From 150340becb27151565a5013819e99f2d986836f1 Mon Sep 17 00:00:00 2001
From: Eduardo Silva
Date: Wed, 11 Mar 2026 15:34:08 -0300
Subject: [PATCH] gatekeeper config examples
---
 .../caddy/config_example/applications.json | 21 ++++
 .../caddy/config_example/auth_policies.json | 99 +++++++++++++++++++
 containers/caddy/config_example/routes.json | 43 ++++++++
 .../config_example/wireguard_webadmin.json | 22 +++++
 4 files changed, 185 insertions(+)
 create mode 100644 containers/caddy/config_example/applications.json
 create mode 100644 containers/caddy/config_example/auth_policies.json
 create mode 100644 containers/caddy/config_example/routes.json
 create mode 100644 containers/caddy/config_example/wireguard_webadmin.json
diff --git a/containers/caddy/config_example/applications.json b/containers/caddy/config_example/applications.json
new file mode 100644
index 0000000..a7a8461
--- /dev/null
+++ b/containers/caddy/config_example/applications.json
@@ -0,0 +1,21 @@
+{
+ "entries": [
+ {
+ "id": "grafana",
+ "name": "Grafana",
+ "hosts": [
+ "grafana.example.com"
+ ],
+ "upstream": "grafana:3000"
+ },
+ {
+ "id": "routerfleet",
+ "name": "RouterFleet",
+ "hosts": [
+ "routerfleet.example.com",
+ "rf.example.com"
+ ],
+ "upstream": "routerfleet:8080"
+ }
+ ]
+}
diff --git a/containers/caddy/config_example/auth_policies.json b/containers/caddy/config_example/auth_policies.json
new file mode 100644
index 0000000..93b79ac
--- /dev/null
+++ b/containers/caddy/config_example/auth_policies.json
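Review bot: `"upstream": "grafana:3000"` and `"upstream": "routerfleet:8080"` are bare host:port targets, so the gatekeeper-to-upstream hop is plain HTTP and nothing in this file shows how the upstream tells proxied traffic apart from direct traffic. The policies in the sibling files only hold if those ports are unreachable except from the gatekeeper (no published port, same private network) and the upstream trusts identity headers only from it; that is presumably handled elsewhere, but the example does not say so. I would add a README line next to these examples stating that upstreams must not be exposed outside the gatekeeper network and, if the gatekeeper forwards user identity, which header carries it.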
@@ -0,0 +1,99 @@
+{
+ "auth_methods": {
+ "password_local": {
+ "type": "local_password"
+ },
+ "totp_default": {
+ "type": "totp"
+ },
+ "google_workspace_admins": {
+ "type": "oidc",
+ "provider": "google",
+ "client_id": "GOOGLE_CLIENT_ID",
+ "client_secret": "GOOGLE_CLIENT_SECRET",
+ "allowed_domains": [
+ "example.com"
+ ],
+ "allowed_emails": [
+ "eduardo@example.com",
+ "alice@example.com"
+ ]
+ }
+ },
+ "groups": {
+ "admins": {
+ "users": [
+ "eduardo",
+ "alice"
+ ]
+ },
+ "ops": {
+ "users": [
+ "bob",
+ "charlie"
+ ]
+ },
+ "staff": {
+ "users": [
+ "david"
+ ]
+ }
+ },
+ "users": {
+ "eduardo": {
+ "email": "eduardo@example.com",
+ "password_hash": "$argon2id$hash"
+ },
+ "alice": {
+ "email": "alice@example.com",
+ "password_hash": "$argon2id$hash"
+ },
+ "bob": {
+ "email": "bob@example.com",
+ "password_hash": "$argon2id$hash"
+ }
+ },
+ "policies": {
+ "public": {
+ "policy_type": "bypass"
+ },
+ "api_users": {
+ "policy_type": "one_factor",
+ "groups": [
+ "staff"
+ ],
+ "methods": [
+ "password_local"
+ ]
+ },
+ "ops_access": {
+ "policy_type": "one_factor",
+ "groups": [
+ "ops"
+ ],
+ "methods": [
+ "password_local"
+ ]
+ },
+ "admin_access": {
+ "policy_type": "two_factor",
+ "groups": [
+ "admins"
+ ],
+ "methods": [
+ "password_local",
+ "totp_default"
+ ]
+ },
+ "google_admin_access": {
+ "policy_type": "two_factor",
+ "groups": [
+ "admins"
+ ],
+ "methods": [
+ "google_workspace_admins",
+ "totp_default"
+ ]
+ }
+ }
+}
diff --git a/containers/caddy/config_example/routes.json b/containers/caddy/config_example/routes.json
new file mode 100644
index 0000000..02807ee
--- /dev/null
+++ b/containers/caddy/config_example/routes.json
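Review bot: The `"ops"` group lists `"charlie"` and `"staff"` lists `"david"`, but `users` defines only `eduardo`, `alice` and `bob`, so the `ops_access` and `api_users` policies reference members with no `password_hash` who can never satisfy `password_local`; the example should either add `users` entries for them with the same `email`/`password_hash` shape as `bob` or drop them from the groups, and the loader should reject unknown group members rather than silently ignore them. `"client_secret": "GOOGLE_CLIENT_SECRET"` is an acceptable placeholder, but since strict JSON has no comment syntax the README should state that the real secret must come from an environment variable or secret file and never be written into this file. The file also does not say how `allowed_domains` and `allowed_emails` combine (any `example.com` account versus only the two listed addresses) or whether `methods` under a `two_factor` policy means every listed factor is required; both change who gets admin access and deserve one sentence of documentation each.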
@@ -0,0 +1,43 @@
+{
+ "entries": {
+ "wireguard_webadmin": {
+ "default_policy": "admin_access",
+ "routes": [
+ {
+ "id": "public_area",
+ "path_prefix": "/public",
+ "policy": "public"
+ },
+ {
+ "id": "admin_area",
+ "path_prefix": "/admin",
+ "policy": "admin_access"
+ },
+ {
+ "id": "api_area",
+ "path_prefix": "/api",
+ "policy": "api_users"
+ }
+ ]
+ },
+ "grafana": {
+ "default_policy": "ops_access",
+ "routes": []
+ },
+ "routerfleet": {
+ "default_policy": "admin_access",
+ "routes": [
+ {
+ "id": "public_api",
+ "path_prefix": "/api/public",
+ "policy": "public"
+ },
+ {
+ "id": "admin_area",
+ "path_prefix": "/admin",
+ "policy": "admin_access"
+ }
+ ]
+ }
+ }
+}
diff --git a/containers/caddy/config_example/wireguard_webadmin.json b/containers/caddy/config_example/wireguard_webadmin.json
new file mode 100644
index 0000000..db220d4
--- /dev/null
+++ b/containers/caddy/config_example/wireguard_webadmin.json
@@ -0,0 +1,22 @@
+{
+ "entries": [
+ {
+ "id": "wireguard_webadmin",
+ "name": "WireGuard WebAdmin",
+ "hosts": [
+ "wireguard-webadmin-dev.local",
+ "wireguard-webadmin-dev2.local",
+ "wireguard-webadmin-dev3.local"
+ ],
+ "upstream": "wireguard-webadmin:8000",
+ "static_routes": [
+ {
+ "path_prefix": "/static",
+ "root": "/static",
+ "strip_prefix": "/static",
+ "cache_control": "public, max-age=3600"
+ }
+ ]
+ }
+ ]
+}
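Review bot: The bypass routes `"path_prefix": "/public"` (wireguard_webadmin) and `"path_prefix": "/api/public"` (routerfleet) sit under a default of `admin_access`, and the file does not say whether `path_prefix` is matched against the normalized or the raw request path, whether it stops at a segment boundary, or which route wins when prefixes overlap. If matching is a plain string prefix, `/publicfoo` is anonymous and `/public/../admin` or `//admin` may reach the upstream under a different policy than the upstream itself applies. Have the loader canonicalize the path (dot-segments, repeated slashes, percent-decoding) before matching and prefer the most specific prefix, and add a test that runs `/publicx`, `/public/../admin` and `/PUBLIC` against this example. The `admin_area` entries restating `admin_access` duplicate the default and could be dropped so the bypass exceptions stand out.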
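Review bot: The `static_routes` entry serves `"root": "/static"` from the gatekeeper's own filesystem, and neither this file nor routes.json attaches a policy to it, so presumably it is served without authentication; that is fine for public assets, but the mounted directory must hold nothing else and should be mounted read-only, and `"cache_control": "public, max-age=3600"` means it must never carry per-user content. The three `.local` hostnames are development names that cannot obtain a public certificate, so the example should state whether it expects Caddy's internal TLS or plain HTTP in development, with a production entry looking like the `example.com` hosts in applications.json.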