From 30b7290e315524dd67e5c305301a9020cd9033de Mon Sep 17 00:00:00 2001 From: Neale Pickett Date: Tue, 7 Feb 2023 11:08:20 -0700 Subject: [PATCH] Fix deergrove portal, finer-grained permissions --- homelab/Caddyfile | 64 +++++++++++-------------------------- homelab/authelia.yaml | 26 +++++++++++++-- homelab/docker-compose.yaml | 13 ++++---- homelab/www/index.css | 2 +- homelab/www/index.html | 11 ++++--- homelab/www/index.mjs | 5 ++- 6 files changed, 61 insertions(+), 60 deletions(-) diff --git a/homelab/Caddyfile b/homelab/Caddyfile index 88b2623..7f5a221 100644 --- a/homelab/Caddyfile +++ b/homelab/Caddyfile @@ -8,17 +8,22 @@ copy_headers Remote-User Remote-Groups Remote-Name Remote-Email } +# This has to be at the same level as other `handle` directives, +# since `handle` is a mutually-exclusive thingy. +# https://caddy.community/t/copy-header-into-new-header-iff-it-is-set/18827 (restricted-access) { - @noauth header !Authorization - handle @noauth { - forward_auth authelia:9091 { - import authelia - } - } handle { - forward_auth authelia:9091 { - import authelia - header_up Proxy-Authorization {header.authorization} + @noauth header !Authorization + handle @noauth { + forward_auth authelia:9091 { + import authelia + } + } + handle { + forward_auth authelia:9091 { + import authelia + header_up Proxy-Authorization {header.authorization} + } } } } 
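Review bot: Wrapping the two forward_auth branches in a matcher-less `handle` turns the whole `(restricted-access)` snippet into a catch-all that is mutually exclusive with every sibling `handle`/`handle_path` at the place it is imported — exactly the property the new comment describes — so where the `deergrove.woozle.org` hunk of this patch imports it at site level, a request matching `handle /transmission/*` (or any other path handle there) would be served by that block alone and never pass through forward_auth. If that reading of Caddy's handle semantics is right, the proxied services lose authentication and only the fallback `file_server` keeps it; it is worth confirming on the running instance with an unauthenticated request to one of the proxied paths before trusting the new layout. The previous shape — `import restricted-access` inside each protected handle — stays correct, as would two matcher-scoped `forward_auth` directives at site level that avoid handle blocks altogether. Whichever is chosen, a comment on the snippet such as `# NOTE: a matcher-less handle only runs when no sibling handle matches; import this inside each protected handle` records the constraint. The `copy_headers`/`}` lines at the top of the hunk close the `(authelia)` snippet, whose definition starts outside the hunk.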
@@ -62,84 +67,53 @@ ancestry.woozle.org { ## handle_path truncates path ## -(deergrove) { +deergrove.woozle.org { + import restricted-access + handle_path /ddns/* { - import restricted-access reverse_proxy ddns:8000 } handle /transmission/* { - import restricted-access reverse_proxy host.docker.internal:9091 } handle /nzbget/* { - import restricted-access reverse_proxy nzbget:6789 } handle /sonarr/* { - import restricted-access reverse_proxy sonarr:8989 } handle /radarr/* { - import restricted-access reverse_proxy radarr:7878 } handle /readarr/* { - import restricted-access reverse_proxy readarr:8787 } handle /lidarr/* { - import restricted-access reverse_proxy lidarr:8686 } handle /prowlarr/* { - import restricted-access reverse_proxy prowlarr:9696 } handle_path /sucker/* { - import restricted-access reverse_proxy 192.168.86.2:5801 } + # Octoprint serves up broken webcam URLs + uri replace /webcam/ /octoprint/webcam/ handle_path /octoprint/* { - import restricted-access reverse_proxy { to 192.168.86.20:80 header_up X-Script-Name "/octoprint" } } - handle /webcam/* { - # Octoprint doesn't properly prefix webcam URLs - import restricted-access - reverse_proxy { - to 192.168.86.20:80 - } - } - - handle_path /public/* { - file_server { - root /srv/storage/public - } - } - handle { - import restricted-access file_server { root /www } } } - -deergrove.woozle.org { - import deergrove -} - -sweetums.lan { - tls internal - import deergrove -} - diff --git a/homelab/authelia.yaml b/homelab/authelia.yaml index 86c39d8..eeffdab 100644 --- a/homelab/authelia.yaml +++ b/homelab/authelia.yaml 
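Review bot: The site-level `uri replace /webcam/ /octoprint/webcam/` is a plain substring substitution over the request URI rather than a prefix rewrite, so any request that merely contains `/webcam/` somewhere — on `/sonarr/`, `/nzbget/` or a file under the fallback `file_server` — is also rewritten into the Octoprint prefix. Anchoring it to the path start, `uri path_regexp ^/webcam/ /octoprint/webcam/`, keeps the fix scoped to the broken Octoprint URLs the comment describes. The comment above it could also say where the rewritten path ends up, e.g. `# Octoprint emits /webcam/... links; fold them under /octoprint/ so the handle_path below proxies them`. The `ancestry.woozle.org` block named in the hunk header ends before this hunk's changes begin; the `deergrove.woozle.org` site block itself opens and closes inside the hunk.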
@@ -24,19 +24,38 @@ access_control: default_policy: deny rules: - domain: deergrove.woozle.org + subject: + - "group:octoprint" + resources: + - '^/octoprint/' + - '^/webcam/' + policy: one_factor + + - domain: deergrove.woozle.org + subject: + - "group:media" + resources: + - '^/[a-z]+arr/' + - '^/nzbget/' + - '^/transmission/' + - '^/sucker/' + policy: one_factor + + - domain: deergrove.woozle.org + resources: + - '^/[a-z.]*$' policy: one_factor - domain: drive.woozle.org - policy: bypass methods: - HEAD - GET - PROPFIND resources: - '^/storage/public/' + policy: bypass - domain: drive.woozle.org - policy: one_factor subject: - "group:storage" resources: @@ -47,9 +66,9 @@ access_control: - '^/storage/(?P\w+)/' - '^/storage/shared/' - '^/storage/public/' + policy: one_factor - domain: drive.woozle.org - policy: one_factor methods: - HEAD - GET @@ -59,4 +78,5 @@ access_control: - '^/incoming/' - '^/media/' - '^/storage/shared/' + policy: one_factor diff --git a/homelab/docker-compose.yaml b/homelab/docker-compose.yaml index e9eab1a..9635e14 100644 --- a/homelab/docker-compose.yaml +++ b/homelab/docker-compose.yaml @@ -40,6 +40,7 @@ services: target: /browser.html extra_hosts: - host.docker.internal:host-gateway + - host.lan:128.165.86.2 authelia: image: authelia/authelia @@ -307,16 +308,16 @@ configs: name: Corefile-v4 Caddyfile: file: Caddyfile - name: Caddyfile-v103 + name: Caddyfile-v110 index.html: file: www/index.html - name: index.html-v36 + name: index.html-v41 index.mjs: file: www/index.mjs - name: index.mjs-v1 + name: index.mjs-v8 index.css: file: www/index.css - name: index.css-v1 + name: index.css-v2 browser.html: file: www/browser.html name: browser.html-v3 @@ -325,7 +326,7 @@ configs: name: deergrove.png-v1 authelia.yaml: file: authelia.yaml - name: authelia.yaml-v18 + name: authelia.yaml-v24 secrets: passwd: 
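Review bot: `/ddns/`, which the Caddyfile hunk in this patch still proxies via `handle_path /ddns/*`, matches none of the three new `deergrove.woozle.org` rules, so under `default_policy: deny` every user — members of both groups included — is refused there; if the DDNS endpoint is meant to stay usable it needs a resource such as `- '^/ddns/'` in the appropriate group rule. The `'^/webcam/'` resource in the octoprint rule is likely dead as well, since the Caddyfile's site-level `uri replace /webcam/ /octoprint/webcam/` runs before forward_auth and, assuming Caddy forwards the rewritten URI, Authelia only ever sees `/octoprint/webcam/`, which `'^/octoprint/'` already covers. Rule evaluation is first-match and the two group-scoped rules precede the catch-all `'^/[a-z.]*$'`, so a logged-in user outside both groups can fetch the portal's top-level files but is denied on every service path — presumably intended, but a one-line comment above the third rule stating that would save the next reader from wondering whether a rule is missing.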
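Review bot: The new `extra_hosts` entry points `host.lan` at `128.165.86.2`, whereas every other host-side address this patch touches (the Caddyfile's `192.168.86.2` and `192.168.86.20` upstreams) lives in `192.168.86.0/24`; if `128.` is a slip for `192.`, `host.lan` resolves to a routable, non-private address and anything that later uses the name would leave the home network. Nothing in the diff references `host.lan` yet, so this is a question rather than a confirmed bug; if the address is deliberate, a comment beside it — `# host.lan: <reason this is not the 192.168.86.x host>` — will keep it from being "corrected" later. The `@@ -307` hunk below is only config-version bumps.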
@@ -354,7 +355,7 @@ secrets: name: session.secret-v1 users.yaml: file: secrets/users.yaml - name: users.yaml-v6 + name: users.yaml-v9 authelia.oidc.yaml: file: secrets/authelia.oidc.yaml name: authelia.oidc.yaml-v2 diff --git a/homelab/www/index.css b/homelab/www/index.css index 93ca0b4..fc2f70e 100644 --- a/homelab/www/index.css +++ b/homelab/www/index.css @@ -27,7 +27,7 @@ nav a { text-decoration: none; white-space: nowrap; } -nav a[target] { +nav a[data-no-menu] { display: none; } nav a:hover { diff --git a/homelab/www/index.html b/homelab/www/index.html index 29df2e7..9a39c02 100644 --- a/homelab/www/index.html +++ b/homelab/www/index.html @@ -22,10 +22,13 @@
Octoprint - - Git - Drive - Ancestry + + Git + Drive + Ancestry + +
+ Logout
diff --git a/homelab/www/index.mjs b/homelab/www/index.mjs index 774d219..086c2fc 100644 --- a/homelab/www/index.mjs +++ b/homelab/www/index.mjs @@ -72,9 +72,12 @@ function init() { let dlink = icons.appendChild(link.cloneNode(true)) dlink.textContent = "" - if (link.dataset.icon) { + if (link.dataset.icon == "") { + dlink.remove() + } else if (link.dataset.icon) { let icon = dlink.appendChild(doc.createElement("img")) icon.src = link.dataset.icon + icon.alt = link.title icon.style.objectFit = "cover" } else { let text = dlink.appendChild(doc.createElement("div"))
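Review bot: `if (link.dataset.icon == "")` should use strict equality — `dataset` values are either strings or `undefined`, so `=== ""` is equivalent here and avoids the coercion reading: `if (link.dataset.icon === "") {`. The new branch also clones the link into `icons` and then immediately `remove()`s it; checking the attribute before `icons.appendChild(link.cloneNode(true))` (two lines above, still in the hunk) avoids inserting a node only to drop it, though the enclosing `init()` and its loop start outside the hunk, so whether a `continue` fits there isn't visible. `icon.alt = link.title` is a welcome accessibility fix but yields an empty `alt` for any link without a `title`; `icon.alt = link.title || link.textContent` falls back to the original link's visible text (the clone's text was cleared, the original's was not).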