{
	# Global options: ACME account, DNS-01 challenge, directive ordering for the
	# caddy-security plugin, and the plugin's identity / authn / authz setup.
	email dead@cxap.space
	# DNS-01 via Cloudflare; the API token is read from the environment, so it
	# never lives in this file.
	acme_dns cloudflare {$CF_API_TOKEN}
	# caddy-security's directives have no default position in Caddy's handler
	# chain; pin them ahead of the handlers they are meant to gate.
	order authenticate before respond
	order authorize before reverse_proxy
	servers {
		# Every peer in a private address range is trusted to supply the real
		# client IP via forwarded headers.
		# NOTE(review): if anything other than the intended front proxy can reach
		# Caddy from a private range, that peer can set those headers itself —
		# confirm the network path before relying on client IPs in logs or rules.
		trusted_proxies static private_ranges
	}
	security {
		# Single-file user store; it holds credentials, so treat the file as
		# sensitive at rest (permissions, backups).
		local identity store localdb {
			realm local
			path /data/users.json
		}
		authentication portal authportal {
			# Token and cookie lifetimes (caddy-security takes these in seconds, so
			# the default 43200 is 12h); both overridable from the environment.
			crypto default token lifetime {$AUTH_TOKEN_LIFETIME:43200}
			enable identity store localdb
			# Cookie is scoped to the parent domain so every *.realy.nothing.help
			# host receives it, including hosts that never run an authorize step.
			cookie domain realy.nothing.help
			cookie lifetime {$AUTH_COOKIE_LIFETIME:43200}
			cookie samesite lax
			ui {
				links {
					"Portainer" "https://port.realy.nothing.help" icon "las la-tachometer-alt"
					"WhoAmI" "/whoami" icon "las la-user"
				}
			}
			# Every user authenticated from the local store gets the admin role —
			# the only role apikey_or_admin accepts — so any account present in
			# users.json is fully privileged. MFA is not required by this
			# transform (the directive is commented out).
			transform user {
				match origin local
				action add role admin
				# require mfa
			}
		}
		authorization policy apikey_or_admin {
			set auth url https://auth.realy.nothing.help
			allow roles admin
			# API keys issued by authportal for the local realm are accepted in
			# place of a session cookie.
			with api key auth portal authportal realm local
			# Explicit ACL: admin passes (logged at info); everything else is
			# denied and logged at warn.
			acl rule {
				comment "Accept"
				match role admin
				allow stop log info
			}
			acl rule {
				comment "Deny"
				match any
				deny log warn
			}
		}
	}
}
# Reusable snippet: a site block that imports it is gated by the
# apikey_or_admin policy before its reverse_proxy (see the order directive in
# the global block). Not imported by the site blocks visible here — presumably
# used by other bootstrap configs; verify.
(auth_forward) {
	authorize with apikey_or_admin {
		set auth url https://auth.realy.nothing.help
		# Pass the token's claims (e.g. roles) to the upstream as request headers.
		inject headers with claims
	}
}
# The authentication portal host: serves authportal (login UI and token
# issuance) for the whole realy.nothing.help cookie domain.
auth.realy.nothing.help {
	route {
		authenticate with authportal
	}
	# Hardening headers are applied to portal responses only; the wildcard
	# block below does not set them.
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		Referrer-Policy "no-referrer"
	}
}
# Catch-all for any subdomain without a more specific site block (hosts such as
# port.realy.nothing.help linked from the portal UI land here unless defined
# elsewhere — verify). Answers "ok" at "/" only; other paths have no handler.
# No authorize step and none of the hardening headers from the auth host.
*.realy.nothing.help {
	respond / "ok"
}