From befbffb12edf052ac754c067da7d4cf1847c94d6 Mon Sep 17 00:00:00 2001 From: Neale Pickett Date: Sun, 26 Feb 2023 20:40:10 -0700 Subject: [PATCH] Move back to simpleauth --- homelab/Caddyfile | 28 ++--------- homelab/Corefile | 2 +- homelab/authelia.yaml | 97 ------------------------------------- homelab/docker-compose.yaml | 67 ++++++++++--------------- homelab/www/index.mjs | 5 +- 5 files changed, 33 insertions(+), 166 deletions(-) delete mode 100644 homelab/authelia.yaml diff --git a/homelab/Caddyfile b/homelab/Caddyfile index 3b8bbd1..aa85e43 100644 --- a/homelab/Caddyfile +++ b/homelab/Caddyfile @@ -3,32 +3,12 @@ #debug } -(authelia) { - uri /api/verify?rd=https://auth.woozle.org/ - copy_headers Remote-User Remote-Groups Remote-Name Remote-Email -} - -# This has to be at the same level as other `handle` directives, -# since `handle` is a mutually-exclusive thingy. -# https://caddy.community/t/copy-header-into-new-header-iff-it-is-set/18827 (restricted-access) { - @noAuth header !Authorization - @hasAuth not header !Authorization - forward_auth @noAuth authelia:9091 { - import authelia + forward_auth simpleauth:8080 { + uri / + copy_headers X-Simpleauth-Username + header_down X-Simpleauth-Domain "woozle.org" } - forward_auth @hasAuth authelia:9091 { - import authelia - header_up Proxy-Authorization {header.authorization} - } - - # XXX: If the client sends an "Accept" header, Authelia returns 401 with no Www-Authenticate header, violating HTTP - @unauthorized `{err.status_code} == 401` - header @unauthorized Www-Authenticate "Basic realm=goober" -} - -auth.woozle.org { - reverse_proxy authelia:9091 } git.woozle.org { diff --git a/homelab/Corefile b/homelab/Corefile index 33368bb..3369baa 100644 --- a/homelab/Corefile +++ b/homelab/Corefile @@ -1,5 +1,5 @@ . { - bind lan + bind 192.168.86.2 hosts { 192.168.86.2 sweetums.woozle.org deergrove.woozle.org drive.woozle.org git.woozle.org ancestry.woozle.org media.woozle.org auth.woozle.org fallthrough 
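Review bot: `copy_headers X-Simpleauth-Username` in the new `(restricted-access)` snippet is the only thing that carries identity to the protected upstream, so a client that sends its own `X-Simpleauth-Username` header must not be able to keep it if simpleauth's response omits that header; unless this Caddy version's copy_headers is known to always overwrite, add `request_header -X-Simpleauth-Username` to the snippet (Caddy orders request_header before forward_auth) so the inbound value is cleared before the auth result is copied in. The `header_down X-Simpleauth-Domain "woozle.org"` line appears to act on the auth server's response rather than the protected app's, so it only reaches the client on a non-2xx auth reply; a one-line comment such as `# sent to the browser with simpleauth's login response` would make that intent explicit. The whole snippet lies within the hunk.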
diff --git a/homelab/authelia.yaml b/homelab/authelia.yaml deleted file mode 100644 index 99856d2..0000000 --- a/homelab/authelia.yaml +++ /dev/null @@ -1,97 +0,0 @@ -log: - level: info # error, warn, [info], debug, trace -authentication_backend: - password_reset: - disable: true - file: - path: /run/secrets/users.yaml -totp: - issuer: woozle.org -session: - domain: woozle.org - same_site: strict - redis: - host: redis - port: 6379 - database_index: 1 -storage: - local: - path: /srv/sys/authelia/db.sqlite3 -notifier: - filesystem: - filename: /run/emails.txt -access_control: - default_policy: deny - rules: - - domain: deergrove.woozle.org - subject: - - "group:octoprint" - resources: - - '^/octoprint/' - - '^/webcam/' - policy: one_factor - - - domain: deergrove.woozle.org - subject: - - "group:media" - resources: - - '^/[a-z]+arr/' - - '^/nzbget/' - - '^/transmission/' - - '^/sucker/' - - '^/unmanic/' - policy: one_factor - - - domain: deergrove.woozle.org - resources: - - '^/[a-z.]*$' - - '^/netdata/' - policy: one_factor - - - domain: drive.woozle.org - methods: - - HEAD - - GET - - PROPFIND - resources: - - '^/storage/public/' - policy: bypass - - - domain: drive.woozle.org - subject: - - "group:storage" - resources: - - '^/incoming/' - - '^/media/' - - '^/storage/(README.md)?$' - - '^/storage/(?P\w+)/' - - '^/storage/(?P\w+)/' - - '^/storage/shared/' - - '^/storage/public/' - policy: one_factor - - - domain: drive.woozle.org - methods: - - HEAD - - GET - - PROPFIND - - OPTIONS - resources: - - '^/(README.md)?$' - - '^/incoming/' - - '^/media/' - - '^/storage/shared/' - policy: one_factor - - - domain: photos.woozle.org - resources: - - '^(/pgapi)?/gallery/(?P\w+)' - - '^(/pgapi)?/gallery/(?P\w+)' - - '^(/pgapi)?/gallery/content/' - policy: one_factor - - domain: photos.woozle.org - resources: - - '^(/pgapi)?/gallery/.' - policy: deny - - domain: photos.woozle.org - policy: one_factor 
diff --git a/homelab/docker-compose.yaml b/homelab/docker-compose.yaml index 235500a..2ceadd3 100644 --- a/homelab/docker-compose.yaml +++ b/homelab/docker-compose.yaml @@ -44,42 +44,29 @@ services: - host.docker.internal:host-gateway - host.lan:192.168.86.2 - authelia: - image: authelia/authelia - environment: - AUTHELIA_JWT_SECRET_FILE: /run/secrets/jwt.secret - AUTHELIA_SESSION_SECRET_FILE: /run/secrets/session.secret - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /run/secrets/storage.secret + simpleauth: + image: git.woozle.org/neale/simpleauth secrets: - - jwt.secret - - session.secret - - storage.secret - - users.yaml - - authelia.oidc.yaml - configs: - - source: authelia.yaml - target: /authelia.yaml - command: - - authelia - - --config=/authelia.yaml - - --config=/run/secrets/authelia.oidc.yaml - volumes: - - type: bind - source: /srv/sys/authelia - target: /srv/sys/authelia + - passwd + - simpleauth.key - # Authelia wants this - redis: - image: redis:alpine - command: - - redis-server - - --save - - "60" - - "1" + jellyfin: + image: jellyfin/jellyfin + deploy: + replicas: 0 + environment: + TZ: US/Mountain volumes: - type: bind - source: /srv/sys/redis - target: /data + source: /srv/sys/jellyfin/config + target: /config + - type: bind + source: /srv/sys/jellyfin/cache + target: /cache + - type: bind + source: /srv/media/ + target: /srv/media/ + read_only: true plex: image: lscr.io/linuxserver/plex:latest @@ -93,8 +80,8 @@ services: source: /srv/sys/plex target: /config - type: bind - source: /srv - target: /srv + source: /srv/media/ + target: /srv/media/ read_only: true pigallery2: @@ -115,7 +102,7 @@ services: read_only: true transmission: - image: lscr.io/linuxserver/transmission + image: lscr.io/linuxserver/transmission:latest volumes: - type: bind source: /srv/sys/transmission @@ -293,7 +280,6 @@ services: target: 139 - published: 445 target: 445 - webdav: image: micromata/dave volumes: 
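Review bot: `image: git.woozle.org/neale/simpleauth` in the new simpleauth service carries no tag or digest, so every pull takes whatever the registry currently calls latest, and the service that gates access to everything else is the one least suited to an unpinned image; pin it, e.g. `image: git.woozle.org/neale/simpleauth:<TAG-OR-DIGEST>` (placeholder). The same applies to `image: jellyfin/jellyfin` in this hunk and to the `lscr.io/linuxserver/transmission:latest` change in the @@ -115 hunk, where `:latest` is spelled out but is still a moving target. The `passwd` and `simpleauth.key` secrets are declared here without any hint of where the container expects them; a short comment naming the paths simpleauth reads them from would help the next person.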
@@ -347,16 +333,16 @@ configs: name: dave.yaml-v3 Corefile: file: Corefile - name: Corefile-v4 + name: Corefile-v5 Caddyfile: file: Caddyfile - name: Caddyfile-v133 + name: Caddyfile-v135 index.html: file: www/index.html name: index.html-v43 index.mjs: file: www/index.mjs - name: index.mjs-v12 + name: index.mjs-v14 index.css: file: www/index.css name: index.css-v2 @@ -369,9 +355,6 @@ configs: deergrove.png: file: www/deergrove.png name: deergrove.png-v1 - authelia.yaml: - file: authelia.yaml - name: authelia.yaml-v36 netdata.conf: file: netdata.conf name: netdata.conf-v1 diff --git a/homelab/www/index.mjs b/homelab/www/index.mjs index 65264b2..68b1144 100644 --- a/homelab/www/index.mjs +++ b/homelab/www/index.mjs @@ -65,9 +65,10 @@ async function init() { let icons = doc.body.appendChild(doc.createElement("section")) icons.classList.add("icons") - let nav = document.querySelector("nav") - let resp = await fetch("portal.json") + let portalURL = new URL("portal.json", window.location) + let resp = await fetch(portalURL) let obj = await resp.json() + let nav = document.querySelector("nav") for (let app of obj) { let hlink = null if (app.target != "_blank") {
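Review bot: `let obj = await resp.json()` right after the new `fetch(portalURL)` still runs on a non-2xx response, and with this commit fronting the site with simpleauth a 401 or login page could surface as an opaque JSON SyntaxError; add `if (!resp.ok) throw new Error(`portal.json: HTTP ${resp.status}`)` between the fetch and the parse. Moving `let nav = document.querySelector("nav")` below the await is fine but it queries `document` while the lines above use `doc`; a comment stating whether those are the same document would avoid the question. init() starts before and continues past this hunk.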