Implement cloudflare tunnel

2025-06-07 00:20:49 -05:00 · 2025-06-07 00:20:49 -05:00 · dac15275f4
commit dac15275f4
parent 11b5a0347b
6 changed files with 191 additions and 68 deletions
--- a/docker/caddy/Caddyfile
+++ b/docker/caddy/Caddyfile
@ -1,67 +1,177 @@
 {
-	auto_https off
+	order umami first
 }

-http://index.korhonen.lan {
-	root * /var/www/index.korhonen.cc
-	file_server browse
-}
+korhonen.cc, *.korhonen.cc {
+	encode zstd gzip

-http://home.korhonen.lan {
-	reverse_proxy home-assistant:8123
-}
-
-http://sso.korhonen.lan, http://sso.korhonen.cc {
-	reverse_proxy authentik:9000
-}
-
-http://git.korhonen.lan {
-	rewrite /user/login /user/oauth2/authentik
-	reverse_proxy forgejo:3000
-}
-
-http://search.korhonen.lan {
-	reverse_proxy searx:8080
-}
-
-http://jellyfin.korhonen.lan {
-	reverse_proxy jellyfin:8096
-}
-
-http://cloud.korhonen.lan {
-	# Redirect login page to Authentik
-	redir /login /apps/sociallogin/custom_oidc/korhonen-sso 301
-
-	# .htaccess / data / config / ... shouldn't be accessible from outside
-	@forbidden {
-		path /.htaccess
-		path /data/*
-		path /config/*
-		path /db_structure
-		path /.xml
-		path /README
-		path /3rdparty/*
-		path /lib/*
-		path /templates/*
-		path /occ
-		path /console.php
-	}
-	handle @forbidden {
-		respond 404
+	tls {
+		dns cloudflare {$CF_API_TOKEN}
+		resolvers 1.1.1.1
 	}

-	redir /.well-known/carddav /remote.php/dav 301
-	redir /.well-known/caldav /remote.php/dav 301
-
-	root * /var/www/nextcloud
-	php_fastcgi nextcloud:9000 {
-		root /var/www/html
-		# Tells nextcloud to remove /index.php from URLs in links
-		env front_controller_active true
+	header {
+		Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
 	}
-	file_server
-}

-http://collabora.korhonen.lan {
-	reverse_proxy collabora:9980
+	@static {
+		file
+		path *.ico *.css *.js *.gif *.webp *.avif *.jpg *.jpeg *.png *.svg *.woff *.woff2 *.pdf *.webmanifest
+	}
+
+	@homepage-www-redir host www.korhonen.cc
+	handle @homepage-www-redir {
+		redir https://korhonen.cc
+	}
+
+	@homepage host korhonen.cc
+	handle @homepage {
+		# Redirect finnish WIP
+		# @redirFinnish {
+		#     header Accept-Language *fi-FI*
+		#     not path *.js *.css *.png *.jpg *.jpeg *.svg
+		#     not path /en* /fi*
+		#   }
+		#   redir @redirFinnish /fi{uri}
+		#
+		#   uri strip_prefix /en
+
+		header @static Cache-Control max-age=5184000
+		root * /var/www/korhonen.cc
+		file_server
+	}
+
+	@wkd host openpgpkey.korhonen.cc
+	handle @wkd {
+		root * /var/www/wkd
+		file_server browse
+		header Access-Control-Allow-Origin "*"
+	}
+
+	@index host index.korhonen.cc
+	handle @index {
+		umami {
+			event_endpoint "https://umami.korhonen.cc/api/send"
+			website_uuid "9fe4f5c0-8e63-4479-a58d-d399cdbc0a3a"
+			client_ip_header X-Real-IP
+			device_detection
+			allowed_extensions "" .tar.zst .json .html
+		}
+		root * /var/www/index.korhonen.cc
+		file_server browse
+	}
+
+	@home-assistant host home.korhonen.cc
+	handle @home-assistant {
+		reverse_proxy home-assistant:8123
+	}
+
+	@authentik host sso.korhonen.cc
+	handle @authentik {
+		reverse_proxy authentik:9000
+	}
+
+	@forgejo host git.korhonen.cc
+	handle @forgejo {
+		rewrite /user/login /user/oauth2/authentik
+		reverse_proxy forgejo:3000
+	}
+
+	@woodpecker host ci.korhonen.cc
+	handle @woodpecker {
+		reverse_proxy woodpecker:8000
+	}
+
+	@searx host search.korhonen.cc
+	handle @searx {
+		reverse_proxy searx:8080
+	}
+
+	@freshrss host rss.korhonen.cc
+	handle @freshrss {
+		reverse_proxy freshrss
+	}
+
+	@jellyfin host jellyfin.korhonen.cc
+	handle @jellyfin {
+		reverse_proxy jellyfin:8096
+	}
+
+	@pihole host pihole.korhonen.cc
+	handle @pihole {
+		reverse_proxy pihole
+	}
+
+	@umami host umami.korhonen.cc
+	handle @umami {
+		reverse_proxy umami:3000
+	}
+
+	@nextcloud host cloud.korhonen.cc
+	handle @nextcloud {
+		# Redirect login page to Authentik
+		redir /login /apps/sociallogin/custom_oidc/korhonen-sso 301
+
+		# .htaccess / data / config / ... shouldn't be accessible from outside
+		@forbidden {
+			path /.htaccess
+			path /data/*
+			path /config/*
+			path /db_structure
+			path /.xml
+			path /README
+			path /3rdparty/*
+			path /lib/*
+			path /templates/*
+			path /occ
+			path /console.php
+		}
+		handle @forbidden {
+			respond 404
+		}
+
+		redir /.well-known/carddav /remote.php/dav 301
+		redir /.well-known/caldav /remote.php/dav 301
+
+		root * /var/www/nextcloud
+		php_fastcgi nextcloud:9000 {
+			root /var/www/html
+			# Tells nextcloud to remove /index.php from URLs in links
+			env front_controller_active true
+		}
+		file_server
+	}
+
+	@collabora host collabora.korhonen.cc
+	handle @collabora {
+		reverse_proxy collabora:9980
+	}
+
+	@drop host drop.korhonen.cc
+	handle @drop {
+		reverse_proxy drop:3000
+	}
+
+	@ipvX host ipv6.korhonen.cc ipv4.korhonen.cc
+	handle @ipvX {
+		respond {remote_host}
+	}
+
+	handle {
+		respond "404 Not Found" 404
+	}
+
+	handle_errors {
+		@homepage_404 {
+			expression {http.error.status_code} == 404
+			host korhonen.cc
+		}
+		handle @homepage_404 {
+			root * /var/www/korhonen.cc
+			rewrite * /404.html
+			file_server
+		}
+
+		respond "{err.status_code} {err.status_text}"
+	}
 }
--- a/docker/caddy/Caddyfile.old
+++ b/docker/caddy/Caddyfile.old
@ -1,7 +1,3 @@
-# My old public configuration.
-# Currently don't have a public IP so running everything in LAN
-# in the current configuration
-
 {
 	order umami first
 }
--- a/docker/caddy/docker-compose.yaml
+++ b/docker/caddy/docker-compose.yaml
@ -14,6 +14,7 @@ services:
      - 80:80
      - 443:443/tcp
      - 443:443/udp
+      - 127.0.0.1:2019:2019
    networks:
      - proxy
    volumes:
@ -24,10 +25,8 @@ services:
      - korhonen_cc:/var/www/korhonen.cc
      - nextcloud_config:/var/www/nextcloud
      - /var/www/index.korhonen.cc:/var/www/index.korhonen.cc
-    environment:
-      - CLOUDFLARE_EMAIL
-      - CLOUDFLARE_API_TOKEN
-      - ACME_AGREE=true
+    env_file:
+      - .env
    cap_add:
      - NET_ADMIN
 networks:
--- a/docker/cloudflared/docker-compose.yaml
+++ b/docker/cloudflared/docker-compose.yaml
@ -0,0 +1,19 @@
+services:
+  cloudflared:
+    image: cloudflare/cloudflared
+    container_name: cloudflared
+    restart: unless-stopped
+    networks:
+      - proxy
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+    entrypoint:
+    command: tunnel --no-autoupdate run
+    env_file:
+      - .env
+    extra_hosts:
+      - 'host.docker.internal:host-gateway'
+
+networks:
+  proxy:
+    external: true
--- a/docker/forgejo/docker-compose.yaml
+++ b/docker/forgejo/docker-compose.yaml
@ -6,7 +6,6 @@ services:
    image: git.korhonen.cc/functionalhacker/forgejo-asciidoc
    container_name: forgejo
    environment:
-      - TZ=Europe/Helsinki
      - USER_UID=1000
      - USER_GID=1000
    restart: unless-stopped
--- a/root/etc/pacman.conf
+++ b/root/etc/pacman.conf
@ -30,5 +30,5 @@ Include = /etc/pacman.d/mirrorlist
 Server = file:///var/www/index.korhonen.cc/repo/arch_linux/$repo/$arch
 {%@@ else @@%}
 Include = /etc/pacman.d/pacserve
-Server = http://index.korhonen.lan/repo/arch_linux/$repo/$arch
+Server = http://index.korhonen.cc/repo/arch_linux/$repo/$arch
 {%@@ endif @@%}