complete refactor of caddy · vielle.dev/server-config@d1ae920

+7 -217

caddy/Caddyfile

··· 2 2 debug 3 3 email {$ADMIN_EMAIL:404@vielle.dev} 4 4 on_demand_tls { 5 - ask http://pi:8000/tls-check 6 - } 7 - } 8 - 9 - (error) { 10 - handle_errors { 11 - @custom_err file /{err.status_code}.html 12 - handle @custom_err { 13 - rewrite * {file_match.relative} 14 - file_server 15 - } 16 - } 17 - 18 - handle_errors { 19 - respond "{err.status_code} {err.status_text}" 20 - } 21 - } 22 - 23 - (did-web) { 24 - handle /.well-known/atproto-did { 25 - header Access-Control-Allow-Origin "*" 26 - respond "did:web:{args[0]}" 27 - } 28 - 29 - handle /.well-known/did.json { 30 - header Content-Type "application/json" 31 - header Access-Control-Allow-Origin "*" 32 - respond <<JSON 33 - { 34 - "@context": [ 35 - "https://www.w3.org/ns/did/v1", 36 - "https://w3id.org/security/multikey/v1", 37 - "https://w3id.org/security/suites/secp256k1-2019/v1" 38 - ], 39 - "id": "did:web:{args[0]}", 40 - "alsoKnownAs": [ 41 - "at://{args[1]}" 42 - ], 43 - "verificationMethod": [ 44 - { 45 - "id": "did:web:{args[0]}#atproto", 46 - "type": "Multikey", 47 - "controller": "did:web:{args[0]}", 48 - "publicKeyMultibase": "{args[2]}" 49 - } 50 - ], 51 - "service": [ 52 - { 53 - "id": "#atproto_pds", 54 - "type": "AtprotoPersonalDataServer", 55 - "serviceEndpoint": "https://{args[3]}" 56 - } 57 - ] 58 - } 59 - JSON 200 5 + ask http://{$ADDR_PDS}/tls-check 60 6 } 61 7 } 62 8 63 - (log) { 64 - log {args[0]} { 65 - output stdout 66 - format console 67 - } 68 - } 9 + import ./caddy/snippets.caddy 69 10 70 11 ## main site 71 12 www.{$HOST:vielle.dev} { ··· 88 29 file_server 89 30 } 90 31 91 - ## misc did:web 92 - alt.{$HOST:vielle.dev} { 93 - import did-web "alt.{$HOST:vielle.dev}" "alt.{$HOST:vielle.dev}" "zQ3shpgbkbxvf5UjBwQcnjf68rg2DKTRQSttBEGokZbx2BzxY" "{$PDS_HOST:abnormal.zip}" 94 - } 95 - 96 - ## signal 97 - signal.{$HOST:vielle.dev} { 98 - redir * https://signal.me/#eu/xBqcDqZvKp6yn8gG-_gU1Zlrjgp1SHIJuRtfeMd8gXtWRKVxttZE6Yk8bCfUdDm8 301 99 - } 100 - 101 32 ## send old dong.vielle.dev => dongs.zip 102 33 dong.{$HOST:vielle.dev} { 103 34 redir https://{$DONG_HOST:dongs.zip}{uri} 104 35 } 105 36 106 - ## toy projects 107 - saltire-the-gays.{$HOST:vielle.dev} { 108 - import log saltire 109 - encode 110 - root /srv/saltire 111 - import error 112 - file_server 113 - } 114 - 115 - ## personal projects 116 - dnd.{$HOST:vielle.dev} { 117 - import log dnd 118 - reverse_proxy dnd:4321 119 - } 120 - 121 - webdev-telephone.{$HOST:vielle.dev} { 122 - import log webdev-telephone 123 - encode 124 - root /srv/webdev-telephone.vielle.dev 125 - import error 126 - file_server 127 - } 128 - 129 - mc.{$HOST:vielle.dev} { 130 - import log mc 131 - encode 132 - root /srv/mc.vielle.dev 133 - import error 134 - file_server 135 - } 136 - 137 - apaf.{$HOST:vielle.dev} { 138 - header content-type "text/html" 139 - respond <<HTML 140 - <!DOCTYPE html> 141 - <html> 142 - <head> 143 - <title>APAF</title> 144 - <style> 145 - @import url('https://fonts.googleapis.com/css2?family=EB+Garamond&family=Neuton&display=swap'); 146 - 147 - body { 148 - font-family: "EB Garamond", garamond, serif; 149 - font-size: 40px; 150 - text-align: center; 151 - } 152 - </style> 153 - </head> 154 - <body>ALL PRINTERS ARE FACIST</body> 155 - </html> 156 - HTML 200 157 - } 158 - 159 - ## atproto services 160 - ### pds 161 - # exists on abnormal.zip with .abnormal.zip .pds.vielle.dev .at.vielle.dev and .at.dongs.zip handles 162 - {$PDS_HOST:abnormal.zip}, 163 - *.{$PDS_HOST:abnormal.zip}, 164 - *.pds.{$HOST:vielle.dev}, 165 - *.at.{$HOST:vielle.dev}, 166 - *.at.{$DONG_HOST:dongs.zip} { 167 - import log pds 168 - tls { 169 - on_demand 170 - } 171 - 172 - rewrite / /pds 173 - @landing path /pds /styles.css 174 - reverse_proxy @landing landing:8000 175 - 176 - # disable age assurance 177 - handle /xrpc/app.bsky.ageassurance.getState { 178 - header content-type "application/json" 179 - header access-control-allow-headers "authorization,dpop,atproto-accept-labelers,atproto-proxy" 180 - header access-control-allow-origin "*" 181 - respond `{"state":{"lastInitiatedAt":"2025-07-14T14:22:43.912Z","status":"assured","access":"full"},"metadata":{"accountCreatedAt":"2022-11-17T00:35:16.391Z"}}` 200 182 - } 183 - 184 - # pds gatekeeper 185 - @gatekeeper { 186 - path /xrpc/com.atproto.server.getSession 187 - path /xrpc/com.atproto.server.describeServer 188 - path /xrpc/com.atproto.server.updateEmail 189 - path /xrpc/com.atproto.server.createSession 190 - path /xrpc/com.atproto.server.createAccount 191 - path /@atproto/oauth-provider/~api/sign-in 192 - path /gate/* 193 - } 194 - 195 - handle @gatekeeper { 196 - reverse_proxy {$ADDR_PDS_GATEKEEPER} 197 - } 198 - 199 - reverse_proxy {$ADDR_PDS} { 200 - transport http { 201 - dial_timeout 5s 202 - } 203 - } 204 - } 205 - 206 - ### tangled knot 207 - # (see nginx.conf for ssh proxying) 208 - knot.{$HOST:vielle.dev} { 209 - import log knot 210 - rewrite / /knot 211 - @landing path /knot /styles.css 212 - reverse_proxy @landing landing:8000 213 - 214 - reverse_proxy {$ADDR_KNOT} 215 - } 216 - 217 - ### piper instance 218 - # technically publicly visible... its _fine_ (+ i cant do jack shit abt it rn so) 219 - piper.{$HOST:vielle.dev} { 220 - import log piper 221 - reverse_proxy {$ADDR_PIPER} 37 + ## misc did:web 38 + alt.{$HOST:vielle.dev} { 39 + import did-web "alt.{$HOST:vielle.dev}" "alt.{$HOST:vielle.dev}" "zQ3shpgbkbxvf5UjBwQcnjf68rg2DKTRQSttBEGokZbx2BzxY" "{$PDS_HOST:abnormal.zip}" 222 40 } 223 41 224 - ##### tmp web dev telephone cimd 225 - cimd.{$HOST:vielle.dev} { 226 - import log cimd 227 - 228 - handle /oauth-client-metadata.json { 229 - header Content-Type "application/json" 230 - header Access-Control-Allow-Origin "*" 231 - respond <<JSON 232 - { 233 - "client_id": "https://cimd.{$HOST:vielle.dev}/oauth-client-metadata.json?{http.request.orig_uri.query}", 234 - "application_type": "web", 235 - "grant_types": ["authorization_code"], 236 - "scope": "{http.request.uri.query.scopes}", 237 - "response_types": ["code"], 238 - "redirect_uris": [ 239 - "https://cimd.{$HOST:vielle.dev}{http.request.uri.query.callback}" 240 - ], 241 - "token_endpoint_auth_method": "none", 242 - "dpop_bound_access_tokens": true, 243 - "client_name": "cimd.{$HOST:vielle.dev}", 244 - "client_uri": "https://cimd.{$HOST:vielle.dev}" 245 - } 246 - JSON 200 247 - } 248 - 249 - @not-oauth `{path} != "/oauth-client-metadata.json"` 250 - handle @not-oauth { 251 - redir http://localhost:3000{uri} 252 - } 253 - } 42 + import ./caddy/misc.caddy 43 + import ./caddy/atp.caddy

-1

caddy/Dockerfile

··· 31 31 FROM caddy:2.10.2 32 32 33 33 # copy built files to /srv 34 - COPY ./Caddyfile /etc/caddy/Caddyfile 35 34 COPY ./srv /srv 36 35 COPY --from=build-dong /app/dong/dist /srv/dong 37 36 COPY --from=build-saltire /app/saltire/dist /srv/saltire

+125

caddy/caddy/atp.caddy

··· 1 + {$PDS_HOST:abnormal.zip} { 2 + import log pds 3 + 4 + import favicon abnormal.zip 5 + rewrite / /pds 6 + @landing path /pds /styles.css 7 + reverse_proxy @landing landing:8000 8 + 9 + # disable age assurance 10 + handle /xrpc/app.bsky.ageassurance.getState { 11 + header content-type "application/json" 12 + header access-control-allow-headers "authorization,dpop,atproto-accept-labelers,atproto-proxy" 13 + import cors * 14 + respond `{"state":{"lastInitiatedAt":"2025-07-14T14:22:43.912Z","status":"assured","access":"full"},"metadata":{"accountCreatedAt":"2022-11-17T00:35:16.391Z"}}` 200 15 + } 16 + 17 + # pds gatekeeper 18 + @gatekeeper { 19 + path /xrpc/com.atproto.server.getSession 20 + path /xrpc/com.atproto.server.describeServer 21 + path /xrpc/com.atproto.server.updateEmail 22 + path /xrpc/com.atproto.server.createSession 23 + path /xrpc/com.atproto.server.createAccount 24 + path /@atproto/oauth-provider/~api/sign-in 25 + path /gate/* 26 + } 27 + 28 + handle @gatekeeper { 29 + reverse_proxy {$ADDR_PDS_GATEKEEPER} 30 + } 31 + 32 + reverse_proxy {$ADDR_PDS} 33 + } 34 + 35 + *.{$PDS_HOST:abnormal.zip}, 36 + *.at.{$DONG_HOST:dongs.zip} { 37 + import log pds 38 + tls { 39 + on_demand 40 + } 41 + 42 + redir / https://aturi.to/{host} 43 + handle_path /aturi/* { 44 + redir https://aturi.to/at://{host}{uri} 45 + } 46 + 47 + redir /bsky https://bsky.app/profile/{host} 48 + redir /witchsky https://witchsky.app/profile/{host} 49 + redir /anisota https://anisota.net/profile/{host} 50 + 51 + handle_path /bsky/* { 52 + redir https://bsky.app/profile/{host}{uri} 53 + } 54 + handle_path /witchsky/* { 55 + redir https://witchsky.app/profile/{host}{uri} 56 + } 57 + handle_path /anisota/* { 58 + redir https://anisota.net/profile/{host}{uri} 59 + } 60 + 61 + redir /pdsls https://pdsls.dev/at://{host} 62 + redir /tangled https://tangled.org/{host} 63 + 64 + handle_path /pdsls/* { 65 + redir https://pdsls.dev/at://{host}{uri} 66 + } 67 + handle_path /tangled/* { 68 + redir https://tangled.org/{host}{uri} 69 + } 70 + 71 + redir /leaflet https://leaflet.pub/p/{host} 72 + redir /semble https://semble.so/profile/{host} 73 + redir /blento https://blento.app/{host} 74 + 75 + reverse_proxy /.well-known/atproto-did {$ADDR_PDS} 76 + } 77 + 78 + ### tangled knot 79 + # (see nginx.conf for ssh proxying) 80 + knot.{$HOST:vielle.dev} { 81 + import log knot 82 + import favicon abnormal.zip 83 + rewrite / /knot 84 + @landing path /knot /styles.css 85 + reverse_proxy @landing landing:8000 86 + 87 + reverse_proxy {$ADDR_KNOT} 88 + } 89 + 90 + ### piper instance 91 + # technically publicly visible... its _fine_ (+ i cant do jack shit abt it rn so) 92 + piper.{$HOST:vielle.dev} { 93 + import log piper 94 + import favicon abnormal.zip 95 + reverse_proxy {$ADDR_PIPER} 96 + } 97 + 98 + ##### custom cimd service 99 + cimd.{$HOST:vielle.dev} { 100 + import log cimd 101 + import favicon abnormal.zip 102 + 103 + handle /oauth-client-metadata.json { 104 + header Content-Type "application/json" 105 + import cors * 106 + respond <<JSON 107 + { 108 + "client_id": "https://cimd.{$HOST:vielle.dev}/oauth-client-metadata.json?{http.request.orig_uri.query}", 109 + "application_type": "web", 110 + "grant_types": ["authorization_code"], 111 + "scope": "{http.request.uri.query.scopes}", 112 + "response_types": ["code"], 113 + "redirect_uris": [ 114 + "https://cimd.{$HOST:vielle.dev}{http.request.uri.query.callback}" 115 + ], 116 + "token_endpoint_auth_method": "none", 117 + "dpop_bound_access_tokens": true, 118 + "client_name": "cimd.{$HOST:vielle.dev}", 119 + "client_uri": "https://cimd.{$HOST:vielle.dev}" 120 + } 121 + JSON 200 122 + } 123 + 124 + redir http://localhost:3000{uri} 125 + }

+57

caddy/caddy/misc.caddy

··· 1 + ## signal 2 + signal.{$HOST:vielle.dev} { 3 + redir * https://signal.me/#eu/xBqcDqZvKp6yn8gG-_gU1Zlrjgp1SHIJuRtfeMd8gXtWRKVxttZE6Yk8bCfUdDm8 301 4 + } 5 + 6 + ## toy projects 7 + saltire-the-gays.{$HOST:vielle.dev} { 8 + import log saltire 9 + encode 10 + root /srv/saltire 11 + import error 12 + file_server 13 + } 14 + 15 + ## personal projects 16 + dnd.{$HOST:vielle.dev} { 17 + import log dnd 18 + reverse_proxy dnd:4321 19 + } 20 + 21 + webdev-telephone.{$HOST:vielle.dev} { 22 + import log webdev-telephone 23 + encode 24 + root /srv/webdev-telephone.vielle.dev 25 + import error 26 + file_server 27 + } 28 + 29 + # mc.{$HOST:vielle.dev} { 30 + # import log mc 31 + # encode 32 + # root /srv/mc.vielle.dev 33 + # import error 34 + # file_server 35 + # } 36 + 37 + apaf.{$HOST:vielle.dev} { 38 + header content-type "text/html" 39 + respond <<HTML 40 + <!DOCTYPE html> 41 + <html> 42 + <head> 43 + <title>APAF</title> 44 + <style> 45 + @import url('https://fonts.googleapis.com/css2?family=EB+Garamond&family=Neuton&display=swap'); 46 + 47 + body { 48 + font-family: "EB Garamond", garamond, serif; 49 + font-size: 40px; 50 + text-align: center; 51 + } 52 + </style> 53 + </head> 54 + <body>ALL PRINTERS ARE FACIST</body> 55 + </html> 56 + HTML 200 57 + }

+71

caddy/caddy/snippets.caddy

··· 1 + (error) { 2 + handle_errors { 3 + @custom_err file /{err.status_code}.html 4 + handle @custom_err { 5 + rewrite * {file_match.relative} 6 + file_server 7 + } 8 + } 9 + 10 + handle_errors { 11 + respond "{err.status_code} {err.status_text}" 12 + } 13 + } 14 + 15 + (cors) { 16 + header Access-Control-Allow-Origin "{args[0]}" 17 + } 18 + 19 + (did-web) { 20 + handle /.well-known/atproto-did { 21 + import cors * 22 + respond "did:web:{args[0]}" 23 + } 24 + 25 + handle /.well-known/did.json { 26 + header Content-Type "application/json" 27 + import cors * 28 + respond <<JSON 29 + { 30 + "@context": [ 31 + "https://www.w3.org/ns/did/v1", 32 + "https://w3id.org/security/multikey/v1", 33 + "https://w3id.org/security/suites/secp256k1-2019/v1" 34 + ], 35 + "id": "did:web:{args[0]}", 36 + "alsoKnownAs": [ "at://{args[1]}" ], 37 + "verificationMethod": [ 38 + { 39 + "id": "did:web:{args[0]}#atproto", 40 + "type": "Multikey", 41 + "controller": "did:web:{args[0]}", 42 + "publicKeyMultibase": "{args[2]}" 43 + } 44 + ], 45 + "service": [ 46 + { 47 + "id": "#atproto_pds", 48 + "type": "AtprotoPersonalDataServer", 49 + "serviceEndpoint": "https://{args[3]}" 50 + } 51 + ] 52 + } 53 + JSON 200 54 + } 55 + } 56 + 57 + (favicon) { 58 + rewrite /favicon.ico /{args[0]}.ico 59 + handle /{args[0]}.ico { 60 + import cors * 61 + root /srv 62 + file_server 63 + } 64 + } 65 + 66 + (log) { 67 + log {args[0]} { 68 + output stdout 69 + format json 70 + } 71 + }

caddy/srv/abnormal.zip.ico

This is a binary file and will not be displayed.

+2 -4

compose.yaml

··· 30 30 - 80:80 31 31 - 443:443 32 32 volumes: 33 - - ./server-health.txt:/reverse_proxy_health.txt 33 + - ./caddy/Caddyfile:/etc/caddy/Caddyfile 34 + - ./caddy/caddy:/etc/caddy/caddy 34 35 - caddy_data:/data 35 36 - caddy_config:/config 36 - - ./minimal.zip:/srv/mc.vielle.dev/minimal.zip 37 - - ./reccomended.zip:/srv/mc.vielle.dev/reccomended.zip 38 - - ./prism-launcher.zip:/srv/mc.vielle.dev/prism-launcher.zip 39 37 environment: 40 38 HOST: vielle.dev 41 39 DONG_HOST: dongs.zip

Configure Feed

Configure Feed