Add Cloudflare DNS support to Caddy configuration

- Updated .env.example to include CF_ZONE_READ and CF_DNS_EDIT variables.
- Enhanced Caddyfile to utilize Cloudflare DNS for TLS.
- Created Dockerfile for building Caddy with Cloudflare DNS support.
- Modified docker-compose.yml to use the new caddy-cloudflare image and set environment variables.

caddy/Caddyfile

@@ -1,9 +1,155 @@
 {
-    debug
-    email peter@peterwood.dev
+	# debug
+	email peter@peterwood.dev
+}
+
+ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# this is the the wiki 
+	reverse_proxy ts-racknerd.whale-woodpecker.ts.net:8300
+}
+
+wiki.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Route ACME challenges explicitly to be handled internally by Caddy
+	route /.well-known/acme-challenge/* {
+		# No directive needed here; Caddy's internal handler takes precedence.
+		# This prevents the challenge requests from being proxied.
+	}
+
+	# Proxy all other requests to the wiki
+	route {
+		reverse_proxy ts-racknerd.whale-woodpecker.ts.net:8300
+	}
 }
 
 jellyfin.peterwood.rocks {
-    encode gzip
-    reverse_proxy host.docker.internal:8096
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	reverse_proxy host.docker.internal:8096
+}
+
+# Serve a simple text message for home.ptrwd.com
+home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Debugging: Log all requests
+	log {
+		output stdout
+		format console
+	}
+	# Allow connections only from private ranges and home IP using Cf-Connecting-Ip header
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		respond "Welcome home!" 200 {
+			close # Close the connection after responding
+		}
+	}
+	handle {
+		respond "Access denied" 403
+	}
+}
+
+# Reverse proxy for sonarr.home.ptrwd.com
+sonarr.home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Allow connections only from private ranges and home IP
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		reverse_proxy ts-io.whale-woodpecker.ts.net:8989
+	}
+	handle {
+		respond 403
+	}
+}
+
+radarr.home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Allow connections only from private ranges and home IP
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		reverse_proxy ts-io.whale-woodpecker.ts.net:7878
+	}
+	handle {
+		respond 403
+	}
+}
+
+io.docker.home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Allow connections only from private ranges and home IP
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		reverse_proxy ts-io.whale-woodpecker.ts.net:5001
+	}
+	handle {
+		respond 403
+	}
+}
+
+europa.docker.home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Allow connections only from private ranges and home IP
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		reverse_proxy ts-europa.whale-woodpecker.ts.net:5001
+	}
+	handle {
+		respond 403
+	}
+}
+
+racknerd.docker.home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Allow connections only from private ranges and home IP
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		reverse_proxy ts-racknerd.whale-woodpecker.ts.net:5001
+	}
+	handle {
+		respond 403
+	}
 }