Add guarding mechanic using Authentik and Caddy

modules/01-networking/caddy-service/main.tf

@@ -25,6 +25,7 @@ locals {
           site_address          = "${subdomain}.${domain}"
           endpoint              = service.endpoint
           service_name          = service.name
+          is_route_protected    = service.is_guarded
           has_custom_config     = service.caddy_config != ""
           custom_config         = service.caddy_config
           reverse_proxy_options = service.caddy_options
@@ -63,27 +64,34 @@ locals {
   // Generate the main Caddyfile content
   caddyfile_content = format("%s%s", local.caddyfile_default, join("\n\n", [
     for site in local.caddy_site_configs :
-    site.has_custom_config ?
     // Use the custom Caddy config if provided
     <<-EOT
     ${site.site_address} {
       import headers
-      ${site.custom_config}
-    }
-    EOT
-    :
-    // Otherwise use the standard reverse proxy config with options
-    <<-EOT
-    ${site.site_address} {
-      import headers
-      reverse_proxy ${site.endpoint} {
-        ${join("\n        ", [
-    for key, value in site.reverse_proxy_options :
-    "${key} ${value}"
-])}
+      route {
+        %{ if site.is_route_protected }
+        reverse_proxy /outpost.goauthentik.io/* http://authentik:9000
+
+        forward_auth http://authentik:9000 {
+            uri /outpost.goauthentik.io/auth/caddy
+            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Entitlements X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+            trusted_proxies private_ranges
+        }
+        %{ endif }
+        %{ if site.has_custom_config }
+        ${site.custom_config}
+        %{ else }
+        reverse_proxy ${site.endpoint} {
+          ${join("\n        ", [
+            for key, value in site.reverse_proxy_options : 
+            "${key} ${value}"
+          ])}
+        }
+        %{ endif }
       }
     }
     EOT
+
 ]))
 }
 

modules/01-networking/caddy-service/variables.tf

@@ -34,6 +34,7 @@ variable "service_definitions" {
     publish_via   = optional(string)
     caddy_config  = optional(string, "")
     caddy_options = optional(map(string), {})
+    is_guarded    = optional(bool, false)
   }))
 }
 

modules/10-generic/docker-service/variables.tf

@@ -83,12 +83,6 @@ variable "labels" {
   default     = {}
 }
 
-variable "managed_by_caddy" {
-  description = "Enable mounting container through labels"
-  type        = bool
-  default     = true
-}
-
 variable "host_mappings" {
   description = "Additional host mappings for the container (/etc/hosts entries)"
   type = list(object({

modules/20-services-entertainment/jellyfin-service/main.tf

@@ -55,5 +55,6 @@ output "service_definition" {
     primary_port = local.jellyfin_internal_port
     endpoint     = "http://${local.container_name}:${local.jellyfin_internal_port}"
     subdomains   = ["tv"]
+    is_guarded   = true
   }
 }