Fix deergrove portal, finer-grained permissions
parent
1bf3249d49
commit
30b7290e31
|
@ -8,17 +8,22 @@
|
|||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||
}
|
||||
|
||||
# This has to be at the same level as other `handle` directives,
|
||||
# since `handle` is a mutually-exclusive thingy.
|
||||
# https://caddy.community/t/copy-header-into-new-header-iff-it-is-set/18827
|
||||
(restricted-access) {
|
||||
@noauth header !Authorization
|
||||
handle @noauth {
|
||||
forward_auth authelia:9091 {
|
||||
import authelia
|
||||
}
|
||||
}
|
||||
handle {
|
||||
forward_auth authelia:9091 {
|
||||
import authelia
|
||||
header_up Proxy-Authorization {header.authorization}
|
||||
@noauth header !Authorization
|
||||
handle @noauth {
|
||||
forward_auth authelia:9091 {
|
||||
import authelia
|
||||
}
|
||||
}
|
||||
handle {
|
||||
forward_auth authelia:9091 {
|
||||
import authelia
|
||||
header_up Proxy-Authorization {header.authorization}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -62,84 +67,53 @@ ancestry.woozle.org {
|
|||
## handle_path truncates path
|
||||
##
|
||||
|
||||
(deergrove) {
|
||||
deergrove.woozle.org {
|
||||
import restricted-access
|
||||
|
||||
handle_path /ddns/* {
|
||||
import restricted-access
|
||||
reverse_proxy ddns:8000
|
||||
}
|
||||
|
||||
handle /transmission/* {
|
||||
import restricted-access
|
||||
reverse_proxy host.docker.internal:9091
|
||||
}
|
||||
|
||||
handle /nzbget/* {
|
||||
import restricted-access
|
||||
reverse_proxy nzbget:6789
|
||||
}
|
||||
|
||||
handle /sonarr/* {
|
||||
import restricted-access
|
||||
reverse_proxy sonarr:8989
|
||||
}
|
||||
handle /radarr/* {
|
||||
import restricted-access
|
||||
reverse_proxy radarr:7878
|
||||
}
|
||||
handle /readarr/* {
|
||||
import restricted-access
|
||||
reverse_proxy readarr:8787
|
||||
}
|
||||
handle /lidarr/* {
|
||||
import restricted-access
|
||||
reverse_proxy lidarr:8686
|
||||
}
|
||||
handle /prowlarr/* {
|
||||
import restricted-access
|
||||
reverse_proxy prowlarr:9696
|
||||
}
|
||||
|
||||
handle_path /sucker/* {
|
||||
import restricted-access
|
||||
reverse_proxy 192.168.86.2:5801
|
||||
}
|
||||
|
||||
# Octoprint serves up broken webcam URLs
|
||||
uri replace /webcam/ /octoprint/webcam/
|
||||
handle_path /octoprint/* {
|
||||
import restricted-access
|
||||
reverse_proxy {
|
||||
to 192.168.86.20:80
|
||||
header_up X-Script-Name "/octoprint"
|
||||
}
|
||||
}
|
||||
|
||||
handle /webcam/* {
|
||||
# Octoprint doesn't properly prefix webcam URLs
|
||||
import restricted-access
|
||||
reverse_proxy {
|
||||
to 192.168.86.20:80
|
||||
}
|
||||
}
|
||||
|
||||
handle_path /public/* {
|
||||
file_server {
|
||||
root /srv/storage/public
|
||||
}
|
||||
}
|
||||
|
||||
handle {
|
||||
import restricted-access
|
||||
file_server {
|
||||
root /www
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
deergrove.woozle.org {
|
||||
import deergrove
|
||||
}
|
||||
|
||||
sweetums.lan {
|
||||
tls internal
|
||||
import deergrove
|
||||
}
|
||||
|
||||
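Review bot: The `forward_auth` calls in `(restricted-access)` are wrapped in `handle @noauth { … }` and `handle { … }`, so once the snippet is imported once at the top of `deergrove.woozle.org` they become siblings of `handle /sonarr/*`, `handle_path /ddns/*` and the other proxy blocks, and Caddy runs only one `handle` of such a group per request. If the per-block `import restricted-access` lines are the removed side (the page has lost its `+`/`-` markers, so this is inferred from the hunk counts and the new comment above the snippet), a request for a proxied path is routed by its own path `handle` and may never reach Authelia. Moving the auth step out of `handle`, for example `forward_auth @noauth authelia:9091 { import authelia }` plus a second named matcher for requests that carry `Authorization`, keeps it ahead of every route. Either way, check after deploying that a request without a session to each proxied path is sent to the login page rather than to the backend.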
|
|
|
@ -24,19 +24,38 @@ access_control:
|
|||
default_policy: deny
|
||||
rules:
|
||||
- domain: deergrove.woozle.org
|
||||
subject:
|
||||
- "group:octoprint"
|
||||
resources:
|
||||
- '^/octoprint/'
|
||||
- '^/webcam/'
|
||||
policy: one_factor
|
||||
|
||||
- domain: deergrove.woozle.org
|
||||
subject:
|
||||
- "group:media"
|
||||
resources:
|
||||
- '^/[a-z]+arr/'
|
||||
- '^/nzbget/'
|
||||
- '^/transmission/'
|
||||
- '^/sucker/'
|
||||
policy: one_factor
|
||||
|
||||
- domain: deergrove.woozle.org
|
||||
resources:
|
||||
- '^/[a-z.]*$'
|
||||
policy: one_factor
|
||||
|
||||
- domain: drive.woozle.org
|
||||
policy: bypass
|
||||
methods:
|
||||
- HEAD
|
||||
- GET
|
||||
- PROPFIND
|
||||
resources:
|
||||
- '^/storage/public/'
|
||||
policy: bypass
|
||||
|
||||
- domain: drive.woozle.org
|
||||
policy: one_factor
|
||||
subject:
|
||||
- "group:storage"
|
||||
resources:
|
||||
|
@ -47,9 +66,9 @@ access_control:
|
|||
- '^/storage/(?P<Group>\w+)/'
|
||||
- '^/storage/shared/'
|
||||
- '^/storage/public/'
|
||||
policy: one_factor
|
||||
|
||||
- domain: drive.woozle.org
|
||||
policy: one_factor
|
||||
methods:
|
||||
- HEAD
|
||||
- GET
|
||||
|
@ -59,4 +78,5 @@ access_control:
|
|||
- '^/incoming/'
|
||||
- '^/media/'
|
||||
- '^/storage/shared/'
|
||||
policy: one_factor
|
||||
|
||||
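Review bot: None of the new `deergrove.woozle.org` rules matches `/ddns/`, while the Caddyfile in this commit still routes `handle_path /ddns/*`; with `default_policy: deny` any such request that reaches Authelia is refused. That fails closed, so it is an availability concern rather than an exposure. If the DDNS endpoint is still meant to be used it needs its own rule with an explicit `subject`, placed before the `'^/[a-z.]*$'` rule. That last rule has no `subject`, so every authenticated user passes it; a comment such as `# portal page and its top-level assets: any logged-in user` would record that this is deliberate. Which lines are old and which are new is inferred here, since the rendering does not mark them.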
|
|
|
@ -40,6 +40,7 @@ services:
|
|||
target: /browser.html
|
||||
extra_hosts:
|
||||
- host.docker.internal:host-gateway
|
||||
- host.lan:128.165.86.2
|
||||
|
||||
authelia:
|
||||
image: authelia/authelia
|
||||
|
@ -307,16 +308,16 @@ configs:
|
|||
name: Corefile-v4
|
||||
Caddyfile:
|
||||
file: Caddyfile
|
||||
name: Caddyfile-v103
|
||||
name: Caddyfile-v110
|
||||
index.html:
|
||||
file: www/index.html
|
||||
name: index.html-v36
|
||||
name: index.html-v41
|
||||
index.mjs:
|
||||
file: www/index.mjs
|
||||
name: index.mjs-v1
|
||||
name: index.mjs-v8
|
||||
index.css:
|
||||
file: www/index.css
|
||||
name: index.css-v1
|
||||
name: index.css-v2
|
||||
browser.html:
|
||||
file: www/browser.html
|
||||
name: browser.html-v3
|
||||
|
@ -325,7 +326,7 @@ configs:
|
|||
name: deergrove.png-v1
|
||||
authelia.yaml:
|
||||
file: authelia.yaml
|
||||
name: authelia.yaml-v18
|
||||
name: authelia.yaml-v24
|
||||
|
||||
secrets:
|
||||
passwd:
|
||||
|
@ -354,7 +355,7 @@ secrets:
|
|||
name: session.secret-v1
|
||||
users.yaml:
|
||||
file: secrets/users.yaml
|
||||
name: users.yaml-v6
|
||||
name: users.yaml-v9
|
||||
authelia.oidc.yaml:
|
||||
file: secrets/authelia.oidc.yaml
|
||||
name: authelia.oidc.yaml-v2
|
||||
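Review bot: `host.lan:128.165.86.2` in `extra_hosts` is an address outside the private ranges, while the Caddyfile in the same commit proxies to `192.168.86.2` and `192.168.86.20`. If the LAN host is what is meant, this looks like a typo, and the container would send traffic for `host.lan` off the local network. `- host.lan:192.168.86.2` would match the rest of the configuration; if the public address is intended, a comment saying so would help the next reader.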
|
|
|
@ -27,7 +27,7 @@ nav a {
|
|||
text-decoration: none;
|
||||
white-space: nowrap;
|
||||
}
|
||||
nav a[target] {
|
||||
nav a[data-no-menu] {
|
||||
display: none;
|
||||
}
|
||||
nav a:hover {
|
||||
|
|
|
@ -22,10 +22,13 @@
|
|||
<hr>
|
||||
<a href="/octoprint/" data-icon="/octoprint/static/img/logo.png" title="3D Printer Front-End">Octoprint</a>
|
||||
|
||||
<!-- Items that launch a new tab don't appear in the top menu -->
|
||||
<a href="https://git.woozle.org" target="_blank" data-icon="https://git.woozle.org/assets/img/logo.svg" title="Git repositories">Git</a>
|
||||
<a href="https://drive.woozle.org/" target="_blank" data-icon="/public/icons/cloud-folder.png" titled="Shared storage">Drive</a>
|
||||
<a href="https://ancestry.woozle.org/" target="_blank" data-icon="https://ancestry.woozle.org/images/favicon_gwd.png" title="Genealogy">Ancestry</a>
|
||||
<!-- Items that don't appear in the top menu -->
|
||||
<a href="https://git.woozle.org" target="_blank" data-no-menu data-icon="https://git.woozle.org/assets/img/logo.svg" title="Git repositories">Git</a>
|
||||
<a href="https://drive.woozle.org/" target="_blank" data-no-menu data-icon="/public/icons/cloud-folder.png" titled="Shared storage">Drive</a>
|
||||
<a href="https://ancestry.woozle.org/" target="_blank" data-no-menu data-icon="https://ancestry.woozle.org/images/arbre_start.png" title="Genealogy">Ancestry</a>
|
||||
|
||||
<hr>
|
||||
<a href="https://auth.woozle.org/logout/" target="_top" data-icon="" title="Logout">Logout</a>
|
||||
</nav>
|
||||
<section id="app">
|
||||
<iframe></iframe>
|
||||
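Review bot: The Drive link still spells its tooltip attribute `titled="Shared storage"`, so the element has no `title`, and the icon built in `index.mjs` (`icon.alt = link.title`) gets an empty alt text. It should read `title="Shared storage"`. The three `target="_blank"` links to other origins could also carry `rel="noopener noreferrer"`, so that older browsers do not hand the new tab a `window.opener` reference and the portal URL is not sent as a referrer.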
|
|
|
@ -72,9 +72,12 @@ function init() {
|
|||
let dlink = icons.appendChild(link.cloneNode(true))
|
||||
dlink.textContent = ""
|
||||
|
||||
if (link.dataset.icon) {
|
||||
if (link.dataset.icon == "") {
|
||||
dlink.remove()
|
||||
} else if (link.dataset.icon) {
|
||||
let icon = dlink.appendChild(doc.createElement("img"))
|
||||
icon.src = link.dataset.icon
|
||||
icon.alt = link.title
|
||||
icon.style.objectFit = "cover"
|
||||
} else {
|
||||
let text = dlink.appendChild(doc.createElement("div"))
|
||||
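Review bot: `link.dataset.icon == ""` uses loose equality; `dataset.icon` is either a string or `undefined`, so `if (link.dataset.icon === "") {` states the intent exactly. The clone is also appended to `icons` and then removed again for the Logout entry, so testing `data-icon` before the `appendChild` call would avoid that round trip. A short comment such as `// data-icon="" means: no tile for this link` would explain the empty-string convention that `index.html` relies on. `init()` starts and ends outside this hunk.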
|
|