Fix deergrove portal, finer-grained permissions

2023-02-07 11:08:20 -07:00 · 2023-02-07 11:08:20 -07:00 · 30b7290e31
parent 1bf3249d49
commit 30b7290e31
6 changed files with 61 additions and 60 deletions
--- a/homelab/Caddyfile
+++ b/homelab/Caddyfile
@ -8,17 +8,22 @@
  copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
 }
 # This has to be at the same level as other `handle` directives,
 # since `handle` is a mutually-exclusive thingy.
 # https://caddy.community/t/copy-header-into-new-header-iff-it-is-set/18827
 (restricted-access) {
  @noauth header !Authorization
  handle @noauth {
    forward_auth authelia:9091 {
      import authelia
    }
  }
  handle {
-    forward_auth authelia:9091 {
+    @noauth header !Authorization
-      import authelia
+    handle @noauth {
-      header_up Proxy-Authorization {header.authorization}
+      forward_auth authelia:9091 {
        import authelia
      }
    }
    handle {
      forward_auth authelia:9091 {
        import authelia
        header_up Proxy-Authorization {header.authorization}
      }
    }
  }
 }
@ -62,84 +67,53 @@ ancestry.woozle.org {
 ## handle_path truncates path
 ##
-(deergrove) {
+deergrove.woozle.org {
  import restricted-access
  handle_path /ddns/* {
    import restricted-access
    reverse_proxy ddns:8000
  }
  handle /transmission/* {
    import restricted-access
    reverse_proxy host.docker.internal:9091
  }
  handle /nzbget/* {
    import restricted-access
    reverse_proxy nzbget:6789
  }
  handle /sonarr/* {
    import restricted-access
    reverse_proxy sonarr:8989
  }
  handle /radarr/* {
    import restricted-access
    reverse_proxy radarr:7878
  }
  handle /readarr/* {
    import restricted-access
    reverse_proxy readarr:8787
  }
  handle /lidarr/* {
    import restricted-access
    reverse_proxy lidarr:8686
  }
  handle /prowlarr/* {
    import restricted-access
    reverse_proxy prowlarr:9696
  }
  handle_path /sucker/* {
    import restricted-access
    reverse_proxy 192.168.86.2:5801
  }
  # Octoprint serves up broken webcam URLs
  uri replace /webcam/ /octoprint/webcam/
  handle_path /octoprint/* {
    import restricted-access
    reverse_proxy {
      to 192.168.86.20:80
      header_up X-Script-Name "/octoprint"
    }
  }
  handle /webcam/* {
    # Octoprint doesn't properly prefix webcam URLs
    import restricted-access
    reverse_proxy {
      to 192.168.86.20:80
    }
  }
  handle_path /public/* {
    file_server {
      root /srv/storage/public
    }
  }
  handle {
    import restricted-access
    file_server {
      root /www
    }
  }
 }
 deergrove.woozle.org {
  import deergrove
 }
 sweetums.lan {
  tls internal
  import deergrove
 }
--- a/homelab/authelia.yaml
+++ b/homelab/authelia.yaml
@ -24,19 +24,38 @@ access_control:
  default_policy: deny
  rules:
    - domain: deergrove.woozle.org
      subject:
        - "group:octoprint"
      resources:
        - '^/octoprint/'
        - '^/webcam/'
      policy: one_factor
    - domain: deergrove.woozle.org
      subject:
        - "group:media"
      resources:
        - '^/[a-z]+arr/'
        - '^/nzbget/'
        - '^/transmission/'
        - '^/sucker/'
      policy: one_factor
    - domain: deergrove.woozle.org
      resources:
        - '^/[a-z.]*$'
      policy: one_factor
    - domain: drive.woozle.org
      policy: bypass
      methods:
        - HEAD
        - GET
        - PROPFIND
      resources:
        - '^/storage/public/'
      policy: bypass
    - domain: drive.woozle.org
      policy: one_factor
      subject:
        - "group:storage"
      resources: 
@ -47,9 +66,9 @@ access_control:
        - '^/storage/(?P<Group>\w+)/'
        - '^/storage/shared/'
        - '^/storage/public/'
      policy: one_factor
    - domain: drive.woozle.org
      policy: one_factor
      methods:
        - HEAD
        - GET
@ -59,4 +78,5 @@ access_control:
        - '^/incoming/'
        - '^/media/'
        - '^/storage/shared/'
      policy: one_factor
--- a/homelab/docker-compose.yaml
+++ b/homelab/docker-compose.yaml
@ -40,6 +40,7 @@ services:
        target: /browser.html
    extra_hosts:
      - host.docker.internal:host-gateway
      - host.lan:128.165.86.2
  authelia:
    image: authelia/authelia
@ -307,16 +308,16 @@ configs:
    name: Corefile-v4
  Caddyfile:
    file: Caddyfile
-    name: Caddyfile-v103
+    name: Caddyfile-v110
  index.html:
    file: www/index.html
-    name: index.html-v36
+    name: index.html-v41
  index.mjs:
    file: www/index.mjs
-    name: index.mjs-v1
+    name: index.mjs-v8
  index.css:
    file: www/index.css
-    name: index.css-v1
+    name: index.css-v2
  browser.html:
    file: www/browser.html
    name: browser.html-v3
@ -325,7 +326,7 @@ configs:
    name: deergrove.png-v1
  authelia.yaml:
    file: authelia.yaml
-    name: authelia.yaml-v18
+    name: authelia.yaml-v24
 secrets:
  passwd:
@ -354,7 +355,7 @@ secrets:
    name: session.secret-v1
  users.yaml:
    file: secrets/users.yaml
-    name: users.yaml-v6
+    name: users.yaml-v9
  authelia.oidc.yaml:
    file: secrets/authelia.oidc.yaml
    name: authelia.oidc.yaml-v2
--- a/homelab/www/index.css
+++ b/homelab/www/index.css
@ -27,7 +27,7 @@ nav a {
  text-decoration: none;
  white-space: nowrap;
 }
-nav a[target] {
+nav a[data-no-menu] {
  display: none;
 }
 nav a:hover {
--- a/homelab/www/index.html
+++ b/homelab/www/index.html
@ -22,10 +22,13 @@
      <hr>
      <a href="/octoprint/" data-icon="/octoprint/static/img/logo.png" title="3D Printer Front-End">Octoprint</a>
-      <!-- Items that launch a new tab don't appear in the top menu -->
+      <!-- Items that don't appear in the top menu -->
-      <a href="https://git.woozle.org" target="_blank" data-icon="https://git.woozle.org/assets/img/logo.svg" title="Git repositories">Git</a>
+      <a href="https://git.woozle.org" target="_blank" data-no-menu data-icon="https://git.woozle.org/assets/img/logo.svg" title="Git repositories">Git</a>
-      <a href="https://drive.woozle.org/" target="_blank" data-icon="/public/icons/cloud-folder.png" titled="Shared storage">Drive</a>
+      <a href="https://drive.woozle.org/" target="_blank" data-no-menu data-icon="/public/icons/cloud-folder.png" titled="Shared storage">Drive</a>
-      <a href="https://ancestry.woozle.org/" target="_blank" data-icon="https://ancestry.woozle.org/images/favicon_gwd.png" title="Genealogy">Ancestry</a>
+      <a href="https://ancestry.woozle.org/" target="_blank" data-no-menu data-icon="https://ancestry.woozle.org/images/arbre_start.png" title="Genealogy">Ancestry</a>
      <hr>
      <a href="https://auth.woozle.org/logout/" target="_top" data-icon="" title="Logout">Logout</a>
    </nav>
    <section id="app">
      <iframe></iframe>
--- a/homelab/www/index.mjs
+++ b/homelab/www/index.mjs
@ -72,9 +72,12 @@ function init() {
    let dlink = icons.appendChild(link.cloneNode(true))
    dlink.textContent = ""
-    if (link.dataset.icon) {
+    if (link.dataset.icon == "") {
      dlink.remove()
    } else if (link.dataset.icon) {
      let icon = dlink.appendChild(doc.createElement("img"))
      icon.src = link.dataset.icon
      icon.alt = link.title
      icon.style.objectFit = "cover"
    } else {
      let text = dlink.appendChild(doc.createElement("div"))