Files
Gan, Jimmy 9992105b49
Deploy Dashboard (Dev) / deploy-dev (push) Successful in 1m14s
feat: RBAC multi-user role-based access control
- Add rbac.py with User model, LDAP group-to-role mapping, page/write dependencies
- Proxy auth reads Remote-Groups header to resolve role from LDAP groups
- JWT tokens carry role claim, /me returns role + allowed pages
- Per-router page access control and viewer write protection
- Terminal WebSocket RBAC check
- Frontend filters sidebar links and routes by allowed pages
- Admin-only Settings page and RBAC override endpoints
- Mount rbac.json in docker-compose for page config persistence
2026-03-01 14:13:43 +08:00

150 lines
3.3 KiB
Plaintext
Executable File

{
https_port 8443
http_port 8880
servers {
protocols h1 h2
}
}
# Authelia endpoint (no forward_auth on itself)
auth.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
reverse_proxy 127.0.0.1:9092
}
# Protected services with forward_auth
nas.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
forward_auth 127.0.0.1:9092 {
uri /api/verify?rd=https://auth.jimmygan.com:8443
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy 127.0.0.1:4000
}
music.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
forward_auth 127.0.0.1:9092 {
uri /api/verify?rd=https://auth.jimmygan.com:8443
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy 127.0.0.1:4533 {
flush_interval -1
}
}
n8n.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
forward_auth 127.0.0.1:9092 {
uri /api/verify?rd=https://auth.jimmygan.com:8443
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy 127.0.0.1:5678
}
ldap.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
forward_auth 127.0.0.1:9092 {
uri /api/verify?rd=https://auth.jimmygan.com:8443
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy 127.0.0.1:17170
}
dev.nas.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
forward_auth 127.0.0.1:9092 {
uri /api/verify?rd=https://auth.jimmygan.com:8443
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy 127.0.0.1:4001
}
git.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
forward_auth 127.0.0.1:9092 {
uri /api/verify?rd=https://auth.jimmygan.com:8443
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy 127.0.0.1:3300
}
photos.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
forward_auth 127.0.0.1:9092 {
uri /api/verify?rd=https://auth.jimmygan.com:8443
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy 127.0.0.1:2283 {
header_up X-Forwarded-Proto https
header_up X-Forwarded-Host {host}
}
}
media.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
forward_auth 127.0.0.1:9092 {
uri /api/verify?rd=https://auth.jimmygan.com:8443
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy 127.0.0.1:8096
}
books.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
forward_auth 127.0.0.1:9092 {
uri /api/verify?rd=https://auth.jimmygan.com:8443
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy 127.0.0.1:13378
}
pdf.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
forward_auth 127.0.0.1:9092 {
uri /api/verify?rd=https://auth.jimmygan.com:8443
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy 127.0.0.1:8030
}
vault.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
forward_auth 127.0.0.1:9092 {
uri /api/verify?rd=https://auth.jimmygan.com:8443
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy 127.0.0.1:8222
}
speed.jimmygan.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
reverse_proxy 127.0.0.1:8080
}