diff --git a/caddy/.env.example b/caddy/.env.example index d5468d2..3f48675 100644 --- a/caddy/.env.example +++ b/caddy/.env.example @@ -1,4 +1,8 @@ # create the API token in https://dash.cloudflare.com/profile/api-tokens -# provide access to ptrwd.com for DNS zone -CLOUDFLARE_TOKEN= +# create auth tokens - +# `Zone.Zone:Read` for all zones, and +# `Zone.DNS:Edit` permissions for ptrwd.com +# https://github.com/caddy-dns/cloudflare +CF_ZONE_READ= +CF_DNS_EDIT= \ No newline at end of file diff --git a/caddy/Caddyfile b/caddy/Caddyfile index 44b0068..41cc073 100644 --- a/caddy/Caddyfile +++ b/caddy/Caddyfile 
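Review bot: The new comment asks for `Zone.Zone:Read` on all zones for `CF_ZONE_READ`, but that token is only used to resolve the zone ID for ptrwd.com, so least privilege says scope it to that single zone as well and widen it only if the lookup then fails (if it does, say so in the comment, e.g. `# Zone:Read must cover all zones because the plugin lists zones to find the ID`). The `CF_DNS_EDIT` line is already scoped to one zone, which is the right shape. Make sure the filled-in `.env` next to this example is git-ignored; that file is not visible in this diff.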
@@ -1,9 +1,155 @@ { - debug - email peter@peterwood.dev + # debug + email peter@peterwood.dev +} + +ptrwd.com { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + # this is the the wiki + reverse_proxy ts-racknerd.whale-woodpecker.ts.net:8300 +} + +wiki.ptrwd.com { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + # Route ACME challenges explicitly to be handled internally by Caddy + route /.well-known/acme-challenge/* { + # No directive needed here; Caddy's internal handler takes precedence. + # This prevents the challenge requests from being proxied. + } + + # Proxy all other requests to the wiki + route { + reverse_proxy ts-racknerd.whale-woodpecker.ts.net:8300 + } } jellyfin.peterwood.rocks { - encode gzip - reverse_proxy host.docker.internal:8096 + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + reverse_proxy host.docker.internal:8096 +} + +# Serve a simple text message for home.ptrwd.com +home.ptrwd.com { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + # Debugging: Log all requests + log { + output stdout + format console + } + # Allow connections only from private ranges and home IP using Cf-Connecting-Ip header + @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32 + handle @allowAccess { + respond "Welcome home!" 
200 { + close # Close the connection after responding + } + } + handle { + respond "Access denied" 403 + } +} + +# Reverse proxy for sonarr.home.ptrwd.com +sonarr.home.ptrwd.com { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + # Allow connections only from private ranges and home IP + @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32 + handle @allowAccess { + reverse_proxy ts-io.whale-woodpecker.ts.net:8989 + } + handle { + respond 403 + } +} + +radarr.home.ptrwd.com { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + # Allow connections only from private ranges and home IP + @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32 + handle @allowAccess { + reverse_proxy ts-io.whale-woodpecker.ts.net:7878 + } + handle { + respond 403 + } +} + +io.docker.home.ptrwd.com { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + # Allow connections only from private ranges and home IP + @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32 + handle @allowAccess { + reverse_proxy ts-io.whale-woodpecker.ts.net:5001 + } + handle { + respond 403 + } +} + +europa.docker.home.ptrwd.com { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + # Allow connections only from private ranges and home IP + @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32 + handle @allowAccess { + reverse_proxy ts-europa.whale-woodpecker.ts.net:5001 + } + handle { + respond 403 + } +} + +racknerd.docker.home.ptrwd.com { + tls { + dns cloudflare { + zone_token {env.CF_ZONE_READ} + api_token {env.CF_DNS_EDIT} + } + } + # Allow connections only from private ranges and home IP + @allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32 + handle @allowAccess { + reverse_proxy 
ts-racknerd.whale-woodpecker.ts.net:5001 + } + handle { + respond 403 + } } diff --git a/caddy/Dockerfile b/caddy/Dockerfile new file mode 100644 index 0000000..130c1e3 --- /dev/null +++ b/caddy/Dockerfile @@ -0,0 +1,9 @@ + +FROM caddy:2.10-builder AS builder + +RUN xcaddy build \ + --with github.com/caddy-dns/cloudflare + +FROM caddy:2.10 + +COPY --from=builder /usr/bin/caddy /usr/bin/caddy diff --git a/caddy/docker-compose.yml b/caddy/docker-compose.yml index 6106a0c..20d8188 100644 --- a/caddy/docker-compose.yml +++ b/caddy/docker-compose.yml @@ -1,7 +1,7 @@ services: caddy: - image: caddy/caddy:latest + image: caddy-cloudflare restart: always ports: - 80:80 @@ -11,6 +11,9 @@ services: - ./Caddyfile:/etc/caddy/Caddyfile - caddy_data:/data - caddy_config:/config + environment: + CF_ZONE_READ: ${CF_ZONE_READ} + CF_DNS_EDIT: ${CF_DNS_EDIT} extra_hosts: - host.docker.internal:host-gateway labels:
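Review bot: The `client_ip` matcher in the `home.ptrwd.com` block (and the five copies below it) compares the TCP peer address, not the `Cf-Connecting-Ip` header the comment describes; Caddy only consults forwarded headers when `trusted_proxies` is set in the global `servers` options, and nothing in this Caddyfile sets it. If these hosts are proxied by Cloudflare every request arrives from a Cloudflare edge address and hits the 403 branch; if they are not, the comment is wrong and should read `# Allow only private ranges and the home IP (matched on the TCP peer address; no trusted_proxies configured)`. Do not resolve this by trusting the header from arbitrary peers, since a forged `Cf-Connecting-Ip` would then bypass the allowlist — trust only Cloudflare's published ranges. Separately, `.env.example` documents `CF_DNS_EDIT` as DNS:Edit for ptrwd.com only, so the DNS-01 challenge added to `jellyfin.peterwood.rocks` will presumably fail unless that token also covers peterwood.rocks; either widen and document the token or leave that host on the HTTP/ALPN challenge it used before this change. Committing the literal home address `162.203.102.154/32` to the repository is also worth reconsidering.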
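Review bot: `xcaddy build --with github.com/caddy-dns/cloudflare` on the RUN line carries no version suffix, so every build pulls whatever the module's newest tag is at build time; the image is not reproducible and an upstream release (or a compromised one) silently changes the plugin that handles your Cloudflare tokens. Pin it, e.g. `--with github.com/caddy-dns/cloudflare@<tag-or-commit>`, and consider pinning both `caddy:2.10` base images by digest for the same reason. The blank line before the first `FROM` can be dropped.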
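Review bot: `image: caddy-cloudflare` has no tag and the service gains no `build:` entry, so `docker compose up` only works if someone has already run `docker build -t caddy-cloudflare` by hand from the Dockerfile added beside this file. Add `build: .` and an explicit tag, e.g. `image: caddy-cloudflare:2.10`, so the build/pull behaviour is deterministic. The two tokens passed through `environment:` are what Caddy's `{env.*}` placeholders need, but they are visible in `docker inspect` to anyone with Docker socket access; a comment such as `# Cloudflare tokens come from ./.env - keep that file out of git` would make the trade-off explicit.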