From dac15275f4525acc9fee2358a1597c75c8517791 Mon Sep 17 00:00:00 2001
From: Marko Korhonen
Date: Sat, 7 Jun 2025 00:20:49 -0500
Subject: [PATCH] Implement cloudflare tunnel
---
 docker/caddy/Caddyfile | 226 ++++++++++++++++++-------
 docker/caddy/Caddyfile.old | 4 -
 docker/caddy/docker-compose.yaml | 7 +-
 docker/cloudflared/docker-compose.yaml | 19 +++
 docker/forgejo/docker-compose.yaml | 1 -
 root/etc/pacman.conf | 2 +-
 6 files changed, 191 insertions(+), 68 deletions(-)
 create mode 100644 docker/cloudflared/docker-compose.yaml
diff --git a/docker/caddy/Caddyfile b/docker/caddy/Caddyfile
index b45a08ad..149a0e9c 100644
--- a/docker/caddy/Caddyfile
+++ b/docker/caddy/Caddyfile
@@ -1,67 +1,177 @@ { - auto_https off + order umami first } -http://index.korhonen.lan { - root * /var/www/index.korhonen.cc - file_server browse -} +korhonen.cc, *.korhonen.cc { + encode zstd gzip -http://home.korhonen.lan { - reverse_proxy home-assistant:8123 -} - -http://sso.korhonen.lan, http://sso.korhonen.cc { - reverse_proxy authentik:9000 -} - -http://git.korhonen.lan { - rewrite /user/login /user/oauth2/authentik - reverse_proxy forgejo:3000 -} - -http://search.korhonen.lan { - reverse_proxy searx:8080 -} - -http://jellyfin.korhonen.lan { - reverse_proxy jellyfin:8096 -} - -http://cloud.korhonen.lan { - # Redirect login page to Authentik - redir /login /apps/sociallogin/custom_oidc/korhonen-sso 301 - - # .htaccess / data / config / ... shouldn't be accessible from outside - @forbidden { - path /.htaccess - path /data/* - path /config/* - path /db_structure - path /.xml - path /README - path /3rdparty/* - path /lib/* - path /templates/* - path /occ - path /console.php - } - handle @forbidden { - respond 404 + tls { + dns cloudflare {$CF_API_TOKEN} + resolvers 1.1.1.1 } - redir /.well-known/carddav /remote.php/dav 301 - redir /.well-known/caldav /remote.php/dav 301 - - root * /var/www/nextcloud - php_fastcgi nextcloud:9000 { - root /var/www/html - # Tells nextcloud to remove /index.php from URLs in links - env front_controller_active true + header { + Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" } - file_server -} -http://collabora.korhonen.lan { - reverse_proxy collabora:9980 + @static { + file + path *.ico *.css *.js *.gif *.webp *.avif *.jpg *.jpeg *.png *.svg *.woff *.woff2 *.pdf *.webmanifest + } + + @homepage-www-redir host www.korhonen.cc + handle @homepage-www-redir { + redir https://korhonen.cc + } + + @homepage host korhonen.cc + handle @homepage { + # Redirect finnish WIP + # @redirFinnish { + # header Accept-Language *fi-FI* + # not path *.js *.css *.png *.jpg *.jpeg *.svg + # not path /en* /fi* + # } + # redir 
@redirFinnish /fi{uri} + # + # uri strip_prefix /en + + header @static Cache-Control max-age=5184000 + root * /var/www/korhonen.cc + file_server + } + + @wkd host openpgpkey.korhonen.cc + handle @wkd { + root * /var/www/wkd + file_server browse + header Access-Control-Allow-Origin "*" + } + + @index host index.korhonen.cc + handle @index { + umami { + event_endpoint "https://umami.korhonen.cc/api/send" + website_uuid "9fe4f5c0-8e63-4479-a58d-d399cdbc0a3a" + client_ip_header X-Real-IP + device_detection + allowed_extensions "" .tar.zst .json .html + } + root * /var/www/index.korhonen.cc + file_server browse + } + + @home-assistant host home.korhonen.cc + handle @home-assistant { + reverse_proxy home-assistant:8123 + } + + @authentik host sso.korhonen.cc + handle @authentik { + reverse_proxy authentik:9000 + } + + @forgejo host git.korhonen.cc + handle @forgejo { + rewrite /user/login /user/oauth2/authentik + reverse_proxy forgejo:3000 + } + + @woodpecker host ci.korhonen.cc + handle @woodpecker { + reverse_proxy woodpecker:8000 + } + + @searx host search.korhonen.cc + handle @searx { + reverse_proxy searx:8080 + } + + @freshrss host rss.korhonen.cc + handle @freshrss { + reverse_proxy freshrss + } + + @jellyfin host jellyfin.korhonen.cc + handle @jellyfin { + reverse_proxy jellyfin:8096 + } + + @pihole host pihole.korhonen.cc + handle @pihole { + reverse_proxy pihole + } + + @umami host umami.korhonen.cc + handle @umami { + reverse_proxy umami:3000 + } + + @nextcloud host cloud.korhonen.cc + handle @nextcloud { + # Redirect login page to Authentik + redir /login /apps/sociallogin/custom_oidc/korhonen-sso 301 + + # .htaccess / data / config / ... 
shouldn't be accessible from outside + @forbidden { + path /.htaccess + path /data/* + path /config/* + path /db_structure + path /.xml + path /README + path /3rdparty/* + path /lib/* + path /templates/* + path /occ + path /console.php + } + handle @forbidden { + respond 404 + } + + redir /.well-known/carddav /remote.php/dav 301 + redir /.well-known/caldav /remote.php/dav 301 + + root * /var/www/nextcloud + php_fastcgi nextcloud:9000 { + root /var/www/html + # Tells nextcloud to remove /index.php from URLs in links + env front_controller_active true + } + file_server + } + + @collabora host collabora.korhonen.cc + handle @collabora { + reverse_proxy collabora:9980 + } + + @drop host drop.korhonen.cc + handle @drop { + reverse_proxy drop:3000 + } + + @ipvX host ipv6.korhonen.cc ipv4.korhonen.cc + handle @ipvX { + respond {remote_host} + } + + handle { + respond "404 Not Found" 404 + } + + handle_errors { + @homepage_404 { + expression {http.error.status_code} == 404 + host korhonen.cc + } + handle @homepage_404 { + root * /var/www/korhonen.cc + rewrite * /404.html + file_server + } + + respond "{err.status_code} {err.status_text}" + } } diff --git a/docker/caddy/Caddyfile.old b/docker/caddy/Caddyfile.old index e33bef26..c2597f36 100644 --- a/docker/caddy/Caddyfile.old +++ b/docker/caddy/Caddyfile.old @@ -1,7 +1,3 @@ -# My old public configuration. -# Currently don't have a public IP so running everything in LAN -# in the current configuration - { order umami first } diff --git a/docker/caddy/docker-compose.yaml b/docker/caddy/docker-compose.yaml index fa7f5f9e..8187ad08 100644 --- a/docker/caddy/docker-compose.yaml +++ b/docker/caddy/docker-compose.yaml @@ -14,6 +14,7 @@ services: - 80:80 - 443:443/tcp - 443:443/udp + - 127.0.0.1:2019:2019 networks: - proxy volumes: 
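Review bot: `respond {remote_host}` in the `@ipvX` handler and `client_ip_header X-Real-IP` in the `@index` umami block both treat the TCP peer as the visitor, but once requests arrive through the cloudflared container this commit adds, the peer is cloudflared on the `proxy` network, so ipv4/ipv6.korhonen.cc would answer with the tunnel's internal address and umami would attribute events to whatever `X-Real-IP` the upstream sends, if anything. The global options block at the top of this hunk declares no `trusted_proxies`, and the hunk does not show which header cloudflared forwards the client address in (I believe it is `Cf-Connecting-Ip` / `X-Forwarded-For`, worth verifying), so I would either add `servers { trusted_proxies static <cloudflared address> }` there and switch the `@ipvX` line to `respond {client_ip}`, or document the limitation with `# remote_host is the cloudflared peer when served via the tunnel; only direct connections see the real client`. Keep any trusted range to the cloudflared container rather than the whole `proxy` network, since every other container on it could otherwise supply a forged client address.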
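Review bot: The new `127.0.0.1:2019:2019` mapping publishes Caddy's admin API, which carries no authentication, to every process on the host; loopback scoping limits it to the host but not to a particular user. Caddy binds the admin endpoint to localhost inside the container by default and the Caddyfile in this commit sets no `admin` option, so as far as the diff shows this mapping is either inert or relies on an `admin 0.0.0.0:2019` setting I cannot see, and in that case the endpoint is also reachable from every container on the `proxy` network, not only from the host. I would record the intent next to the line, e.g. `# Caddy admin API (unauthenticated): host loopback only; needs admin 0.0.0.0:2019 in the Caddyfile, which also exposes it on the proxy network`, and consider leaving the admin listener on localhost and using `docker exec` for ad-hoc administration instead of a published port. The `ports` list begins above this hunk.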
@@ -24,10 +25,8 @@ services:
 - korhonen_cc:/var/www/korhonen.cc
 - nextcloud_config:/var/www/nextcloud
 - /var/www/index.korhonen.cc:/var/www/index.korhonen.cc
- environment:
- - CLOUDFLARE_EMAIL
- - CLOUDFLARE_API_TOKEN
- - ACME_AGREE=true
+ env_file:
+ - .env
 cap_add:
 - NET_ADMIN
 networks:
diff --git a/docker/cloudflared/docker-compose.yaml b/docker/cloudflared/docker-compose.yaml
new file mode 100644
index 00000000..e4ea0f26
--- /dev/null
+++ b/docker/cloudflared/docker-compose.yaml
@@ -0,0 +1,19 @@
+services:
+ cloudflared:
+ image: cloudflare/cloudflared
+ container_name: cloudflared
+ restart: unless-stopped
+ networks:
+ - proxy
+ volumes:
+ - /etc/localtime:/etc/localtime:ro
+ entrypoint:
+ command: tunnel --no-autoupdate run
+ env_file:
+ - .env
+ extra_hosts:
+ - 'host.docker.internal:host-gateway'
+
+networks:
+ proxy:
+ external: true
diff --git a/docker/forgejo/docker-compose.yaml b/docker/forgejo/docker-compose.yaml
index 44e2e8d6..9659a8a6 100644
--- a/docker/forgejo/docker-compose.yaml
+++ b/docker/forgejo/docker-compose.yaml
@@ -6,7 +6,6 @@ services:
 image: git.korhonen.cc/functionalhacker/forgejo-asciidoc
 container_name: forgejo
 environment:
- - TZ=Europe/Helsinki
 - USER_UID=1000
 - USER_GID=1000
 restart: unless-stopped
diff --git a/root/etc/pacman.conf b/root/etc/pacman.conf
index 437f09b9..df0355eb 100755
--- a/root/etc/pacman.conf
+++ b/root/etc/pacman.conf
@@ -30,5 +30,5 @@ Include = /etc/pacman.d/mirrorlist
 Server = file:///var/www/index.korhonen.cc/repo/arch_linux/$repo/$arch
 {%@@ else @@%}
 Include = /etc/pacman.d/pacserve
-Server = http://index.korhonen.lan/repo/arch_linux/$repo/$arch
+Server = http://index.korhonen.cc/repo/arch_linux/$repo/$arch
 {%@@ endif @@%}
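Review bot: The removed `environment` entries were `CLOUDFLARE_EMAIL`, `CLOUDFLARE_API_TOKEN` and `ACME_AGREE`, but the Caddyfile in this commit reads `{$CF_API_TOKEN}`; the `.env` now loaded via `env_file` is not part of the commit, so nothing in the diff shows that `CF_API_TOKEN` is defined, and an unset Caddyfile placeholder expands to an empty token that only fails once the DNS challenge runs rather than at startup. I would state the contract next to the `env_file` entry, e.g. `# .env must define CF_API_TOKEN (Cloudflare API token limited to DNS edit on the korhonen.cc zone); keep .env out of git`, and confirm `.env` is ignored by version control, which this diff does not show. `env_file` also hands every variable in the file to the container, so the file should hold only what Caddy needs.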
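Review bot: `entrypoint:` under `cloudflared` has no value; as far as I recall Compose treats a null entrypoint as unset (only `[]` or `''` clears the image default), so the image's own entrypoint still runs and `command: tunnel --no-autoupdate run` works, but the bare key reads as an unfinished edit and should be removed or given an explicit value. The image reference `cloudflare/cloudflared` has no tag or digest, which combined with `--no-autoupdate` means the connector version is whatever the default tag resolves to at pull time; pin it (`image: cloudflare/cloudflared:<version>` or `@sha256:<digest>`, placeholders) so upgrades are deliberate. The tunnel credential presumably arrives through the `.env` loaded by `env_file`; the file is not in the commit, so I would document the expected variable next to that entry and keep the file out of version control. `extra_hosts` with `host-gateway` gives the connector a route to the host itself; if the tunnel's ingress only targets Caddy on the `proxy` network that mapping is unnecessary, and I would either drop it or add a comment saying which host service it reaches.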
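Review bot: The replacement `Server` URL still uses `http://`, yet the same commit removes `auto_https off` from the Caddyfile and terminates TLS for `*.korhonen.cc`, so every pacman fetch through this line will now go through Caddy's HTTP-to-HTTPS redirect (and depend on the client following it) instead of connecting securely up front; point the mirror at TLS directly with `Server = https://index.korhonen.cc/repo/arch_linux/$repo/$arch`. Package signature checking, if enabled for this repo, remains the integrity control either way; this change only removes the plaintext hop and the redirect round-trip. The `{%@@ else @@%}` branch this line sits in starts above the hunk.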