More auth work, ugh

2023-02-09 14:34:56 -07:00 · 2023-02-09 14:34:56 -07:00 · a9e4c9fea1
parent e10bde0646
commit a9e4c9fea1
4 changed files with 46 additions and 15 deletions
--- a/homelab/Caddyfile
+++ b/homelab/Caddyfile
@ -12,20 +12,19 @@
 # since `handle` is a mutually-exclusive thingy.
 # https://caddy.community/t/copy-header-into-new-header-iff-it-is-set/18827
 (restricted-access) {
-  handle {
-    @noauth header !Authorization
-    handle @noauth {
-      forward_auth authelia:9091 {
-        import authelia
-      }
-    }
-    handle {
-      forward_auth authelia:9091 {
-        import authelia
-        header_up Proxy-Authorization {header.authorization}
-      }
-    }
+  @noAuth header !Authorization
+  @hasAuth not header !Authorization
+  forward_auth @noAuth authelia:9091 {
+    import authelia
  }
+  forward_auth @hasAuth authelia:9091 {
+    import authelia
+    header_up Proxy-Authorization {header.authorization}
+  }
+  
+  # XXX: If the client sends an "Accept" header, Authelia returns 401 with no Www-Authenticate header, violating HTTP
+  @unauthorized `{err.status_code} == 401`
+  header @unauthorized Www-Authenticate "Basic realm=goober"
 }

 auth.woozle.org {
@ -102,6 +101,10 @@ deergrove.woozle.org {
    reverse_proxy host.lan:5801
  }

+  handle_path /netdata/* {
+    reverse_proxy netdata:19999
+  }
+
  # Octoprint serves up broken webcam URLs
  uri replace /webcam/ /octoprint/webcam/
  handle_path /octoprint/* {
--- a/homelab/authelia.yaml
+++ b/homelab/authelia.yaml
@ -44,6 +44,7 @@ access_control:
    - domain: deergrove.woozle.org
      resources:
        - '^/[a-z.]*$'
+        - '^/netdata/'
      policy: one_factor

    - domain: drive.woozle.org
@ -73,6 +74,7 @@ access_control:
        - HEAD
        - GET
        - PROPFIND
+        - OPTIONS
      resources: 
        - '^/(README.md)?$'
        - '^/incoming/'
--- a/homelab/docker-compose.yaml
+++ b/homelab/docker-compose.yaml
@ -218,6 +218,29 @@ services:
        source: /srv/sys/atlas/status
        target: /var/atlas-probe/status

+  netdata:
+    image: netdata/netdata
+    hostname: "{{.Node.Hostname}}"
+    environment:
+      NETDATA_DISABLE_CLOUD: "1"
+    cap_add:
+      - SYS_PTRACE
+    volumes:
+      - type: bind
+        source: /
+        target: /host
+        read_only: true
+      - type: bind
+        source: /srv/sys/netdata/lib
+        target: /var/lib/netdata
+      - type: bind
+        source: /srv/sys/netdata/cache
+        target: /var/cache/netdata
+    configs:
+      - source: netdata.conf
+        target: /etc/netdata/netdata.conf
+     
+
  geneweb:
    image: ravermeister/geneweb
    volumes:
@ -311,7 +334,7 @@ configs:
    name: Corefile-v4
  Caddyfile:
    file: Caddyfile
-    name: Caddyfile-v111
+    name: Caddyfile-v120
  index.html:
    file: www/index.html
    name: index.html-v42
@ -329,7 +352,10 @@ configs:
    name: deergrove.png-v1
  authelia.yaml:
    file: authelia.yaml
-    name: authelia.yaml-v24
+    name: authelia.yaml-v28
+  netdata.conf:
+    file: netdata.conf
+    name: netdata.conf-v1

 secrets:
  passwd:
--- a/homelab/unused/netdata.conf
+++ b/homelab/unused/netdata.conf