zima-apps/Apps/caddy-autogen/docker-compose.yaml

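# caddy-autogen: a Caddy reverse proxy whose routes are generated by a
# discovery agent that reads container state through a restricted Docker API
# proxy.
#
# Trust boundaries in this stack:
#   - caddy is the only service with published ports (80/443).
#   - socket-proxy is the only service that mounts /var/run/docker.sock.
#   - discovery-agent is the only intended client of socket-proxy and of the
#     Caddy admin API.
name: caddy-autogen

x-image:
  namespace: "${IMAGE_NAMESPACE:-joafri}"
  # The default tag is a moving branch tag, so the image content can change
  # between pulls. For reproducible deployments set IMAGE_TAG to a release tag
  # or pin by digest (image@sha256:<digest>).
  tag: "${IMAGE_TAG:-main}"

services:
  caddy:
    image: "${IMAGE_NAMESPACE:-joafri}/caddy-autogen-caddy:${IMAGE_TAG:-main}"
    build:
      context: ./caddy
      dockerfile: Dockerfile
    container_name: caddy-autogen
    restart: unless-stopped
    environment:
      TZ: "${TZ}"
      # The Caddy admin API is unauthenticated by default. It listens on all
      # container interfaces so that discovery-agent can reach /load over the
      # project network; port 2019 is intentionally absent from `ports` and
      # must stay unpublished.
      CADDY_ADMIN: "${CADDY_ADMIN:-0.0.0.0:2019}"
      # Passed as a plain environment variable, so it is visible to anything
      # that can inspect this container through the Docker API. Keep the token
      # scoped to the permissions named in the x-casaos description below.
      CLOUDFLARE_API_TOKEN: "${CLOUDFLARE_API_TOKEN}"
    ports:
      - target: 80
        published: "${HTTP_PORT:-80}"
        protocol: tcp
      - target: 443
        published: "${HTTPS_PORT:-443}"
        protocol: tcp
    volumes:
      # /data holds certificates and private keys; restrict host-side access
      # to this directory accordingly.
      - type: bind
        source: /DATA/AppData/$AppID/caddy/data
        target: /data
      - type: bind
        source: /DATA/AppData/$AppID/caddy/config
        target: /config
    extra_hosts:
      - "host.docker.internal:host-gateway"
    security_opt:
      - no-new-privileges:true
    # NOTE(review): the other two services set `cap_drop: [ALL]` and
    # `read_only: true`; this internet-facing one keeps Docker's default
    # capability set and a writable root filesystem. The usual pattern is
    # `cap_drop: [ALL]` plus `cap_add: [NET_BIND_SERVICE]` - verify against
    # ./caddy/Dockerfile before enabling, it is not visible from this file.
    x-casaos:
      envs:
        - container: CADDY_ADMIN
          description:
            en_us: Caddy admin endpoint bind address
        - container: CLOUDFLARE_API_TOKEN
          description:
            en_us: Cloudflare API token (Zone Read + DNS Edit)
      ports:
        - container: "80"
          description:
            en_us: HTTP ingress
        - container: "443"
          description:
            en_us: HTTPS ingress
      volumes:
        - container: /data
          description:
            en_us: Caddy runtime data and certificates
        - container: /config
          description:
            en_us: Caddy configuration state

  socket-proxy:
    # Pinned to a version tag; a tag can still be re-pushed upstream. Pin by
    # digest (image@sha256:<digest>) if the deployment needs immutability.
    image: lscr.io/linuxserver/socket-proxy:version-24.02.26
    container_name: caddy-autogen-socket-proxy
    restart: unless-stopped
    environment:
      TZ: "${TZ}"
      # These toggles are the actual access control for the Docker API.
      # POST is "0" so state-changing requests are refused. CONTAINERS "1"
      # still exposes container inspection, which includes every container's
      # environment variables - treat the client of this proxy as able to
      # read secrets passed to other containers that way.
      CONTAINERS: "1"
      EVENTS: "1"
      INFO: "1"
      NETWORKS: "1"
      PING: "1"
      POST: "0"
      VERSION: "1"
    read_only: true
    tmpfs:
      - /run
    volumes:
      # `read_only` on a socket bind mount does not limit what can be sent
      # over the socket; it only protects the mount point itself.
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
        read_only: true
    # Attached only to the internal network so that the internet-facing caddy
    # container has no route to the Docker API proxy.
    networks:
      - docker-api
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL

  discovery-agent:
    image: "${IMAGE_NAMESPACE:-joafri}/caddy-autogen-discovery-agent:${IMAGE_TAG:-main}"
    build:
      context: ./agent
      dockerfile: Dockerfile
    container_name: caddy-autogen-discovery
    restart: unless-stopped
    depends_on:
      - caddy
      - socket-proxy
    environment:
      TZ: "${TZ}"
      # Both URLs are plain HTTP; they are meant to stay on the project's
      # private networks. Overriding them to a remote host would send
      # unauthenticated control traffic off-box.
      DOCKER_API_URL: "${DOCKER_API_URL:-http://socket-proxy:2375}"
      CADDY_LOAD_URL: "${CADDY_LOAD_URL:-http://caddy:2019/load}"
      BASE_DOMAIN: "${BASE_DOMAIN}"
      WILDCARD_DOMAIN: "${WILDCARD_DOMAIN:-}"
      # NOTE(review): the same token is also given to caddy. If the agent
      # only needs to know whether a token is set, confirm whether it needs
      # the value itself.
      CLOUDFLARE_API_TOKEN: "${CLOUDFLARE_API_TOKEN}"
      CERT_EMAIL: "${CERT_EMAIL:-}"
      # Fail-closed defaults: keep REQUIRE_CLOUDFLARE "true" and
      # ALLOW_INTERNAL_TLS_FALLBACK "false" unless internal certificates are
      # an accepted outcome.
      REQUIRE_CLOUDFLARE: "${REQUIRE_CLOUDFLARE:-true}"
      ALLOW_INTERNAL_TLS_FALLBACK: "${ALLOW_INTERNAL_TLS_FALLBACK:-false}"
      ENV_PREFIX: "${ENV_PREFIX:-LABEL_CADDY_}"
      POLL_SECONDS: "${POLL_SECONDS:-15}"
      # The stack's own containers are excluded from discovery by name.
      CONTAINER_NAME_DENYLIST: "${CONTAINER_NAME_DENYLIST:-caddy-autogen,caddy-autogen-discovery,caddy-autogen-socket-proxy}"
      DEFAULT_SCHEME: "${DEFAULT_SCHEME:-http}"
      DEFAULT_PATH: "${DEFAULT_PATH:-/}"
      DEFAULT_HEALTH_URI: "${DEFAULT_HEALTH_URI:-}"
      CONFIG_FILE: "${CONFIG_FILE:-/app/config/defaults.yaml}"
    volumes:
      - type: bind
        source: /DATA/AppData/$AppID/config
        target: /app/config
        read_only: true
    read_only: true
    tmpfs:
      - /tmp
    # `default` reaches caddy's admin endpoint; `docker-api` reaches
    # socket-proxy. No other service is attached to both.
    networks:
      - default
      - docker-api
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    x-casaos:
      envs:
        - container: BASE_DOMAIN
          description:
            en_us: Base domain used for endpoints, e.g. home.example.com
        - container: WILDCARD_DOMAIN
          description:
            en_us: Optional wildcard certificate domain, e.g. home.example.com
        - container: REQUIRE_CLOUDFLARE
          description:
            en_us: Fail closed when Cloudflare token is missing
        - container: ALLOW_INTERNAL_TLS_FALLBACK
          description:
            en_us: Enable internal Caddy certificates when Cloudflare is unavailable
        - container: POLL_SECONDS
          description:
            en_us: Docker state reconciliation interval
      volumes:
        - container: /app/config
          description:
            en_us: Discovery defaults configuration (read-only)

networks:
  # Carries only discovery-agent <-> socket-proxy traffic. `internal: true`
  # gives the network no external connectivity, so the Docker API proxy is
  # reachable only from containers attached to it.
  docker-api:
    internal: true

x-casaos:
  architectures:
    - amd64
    - arm64
    - arm
  main: caddy
  category: Network
  author: Zima Apps Team
  developer: Zima Apps Team
  icon: https://caddyserver.com/resources/images/caddy-circle-lock.svg
  tagline:
    en_us: Auto-generate Caddy endpoints from running containers
  description:
    en_us: >-
      Discovers ZimaOS containers through Docker API and generates Caddy routes on the fly.
      Uses explicit env-based opt-in (LABEL_CADDY_*) with fail-closed defaults, Cloudflare DNS-01
      certificates, and local split-horizon DNS compatibility.
  title:
    en_us: Caddy AutoGen
  index: /
  port_map: "${HTTPS_PORT:-443}"
  scheme: https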