Caddy

Reverse proxy configuration for sepia.

Overview

Caddy serves as the HTTPS ingress point for all web services on sepia. It handles:

- Automatic HTTPS via Let's Encrypt (Route53 DNS challenge)
- Reverse proxying to backend containers
- Basic auth protection for sensitive services

Configuration

Caddy config is in /opt/caddy/:

caddy/
├── Caddyfile          # Main config
├── Dockerfile         # Custom Caddy build
├── conf/              # Imported configs
│   ├── auth.caddy     # Authentication config (OIDC)
│   ├── dynamic_dns.caddy  # Route53 DNS challenge
│   └── geoip2.caddy   # GeoIP
└── sites/             # Per-service routing
    ├── auth.caddy     # Auth endpoints
    └── ha.caddy       # Home Assistant

Key Snippets

Dynamic DNS (Route53)

{$DOMAIN}. {$SUBDOMAIN}
tls {
  # Route53 credentials are read from the container environment, never written into the Caddyfile
  dns route53 {
    access_key_id {env.AWS_ACCESS_KEY_ID}
    secret_access_key {env.AWS_SECRET_ACCESS_KEY}
  }
}

Unprotected Services

(unprotected) {
  {args[0]}.{$SUBDOMAIN}.{$DOMAIN} {
    reverse_proxy {args[1]}
  }
}

Protected Services (basic auth)

(protected) {
  {args[0]}.{$SUBDOMAIN}.{$DOMAIN} {
    basic_auth {
      user $2a$14$...
    }
    reverse_proxy {args[1]}
  }
}

Service Routes

Unprotected:

- ha.uitgeest.veenboer.xyz -> homeassistant:8123
- seafile.uitgeest.veenboer.xyz -> seafile:8082

Protected (basic auth):

- esp.uitgeest.veenboer.xyz -> esphome:6052
- grafana.uitgeest.veenboer.xyz -> grafana:3333
- dsmr.uitgeest.veenboer.xyz -> dsmr:8888
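How the two snippets above turn into the routes in this table, as an added example (not the repository's own sites/*.caddy files): each route is one import line, with the hostname prefix as args[0] and the backend as args[1]. It assumes DOMAIN=veenboer.xyz and SUBDOMAIN=uitgeest are set in the Caddy container's environment and that the (unprotected) and (protected) snippets are defined in the imported conf/ files.

```caddyfile
# Added example wiring (assumes the snippets from conf/ are already imported).
import conf/*.caddy

# Unprotected: the backend is reachable with no auth layer in front of it,
# so only services that carry their own login (Home Assistant, Seafile) belong here.
import unprotected ha homeassistant:8123
import unprotected seafile seafile:8082

# Protected: Caddy checks the bcrypt hash in the (protected) snippet before
# proxying, so a backend with a weak or absent login is still gated at the edge.
import protected esp esphome:6052
import protected grafana grafana:3333
import protected dsmr dsmr:8888
```

Run `caddy validate --config Caddyfile` after editing to confirm the import arguments expand to the expected site blocks before reloading.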