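# Caddyfile for the reverse proxy in front of the self-hosted services.
# Site-specific values (domains, ACME endpoint, bypass IP) come from environment
# placeholders. Snippets in parentheses are reused via `import`.

# Access logging to stdout for every site that imports it.
(logging) {
	log {
		output stdout
	}
}

# Global options: ACME account e-mail and CA directory URL.
{
	# local_certs
	email {$TLS_EMAIL}
	acme_ca {$CA_URL}
}

# Serve a static page named after the HTTP status code for handler errors.
(errorpages) {
	handle_errors {
		rewrite * /{http.error.status_code}.html
		file_server {
			root /srv/errorpages
		}
	}
}

# Maintenance mode: everyone except the bypass IP gets a 503 page.
# Not imported by any site in this file.
# NOTE(review): `forwarded` makes the matcher read the address from
# X-Forwarded-For. Unless a trusted front proxy overwrites that header, a client
# can set it and pass the bypass check. Confirm the deployment before importing
# this snippet; newer Caddy releases deprecate this option in favour of the
# client_ip matcher combined with trusted_proxies.
(maintenance) {
	@denied not remote_ip forwarded {$CADDY_BYPASS_IP}
	handle @denied {
		rewrite * /maintenance.html
		file_server {
			root /srv/errorpages
			status 503
		}
	}
}

(defaultHeaders) {
	header {
		# enable HSTS
		# One year, without includeSubDomains: hosts that do not import this
		# snippet are not pinned to HTTPS by it.
		Strict-Transport-Security "max-age=31536000"
	}
}

# Baseline for every HTTPS site: access log, error pages, HSTS.
(default) {
	import logging
	import errorpages
	import defaultHeaders
}

{$BASE_DOMAIN} {
	import default
	# Matrix client and admin API paths go to the homeserver; the rest is the homepage.
	@matrix {
		path /_matrix/* /_synapse/*
	}
	reverse_proxy @matrix matrix:8008
	reverse_proxy homepage:80
}

# Matrix federation port.
{$BASE_DOMAIN}:8448 {
	import default
	reverse_proxy matrix:8008
}

# needs to be http!
# NOTE(review): these addresses carry no http:// scheme, so Caddy's automatic
# HTTPS applies and plain-HTTP requests are redirected. Confirm this matches the
# intent of the comment above. The `default` snippet (and its HSTS header) is
# not imported here.
autoconfig.{$BASE_DOMAIN}, autoconfig.{$SECOND_MAIL_DOMAIN} {
	file_server {
		root /srv/autoconfig
	}
}

status.{$BASE_DOMAIN} {
	import default
	redir https://stats.uptimerobot.com/PMoGJHK8W9 permanent
}

post.{$BASE_DOMAIN} {
	import default
	reverse_proxy echo:8000
}

account.{$BASE_DOMAIN} {
	import default
	reverse_proxy authentik:80
}

cloud.{$BASE_DOMAIN} {
	import default
	# Service-discovery redirects for the Nextcloud backend.
	redir /.well-known/carddav /remote.php/dav
	redir /.well-known/caldav /remote.php/dav
	redir /.well-known/webfinger /index.php/.well-known/webfinger
	redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo
	reverse_proxy nextcloud:80
}

git.{$BASE_DOMAIN} {
	import default
	reverse_proxy forgejo:3000
}

home.{$BASE_DOMAIN} {
	import default
	# NOTE(review): the remote-UI hostname is hard-coded here. Consider whether
	# it should be treated as non-public and supplied through an environment
	# placeholder like the other site-specific values.
	reverse_proxy https://doge6m1146mivr5g789a5tbjo0re3lrv.ui.nabu.casa
}

stuff.{$BASE_DOMAIN} {
	import default
	header {
		# headers for godot web export
		Cross-Origin-Opener-Policy "same-origin"
		Cross-Origin-Embedder-Policy "require-corp"
	}
	root * /srv/public_html
	# `browse` turns on directory listings for everything under the root.
	file_server browse
}

md.{$BASE_DOMAIN} {
	import default
	reverse_proxy hedgedoc:3000
}

# Old hostname: permanent redirect to the new one, keeping the request URI.
hackmd.{$BASE_DOMAIN} {
	import default
	redir https://md.{$BASE_DOMAIN}{uri} permanent
}

ci.{$BASE_DOMAIN} {
	import default
	reverse_proxy woodpecker:8000
}

passwords.{$BASE_DOMAIN} {
	import default
	reverse_proxy vaultwarden:80 {
		# Pass the address of the directly connected peer to the backend.
		header_up X-Real-IP {remote_host}
	}
}

games.{$BASE_DOMAIN} {
	import default
	reverse_proxy games:8080
}

mc-map.{$BASE_DOMAIN} {
	import default
	root * /srv/bluemap
	file_server
	reverse_proxy /live/* games:8123

	# If a pre-compressed <name>.json.gz exists, serve it in place of <name>.json
	# with the matching content headers.
	@JSONgz {
		path *.json
		file {
			try_files {path}.gz
		}
	}
	route @JSONgz {
		rewrite {http.matchers.file.relative}
		header Content-Type application/json
		header Content-Encoding gzip
	}
}

money.{$BASE_DOMAIN} {
	# Same baseline as every other HTTPS site. Without this import the site had
	# no access log, no error pages and no HSTS header.
	import default

	# always forward outpost path to actual outpost
	reverse_proxy /outpost.goauthentik.io/* http://authentik:80

	# forward authentication to outpost
	forward_auth http://authentik:80 {
		uri /outpost.goauthentik.io/auth/caddy

		# capitalization of the headers is important, otherwise they will be empty
		# NOTE(review): if the upstream acts on these identity headers, it must
		# be reachable only through this proxy. Confirm network exposure.
		copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version

		# optional, in this config trust all private ranges, should probably be set to the outposts IP
		# Any peer in a private range is trusted to supply forwarding headers;
		# narrowing this to the outpost address reduces that trust.
		trusted_proxies private_ranges
	}

	# actual site config
	reverse_proxy money:5006
}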