rsp2k/coredns
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
coredns/caddy/Dockerfile
Ryan Malloy c1afe77b27 coredns: production Let's Encrypt cert via Caddy sidecar (DNS-01 + Vultr) 
Replaces the self-signed dev cert flow with a real LE prod cert for
dns.l.supported.systems, issued and auto-renewed by a Caddy sidecar
using DNS-01 challenge against the Vultr API.

Components:
- caddy/Dockerfile builds Caddy 2.10.0 with caddy-dns/vultr plugin
  via xcaddy. GOTOOLCHAIN=auto so xcaddy can fetch newer Go on demand
  when plugin versions advance their minimum Go.
- caddy/Caddyfile uses DNS-01 with explicit public resolvers (1.1.1.1,
  9.9.9.9) for the propagation check. Without that, Docker's embedded
  DNS leaks the container into the host's split-horizon LAN DNS, which
  returns LAN IPs for ns1.vultr.com and the propagation check fails.
- docker-compose: caddy service shares ./caddy-data with coredns via a
  read-only subpath mount that excludes /acme (account private key).
- Healthcheck doubles as a symlinker: maintains stable cert.pem /
  key.pem names at /data/caddy/ and chmods cert files + their dirs to
  be readable by CoreDNS's nonroot user. Flips to "healthy" only once
  the symlinks dereference (i.e. cert exists), gating CoreDNS start
  via depends_on: service_healthy.
- Corefile unchanged — same /etc/coredns/certs/cert.pem path; only the
  bind-mount source switches from ./certs to ./caddy-data/caddy.
- New Makefile target: tls-up orchestrates the bring-up sequence.

Cert is valid until Aug 12 2026. Verified end-to-end:
  dig @127.0.0.1 -p 8853 +tls +tls-hostname=dns.l.supported.systems ...
  dig @127.0.0.1 -p 8443 +https +tls-hostname=dns.l.supported.systems ...
2026-05-14 01:34:57 -06:00

15 lines
609 B
Docker
Raw Blame History

# Custom Caddy build that bundles the Vultr DNS provider plugin.
# Stock caddy:2 doesn't include DNS-provider modules — they're plugins.
# xcaddy compiles them in at build time.
FROM caddy:2.10.0-builder AS builder
# The Caddy builder image bakes in Go 1.23, but caddy-dns/vultr now
# requires Go >= 1.24. GOTOOLCHAIN=auto lets `go get` fetch a newer
# toolchain on demand so we don't have to bump base images every time
# a plugin's minimum Go version moves.
ENV GOTOOLCHAIN=auto
RUN xcaddy build \
--with github.com/caddy-dns/vultr
FROM caddy:2.10.0
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
Reference in New Issue View Git Blame Copy Permalink