Fix deergrove portal, finer-grained permissions

This commit is contained in:
Neale Pickett 2023-02-07 11:08:20 -07:00
parent 1bf3249d49
commit 30b7290e31
6 changed files with 61 additions and 60 deletions


@ -8,17 +8,22 @@
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
} }
# This has to be at the same level as other `handle` directives,
# since `handle` is a mutually-exclusive thingy.
# https://caddy.community/t/copy-header-into-new-header-iff-it-is-set/18827
(restricted-access) { (restricted-access) {
@noauth header !Authorization
handle @noauth {
forward_auth authelia:9091 {
import authelia
}
}
handle { handle {
forward_auth authelia:9091 { @noauth header !Authorization
import authelia handle @noauth {
header_up Proxy-Authorization {header.authorization} forward_auth authelia:9091 {
import authelia
}
}
handle {
forward_auth authelia:9091 {
import authelia
header_up Proxy-Authorization {header.authorization}
}
} }
} }
} }
@ -62,84 +67,53 @@ ancestry.woozle.org {
## handle_path truncates path ## handle_path truncates path
## ##
(deergrove) { deergrove.woozle.org {
import restricted-access
handle_path /ddns/* { handle_path /ddns/* {
import restricted-access
reverse_proxy ddns:8000 reverse_proxy ddns:8000
} }
handle /transmission/* { handle /transmission/* {
import restricted-access
reverse_proxy host.docker.internal:9091 reverse_proxy host.docker.internal:9091
} }
handle /nzbget/* { handle /nzbget/* {
import restricted-access
reverse_proxy nzbget:6789 reverse_proxy nzbget:6789
} }
handle /sonarr/* { handle /sonarr/* {
import restricted-access
reverse_proxy sonarr:8989 reverse_proxy sonarr:8989
} }
handle /radarr/* { handle /radarr/* {
import restricted-access
reverse_proxy radarr:7878 reverse_proxy radarr:7878
} }
handle /readarr/* { handle /readarr/* {
import restricted-access
reverse_proxy readarr:8787 reverse_proxy readarr:8787
} }
handle /lidarr/* { handle /lidarr/* {
import restricted-access
reverse_proxy lidarr:8686 reverse_proxy lidarr:8686
} }
handle /prowlarr/* { handle /prowlarr/* {
import restricted-access
reverse_proxy prowlarr:9696 reverse_proxy prowlarr:9696
} }
handle_path /sucker/* { handle_path /sucker/* {
import restricted-access
reverse_proxy 192.168.86.2:5801 reverse_proxy 192.168.86.2:5801
} }
# Octoprint serves up broken webcam URLs
uri replace /webcam/ /octoprint/webcam/
handle_path /octoprint/* { handle_path /octoprint/* {
import restricted-access
reverse_proxy { reverse_proxy {
to 192.168.86.20:80 to 192.168.86.20:80
header_up X-Script-Name "/octoprint" header_up X-Script-Name "/octoprint"
} }
} }
handle /webcam/* {
# Octoprint doesn't properly prefix webcam URLs
import restricted-access
reverse_proxy {
to 192.168.86.20:80
}
}
handle_path /public/* {
file_server {
root /srv/storage/public
}
}
handle { handle {
import restricted-access
file_server { file_server {
root /www root /www
} }
} }
} }
deergrove.woozle.org {
import deergrove
}
sweetums.lan {
tls internal
import deergrove
}
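Review bot: The new `handle_path /public/*` block is the only handler on deergrove.woozle.org without `import restricted-access`, so requests to it never pass through `forward_auth` and Authelia's rules are not consulted; everything under `/srv/storage/public` is served to anyone who can reach the host. That looks intentional given the name and the matching `^/storage/public/` bypass rule for drive.woozle.org, but the block deserves a comment so the next edit does not drop files there by accident, e.g. `# Intentionally unauthenticated: Authelia is never consulted for /public/*, everything under /srv/storage/public is world-readable`. On the first hunk, the `header_up Proxy-Authorization {header.authorization}` line is pre-existing, but now that it sits inside the restructured outer `handle` a one-line comment on why the client's Authorization header is copied across (presumably so Authelia can evaluate credentials sent that way — confirm) would help readers of the snippet.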


@ -24,19 +24,38 @@ access_control:
default_policy: deny default_policy: deny
rules: rules:
- domain: deergrove.woozle.org - domain: deergrove.woozle.org
subject:
- "group:octoprint"
resources:
- '^/octoprint/'
- '^/webcam/'
policy: one_factor
- domain: deergrove.woozle.org
subject:
- "group:media"
resources:
- '^/[a-z]+arr/'
- '^/nzbget/'
- '^/transmission/'
- '^/sucker/'
policy: one_factor
- domain: deergrove.woozle.org
resources:
- '^/[a-z.]*$'
policy: one_factor policy: one_factor
- domain: drive.woozle.org - domain: drive.woozle.org
policy: bypass
methods: methods:
- HEAD - HEAD
- GET - GET
- PROPFIND - PROPFIND
resources: resources:
- '^/storage/public/' - '^/storage/public/'
policy: bypass
- domain: drive.woozle.org - domain: drive.woozle.org
policy: one_factor
subject: subject:
- "group:storage" - "group:storage"
resources: resources:
@ -47,9 +66,9 @@ access_control:
- '^/storage/(?P<Group>\w+)/' - '^/storage/(?P<Group>\w+)/'
- '^/storage/shared/' - '^/storage/shared/'
- '^/storage/public/' - '^/storage/public/'
policy: one_factor
- domain: drive.woozle.org - domain: drive.woozle.org
policy: one_factor
methods: methods:
- HEAD - HEAD
- GET - GET
@ -59,4 +78,5 @@ access_control:
- '^/incoming/' - '^/incoming/'
- '^/media/' - '^/media/'
- '^/storage/shared/' - '^/storage/shared/'
policy: one_factor
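Review bot: The catch-all rule for deergrove.woozle.org only admits resources matching `^/[a-z.]*$`, so any root-level portal asset whose name contains a digit, hyphen, uppercase letter or a subdirectory falls through to `default_policy: deny`. That is fail-closed, which is the right direction, but nothing in the file says so; a comment on the rule such as `# Root-level portal files only (lowercase + dots); anything else on this host is denied by default_policy` would save the next person a 403 hunt. The group:media resource `^/[a-z]+arr/` is also broader than the five *arr paths the Caddyfile actually routes; listing them explicitly, or noting that the pattern is deliberate, makes the permission boundary easier to audit. Authelia applies the first matching rule, so keep the subject-restricted octoprint and media rules above the catch-all if its pattern is ever widened.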


@ -40,6 +40,7 @@ services:
target: /browser.html target: /browser.html
extra_hosts: extra_hosts:
- host.docker.internal:host-gateway - host.docker.internal:host-gateway
- host.lan:128.165.86.2
authelia: authelia:
image: authelia/authelia image: authelia/authelia
@ -307,16 +308,16 @@ configs:
name: Corefile-v4 name: Corefile-v4
Caddyfile: Caddyfile:
file: Caddyfile file: Caddyfile
name: Caddyfile-v103 name: Caddyfile-v110
index.html: index.html:
file: www/index.html file: www/index.html
name: index.html-v36 name: index.html-v41
index.mjs: index.mjs:
file: www/index.mjs file: www/index.mjs
name: index.mjs-v1 name: index.mjs-v8
index.css: index.css:
file: www/index.css file: www/index.css
name: index.css-v1 name: index.css-v2
browser.html: browser.html:
file: www/browser.html file: www/browser.html
name: browser.html-v3 name: browser.html-v3
@ -325,7 +326,7 @@ configs:
name: deergrove.png-v1 name: deergrove.png-v1
authelia.yaml: authelia.yaml:
file: authelia.yaml file: authelia.yaml
name: authelia.yaml-v18 name: authelia.yaml-v24
secrets: secrets:
passwd: passwd:
@ -354,7 +355,7 @@ secrets:
name: session.secret-v1 name: session.secret-v1
users.yaml: users.yaml:
file: secrets/users.yaml file: secrets/users.yaml
name: users.yaml-v6 name: users.yaml-v9
authelia.oidc.yaml: authelia.oidc.yaml:
file: secrets/authelia.oidc.yaml file: secrets/authelia.oidc.yaml
name: authelia.oidc.yaml-v2 name: authelia.oidc.yaml-v2
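Review bot: The added `extra_hosts` entry maps `host.lan` to `128.165.86.2`, which is a publicly routed address, while every other host address in this commit is in `192.168.86.0/24` (for example the `/sucker/` proxy target `192.168.86.2:5801` in the Caddyfile). This looks like a typo for `192.168.86.2` — please confirm before it ships, since a container resolving `host.lan` would otherwise send that traffic off the LAN. The remaining hunks in this section are config-name version bumps.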


@ -27,7 +27,7 @@ nav a {
text-decoration: none; text-decoration: none;
white-space: nowrap; white-space: nowrap;
} }
nav a[target] { nav a[data-no-menu] {
display: none; display: none;
} }
nav a:hover { nav a:hover {


@ -22,10 +22,13 @@
<hr> <hr>
<a href="/octoprint/" data-icon="/octoprint/static/img/logo.png" title="3D Printer Front-End">Octoprint</a> <a href="/octoprint/" data-icon="/octoprint/static/img/logo.png" title="3D Printer Front-End">Octoprint</a>
<!-- Items that launch a new tab don't appear in the top menu --> <!-- Items that don't appear in the top menu -->
<a href="https://git.woozle.org" target="_blank" data-icon="https://git.woozle.org/assets/img/logo.svg" title="Git repositories">Git</a> <a href="https://git.woozle.org" target="_blank" data-no-menu data-icon="https://git.woozle.org/assets/img/logo.svg" title="Git repositories">Git</a>
<a href="https://drive.woozle.org/" target="_blank" data-icon="/public/icons/cloud-folder.png" titled="Shared storage">Drive</a> <a href="https://drive.woozle.org/" target="_blank" data-no-menu data-icon="/public/icons/cloud-folder.png" titled="Shared storage">Drive</a>
<a href="https://ancestry.woozle.org/" target="_blank" data-icon="https://ancestry.woozle.org/images/favicon_gwd.png" title="Genealogy">Ancestry</a> <a href="https://ancestry.woozle.org/" target="_blank" data-no-menu data-icon="https://ancestry.woozle.org/images/arbre_start.png" title="Genealogy">Ancestry</a>
<hr>
<a href="https://auth.woozle.org/logout/" target="_top" data-icon="" title="Logout">Logout</a>
</nav> </nav>
<section id="app"> <section id="app">
<iframe></iframe> <iframe></iframe>
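Review bot: The Drive link on the modified line still carries `titled="Shared storage"` instead of `title=`, so `link.title` is empty for it; with the new `icon.alt = link.title` in index.mjs that icon ends up with an empty alt and no tooltip. Change it to `title="Shared storage"`. The three external links open with `target="_blank"` and no `rel`; current browsers imply `noopener` for `_blank`, but adding `rel="noopener noreferrer"` keeps the portal from handing its window handle to those sites in browsers that do not.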


@ -72,9 +72,12 @@ function init() {
let dlink = icons.appendChild(link.cloneNode(true)) let dlink = icons.appendChild(link.cloneNode(true))
dlink.textContent = "" dlink.textContent = ""
if (link.dataset.icon) { if (link.dataset.icon == "") {
dlink.remove()
} else if (link.dataset.icon) {
let icon = dlink.appendChild(doc.createElement("img")) let icon = dlink.appendChild(doc.createElement("img"))
icon.src = link.dataset.icon icon.src = link.dataset.icon
icon.alt = link.title
icon.style.objectFit = "cover" icon.style.objectFit = "cover"
} else { } else {
let text = dlink.appendChild(doc.createElement("div")) let text = dlink.appendChild(doc.createElement("div"))
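Review bot: The new branch `if (link.dataset.icon == "")` uses loose equality; `===` is the idiomatic form and makes explicit that only an empty `data-icon` attribute (the Logout link) drops the entry, while an absent attribute (`undefined`) still falls through to the text fallback. A short comment on that branch would help, e.g. `// data-icon="" means: no entry in the icon bar (used by Logout)`. The added `icon.alt = link.title` is only as good as the anchors' `title` attributes — the Drive link in index.html uses `titled=`, so its alt comes out empty. `init()` starts and ends outside this hunk.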