split: Caddy in eigenen proxy/ Stack ausgelagert

- Caddy läuft jetzt als separater Stack unter proxy/ - proxy_network ist jetzt external in beiden Stacks - Verhindert dass docker compose down auf pfannkuchen Caddy mitnimmt - sysctls entfernt (nicht nötig auf Hetzner VPS) # Conflicts: # compose.yaml
2026-04-13 09:01:36 +02:00 · 2026-04-13 09:01:36 +02:00 · 86ada3e322
commit 86ada3e322
parent 50a4b15148
3 changed files with 302 additions and 0 deletions
--- a/.env.enc
+++ b/.env.enc
@ -0,0 +1,19 @@
+EVOLUTION_API_KEY=ENC[AES256_GCM,data:FJ4RAC/CkR53EliADN8DwOJRaLpTKB8LzS9vu5ax2jM=,iv:cmrF0Q0q+x97UlYOvA4yGwr2GaQ5jXyf8APHrpq1DFU=,tag:oGWZepM9BJ6tbFTf36SqBQ==,type:str]
+EVOLUTION_INSTANCE=ENC[AES256_GCM,data:zsXfW/Cf1gi/UBQ=,iv:XHoT5quwQ2wnwWGdbNJiYCeDJEjamxSK4yrO0LZRNiA=,tag:y2mTdLrwNbc+zcllt2CqxQ==,type:str]
+#ENC[AES256_GCM,data:RgNVv5hbESTwAO39jW7YV40pZHZY,iv:t5mLeoLj9+GsPx8JgV1bJs6rsjnZ6Z9iPi2aNzfdib8=,tag:mnIRono2CzxAS/yamx+48Q==,type:comment]
+HOMEPAGE_VAR_EMBY_SASCHA_KEY=ENC[AES256_GCM,data:11ubBGzMWrjtxF/jQ4IZsyyfH7OA+F/frG1xO9u8fww=,iv:qeUsV9//FQ5Xv9he3U4HIEueGxoEsx+X6bVoEutmOwU=,tag:s3Jh8mJmNvQNRsEEydd3RA==,type:str]
+HOMEPAGE_VAR_EMBY_CHRIS_KEY=ENC[AES256_GCM,data:Jf/vP4AW55ZTfksVO6N5q8/uaOfQrNV/uXWQjmcUWAE=,iv:wgXMsrHUZ48Ev0+yBUMDJGhkfqv339mJcILnnSvmbiU=,tag:r+6tMI3bFnNTYHmuThlNqA==,type:str]
+HOMEPAGE_VAR_PROXMOX_TOKEN=ENC[AES256_GCM,data:aH4DGsOHn6UOr8GZVxYkvt8n7X8h2UQ4feOq9mJua8onJqok,iv:1p4tWJNoC7CgEDdrXnmIpkIvrBMpzMAQDcmRnkuCYLk=,tag:IIX02ta7uSP7qdCLD8RUKA==,type:str]
+HOMEPAGE_VAR_PBS_USERNAME=ENC[AES256_GCM,data:iWOXPV7YVeV4kBew/d6qw5w=,iv:x4Tr8zayKOUhkRmtzhoXtwG3zJIHq1cSva8CLe7tXu0=,tag:mlURtx1qCiRrWj8dCfqK/g==,type:str]
+HOMEPAGE_VAR_PBS_TOKEN=ENC[AES256_GCM,data:hFiIu+Q+U4z9FN1x3VzJXTe77om1GU63ceBuNgOy4GCjqFPx,iv:xhVt4c/ZbKoSnc43sOD71CJYctWSWFDSP+g0//ps8es=,tag:vIXFJeFXBfCfN3h5EvLx9w==,type:str]
+HOMEPAGE_VAR_SYNOLOGY_USER=ENC[AES256_GCM,data:Cko95ovD,iv:6zHK9iBwjOk/kuw2vEh7t3kxpRJwh7uuBeeV7fm1whc=,tag:K0+hyL+DkV6BA42kaWqtaA==,type:str]
+HOMEPAGE_VAR_SYNOLOGY_PASS=ENC[AES256_GCM,data:6f4CADqNXOQ=,iv:pVNrT2Hed9AWdkdI1S4IbL9uDqMPeYFt2X2obQ0Vjok=,tag:62ppHm2FuoVwqupw4SZ+TQ==,type:str]
+HOMEPAGE_VAR_SABNZBD_KEY=ENC[AES256_GCM,data:JBb764HRHIbsCGBfVwX2iv8Qbv6yze4nKnPHnh744/0=,iv:Rlz3HVhFVs4kDwIa8tJlbwNODvKL7DmfgPFft7Qsop0=,tag:BB+ymnScdkH3t+ByKYnVjQ==,type:str]
+HOMEPAGE_VAR_DOCKHAND_USER=ENC[AES256_GCM,data:nYMO8SM=,iv:8ymvdnromhTOAgJj6ZD2AZDftzY6xiXEJ5trHF5BKBA=,tag:Irv1++3JkPKlgAsW9bayXA==,type:str]
+HOMEPAGE_VAR_DOCKHAND_PASS=ENC[AES256_GCM,data:+dEOB4IVDnqwNsf3CUI=,iv:t9osFq+XfUHOcx5z3n4ry7Hc/3EJw3+Gb25m6Vgvr+g=,tag:7Wy2gRIBBeDoCfXcMtKYHQ==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRVYxOGtEVDdNYWNVem44\nQkpBRUZ5N1JRRUhtVXgweDF1Z0lEWENMRTEwCmJ2YzJ6bzM3OWRlSWp2N1Zzb3Jj\nWW9kbHJWUTA5T2FjZjErUDdMVkJabjAKLS0tIE5IemtqblRMeW1BSnU4R09TL2Rq\nUFJpbmZ6Z1h2V1ovWUpTSVhyaEhka3cKaLETCEC0rw7yk2UdGnMsQRD8R4IByrKm\nV3kysZbBvfHp8oy1hbYLGuw98CcxPgiBI9ragMwBSxCATQmablrZZQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1z8gak2l4h0vpcnhtcdxmem2u9h2n54vuksk8ys82609qtzampuvqh50wdr
+sops_lastmodified=2026-04-04T07:42:39Z
+sops_mac=ENC[AES256_GCM,data:yMLHULVORzUiWMDpjW1LxNsFVg6HLC9vLtZOgM53iY5A0XkFrQnFpYZsmuA5HxL7TGUhuUCccDXlJFyK54TopNsGA8oafyayapkFdUPhp6YZrea2VkmQIfd9T8m1bww69LpMMvJpmwKwtm/cSPfE2Xraab1Uk4KbKTJwTpvF+FA=,iv:IzC4QepR8lFcrkbun6L2SW0qShFYPBlJVdlkIwpJ7og=,tag:hWuWFfoD9xnqlsntlBgb8g==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.12.2
--- a/proxy/Caddyfile
+++ b/proxy/Caddyfile
@ -0,0 +1,258 @@
+{
+        metrics
+        admin :2019
+        log {
+                output file /var/log/caddy/caddy_main.log {
+                        roll_size 100MiB
+                        roll_keep 5
+                        roll_keep_for 100d
+                }
+                format json
+                level INFO
+        }
+}
+
+(emby_config) {
+        log {
+                output file "/var/log/caddy/{args[0]}.log" {
+                        roll_size 100MiB
+                        roll_keep 5
+                        roll_keep_for 100d
+                }
+                format json
+        }
+        @compress {
+                header Content-Type text/*
+                header Content-Type application/json*
+                header Content-Type application/javascript*
+                header Content-Type image/svg+xml
+        }
+        encode @compress zstd gzip
+        reverse_proxy {args[1]} {
+                flush_interval -1
+                header_up X-Accel-Buffering "no"
+        }
+        header {
+                Access-Control-Allow-Origin *
+                Cache-Control "no-cache, no-transform"
+                defer
+        }
+}
+
+
+tv.sascha-lutz.de {
+        import emby_config tv.sascha-lutz.de host.docker.internal:18096
+}
+
+guck.tv {
+        import emby_config guck.tv host.docker.internal:28096
+}
+
+netzflix.org {
+        import emby_config netzflix.org host.docker.internal:38096
+}
+
+
+vault.sascha-lutz.de {
+        reverse_proxy vaultwarden
+}
+
+auth.sascha-lutz.de {
+        reverse_proxy 10.5.85.5:9000
+}
+
+home.sascha-lutz.de {
+        forward_auth 10.5.85.5:9000 {
+                uri /outpost.goauthentik.io/auth/caddy
+                copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
+                trusted_proxies private_ranges
+        }
+        reverse_proxy homepage:3000
+}
+
+grafana.sascha-lutz.de {
+        reverse_proxy 10.1.1.111:3000
+}
+
+patchmon.sascha-lutz.de {
+        reverse_proxy 10.4.1.116:3100
+}
+
+tesla.sascha-lutz.de {
+        forward_auth 10.5.85.5:9000 {
+                uri /outpost.goauthentik.io/auth/caddy
+                copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
+                trusted_proxies private_ranges
+        }
+        reverse_proxy 10.1.1.111:4000
+}
+
+
+influx.sascha-lutz.de {
+        reverse_proxy 10.1.1.111:8086
+}
+
+status.guck.tv {
+        @root path /
+        rewrite @root /status/emby
+
+        reverse_proxy 10.200.200.254:3001 {
+                header_up Host {host}
+        }
+}
+
+plappern.com {
+    request_body {
+        max_size 500MB
+    }
+
+    handle /.well-known/matrix/server {
+        header Content-Type application/json
+        respond `{"m.server":"plappern.com:443"}` 200
+    }
+
+    handle /.well-known/matrix/client {
+        header Content-Type application/json
+        header Access-Control-Allow-Origin *
+        respond `{"m.homeserver":{"base_url":"https://plappern.com"},"m.identity_server":{"base_url":"https://vector.im"}}` 200
+    }
+
+    reverse_proxy 10.4.1.110:8008
+}
+
+web.plappern.com {
+    reverse_proxy 10.4.1.110:8080
+}
+
+plappern.com:8448 {
+    reverse_proxy 10.4.1.110:8008
+}
+
+docker.sascha-lutz.de {
+        reverse_proxy 10.4.1.116:3000
+}
+
+chat.plappern.com {
+            reverse_proxy 10.4.1.110:8090
+}
+n8n.sascha-lutz.de {
+        reverse_proxy 10.4.1.113:5678
+}
+
+dl.guck.tv {
+        reverse_proxy 10.2.1.100:5055 {
+                header_up Host {host}
+                header_up X-Real-IP {remote_host}
+                # Optional: Timeout-Werte anpassen, falls nötig (z.B. für große Mediendateien)
+                transport http {
+                        dial_timeout 10s
+                        read_timeout 30s
+                }
+        }
+}
+
+immich.sascha-lutz.de {
+        reverse_proxy 10.4.1.107:2283
+        handle {
+                request_body {
+                        max_size 64GB
+                }
+        }
+}
+
+# Proxmox VE Nodes - HTTPS Reverse Proxy (vermeidet selbst-signierte Zertifikat-Warnungen)
+pve1.sascha-lutz.de {
+        forward_auth 10.5.85.5:9000 {
+                uri /outpost.goauthentik.io/auth/caddy
+                copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
+                trusted_proxies private_ranges
+        }
+        reverse_proxy https://10.5.85.11:8006 {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+}
+
+pve2.sascha-lutz.de {
+        forward_auth 10.5.85.5:9000 {
+                uri /outpost.goauthentik.io/auth/caddy
+                copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
+                trusted_proxies private_ranges
+        }
+        reverse_proxy https://10.5.85.12:8006 {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+}
+
+pve3.sascha-lutz.de {
+        forward_auth 10.5.85.5:9000 {
+                uri /outpost.goauthentik.io/auth/caddy
+                copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
+                trusted_proxies private_ranges
+        }
+        reverse_proxy https://10.5.85.13:8006 {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+}
+
+pve4.sascha-lutz.de {
+        forward_auth 10.5.85.5:9000 {
+                uri /outpost.goauthentik.io/auth/caddy
+                copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
+                trusted_proxies private_ranges
+        }
+        reverse_proxy https://10.5.85.14:8006 {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+}
+
+pve5.sascha-lutz.de {
+        forward_auth 10.5.85.5:9000 {
+                uri /outpost.goauthentik.io/auth/caddy
+                copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
+                trusted_proxies private_ranges
+        }
+        reverse_proxy https://10.5.85.15:8006 {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+}
+
+pve6.sascha-lutz.de {
+        forward_auth 10.5.85.5:9000 {
+                uri /outpost.goauthentik.io/auth/caddy
+                copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
+                trusted_proxies private_ranges
+        }
+        reverse_proxy https://10.5.85.16:8006 {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+}
+
+pve7.sascha-lutz.de {
+        forward_auth 10.5.85.5:9000 {
+                uri /outpost.goauthentik.io/auth/caddy
+                copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
+                trusted_proxies private_ranges
+        }
+        reverse_proxy https://10.5.85.17:8006 {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+}
+
+
+wiki.sascha-lutz.de {
+        reverse_proxy 10.1.1.100:3000
+}
--- a/proxy/compose.yaml
+++ b/proxy/compose.yaml
@ -0,0 +1,25 @@
+networks:
+  proxy_network:
+    external: true
+
+services:
+  caddy:
+    image: caddy
+    container_name: caddy
+    restart: always
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+    networks:
+      - proxy_network
+    expose:
+      - 2019
+    ports:
+      - 80:80
+      - 443:443/tcp
+      - 443:443/udp
+      - 8448:8448
+      - 10.200.200.254:2019:2019
+    volumes:
+      - /app-config/caddy/data:/data
+      - ./Caddyfile:/etc/caddy/Caddyfile
+      - /app-config/caddy/logs:/var/log/caddy