  1. # --- Global Options ---
  2. {
  3. # ACME DNS Challenge using Cloudflare. Token MUST be provided via ENV var.
  4. acme_dns cloudflare {$CADDY_CLOUDFLARE_API_TOKEN}
  5.  
  6. # Default directive order
  7. order handle_errors last
  8. }
  9.  
  10. # --- Reusable Snippets ---
  11. (log_common) {
  12. log {
  13. output file /logs/caddy_access.log {
  14. roll_size 20mb
  15. roll_keep 5
  16. }
  17. }
  18. }
  19. (security_headers) {
  20. header {
  21. # X-Frame-Options DENY
  22. X-Content-Type-Options nosniff
  23. -Server
  24. }
  25. }
(encoding) {
# Response compression for every site; tiny bodies (< 128 bytes) are left alone.
# NOTE(review): compression of responses that mix a secret (CSRF token, cookie
# value) with attacker-controlled reflected input is the BREACH precondition —
# acceptable for a private dashboard setup, but worth knowing before exposing
# an app that reflects query parameters.
encode gzip zstd {
minimum_length 128
}
}
  31. (proxy_headers) {
  32. # Common headers sent to backend for proxy awareness
  33. header_up Host {http.request.host}
  34. header_up X-Real-IP {http.request.remote.host}
  35. header_up X-Forwarded-For {http.request.remote.host}
  36. header_up X-Forwarded-Port {http.request.port}
  37. header_up X-Forwarded-Proto {http.request.scheme}
  38. }
  39.  
  40. # --- Localhost Test Site ---
  41. # Useful for checking if Caddy itself is running correctly on its host/container.
  42. localhost {
  43. import log_common
  44. import encoding
  45. respond "Hello, world from Caddy!"
  46. }
  47.  
  48. # --- Main Wildcard Site Block ---
  49. # Handles all *.{$DOMAIN_NETWORK} requests with a single wildcard certificate.
  50. *.{$DOMAIN_NETWORK} {
  51. # Apply logging and encoding to ALL requests entering this block
  52. import log_common
  53. import encoding
  54.  
  55. # --- Define Host Matchers ---
  56. @dozzle host dozzle.{$DOMAIN_NETWORK}
  57. @glance host glance.{$DOMAIN_NETWORK}
  58. @pve host pve.{$DOMAIN_NETWORK}
  59. @pbs host pbs.{$DOMAIN_NETWORK}
  60. @nas host nas.{$DOMAIN_NETWORK}
  61. @radarr host radarr.{$DOMAIN_NETWORK}
  62. @sonarr host sonarr.{$DOMAIN_NETWORK}
  63. @sync host sync.{$DOMAIN_NETWORK}
  64. @home host home.{$DOMAIN_NETWORK}
  65. @homepage host homepage.{$DOMAIN_NETWORK}
  66. @grafana host grafana.{$DOMAIN_NETWORK}
  67. @influxdb host influxdb.{$DOMAIN_NETWORK}
  68. @prometheus host prometheus.{$DOMAIN_NETWORK}
  69. @overseerr host overseerr.{$DOMAIN_NETWORK}
  70. @plex host plex.{$DOMAIN_NETWORK}
  71. @kavita host kavita.{$DOMAIN_NETWORK}
  72. @abs host abs.{$DOMAIN_NETWORK}
  73. @paperless host paperless.{$DOMAIN_NETWORK}
  74. @teslamate host teslamate.{$DOMAIN_NETWORK}
  75. @irc host irc.{$DOMAIN_NETWORK}
  76. @tesla host tesla.{$DOMAIN_NETWORK} # TODO: Uses hardcoded IP below. SOrt it out later.
  77. @hoarder host hoarder.{$DOMAIN_NETWORK}
  78. @etv host etv.{$DOMAIN_NETWORK}
  79.  
  80. # --- Handle Requests - Grouped by Target Host IP Variable ---
  81.  
  82. # --- Services on Localhost / Caddy Host ---
  83. handle @dozzle {
  84. import security_headers
  85.  
  86. reverse_proxy {$LOCAL_IP}:{$PORT_DOZZLE}
  87. }
  88.  
  89. handle @pve {
  90. import security_headers # Apply standard security headers
  91.  
  92. # Reverse proxy to the Proxmox VE cluster nodes.
  93. reverse_proxy https://{$IP_PVE_1}:8006 https://{$IP_PVE_2}:8006 https://{$IP_PVE_3}:8006 https://{$IP_PVE_4}:8006 https://{$IP_PVE_5}:8006 {
  94. # Load Balancing Policy
  95. lb_policy first
  96.  
  97.  
  98. # Transport Layer Security (for actual proxy requests)
  99. transport http {
  100. tls_insecure_skip_verify
  101. }
  102.  
  103. # Standard Proxy Headers
  104. import proxy_headers
  105. }
  106. }
  107. # --- Services on Proxmox Backup Server ({$IP_PBS}) ---
  108. handle @pbs {
  109. import security_headers
  110. reverse_proxy https://{$IP_PBS}:8007 {
  111. transport http {
  112. tls_insecure_skip_verify
  113. }
  114. import proxy_headers
  115. }
  116. }
  117.  
  118. # --- Services on Home Assistant ({$IP_HASS}) ---
  119. handle @home {
  120. import security_headers
  121. reverse_proxy http://{$IP_HASS}:8123 {
  122. # transport http { versions h2c 2 } # TODO: needs more testing. Optional http/2
  123. # Required headers for HA Websockets
  124. header_up Connection {header.Connection}
  125. header_up Upgrade {header.Upgrade}
  126. }
  127. }
  128.  
  129. # --- Services on Synology ({$IP_SYNOLOGY}) ---
  130. handle @nas {
  131. import security_headers
  132. reverse_proxy https://{$IP_SYNOLOGY}:5001 {
  133. transport http {
  134. tls_insecure_skip_verify
  135. }
  136. header_up Host {upstream_hostport} #Required?
  137. header_up X-Real-IP {http.request.remote.host}
  138. header_up X-Forwarded-For {http.request.remote.host}
  139. header_up X-Forwarded-Proto {http.request.scheme}
  140. }
  141. }
  142. handle @radarr {
  143. import security_headers
  144. reverse_proxy {$IP_SYNOLOGY}:7878
  145. }
  146. handle @sonarr {
  147. import security_headers
  148. reverse_proxy {$IP_SYNOLOGY}:8989 {
  149. # Sonarr specific headers if needed (e.g., for base path)
  150. header_up X-Real-IP {http.request.remote.host}
  151. header_up X-Forwarded-For {http.request.remote.host}
  152. header_up X-Forwarded-Proto {http.request.scheme}
  153. }
  154. }
  155. handle @sync {
  156. import security_headers
  157. reverse_proxy {$IP_SYNOLOGY}:8384
  158. }
  159.  
  160. # --- Services on 'Moriarty' ({$IP_MORIARTY}) ---
  161. handle @glance {
  162. import security_headers
  163. reverse_proxy {$IP_MORIARTY}:8254
  164. }
  165. handle @homepage {
  166. import security_headers
  167. reverse_proxy {$IP_MORIARTY}:3003
  168. }
  169. handle @kavita {
  170. import security_headers
  171. reverse_proxy {$IP_MORIARTY}:5454
  172. }
  173. handle @abs {
  174. # Audiobookshelf
  175. import security_headers
  176. reverse_proxy {$IP_MORIARTY}:13378
  177. }
  178. handle @paperless {
  179. import security_headers
  180. reverse_proxy {$IP_MORIARTY}:8000
  181. }
  182. handle @teslamate {
  183. import security_headers
  184. reverse_proxy {$IP_MORIARTY}:4000
  185. }
  186. handle @irc {
  187. # Assuming Web IRC client
  188. import security_headers
  189. reverse_proxy {$IP_MORIARTY}:9909
  190. }
  191. handle @hoarder {
  192. import security_headers
  193. reverse_proxy {$IP_MORIARTY}:3693
  194. }
  195.  
  196. # --- Services on 'Curie' ({$IP_CURIE}) ---
  197. handle @grafana {
  198. import security_headers
  199. reverse_proxy {$IP_CURIE}:3010 {
  200. # NOTE: Do i need to keep for this setup?
  201. header_up X-WEBAUTH-USER admin
  202. }
  203. }
  204. handle @influxdb {
  205. import security_headers
  206. # NOTE: Ensure InfluxDB has authentication enabled!
  207. reverse_proxy {$IP_CURIE}:8086
  208. }
  209. handle @prometheus {
  210. import security_headers
  211. reverse_proxy {$IP_CURIE}:9090
  212. }
  213.  
  214. # --- Services on 'ThreeDog' ({$IP_THREEDOG}) ---
  215. handle @overseerr {
  216. import security_headers
  217. reverse_proxy {$IP_THREEDOG}:5055 {
  218. import proxy_headers
  219. }
  220. }
  221. handle @plex {
  222. # NOTE: No 'import security_headers'
  223. reverse_proxy {$IP_THREEDOG}:32400
  224. }
  225. handle @etv {
  226. # ErsatzTV
  227. import security_headers
  228. reverse_proxy {$IP_THREEDOG}:8409
  229. }
  230.  
  231. # --- Services on Other Hosts (Hardcoded IP) ---
  232. handle @tesla {
  233. # Powerwall Tests
  234. import security_headers
  235. # No ENV var provided for this one, using hardcoded IP
  236. reverse_proxy 10.10.40.220:9000
  237. }
  238.  
  239. # --- Fallback for Unmatched Subdomains ---
  240. # Catches any *.{$DOMAIN_NETWORK} request not matching above handles.
  241. # Inherits log/encoding from the top level of the site block.
  242. handle {
  243. respond "Service not configured or subdomain not found for {http.request.host}" 404
  244. }
  245. }
  246.  