Adds ADR-024 pinning Caddy (xcaddy + caddy-dns/gandi) as boma's reverse proxy, superseding the soft Traefik assumption in the roadmap and ADR-017 prose. Updates CLAUDE.md Further reading table and ROADMAP.md Phase-2 step 5. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
107 lines
5 KiB
Markdown
107 lines
5 KiB
Markdown
# ADR-024 — Reverse proxy: Caddy with ACME DNS-01 (Gandi)
|
|
|
|
## Status
|
|
|
|
Accepted (2026-06-14). Amends the soft Traefik assumption carried by the roadmap
|
|
(Phase-2 step 5) and ADR-017 prose; those are updated to read "Caddy (ADR-024)".
|
|
|
|
## Context
|
|
|
|
boma needs a reverse proxy to front its services with TLS. ADR-002 requires every
|
|
service to sit behind a proxy with authentication before it is reachable; ADR-007/M1
|
|
delivers a `*.boma.<domain>` wildcard cert via ACME DNS-01 against Gandi — the only
|
|
viable cert path for mesh/LAN-only services that cannot satisfy HTTP-01 (no public
|
|
A-record to point at).
|
|
|
|
The roadmap (Phase-2, step 5) and ADR-017 prose assumed **Traefik + Authentik** as the
|
|
auth-and-proxy pair without an ADR ever pinning Traefik. On closer inspection:
|
|
|
|
- Traefik's headline feature is **dynamic Docker-label discovery** — it discovers and
|
|
routes services automatically from container labels without any static config.
|
|
- boma already renders *all* config from Ansible templates and the `group_vars` catalog
|
|
(ADR-004). That makes dynamic label discovery a disadvantage: a service that is not in
|
|
the catalog does not exist (CLAUDE.md), so any route that Traefik auto-discovers
|
|
outside the catalog would be unaudited.
|
|
- The first reverse-proxy instance is needed on `askari` for M4 (NetBird), a host where
|
|
`docker_hosts` patterns are being established under off-site/VPS constraints, not a
|
|
full Proxmox cluster with many services.
|
|
|
|
No production investment in Traefik config has been made; the decision can be made
|
|
cleanly here.
|
|
|
|
## Decision
|
|
|
|
boma's reverse proxy is **Caddy**.
|
|
|
|
### 1. Rationale for Caddy over Traefik
|
|
|
|
1. Traefik's dynamic label discovery is wasted — boma renders config from the catalog;
|
|
Caddy's static Caddyfile maps naturally to "render from templates" (ADR-004).
|
|
2. Caddy's Caddyfile is simple to template with `ansible.builtin.template`; one file,
|
|
one `ansible_managed` header, no side-channel label state.
|
|
3. **Automatic HTTPS** via ACME DNS-01: the `caddy-dns/gandi` plugin satisfies the
|
|
Gandi DNS-01 challenge, which is the only cert path for services with no public
|
|
A-record (ADR-007/M1 wildcard strategy).
|
|
4. Far simpler for a solo operator: no dashboard-as-a-service, no routing-rule DSL,
|
|
no dynamic config files to reconcile.
|
|
5. `forward_auth` to Authentik is a first-class Caddy directive — the planned
|
|
Authentik auth story (ADR-002) is preserved without Traefik as the middleman.
|
|
|
|
### 2. Custom image
|
|
|
|
Caddy's official Docker image does not include third-party DNS plugins. The `caddy-dns/gandi`
|
|
plugin must be compiled in via `xcaddy`. boma builds a custom image:
|
|
|
|
```
|
|
FROM caddy:builder AS builder
|
|
RUN xcaddy build --with github.com/caddy-dns/gandi
|
|
|
|
FROM caddy:latest
|
|
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
|
|
```
|
|
|
|
This image is maintained as a boma artifact (Forgejo registry, pinned digest in the
|
|
Compose template). It is the cost of the Gandi DNS-01 path — unavoidable regardless of
|
|
proxy choice.
|
|
|
|
### 3. Deployment scope
|
|
|
|
The first Caddy instance fronts the NetBird stack on `askari` (M4). The pattern
|
|
generalises to the Proxmox cluster in Phase 2 when services multiply.
|
|
|
|
### 4. Authentik integration (deferred)
|
|
|
|
`forward_auth` to Authentik is deferred to Phase 2 (when Authentik is deployed on the
|
|
cluster). The Caddyfile template will carry a placeholder comment. No Traefik-Authentik
|
|
middleware migration is required.
|
|
|
|
## Consequences
|
|
|
|
- **Roadmap Phase-2 step 5** is updated from "Authentik + Traefik" to "Authentik +
|
|
Caddy (ADR-024)".
|
|
- **ADR-017 prose** that mentioned Traefik is updated to read "Caddy (ADR-024)".
|
|
- A custom Caddy image (`xcaddy` + `caddy-dns/gandi`) must be built, pushed to the
|
|
Forgejo registry, and kept current (plugin + base image updates).
|
|
- Caddyfile config is rendered by Ansible from `group_vars` — consistent with ADR-004
|
|
and easier to review than distributed container labels.
|
|
- `forward_auth` to Authentik is available when Authentik is deployed; no extra
|
|
middleware layer required.
|
|
- The `proxy` concern tag (already in `tests/tags.yml`) covers Caddy config tasks.
|
|
|
|
## What was ruled out
|
|
|
|
- **Traefik** — dynamic label discovery is a mismatch for boma's catalog-rendered
|
|
config model (ADR-004); more complex for a solo operator; no prior investment to
|
|
protect.
|
|
- **nginx / HAProxy** — no built-in ACME; require a separate ACME client (certbot,
|
|
acme.sh) adding operational surface; Caddy's integrated ACME is simpler.
|
|
- **NetBird's bundled TLS** — NetBird's management UI can serve its own TLS, but that
|
|
doesn't generalise; a real proxy separates concerns and applies to every service.
|
|
|
|
## Related
|
|
|
|
- ADR-002 — services behind a proxy with authentication (the requirement this satisfies).
|
|
- ADR-004 — Docker & Compose model (template-rendered config, catalog-driven).
|
|
- ADR-007 / M1 — Gandi DNS-01 ACME path (the TLS strategy Caddy implements).
|
|
- ADR-016 — NetBird (M4 is the first deployment of this proxy).
|
|
- ADR-017 — service-UI verification; forward_auth to Authentik is the future auth story.
|