Fix deergrove portal, finer-grained permissions
parent
1bf3249d49
commit
30b7290e31
|
@ -8,7 +8,11 @@
|
||||||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# This has to be at the same level as other `handle` directives,
|
||||||
|
# since `handle` is a mutually-exclusive thingy.
|
||||||
|
# https://caddy.community/t/copy-header-into-new-header-iff-it-is-set/18827
|
||||||
(restricted-access) {
|
(restricted-access) {
|
||||||
|
handle {
|
||||||
@noauth header !Authorization
|
@noauth header !Authorization
|
||||||
handle @noauth {
|
handle @noauth {
|
||||||
forward_auth authelia:9091 {
|
forward_auth authelia:9091 {
|
||||||
|
@ -22,6 +26,7 @@
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
auth.woozle.org {
|
auth.woozle.org {
|
||||||
reverse_proxy authelia:9091
|
reverse_proxy authelia:9091
|
||||||
|
@ -62,84 +67,53 @@ ancestry.woozle.org {
|
||||||
## handle_path truncates path
|
## handle_path truncates path
|
||||||
##
|
##
|
||||||
|
|
||||||
(deergrove) {
|
deergrove.woozle.org {
|
||||||
handle_path /ddns/* {
|
|
||||||
import restricted-access
|
import restricted-access
|
||||||
|
|
||||||
|
handle_path /ddns/* {
|
||||||
reverse_proxy ddns:8000
|
reverse_proxy ddns:8000
|
||||||
}
|
}
|
||||||
|
|
||||||
handle /transmission/* {
|
handle /transmission/* {
|
||||||
import restricted-access
|
|
||||||
reverse_proxy host.docker.internal:9091
|
reverse_proxy host.docker.internal:9091
|
||||||
}
|
}
|
||||||
|
|
||||||
handle /nzbget/* {
|
handle /nzbget/* {
|
||||||
import restricted-access
|
|
||||||
reverse_proxy nzbget:6789
|
reverse_proxy nzbget:6789
|
||||||
}
|
}
|
||||||
|
|
||||||
handle /sonarr/* {
|
handle /sonarr/* {
|
||||||
import restricted-access
|
|
||||||
reverse_proxy sonarr:8989
|
reverse_proxy sonarr:8989
|
||||||
}
|
}
|
||||||
handle /radarr/* {
|
handle /radarr/* {
|
||||||
import restricted-access
|
|
||||||
reverse_proxy radarr:7878
|
reverse_proxy radarr:7878
|
||||||
}
|
}
|
||||||
handle /readarr/* {
|
handle /readarr/* {
|
||||||
import restricted-access
|
|
||||||
reverse_proxy readarr:8787
|
reverse_proxy readarr:8787
|
||||||
}
|
}
|
||||||
handle /lidarr/* {
|
handle /lidarr/* {
|
||||||
import restricted-access
|
|
||||||
reverse_proxy lidarr:8686
|
reverse_proxy lidarr:8686
|
||||||
}
|
}
|
||||||
handle /prowlarr/* {
|
handle /prowlarr/* {
|
||||||
import restricted-access
|
|
||||||
reverse_proxy prowlarr:9696
|
reverse_proxy prowlarr:9696
|
||||||
}
|
}
|
||||||
|
|
||||||
handle_path /sucker/* {
|
handle_path /sucker/* {
|
||||||
import restricted-access
|
|
||||||
reverse_proxy 192.168.86.2:5801
|
reverse_proxy 192.168.86.2:5801
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Octoprint serves up broken webcam URLs
|
||||||
|
uri replace /webcam/ /octoprint/webcam/
|
||||||
handle_path /octoprint/* {
|
handle_path /octoprint/* {
|
||||||
import restricted-access
|
|
||||||
reverse_proxy {
|
reverse_proxy {
|
||||||
to 192.168.86.20:80
|
to 192.168.86.20:80
|
||||||
header_up X-Script-Name "/octoprint"
|
header_up X-Script-Name "/octoprint"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
handle /webcam/* {
|
|
||||||
# Octoprint doesn't properly prefix webcam URLs
|
|
||||||
import restricted-access
|
|
||||||
reverse_proxy {
|
|
||||||
to 192.168.86.20:80
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
handle_path /public/* {
|
|
||||||
file_server {
|
|
||||||
root /srv/storage/public
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
handle {
|
handle {
|
||||||
import restricted-access
|
|
||||||
file_server {
|
file_server {
|
||||||
root /www
|
root /www
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
deergrove.woozle.org {
|
|
||||||
import deergrove
|
|
||||||
}
|
|
||||||
|
|
||||||
sweetums.lan {
|
|
||||||
tls internal
|
|
||||||
import deergrove
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
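Review bot: The site-level `import restricted-access` in `deergrove.woozle.org` now expands to a matcher-less `handle { … }` that sits beside `handle /transmission/*`, `handle /sonarr/*`, `handle_path /octoprint/*` and the other path blocks, and Caddy documents `handle` blocks at one level as mutually exclusive, with the matcher-less one acting as the fallback. If that holds here, a request for any of those prefixes is served by its own block and never reaches `forward_auth`, so only paths that fall through to the fallback are sent to Authelia. Taking `forward_auth` out of `handle` avoids this, since it is ordered before `handle` and accepts a matcher: keep `@noauth header !Authorization` in the snippet and follow it with `forward_auth @noauth authelia:9091 { … }`. The body of the `forward_auth` block lies between the hunks and is not visible here, so a request without a session to one of the proxied prefixes is worth checking after the change.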
|
@ -24,19 +24,38 @@ access_control:
|
||||||
default_policy: deny
|
default_policy: deny
|
||||||
rules:
|
rules:
|
||||||
- domain: deergrove.woozle.org
|
- domain: deergrove.woozle.org
|
||||||
|
subject:
|
||||||
|
- "group:octoprint"
|
||||||
|
resources:
|
||||||
|
- '^/octoprint/'
|
||||||
|
- '^/webcam/'
|
||||||
|
policy: one_factor
|
||||||
|
|
||||||
|
- domain: deergrove.woozle.org
|
||||||
|
subject:
|
||||||
|
- "group:media"
|
||||||
|
resources:
|
||||||
|
- '^/[a-z]+arr/'
|
||||||
|
- '^/nzbget/'
|
||||||
|
- '^/transmission/'
|
||||||
|
- '^/sucker/'
|
||||||
|
policy: one_factor
|
||||||
|
|
||||||
|
- domain: deergrove.woozle.org
|
||||||
|
resources:
|
||||||
|
- '^/[a-z.]*$'
|
||||||
policy: one_factor
|
policy: one_factor
|
||||||
|
|
||||||
- domain: drive.woozle.org
|
- domain: drive.woozle.org
|
||||||
policy: bypass
|
|
||||||
methods:
|
methods:
|
||||||
- HEAD
|
- HEAD
|
||||||
- GET
|
- GET
|
||||||
- PROPFIND
|
- PROPFIND
|
||||||
resources:
|
resources:
|
||||||
- '^/storage/public/'
|
- '^/storage/public/'
|
||||||
|
policy: bypass
|
||||||
|
|
||||||
- domain: drive.woozle.org
|
- domain: drive.woozle.org
|
||||||
policy: one_factor
|
|
||||||
subject:
|
subject:
|
||||||
- "group:storage"
|
- "group:storage"
|
||||||
resources:
|
resources:
|
||||||
|
@ -47,9 +66,9 @@ access_control:
|
||||||
- '^/storage/(?P<Group>\w+)/'
|
- '^/storage/(?P<Group>\w+)/'
|
||||||
- '^/storage/shared/'
|
- '^/storage/shared/'
|
||||||
- '^/storage/public/'
|
- '^/storage/public/'
|
||||||
|
policy: one_factor
|
||||||
|
|
||||||
- domain: drive.woozle.org
|
- domain: drive.woozle.org
|
||||||
policy: one_factor
|
|
||||||
methods:
|
methods:
|
||||||
- HEAD
|
- HEAD
|
||||||
- GET
|
- GET
|
||||||
|
@ -59,4 +78,5 @@ access_control:
|
||||||
- '^/incoming/'
|
- '^/incoming/'
|
||||||
- '^/media/'
|
- '^/media/'
|
||||||
- '^/storage/shared/'
|
- '^/storage/shared/'
|
||||||
|
policy: one_factor
|
||||||
|
|
||||||
|
|
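Review bot: The new `group:octoprint` and `group:media` rules are only evaluated for requests that Caddy passes through `forward_auth`, and the `@noauth header !Authorization` matcher in the Caddyfile section of this commit skips that step for any request carrying an `Authorization` header. For those requests the separation between groups rests on each backend's own authentication, which this page does not show. A comment above the rules would record the dependency, for example `# Caddy skips forward_auth when an Authorization header is present; these rules do not cover such requests`, and the exemption could be narrowed to the paths that need header-based clients. No visible rule matches `/ddns/` either, so with `default_policy: deny` it is refused whenever it does reach Authelia; if that is intended, it deserves a comment as well.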
|
@ -40,6 +40,7 @@ services:
|
||||||
target: /browser.html
|
target: /browser.html
|
||||||
extra_hosts:
|
extra_hosts:
|
||||||
- host.docker.internal:host-gateway
|
- host.docker.internal:host-gateway
|
||||||
|
- host.lan:128.165.86.2
|
||||||
|
|
||||||
authelia:
|
authelia:
|
||||||
image: authelia/authelia
|
image: authelia/authelia
|
||||||
|
@ -307,16 +308,16 @@ configs:
|
||||||
name: Corefile-v4
|
name: Corefile-v4
|
||||||
Caddyfile:
|
Caddyfile:
|
||||||
file: Caddyfile
|
file: Caddyfile
|
||||||
name: Caddyfile-v103
|
name: Caddyfile-v110
|
||||||
index.html:
|
index.html:
|
||||||
file: www/index.html
|
file: www/index.html
|
||||||
name: index.html-v36
|
name: index.html-v41
|
||||||
index.mjs:
|
index.mjs:
|
||||||
file: www/index.mjs
|
file: www/index.mjs
|
||||||
name: index.mjs-v1
|
name: index.mjs-v8
|
||||||
index.css:
|
index.css:
|
||||||
file: www/index.css
|
file: www/index.css
|
||||||
name: index.css-v1
|
name: index.css-v2
|
||||||
browser.html:
|
browser.html:
|
||||||
file: www/browser.html
|
file: www/browser.html
|
||||||
name: browser.html-v3
|
name: browser.html-v3
|
||||||
|
@ -325,7 +326,7 @@ configs:
|
||||||
name: deergrove.png-v1
|
name: deergrove.png-v1
|
||||||
authelia.yaml:
|
authelia.yaml:
|
||||||
file: authelia.yaml
|
file: authelia.yaml
|
||||||
name: authelia.yaml-v18
|
name: authelia.yaml-v24
|
||||||
|
|
||||||
secrets:
|
secrets:
|
||||||
passwd:
|
passwd:
|
||||||
|
@ -354,7 +355,7 @@ secrets:
|
||||||
name: session.secret-v1
|
name: session.secret-v1
|
||||||
users.yaml:
|
users.yaml:
|
||||||
file: secrets/users.yaml
|
file: secrets/users.yaml
|
||||||
name: users.yaml-v6
|
name: users.yaml-v9
|
||||||
authelia.oidc.yaml:
|
authelia.oidc.yaml:
|
||||||
file: secrets/authelia.oidc.yaml
|
file: secrets/authelia.oidc.yaml
|
||||||
name: authelia.oidc.yaml-v2
|
name: authelia.oidc.yaml-v2
|
||||||
|
|
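Review bot: The added `extra_hosts` entry `host.lan:128.165.86.2` points at an address outside the private ranges, while the LAN upstreams visible in this commit's Caddyfile section use `192.168.86.x` (`192.168.86.2:5801`, `192.168.86.20:80`). If the LAN host was meant, this looks like a mistyped prefix, and the container would resolve `host.lan` to an unrelated public address; the line would then read `- host.lan:192.168.86.2`. If the public address is intentional, a short comment saying so would help the next reader.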
|
@ -27,7 +27,7 @@ nav a {
|
||||||
text-decoration: none;
|
text-decoration: none;
|
||||||
white-space: nowrap;
|
white-space: nowrap;
|
||||||
}
|
}
|
||||||
nav a[target] {
|
nav a[data-no-menu] {
|
||||||
display: none;
|
display: none;
|
||||||
}
|
}
|
||||||
nav a:hover {
|
nav a:hover {
|
||||||
|
|
|
@ -22,10 +22,13 @@
|
||||||
<hr>
|
<hr>
|
||||||
<a href="/octoprint/" data-icon="/octoprint/static/img/logo.png" title="3D Printer Front-End">Octoprint</a>
|
<a href="/octoprint/" data-icon="/octoprint/static/img/logo.png" title="3D Printer Front-End">Octoprint</a>
|
||||||
|
|
||||||
<!-- Items that launch a new tab don't appear in the top menu -->
|
<!-- Items that don't appear in the top menu -->
|
||||||
<a href="https://git.woozle.org" target="_blank" data-icon="https://git.woozle.org/assets/img/logo.svg" title="Git repositories">Git</a>
|
<a href="https://git.woozle.org" target="_blank" data-no-menu data-icon="https://git.woozle.org/assets/img/logo.svg" title="Git repositories">Git</a>
|
||||||
<a href="https://drive.woozle.org/" target="_blank" data-icon="/public/icons/cloud-folder.png" titled="Shared storage">Drive</a>
|
<a href="https://drive.woozle.org/" target="_blank" data-no-menu data-icon="/public/icons/cloud-folder.png" titled="Shared storage">Drive</a>
|
||||||
<a href="https://ancestry.woozle.org/" target="_blank" data-icon="https://ancestry.woozle.org/images/favicon_gwd.png" title="Genealogy">Ancestry</a>
|
<a href="https://ancestry.woozle.org/" target="_blank" data-no-menu data-icon="https://ancestry.woozle.org/images/arbre_start.png" title="Genealogy">Ancestry</a>
|
||||||
|
|
||||||
|
<hr>
|
||||||
|
<a href="https://auth.woozle.org/logout/" target="_top" data-icon="" title="Logout">Logout</a>
|
||||||
</nav>
|
</nav>
|
||||||
<section id="app">
|
<section id="app">
|
||||||
<iframe></iframe>
|
<iframe></iframe>
|
||||||
|
|
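Review bot: The Drive entry still loads its icon from `/public/icons/cloud-folder.png` on this host, but the Caddyfile section of this commit deletes the `handle_path /public/*` file server and no visible Authelia rule matches `^/public/`, so the image will presumably stop resolving unless `/www` carries its own copy. Either keep a `/public/` handler or point `data-icon` at a file that is still served. The same line has `titled="Shared storage"`, which is not the `title` attribute, so the `icon.alt = link.title` added in the script section of this commit gets an empty string for Drive; `title="Shared storage"` fixes it.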
|
@ -72,9 +72,12 @@ function init() {
|
||||||
let dlink = icons.appendChild(link.cloneNode(true))
|
let dlink = icons.appendChild(link.cloneNode(true))
|
||||||
dlink.textContent = ""
|
dlink.textContent = ""
|
||||||
|
|
||||||
if (link.dataset.icon) {
|
if (link.dataset.icon == "") {
|
||||||
|
dlink.remove()
|
||||||
|
} else if (link.dataset.icon) {
|
||||||
let icon = dlink.appendChild(doc.createElement("img"))
|
let icon = dlink.appendChild(doc.createElement("img"))
|
||||||
icon.src = link.dataset.icon
|
icon.src = link.dataset.icon
|
||||||
|
icon.alt = link.title
|
||||||
icon.style.objectFit = "cover"
|
icon.style.objectFit = "cover"
|
||||||
} else {
|
} else {
|
||||||
let text = dlink.appendChild(doc.createElement("div"))
|
let text = dlink.appendChild(doc.createElement("div"))
|
||||||
|
|
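Review bot: `icon.alt = link.title` leaves the image without alternative text whenever a link has no `title` attribute, and since `dlink.textContent` was cleared just above, such a link ends up with no accessible name. Falling back to the link text covers that case: `icon.alt = link.title || link.textContent`. The new first branch would also read more clearly with strict equality, `if (link.dataset.icon === "")`, and the empty-icon case could be checked before `icons.appendChild(...)` instead of appending the clone and then removing it. The enclosing loop in `init()` starts above the hunk and continues below it.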