sascha/pfannkuchen
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

split: Caddy in eigenen proxy/ Stack ausgelagert

Browse source 
- Caddy läuft jetzt als separater Stack unter proxy/
- proxy_network ist jetzt external in beiden Stacks
- Verhindert dass docker compose down auf pfannkuchen Caddy mitnimmt
- sysctls entfernt (nicht nötig auf Hetzner VPS)

# Conflicts:
#	compose.yaml
This commit is contained in:
feldjaeger 2026-04-13 09:01:36 +02:00
parent 50a4b15148
commit 86ada3e322
3 changed files with 302 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

19
.env.enc Normal file
View file

@ -0,0 +1,19 @@
EVOLUTION_API_KEY=ENC[AES256_GCM,data:FJ4RAC/CkR53EliADN8DwOJRaLpTKB8LzS9vu5ax2jM=,iv:cmrF0Q0q+x97UlYOvA4yGwr2GaQ5jXyf8APHrpq1DFU=,tag:oGWZepM9BJ6tbFTf36SqBQ==,type:str]
EVOLUTION_INSTANCE=ENC[AES256_GCM,data:zsXfW/Cf1gi/UBQ=,iv:XHoT5quwQ2wnwWGdbNJiYCeDJEjamxSK4yrO0LZRNiA=,tag:y2mTdLrwNbc+zcllt2CqxQ==,type:str]
#ENC[AES256_GCM,data:RgNVv5hbESTwAO39jW7YV40pZHZY,iv:t5mLeoLj9+GsPx8JgV1bJs6rsjnZ6Z9iPi2aNzfdib8=,tag:mnIRono2CzxAS/yamx+48Q==,type:comment]
HOMEPAGE_VAR_EMBY_SASCHA_KEY=ENC[AES256_GCM,data:11ubBGzMWrjtxF/jQ4IZsyyfH7OA+F/frG1xO9u8fww=,iv:qeUsV9//FQ5Xv9he3U4HIEueGxoEsx+X6bVoEutmOwU=,tag:s3Jh8mJmNvQNRsEEydd3RA==,type:str]
HOMEPAGE_VAR_EMBY_CHRIS_KEY=ENC[AES256_GCM,data:Jf/vP4AW55ZTfksVO6N5q8/uaOfQrNV/uXWQjmcUWAE=,iv:wgXMsrHUZ48Ev0+yBUMDJGhkfqv339mJcILnnSvmbiU=,tag:r+6tMI3bFnNTYHmuThlNqA==,type:str]
HOMEPAGE_VAR_PROXMOX_TOKEN=ENC[AES256_GCM,data:aH4DGsOHn6UOr8GZVxYkvt8n7X8h2UQ4feOq9mJua8onJqok,iv:1p4tWJNoC7CgEDdrXnmIpkIvrBMpzMAQDcmRnkuCYLk=,tag:IIX02ta7uSP7qdCLD8RUKA==,type:str]
HOMEPAGE_VAR_PBS_USERNAME=ENC[AES256_GCM,data:iWOXPV7YVeV4kBew/d6qw5w=,iv:x4Tr8zayKOUhkRmtzhoXtwG3zJIHq1cSva8CLe7tXu0=,tag:mlURtx1qCiRrWj8dCfqK/g==,type:str]
HOMEPAGE_VAR_PBS_TOKEN=ENC[AES256_GCM,data:hFiIu+Q+U4z9FN1x3VzJXTe77om1GU63ceBuNgOy4GCjqFPx,iv:xhVt4c/ZbKoSnc43sOD71CJYctWSWFDSP+g0//ps8es=,tag:vIXFJeFXBfCfN3h5EvLx9w==,type:str]
HOMEPAGE_VAR_SYNOLOGY_USER=ENC[AES256_GCM,data:Cko95ovD,iv:6zHK9iBwjOk/kuw2vEh7t3kxpRJwh7uuBeeV7fm1whc=,tag:K0+hyL+DkV6BA42kaWqtaA==,type:str]
HOMEPAGE_VAR_SYNOLOGY_PASS=ENC[AES256_GCM,data:6f4CADqNXOQ=,iv:pVNrT2Hed9AWdkdI1S4IbL9uDqMPeYFt2X2obQ0Vjok=,tag:62ppHm2FuoVwqupw4SZ+TQ==,type:str]
HOMEPAGE_VAR_SABNZBD_KEY=ENC[AES256_GCM,data:JBb764HRHIbsCGBfVwX2iv8Qbv6yze4nKnPHnh744/0=,iv:Rlz3HVhFVs4kDwIa8tJlbwNODvKL7DmfgPFft7Qsop0=,tag:BB+ymnScdkH3t+ByKYnVjQ==,type:str]
HOMEPAGE_VAR_DOCKHAND_USER=ENC[AES256_GCM,data:nYMO8SM=,iv:8ymvdnromhTOAgJj6ZD2AZDftzY6xiXEJ5trHF5BKBA=,tag:Irv1++3JkPKlgAsW9bayXA==,type:str]
HOMEPAGE_VAR_DOCKHAND_PASS=ENC[AES256_GCM,data:+dEOB4IVDnqwNsf3CUI=,iv:t9osFq+XfUHOcx5z3n4ry7Hc/3EJw3+Gb25m6Vgvr+g=,tag:7Wy2gRIBBeDoCfXcMtKYHQ==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuRVYxOGtEVDdNYWNVem44\nQkpBRUZ5N1JRRUhtVXgweDF1Z0lEWENMRTEwCmJ2YzJ6bzM3OWRlSWp2N1Zzb3Jj\nWW9kbHJWUTA5T2FjZjErUDdMVkJabjAKLS0tIE5IemtqblRMeW1BSnU4R09TL2Rq\nUFJpbmZ6Z1h2V1ovWUpTSVhyaEhka3cKaLETCEC0rw7yk2UdGnMsQRD8R4IByrKm\nV3kysZbBvfHp8oy1hbYLGuw98CcxPgiBI9ragMwBSxCATQmablrZZQ==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age1z8gak2l4h0vpcnhtcdxmem2u9h2n54vuksk8ys82609qtzampuvqh50wdr
sops_lastmodified=2026-04-04T07:42:39Z
sops_mac=ENC[AES256_GCM,data:yMLHULVORzUiWMDpjW1LxNsFVg6HLC9vLtZOgM53iY5A0XkFrQnFpYZsmuA5HxL7TGUhuUCccDXlJFyK54TopNsGA8oafyayapkFdUPhp6YZrea2VkmQIfd9T8m1bww69LpMMvJpmwKwtm/cSPfE2Xraab1Uk4KbKTJwTpvF+FA=,iv:IzC4QepR8lFcrkbun6L2SW0qShFYPBlJVdlkIwpJ7og=,tag:hWuWFfoD9xnqlsntlBgb8g==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.12.2

258
proxy/Caddyfile Normal file
View file

@ -0,0 +1,258 @@
{
metrics
admin :2019
log {
output file /var/log/caddy/caddy_main.log {
roll_size 100MiB
roll_keep 5
roll_keep_for 100d
}
format json
level INFO
}
}
(emby_config) {
log {
output file "/var/log/caddy/{args[0]}.log" {
roll_size 100MiB
roll_keep 5
roll_keep_for 100d
}
format json
}
@compress {
header Content-Type text/*
header Content-Type application/json*
header Content-Type application/javascript*
header Content-Type image/svg+xml
}
encode @compress zstd gzip
reverse_proxy {args[1]} {
flush_interval -1
header_up X-Accel-Buffering "no"
}
header {
Access-Control-Allow-Origin *
Cache-Control "no-cache, no-transform"
defer
}
}
tv.sascha-lutz.de {
import emby_config tv.sascha-lutz.de host.docker.internal:18096
}
guck.tv {
import emby_config guck.tv host.docker.internal:28096
}
netzflix.org {
import emby_config netzflix.org host.docker.internal:38096
}
vault.sascha-lutz.de {
reverse_proxy vaultwarden
}
auth.sascha-lutz.de {
reverse_proxy 10.5.85.5:9000
}
home.sascha-lutz.de {
forward_auth 10.5.85.5:9000 {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
trusted_proxies private_ranges
}
reverse_proxy homepage:3000
}
grafana.sascha-lutz.de {
reverse_proxy 10.1.1.111:3000
}
patchmon.sascha-lutz.de {
reverse_proxy 10.4.1.116:3100
}
tesla.sascha-lutz.de {
forward_auth 10.5.85.5:9000 {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
trusted_proxies private_ranges
}
reverse_proxy 10.1.1.111:4000
}
influx.sascha-lutz.de {
reverse_proxy 10.1.1.111:8086
}
status.guck.tv {
@root path /
rewrite @root /status/emby
reverse_proxy 10.200.200.254:3001 {
header_up Host {host}
}
}
plappern.com {
request_body {
max_size 500MB
}
handle /.well-known/matrix/server {
header Content-Type application/json
respond `{"m.server":"plappern.com:443"}` 200
}
handle /.well-known/matrix/client {
header Content-Type application/json
header Access-Control-Allow-Origin *
respond `{"m.homeserver":{"base_url":"https://plappern.com"},"m.identity_server":{"base_url":"https://vector.im"}}` 200
}
reverse_proxy 10.4.1.110:8008
}
web.plappern.com {
reverse_proxy 10.4.1.110:8080
}
plappern.com:8448 {
reverse_proxy 10.4.1.110:8008
}
docker.sascha-lutz.de {
reverse_proxy 10.4.1.116:3000
}
chat.plappern.com {
reverse_proxy 10.4.1.110:8090
}
n8n.sascha-lutz.de {
reverse_proxy 10.4.1.113:5678
}
dl.guck.tv {
reverse_proxy 10.2.1.100:5055 {
header_up Host {host}
header_up X-Real-IP {remote_host}
# Optional: Timeout-Werte anpassen, falls nötig (z.B. für große Mediendateien)
transport http {
dial_timeout 10s
read_timeout 30s
}
}
}
immich.sascha-lutz.de {
reverse_proxy 10.4.1.107:2283
handle {
request_body {
max_size 64GB
}
}
}
# Proxmox VE Nodes - HTTPS Reverse Proxy (vermeidet selbst-signierte Zertifikat-Warnungen)
pve1.sascha-lutz.de {
forward_auth 10.5.85.5:9000 {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
trusted_proxies private_ranges
}
reverse_proxy https://10.5.85.11:8006 {
transport http {
tls_insecure_skip_verify
}
}
}
pve2.sascha-lutz.de {
forward_auth 10.5.85.5:9000 {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
trusted_proxies private_ranges
}
reverse_proxy https://10.5.85.12:8006 {
transport http {
tls_insecure_skip_verify
}
}
}
pve3.sascha-lutz.de {
forward_auth 10.5.85.5:9000 {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
trusted_proxies private_ranges
}
reverse_proxy https://10.5.85.13:8006 {
transport http {
tls_insecure_skip_verify
}
}
}
pve4.sascha-lutz.de {
forward_auth 10.5.85.5:9000 {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
trusted_proxies private_ranges
}
reverse_proxy https://10.5.85.14:8006 {
transport http {
tls_insecure_skip_verify
}
}
}
pve5.sascha-lutz.de {
forward_auth 10.5.85.5:9000 {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
trusted_proxies private_ranges
}
reverse_proxy https://10.5.85.15:8006 {
transport http {
tls_insecure_skip_verify
}
}
}
pve6.sascha-lutz.de {
forward_auth 10.5.85.5:9000 {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
trusted_proxies private_ranges
}
reverse_proxy https://10.5.85.16:8006 {
transport http {
tls_insecure_skip_verify
}
}
}
pve7.sascha-lutz.de {
forward_auth 10.5.85.5:9000 {
uri /outpost.goauthentik.io/auth/caddy
copy_headers X-authentik-username X-authentik-groups X-authentik-email X-authentik-name X-authentik-uid
trusted_proxies private_ranges
}
reverse_proxy https://10.5.85.17:8006 {
transport http {
tls_insecure_skip_verify
}
}
}
wiki.sascha-lutz.de {
reverse_proxy 10.1.1.100:3000
}

25
proxy/compose.yaml Normal file
View file

@ -0,0 +1,25 @@
networks:
proxy_network:
external: true
services:
caddy:
image: caddy
container_name: caddy
restart: always
extra_hosts:
- "host.docker.internal:host-gateway"
networks:
- proxy_network
expose:
- 2019
ports:
- 80:80
- 443:443/tcp
- 443:443/udp
- 8448:8448
- 10.200.200.254:2019:2019
volumes:
- /app-config/caddy/data:/data
- ./Caddyfile:/etc/caddy/Caddyfile
- /app-config/caddy/logs:/var/log/caddy