Add Cloudflare DNS support to Caddy configuration

- Updated .env.example to include CF_ZONE_READ and CF_DNS_EDIT variables.
- Enhanced Caddyfile to utilize Cloudflare DNS for TLS.
- Created Dockerfile for building Caddy with Cloudflare DNS support.
- Modified docker-compose.yml to use the new caddy-cloudflare image and set environment variables.

caddy/.env.example

@@ -1,4 +1,8 @@
 
 # create the API token in https://dash.cloudflare.com/profile/api-tokens
-# provide access to ptrwd.com for DNS zone 
+# create auth tokens -
-CLOUDFLARE_TOKEN=
+# `Zone.Zone:Read` for all zones, and 
+# `Zone.DNS:Edit` permissions for ptrwd.com
+# https://github.com/caddy-dns/cloudflare
+CF_ZONE_READ=
+CF_DNS_EDIT=

caddy/Caddyfile

@@ -1,9 +1,155 @@
 {
-    debug
+	# debug
-    email peter@peterwood.dev
+	email peter@peterwood.dev
+}
+
+ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# this is the the wiki 
+	reverse_proxy ts-racknerd.whale-woodpecker.ts.net:8300
+}
+
+wiki.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Route ACME challenges explicitly to be handled internally by Caddy
+	route /.well-known/acme-challenge/* {
+		# No directive needed here; Caddy's internal handler takes precedence.
+		# This prevents the challenge requests from being proxied.
+	}
+
+	# Proxy all other requests to the wiki
+	route {
+		reverse_proxy ts-racknerd.whale-woodpecker.ts.net:8300
+	}
 }
 
 jellyfin.peterwood.rocks {
-    encode gzip
+	tls {
-    reverse_proxy host.docker.internal:8096
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	reverse_proxy host.docker.internal:8096
+}
+
+# Serve a simple text message for home.ptrwd.com
+home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Debugging: Log all requests
+	log {
+		output stdout
+		format console
+	}
+	# Allow connections only from private ranges and home IP using Cf-Connecting-Ip header
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		respond "Welcome home!" 200 {
+			close # Close the connection after responding
+		}
+	}
+	handle {
+		respond "Access denied" 403
+	}
+}
+
+# Reverse proxy for sonarr.home.ptrwd.com
+sonarr.home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Allow connections only from private ranges and home IP
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		reverse_proxy ts-io.whale-woodpecker.ts.net:8989
+	}
+	handle {
+		respond 403
+	}
+}
+
+radarr.home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Allow connections only from private ranges and home IP
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		reverse_proxy ts-io.whale-woodpecker.ts.net:7878
+	}
+	handle {
+		respond 403
+	}
+}
+
+io.docker.home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Allow connections only from private ranges and home IP
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		reverse_proxy ts-io.whale-woodpecker.ts.net:5001
+	}
+	handle {
+		respond 403
+	}
+}
+
+europa.docker.home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Allow connections only from private ranges and home IP
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		reverse_proxy ts-europa.whale-woodpecker.ts.net:5001
+	}
+	handle {
+		respond 403
+	}
+}
+
+racknerd.docker.home.ptrwd.com {
+	tls {
+		dns cloudflare {
+			zone_token {env.CF_ZONE_READ}
+			api_token {env.CF_DNS_EDIT}
+		}
+	}
+	# Allow connections only from private ranges and home IP
+	@allowAccess client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 162.203.102.154/32
+	handle @allowAccess {
+		reverse_proxy ts-racknerd.whale-woodpecker.ts.net:5001
+	}
+	handle {
+		respond 403
+	}
 }

caddy/Dockerfile

@@ -0,0 +1,9 @@
+
+FROM caddy:2.10-builder AS builder
+
+RUN xcaddy build \
+  --with github.com/caddy-dns/cloudflare
+
+FROM caddy:2.10
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy

caddy/docker-compose.yml

@@ -1,7 +1,7 @@
 services:
 
   caddy:
-    image: caddy/caddy:latest
+    image: caddy-cloudflare
     restart: always
     ports:
       - 80:80
@@ -11,6 +11,9 @@ services:
       - ./Caddyfile:/etc/caddy/Caddyfile
       - caddy_data:/data
       - caddy_config:/config
+    environment:
+      CF_ZONE_READ: ${CF_ZONE_READ}
+      CF_DNS_EDIT: ${CF_DNS_EDIT}
     extra_hosts:
       - host.docker.internal:host-gateway
     labels: