Add caddy-autogen app, tests, and agent policy updates

2026-03-18 16:19:01 +01:00
commit 9ea8ca421b
19 changed files with 1273 additions and 0 deletions
@@ -0,0 +1,162 @@
+name: caddy-autogen
+
+services:
+  caddy:
+    build:
+      context: ./caddy
+      dockerfile: Dockerfile
+    container_name: caddy-autogen
+    restart: unless-stopped
+    environment:
+      TZ: ${TZ}
+      CADDY_ADMIN: ${CADDY_ADMIN:-0.0.0.0:2019}
+      CLOUDFLARE_API_TOKEN: ${CLOUDFLARE_API_TOKEN}
+    ports:
+      - target: 80
+        published: ${HTTP_PORT:-80}
+        protocol: tcp
+      - target: 443
+        published: ${HTTPS_PORT:-443}
+        protocol: tcp
+    volumes:
+      - type: bind
+        source: /DATA/AppData/$AppID/caddy/data
+        target: /data
+      - type: bind
+        source: /DATA/AppData/$AppID/caddy/config
+        target: /config
+    extra_hosts:
+      - host.docker.internal:host-gateway
+    security_opt:
+      - no-new-privileges:true
+    x-casaos:
+      envs:
+        - container: CADDY_ADMIN
+          description:
+            en_us: Caddy admin endpoint bind address
+        - container: CLOUDFLARE_API_TOKEN
+          description:
+            en_us: Cloudflare API token (Zone Read + DNS Edit)
+      ports:
+        - container: "80"
+          description:
+            en_us: HTTP ingress
+        - container: "443"
+          description:
+            en_us: HTTPS ingress
+      volumes:
+        - container: /data
+          description:
+            en_us: Caddy runtime data and certificates
+        - container: /config
+          description:
+            en_us: Caddy configuration state
+
+  socket-proxy:
+    image: lscr.io/linuxserver/socket-proxy:version-24.02.26
+    container_name: caddy-autogen-socket-proxy
+    restart: unless-stopped
+    environment:
+      TZ: ${TZ}
+      CONTAINERS: 1
+      EVENTS: 1
+      INFO: 1
+      NETWORKS: 1
+      PING: 1
+      POST: 0
+      VERSION: 1
+    read_only: true
+    tmpfs:
+      - /run
+    volumes:
+      - type: bind
+        source: /var/run/docker.sock
+        target: /var/run/docker.sock
+        read_only: true
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+
+  discovery-agent:
+    build:
+      context: ./agent
+      dockerfile: Dockerfile
+    container_name: caddy-autogen-discovery
+    restart: unless-stopped
+    depends_on:
+      - caddy
+      - socket-proxy
+    environment:
+      TZ: ${TZ}
+      DOCKER_API_URL: ${DOCKER_API_URL:-http://socket-proxy:2375}
+      CADDY_LOAD_URL: ${CADDY_LOAD_URL:-http://caddy:2019/load}
+      BASE_DOMAIN: ${BASE_DOMAIN}
+      WILDCARD_DOMAIN: ${WILDCARD_DOMAIN:-}
+      CLOUDFLARE_API_TOKEN: ${CLOUDFLARE_API_TOKEN}
+      CERT_EMAIL: ${CERT_EMAIL:-}
+      REQUIRE_CLOUDFLARE: ${REQUIRE_CLOUDFLARE:-true}
+      ALLOW_INTERNAL_TLS_FALLBACK: ${ALLOW_INTERNAL_TLS_FALLBACK:-false}
+      ENV_PREFIX: ${ENV_PREFIX:-LABEL_CADDY_}
+      POLL_SECONDS: ${POLL_SECONDS:-15}
+      CONTAINER_NAME_DENYLIST: ${CONTAINER_NAME_DENYLIST:-caddy-autogen,caddy-autogen-discovery,caddy-autogen-socket-proxy}
+      DEFAULT_SCHEME: ${DEFAULT_SCHEME:-http}
+      DEFAULT_PATH: ${DEFAULT_PATH:-/}
+      DEFAULT_HEALTH_URI: ${DEFAULT_HEALTH_URI:-}
+      CONFIG_FILE: ${CONFIG_FILE:-/app/config/defaults.yaml}
+    volumes:
+      - type: bind
+        source: /DATA/AppData/$AppID/config
+        target: /app/config
+        read_only: true
+    read_only: true
+    tmpfs:
+      - /tmp
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    x-casaos:
+      envs:
+        - container: BASE_DOMAIN
+          description:
+            en_us: Base domain used for endpoints, e.g. home.example.com
+        - container: WILDCARD_DOMAIN
+          description:
+            en_us: Optional wildcard certificate domain, e.g. home.example.com
+        - container: REQUIRE_CLOUDFLARE
+          description:
+            en_us: Fail closed when Cloudflare token is missing
+        - container: ALLOW_INTERNAL_TLS_FALLBACK
+          description:
+            en_us: Enable internal Caddy certificates when Cloudflare is unavailable
+        - container: POLL_SECONDS
+          description:
+            en_us: Docker state reconciliation interval
+      volumes:
+        - container: /app/config
+          description:
+            en_us: Discovery defaults configuration (read-only)
+
+x-casaos:
+  architectures:
+    - amd64
+    - arm64
+    - arm
+  main: caddy
+  category: Network
+  author: Zima Apps Team
+  developer: Zima Apps Team
+  icon: https://caddyserver.com/resources/images/caddy-circle-lock.svg
+  tagline:
+    en_us: Auto-generate Caddy endpoints from running containers
+  description:
+    en_us: >-
+      Discovers ZimaOS containers through Docker API and generates Caddy routes on the fly.
+      Uses explicit env-based opt-in (LABEL_CADDY_*) with fail-closed defaults, Cloudflare DNS-01
+      certificates, and local split-horizon DNS compatibility.
+  title:
+    en_us: Caddy AutoGen
+  index: /
+  port_map: ${HTTPS_PORT:-443}
+  scheme: https