# syntax=docker/dockerfile:1
# Custom Caddy image: vanilla Caddy + the Gandi DNS-01 plugin (ADR-024).
#
# WHY: mesh/LAN-only services have no public A-record, so they cannot satisfy ACME
# HTTP-01; they need DNS-01 against Gandi (the M1 *.<domain> wildcard strategy).
# Caddy's official image ships no third-party DNS plugins, so we compile one in.
#
# WHERE to build: on ubongo (the control node) — NOT on askari/Hetzner. Google's Go
# module proxy 403s Hetzner IP ranges, which broke the original on-host build (M4a).
# Build here, push the pinned tag/digest to the Forgejo registry, pull on askari.
#
# Versions pinned (ADR-011/ADR-014). caddy-dns/gandi v1.1.0 -> libdns/gandi v1.1.0,
# which authenticates with a Gandi Personal Access Token via "Authorization: Bearer"
# against https://api.gandi.net/v5/livedns (the legacy Apikey scheme is gone — using
# a PAT in the old Apikey slot 403s, which is what sank the M4a attempt).
#   verified: caddy-dns/gandi v1.1.0 sends the PAT as Bearer · WebFetch libdns/gandi
#   client.go @master (go.mod requires v1.1.0) · 2026-06-15
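# The Caddy version must agree in three places (builder tag, xcaddy target,
# runtime tag) and the plugin version in one; keep each in a single build arg so
# they cannot drift. Defaults are the pinned versions from the header; override
# with --build-arg only when deliberately bumping (ADR-011/ADR-014).
ARG CADDY_VERSION=2.11.4
ARG GANDI_PLUGIN_VERSION=v1.1.0

# NOTE(review): tag-only pin. Tags are mutable; add @sha256:<digest> to both FROM
# lines once the digests are captured so a re-published upstream tag cannot
# change what gets built.
FROM caddy:${CADDY_VERSION}-builder AS build
# Re-declare without a value to bring the pre-FROM defaults into this stage.
ARG CADDY_VERSION
ARG GANDI_PLUGIN_VERSION
# Explicit --output so the artifact path does not depend on the builder image's
# working directory; the runtime stage copies from exactly this path.
RUN xcaddy build "v${CADDY_VERSION}" \
        --output /usr/bin/caddy \
        --with "github.com/caddy-dns/gandi@${GANDI_PLUGIN_VERSION}"
# Fail the build if the DNS-01 provider was not linked in, instead of finding
# out at the first certificate issuance on the host.
RUN /usr/bin/caddy list-modules | grep -q 'dns.providers.gandi'

FROM caddy:${CADDY_VERSION}
ARG CADDY_VERSION
ARG GANDI_PLUGIN_VERSION
# Record what is inside so an inventory of running images shows the plugin and
# Caddy versions without having to exec into the container.
LABEL org.opencontainers.image.description="Caddy v${CADDY_VERSION} with caddy-dns/gandi ${GANDI_PLUGIN_VERSION} (DNS-01)"
# Only the custom binary replaces the stock one; everything else (entrypoint,
# /data, /config, EXPOSE) is inherited from the official runtime image.
COPY --from=build /usr/bin/caddy /usr/bin/caddy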
