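{
	# Debug-level logging is verbose; leave it off outside local troubleshooting.
	debug

	# Configure caddy-security.
	order authenticate before respond
	security {
		oauth identity provider generic {
			delay_start 3
			realm generic
			driver generic
			# Credentials come from the Caddy process environment instead of being
			# committed with the config. The client id/secret that previously sat on
			# these two lines were checked in with the file; treat that secret as
			# exposed and rotate it at the identity provider.
			# OAUTH_CLIENT_ID / OAUTH_CLIENT_SECRET are placeholder variable names —
			# rename to match your deployment.
			client_id {env.OAUTH_CLIENT_ID}
			client_secret {env.OAUTH_CLIENT_SECRET}
			scopes openid email profile
			base_auth_url https://id.trustme.click
			metadata_url https://id.trustme.click/.well-known/openid-configuration
		}

		authentication portal myportal {
			crypto default token lifetime 3600 # Seconds until you have to re-authenticate
			enable identity provider generic
			# Keep the Secure flag on: the session cookie is only sent over TLS.
			cookie insecure off
			# Every identity authenticated through realm "generic" receives the
			# "user" role, which mypolicy below accepts. Who may reach the
			# protected sites is therefore decided entirely by who can sign in at
			# the identity provider; no group or claim check happens here.
			transform user {
				match realm generic
				action add role user
			}
		}

		authorization policy mypolicy {
			# Where unauthenticated requests are sent to start the login flow.
			set auth url /caddy-security/oauth2/generic
			allow roles user
			inject headers with claims
		}
	}
}
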
# Apex and wildcard catch-all. Hosts with their own site block below take
# precedence over the wildcard; anything else lands here and gets a static
# confirmation response.
trustme.click, *.trustme.click {
	# Operator-managed certificate and key; automatic issuance/renewal does
	# not apply to these hosts, so renewal is handled outside Caddy.
	tls /etc/ssl/certs/trustme.click.crt /etc/ssl/private/trustme.click.key
	respond "{host} reached"
}

# Identity provider (pocket-id) served over a local unix socket. This host is
# deliberately not placed behind caddy-security: it is the provider that the
# "generic" OAuth configuration (base_auth_url / metadata_url) points at.
id.trustme.click {
	reverse_proxy unix//run/pocket-id/pocket-id.sock
}

# Demo endpoint protected by caddy-security: the portal's own paths are
# handled first, then every other request must satisfy mypolicy.
secure.trustme.click {
	# Portal endpoints live under this prefix.
	@auth {
		path /caddy-security/*
	}

	# Runs before the catch-all route so the portal's own requests are not
	# themselves subjected to the authorization policy.
	route @auth {
		authenticate with myportal
	}

	# Everything else requires a valid session carrying the "user" role.
	route /* {
		authorize with mypolicy
		respond "login {host} reached"
	}
}

# Web terminal (ttyd) behind the same portal and policy as secure.trustme.click.
# mypolicy admits anyone holding the "user" role, and the portal grants that
# role to every identity from realm "generic" — so every account able to sign
# in at the identity provider reaches the terminal.
ttyd.trustme.click {
	# Portal endpoints live under this prefix.
	@auth {
		path /caddy-security/*
	}

	# Runs before the catch-all route so the portal's own requests are not
	# themselves subjected to the authorization policy.
	route @auth {
		authenticate with myportal
	}

	# Everything else requires a valid session, then is proxied to ttyd.
	route /* {
		authorize with mypolicy
		reverse_proxy unix//run/ttyd/ttyd.sock {
			# reverse_proxy passes Host and sets X-Forwarded-* headers by default;
			# these header_up lines pin them explicitly. Note X-Forwarded-For is
			# overwritten with the direct peer rather than appended to any
			# inbound value.
			header_up Host {host}
			header_up X-Forwarded-Proto {scheme}
			header_up X-Forwarded-For {remote_host}
		}
	}
}
78}