From 06c9b0abe8f05fbf79d42fff7343302d204d360d Mon Sep 17 00:00:00 2001
From: john
Date: Thu, 27 Nov 2025 16:51:18 +0000
Subject: [PATCH] Add caddy/Caddyfile

---
 caddy/Caddyfile | 237 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 237 insertions(+)
 create mode 100644 caddy/Caddyfile

diff --git a/caddy/Caddyfile b/caddy/Caddyfile
new file mode 100644
index 0000000..65b1865
--- /dev/null
+++ b/caddy/Caddyfile
@@ -0,0 +1,237 @@
+# Caddyfile on production cluster
+{
+ # Global options, omly one such block at the head of the file
+ servers {
+ trusted_proxies static 192.168.1.0/24 2a00:23c6::/32
+ }
+ # make admin available to all trusted nodes on the network
+ admin :2019
+ metrics
+}
+#
+
+#
+# For Authelis
+#
+(trusted_proxy_list) {
+ trusted_proxies 192.168.1.0/24 2a00:23c6::/32
+}
+
+(secure_site) {
+ forward_auth {args[0]} 192.168.1.1:9091 {
+ uri /api/verify?rd=https://auth.johnsnexus.click
+ copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+ import trusted_proxy_list
+ header_up Host {upstream_hostport}
+ }
+}
+#
+# it appears you need this to allow prometheus on a remote node to scrape the metrics
+:2019 {
+ handle {
+ metrics
+ }
+}
+#
+# Snippet for basic authorisation
+#
+(basic-auth) {
+ basic_auth {
+ john.anderson $2a$10$T.yetVs9CmektYsaU8RqYu37fVaFAsPDLf90lsDDfxLkaC.zWH3Oi
+ mary.anderson $2a$10$UOuB5DpDcKRho0rRPDCmCeFlDSx/f6Bkwqpw8CEeQCbAGA0yULcny
+ frazer.anderson $2a$10$UleGw5O0BB18XtSenFSawudO.qKbNVMFU772XMP4cAAUbWzRo/zr6
+ chris.anderson $2a$10$1MeL9m8M7FW/k6/DW3HB1.rkijS3qao8RraNO/tJKN8OuRTCzc3fK
+ ruth.hoyos $2a$10$9z/3SajAWhxJfu6Xs1lbEeuPpZWUzcuBI/8n5hfv5FUqt11Uxo92S
+ sarah.anderson-beecham $2a$10$.8J1FMBwGDr8XSXCMWcn2ODxSW6txLEqSBHZmA6zQs8qQCDT2KbR2
+ fiona.green $2a$10$Nid0Lg6Wauwi/5BN4N2H5u8T6XumK4EE2MBxZaKXajxUAuUXPEvGO
+ helen.crichton $2a$10$zOcnxMCr62NtNK3YTaWbRuOclI/lC1Lkn1RidTOxkgBTgruQgfg9K
+ david.rawsthorne $2a$10$OIALdPjjQT6i5exUg8GtmOGk4BD4WmanmDhF7wCVH/IbpQQSt6PAS
+ peter.rawsthorne $2a$10$asUwJpdwc4QlGc8b1A1v7ukBCIQTlzm59uRnBH6AnWiK6NAECW03S
+ marilyn.pope $2a$10$6iD1J3FVmFbY7i02gQaF0eu1fY4ufUsXiXMyc1G9YfXbYKwuamjI2
+ alan.potts $2a$10$tzbIZwIuzcdrIzJICIS1oeadwoKyr3JqL2Ec9aB8Dj.MR4Q7lMcV.
+ kate.griffin $2a$10$9R57yOgGilEPZNwCbjWHeOu/ytTv4SLbW0P/plRnI.GqHe3w3IJjO
+ craig.johnson $2a$10$LQf3tK0ZHl63LHybpDfSdu1WT9OtcLeNZTfCwniPlmuqHiNF.yOq6
+ grant.johnson $2a$10$7XZ3aoQdL/fLex48t6hgi.p9Xt3yNJNIXJKflxChprwT5O9zPy2hG
+ barbara.wright $2a$10$Mlp0Y2wPzzomL1EnTInS2u18yv7ksMY.ATURzQz4luRRe2JwBMEJS
+ janet.kennedy $2a$10$/8VCpm68CLSF2zSL5sHtR.hzwJ.h3cX3r8XHogHbz8o7KIYPDHOVW
+ }
+}
+#
+# Authelia from HOSTS
+#
+auth.johnsnexus.click {
+ reverse_proxy 192.168.1.1:9091 {
+ import trusted_proxy_list
+ }
+}
+#
+# Locally hosted site
+#
+testcaddy.johnsnexus.click {
+ root * /usr/share/caddy # compose file points to this
+ php_fastcgi 192.168.1.1:80
+ file_server
+}
+#
+# Family history web site via container on this cluster
+#
+sandancer.ddnsfree.com {
+ root * /var/www/html
+ file_server
+# reverse_proxy 192.168.1.1:8888
+ reverse_proxy famhistweb_famhistweb
+}
+#
+# PocketID OIDC security, come here from DYNU, running on OMEGA to access token device
+#
+https://hold.johnsnexus.click {
+ reverse_proxy 192.168.1.5:1411
+}
+#
+# Test GHOST site on ELITE cluster
+#
+ghost.johnsnexus.click {
+ root * /var/www/mymag
+ file_server
+ reverse_proxy 192.168.1.4:2368
+}
+#
+# Fanily History Web site on Production cluster system, come here via HOSTS file
+#
+nextfamhistweb.johnsnexus.click {
+# import basic-auth
+ import secure_site *
+# root * /usr/local/apache2/htdocs
+# file_server
+ reverse_proxy nextfamhistweb_nextfamhistweb {
+ import trusted_proxy_list
+ }
+}
+#
+# Test web site on Production Cluster, come here via HOSTS file
+# an example of a non-secure site on a different domain
+#
+http://northweb.johns.study {
+ import basic-auth
+ root * /usr/local/apache2/htdocs
+ file_server
+ reverse_proxy testweb_testweb
+}
+#
+# Test version of paperless-ngx on Elite cluster, come here via HOSTS file
+#
+wastebin.johnsnexus.click {
+ file_server
+ reverse_proxy 192.168.1.4:8600
+}
+#
+# Version of pydio cells on NODE-16 using SAMBA volume - DYNU public address
+#
+pydiocells.johnsnexus.click {
+# tls tls@johnsnexus.click
+ reverse_proxy 192.168.1.4:8888 {
+ transport http {
+ tls
+ tls_insecure_skip_verify
+ }
+ }
+}
+#
+# Nextcloud AIO on NODE-16, was Beta (220 or 9)
+#
+https://amudanan.johnsnexus.click:443 {
+ header Strict-Transport-Security max-age=15552000
+ file_server
+ reverse_proxy http://192.168.1.16:11000
+}
+#
+# OWNCLOUD on BEES swarm via DYNU
+#
+mycloud.johnsnexus.click {
+ header Strict-Transport-Security max-age=15552000
+ file_server
+ reverse_proxy 192.168.1.3:8080
+}
+#
+code.johnsnexus.click {
+ encode gzip
+ file_server
+ reverse_proxy https://192.168.1.3:9980 {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+}
+#
+# Vaultwarden on Production Cluster, come here via HOSTS
+#
+#warden.johnsnexus.click {
+# reverse_proxy http://192.168.1.1:80
+#}
+#
+# SongKong on VALHALLA, come here via DYNU
+https://chord.johnsnexus.click {
+ root * /music
+ file_server
+ reverse_proxy http://192.168.1.7:4567
+}
+##
+# n8n running on DELTA, come here via DYNU
+#
+donut.johnsnexus.click {
+ reverse_proxy http://192.168.1.10:5678 {
+ flush_interval -1
+ }
+}
+#
+# CTiO magazine using Ghost on production
+#
+ctio.johnsnexus.click {
+ file_server
+ reverse_proxy 192.168.1.1:2368
+}
+#
+#****************************************
+#
+# Hoarder from hosts file, keep in extenal domain
+# Needs SSL; leave as explicit address; use 3200 as gitea uses 3000
+#
+hoarder.johnsnexus.click {
+ reverse_proxy 192.168.1.4:3200
+}
+#
+# # although "prod" it runs on Elite Cluster
+grafana.johnsnexus.click {
+# file_server
+ reverse_proxy 192.168.1.4:3030
+}
+# new gitea on elite cluster
+mygit.johnsnexus.click {
+ reverse_proxy 192.168.1.4:3000
+}
+#
+# copy of mygit on the production cluster
+gitea.johnsnexus.click {
+ file_server
+ reverse_proxy 192.168.1.1:3000
+}
+#
+gotify.johnsnexus.click {
+ reverse_proxy 192.168.1.4:8111
+}
+#
+# Portainer manageed on ELITE cluster, come here via HOSTS
+# Use port 9000 not 9443
+portainer.johnsnexus.click {
+ reverse_proxy 192.168.1.4:9000
+}
+#
+# Open Media Vault from HOSTS file
+#
+omv.valhalla.johnsnexus.click {
+ reverse_proxy 192.168.1.7
+}
+#
+omv.paradise.johnsnexus.click {
+ reverse_proxy 192.168.1.8
+}
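Review bot: `admin :2019` in the global options binds Caddy's admin API, which has no authentication of its own, to every interface, so any host that can reach port 2019 — not only the "trusted nodes" the comment intends — can read and replace the running configuration; bind it to the management address instead, `admin <management-ip>:2019` (placeholder), add `origins`/`enforce_origin` as a secondary check and firewall the port, and note that the separate `:2019 { handle { metrics } }` site block appears to claim the same port as the admin listener (the `metrics` global option already serves `/metrics` on the admin endpoint), which I would expect to conflict. Both `trusted_proxies` lists (global `servers` and the `trusted_proxy_list` snippet reused under `forward_auth`) include `2a00:23c6::/32`, an ISP-sized IPv6 allocation rather than this site's own range, so forwarded client addresses from anywhere in that prefix are trusted; narrow it to the delegated prefix actually in use. `http://northweb.johns.study` imports `basic-auth` on a plain-HTTP site, so the Basic credentials cross the network in cleartext; drop the `http://` prefix so the site gets TLS. `pydiocells.johnsnexus.click` and `code.johnsnexus.click` set `tls_insecure_skip_verify`, which turns off upstream certificate validation; pin the upstream CA with `tls_trusted_ca_certs <ca-file>` (plus `tls_server_name` if the name differs) instead. The bcrypt hashes in the `basic-auth` snippet are credential material committed to version control and remain offline-crackable even though hashed, so rotate those passwords and keep the snippet in an untracked file pulled in with `import`.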