feat: Improve Caddy config, use single cert
The previous config would end up requesting a TLS certificate for each
individual subdomain and not use the wildcard certificate. This change
modifies the labels used on the containers to create host matchers and
handlers to do the routing under a single wildcard Caddyfile site. This
is a little trickier and more verbose while defining the labels, but ends
up with a much cleaner Caddyfile[1][2] and only requires a single certificate.

Hopefully this will all be moot once the auto_https prefer_wildcard
option is released in `2.9.x`.

1. https://caddyserver.com/docs/caddyfile/patterns#wildcard-certificates
2. https://caddy.community/t/docker-proxy-wildcard-subdomains/22170
3. caddyserver/caddy#6146
richid committed Nov 7, 2024
1 parent 92e19d0 commit 8596004
Showing 15 changed files with 73 additions and 54 deletions.
8 changes: 5 additions & 3 deletions nix/services/audiobookshelf.nix
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,11 @@ in
extraOptions = [
"--network=services"
"--ip=${vars.services.audiobookshelf.ip}"
"--label=caddy=books.fatsch.us"
"--label=caddy.reverse_proxy={{upstreams}}"
"--label=caddy.import=cors"
"--label=caddy=*.fatsch.us"
"--label=caddy.@books=host books.fatsch.us"
"--label=caddy.handle=@books"
"--label=caddy.handle.reverse_proxy={{upstreams}}"
"--label=caddy.handle.import=cors"
"--label=diun.include_tags=^\\d+\\.\\d+\\.\\d+$"
];
};
Expand Down
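Review bot: Every container now attaches its route to the shared `*.fatsch.us` site through a `handle @books`-style block, so a request for a name under `*.fatsch.us` that no container routes reaches a site with no matching `handle`, and Caddy answers that with an empty 200 rather than refusing it. Unless the Caddy container (outside this diff) already defines a fallback, consider a catch-all on that site such as `handle { abort }` or `handle { respond 404 }` so probing hostnames under the wildcard yields nothing. The matcher/handle label set in this hunk otherwise follows the pattern from the linked community thread.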
11 changes: 6 additions & 5 deletions nix/services/gotify.nix
Original file line number Diff line number Diff line change
Expand Up @@ -17,11 +17,12 @@ in
extraOptions = [
"--network=services"
"--ip=${vars.services.gotify.ip}"
"--label=caddy=gotify.schu"
"--label=caddy.reverse_proxy={{upstreams}}"
"--label=caddy.reverse_proxy.header_up=-Origin"
"--label=caddy.import=cors"
"--label=caddy.tls=internal"
"--label=caddy=*.fatsch.us"
"--label=caddy.@gotify=host gotify.fatsch.us"
"--label=caddy.handle=@gotify"
"--label=caddy.handle.reverse_proxy={{upstreams}}"
"--label=caddy.handle.reverse_proxy.header_up=-Origin"
"--label=caddy.handle.import=cors"
];
};
};
Expand Down
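Review bot: The `tls internal` line removed here (and from every other container in this commit) means the `*.fatsch.us` site's certificate now depends entirely on ACME wildcard issuance, which needs a DNS-challenge provider and its credentials configured somewhere not in this diff; if that is missing or the DNS token lapses, every service loses HTTPS at once instead of one. A short comment at the `caddy=*.fatsch.us` label, e.g. `# TLS for *.fatsch.us is obtained via the DNS challenge configured on the Caddy container`, would make that dependency visible to the next reader. The wildcard also puts all of these hosts behind a single private key, which is the trade-off the commit accepts for the cleaner Caddyfile; the `header_up -Origin` strip is carried over unchanged.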
8 changes: 5 additions & 3 deletions nix/services/grafana.nix
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,11 @@ in
extraOptions = [
"--network=services"
"--ip=${vars.services.grafana.ip}"
"--label=caddy=grafana.schu"
"--label=caddy.reverse_proxy={{upstreams 3000}}"
"--label=caddy.tls=internal"
"--label=caddy=*.fatsch.us"
"--label=caddy.@grafana=host grafana.fatsch.us"
"--label=caddy.handle=@grafana"
"--label=caddy.handle.reverse_proxy={{upstreams 3000}}"
"--label=caddy.handle.import=cors"
];
};

Expand Down
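Review bot: `caddy.handle.import=cors` on the new side has no counterpart in the removed lines, so this hunk also starts applying the `cors` snippet to Grafana, a behavior change the commit message (routing and certificate consolidation) does not mention. The snippet's contents are not in this diff; if it sets a permissive `Access-Control-Allow-Origin`, it now applies to Grafana's session-authenticated API. Confirm this is intended, or drop the line to keep the hunk a pure routing change.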
7 changes: 4 additions & 3 deletions nix/services/homer.nix
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,10 @@ in
extraOptions = [
"--network=services"
"--ip=${vars.services.homer.ip}"
"--label=caddy=home.schu"
"--label=caddy.reverse_proxy={{upstreams}}"
"--label=caddy.tls=internal"
"--label=caddy=*.fatsch.us"
"--label=caddy.@home=host home.fatsch.us"
"--label=caddy.handle=@home"
"--label=caddy.handle.reverse_proxy={{upstreams}}"
"--label=diun.include_tags=^v\\d+\\.\\d+\\.\\d+$"
];
};
Expand Down
8 changes: 5 additions & 3 deletions nix/services/influxdb.nix
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,11 @@ in
extraOptions = [
"--network=services"
"--ip=${vars.services.influxdb.ip}"
"--label=caddy=influx.schu"
"--label=caddy.reverse_proxy={{upstreams 8086}}"
"--label=caddy.tls=internal"
"--label=caddy=*.fatsch.us"
"--label=caddy.@influx=host influx.fatsch.us"
"--label=caddy.handle=@influx"
"--label=caddy.handle.reverse_proxy={{upstreams 8086}}"
"--label=caddy.handle.import=cors"
];
};
};
Expand Down
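Review bot: As in grafana.nix, `caddy.handle.import=cors` is newly added here with no removed counterpart, so InfluxDB's HTTP API gains whatever the `cors` snippet sets, beyond the routing change described in the commit. Confirm the snippet's allowed origins are appropriate for a token-authenticated API, or remove the line so this hunk only changes routing.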
10 changes: 6 additions & 4 deletions nix/services/jellyfin.nix
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,12 @@ in
"--device=/dev/dri:/dev/dri"
"--network=services"
"--ip=${vars.services.jellyfin.ip}"
"--label=caddy=watch.schu jellyfin.schu"
"--label=caddy.reverse_proxy={{upstreams}}"
"--label=caddy.tls=internal"
"--label=caddy.import=cors"
"--label=caddy=*.fatsch.us"
"--label=caddy.@jellyfin=host jellyfin.fatsch.us watch.fatsch.us"
"--label=caddy.handle=@jellyfin"
"--label=caddy.handle.reverse_proxy={{upstreams}}"
"--label=caddy.handle.import=cors"
"--label=diun.include_tags=^v\\d+\\.\\d+\\.\\d+-omnibus$"
];
};
};
Expand Down
1 change: 1 addition & 0 deletions nix/services/jellyseerr.nix
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ in
};

systemd.services.docker-jellyseerr = {
enable = false;
unitConfig = {
RequiresMountsFor = appPath;
};
Expand Down
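Review bot: `enable = false;` on `systemd.services.docker-jellyseerr` is unrelated to the Caddy label rework this commit describes and effectively disables the container's unit (NixOS links a disabled unit to /dev/null); if intentional, it deserves a comment such as `# Temporarily disabled; see <reason>` or its own commit. The container's `caddy` labels for this service are not in the hunk, so it is unclear from here whether they were migrated to the `*.fatsch.us` matcher pattern for when the unit is re-enabled.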
9 changes: 5 additions & 4 deletions nix/services/prowlarr.nix
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,11 @@ in
extraOptions = [
"--network=services"
"--ip=${vars.services.prowlarr.ip}"
"--label=caddy=prowlarr.schu"
"--label=caddy.reverse_proxy={{upstreams}}"
"--label=caddy.tls=internal"
"--label=caddy.import=cors"
"--label=caddy=*.fatsch.us"
"--label=caddy.@prowlarr=host prowlarr.fatsch.us"
"--label=caddy.handle=@prowlarr"
"--label=caddy.handle.reverse_proxy={{upstreams}}"
"--label=caddy.handle.import=cors"
"--label=diun.include_tags=^\\d+\\.\\d+\\.\\d+$"
];
};
Expand Down
10 changes: 5 additions & 5 deletions nix/services/radarr.nix
Original file line number Diff line number Diff line change
Expand Up @@ -19,11 +19,11 @@ in
extraOptions = [
"--network=services"
"--ip=${vars.services.radarr.ip}"
"--label=caddy=radarr.schu"
"--label=caddy.reverse_proxy={{upstreams}}"
"--label=caddy.tls=internal"
"--label=caddy.import=cors"
#"--label=diun.include_tags=^\d+\.\d+\.\d+$"
"--label=caddy=*.fatsch.us"
"--label=caddy.@radarr=host radarr.fatsch.us"
"--label=caddy.handle=@radarr"
"--label=caddy.handle.reverse_proxy={{upstreams}}"
"--label=caddy.handle.import=cors"
];
};
};
Expand Down
9 changes: 5 additions & 4 deletions nix/services/scrutiny.nix
Original file line number Diff line number Diff line change
Expand Up @@ -34,10 +34,11 @@ in
"--device=/dev/sdo"
"--network=services"
"--ip=${vars.services.scrutiny.ip}"
"--label=caddy=disks.schu"
"--label=caddy.reverse_proxy={{upstreams 8080}}"
"--label=caddy.tls=internal"
"--label=caddy.import=cors"
"--label=caddy=*.fatsch.us"
"--label=caddy.@disks=host disks.fatsch.us"
"--label=caddy.handle=@disks"
"--label=caddy.handle.reverse_proxy={{upstreams 8080}}"
"--label=caddy.handle.import=cors"
"--label=diun.include_tags=^v\\d+\\.\\d+\\.\\d+-omnibus$"
];
};
Expand Down
9 changes: 5 additions & 4 deletions nix/services/smokeping.nix
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,11 @@ in
extraOptions = [
"--network=services"
"--ip=${vars.services.smokeping.ip}"
"--label=caddy=smokeping.schu"
"--label=caddy.reverse_proxy={{upstreams}}"
"--label=caddy.tls=internal"
"--label=caddy.import=cors"
"--label=caddy=*.fatsch.us"
"--label=caddy.@smokeping=host smokeping.fatsch.us"
"--label=caddy.handle=@smokeping"
"--label=caddy.handle.reverse_proxy={{upstreams}}"
"--label=caddy.handle.import=cors"
];
};
};
Expand Down
9 changes: 5 additions & 4 deletions nix/services/sonarr.nix
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,11 @@ in
extraOptions = [
"--network=services"
"--ip=${vars.services.sonarr.ip}"
"--label=caddy=sonarr.schu"
"--label=caddy.reverse_proxy={{upstreams}}"
"--label=caddy.tls=internal"
"--label=caddy.import=cors"
"--label=caddy=*.fatsch.us"
"--label=caddy.@sonarr=host sonarr.fatsch.us"
"--label=caddy.handle=@sonarr"
"--label=caddy.handle.reverse_proxy={{upstreams}}"
"--label=caddy.handle.import=cors"
];
};
};
Expand Down
9 changes: 5 additions & 4 deletions nix/services/tandoor.nix
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,11 @@ in
extraOptions = [
"--network=services"
"--ip=${vars.services.tandoor.ip}"
"--label=caddy=recipes.schu tandoor.schu"
"--label=caddy.reverse_proxy={{upstreams 8080}}"
"--label=caddy.tls=internal"
"--label=caddy.import=cors"
"--label=caddy=*.fatsch.us"
"--label=caddy.@recipes=host recipes.fatsch.us"
"--label=caddy.handle=@recipes"
"--label=caddy.handle.reverse_proxy={{upstreams 8080}}"
"--label=caddy.handle.import=cors"
];
};
};
Expand Down
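Review bot: The removed line served both `recipes.schu tandoor.schu`, but the new `@recipes` matcher lists only `recipes.fatsch.us`, dropping the `tandoor` alias, whereas jellyfin.nix keeps both of its names in the same commit. If the alias is still in use, the matcher should read `"--label=caddy.@recipes=host recipes.fatsch.us tandoor.fatsch.us"`; if the drop is intentional, a short comment noting it would avoid the question later.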
9 changes: 5 additions & 4 deletions nix/services/transmission.nix
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,11 @@ in
extraOptions = [
"--network=services"
"--ip=${vars.services.transmission.ip}"
"--label=caddy=transmission.schu"
"--label=caddy.reverse_proxy={{upstreams}}"
"--label=caddy.tls=internal"
"--label=caddy.import=cors"
"--label=caddy=*.fatsch.us"
"--label=caddy.@transmission=host transmission.fatsch.us"
"--label=caddy.handle=@transmission"
"--label=caddy.handle.reverse_proxy={{upstreams}}"
"--label=caddy.handle.import=cors"
];
};
};
Expand Down
10 changes: 6 additions & 4 deletions nix/services/uptime-kuma.nix
Original file line number Diff line number Diff line change
Expand Up @@ -17,10 +17,12 @@ in
extraOptions = [
"--network=services"
"--ip=${vars.services.uptime-kuma.ip}"
"--label=caddy=status.schu"
"--label=caddy.reverse_proxy={{upstreams}}"
"--label=caddy.tls=internal"
"--label=caddy.import=cors"
"--label=caddy=*.fatsch.us"
"--label=caddy.@status=host status.fatsch.us"
"--label=caddy.handle=@status"
"--label=caddy.handle.reverse_proxy={{upstreams}}"
"--label=caddy.handle.import=cors"
"--pull=newer"
];
};
};
Expand Down
