From 26dcdb0f832bcfc631bed7bda58fcd45ed3c0497 Mon Sep 17 00:00:00 2001
From: Jannik Kramer
Date: Sat, 29 Nov 2025 08:13:47 +0100
Subject: [PATCH] updates caddy, separates caddyfiles, introduces env file for secrets, improves deployment/update process
---
 .../reverse-proxy/Caddyfile | 101 +-----------------
 .../reverse-proxy/compose.yaml | 14 +-
 .../reverse-proxy/sites/oauthed.caddy | 50 +++++++++
 .../reverse-proxy/sites/redirect.caddy | 11 ++
 .../reverse-proxy/sites/services.caddy | 24 +++++
 playbooks/05-update-caddy.yml | 4 +-
 6 files changed, 96 insertions(+), 108 deletions(-)
 create mode 100644 docker_compose_applications/reverse-proxy/sites/oauthed.caddy
 create mode 100644 docker_compose_applications/reverse-proxy/sites/redirect.caddy
 create mode 100644 docker_compose_applications/reverse-proxy/sites/services.caddy
diff --git a/docker_compose_applications/reverse-proxy/Caddyfile b/docker_compose_applications/reverse-proxy/Caddyfile
index d209588..64874b5 100644
--- a/docker_compose_applications/reverse-proxy/Caddyfile
+++ b/docker_compose_applications/reverse-proxy/Caddyfile
@@ -1,100 +1 @@
-(oauth2_protect) {
- handle /oauth2/* {
- reverse_proxy oauth2-proxy:4180
- }
-
- handle {
- forward_auth oauth2-proxy:4180 {
- uri /oauth2/auth
- copy_headers Authorization
-
- @bad status 4xx
- handle_response @bad {
- redir https://{args[0]}/oauth2/start
- }
- }
-
- reverse_proxy {args[1]}
- }
-}
-
-pseudo.cortex.consider-funding.de {
- import oauth2_protect pseudo.cortex.consider-funding.de http://transcript-anonymizer-frontend:5000
-}
-
-# transcript-prompter
-p-3001.cortex.consider-funding.de {
- reverse_proxy http://10.20.0.2:3001
-}
-
-#hubspot-writer
-p-8002.cortex.consider-funding.de {
- reverse_proxy http://10.20.0.2:8002
-}
-
-# pseudomizer
-p-8003.cortex.consider-funding.de {
- reverse_proxy http://transcript-anonymizer:8003
-}
-
-pdf.consider-it.de {
- import oauth2_protect pdf.consider-it.de http://stirling-pdf:8080
-}
-
-registry.cortex.consider-funding.de {
- handle /oauth2/* {
- reverse_proxy oauth2-proxy:4180
- }
-
- handle {
- forward_auth oauth2-proxy:4180 {
- uri /oauth2/auth
- copy_headers Authorization
- copy_headers X-Auth-Request-Email
-
- @bad status 4xx
- handle_response @bad {
- redir https://registry.cortex.consider-funding.de/oauth2/start
- }
- }
-
- reverse_proxy https://ai-registry.neukiefer.de {
- header_up Host ai-registry.neukiefer.de
- header_up Authorization "Basic Y2l0OnBDMVpUNVFtZjc2WWVGYzA="
- }
- }
-}
-
-enricher.cortex.consider-funding.de {
- handle /oauth2/* {
- reverse_proxy oauth2-proxy:4180
- }
-
- handle {
- forward_auth oauth2-proxy:4180 {
- uri /oauth2/auth
- copy_headers Authorization
- copy_headers X-Auth-Request-Email
-
- @bad status 4xx
- handle_response @bad {
- redir https://enricher.cortex.consider-funding.de/oauth2/start
- }
- }
-
- reverse_proxy https://ai-enricher.neukiefer.de {
- header_up Host ai-enricher.neukiefer.de
- header_up Authorization "Basic Y2l0OnBDMVpUNVFtZjc2WWVGYzA="
- }
- }
-}
-
-n8n.consider-funding.de {
- reverse_proxy n8n:5678 {
- flush_interval -1
- }
-}
-
-metabase.consider-it.de {
- reverse_proxy metabase:3000
-}
+import /etc/caddy/sites/*.caddy
diff --git a/docker_compose_applications/reverse-proxy/compose.yaml b/docker_compose_applications/reverse-proxy/compose.yaml
index c51e87f..48fa0b6 100644
--- a/docker_compose_applications/reverse-proxy/compose.yaml
+++ b/docker_compose_applications/reverse-proxy/compose.yaml
@@ -3,19 +3,21 @@ # - https://caddyserver.com/docs/ services: - caddy: - image: caddy container_name: caddy + image: caddy:2.10 + restart: unless-stopped + ports: + - 0.0.0.0:80:80 + - 0.0.0.0:443:443 volumes: - ./Caddyfile:/etc/caddy/Caddyfile:ro + - ./sites/:/etc/caddy/sites/:ro - /ansible_docker_compose/project_data/reverse-proxy/caddy/data:/data - ports: - - '0.0.0.0:80:80' - - '0.0.0.0:443:443' + env_file: + - .env networks: - caddy_net - restart: unless-stopped networks: caddy_net:
diff --git a/docker_compose_applications/reverse-proxy/sites/oauthed.caddy b/docker_compose_applications/reverse-proxy/sites/oauthed.caddy
new file mode 100644
index 0000000..202b272
--- /dev/null
+++ b/docker_compose_applications/reverse-proxy/sites/oauthed.caddy
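Review bot: The removed `header_up Authorization "Basic …"` lines for the ai-registry and ai-enricher upstreams leave a working Basic credential in git history, and moving the value into `{env.REGISTRY_DOWNSTREAM_AUTH}` / `{env.ENRICHER_DOWNSTREAM_AUTH}` does not take it back out; that credential should be treated as disclosed and rotated on the upstream side, with only the new value going into the env file. Nothing in this commit adds `.env` to a `.gitignore` or ships an `.env.example` naming the two expected keys, so unless that already exists outside this diff, the next `git add .` can repeat the leak and a fresh checkout gives no hint which variables the `sites/oauthed.caddy` placeholders need. A one-line `# secrets live in ./.env (not committed); see .env.example` next to the new `import /etc/caddy/sites/*.caddy` would make the contract visible at the entry point.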
@@ -0,0 +1,50 @@
+(oauth2) {
+ handle /oauth2/* {
+ reverse_proxy oauth2-proxy:4180
+ }
+
+ handle {
+ forward_auth oauth2-proxy:4180 {
+ uri /oauth2/auth
+ copy_headers Authorization
+ copy_headers X-Auth-Request-Email
+
+ @bad status 4xx
+ handle_response @bad {
+ redir https://{args[0]}/oauth2/start
+ }
+ }
+
+ {block}
+ }
+}
+
+registry.cortex.consider-funding.de {
+ import oauth2 registry.cortex.consider-funding.de {
+ reverse_proxy https://ai-registry.neukiefer.de {
+ header_up Host ai-registry.neukiefer.de
+ header_up Authorization {env.REGISTRY_DOWNSTREAM_AUTH}
+ }
+ }
+}
+
+pdf.consider-it.de {
+ import oauth2 pdf.consider-it.de {
+ reverse_proxy http://stirling-pdf:8080
+ }
+}
+
+pseudo.cortex.consider-funding.de {
+ import oauth2 pseudo.cortex.consider-funding.de {
+ reverse_proxy http://transcript-anonymizer-frontend:5000
+ }
+}
+
+enricher.cortex.consider-funding.de {
+ import oauth2 enricher.cortex.consider-funding.de {
+ reverse_proxy https://ai-enricher.neukiefer.de {
+ header_up Host ai-enricher.neukiefer.de
+ header_up Authorization {env.ENRICHER_DOWNSTREAM_AUTH}
+ }
+ }
+}
diff --git a/docker_compose_applications/reverse-proxy/sites/redirect.caddy b/docker_compose_applications/reverse-proxy/sites/redirect.caddy
new file mode 100644
index 0000000..db6ff88
--- /dev/null
+++ b/docker_compose_applications/reverse-proxy/sites/redirect.caddy
@@ -0,0 +1,11 @@
+adlerpersonal.de, www.adlerpersonal.de {
+ redir https://consider-it.de permanent
+}
+
+arbeiterkneipe.de, www.arbeiterkneipe.de {
+ redir https://consider-it.de permanent
+}
+
+consider-us.com, www.consider-us.com {
+ redir https://consider-it.de permanent
+}
diff --git a/docker_compose_applications/reverse-proxy/sites/services.caddy b/docker_compose_applications/reverse-proxy/sites/services.caddy
new file mode 100644
index 0000000..72d42f4
--- /dev/null
+++ b/docker_compose_applications/reverse-proxy/sites/services.caddy
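Review bot: The new `(oauth2)` snippet has no comment stating its contract, and a reader has to infer from `{args[0]}` and `{block}` that the single argument is the site's public host (used only to build the `/oauth2/start` redirect) and that the block is the handler chain run once `forward_auth` has passed; a header comment such as `# usage: import oauth2 <public-host> { <handlers for authenticated requests> }` above `(oauth2) {` would spare the next editor that reconstruction. It is also worth recording, either there or next to the two `header_up Authorization {env.…}` lines, that these are request-time placeholders: as far as I can tell an unset variable does not stop Caddy from starting but results in an empty Authorization header being sent upstream, so a misspelled key in the env file surfaces only as upstream 401s. A check in the deploy step that both variables are present would turn that into a visible failure at update time. Note as well that `copy_headers X-Auth-Request-Email` now applies to the pdf and pseudo sites, which the previous `oauth2_protect` snippet did not forward; that is probably intended but deserves a word in the commit.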
@@ -0,0 +1,24 @@
+n8n.consider-funding.de {
+ reverse_proxy n8n:5678 {
+ flush_interval -1
+ }
+}
+
+metabase.consider-it.de {
+ reverse_proxy metabase:3000
+}
+
+# transcript-prompter
+p-3001.cortex.consider-funding.de {
+ reverse_proxy http://10.20.0.2:3001
+}
+
+#hubspot-writer
+p-8002.cortex.consider-funding.de {
+ reverse_proxy http://10.20.0.2:8002
+}
+
+# pseudomizer
+p-8003.cortex.consider-funding.de {
+ reverse_proxy http://transcript-anonymizer:8003
+}
diff --git a/playbooks/05-update-caddy.yml b/playbooks/05-update-caddy.yml
index 380b61c..d70a517 100644
--- a/playbooks/05-update-caddy.yml
+++ b/playbooks/05-update-caddy.yml
@@ -3,8 +3,8 @@
 tasks:
 - name: Deploy desired projects, adding new ones and updating existing ones
 ansible.posix.synchronize:
- src: "../docker_compose_applications/reverse-proxy/Caddyfile"
- dest: "/ansible_docker_compose/projects/reverse-proxy/Caddyfile"
+ src: "../docker_compose_applications/reverse-proxy/"
+ dest: "/ansible_docker_compose/projects/reverse-proxy/"
 mode: push
 archive: false
 copy_links: false
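Review bot: The widened `src`/`dest` pair in the synchronize task pushes the whole `reverse-proxy/` tree but the task sets no `delete`, so a `*.caddy` file removed from the repo stays in `/ansible_docker_compose/projects/reverse-proxy/sites/` on the host and keeps being picked up by the new `import /etc/caddy/sites/*.caddy` glob; a decommissioned site would silently remain served with whatever upstream it last pointed at. Adding `delete: true` closes that gap, but only if `.env` is sourced from the control node as well — if it exists only on the host, a second synchronize task scoped to `sites/` with `delete: true` is the safer shape. Either way the task name or a comment should say whether the env file is expected to travel with this sync, since the compose change now depends on it. The play header and any following tasks are outside the hunk.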