Erich Blume
272ea1e767
## Summary - Upgrade Caddy from v2.10.2 to v2.11.2 (7 CVE fixes across v2.11.1 and v2.11.2) - Create `mirrors/caddy-l4` forge mirror for Layer 4 plugin - Migrate all `~/code/3rd` clones on indri from `localhost:3001` to HTTPS `forge.ops.eblu.me/mirrors/` remotes - Remove stale clones (`apple-silicon-detector`, `whisper.cpp`) - Update caddy docs and service-versions tracking ## CVEs Fixed - CVE-2026-27585 through CVE-2026-27590 (path/host bypass, TLS fail-open, FastCGI issues) - Forward auth identity injection (privilege escalation) - `vars_regexp` placeholder secret exposure - Built on Go 1.26.1 (patches Go-level CVEs) ## What was done on indri (not in repo) - `xcaddy build` with Gandi DNS + Layer 4 plugins → `~/code/3rd/caddy/bin/caddy` now v2.11.2 - Remotes updated: caddy, forgejo-runner, zot → `https://forge.ops.eblu.me/mirrors/*.git` - Deleted: `~/code/3rd/apple-silicon-detector`, `~/code/3rd/whisper.cpp` ## Deployment and Testing - [x] Ansible dry-run passed (`--tags caddy --check --diff`) - [ ] Restart caddy LaunchAgent to pick up the new binary - [ ] Verify all proxied services respond via `*.ops.eblu.me` - [ ] Run `mise run services-check` Reviewed-on: #294
3.5 KiB
| title | modified | tags | |||
|---|---|---|---|---|---|
| Caddy | 2026-03-15 |
|
Caddy
Reverse proxy for *.ops.eblu.me services with automatic TLS via ACME DNS-01.
Quick Reference
| Property | Value |
|---|---|
| Domain | *.ops.eblu.me |
| HTTPS Port | 443 |
| Config | ansible/roles/caddy/templates/Caddyfile.j2 |
| Binary | Custom build with Gandi DNS plugin |
Why Caddy?
Caddy provides a single TLS termination point for all BlumeOps services:
- Wildcard certificate for
*.ops.eblu.mevia Let's Encrypt - DNS-01 challenge using Gandi API (no port 80 needed)
- Unified access from k8s pods, containers, and tailnet clients
See routing for when to use *.ops.eblu.me vs *.tail8d86e.ts.net.
Proxied Services
Indri-Local Services
| Subdomain | Backend | Service |
|---|---|---|
forge.ops.eblu.me |
localhost:3001 |
forgejo |
registry.ops.eblu.me |
localhost:5050 |
zot |
jellyfin.ops.eblu.me |
localhost:8096 |
jellyfin |
Kubernetes Services
K8s services are proxied via their Tailscale Ingress endpoints:
| Subdomain | Backend | Service |
|---|---|---|
grafana.ops.eblu.me |
grafana.tail8d86e.ts.net |
grafana |
argocd.ops.eblu.me |
argocd.tail8d86e.ts.net |
argocd |
cv.ops.eblu.me |
cv.tail8d86e.ts.net |
cv |
docs.ops.eblu.me |
docs.tail8d86e.ts.net |
docs (now publicly available at docs.eblu.me via flyio-proxy) |
feed.ops.eblu.me |
feed.tail8d86e.ts.net |
miniflux |
| ... | ... | (see defaults/main.yml for full list) |
TCP Services (Layer 4)
| Port | Backend | Service |
|---|---|---|
| 2222 | localhost:2200 |
Forgejo SSH |
| 5432 | pg.tail8d86e.ts.net:5432 |
postgresql |
Configuration
Caddy is managed via the caddy Ansible role:
# Deploy caddy changes
mise run provision-indri -- --tags caddy
Key files:
ansible/roles/caddy/defaults/main.yml- Service definitionsansible/roles/caddy/templates/Caddyfile.j2- Caddy config template
Secrets
| Secret | Source | Description |
|---|---|---|
GANDI_BEARER_TOKEN |
1Password | API token for DNS-01 challenges |
The token is written to ~/.config/caddy/gandi-token (chmod 0600) and sourced by the Caddy wrapper script.
Security Considerations
Caddy has no authentication layer — it is a plain reverse proxy. Access control relies entirely on Tailscale ACLs restricting which devices can reach indri on port 443. Currently tag:homelab and autogroup:admin can reach Caddy. The flyio-proxy no longer routes through Caddy — it pushes logs and metrics directly to loki and prometheus via their Tailscale Ingress endpoints.
Custom Build
Caddy is built from source using xcaddy with two plugins:
github.com/caddy-dns/gandi— ACME DNS-01 challenges via Gandi APIgithub.com/mholt/caddy-l4— Layer 4 (TCP/UDP) proxying
# Source and build location (mirrored on forge)
~/code/3rd/caddy/bin/caddy
# Build via mise task in the caddy clone
cd ~/code/3rd/caddy && mise run build
Forge mirrors: mirrors/caddy, mirrors/caddy-gandi, mirrors/xcaddy, mirrors/caddy-l4.
Related
- gandi - DNS hosting and ACME DNS-01 provider
- routing - Service routing architecture
- forgejo - Git forge (proxied by Caddy)
- zot - Container registry (proxied by Caddy)
- tailscale-operator - K8s services use Tailscale Ingress, then Caddy