strazcetajemstvi 3

new basic auth

Caddyfile.wrapper

@@ -15,6 +15,7 @@
 (common_auth) {
 	basicauth {
 		Standa $2a$14$Qt8qzPSymY09baSwfhTVw./vsB4debh4UcS5Ty/2yg44vXrGnxTz.
+		eit $2a$14$PGERi8FOypvxFoy3vVGPAOgMbP1XZtwe9/4uQVDQeUGOSBqO0SAOO
 	}
 }
 

scripts/deploy_from_git.sh

@@ -2,26 +2,20 @@
 set -euo pipefail
 
 REPO_DIR="/opt/homelab"
-BRANCH="main"
 
-echo "[1/4] Switching to repo..."
+echo "[1/5] Switching to repo..."
 cd "$REPO_DIR"
 
-echo "[2/4] Fetching changes..."
+echo "[2/5] Fetching changes..."
-git fetch origin "$BRANCH"
+git fetch origin
 
-LOCAL="$(git rev-parse HEAD)"
+echo "[3/5] Resetting to origin/main..."
-REMOTE="$(git rev-parse origin/$BRANCH)"
+git reset --hard origin/main
 
-if [[ "$LOCAL" == "$REMOTE" ]]; then
+echo "[4/5] Cleaning untracked files..."
-    echo "[3/4] No changes to deploy."
+git clean -fd
-    exit 0
-fi
 
-echo "[3/4] Pulling latest changes..."
+echo "[5/5] Running deploy..."
-git pull --ff-only origin "$BRANCH"
+./scripts/deploy_caddy.sh
 
-echo "[4/4] Running Caddy deployment..."
+echo "[Done]"
-"$REPO_DIR/scripts/deploy_caddy.sh"
-
-echo "[Done] Git-based deployment completed."

scripts/generate_caddy.py

@@ -24,7 +24,8 @@ def validate_service(data: dict, source: Path) -> None:
             raise ValueError(f"{source.name}: missing required key '{key}'")
 
     svc_type = data["type"]
-    if svc_type not in {"static", "proxy"}:
+
+    if svc_type not in {"static", "proxy", "redirect"}:
         raise ValueError(f"{source.name}: unsupported type '{svc_type}'")
 
     if svc_type == "static" and "root" not in data:
@@ -33,6 +34,9 @@ def validate_service(data: dict, source: Path) -> None:
     if svc_type == "proxy" and "backend" not in data:
         raise ValueError(f"{source.name}: proxy service requires 'backend'")
 
+    if svc_type == "redirect" and "target" not in data:
+        raise ValueError(f"{source.name}: redirect service requires 'target'")
+
 
 def render_service(env: Environment, data: dict) -> str:
     svc_type = data["type"]
@@ -43,6 +47,13 @@ def render_service(env: Environment, data: dict) -> str:
         "real_ip": False,
         "health_uri": None,
         "health_interval": None,
+        "internal": False,
+        "internal_ranges": [
+            "10.0.0.0/8",
+            "172.16.0.0/12",
+            "192.168.0.0/16",
+        ],
+        "redirect_code": 301,
     }
 
     merged = {**defaults, **data}
@@ -51,6 +62,10 @@ def render_service(env: Environment, data: dict) -> str:
         template = env.get_template("static.caddy.j2")
         return template.render(**merged).strip() + "\n"
 
+    if svc_type == "redirect":
+        template = env.get_template("redirect.caddy.j2")
+        return template.render(**merged).strip() + "\n"
+
     reverse_proxy_block = any(
         [
             merged.get("real_ip"),
@@ -91,6 +106,5 @@ def main() -> int:
 
     return 0
 
-
 if __name__ == "__main__":
     sys.exit(main())

services/bistrousky-dev.yml

@@ -0,0 +1,6 @@
+name: bistrousky-dev
+type: proxy
+domain: bistrousky-dev.hubacek.cloud
+headers: true
+auth: false
+backend: 192.168.50.109:80

services/bistrousky.yml

@@ -1,5 +1,6 @@
 name: bistrousky
-type: static
+type: proxy
-domain: bistrousky.hubacek.cloud
+domain: bistrousky.cz, www.bistrousky.cz
 headers: true
-root: /var/www/html
+auth: false
+backend: 192.168.50.107:80

services/bystrousky.yml

@@ -0,0 +1,5 @@
+name: bystrousky
+type: redirect
+domain: www.bystrousky.cz, bystrousky.cz
+target: https://bistrousky.cz{uri}
+code: 301

services/catalog-generator.yml

@@ -0,0 +1,9 @@
+name: Catalogue Generator
+type: proxy
+domain: catalogue-generator.hubacek.cloud
+headers: true
+auth: false
+internal: true
+internal_ranges:
+  - 192.168.50.0/24
+backend: 192.168.50.112:8080

services/dalik.yml

@@ -0,0 +1,6 @@
+name: dalik
+type: proxy
+domain: daliborturza.hubacek.cloud
+headers: true
+auth: false
+backend: 192.168.50.105:80

services/eshop-bistrousky.yml

@@ -0,0 +1,6 @@
+name: eshop.bistrousky
+type: proxy
+domain: eshop-bistrousky.hubacek.cloud
+headers: true
+auth: false
+backend: 192.168.50.113:80

services/fakturace.yml

@@ -0,0 +1,6 @@
+name: fakturace
+type: proxy
+domain: fakturace.hubacek.cloud
+headers: true
+auth: false
+backend: 192.168.50.118:80

services/git.yml

@@ -2,5 +2,5 @@ name: gitea
 type: proxy
 domain: git.hubacek.cloud
 headers: true
-auth: true
+auth: false
 backend: 192.168.50.110:3000

services/homarr.yml

@@ -0,0 +1,9 @@
+name: homarr
+type: proxy
+domain: homarr.hubacek.cloud
+headers: true
+auth: false
+internal: true
+internal_ranges:
+  - 192.168.50.0/24
+backend: 192.168.50.236:7575

services/homepage.yml

@@ -0,0 +1,9 @@
+name: homepage
+type: proxy
+domain: home.hubacek.cloud
+headers: true
+auth: true
+internal: true
+internal_ranges:
+  - 192.168.50.0/24
+backend: 192.168.50.245:3000

services/immich.yml

@@ -0,0 +1,6 @@
+name: immich-app
+type: proxy
+domain: immich.hubacek.cloud
+headers: true
+auth: false
+backend: 192.168.50.10:2283

services/ipplan.yml

@@ -0,0 +1,9 @@
+name: IPplan
+type: proxy
+domain: ipplan.hubacek.cloud
+headers: true
+auth: true
+internal: true
+internal_ranges:
+  - 192.168.50.0/24
+backend: 192.168.50.237:5000

services/portal.yml

@@ -0,0 +1,6 @@
+name: portal
+type: proxy
+domain: portal.hubacek.cloud
+headers: true
+auth: false
+backend: 192.168.50.111:8000

services/provisioner.yml

@@ -0,0 +1,9 @@
+name: provisioner
+type: proxy
+domain: provisioner.hubacek.cloud
+headers: true
+auth: false
+internal: true
+internal_ranges:
+  - 192.168.50.0/24
+backend: 192.168.50.103:8000

services/smsgw.yml

@@ -0,0 +1,6 @@
+name: smsgw
+type: proxy
+domain: smsgw.hubacek.cloud
+headers: true
+auth: true
+backend: 192.168.50.116:80

services/spravcetajemstvi.yml

@@ -0,0 +1,6 @@
+name: spravcetajemstvi
+type: proxy
+domain: spravcetajemstvi.cz, www.spravcetajemstvi.cz
+headers: true
+auth: false
+backend: 192.168.50.115:3000

templates/proxy.caddy.j2

@@ -5,6 +5,12 @@
 {% if auth %}
 	import common_auth
 {% endif %}
+
+{% if internal %}
+	@internal {
+		remote_ip {{ internal_ranges | join(' ') }}
+	}
+	handle @internal {
 {% if reverse_proxy_block %}
 		reverse_proxy {{ backend }} {
 {% if real_ip %}
@@ -19,5 +25,29 @@
 		}
 {% else %}
 		reverse_proxy {{ backend }}
+{% endif %}
+	}
+	handle {
+		respond "Forbidden" 403
+	}
+
+{% else %}
+
+{% if reverse_proxy_block %}
+	reverse_proxy {{ backend }} {
+{% if real_ip %}
+		header_up X-Real-IP {remote_host}
+{% endif %}
+{% if health_uri %}
+		health_uri {{ health_uri }}
+{% endif %}
+{% if health_interval %}
+		health_interval {{ health_interval }}
+{% endif %}
+	}
+{% else %}
+	reverse_proxy {{ backend }}
+{% endif %}
+
 {% endif %}
 }

templates/redirect.caddy.j2

@@ -0,0 +1,3 @@
+{{ domain }} {
+	redir {{ target }} {{ code | default(redirect_code) }}
+}