Custom Caddy build (via xcaddy) with:
- github.com/caddy-dns/he (Hurricane Electric DNS provider for ACME)
- github.com/xcaddyplugins/caddy-trusted-cloudfront (auto-trust CloudFront origin IPs)
The image is designed for Docker/Compose and supports multi-arch builds, plus containerized cosign signing & verification.
Start it with `docker compose up -d`.

compose.yaml maps:
- `./Caddyfile` → `/etc/caddy/Caddyfile` (global opts + `import /etc/caddy/conf.d/*.caddy`)
- `/mnt/opt/caddy/etc/conf.d` → `/etc/caddy/conf.d` (your per-vhost `*.caddy`)
- `/mnt/opt/caddy/data` → `/data` (ACME certs, etc.)
- `/mnt/opt/caddy/config` → `/config`
Reload (after editing config): `./scripts/reload.sh`

`./Caddyfile` (global options, then the vhost imports):

```caddyfile
{
    servers {
        trusted_proxies cloudfront {
            interval 12h
        }
        client_ip_headers X-Forwarded-For CloudFront-Viewer-Address
        trusted_proxies_strict
    }
}

# Domain-specific vhosts:
import /etc/caddy/conf.d/*.caddy
```

Common targets:
- `make release` — multi-arch build+push → resolve digest → ensure signed → print final image ref
- `make digest` — write/print registry digest for current `IMAGE:TAG`
- `make sign` / `make verify` — sign/verify by digest via containerized cosign
- `make bump-tag` — rotate `TAG` to a fresh timestamp
Key vars (override via env):
- `IMAGE` (default `docker.io/nebularover77/caddy-he-cfpl`)
- `PLATFORMS` (default `linux/amd64,linux/arm64`)
- `TAG` (from `.tag`, or `git describe`, or a timestamp)
Example release: `make release`

Public key lives at `cosign.pub`. The Makefile runs cosign in a container and mounts your key(s):
- Put your private key at `~/.cosign/cosign.key` (or set `COSIGN_KEY`).
- Verify a pushed image by digest: `make verify`

Scripts:
- `scripts/reload.sh` — `caddy reload` using the mounted `Caddyfile`
- `scripts/validate.sh` — quick config reload/validation
Notes:
- Ensure `/mnt/opt/caddy/etc/conf.d` exists on the host and contains your `*.caddy` vhosts.
- If using HE DNS for ACME, export the required env vars for the provider in your Compose or secrets.
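As an added example (not a file shipped with this repository), a per-vhost file you could drop into `/mnt/opt/caddy/etc/conf.d/` to build on the global options above: it refuses requests that did not arrive through CloudFront and logs the viewer IP resolved from the trusted-proxy headers. The names `ORIGIN_SECRET`, `HE_API_KEY`, the `X-Origin-Verify` header, `app:8080` and the `dns he` argument form are assumptions; check the caddy-dns/he README for the provider's actual option.

```caddyfile
# /mnt/opt/caddy/etc/conf.d/example.caddy (constructed example; mounted at /etc/caddy/conf.d/)
example.com {
    # Issue the certificate via the HE DNS challenge, so port 80 need not be reachable.
    # Assumption: the provider takes its key as a single argument; HE_API_KEY is set in
    # Compose or secrets, as the notes above require.
    tls {
        dns he {env.HE_API_KEY}
    }

    # Origin protection: the CloudFront distribution is configured to add a secret
    # origin header, and anything reaching this origin without it is refused. This
    # keeps clients from bypassing CloudFront (and whatever WAF rules sit there) by
    # connecting to the origin directly. Header name and ORIGIN_SECRET are assumptions.
    @not_via_cloudfront not header X-Origin-Verify {env.ORIGIN_SECRET}
    respond @not_via_cloudfront 403

    # With trusted_proxies limited to the CloudFront ranges and trusted_proxies_strict
    # set globally, {client_ip} comes from X-Forwarded-For / CloudFront-Viewer-Address
    # only when the direct peer is CloudFront; from any other peer the header is ignored
    # and the socket address is used, so the logged value cannot be spoofed.
    log {
        output file /data/access-example.log
        format json
    }

    # Hand the resolved viewer address to the backend; the direct peer it sees is Caddy.
    reverse_proxy app:8080 {
        header_up X-Real-IP {client_ip}
    }
}
```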