homelab/services/caddy/Caddyfile

import /opt/homelab/services/caddy/snippets/*.caddy
# Global options: ACME account contact and Caddy's default logger.
{
    email pavel123357@gmail.com

    # `log` in the global block configures Caddy's default (runtime) logger; it
    # does not turn on per-request access logging. Access logs are produced only
    # by sites that carry their own `log` directive, so a site without one
    # leaves no request trail here unless an imported snippet adds it.
    log {
        output file /var/log/caddy/access.log
        format json
    }
}
# pass.sesur.dev: proxied straight to the local service on port 9000.
# NOTE(review): no authentik_forward_auth and no `log` directive here, so the
# backend's own login is the only gate and requests are not access-logged.
# That is expected if this is the identity provider itself; confirm.
pass.sesur.dev {
    reverse_proxy 127.0.0.1:9000
}
# home.sesur.dev: forward-auth in front of the service on port 3050.
# `route` keeps directives in written order, so the authentik_forward_auth
# snippet (defined in the imported snippets directory, not shown here) is
# evaluated before the proxy.
home.sesur.dev {
    route {
        import authentik_forward_auth
        reverse_proxy 127.0.0.1:3050
    }
}
# dozzle.sesur.dev: forward-auth in front of the service on port 9999.
# `route` keeps directives in written order, so the authentik_forward_auth
# snippet (defined in the imported snippets directory, not shown here) is
# evaluated before the proxy.
# NOTE(review): the same backend is also published as http://dozzle.lan
# further down, without this forward-auth step.
dozzle.sesur.dev {
    route {
        import authentik_forward_auth
        reverse_proxy 127.0.0.1:9999
    }
}
# photos.sesur.dev: service on port 2283, with per-site access logging.
photos.sesur.dev {
    log {
        output file /var/log/caddy/access.log
        format json
    }

    # Optional: allow large uploads (adjust as you like)
    # NOTE(review): with a 20GB cap a single request may stream that much to the
    # backend. No forward-auth is imported for this site, so presumably the
    # application's own login decides who may upload; confirm, and keep the
    # limit close to what real uploads need.
    request_body {
        max_size 20GB
    }

    reverse_proxy 127.0.0.1:2283
}
# vault.sesur.dev: main UI/API on port 8222, notifications hub on port 3012.
# Outside a `route` block Caddy sorts directives by its built-in order, so the
# position of `log`, `header`, `handle` and `reverse_proxy` in this block does
# not affect evaluation.
vault.sesur.dev {
    log {
        output file /var/log/caddy/access.log
        format json
    }

    # Response hardening headers for this site only; no other site in this file
    # sets them directly.
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        Referrer-Policy "strict-origin-when-cross-origin"
    }

    # Admin: allow LAN only
    # `respond` is ordered ahead of `reverse_proxy`, so a peer outside
    # 192.168.1.0/24 gets the 403 and never reaches the backend.
    # remote_ip matches the direct TCP peer. If a proxy, tunnel or
    # source-rewriting NAT ever sits in front of Caddy, every request would
    # carry that hop's address; configure trusted_proxies and match on
    # client_ip in that case.
    @admin path /admin*
    handle @admin {
        @notlan not remote_ip 192.168.1.0/24
        respond @notlan 403
        reverse_proxy 127.0.0.1:8222
    }

    # The negotiate endpoint stays on the main port even though it sits under
    # the hub path.
    @negotiate path /notifications/hub/negotiate
    reverse_proxy @negotiate 127.0.0.1:8222

    # WebSocket notifications (Bitwarden clients). Must be routed to 3012.
    @hub path /notifications/hub*
    reverse_proxy @hub 127.0.0.1:3012

    # Everything else (UI + API) goes to main port.
    reverse_proxy 127.0.0.1:8222
}
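# adguard.lan: plain-HTTP front for the service on port 3000, LAN clients only.
# Caddy selects this site purely by the Host header on its HTTP listener; a
# name that resolves only on the LAN is not an access control by itself. The
# guard below mirrors the /admin rule in vault.sesur.dev: peers outside
# 192.168.1.0/24 get a 403 (`respond` is ordered ahead of `reverse_proxy`).
# remote_ip is the direct TCP peer; widen the range if LAN clients also arrive
# over IPv6, a VPN subnet, or from the host itself via loopback.
http://adguard.lan {
    @notlan not remote_ip 192.168.1.0/24
    respond @notlan 403
    reverse_proxy 127.0.0.1:3000
}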
# Requests addressed to the bare LAN IP over HTTP get a fixed text reply;
# nothing is proxied from this site.
http://192.168.1.47 {
    respond "i am working, master"
}
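# dozzle.lan: plain-HTTP front for the service on port 9999, LAN clients only.
# This is the same backend that dozzle.sesur.dev puts behind forward-auth, so
# this unauthenticated path must not be reachable from outside the LAN. Caddy
# selects the site purely by the Host header on its HTTP listener; a name that
# resolves only on the LAN is not an access control by itself. The guard below
# mirrors the /admin rule in vault.sesur.dev: peers outside 192.168.1.0/24 get
# a 403 (`respond` is ordered ahead of `reverse_proxy`).
# remote_ip is the direct TCP peer; widen the range if LAN clients also arrive
# over IPv6, a VPN subnet, or from the host itself via loopback.
http://dozzle.lan {
    @notlan not remote_ip 192.168.1.0/24
    respond @notlan 403
    reverse_proxy 127.0.0.1:9999
}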
# rat.sesur.dev: service on port 4000 behind forward-auth, except /api/sub/*.
rat.sesur.dev {
    # `handle` is ordered ahead of `route`, so /api/sub/* is proxied without the
    # forward-auth step; those endpoints depend entirely on the backend's own
    # checks. NOTE(review): this site has no `log` directive, so these
    # unauthenticated requests leave no access-log entry in Caddy.
    handle /api/sub/* {
        reverse_proxy 127.0.0.1:4000
    }

    # All other paths: the authentik_forward_auth snippet (defined in the
    # imported snippets directory, not shown here) runs first, then the proxy.
    route {
        import authentik_forward_auth
        reverse_proxy 127.0.0.1:4000
    }
}
# rat-api.sesur.dev: single-address allowlist in front of the service on port
# 4000, the same upstream that rat.sesur.dev protects with forward-auth.
# Any peer other than 31.57.61.253 receives 403 "Forbidden"; `respond` is
# ordered ahead of `reverse_proxy`, so rejected requests never reach the
# backend. The allowed address gets the whole backend with no forward-auth.
# remote_ip matches the direct TCP peer, so the rule is only meaningful while
# Caddy terminates client connections itself.
# NOTE(review): there is no `log` directive, so neither allowed nor rejected
# requests are access-logged.
rat-api.sesur.dev {
    @notAllowed not remote_ip 31.57.61.253
    respond @notAllowed "Forbidden" 403
    reverse_proxy 127.0.0.1:4000
}
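# cyberchef.lan: plain-HTTP front for the service on port 8085, LAN clients only.
# Caddy selects this site purely by the Host header on its HTTP listener; a
# name that resolves only on the LAN is not an access control by itself. The
# guard below mirrors the /admin rule in vault.sesur.dev: peers outside
# 192.168.1.0/24 get a 403 (`respond` is ordered ahead of `reverse_proxy`).
# remote_ip is the direct TCP peer; widen the range if LAN clients also arrive
# over IPv6, a VPN subnet, or from the host itself via loopback.
http://cyberchef.lan {
    @notlan not remote_ip 192.168.1.0/24
    respond @notlan 403
    reverse_proxy 127.0.0.1:8085
}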
# truenews.sesur.dev: public static file server rooted at the bot's data
# directory. There is no `browse`, so directories are not listed, but no `hide`
# patterns are set either, so any file under the root can be fetched by path.
# NOTE(review): confirm the directory holds only content meant to be public
# (no state files, databases or credentials), or point `root` at a dedicated
# publish subdirectory.
truenews.sesur.dev {
    root * /srv/vk-podcast-bot/data
    file_server
}