# Caddyfile on production cluster
{
  # Global options, only one such block at the head of the file
  servers {
    # Requests arriving from these ranges are treated as coming from a trusted
    # proxy, so their X-Forwarded-* headers are believed when the client
    # address is worked out.
    # NOTE(review): 2a00:23c6::/32 is a very wide IPv6 range, far larger than
    # a single site's delegated prefix. Any client inside it can supply its
    # own forwarded address. Narrow it to the prefix the proxies really use.
    trusted_proxies static 192.168.1.0/24 2a00:23c6::/32
          }
  # make admin available to all trusted nodes on the network
  # NOTE(review): ":2019" binds the admin API on every interface, not only to
  # trusted nodes, and nothing in this file authenticates it. Whoever can
  # reach port 2019 can read and replace the running configuration. Prefer a
  # loopback or single internal bind address, and firewall the port so only
  # the management hosts can connect.
  admin :2019
  # Turn on metrics collection for the HTTP servers.
  metrics
}
#

#
# For Authelia
#
# Snippet: the trusted_proxies line shared by the forward_auth and
# reverse_proxy blocks below (imported as "trusted_proxy_list").
# The ranges duplicate the global servers option; keep the two in sync.
# NOTE(review): the /32 IPv6 range is very broad - confirm it is intended.
(trusted_proxy_list) {
       trusted_proxies 192.168.1.0/24 2a00:23c6::/32
}

# Snippet: protect a site with Authelia forward authentication.
# Import it as "import secure_site <matcher>"; the first argument becomes the
# request matcher ({args[0]}), e.g. "*" for the whole site.
(secure_site) {
       # Each matching request is first sent to Authelia at 192.168.1.1:9091.
       forward_auth {args[0]} 192.168.1.1:9091 {
                # Verification endpoint; rd= is the portal to redirect
                # unauthenticated users to.
                uri /api/verify?rd=https://auth.johnsnexus.click
                # Identity headers taken from Authelia's response and passed on
                # to the protected backend.
                # NOTE(review): a backend that trusts Remote-User etc. must only
                # be reachable through this proxy; presumably the backends are
                # not published on any other route - confirm.
                copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
                import trusted_proxy_list
                header_up Host {upstream_hostport}
       }
}
#
# it appears you need this to allow prometheus on a remote node to scrape the metrics
# Serves the Prometheus metrics handler for every path on port 2019.
# NOTE(review): this site address uses the same port as "admin :2019" in the
# global options - confirm which listener actually answers remote requests.
# NOTE(review): there is no client restriction here; a remote_ip matcher
# limited to the Prometheus node would keep the metrics (hostnames, upstreams,
# request counts) away from other clients.
:2019 {
  handle {
    metrics
  }
}
#
# Snippet for basic authorisation
#
# Snippet: HTTP Basic authentication, imported with "import basic-auth".
# Each entry is "<username> <bcrypt hash>"; the "$2a$10$" prefix means bcrypt
# with cost factor 10.
# NOTE(review): these hashes are credential material. Anyone holding a copy of
# this file can run offline password guessing against them, so keep the file
# out of shared or public locations, restrict its permissions, and change the
# passwords if it has been exposed. Moving the list into a separate imported
# file with tighter access would limit that exposure.
# NOTE(review): Basic auth sends the password with every request, so it is
# only safe on HTTPS sites; this snippet is imported by an http:// site below.
(basic-auth) {
    basic_auth {
      john.anderson $2a$10$T.yetVs9CmektYsaU8RqYu37fVaFAsPDLf90lsDDfxLkaC.zWH3Oi
      mary.anderson $2a$10$UOuB5DpDcKRho0rRPDCmCeFlDSx/f6Bkwqpw8CEeQCbAGA0yULcny
      frazer.anderson $2a$10$UleGw5O0BB18XtSenFSawudO.qKbNVMFU772XMP4cAAUbWzRo/zr6
      chris.anderson $2a$10$1MeL9m8M7FW/k6/DW3HB1.rkijS3qao8RraNO/tJKN8OuRTCzc3fK
      ruth.hoyos $2a$10$9z/3SajAWhxJfu6Xs1lbEeuPpZWUzcuBI/8n5hfv5FUqt11Uxo92S
      sarah.anderson-beecham $2a$10$.8J1FMBwGDr8XSXCMWcn2ODxSW6txLEqSBHZmA6zQs8qQCDT2KbR2
      fiona.green $2a$10$Nid0Lg6Wauwi/5BN4N2H5u8T6XumK4EE2MBxZaKXajxUAuUXPEvGO
      helen.crichton $2a$10$zOcnxMCr62NtNK3YTaWbRuOclI/lC1Lkn1RidTOxkgBTgruQgfg9K
      david.rawsthorne $2a$10$OIALdPjjQT6i5exUg8GtmOGk4BD4WmanmDhF7wCVH/IbpQQSt6PAS
      peter.rawsthorne $2a$10$asUwJpdwc4QlGc8b1A1v7ukBCIQTlzm59uRnBH6AnWiK6NAECW03S
      marilyn.pope $2a$10$6iD1J3FVmFbY7i02gQaF0eu1fY4ufUsXiXMyc1G9YfXbYKwuamjI2
      alan.potts $2a$10$tzbIZwIuzcdrIzJICIS1oeadwoKyr3JqL2Ec9aB8Dj.MR4Q7lMcV.
      kate.griffin $2a$10$9R57yOgGilEPZNwCbjWHeOu/ytTv4SLbW0P/plRnI.GqHe3w3IJjO
      craig.johnson $2a$10$LQf3tK0ZHl63LHybpDfSdu1WT9OtcLeNZTfCwniPlmuqHiNF.yOq6
      grant.johnson $2a$10$7XZ3aoQdL/fLex48t6hgi.p9Xt3yNJNIXJKflxChprwT5O9zPy2hG
      barbara.wright $2a$10$Mlp0Y2wPzzomL1EnTInS2u18yv7ksMY.ATURzQz4luRRe2JwBMEJS
      janet.kennedy $2a$10$/8VCpm68CLSF2zSL5sHtR.hzwJ.h3cX3r8XHogHbz8o7KIYPDHOVW
    }
}  
#
# Authelia from HOSTS
#
# Authelia portal: every request for this host is proxied to 192.168.1.1:9091,
# the same address the secure_site snippet uses for forward_auth.
auth.johnsnexus.click {
     reverse_proxy 192.168.1.1:9091 {
         # Forwarded headers are only believed from these ranges.
         import trusted_proxy_list
     }
}
#
# Locally hosted site
#
# Static site with PHP: PHP requests go to the FastCGI responder, everything
# else is served from the root directory.
testcaddy.johnsnexus.click {
    root * /usr/share/caddy      # compose file points to this
    # NOTE(review): php_fastcgi speaks FastCGI, not HTTP; port 80 is an unusual
    # FastCGI port - confirm the listener at 192.168.1.1:80 is a FastCGI one.
    php_fastcgi 192.168.1.1:80
    file_server
}
#
# Family history web site via container on this cluster
#
# Proxies the site to the upstream named famhistweb_famhistweb (no port given,
# so the default HTTP port applies); presumably a container service name.
# NOTE(review): reverse_proxy is ordered before file_server in Caddy's default
# directive order and has no matcher, so root/file_server look unreachable
# here - confirm with "caddy adapt" and drop them if unused.
sandancer.ddnsfree.com {
    root * /var/www/html
    file_server
#    reverse_proxy 192.168.1.1:8888
    reverse_proxy famhistweb_famhistweb
}
#
# PocketID OIDC security, come here from DYNU, running on OMEGA to access token device
#
# HTTPS-only site address; all requests are proxied to 192.168.1.5:1411.
# The proxy-to-backend hop is plain HTTP on the internal network.
https://hold.johnsnexus.click {
    reverse_proxy 192.168.1.5:1411
}
#
# Test GHOST site on ELITE cluster 
#
# Proxies all requests to 192.168.1.4:2368.
# NOTE(review): with an unmatched reverse_proxy present, root/file_server are
# presumably never reached (reverse_proxy is ordered first) - confirm.
ghost.johnsnexus.click {
    root * /var/www/mymag
    file_server
    reverse_proxy 192.168.1.4:2368
}
#
# Family History Web site on Production cluster system, come here via HOSTS file
#
# Site protected by Authelia: every request ("*") must pass forward_auth via
# the secure_site snippet before it is proxied to the backend.
nextfamhistweb.johnsnexus.click {
#    import basic-auth
    import secure_site *
#    root * /usr/local/apache2/htdocs
#    file_server
    reverse_proxy nextfamhistweb_nextfamhistweb {
        # Forwarded headers are only believed from these ranges.
        import trusted_proxy_list
    }
}
#
# Test web site on Production Cluster, come here via HOSTS file
# an example of a non-secure site on a different domain
#
# Plain-HTTP site (the http:// prefix turns automatic HTTPS off for it),
# guarded by the shared basic-auth user list and proxied to testweb_testweb.
# NOTE(review): over http:// the Basic credentials cross the network
# unencrypted on every request, and they are the same accounts defined in the
# basic-auth snippet. Serve this host over HTTPS, or give it throw-away
# credentials that are used nowhere else.
# NOTE(review): root/file_server are presumably unreachable behind the
# unmatched reverse_proxy - confirm.
http://northweb.johns.study {
    import basic-auth
    root * /usr/local/apache2/htdocs
    file_server
    reverse_proxy testweb_testweb
}
#
# Test version of paperless-ngx on Elite cluster, come here via HOSTS file
#
# Proxies all requests to 192.168.1.4:8600.
# NOTE(review): file_server has no root set and sits behind an unmatched
# reverse_proxy, so it is presumably never reached - confirm and remove.
wastebin.johnsnexus.click {
    file_server
    reverse_proxy 192.168.1.4:8600
}
#
# Version of pydio cells on NODE-16 using SAMBA volume - DYNU public address
#
# Proxies to 192.168.1.4:8888 over TLS.
pydiocells.johnsnexus.click {
#    tls tls@johnsnexus.click
    reverse_proxy 192.168.1.4:8888 {
       transport http {
          # Use HTTPS for the proxy-to-backend connection.
          tls
          # NOTE(review): certificate verification is switched off, so the
          # link is encrypted but the backend is not authenticated; any host
          # answering on that address is accepted. Trusting the backend's CA
          # or certificate in the transport options would close that gap.
          tls_insecure_skip_verify
       }
    }
}
#
# Nextcloud AIO on NODE-16, was Beta (220 or 9)
#
# HTTPS on port 443, proxied to http://192.168.1.16:11000.
https://amudanan.johnsnexus.click:443 {
    # HSTS for 15552000 seconds (180 days); no includeSubDomains or preload.
    header Strict-Transport-Security max-age=15552000
    # NOTE(review): presumably unreachable behind the unmatched reverse_proxy.
    file_server
    reverse_proxy http://192.168.1.16:11000 
}
#
# OWNCLOUD on BEES swarm via DYNU
#
# Proxies all requests to 192.168.1.3:8080.
mycloud.johnsnexus.click {
    # HSTS for 15552000 seconds (180 days); no includeSubDomains or preload.
    header Strict-Transport-Security max-age=15552000
    # NOTE(review): presumably unreachable behind the unmatched reverse_proxy.
    file_server
    reverse_proxy 192.168.1.3:8080
}
#
# Proxies to an HTTPS backend at 192.168.1.3:9980, with gzip response encoding.
code.johnsnexus.click {
       encode gzip
       # NOTE(review): presumably unreachable behind the unmatched reverse_proxy.
       file_server
       reverse_proxy https://192.168.1.3:9980 {
       transport http {
          # NOTE(review): the backend certificate is not verified, so the
          # proxy cannot tell the real backend from another host answering on
          # that address. Trust the backend's CA or certificate instead.
          tls_insecure_skip_verify
       }
    }
}
#
# Vaultwarden on Production Cluster, come here via HOSTS
#
#warden.johnsnexus.click {
#    reverse_proxy http://192.168.1.1:80
#}
#
# SongKong on VALHALLA, come here via DYNU
# HTTPS-only site address; all requests are proxied to http://192.168.1.7:4567.
# NOTE(review): root/file_server sit behind an unmatched reverse_proxy and are
# presumably never reached. If a matcher is added later, /music would become
# directly downloadable - confirm that is intended before keeping them.
https://chord.johnsnexus.click {
    root * /music
    file_server
    reverse_proxy http://192.168.1.7:4567
}
##
# n8n running on DELTA, come here via DYNU
#
# Proxies all requests to http://192.168.1.10:5678.
donut.johnsnexus.click {
   reverse_proxy http://192.168.1.10:5678 {
       # -1 disables response buffering: data is flushed to the client as
       # soon as the backend writes it (needed for streamed responses).
       flush_interval -1
   }
}
#
# CTiO magazine using Ghost on production
#
# Proxies all requests to 192.168.1.1:2368.
# NOTE(review): file_server has no root and is presumably unreachable behind
# the unmatched reverse_proxy - confirm and remove.
ctio.johnsnexus.click {
    file_server
    reverse_proxy 192.168.1.1:2368
}
#
#****************************************
#
# Hoarder from hosts file, keep in external domain
# Needs SSL; leave as explicit address; use 3200 as gitea uses 3000
#
# TLS terminates at Caddy (automatic HTTPS for the hostname); requests are
# then proxied over plain HTTP to 192.168.1.4:3200.
hoarder.johnsnexus.click {
     reverse_proxy 192.168.1.4:3200 
}
#
# # although "prod" it runs on Elite Cluster
# Proxies all requests to 192.168.1.4:3030; access control is left to the
# backend application, as no auth snippet is imported here.
grafana.johnsnexus.click {
#     file_server
     reverse_proxy 192.168.1.4:3030
}
# new gitea on elite cluster
# Proxies all requests to 192.168.1.4:3000.
mygit.johnsnexus.click {
     reverse_proxy 192.168.1.4:3000
}
#
# copy of mygit on the production cluster
# Proxies all requests to 192.168.1.1:3000.
# NOTE(review): file_server has no root and is presumably unreachable behind
# the unmatched reverse_proxy - confirm and remove.
gitea.johnsnexus.click {
    file_server
    reverse_proxy 192.168.1.1:3000
}
#
# Proxies all requests to 192.168.1.4:8111.
gotify.johnsnexus.click {
     reverse_proxy 192.168.1.4:8111
}
#
# Portainer managed on ELITE cluster, come here via HOSTS
# Use port 9000 not 9443
# Proxies all requests to 192.168.1.4:9000 over plain HTTP.
# NOTE(review): this is a container-management console and only its own login
# protects it here. Putting it behind "import secure_site *", or restricting
# it with a remote_ip matcher, would add a second layer.
portainer.johnsnexus.click {
     reverse_proxy 192.168.1.4:9000
}
#
# Open Media Vault from HOSTS file
#
# Proxies all requests to 192.168.1.7 (no port given, so the default HTTP
# port is used). Access control is left to the backend's own login.
omv.valhalla.johnsnexus.click {
     reverse_proxy 192.168.1.7
}
#
# Proxies all requests to 192.168.1.8 (no port given, so the default HTTP
# port is used). Access control is left to the backend's own login.
omv.paradise.johnsnexus.click {
     reverse_proxy 192.168.1.8
}
