feat: RBAC multi-user role-based access control
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
- Add rbac.py with User model, LDAP group-to-role mapping, page/write dependencies - Proxy auth reads Remote-Groups header to resolve role from LDAP groups - JWT tokens carry role claim, /me returns role + allowed pages - Per-router page access control and viewer write protection - Terminal WebSocket RBAC check - Frontend filters sidebar links and routes by allowed pages - Admin-only Settings page and RBAC override endpoints - Mount rbac.json in docker-compose for page config persistence
This commit is contained in:
@@ -73,12 +73,77 @@ dev.nas.jimmygan.com {
|
||||
}
|
||||
|
||||
git.jimmygan.com {
|
||||
tls {
|
||||
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
|
||||
}
|
||||
forward_auth 127.0.0.1:9092 {
|
||||
uri /api/verify?rd=https://auth.jimmygan.com:8443
|
||||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||
}
|
||||
reverse_proxy 127.0.0.1:3300
|
||||
tls {
|
||||
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
|
||||
}
|
||||
forward_auth 127.0.0.1:9092 {
|
||||
uri /api/verify?rd=https://auth.jimmygan.com:8443
|
||||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||
}
|
||||
reverse_proxy 127.0.0.1:3300
|
||||
}
|
||||
|
||||
photos.jimmygan.com {
|
||||
tls {
|
||||
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
|
||||
}
|
||||
forward_auth 127.0.0.1:9092 {
|
||||
uri /api/verify?rd=https://auth.jimmygan.com:8443
|
||||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||
}
|
||||
reverse_proxy 127.0.0.1:2283 {
|
||||
header_up X-Forwarded-Proto https
|
||||
header_up X-Forwarded-Host {host}
|
||||
}
|
||||
}
|
||||
|
||||
media.jimmygan.com {
|
||||
tls {
|
||||
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
|
||||
}
|
||||
forward_auth 127.0.0.1:9092 {
|
||||
uri /api/verify?rd=https://auth.jimmygan.com:8443
|
||||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||
}
|
||||
reverse_proxy 127.0.0.1:8096
|
||||
}
|
||||
|
||||
books.jimmygan.com {
|
||||
tls {
|
||||
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
|
||||
}
|
||||
forward_auth 127.0.0.1:9092 {
|
||||
uri /api/verify?rd=https://auth.jimmygan.com:8443
|
||||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||
}
|
||||
reverse_proxy 127.0.0.1:13378
|
||||
}
|
||||
|
||||
pdf.jimmygan.com {
|
||||
tls {
|
||||
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
|
||||
}
|
||||
forward_auth 127.0.0.1:9092 {
|
||||
uri /api/verify?rd=https://auth.jimmygan.com:8443
|
||||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||
}
|
||||
reverse_proxy 127.0.0.1:8030
|
||||
}
|
||||
|
||||
vault.jimmygan.com {
|
||||
tls {
|
||||
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
|
||||
}
|
||||
forward_auth 127.0.0.1:9092 {
|
||||
uri /api/verify?rd=https://auth.jimmygan.com:8443
|
||||
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
|
||||
}
|
||||
reverse_proxy 127.0.0.1:8222
|
||||
}
|
||||
|
||||
speed.jimmygan.com {
|
||||
tls {
|
||||
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
|
||||
}
|
||||
reverse_proxy 127.0.0.1:8080
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user