS########################
+networks:
+ gateway:
+ external: false
+
+
+# reload after config change:
+# docker exec -w /etc/caddy caddy sh -c 'caddy fmt --overwrite && caddy reload'
+
+# The required section for 'watch' inside the service definition!
+# develop:
+# watch:
+# - action: restart
+# path: ./caddy/config/Caddyfile # Host path to watch
+# target: /etc/caddy/Caddyfile
\ No newline at end of file
diff --git a/oauth2-proxy/allowed_emails.txt b/oauth2-proxy/allowed_emails.txt
new file mode 100644
index 0000000..39c5c30
--- /dev/null
+++ b/oauth2-proxy/allowed_emails.txt
@@ -0,0 +1,2 @@
+zeevdukeman@gmail.com
+zeevdukemandev@gmail.com
\ No newline at end of file
diff --git a/oauth2-proxy/oauth2-proxy.cfg b/oauth2-proxy/oauth2-proxy.cfg
new file mode 100644
index 0000000..3de1140
--- /dev/null
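Review bot: The `oauth2proxy` service publishes `- "4180:4180"`, which exposes the auth endpoint (and its OAuth callback) on every host interface over plain HTTP, outside the TLS termination and the `cookie_secure` assumptions the rest of the setup relies on; Caddy already reaches it as `oauth2proxy:4180` over the `gateway` network, so the `ports:` block on that service can be removed, or narrowed to `- "127.0.0.1:4180:4180"` if local debugging really needs it. Since both containers are on the same network, the mapping buys nothing for the proxy path. The two commented `# command:` alternatives and the `# tty: true` lines read as experiment leftovers; if they are kept, a short comment saying why the `--config`-only form won is more useful than the alternatives themselves.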
+++ b/oauth2-proxy/oauth2-proxy.cfg
@@ -0,0 +1,17 @@
+# --- 1. Provider Configuration ---
+provider = "google"
+client_id = "908518725447-1pbdp071t2b07p66fv0n845n3nrbeu0k.apps.googleusercontent.com"
+client_secret = "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"
+cookie_secret = "0MuGA07eq7PqfEBQXV_mkRxPsHb4VsuwlEka5A4dExg="
+upstreams = "static://200"
+http_address = "0.0.0.0:4180"
+redirect_url = "https://auth.diukman.com/oauth2/callback"
+scope = "openid profile email"
+set_xauthrequest = true
+# whitelist_domains = [ ".diukman.com", "diukman.com" ]
+cookie_domains = [ ".diukman.com", "diukman.com" ]
+cookie_httponly = true
+cookie_secure = true
+cookie_samesite = "none"
+authenticated_emails_file = "/etc/allowed_emails.txt"
+# email_domains = [ "*" ]
\ No newline at end of file
diff --git a/z.sh b/z.sh
new file mode 100755
index 0000000..76a8dd1
--- /dev/null
+++ b/z.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Capture all arguments as array
+Z_CMD=("$@")
+Z_FLAG=false
+case "${Z_CMD[0]}" in
+ docker | d)
+ case "${Z_CMD[1]}" in
+ restart | r)
+ echo "Restarting Docker containers..."
+ docker compose down && docker compose up -d
+ ;;
+ up | u)
+ echo "Starting Docker containers..."
+ docker compose up -d
+ ;;
+ down | d)
+ echo "Stopping Docker containers..."
+ docker compose down
+ ;;
+ *)
+ Z_FLAG=true
+ ;;
+ esac
+ ;;
+ caddy | c)
+ case "${Z_CMD[1]}" in
+ reload | r)
+ echo "Reloading Caddy..."
+ docker exec -w /etc/caddy caddy sh -c 'caddy fmt --overwrite && caddy reload'
+ ;;
+ restart)
+ echo "Restarting Caddy container..."
+ docker compose restart caddy
+ ;;
+ *)
+ Z_FLAG=true
+ ;;
+ esac
+ ;;
+ *)
+ Z_FLAG=true
+ ;;
+esac
+
+case $Z_FLAG in
+ true)
+ echo "Usage: $0 caddy [reload|restart|watch]"
+ exit 1
+ ;;
+esac
\ No newline at end of file
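Review bot: The `client_secret` and `cookie_secret` lines commit live credentials in plaintext, and since this file is part of the repository's first commit they must now be treated as disclosed: rotate the Google OAuth client secret in the Google console and generate a fresh cookie secret, then keep them out of the cfg by supplying `OAUTH2_PROXY_CLIENT_SECRET` and `OAUTH2_PROXY_COOKIE_SECRET` from a gitignored `env_file` on the compose service, leaving only non-secret settings here. `cookie_samesite = "none"` removes SameSite protection from the session cookie; every protected site sits under `.diukman.com` and both the sign-in redirect and the Google callback are top-level navigations, so `cookie_samesite = "lax"` should complete the flow while keeping the cookie off cross-site subrequests — verify once with a sign-in after changing it. A short comment above `cookie_domains` noting that it must cover every host that imports `protect` would help whoever adds the next site.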
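Review bot: The usage line printed on a bad invocation, `echo "Usage: $0 caddy [reload|restart|watch]"`, does not describe what the script accepts: there is no `watch` subcommand, and the whole `docker` group (`restart|up|down`, with the `d`, `r`, `u`, `c` aliases) is missing, so the message sends users to a command that fails. Suggested replacement: `echo "Usage: $0 {docker|d} {restart|r|up|u|down|d} | {caddy|c} {reload|r|restart}" >&2`, which also sends the message to stderr so `exit 1` and the text agree about failure. The `case $Z_FLAG in true) … esac` at the end is a roundabout way to test a boolean; `if [ "$Z_FLAG" = true ]; then … fi` reads more directly and is a style-only change.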