Add Cloudflare DNS support to Caddy configuration

- Updated .env.example to include CF_ZONE_READ and CF_DNS_EDIT variables. - Enhanced Caddyfile to utilize Cloudflare DNS for TLS. - Created Dockerfile for building Caddy with Cloudflare DNS support. - Modified docker-compose.yml to use the new caddy-cloudflare image and set environment variables.
2025-12-05 22:50:17 -08:00 · 2025-04-29 14:34:25 -04:00
parent 5f9bfe5b8c
commit 85979c3701
4 changed files with 169 additions and 7 deletions
--- a/caddy/.env.example
+++ b/caddy/.env.example
@@ -1,4 +1,8 @@

 # create the API token in https://dash.cloudflare.com/profile/api-tokens
-# provide access to ptrwd.com for DNS zone 
-CLOUDFLARE_TOKEN=
+# create auth tokens -
+# `Zone.Zone:Read` for all zones, and 
+# `Zone.DNS:Edit` permissions for ptrwd.com
+# https://github.com/caddy-dns/cloudflare
+CF_ZONE_READ=
+CF_DNS_EDIT=
--- a/caddy/Caddyfile
+++ b/caddy/Caddyfile
@@ -1,9 +1,155 @@
 {
-    debug
-    email peter@peterwood.dev
+	# debug
+	email peter@peterwood.dev
+}
+
+ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# this is the the wiki 
+	reverse_proxy ts-racknerd.whale-woodpecker.ts.net:8300
+}
+
+wiki.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Route ACME challenges explicitly to be handled internally by Caddy
+	route /.well-known/acme-challenge/* {
+		# No directive needed here; Caddy's internal handler takes precedence.
+		# This prevents the challenge requests from being proxied.
+	}
+
+	# Proxy all other requests to the wiki
+	route {
+		reverse_proxy ts-racknerd.whale-woodpecker.ts.net:8300
+	}
 }

 jellyfin.peterwood.rocks {
-    encode gzip
-    reverse_proxy host.docker.internal:8096
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	reverse_proxy host.docker.internal:8096
+}
+
+# Serve a simple text message for home.ptrwd.com
+home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Debugging: Log all requests
+	log {
+		output stdout
+		format console
+	}
+	# Allow connections only from private ranges and home IP using Cf-Connecting-Ip header
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		respond "Welcome home!" 200 {
+			close # Close the connection after responding
+		}
+	}
+	handle {
+		respond "Access denied" 403
+	}
+}
+
+# Reverse proxy for sonarr.home.ptrwd.com
+sonarr.home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Allow connections only from private ranges and home IP
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		reverse_proxy ts-io.whale-woodpecker.ts.net:8989
+	}
+	handle {
+		respond 403
+	}
+}
+
+radarr.home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Allow connections only from private ranges and home IP
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		reverse_proxy ts-io.whale-woodpecker.ts.net:7878
+	}
+	handle {
+		respond 403
+	}
+}
+
+io.docker.home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Allow connections only from private ranges and home IP
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		reverse_proxy ts-io.whale-woodpecker.ts.net:5001
+	}
+	handle {
+		respond 403
+	}
+}
+
+europa.docker.home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Allow connections only from private ranges and home IP
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		reverse_proxy ts-europa.whale-woodpecker.ts.net:5001
+	}
+	handle {
+		respond 403
+	}
+}
+
+racknerd.docker.home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Allow connections only from private ranges and home IP
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		reverse_proxy ts-racknerd.whale-woodpecker.ts.net:5001
+	}
+	handle {
+		respond 403
+	}
 }
--- a/caddy/Dockerfile
+++ b/caddy/Dockerfile
@@ -0,0 +1,9 @@
+
+FROM caddy:2.10-builder AS builder
+
+RUN xcaddy build \
+  --with github.com/caddy-dns/cloudflare
+
+FROM caddy:2.10
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
--- a/caddy/docker-compose.yml
+++ b/caddy/docker-compose.yml
@@ -1,7 +1,7 @@
 services:

  caddy:
-    image: caddy/caddy:latest
+    image: caddy-cloudflare
    restart: always
    ports:
      - 80:80
@@ -11,6 +11,9 @@ services:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
+    environment:
+      CF_ZONE_READ: ${CF_ZONE_READ}
+      CF_DNS_EDIT: ${CF_DNS_EDIT}
    extra_hosts:
      - host.docker.internal:host-gateway
    labels: