Switch from traefik to caddy

2023-04-03 23:20:36 +03:00 · 2023-04-03 23:20:36 +03:00 · 219d5c7633
parent 2a9517822d
commit 219d5c7633
14 changed files with 98 additions and 290 deletions
--- a/docker/caddy/Caddyfile
+++ b/docker/caddy/Caddyfile
@ -0,0 +1,74 @@
+korhonen.cc, *.korhonen.cc {
+	tls {$CLOUDFLARE_EMAIL} {
+		dns cloudflare {$CLOUDFLARE_API_TOKEN}
+		resolvers 1.1.1.1
+	}
+
+	@homepage host korhonen.cc
+  handle @homepage {
+		root * /var/www/korhonen.cc
+		file_server
+	}
+
+	@wkd host openpgpkey.korhonen.cc
+	handle @wkd {
+		root * /var/www/wkd
+		file_server browse
+	}
+
+	@index host index.korhonen.cc
+	handle @index {
+		root * /docker/index.korhonen.cc
+		file_server browse
+	}
+
+	@home-assistant host home.korhonen.cc
+	handle @home-assistant {
+		reverse_proxy home-assistant:8123
+	}
+
+	@authentik host sso.korhonen.cc
+	handle @authentik {
+		reverse_proxy authentik:9000
+	}
+
+	@forgejo host git.korhonen.cc
+	handle @forgejo {
+		reverse_proxy forgejo:3000
+	}
+
+	@searx host search.korhonen.cc
+	handle @searx {
+		reverse_proxy searx:8080
+	}
+
+	@freshrss host rss.korhonen.cc
+	handle @freshrss {
+		reverse_proxy freshrss
+	}
+
+	@jellyfin host jellyfin.korhonen.cc
+	handle @jellyfin {
+		reverse_proxy jellyfin:8096
+	}
+
+	@misskey host social.korhonen.cc
+	handle @misskey {
+		reverse_proxy misskey:3000
+	}
+
+	@pihole host pihole.korhonen.cc
+	handle @pihole {
+		reverse_proxy pihole
+	}
+
+	@umami host umami.korhonen.cc
+	handle @umami {
+    reverse_proxy umami:3000
+	}
+
+	# Fallback for unhandled domains
+	handle {
+		redir https://korhonen.cc/404.html
+	}
+}
--- a/docker/caddy/docker-compose.toml
+++ b/docker/caddy/docker-compose.toml
@ -0,0 +1,18 @@
+[services.caddy]
+image = "slothcroissant/caddy-cloudflaredns"
+container_name = "caddy"
+restart = "unless-stopped"
+ports = ["80:80", "443:443/tcp", "443:443/udp"]
+networks = ["proxy"]
+volumes = [
+  "/docker/caddy/data:/data",
+  "/docker/caddy/config:/config",
+  "/var/www/korhonen.cc:/var/www/korhonen.cc",
+  "/var/www/wkd:/var/www/wkd",
+  "/var/www/index.korhonen.cc:/var/www/index.korhonen.cc",
+  "./Caddyfile:/etc/caddy/Caddyfile",
+]
+environment = ["CLOUDFLARE_EMAIL", "CLOUDFLARE_API_TOKEN", "ACME_AGREE=true"]
+
+[networks.proxy]
+external = true
--- a/docker/forgejo/docker-compose.toml
+++ b/docker/forgejo/docker-compose.toml
@ -4,20 +4,8 @@ container_name = "forgejo"
 environment = ["TZ=Europe/Helsinki", "USER_UID=1000", "USER_GID=1000"]
 restart = "unless-stopped"
 networks = ["postgres", "proxy"]
-ports = ["3000:3000", "22:22"]
+ports = ["22:22"]
 volumes = ["/docker/forgejo:/data", "/etc/localtime:/etc/localtime:ro"]
-labels = [
-  "traefik.enable=true",
-  "traefik.docker.network=proxy",
-  "traefik.http.routers.forgejo-redirect.entrypoints=http",
-  "traefik.http.routers.forgejo-redirect.rule=Host(`git.korhonen.cc`)",
-  "traefik.http.routers.forgejo-redirect.middlewares=http2https@file",
-  "traefik.http.routers.forgejo.entrypoints=https",
-  "traefik.http.routers.forgejo.middlewares=secHeaders@file,compress@file",
-  "traefik.http.routers.forgejo.rule=Host(`git.korhonen.cc`)",
-  "traefik.http.routers.forgejo.service=forgejo",
-  "traefik.http.services.forgejo.loadbalancer.server.port=3000",
-]

 [networks.postgres]
 external = true
--- a/docker/index.korhonen.cc/docker-compose.toml
+++ b/docker/index.korhonen.cc/docker-compose.toml
@ -1,26 +0,0 @@
-[services]
-
-[services.nginx]
-image = "fraoustin/fancyindex"
-container_name = "index.korhonen.cc"
-environment = ["DISABLE_AUTH=true", "CONTAINER_TIMEZONE=\"Europe/Helsinki\""]
-volumes = ["/docker/index.korhonen.cc:/share"]
-networks = ["proxy"]
-restart = "unless-stopped"
-labels = [
-  "traefik.enable=true",
-  "traefik.docker.network=proxy",
-  "traefik.http.routers.index-redirect.entrypoints=http",
-  "traefik.http.routers.index-redirect.rule=Host(`index.korhonen.cc`)",
-  "traefik.http.routers.index-redirect.middlewares=http2https@file",
-  "traefik.http.routers.index.entrypoints=https",
-  "traefik.http.routers.index.middlewares=secHeaders@file,compress@file",
-  "traefik.http.routers.index.rule=Host(`index.korhonen.cc`)",
-  "traefik.http.routers.index.service=index",
-  "traefik.http.services.index.loadbalancer.server.port=80",
-]
-
-[networks]
-
-[networks.proxy]
-external = true
--- a/docker/jellyfin/docker-compose.toml
+++ b/docker/jellyfin/docker-compose.toml
@ -1,10 +1,7 @@
-[services]
-
 [services.jellyfin]
 image = "jellyfin/jellyfin"
 container_name = "jellyfin"
 environment = ["TZ=Europe/Helsinki"]
-ports = ["8096:8096"]
 networks = ["proxy", "authentik"]
 restart = "unless-stopped"
 volumes = [
@ -18,20 +15,6 @@ devices = [
  "/dev/dri/renderD128:/dev/dri/renderD128",
  "/dev/dri/card0:/dev/dri/card0",
 ]
-labels = [
-  "traefik.enable=true",
-  "traefik.docker.network=proxy",
-  "traefik.http.routers.jellyfin-redirect.entrypoints=http",
-  "traefik.http.routers.jellyfin-redirect.rule=Host(`jellyfin.korhonen.cc`)",
-  "traefik.http.routers.jellyfin-redirect.middlewares=http2https@file",
-  "traefik.http.routers.jellyfin.entrypoints=https",
-  "traefik.http.routers.jellyfin.middlewares=secHeaders@file,compress@file",
-  "traefik.http.routers.jellyfin.rule=Host(`jellyfin.korhonen.cc`)",
-  "traefik.http.routers.jellyfin.service=jellyfin",
-  "traefik.http.services.jellyfin.loadbalancer.server.port=8096",
-]
-
-[networks]

 [networks.proxy]
 external = true
--- a/docker/misskey/docker-compose.toml
+++ b/docker/misskey/docker-compose.toml
@ -9,18 +9,6 @@ volumes = [
  "/docker/misskey/files:/misskey/files",
  "/docker/misskey/config:/misskey/.config:ro",
 ]
-labels = [
-  "traefik.enable=true",
-  "traefik.docker.network=proxy",
-  "traefik.http.routers.misskey-redirect.entrypoints=http",
-  "traefik.http.routers.misskey-redirect.rule=Host(`social.korhonen.cc`)",
-  "traefik.http.routers.misskey-redirect.middlewares=http2https@file",
-  "traefik.http.routers.misskey.entrypoints=https",
-  "traefik.http.routers.misskey.middlewares=secHeaders@file,compress@file",
-  "traefik.http.routers.misskey.rule=Host(`social.korhonen.cc`)",
-  "traefik.http.routers.misskey.service=misskey",
-  "traefik.http.services.misskey.loadbalancer.server.port=3000",
-]

 [services.elasticsearch]
 image = "docker.elastic.co/elasticsearch/elasticsearch:7.17.8"
--- a/docker/pihole/docker-compose.toml
+++ b/docker/pihole/docker-compose.toml
@ -12,18 +12,6 @@ volumes = [
 dns = ["127.0.0.1", "1.1.1.1"]
 cap_add = ["NET_ADMIN"]
 restart = "unless-stopped"
-labels = [
-  "traefik.enable=true",
-  "traefik.docker.network=proxy",
-  "traefik.http.routers.pihole-redirect.entrypoints=http",
-  "traefik.http.routers.pihole-redirect.rule=Host(`pihole.korhonen.cc`)",
-  "traefik.http.routers.pihole-redirect.middlewares=http2https@file",
-  "traefik.http.routers.pihole.entrypoints=https",
-  "traefik.http.routers.pihole.middlewares=secHeaders@file,compress@file",
-  "traefik.http.routers.pihole.rule=Host(`pihole.korhonen.cc`)",
-  "traefik.http.routers.pihole.service=pihole",
-  "traefik.http.services.pihole.loadbalancer.server.port=80",
-]

 [services.pihole.environment]
 TZ = "Europe/Helsinki"
--- a/docker/traefik/docker-compose.toml
+++ b/docker/traefik/docker-compose.toml
@ -1,53 +0,0 @@
-[services.traefik]
-image = "traefik"
-container_name = "traefik"
-restart = "unless-stopped"
-ports = ["80:80", "443:443/tcp", "443:443/udp"]
-environment = [
-  "TZ=Europe/Helsinki",
-  "ADMIN_EMAIL",
-  "CF_API_EMAIL=${ADMIN_EMAIL}",
-  "CF_API_KEY",
-  "CF_ZONE_API_TOKEN",
-  "CF_DNS_API_TOKEN",
-]
-security_opt = ["no-new-privileges:true"]
-networks = ["proxy"]
-volumes = [
-  "/etc/localtime:/etc/localtime:ro",
-  "/var/run/docker.sock:/var/run/docker.sock:ro",
-  "./traefik.toml:/traefik.toml:ro",
-  "./dynamic.toml:/dynamic.toml:ro",
-  "/docker/traefik/traefik/acme.json:/acme.json",
-  "/docker/traefik/traefik/log:/var/log",
-]
-labels = [
-  "traefik.enable=true",
-  "traefik.docker.network=proxy",
-  "traefik.http.routers.redirect.entrypoints=http",
-  "traefik.http.routers.redirect.rule=Host(`traefik.korhonen.cc`)",
-  "traefik.http.routers.redirect.middlewares=http2https@file",
-  "traefik.http.routers.dashboard.entrypoints=https",
-  "traefik.http.routers.dashboard.middlewares=secHeaders@file,compress@file,authentik@file",
-  "traefik.http.routers.dashboard.rule=Host(`traefik.korhonen.cc`)",
-  "traefik.http.routers.dashboard.service=api@internal",
-]
-
-[services.fail2ban]
-image = "crazymax/fail2ban"
-container_name = "fail2ban"
-restart = "unless-stopped"
-network_mode = "host"
-cap_add = ["NET_ADMIN", "NET_RAW"]
-environment = ["TZ=Europe/Helsinki"]
-volumes = [
-  "/etc/localtime:/etc/localtime:ro",
-  "/docker/traefik/traefik/log:/var/log/traefik:ro",
-  "/docker/traefik/fail2ban:/data",
-  "/docker/forgejo/gitea/log/gitea.log:/var/log/forgejo:ro",
-  "/docker/homeautomation/home-assistant/home-assistant.log:/var/log/hass",
-  "/mnt/Storage/Nextcloud/nextcloud.log:/var/log/nextcloud:ro",
-]
-
-[networks.proxy]
-external = true
--- a/docker/traefik/dynamic.toml
+++ b/docker/traefik/dynamic.toml
@ -1,86 +0,0 @@
-[http.middlewares.authentik.forwardAuth]
-address = "http://authentik:9000/outpost.goauthentik.io/auth/traefik"
-trustForwardHeader = true
-authResponseHeaders = [
-  "X-authentik-username",
-  "X-authentik-groups",
-  "X-authentik-email",
-  "X-authentik-name",
-  "X-authentik-uid",
-  "X-authentik-jwt",
-  "X-authentik-meta-jwks",
-  "X-authentik-meta-outpost",
-  "X-authentik-meta-provider",
-  "X-authentik-meta-app",
-  "X-authentik-meta-version",
-]
-
-[http.middlewares.compress.compress]
-
-[http.middlewares.http2https.redirectScheme]
-scheme = "https"
-permanent = true
-
-[http.middlewares.secHeaders.headers]
-browserXssFilter = true
-contentTypeNosniff = true
-frameDeny = true
-sslRedirect = true
-stsIncludeSubdomains = true
-stsPreload = true
-stsSeconds = 31_536_000
-customFrameOptionsValue = "SAMEORIGIN"
-referrerPolicy = "strict-origin-when-cross-origin"
-accesscontrolAllowMethods = ["GET", "OPTIONS", "POST"]
-accesscontrolAllowOriginList = ["https://korhonen.cc"]
-accessControlAllowHeaders = [
-  "Accept",
-  "Accept-Encoding",
-  "Accept-Language",
-  "Access-Control-Request-Headers",
-  "Access-Control-Request-Method",
-  "Connection",
-  "Content-Type",
-  "DNT",
-  "Host",
-  "Origin",
-  "Referer",
-  "Sec-Fetch-Dest",
-  "Sec-Fetch-Mode",
-  "Sec-Fetch-Site",
-  "User-Agent",
-]
-accesscontrolMaxAge = 100
-addVaryHeader = true
-
-[http.middlewares.nextcloud-redirect-dav.redirectRegex]
-permanent = true
-regex = "https://cloud.korhonen.cc/.well-known/(card|cal)dav"
-replacement = "https://cloud.korhonen.cc/remote.php/dav/"
-
-[http.middlewares.nextcloud-redirect-extra.redirectRegex]
-permanent = true
-regex = "https://cloud.korhonen.cc/.well-known/(.*)"
-replacement = "https://cloud.korhonen.cc/index.php/.well-known/${1}"
-
-[http.middlewares.nextcloud-security-headers.headers.customResponseHeaders]
-X-Robots-Tag = "noindex,nofollow"
-
-[http.middlewares.www2non-www.redirectregex]
-permanent = true
-regex = "^https?://www\\.(.+)"
-replacement = "https://${1}"
-
-[http.serversTransports.ignorecert]
-insecureSkipVerify = true
-
-[tls.options.default]
-minVersion = "VersionTLS12"
-cipherSuites = [
-  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
-  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
-]
-
-[tls.options.mintls13]
-minVersion = "VersionTLS13"
--- a/docker/traefik/traefik.toml
+++ b/docker/traefik/traefik.toml
@ -1,41 +0,0 @@
-[experimental]
-http3 = true
-
-[api]
-dashboard = true
-
-[entryPoints.http]
-address = ":80"
-
-[entryPoints.https]
-address = ":443"
-
-[entryPoints.https.http3]
-
-[entryPoints.https.http.tls]
-options = "default"
-certResolver = "letsEncrypt"
-
-[[entryPoints.https.http.tls.domains]]
-main = "korhonen.cc"
-sans = ["*.korhonen.cc"]
-
-[certificatesResolvers.letsEncrypt.acme]
-email = "admin@korhonen.cc"
-storage = "acme.json"
-
-[certificatesResolvers.letsEncrypt.acme.dnsChallenge]
-provider = "cloudflare"
-
-[accessLog]
-filePath = "/var/log/access.log"
-
-[accessLog.filters]
-statusCodes = ["400-499"]
-
-[providers.docker]
-endpoint = "unix:///var/run/docker.sock"
-exposedByDefault = false
-
-[providers.file]
-filename = "/dynamic.toml"
--- a/docker/tvheadend/docker-compose.toml
+++ b/docker/tvheadend/docker-compose.toml
@ -1,5 +1,3 @@
-[services]
-
 [services.tvheadend]
 image = "linuxserver/tvheadend"
 container_name = "tvheadend"
@ -14,20 +12,6 @@ ports = ["9981:9981", "9982:9982"]
 devices = ["/dev/dvb:/dev/dvb"]
 restart = "unless-stopped"
 networks = ["proxy"]
-labels = [
-  "traefik.enable=true",
-  "traefik.docker.network=proxy",
-  "traefik.http.routers.tvheadend-redirect.entrypoints=http",
-  "traefik.http.routers.tvheadend-redirect.rule=Host(`tvheadend.korhonen.cc`)",
-  "traefik.http.routers.tvheadend-redirect.middlewares=http2https@file",
-  "traefik.http.routers.tvheadend.entrypoints=https",
-  "traefik.http.routers.tvheadend.middlewares=secHeaders@file,compress@file",
-  "traefik.http.routers.tvheadend.rule=Host(`tvheadend.korhonen.cc`)",
-  "traefik.http.routers.tvheadend.service=tvheadend",
-  "traefik.http.services.tvheadend.loadbalancer.server.port=9981",
-]
-
-[networks]

 [networks.proxy]
 external = true
--- a/docker/umami/docker-compose.toml
+++ b/docker/umami/docker-compose.toml
@ -4,18 +4,6 @@ container_name = "umami"
 restart = "unless-stopped"
 networks = ["postgres", "proxy"]
 env_file = ".env"
-labels = [
-  "traefik.enable=true",
-  "traefik.docker.network=proxy",
-  "traefik.http.routers.umami-redirect.entrypoints=http",
-  "traefik.http.routers.umami-redirect.rule=Host(`umami.korhonen.cc`)",
-  "traefik.http.routers.umami-redirect.middlewares=http2https@file",
-  "traefik.http.routers.umami.entrypoints=https",
-  "traefik.http.routers.umami.middlewares=secHeaders@file,compress@file",
-  "traefik.http.routers.umami.rule=Host(`umami.korhonen.cc`)",
-  "traefik.http.routers.umami.service=umami",
-  "traefik.http.services.umami.loadbalancer.server.port=3000",
-]

 [services.umami.environment]
 DATABASE_URL = "postgresql://umami:${POSTGRES_PASS}@postgres:5432/umami"
--- a/home/.config/nvim/lua/plugins/init.lua
+++ b/home/.config/nvim/lua/plugins/init.lua
@ -203,6 +203,9 @@ local plugins = {
    "norcalli/nvim-colorizer.lua",
    config = true,
  },
+
+  -- Caddyfile syntax support
+  "isobit/vim-caddyfile",
 }

 local lazy_opts = {}
--- a/root/etc/pacman.conf
+++ b/root/etc/pacman.conf
@ -10,7 +10,7 @@ LocalFileSigLevel = Optional
 CacheDir = /var/cache/pacman/pkg
 {%@@ if profile == "Moria" @@%}
 CleanMethod=KeepCurrent
-CacheDir=/docker/index.korhonen.cc/repo/arch_linux/korhonen_aur/x86_64
+CacheDir=/var/www/index.korhonen.cc/repo/arch_linux/korhonen_aur/x86_64
 {%@@ endif @@%}

 [cachyos-v3]
@ -43,7 +43,7 @@ Include = /etc/pacman.d/mirrorlist

 [korhonen_aur]
 {%@@ if profile == "Moria" @@%}
-Server = file:///docker/index.korhonen.cc/repo/arch_linux/$repo/$arch
+Server = file:///var/www/index.korhonen.cc/repo/arch_linux/$repo/$arch
 {%@@ else @@%}
 Include = /etc/pacman.d/pacserve
 Server = https://index.korhonen.cc/repo/arch_linux/$repo/$arch