From 79f7ccdf3f320cfab1baa285016df687bc4b1bdf Mon Sep 17 00:00:00 2001
From: debian
Date: Wed, 22 Oct 2025 18:15:04 +0200
Subject: [PATCH] headscale config and caddy service
---
 services/caddy/Caddyfile | 174 ++++++++++++++++++++++++++
 services/caddy/caddy.yml | 30 +++++
 services/headscale/config/config.yaml | 4 +-
 3 files changed, 206 insertions(+), 2 deletions(-)
 create mode 100644 services/caddy/Caddyfile
diff --git a/services/caddy/Caddyfile b/services/caddy/Caddyfile
new file mode 100644
index 0000000..192fb1d
--- /dev/null
+++ b/services/caddy/Caddyfile
@@ -0,0 +1,174 @@
+(forward_headers) {
+ header {
+ Permissions-Policy interest-cohort=()
+ Strict-Transport-Security "max-age=31536000; includeSubdomains"
+ X-XSS-Protection "1; mode=block"
+ X-Content-Type-Options "nosniff"
+ X-Robots-Tag noindex, nofollow
+ Referrer-Policy "same-origin"
+ Content-Security-Policy "frame-ancestors {$public_domain }} *.{$public_domain}"
+ -Server
+ Permissions-Policy "geolocation=(self {$public_domain }} *.{$public_domain}), microphone=()"
+ }
+}
+
+auth.{$public_domain} {
+ reverse_proxy ${node_local_ip} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ tls {$email}
+ import forward_headers
+}
+
+audiobookshelf.{$public_domain} {
+ reverse_proxy ${node_local_ip} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ tls {$email}
+ import forward_headers
+}
+
+gitea.{$public_domain} {
+ reverse_proxy ${node_local_ip} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ tls {$email}
+ import forward_headers
+}
+
+headscale.{$public_domain} {
+ reverse_proxy ${node_local_ip} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ tls {$email}
+ import forward_headers
+}
+
+
+immich.{$public_domain} {
+ reverse_proxy ${node_local_ip} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ tls {$email}
+ import forward_headers
+}
+
+ldap.{$public_domain} {
+ reverse_proxy ${node_local_ip} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ tls {$email}
+ import forward_headers
+}
+
+linkwarden.{$public_domain} {
+ reverse_proxy ${node_local_ip} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ tls {$email}
+ import forward_headers
+}
+
+mealie.{$public_domain} {
+ reverse_proxy ${node_local_ip} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ tls {$email}
+ import forward_headers
+}
+
+paperless.{$public_domain} {
+ reverse_proxy ${node_local_ip} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ tls {$email}
+ import forward_headers
+}
+
+radicale.{$public_domain} {
+ reverse_proxy ${node_local_ip} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ tls {$email}
+ import forward_headers
+}
+
+shlink.{$public_domain} {
+ reverse_proxy ${node_local_ip} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ tls {$email}
+ import forward_headers
+}
+
+stirling-pdf.{$public_domain} {
+ reverse_proxy ${node_local_ip} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ tls {$email}
+ import forward_headers
+}
+
+superset.{$public_domain} {
+ reverse_proxy ${node_local_ip} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ tls {$email}
+ import forward_headers
+}
+
+vaultwarden.{$public_domain} {
+ reverse_proxy ${node_local_ip} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ tls {$email}
+ import forward_headers
+}
+
+vikunja.{$public_domain} {
+ reverse_proxy ${node_local_ip} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ tls {$email}
+ import forward_headers
+}
+
+{$public_domain} {
+ reverse_proxy ${node_local_ip} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ tls {$email}
+ import forward_headers
+}
diff --git a/services/caddy/caddy.yml b/services/caddy/caddy.yml
index e69de29..d244975 100644
--- a/services/caddy/caddy.yml
+++ b/services/caddy/caddy.yml
@@ -0,0 +1,30 @@
+services:
+ caddy:
+ extends:
+ file: ${TEMPLATES_PATH}
+ service: default
+ image: caddy
+ container_name: caddy
+ volumes:
+ - ${SERVICE_PATH}/caddy/config:/etc/headscale
+ - ${SERVICE_PATH}/caddy/Caddyfile:/etc/caddy/Caddyfile
+ - ${SERVICE_PATH}/caddy/site:/srv
+ - ${SERVICE_PATH}/caddy/data:/data
+ - ${SERVICE_PATH}/caddy/config:/config
+ - ${SERVICE_PATH}/caddy/certs:/certs
+ ports:
+ - "80:80"
+ - "443:443"
+ - "443:443/udp"
+ environment:
+ email: ${EMAIL}
+ public_domain: ${PUBLIC_DOMAIN}
+ private_domain: ${LOCAL_DOMAIN}
+ node_local_ip: ${NODE_LOCAL_IP}
+ cap_add:
+ - NET_ADMIN
+ networks:
+ - ip4net
+ labels:
+ # Watchtower
+ - "com.centurylinklabs.watchtower.enable=true"
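Review bot: `${node_local_ip}` on every `reverse_proxy` line uses shell syntax while the rest of the file uses Caddy's `{$VAR}` form (`{$public_domain}`, `{$email}`), so Caddy will not substitute it and the upstream becomes the literal text `${node_local_ip}`; the placeholders in `forward_headers` are also malformed, `{$public_domain }}` should be `{$public_domain}` in both the `Content-Security-Policy` and the geolocation `Permissions-Policy` lines, and `X-Robots-Tag noindex, nofollow` should be one quoted value, `X-Robots-Tag "noindex, nofollow"`. Every upstream transport sets `tls_insecure_skip_verify`, which disables certificate verification toward the backend; if the backend really serves TLS, pin it with `tls_trusted_ca_certs` (the compose file in this commit already mounts `/certs`) or `tls_server_name`, and if it serves plain HTTP drop the `transport` block so that is explicit. All sixteen site blocks are identical apart from the hostname and none names a port, so presumably each service is meant to be reached on its own port; a snippet taking the port as an argument removes the repetition and makes that visible.
```caddyfile
(proxy) {
	reverse_proxy {$node_local_ip}:{args[0]} {
		# keep a transport block only if the backend serves TLS, and pin its
		# certificate instead of disabling verification:
		transport http {
			tls_trusted_ca_certs /certs/<BACKEND_CA_PEM>
		}
	}
	tls {$email}
	import forward_headers
}

auth.{$public_domain} {
	import proxy <AUTH_PORT>
}
# … remaining site blocks: the same two lines each, with that service's port …
```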
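Review bot: The volume `${SERVICE_PATH}/caddy/config:/etc/headscale` mounts the same host directory that is already mapped to `/config` under a path Caddy never reads, which looks like a copy-paste from the headscale service; drop that line. `cap_add: NET_ADMIN` grants network-configuration rights that a reverse proxy binding 80 and 443 does not need, so it should be removed unless something outside this diff depends on it. `image: caddy` is an unpinned floating tag and the Watchtower label enables unattended updates, so a new major Caddy release would be pulled automatically; pin at least the major version, e.g. `image: caddy:2`, or a digest. `private_domain` is passed into the container but nothing in the Caddyfile added by this commit references it.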
diff --git a/services/headscale/config/config.yaml b/services/headscale/config/config.yaml
index 268beb1..eb92a63 100644
--- a/services/headscale/config/config.yaml
+++ b/services/headscale/config/config.yaml
@@ -10,7 +10,7 @@
 #
 # https://myheadscale.example.com:443
 #
-server_url: http://127.0.0.1:8080
+server_url: http://0.0.0.0:8080
 
 # Address to listen to / bind to on the server
 #
@@ -77,7 +77,7 @@ derp:
 server:
 # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
 # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
- enabled: false
+ enabled: true
 # Region ID to use for the embedded DERP server.
 # The local DERP prevails if the region ID collides with other region ID coming from
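Review bot: `server_url: http://0.0.0.0:8080` is not a URL clients can reach — `server_url` is the address clients are told to connect to, not a bind address; the context line `# https://myheadscale.example.com:443` shows the intended form, and `0.0.0.0` belongs in the listen setting introduced by the `# Address to listen to / bind to` comment, which lies outside this hunk. The second hunk enables the embedded DERP server while its own comment states that `server_url` MUST be https for DERP to work, so the two changes in this commit contradict each other. Since the Caddy site `headscale.{$public_domain}` added in the same commit terminates TLS, this should be `server_url: https://headscale.<PUBLIC_DOMAIN>` (placeholder for the real domain), with the listen address left on 0.0.0.0:8080.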