From 128ddaa95f43b4963218814bd41d075b5a3a0d09 Mon Sep 17 00:00:00 2001
From: Florian Zirker
Date: Wed, 2 Oct 2024 16:00:58 +0200
Subject: [PATCH 01/10] Stirling PDF under Tools
---
tools/docker-compose.yml | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 tools/docker-compose.yml
diff --git a/tools/docker-compose.yml b/tools/docker-compose.yml
new file mode 100644
index 0000000..53592e1
--- /dev/null
+++ b/tools/docker-compose.yml
@@ -0,0 +1,28 @@
+services:
+
+ stirling-pdf:
+ image: frooodle/s-pdf:latest
+ # ports:
+ # - '8080:8080'
+ networks:
+ - web
+ volumes:
+ - ${VOLUMES_PATH}/tools/stirling-pdf/trainingData:/usr/share/tesseract-ocr/5/tessdata #Required for extra OCR languages
+ - ${VOLUMES_PATH}/tools/stirling-pdf/extraConfigs:/configs
+# - ${VOLUMES_PATH}/tools/stirling-pdf/customFiles:/customFiles/
+# - ${VOLUMES_PATH}/tools/stirling-pdf/logs:/logs/
+ environment:
+ - DOCKER_ENABLE_SECURITY=false
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.pdf.rule=Host(`pdf.${DOMAIN}`)"
+ - "traefik.http.routers.pdf.entrypoints=web"
+ - "traefik.http.services.pdf.loadbalancer.server.port=8080"
+ - "traefik.docker.network=web"
+ - "docker.group=tools"
+
+networks:
+ paperless:
+ web:
+ external: true
+
From 66f0eddb952b06f0f7905fbf055000a137bcf931 Mon Sep 17 00:00:00 2001
From: Florian Zirker
Date: Sun, 16 Mar 2025 17:46:36 +0100
Subject: [PATCH 02/10] adapt stirling-pdf to caddy
---
proxy/Caddyfile | 5 +++++
tools/docker-compose.yml | 8 +-------
2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/proxy/Caddyfile b/proxy/Caddyfile
index c155caf..e1167af 100644
--- a/proxy/Caddyfile
+++ b/proxy/Caddyfile
@@ -73,6 +73,11 @@ torrent.{$DOMAIN} http://torrent.{$DOMAIN} {
 import errorhandler
 }
+pdf.{$DOMAIN} http://pdf.{$DOMAIN} {
+ reverse_proxy stirling-pdf:8080
+ import errorhandler
+}
+
 root-ca.{$DOMAIN} http://root-ca.{$DOMAIN} {
 file_server * {
 root /usr/share/caddy/web
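Review bot: `DOCKER_ENABLE_SECURITY=false` on the stirling-pdf service, together with the Traefik router that publishes it as pdf.${DOMAIN} on the `web` entrypoint, exposes the complete PDF toolset without any login, so whoever can reach that entrypoint can upload and process documents. If the entrypoint is not strictly LAN-only, set `DOCKER_ENABLE_SECURITY=true` and configure a login via the mounted extraConfigs, or place an authenticating proxy in front. The image is pulled as `frooodle/s-pdf:latest` while the other compose files in this series pin versions through `${..._VERSION}` variables; a pinned tag such as `image: frooodle/s-pdf:${STIRLING_PDF_VERSION}` (constructed variable name) keeps rebuilds reproducible. The `paperless:` network declared at the bottom is attached to no service in this file and can be dropped.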
diff --git a/tools/docker-compose.yml b/tools/docker-compose.yml
index 53592e1..2d2fb65 100644
--- a/tools/docker-compose.yml
+++ b/tools/docker-compose.yml
@@ -13,13 +13,7 @@ services:
 # - ${VOLUMES_PATH}/tools/stirling-pdf/logs:/logs/
 environment:
 - DOCKER_ENABLE_SECURITY=false
- labels:
- - "traefik.enable=true"
- - "traefik.http.routers.pdf.rule=Host(`pdf.${DOMAIN}`)"
- - "traefik.http.routers.pdf.entrypoints=web"
- - "traefik.http.services.pdf.loadbalancer.server.port=8080"
- - "traefik.docker.network=web"
- - "docker.group=tools"
+
 networks:
 paperless:
From fff5e468db1773f83c51293f46f9ab5cf5d43f68 Mon Sep 17 00:00:00 2001
From: Florian Zirker
Date: Wed, 19 Mar 2025 08:41:58 +0100
Subject: [PATCH 03/10] error.html
---
proxy/Caddyfile | 5 +++++
proxy/web/error.html | 35 +++++++++++++++++++++++++++++++++++
2 files changed, 40 insertions(+)
create mode 100644 proxy/web/error.html
diff --git a/proxy/Caddyfile b/proxy/Caddyfile
index c155caf..1fff47a 100644
--- a/proxy/Caddyfile
+++ b/proxy/Caddyfile
@@ -73,6 +73,11 @@ torrent.{$DOMAIN} http://torrent.{$DOMAIN} {
 import errorhandler
 }
+*.{$DOMAIN} http://*.{$DOMAIN} {
+ error 404
+ import errorhandler
+}
+
 root-ca.{$DOMAIN} http://root-ca.{$DOMAIN} {
 file_server * {
 root /usr/share/caddy/web
diff --git a/proxy/web/error.html b/proxy/web/error.html
new file mode 100644
index 0000000..2315a15
--- /dev/null
+++ b/proxy/web/error.html
@@ -0,0 +1,35 @@
+ + + + + + Fehler + + + + + +

{{placeholder "http.error.status_code"}}

+ + {{placeholder "http.error.status_text"}} + + + + + +
From 8181de3f125327fa48b9d494ff142d2f80c47d8f Mon Sep 17 00:00:00 2001
From: Florian Zirker
Date: Wed, 19 Mar 2025 15:11:10 +0100
Subject: [PATCH 04/10] Change domain and get public ssl
---
proxy/Caddyfile | 141 ++++++++++++++++++--------------------
proxy/Dockerfile | 7 ++
proxy/docker-compose.yaml | 6 +-
proxy/web/error.html | 2 +-
proxy/web/index.html | 2 +-
5 files changed, 80 insertions(+), 78 deletions(-)
create mode 100644 proxy/Dockerfile
diff --git a/proxy/Caddyfile b/proxy/Caddyfile
index 1fff47a..bc24cc5 100644
--- a/proxy/Caddyfile
+++ b/proxy/Caddyfile
@@ -1,18 +1,76 @@
 {
- auto_https disable_redirects
- local_certs
- pki {
- ca local {
- name "{$LOCAL_CA_NAME}"
- }
- }
+ email {env.EMAIL}
 log default {
 output stdout
 format console
 }
+ debug
 }
-(errorhandler) {
+*.{$DOMAIN} {
+ tls {
+ dns netcup {
+ customer_number {env.NETCUP_CUSTOMER_NUMBER}
+ api_key {env.NETCUP_API_KEY}
+ api_password {env.NETCUP_API_PASSWORD}
+ }
+ propagation_timeout 900s
+ propagation_delay 600s
+ resolvers 9.9.9.9
+ }
+ #header Strict-Transport-Security "max-age=63072000"
+
+ @whoami host whoami.{$DOMAIN}
+ handle @whoami {
+ reverse_proxy whoami:80
+ }
+
+ @dashboard host dashboard.{$DOMAIN}
+ handle @dashboard {
+ reverse_proxy homer:8080
+ }
+
+ @hassi host hassi.{$DOMAIN}
+ handle @hassi {
+ # reverse_proxy homeassistant:8123
+ reverse_proxy {host}:8123
+ }
+
+ @zigbee2mqtt host zigbee2mqtt.{$DOMAIN}
+ handle @zigbee2mqtt {
+ reverse_proxy zigbee2mqtt:8080
+ }
+
+ @jellyfin host jellyfin.{$DOMAIN}
+ handle @jellyfin {
+ reverse_proxy jellyfin:8096
+ }
+
+ @paperless host paperless.{$DOMAIN}
+ handle @paperless {
+ reverse_proxy paperless-ngx:8000
+ }
+
+ @download host download.{$DOMAIN}
+ handle @download {
+ reverse_proxy pyload:8000
+ }
+
+ @uptime host uptime.{$DOMAIN}
+ handle @uptime {
+ reverse_proxy uptime-kuma:3001
+ }
+
+ @torrent host torrent.{$DOMAIN}
+ handle @torrent {
+ reverse_proxy transmission:9091
+ }
+
+ # Fallback unhandled (sub)domains
+ handle {
+ error 404
+ }
+
 handle_errors {
 root * /usr/share/caddy/web
 rewrite * /error.html
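Review bot: The `#header Strict-Transport-Security "max-age=63072000"` line stays commented out although this commit moves every subdomain to publicly trusted certificates, so browsers keep following plain-http links to these hosts until the server redirects them. Once DNS-challenge issuance is confirmed to work, enabling it with a short initial `max-age` (and without `includeSubDomains`, since the single wildcard block already serves every name) locks the upgrade in on the client side. The global `debug` option added above the site block also makes Caddy emit details of every proxied request at debug level to stdout, which is more than a long-running proxy should log; keep it only while the netcup issuance is being verified. The `*.{$DOMAIN}` block is complete within the hunk, but the `handle_errors` block at its end continues past it.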
@@ -22,70 +80,3 @@
 }
 }
 }
-
-(localtls) {
- tls internal
-}
-
-whoami.{$DOMAIN} http://whoami.{$DOMAIN} {
- reverse_proxy whoami:80
- import errorhandler
-}
-
-dashboard.{$DOMAIN} http://dashboard.{$DOMAIN} {
- reverse_proxy homer:8080
- import errorhandler
-}
-
-hassi.{$DOMAIN} http://hassi.{$DOMAIN} {
- # reverse_proxy homeassistant:8123
- reverse_proxy {host}:8123
- import errorhandler
-}
-
-zigbee2mqtt.{$DOMAIN} http://zigbee2mqtt.{$DOMAIN} {
- reverse_proxy zigbee2mqtt:8080
- import errorhandler
-}
-
-jellyfin.{$DOMAIN} http://jellyfin.{$DOMAIN} {
- reverse_proxy jellyfin:8096
- import errorhandler
-}
-
-paperless.{$DOMAIN} http://paperless.{$DOMAIN} {
- reverse_proxy paperless-ngx:8000
- import errorhandler
-}
-
-download.{$DOMAIN} http://download.{$DOMAIN} {
- reverse_proxy pyload:8000
- import errorhandler
-}
-
-uptime.{$DOMAIN} http://uptime.{$DOMAIN} {
- reverse_proxy uptime-kuma:3001
- import errorhandler
-}
-
-torrent.{$DOMAIN} http://torrent.{$DOMAIN} {
- reverse_proxy transmission:9091
- import errorhandler
-}
-
-*.{$DOMAIN} http://*.{$DOMAIN} {
- error 404
- import errorhandler
-}
-
-root-ca.{$DOMAIN} http://root-ca.{$DOMAIN} {
- file_server * {
- root /usr/share/caddy/web
- hide .git Readme.md
- }
- file_server /root.crt {
- root /data/caddy/pki/authorities/local/
- hide *.key
- }
- import errorhandler
-}
diff --git a/proxy/Dockerfile b/proxy/Dockerfile
new file mode 100644
index 0000000..7223e84
--- /dev/null
+++ b/proxy/Dockerfile
@@ -0,0 +1,7 @@
+FROM caddy:2-builder AS builder
+
+RUN xcaddy build --with github.com/caddy-dns/netcup
+
+FROM caddy:2
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
diff --git a/proxy/docker-compose.yaml b/proxy/docker-compose.yaml
index 2870b0b..9f0eaac 100644
--- a/proxy/docker-compose.yaml
+++ b/proxy/docker-compose.yaml
@@ -1,7 +1,7 @@
 services:
 caddy:
- image: caddy:2
+ build: ./
 restart: unless-stopped
 ports:
 - 80:80
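Review bot: `RUN xcaddy build --with github.com/caddy-dns/netcup` pulls whatever the module's newest version is at build time, and `FROM caddy:2-builder` / `FROM caddy:2` float as well, so two builds of this Dockerfile can produce different proxy binaries — and this binary is the one holding the DNS API credentials. Pin the plugin as `--with github.com/caddy-dns/netcup@<version>` (xcaddy accepts a module@version suffix) and consider a minor-version base tag so upgrades happen deliberately; the `image: caddy:2` removed from docker-compose.yaml had the same issue, so this is not a regression, just the right moment to fix it. A pinned plugin version is also what makes it possible to review the DNS-provider code before it runs with those credentials.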
@@ -17,6 +17,10 @@ services:
 environment:
 - DOMAIN=${DOMAIN}
 - LOCAL_CA_NAME=${LOCAL_CA_NAME}
+ - NETCUP_CUSTOMER_NUMBER=${NETCUP_CUSTOMER_NUMBER}
+ - NETCUP_API_KEY=${NETCUP_API_KEY}
+ - NETCUP_API_PASSWORD=${NETCUP_API_PASSWORD}
+ - EMAIL=${LETSENCRYPT_MAIL}
 cap_add:
 - cap_net_bind_service
diff --git a/proxy/web/error.html b/proxy/web/error.html
index 2315a15..7a72d86 100644
--- a/proxy/web/error.html
+++ b/proxy/web/error.html
@@ -28,7 +28,7 @@
diff --git a/proxy/web/index.html b/proxy/web/index.html
index 76a3485..2f9cb5e 100644
--- a/proxy/web/index.html
+++ b/proxy/web/index.html
@@ -37,7 +37,7 @@
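Review bot: `LOCAL_CA_NAME=${LOCAL_CA_NAME}` is still passed into the container although the same commit deletes the `pki`/`local_certs` block in the Caddyfile that consumed it, so the line is now dead configuration; drop it or leave a comment saying why it stays. The three `NETCUP_*` values are DNS-provider API credentials that can alter any record in that account, not only the ACME challenge records, and as plain `environment:` entries they are visible through `docker inspect` and in the container's process environment; an `env_file:` kept out of version control at least keeps them out of the compose file's history and inspect output of other tooling. `EMAIL=${LETSENCRYPT_MAIL}` renames the variable between .env and container, which is fine but deserves a short comment since the Caddyfile reads it as `{env.EMAIL}`.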
  • Um das CA-Certifikat in den Linux-Truststore zu installieren führen Sie folgende Befehle aus: -
    curl -o caddy-root-ca.crt http://example.lan/root.crt
    +         
    curl -o caddy-root-ca.crt http://example.home.florianzirker.de/root.crt
     sudo mkdir -p /usr/local/share/ca-certificates/extra
     sudo cp caddy-root-ca.crt /usr/local/share/ca-certificates/extra/
     sudo update-ca-certificates
    
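Review bot: The rewritten line still instructs users to download `http://example.home.florianzirker.de/root.crt` and install it as a trusted CA, but the same commit deletes the `root-ca.{$DOMAIN}` site block that served `/root.crt` from the local PKI, and with publicly trusted certificates nobody should be importing a private root any more. The paragraph should be removed or rewritten to say that certificates are now publicly trusted and no CA import is needed; as it stands it invites users to fetch and trust a certificate from a URL that now lands on the 404 fallback.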
    From 37dc3b82d90287c48ff6b0c1d4895fe94af619f2 Mon Sep 17 00:00:00 2001
    From: Florian Zirker 
    Date: Tue, 18 Mar 2025 15:04:33 +0100
    Subject: [PATCH 05/10] Starting with Authentik
    
    ---
     auth/docker-compose.yml       | 90 +++++++++++++++++++++++++++++++++++
     paperless/docker-compose.yaml |  3 ++
     proxy/Caddyfile               |  6 ++-
     proxy/docker-compose.yaml     |  2 -
     start-all.sh                  |  1 +
     5 files changed, 99 insertions(+), 3 deletions(-)
     create mode 100644 auth/docker-compose.yml
    
    diff --git a/auth/docker-compose.yml b/auth/docker-compose.yml
    new file mode 100644
    index 0000000..1214623
    --- /dev/null
    +++ b/auth/docker-compose.yml
    @@ -0,0 +1,90 @@
    +services:
    +
    +  authentik-server:
    +    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}
    +    restart: unless-stopped
    +    command: server
    +    environment:
    +      - AUTHENTIK_REDIS__HOST=redis
    +      - AUTHENTIK_POSTGRESQL__HOST=postgresql
    +      - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
    +      - AUTHENTIK_POSTGRESQL__NAME=${POSTGRES_DB}
    +      - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
    +      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
    +      - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED}
    +    volumes:
    +      - ${VOLUMES_PATH}/auth/media:/media
    +      - ${VOLUMES_PATH}/auth/custom-templates:/templates
    +    depends_on:
    +      postgresql:
    +        condition: service_healthy
    +      redis:
    +        condition: service_healthy
    +    networks:
    +      - web
    +      - auth
    +
    +  authentik-worker:
    +    image: ghcr.io/goauthentik/server:${AUTHENTIK_VERSION}
    +    restart: unless-stopped
    +    command: worker
    +    environment:
    +      - AUTHENTIK_REDIS__HOST=redis
    +      - AUTHENTIK_POSTGRESQL__HOST=postgresql
    +      - AUTHENTIK_POSTGRESQL__USER=${POSTGRES_USER}
    +      - AUTHENTIK_POSTGRESQL__NAME=${POSTGRES_DB}
    +      - AUTHENTIK_POSTGRESQL__PASSWORD=${POSTGRES_PASSWORD}
    +      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
    +      - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED}
    +    user: root
    +    volumes:
    +      # - /var/run/docker.sock:/var/run/docker.sock
    +      - ${VOLUMES_PATH}/auth/media:/media
    +      - ${VOLUMES_PATH}/auth/certs:/certs
    +      - ${VOLUMES_PATH}/auth/custom-templates:/templates
    +    depends_on:
    +      postgresql:
    +        condition: service_healthy
    +      redis:
    +        condition: service_healthy
    +    networks:
    +      - auth
    +
    +  postgresql:
    +    image: postgres:${POSTGRES_VERSION}
    +    restart: unless-stopped
    +    healthcheck:
    +      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
    +      start_period: 20s
    +      interval: 30s
    +      retries: 5
    +      timeout: 5s
    +    volumes:
    +      - ${VOLUMES_PATH}/auth/postgres/:/var/lib/postgresql/data
    +    environment:
    +      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    +      - POSTGRES_USER=${POSTGRES_USER}
    +      - POSTGRES_DB=${POSTGRES_DB}
    +    networks:
    +      - auth
    +
    +  redis:
    +    image: redis:${REDIS_VERSION}
    +    command: --save 60 1 --loglevel warning
    +    restart: unless-stopped
    +    healthcheck:
    +      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
    +      start_period: 20s
    +      interval: 30s
    +      retries: 5
    +      timeout: 3s
    +    volumes:
    +      - ${VOLUMES_PATH}/auth/redis:/data
    +    networks:
    +      - auth
    +
    +
    +networks:
    +  auth:
    +  web:
    +    external: true
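Review bot: `user: root` on authentik-worker runs the worker as root inside the container although the only thing that would require it — the `/var/run/docker.sock` mount — is commented out directly below, so the setting buys nothing and gives a compromised worker root over `/media`, `/certs` and `/templates`. Drop `user: root` (the image runs as its own non-root user by default, as far as I know; authentik's docs only call for root when the socket is mounted) or add a comment stating why it must stay, and keep the socket mount commented out unless a Docker-integrated outpost is actually needed, because that mount is equivalent to root on the host. The server container is attached to both `web` and `auth` while postgresql and redis stay on `auth` only, which is the right split; a one-line comment above `networks:` saying that `auth` must never be exposed to the proxy network would keep it that way.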
    diff --git a/paperless/docker-compose.yaml b/paperless/docker-compose.yaml
    index 20b0079..5688a55 100644
    --- a/paperless/docker-compose.yaml
    +++ b/paperless/docker-compose.yaml
    @@ -60,6 +60,9 @@ services:
           - USERMAP_GID=1000
           - PAPERLESS_PRE_CONSUME_SCRIPT=/usr/src/paperless/scripts/removePdfPassword.py
           - PAPERLESS_OCR_USER_ARGS=${USER_ARGS_JSON}
    +      - PAPERLESS_APPS=allauth.socialaccount.providers.openid_connect
    +      - PAPERLESS_SOCIALACCOUNT_PROVIDERS=${PAPERLESS_SOCIALACCOUNT_PROVIDERS}
    +      - PAPERLESS_CSRF_TRUSTED_ORIGINS=https://paperless.home.florianzirker.de,https://auth.home.florianzirker.de
         labels:
           - "docker.group=paperless"
     
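Review bot: `PAPERLESS_CSRF_TRUSTED_ORIGINS=https://paperless.home.florianzirker.de,https://auth.home.florianzirker.de` hard-codes the domain that the Caddyfile derives from `{$DOMAIN}` everywhere else, so a future domain change will silently break CSRF validation for the OIDC login here. If `${DOMAIN}` is available to this compose file's .env, use `https://paperless.${DOMAIN},https://auth.${DOMAIN}` so the value moves with the rest. `PAPERLESS_SOCIALACCOUNT_PROVIDERS` carries the OIDC client secret as JSON from .env, which is fine, but once the OIDC login is confirmed working decide explicitly whether the local password login should remain enabled alongside it, and record that decision in a comment next to these lines.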
    diff --git a/proxy/Caddyfile b/proxy/Caddyfile
    index bc24cc5..d723d79 100644
    --- a/proxy/Caddyfile
    +++ b/proxy/Caddyfile
    @@ -4,7 +4,6 @@
     		output stdout
     		format console
     	}
    -	debug
     }
     
     *.{$DOMAIN} {
    @@ -66,6 +65,11 @@
     		reverse_proxy transmission:9091
     	}
     
    +	@auth host auth.{$DOMAIN}
    +	handle @auth {
    +		reverse_proxy authentik-server:9000
    +	}
    +
     	# Fallback unhandled (sub)domains
     	handle {
     		error 404
    diff --git a/proxy/docker-compose.yaml b/proxy/docker-compose.yaml
    index 9f0eaac..7c587c9 100644
    --- a/proxy/docker-compose.yaml
    +++ b/proxy/docker-compose.yaml
    @@ -37,6 +37,4 @@ services:
     networks:
       web:
         external: true
    -  dockersocket:
    -    external: true
     
    diff --git a/start-all.sh b/start-all.sh
    index 8010786..69b5585 100755
    --- a/start-all.sh
    +++ b/start-all.sh
    @@ -6,6 +6,7 @@ function up {
     }
     
     up proxy;
    +up auth;
     up monitoring;
     up smartHome;
     up dashboard;
    
    From c009c6e30e6a0e50081e69635fa59cdf65db59a5 Mon Sep 17 00:00:00 2001
    From: Florian Zirker 
    Date: Thu, 20 Mar 2025 12:52:46 +0100
    Subject: [PATCH 06/10] proxy auth for unsecured apps
    
    ---
     proxy/Caddyfile             | 29 +++++++++++++++++++++++++----
     torrent/docker-compose.yaml |  2 --
     2 files changed, 25 insertions(+), 6 deletions(-)
    
    diff --git a/proxy/Caddyfile b/proxy/Caddyfile
    index d723d79..2a2d8e3 100644
    --- a/proxy/Caddyfile
    +++ b/proxy/Caddyfile
    @@ -6,6 +6,15 @@
     	}
     }
     
    +(proxy-auth) {
    +	reverse_proxy /outpost.goauthentik.io/* http://authentik-server:9000
    +	forward_auth http://authentik-server:9000 {
    +		uri /outpost.goauthentik.io/auth/caddy
    +		copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
    +		trusted_proxies private_ranges
    +	}
    +}
    +
     *.{$DOMAIN} {
     	tls {
     		dns netcup {
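Review bot: `copy_headers` in the `(proxy-auth)` snippet forwards the full X-Authentik-* set, including `X-Authentik-Jwt`, to every upstream the snippet is imported into, yet whoami, zigbee2mqtt, pyload and transmission (the sites wrapped later in this commit) consume none of those headers; a token-grade header should not be handed to applications that have no use for it, so trim the list to what is actually read (e.g. `copy_headers X-Authentik-Username X-Authentik-Email`) or keep a second, stripped-down snippet for such apps. `trusted_proxies private_ranges` tells Caddy to keep the `X-Forwarded-For` sent by any client whose own address is in an RFC 1918 range — on a home LAN that is every client — so authentik receives a client-controlled IP; do not treat authentik's client-IP based policies or logs as a trust signal with this setting, or narrow the range to the proxy's actual network. The `*.{$DOMAIN} {` block that follows the snippet continues outside the hunk.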
    @@ -21,7 +30,10 @@
     
     	@whoami host whoami.{$DOMAIN}
     	handle @whoami {
    -		reverse_proxy whoami:80
    +		route {
    +			import proxy-auth
    +			reverse_proxy whoami:80
    +		}
     	}
     
     	@dashboard host dashboard.{$DOMAIN}
    @@ -37,7 +49,10 @@
     
     	@zigbee2mqtt host zigbee2mqtt.{$DOMAIN}
     	handle @zigbee2mqtt {
    -		reverse_proxy zigbee2mqtt:8080
    +		route {
    +			import proxy-auth
    +			reverse_proxy zigbee2mqtt:8080
    +		}
     	}
     
     	@jellyfin host jellyfin.{$DOMAIN}
    @@ -52,7 +67,10 @@
     
     	@download host download.{$DOMAIN}
     	handle @download {
    -		reverse_proxy pyload:8000
    +		route {
    +			import proxy-auth
    +			reverse_proxy pyload:8000
    +		}
     	}
     
     	@uptime host uptime.{$DOMAIN}
    @@ -62,7 +80,10 @@
     
     	@torrent host torrent.{$DOMAIN}
     	handle @torrent {
    -		reverse_proxy transmission:9091
    +		route {
    +			import proxy-auth
    +			reverse_proxy transmission:9091
    +		}
     	}
     
     	@auth host auth.{$DOMAIN}
    diff --git a/torrent/docker-compose.yaml b/torrent/docker-compose.yaml
    index f5b6923..72d8c9b 100644
    --- a/torrent/docker-compose.yaml
    +++ b/torrent/docker-compose.yaml
    @@ -4,8 +4,6 @@ services:
         image: lscr.io/linuxserver/transmission:${TRANSMISSION_VERSION}
         environment:
           - TZ=Etc/UTC
    -      - USER=${USERNAME}
    -      - PASS=${PASSWORD}
         volumes:
           - ${VOLUMES_PATH}/torrent/transmission:/config
           - ${DOWNLOAD_PATH}:/downloads
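Review bot: Removing `USER=${USERNAME}` and `PASS=${PASSWORD}` appears to switch off RPC authentication in the linuxserver transmission image entirely, so the only thing between a client and the torrent RPC is now the `proxy-auth` snippet in Caddy. That protection applies only to traffic entering through Caddy; any other container sharing a Docker network with transmission (it is reachable as `transmission:9091` from the proxy, so presumably the shared `web` network) can call the RPC unauthenticated, as can anything on the host if a `ports:` entry publishes 9091. Either keep the RPC credentials and let Caddy supply them to the upstream with `header_up`, or make sure transmission sits on a network only Caddy can reach and publishes no port — the rest of this service definition is outside the hunk, so that cannot be confirmed here.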
    
    From d0a670796c44b90781b594afacb7a182a651b2e0 Mon Sep 17 00:00:00 2001
    From: Florian Zirker 
    Date: Thu, 10 Apr 2025 17:05:16 +0200
    Subject: [PATCH 07/10] Home Assistant to network mode
    
    ---
     proxy/Caddyfile               | 3 +--
     smartHome/docker-compose.yaml | 7 ++++---
     2 files changed, 5 insertions(+), 5 deletions(-)
    
    diff --git a/proxy/Caddyfile b/proxy/Caddyfile
    index 2a2d8e3..ad90cd5 100644
    --- a/proxy/Caddyfile
    +++ b/proxy/Caddyfile
    @@ -43,8 +43,7 @@
     
     	@hassi host hassi.{$DOMAIN}
     	handle @hassi {
    -		# reverse_proxy homeassistant:8123
    -		reverse_proxy {host}:8123
    +		reverse_proxy homeassistant:8123
     	}
     
     	@zigbee2mqtt host zigbee2mqtt.{$DOMAIN}
    diff --git a/smartHome/docker-compose.yaml b/smartHome/docker-compose.yaml
    index 026778b..3f9d183 100644
    --- a/smartHome/docker-compose.yaml
    +++ b/smartHome/docker-compose.yaml
    @@ -8,11 +8,13 @@ services:
         environment:
           - TZ=Europe/Berlin
         restart: unless-stopped
    -    network_mode: host
    +    #network_mode: host
    +    networks:
    +       - web
    +       - smarthome
         labels:
           - "docker.group=smartHome"
     
    -
       mqttbroker:
         image: eclipse-mosquitto:${MOSQUITTO_VERSION}
         restart: unless-stopped
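Review bot: Moving homeassistant from `network_mode: host` onto the `web` and `smarthome` bridge networks means its traffic now arrives through Caddy's `reverse_proxy homeassistant:8123`, and Home Assistant rejects reverse-proxied requests with HTTP 400 unless its configuration.yaml lists the proxy under `http: use_x_forwarded_for: true` and `trusted_proxies:` with the Docker network's CIDR — that change is not part of this commit and belongs with it. Host networking was also what allowed mDNS/SSDP discovery of LAN devices; on a bridge network that discovery stops, which is worth a line next to the `#network_mode: host` comment so the switch is not reverted by accident later. The two items under `networks:` are indented one column deeper than the rest of the file (`       - web`), which YAML tolerates but reads as a mistake; align them with the other lists.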
    @@ -28,7 +30,6 @@ services:
         labels:
           - "docker.group=smartHome"
     
    -
       zigbee2mqtt:
         restart: unless-stopped
         image: koenkk/zigbee2mqtt
    
    From dc1303c7965a7a94d1f96385ca5616c97256ccc0 Mon Sep 17 00:00:00 2001
    From: Florian Zirker 
    Date: Thu, 10 Apr 2025 17:05:26 +0200
    Subject: [PATCH 08/10] Add postgres to Smarthome
    
    ---
     smartHome/docker-compose.yaml | 20 ++++++++++++++++++++
     1 file changed, 20 insertions(+)
    
    diff --git a/smartHome/docker-compose.yaml b/smartHome/docker-compose.yaml
    index 3f9d183..4a27a1b 100644
    --- a/smartHome/docker-compose.yaml
    +++ b/smartHome/docker-compose.yaml
    @@ -46,6 +46,26 @@ services:
         labels:
           - "docker.group=smartHome"
     
    +  db:
    +    image: postgres:${POSTGRES_VERSION}
    +    restart: unless-stopped
    +    networks:
    +      - smarthome
    +    volumes:
    +      - ${VOLUMES_PATH}/smartHome/postgres:/var/lib/postgresql/data
    +    environment:
    +      - POSTGRES_DB=${POSTGRES_DB}
    +      - POSTGRES_USER=${POSTGRES_USER}
    +      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
    +    healthcheck:
    +      test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
    +      start_period: 20s
    +      interval: 30s
    +      retries: 5
    +      timeout: 5s
    +    labels:
    +      - "docker.group=smartHome"
    +
     
     networks:
       web:
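Review bot: The new `db` service defines a `healthcheck` but nothing in this hunk waits on it; if homeassistant (or whichever service this database is intended for — not visible here) is to use it, add `depends_on: db: condition: service_healthy` on that service, as auth/docker-compose.yml does for its postgresql. Attaching `db` only to `smarthome` correctly keeps it off the `web` network shared with Caddy, and it publishes no ports — a comment saying both are intentional would stop a later "convenience" change. Since this file and the auth compose file both read `POSTGRES_DB`/`POSTGRES_USER`/`POSTGRES_PASSWORD`, a note that each directory has its own .env prevents the two databases from ending up with one shared credential set.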
    
    From 2b59b4ce9919a9c6802d1534b6dc2c69c4ca1399 Mon Sep 17 00:00:00 2001
    From: Florian Zirker 
    Date: Thu, 10 Apr 2025 17:06:27 +0200
    Subject: [PATCH 09/10] proxy auth for uptime kuma
    
    ---
     proxy/Caddyfile | 5 ++++-
     1 file changed, 4 insertions(+), 1 deletion(-)
    
    diff --git a/proxy/Caddyfile b/proxy/Caddyfile
    index ad90cd5..f2d151b 100644
    --- a/proxy/Caddyfile
    +++ b/proxy/Caddyfile
    @@ -74,7 +74,10 @@
     
     	@uptime host uptime.{$DOMAIN}
     	handle @uptime {
    -		reverse_proxy uptime-kuma:3001
    +		route {
    +			import proxy-auth
    +			reverse_proxy uptime-kuma:3001
    +		}
     	}
     
     	@torrent host torrent.{$DOMAIN}
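Review bot: Wrapping the whole uptime host in `proxy-auth` also places Uptime Kuma's intentionally unauthenticated endpoints behind the authentik forward-auth: push monitors report from the monitored machines via `/api/push/<token>` without a browser session, and any public status page will now redirect to the login instead of rendering. If either feature is in use, exclude those paths before the `import proxy-auth`, for example a `@public path /api/push/* /status/*` matcher (path prefixes from Uptime Kuma's defaults — verify against the running version) handled by a plain `reverse_proxy uptime-kuma:3001`. Uptime Kuma keeps its own login, so this adds a second layer rather than replacing one, unlike the transmission change earlier in the series.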
    
    From 7fc79f7a21affee5bc7cc2cd7ae836e3db7d55f2 Mon Sep 17 00:00:00 2001
    From: Florian Zirker 
    Date: Thu, 10 Apr 2025 17:06:47 +0200
    Subject: [PATCH 10/10] Redirect old domain to new one
    
    ---
     proxy/Caddyfile           | 9 +++++++++
     proxy/docker-compose.yaml | 1 +
     2 files changed, 10 insertions(+)
    
    diff --git a/proxy/Caddyfile b/proxy/Caddyfile
    index f2d151b..a245a03 100644
    --- a/proxy/Caddyfile
    +++ b/proxy/Caddyfile
    @@ -4,6 +4,7 @@
     		output stdout
     		format console
     	}
    +	auto_https disable_redirects
     }
     
     (proxy-auth) {
    @@ -15,6 +16,14 @@
     	}
     }
     
    +http://*.{$DOMAIN} {
    +	redir https://{labels.3}.{$DOMAIN}{uri} permanent
    +}
    +
    +http://*.{$OLD_DOMAIN} {
    +	redir https://{labels.1}.{$DOMAIN}{uri} permanent
    +}
    +
     *.{$DOMAIN} {
     	tls {
     		dns netcup {
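Review bot: `redir https://{labels.3}.{$DOMAIN}{uri}` and `redir https://{labels.1}.{$DOMAIN}{uri}` hard-code the label count of the two domains (labels count from the TLD, so `{labels.3}` is the host part only while `DOMAIN` has exactly three labels and `{labels.1}` only while `OLD_DOMAIN` has exactly one); change either variable and the redirect silently sends users to the wrong host. A comment on each block such as `# {labels.N}: N = number of labels in the domain suffix; host.a.b.tld -> labels.3` would make that coupling visible. Building the target from the request's own host label is acceptable here because the `http://*.{$DOMAIN}` and `http://*.{$OLD_DOMAIN}` site addresses already fix the suffix, so the redirect cannot be steered to a foreign domain. The `*.{$DOMAIN} {` block that follows continues outside the hunk.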
    diff --git a/proxy/docker-compose.yaml b/proxy/docker-compose.yaml
    index 7c587c9..c6e63dd 100644
    --- a/proxy/docker-compose.yaml
    +++ b/proxy/docker-compose.yaml
    @@ -16,6 +16,7 @@ services:
           - web
         environment:
           - DOMAIN=${DOMAIN}
    +      - OLD_DOMAIN=${OLD_DOMAIN}
           - LOCAL_CA_NAME=${LOCAL_CA_NAME}
           - NETCUP_CUSTOMER_NUMBER=${NETCUP_CUSTOMER_NUMBER}
           - NETCUP_API_KEY=${NETCUP_API_KEY}