commit ff7c79409aab2a974d1c7d7ded94c48c9284e80f
Author: Tord-Vincent Heggland
Date: Mon Apr 13 16:50:34 2026 +0200
firscleancommit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..449bbfb
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,55 @@
+./data
+./git
+*.save
+# -------------------------
+# SSH private keys
+# -------------------------
+id_*
+*.pem
+*.key
+*.private
+
+# -------------------------
+# SSH runtime files
+# -------------------------
+authorized_keys
+known_hosts
+known_hosts.old
+
+# -------------------------
+# Agent / sockets
+# -------------------------
+ssh-agent*
+*.sock
+
+# -------------------------
+# Backup / temp
+# -------------------------
+*.bak
+*.tmp
+*.swp
+*~
+
+# -------------------------
+# Logs
+# -------------------------
+*.log
+
+# -------------------------
+# OS files
+# -------------------------
+.DS_Store
+Thumbs.db
+
+# -------------------------
+# Editors
+# -------------------------
+.vscode/
+.idea/
+
+# -------------------------
+# Git safety
+# -------------------------
+.env
+*.env
+*.secret
diff --git a/Caddyfile b/Caddyfile
new file mode 100644
index 0000000..0a2f41f
--- /dev/null
+++ b/Caddyfile
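Review bot: The first two patterns, `./data` and `./git`, do not ignore anything: gitignore patterns are matched against paths relative to the .gitignore file, and those paths never contain a `./` component, so a leading `./` is not equivalent to a leading `/`. If the intent is a top-level data directory and a git directory, write them as `/data` and `/git`. The compose file in this commit keeps Caddy's state in the named volumes `caddy_data` and `caddy_config` rather than in `./data`, so the first pattern may be a leftover from an earlier bind-mount layout and could be dropped if so.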
@@ -0,0 +1,80 @@
+{
+ email {$ACME_EMAIL}
+}
+### FUNKSJONER ###
+(remote-ip) {
+ @internal remote_ip 10.10.10.0/24 127.0.0.1/8
+ @external remote_ip 0.0.0.0/0
+}
+(common-auth) {
+ basicauth {
+ tvh {$HASH}
+ }
+}
+(rate-limit) {
+ rate_limit {
+ zone git_zone {
+ key {remote_host}
+ events 30
+ window 10s
+ }
+ }
+}
+(read-only) {
+ @readonly {
+ method POST PUT DELETE PATCH
+ }
+ respond @readonly 403
+}
+### TJENESTER ###
+git.{$DOMENESHOP_DNS} {
+ import remote-ip
+ handle @external {
+ import rate-limit
+ reverse_proxy gitea:3000
+ }
+}
+lms.home.{$DOMENESHOP_DNS} {
+ tls internal
+ import remote-ip
+ handle @internal {
+ reverse_proxy lms:9000
+ }
+ respond "Forbidden" 403
+}
+
+pihole.home.{$DOMENESHOP_DNS} {
+ tls internal
+ import remote-ip
+ handle @internal {
+ redir / /admin
+ reverse_proxy pihole:80
+ }
+}
+nextcloud.{$DOMENESHOP_DNS} {
+ import remote-ip
+ handle @external {
+ import rate-limit
+ encode gzip zstd
+ reverse_proxy nextcloud-app:80
+ }
+}
+portainer.{$DOMENESHOP_DNS} {
+ import remote-ip
+ handle @external {
+ import common-auth
+ import rate-limit
+ import read-only
+ reverse_proxy portainer:9000
+ }
+ respond "Forbidden" 403
+}
+portainer.home.{$DOMENESHOP_DNS} {
+ import remote-ip
+ handle @internal {
+ reverse_proxy portainer:9000
+ }
+ respond "Forbidden" 403
+}
+
+
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..468e0e8
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,10 @@
+FROM caddy:2-builder AS builder
+
+RUN --mount=type=cache,target=/go/pkg/mod \
+ --mount=type=cache,target=/root/.cache/go-build \
+ xcaddy build \
+ --with github.com/mholt/caddy-ratelimit
+
+FROM caddy:2
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
diff --git a/docker-compose.yaml b/docker-compose.yaml
new file mode 100644
index 0000000..783ba88
--- /dev/null
+++ b/docker-compose.yaml
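Review bot: The `pihole.home.{$DOMENESHOP_DNS}` site is the only host-restricted site without a fallback response: `lms.home` and `portainer.home` close with `respond "Forbidden" 403`, but for pihole a request that does not match `@internal` falls through every handler and receives Caddy's default empty 200 instead of a 403, so add `respond "Forbidden" 403` after the `handle @internal` block to match the other two sites. Separately, `rate_limit` comes from the mholt/caddy-ratelimit plugin built in the Dockerfile, and unless the version that gets built registers a default Caddyfile directive order, Caddy will refuse to load this file; the documented fix is `order rate_limit before basicauth` in the global options block next to `email`. Also note that `@external remote_ip 0.0.0.0/0` matches every IPv4 client, including 10.10.10.0/24, so `handle @external` means "all clients" rather than "non-internal clients"; that is harmless for the public sites as written, but the snippet name will mislead the next editor, and IPv6 clients match neither matcher.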
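Review bot: Neither the plugin nor the base images are pinned: `--with github.com/mholt/caddy-ratelimit` resolves to whatever commit is newest at build time, and `caddy:2-builder` / `caddy:2` are floating tags, so two builds of this Dockerfile can yield different binaries with no record of what was actually deployed on the public edge. Pin the module, e.g. `--with github.com/mholt/caddy-ratelimit@<pinned-version>` (placeholder), and pin both images to a specific version tag or digest such as `caddy:<version>-builder@sha256:<digest>` (placeholder), bumping them deliberately. The cache mounts on the RUN line are fine and stay as they are.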
@@ -0,0 +1,30 @@
+services:
+ caddy:
+ build: .
+ container_name: caddy
+ restart: unless-stopped
+ ports:
+ - "80:80"
+ - "443:443"
+ env_file:
+ - .env
+ volumes:
+ - ./Caddyfile:/etc/caddy/Caddyfile:ro
+ - caddy_data:/data
+ - caddy_config:/config
+ networks:
+ - proxy_net
+ - edge_net
+ - proxy_swarm
+
+networks:
+ proxy_net:
+ external: true
+ edge_net:
+ external: true
+ proxy_swarm:
+ external: true
+
+volumes:
+ caddy_data:
+ caddy_config:
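Review bot: `env_file: - .env` is the only reference to the deployment's configuration, and because `.env` is git-ignored in this same commit, a reader of the repository cannot tell which variables are required; the Caddyfile reads `{$ACME_EMAIL}`, `{$DOMENESHOP_DNS}` and `{$HASH}`. Add a comment above `env_file` naming them, e.g. `# .env must define ACME_EMAIL, DOMENESHOP_DNS and HASH (password hash for basicauth); see Caddyfile`, or commit a `.env.example` with placeholder values. Mounting the Caddyfile `:ro` and keeping state in the named volumes is good as written.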