From a9e4c9fea149b405e0d62ab1b6db37ded792dc61 Mon Sep 17 00:00:00 2001 From: Neale Pickett Date: Thu, 9 Feb 2023 14:34:56 -0700 Subject: [PATCH] More auth work, ugh --- homelab/Caddyfile | 29 ++++++++++++++++------------- homelab/authelia.yaml | 2 ++ homelab/docker-compose.yaml | 30 ++++++++++++++++++++++++++++-- homelab/{unused => }/netdata.conf | 0 4 files changed, 46 insertions(+), 15 deletions(-) rename homelab/{unused => }/netdata.conf (100%) diff --git a/homelab/Caddyfile b/homelab/Caddyfile index f6a0d7f..5306960 100644 --- a/homelab/Caddyfile +++ b/homelab/Caddyfile @@ -12,20 +12,19 @@ # since `handle` is a mutually-exclusive thingy. # https://caddy.community/t/copy-header-into-new-header-iff-it-is-set/18827 (restricted-access) { - handle { - @noauth header !Authorization - handle @noauth { - forward_auth authelia:9091 { - import authelia - } - } - handle { - forward_auth authelia:9091 { - import authelia - header_up Proxy-Authorization {header.authorization} - } - } + @noAuth header !Authorization + @hasAuth not header !Authorization + forward_auth @noAuth authelia:9091 { + import authelia } + forward_auth @hasAuth authelia:9091 { + import authelia + header_up Proxy-Authorization {header.authorization} + } + + # XXX: If the client sends an "Accept" header, Authelia returns 401 with no Www-Authenticate header, violating HTTP + @unauthorized `{err.status_code} == 401` + header @unauthorized Www-Authenticate "Basic realm=goober" } auth.woozle.org { @@ -102,6 +101,10 @@ deergrove.woozle.org { reverse_proxy host.lan:5801 } + handle_path /netdata/* { + reverse_proxy netdata:19999 + } + # Octoprint serves up broken webcam URLs uri replace /webcam/ /octoprint/webcam/ handle_path /octoprint/* { diff --git a/homelab/authelia.yaml b/homelab/authelia.yaml index eeffdab..059ffc4 100644 --- a/homelab/authelia.yaml +++ b/homelab/authelia.yaml 
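Review bot: The `@unauthorized` matcher on the two added lines at the end of the `(restricted-access)` snippet compares `{err.status_code}`, but as far as I can tell Caddy only populates the `{err.*}` placeholders inside `handle_errors`, and `header` is a request-time directive evaluated before `forward_auth` runs, so the placeholder is empty there and the `Www-Authenticate` fallback will never be attached to Authelia's 401 — the XXX problem stays unsolved. If the goal is a proper challenge for Basic-auth clients, the response-side hook is inside the `@noAuth` `forward_auth` block, which copies non-2xx auth responses back to the client: `header_down +Www-Authenticate "Basic realm=goober"`; that would also decorate a 302 Authelia sends to browser clients, so test both paths before relying on it. A why-comment on `header_up Proxy-Authorization {header.authorization}` would also help, e.g. `# Pass the client's Basic credentials to Authelia; Authelia counts them as first factor only`, since that line is what silently enables Basic auth on every route that imports this snippet.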
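Review bot: The new `handle_path /netdata/*` route proxies a netdata instance whose own web server does no authentication, so everything rests on the enclosing `deergrove.woozle.org` site importing `restricted-access`; the site block's opening line is outside this hunk, so confirm the import is there, otherwise host metrics and netdata's JSON API are reachable by anyone who knows the path. Because `handle_path` strips the prefix, netdata sees requests at `/`, and its dashboard's absolute asset and API URLs may not survive the sub-path, which is worth one manual check after deploy. A one-line comment would save the next reader the same investigation: `# netdata has no auth of its own; gated only by restricted-access / Authelia`.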
@@ -44,6 +44,7 @@ access_control: - domain: deergrove.woozle.org resources: - '^/[a-z.]*$' + - '^/netdata/' policy: one_factor - domain: drive.woozle.org @@ -73,6 +74,7 @@ access_control: - HEAD - GET - PROPFIND + - OPTIONS resources: - '^/(README.md)?$' - '^/incoming/' diff --git a/homelab/docker-compose.yaml b/homelab/docker-compose.yaml index b505696..a2f2899 100644 --- a/homelab/docker-compose.yaml +++ b/homelab/docker-compose.yaml @@ -218,6 +218,29 @@ services: source: /srv/sys/atlas/status target: /var/atlas-probe/status + netdata: + image: netdata/netdata + hostname: "{{.Node.Hostname}}" + environment: + NETDATA_DISABLE_CLOUD: "1" + cap_add: + - SYS_PTRACE + volumes: + - type: bind + source: / + target: /host + read_only: true + - type: bind + source: /srv/sys/netdata/lib + target: /var/lib/netdata + - type: bind + source: /srv/sys/netdata/cache + target: /var/cache/netdata + configs: + - source: netdata.conf + target: /etc/netdata/netdata.conf + + geneweb: image: ravermeister/geneweb volumes: @@ -311,7 +334,7 @@ configs: name: Corefile-v4 Caddyfile: file: Caddyfile - name: Caddyfile-v111 + name: Caddyfile-v120 index.html: file: www/index.html name: index.html-v42 @@ -329,7 +352,10 @@ configs: name: deergrove.png-v1 authelia.yaml: file: authelia.yaml - name: authelia.yaml-v24 + name: authelia.yaml-v28 + netdata.conf: + file: netdata.conf + name: netdata.conf-v1 secrets: passwd: diff --git a/homelab/unused/netdata.conf b/homelab/netdata.conf similarity index 100% rename from homelab/unused/netdata.conf rename to homelab/netdata.conf
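Review bot: The added `'^/netdata/'` resource grants `one_factor` access to the whole netdata tree, which includes its `/api/v1/...` endpoints (host process, disk and network detail), not just the dashboard; if that is more than a first factor should unlock, `two_factor` is the safer policy, and either way a comment such as `# netdata dashboard and its /api/v1 endpoints; netdata itself has no auth` would document the decision. Authelia applies the first matching rule, and the existing `'^/[a-z.]*$'` cannot match a slash, so `/netdata/...` paths land on the new rule regardless of order; bare `/netdata` still matches the earlier rule, which is harmless since Caddy's `handle_path /netdata/*` does not serve it. The rule's `default_policy` fallback is outside the hunk, so unlisted sub-paths on this domain inherit whatever that is.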
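Review bot: The `source: /` bind in the new `netdata` service hands the entire host filesystem (`/etc/shadow`, the secrets under `/srv`, SSH keys) to a container that also serves an unauthenticated HTTP API; `read_only: true` stops writes but not disclosure, so a single netdata bug becomes a host-wide read primitive. That is the upstream-documented mount pattern and the service publishes no `ports:`, so it is acceptable only while the container stays on the stack's internal network and every route to it is Authelia-gated — the `networks:` line is outside the hunk, so confirm it is not reachable from the default ingress. Note also that `cap_add: SYS_PTRACE` on a Swarm service (the `{{.Node.Hostname}}` template and `configs:` indicate `docker stack deploy`) is silently ignored by engines older than 20.10, so check with `docker service inspect` that the capability is actually granted. A why-comment above the mounts, e.g. `# /host: full host rootfs, read-only, for netdata's host collectors; SYS_PTRACE for apps.plugin`, would let the next reviewer tell intent from leftover.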