first

caddy/config/Caddyfile

@@ -0,0 +1,29 @@
+import snippets.caddy
+diukman.com {
+	respond "Error" 500
+}
+https://photos.diukman.com {
+	reverse_proxy http://192.168.2.100:3002
+}
+https://auth.diukman.com {
+	reverse_proxy oauth2proxy:4180
+}
+https://adguard.diukman.com {
+	import protect rp http://192.168.2.8
+	# respond "aaaaa"
+}
+https://opnsense.diukman.com {
+	import protect rp http://192.168.2.1
+}
+https://dns.diukman.com {
+	import protect rp http://192.168.2.2:5380
+}
+https://proxmox.diukman.com {
+	import protect rp_skip_tls https://192.168.2.10:8006
+}
+https://wireguard.diukman.com {
+	import protect rp http://192.168.2.5
+}
+https://modem.diukman.com {
+	import protect rp http://192.168.1.1
+}

caddy/config/snippets.caddy

@@ -0,0 +1,36 @@
+(rp_skip_tls) {
+	reverse_proxy {args[0]} {
+		transport http {
+			tls_insecure_skip_verify
+		}
+	}
+}
+(rp) {
+	reverse_proxy {args[0]}
+}
+(auth_path) {
+	handle /oauth2/* {
+		reverse_proxy oauth2proxy:4180 {
+			header_up X-Real-IP {remote_host}
+			header_up X-Forwarded-Uri {uri}
+		}
+	}
+}
+(auth_redirect) {
+	import auth_path
+	handle {
+		forward_auth oauth2proxy:4180 {
+			uri /oauth2/auth
+			header_up X-Real-IP {remote_host}
+			@error status 401
+			handle_response @error {
+				redir * /oauth2/sign_in?rd={scheme}://{host}{uri}
+			}
+		}
+	}
+	import {args[0]} {args[1]}
+}
+(protect) {
+	import auth_path
+	import auth_redirect {args[0]} {args[1]}
+}

compose.yml

@@ -0,0 +1,56 @@
+services: ########################SERVICES########################
+
+#-------------------------------------CADDY--------------------------------------------
+  caddy:
+    image: caddy:2
+    restart: unless-stopped
+    container_name: caddy
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+    volumes:
+      - ./caddy/config/:/etc/caddy/
+      - caddy_data:/data
+      - caddy_config:/config
+    networks:
+      - gateway
+    # tty: true
+#-----------------------------------OAUTH2PROXY--------------------------------------
+  oauth2proxy:
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
+    container_name: oauth2proxy
+    restart: unless-stopped
+    ports:
+      - "4180:4180"
+    networks:
+      - gateway
+    volumes:
+      - "./oauth2-proxy/oauth2-proxy.cfg:/etc/oauth2-proxy.cfg"
+      - "./oauth2-proxy/allowed_emails.txt:/etc/allowed_emails.txt"
+    command: --config /etc/oauth2-proxy.cfg
+    # command: --config /etc/oauth2-proxy.cfg --authenticated-emails-file /etc/allowed_emails.txt
+    # command: --config /etc/oauth2-proxy.cfg --whitelist-domain .diukman.com
+    # tty: true
+
+#########################VOLUMES########################
+
+volumes:
+  caddy_data:
+  caddy_config:
+
+########################NETWORKS########################
+networks:
+  gateway:
+    external: false
+
+
+# reload after config change: 
+# docker exec -w /etc/caddy caddy sh -c 'caddy fmt --overwrite && caddy reload'
+
+# The required section for 'watch' inside the service definition!
+# develop:
+#   watch:
+#     - action: restart
+#       path: ./caddy/config/Caddyfile  # Host path to watch
+#       target: /etc/caddy/Caddyfile

oauth2-proxy/allowed_emails.txt

@@ -0,0 +1,2 @@
+zeevdukeman@gmail.com
+zeevdukemandev@gmail.com

oauth2-proxy/oauth2-proxy.cfg

@@ -0,0 +1,17 @@
+# --- 1. Provider Configuration ---
+provider = "google"
+client_id = "908518725447-1pbdp071t2b07p66fv0n845n3nrbeu0k.apps.googleusercontent.com"
+client_secret = "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"
+cookie_secret = "0MuGA07eq7PqfEBQXV_mkRxPsHb4VsuwlEka5A4dExg="
+upstreams = "static://200"
+http_address = "0.0.0.0:4180"
+redirect_url = "https://auth.diukman.com/oauth2/callback"
+scope = "openid profile email"
+set_xauthrequest = true
+# whitelist_domains = [ ".diukman.com", "diukman.com" ]
+cookie_domains = [ ".diukman.com", "diukman.com" ]
+cookie_httponly = true
+cookie_secure = true
+cookie_samesite = "none"
+authenticated_emails_file = "/etc/allowed_emails.txt"
+# email_domains = [ "*" ]

z.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Capture all arguments as array
+Z_CMD=("$@")
+Z_FLAG=false
+case "${Z_CMD[0]}" in
+    docker | d)
+        case "${Z_CMD[1]}" in
+            restart | r)
+                echo "Restarting Docker containers..."
+                docker compose down && docker compose up -d
+                ;;
+            up | u)
+                echo "Starting Docker containers..."
+                docker compose up -d
+                ;;
+            down | d)
+                echo "Stopping Docker containers..."
+                docker compose down
+                ;;
+            *)
+                Z_FLAG=true
+                ;;
+        esac
+        ;;
+    caddy | c)
+        case "${Z_CMD[1]}" in
+            reload | r)
+                echo "Reloading Caddy..."
+                docker exec -w /etc/caddy caddy sh -c 'caddy fmt --overwrite && caddy reload'
+                ;;
+            restart)
+                echo "Restarting Caddy container..."
+                docker compose restart caddy
+                ;;
+            *)
+                Z_FLAG=true
+                ;;
+        esac
+        ;;
+    *)
+        Z_FLAG=true
+        ;;
+esac
+
+case $Z_FLAG in
+    true)
+        echo "Usage: $0 caddy [reload|restart|watch]"
+        exit 1
+        ;;
+esac