Wires Caddy as the ACME client side of our new self-hosted DNS-01 flow. Proves the design end-to-end: caddy-dns/rfc2136 -> our CoreDNS rfc2136 plugin -> zone file write -> git auto-commit -> HE AXFR -> LE validates -> cert issued.

Changes:

- caddy/Dockerfile: --with github.com/caddy-dns/rfc2136 added alongside the existing caddy-dns/vultr.
- caddy/Caddyfile: new test-rfc2136.supported.systems site that uses the new provider. server coredns:53 (docker internal), key from env, propagation_delay 60s + timeout 600s to accommodate HE pull.
- docker-compose.yml: ACME_TSIG_SECRET passed to the caddy container (the same secret CoreDNS verifies on the other side of the loop).

First cert issued in production: 2026-05-21 ~13:23 UTC. ~5.5 min end-to-end from Caddy starting to cert in hand. Documented in session notes; the cert sits unused in caddy-data/ until/unless something publishes ports 80/443 for that hostname.
16 lines
651 B
Docker
```dockerfile
# Custom Caddy build that bundles the Vultr DNS provider plugin.
# Stock caddy:2 doesn't include DNS-provider modules — they're plugins.
# xcaddy compiles them in at build time.
FROM caddy:2.10.0-builder AS builder

# The Caddy builder image bakes in Go 1.23, but caddy-dns/vultr now
# requires Go >= 1.24. GOTOOLCHAIN=auto lets `go get` fetch a newer
# toolchain on demand so we don't have to bump base images every time
# a plugin's minimum Go version moves.
ENV GOTOOLCHAIN=auto
RUN xcaddy build \
    --with github.com/caddy-dns/vultr \
    --with github.com/caddy-dns/rfc2136

FROM caddy:2.10.0
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
```
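Review bot: the header comment still says the build "bundles the Vultr DNS provider plugin", but the `RUN xcaddy build` step now also pulls in `github.com/caddy-dns/rfc2136`; update the comment (and the `GOTOOLCHAIN` note, which only mentions caddy-dns/vultr) so both plugins and the reason for the second one (the self-hosted RFC 2136 DNS-01 path) are documented in the file itself. On the supply-chain side, neither `--with` line pins a version, so every rebuild fetches whatever the latest tag of each plugin is, and `ENV GOTOOLCHAIN=auto` lets the build download whatever newer Go toolchain a plugin's go.mod asks for, which means the toolchain is no longer fixed by the pinned `caddy:2.10.0-builder` base. Consider pinning both: `--with github.com/caddy-dns/rfc2136@<tag>` (and the same for vultr) and an explicit toolchain name in `GOTOOLCHAIN` instead of `auto`, so the image that ends up terminating TLS and holding the TSIG secret is built from reviewed, reproducible inputs.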