Compiles caddy-dns/gandi v1.1.0 into Caddy v2.11.4 via xcaddy so mesh/LAN-only
hosts (no public A-record) can issue certs via ACME DNS-01. Pinned per ADR-011/014.
The M4a attempt failed for two reasons, both addressed here:
- built on a Hetzner IP -> Google's Go module proxy 403s those ranges. The
Makefile target is documented to build on ubongo, then push to Forgejo.
- older libdns/gandi sent Gandi's deprecated Apikey header. v1.1.0 sends the
PAT as Authorization: Bearer to api.gandi.net/v5/livedns.
make caddy-image / caddy-image-push mirror the molecule-image targets.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
22 lines
1.2 KiB
Docker
# syntax=docker/dockerfile:1
# Custom Caddy image: vanilla Caddy + the Gandi DNS-01 plugin (ADR-024).
#
# WHY: mesh/LAN-only services have no public A-record, so they cannot satisfy ACME
# HTTP-01; they need DNS-01 against Gandi (the M1 *.<domain> wildcard strategy).
# Caddy's official image ships no third-party DNS plugins, so we compile one in.
#
# WHERE to build: on ubongo (the control node) — NOT on askari/Hetzner. Google's Go
# module proxy 403s Hetzner IP ranges, which broke the original on-host build (M4a).
# Build here, push the pinned tag/digest to the Forgejo registry, pull on askari.
#
# Versions pinned (ADR-011/ADR-014). caddy-dns/gandi v1.1.0 -> libdns/gandi v1.1.0,
# which authenticates with a Gandi Personal Access Token via "Authorization: Bearer"
# against https://api.gandi.net/v5/livedns (the legacy Apikey scheme is gone — using
# a PAT in the old Apikey slot 403s, which is what sank the M4a attempt).
# verified: caddy-dns/gandi v1.1.0 sends the PAT as Bearer · WebFetch libdns/gandi
# client.go @master (go.mod requires v1.1.0) · 2026-06-15
FROM caddy:2.11.4-builder AS build
RUN xcaddy build v2.11.4 --with github.com/caddy-dns/gandi@v1.1.0

FROM caddy:2.11.4
COPY --from=build /usr/bin/caddy /usr/bin/caddy
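Review bot: the two base images (`FROM caddy:2.11.4-builder AS build` and `FROM caddy:2.11.4`) are pinned by tag only, while the header comment and ADR-011/ADR-014 call for a pinned tag/digest; tags are mutable, so a re-tagged upstream image would silently change what gets compiled in and shipped. Suggest appending the image digest once resolved from the registry, e.g. `FROM caddy:2.11.4-builder@sha256:<digest> AS build` and `FROM caddy:2.11.4@sha256:<digest>`, so the artifact pushed to Forgejo is reproducible from this file alone. The same applies to `# syntax=docker/dockerfile:1`, which floats to the latest v1 frontend; either pin it or note in the comment that it is intentionally unpinned. Everything else (xcaddy plugin pinned at `@v1.1.0`, only the built binary copied into the runtime stage) matches the comment block.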