https://github.com/jwillikers/caddy-ovh-image

Caddy container image built with the OVH module for the DNS-01 ACME challenge
https://github.com/jwillikers/caddy-ovh-image

buildah caddy container dns image nix oci oci-image ovh podman

Last synced: about 1 month ago
JSON representation

Caddy container image built with the OVH module for the DNS-01 ACME challenge

• Host: GitHub
• URL: https://github.com/jwillikers/caddy-ovh-image
• Owner: jwillikers
• License: other
• Created: 2023-02-27T22:41:06.000Z (almost 2 years ago)
• Default Branch: main
• Last Pushed: 2024-10-24T20:02:15.000Z (about 2 months ago)
• Last Synced: 2024-10-26T16:50:52.715Z (about 2 months ago)
• Topics: buildah, caddy, container, dns, image, nix, oci, oci-image, ovh, podman
• Language: Nix
• Homepage:
• Size: 160 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.adoc
  • License: LICENSE.adoc
  • Code of conduct: CODE_OF_CONDUCT.adoc

Awesome Lists containing this project

README

        
= Caddy OVH Image

Jordan Williams 

:experimental:

:icons: font

ifdef::env-github[]

:tip-caption: :bulb:

:note-caption: :information_source:

:important-caption: :heavy_exclamation_mark:

:caution-caption: :fire:

:warning-caption: :warning:

endif::[]

:Asciidoctor_: https://asciidoctor.org/[Asciidoctor]

:Buildah: https://buildah.io/[Buildah]

:Caddy: https://caddyserver.com[Caddy]

:Caddy-OVH-Module: https://github.com/caddy-dns/ovh[Caddy OVH Module]

:certbot-dns-ovh-documentation: https://certbot-dns-ovh.readthedocs.io/en/stable/[certbot-dns-ovh Documentation]

:Git: https://git-scm.com/[Git]

:Linux: https://www.linuxfoundation.org/[Linux]

:OVH-Create-Token-Page: https://www.ovh.com/auth/api/createToken[OVH Create Token Page]

:Podman: https://podman.io/[Podman]

:pre-commit: https://pre-commit.com/[pre-commit]

image:https://github.com/jwillikers/caddy-ovh-image/workflows/Build/badge.svg["Build Status", link="https://github.com/jwillikers/caddy-ovh-image/actions?query=workflow%3ABuild"]

A container image for the running the Caddy reverse-proxy complete with the {Caddy-OVH-Module} capable of completing the ACME DNS-01 challenge.

== Synopsis

Image:: https://quay.io/repository/jwillikers/caddy-ovh[quay.io/jwillikers/caddy-ovh]

Tags::

* `latest`

Supported architectures::

* `aarch64`

// * todo RISC-V

* `x86_64`

Labels::

`io.containers.autoupdate=registry`::: Enables automatic updates when using {Podman} and the _fully-qualified_ image name.

== Quick Start

I recommend putting the Caddy container along with all of the containers it will proxy on a dedicated Podman network with the DNS option enabled.

This makes it easy to delegate to the corresponding containers and doesn't require port-forwarding on their part, which means port address conflicts won't be an issue.

A dedicated Podman network also provides better isolation.

If you need to, you can also use the Caddy container with host networking with other containers using host networking or those using the default `slirp4netns` networking mode.

The example instructions here use dedicated Podman network.

For more information on the configuring OVH DNS via the DNS-01 challenge, refer to the {certbot-dns-ovh-documentation}.

It explains the related configuration in more detail.

. Allow rootless containers to publish to ports 80 and 443 by lowering the starting port for the range of unprivileged ports.

This makes it possible to run the Caddy container rootless and use the standard HTTP and HTTPS ports.

+

./etc/sysctl.d/99-lower-unprivileged_port_start.conf

[source]

----

; Allow publishing to lower port numbers without requiring superuser privileges.

net.ipv4.ip_unprivileged_port_start=80

----

. Load the new sysctl configuration.

+

[,sh]

----

sudo sysctl --system

----

. Open the default HTTP and HTTPS ports, 80 and 443 respectively, in the firewall, since rootless Podman won't be able to open these ports for the container.

+

[,sh]

----

sudo firewall-cmd --add-port=80/tcp --add-port=443/tcp --permanent

----

. Reload the firewall rules that were just saved.

+

[,sh]

----

sudo firewall-cmd --reload

----

. Create a new Podman network which will have DNS networking enabled by default.

+

[,sh]

----

podman network create --ipv6

----

. Open the {OVH-Create-Token-Page} in a web browser.

. Enter the _Application name_, i.e. `Caddy ROCKPro64`.

. Enter an _Application description.

I used `ACME DNS-01 Challenge Provider`.

. Select the time after which the token will expire in the _Validity_ field.

I use `Unlimited` to avoid the token expiring.

. The required _Rights_ are `/domain/zone/*` for each of `GET`, `PUT`, `POST`, and `DELETE`.

. Store your OVH application key as a Podman secret to avoid exposing it.

+

[,sh]

----

printf '****' '%s' | podman secret create ovh_application_key -

----

. Store your OVH application secret as a Podman secret to avoid exposing it.

+

[,sh]

----

printf '****' '%s' | podman secret create ovh_application_secret -

----

. Store your OVH consumer key as a Podman secret to avoid exposing it.

+

[,sh]

----

printf '****' '%s' | podman secret create ovh_consumer_key -

----

. In your Caddyfile, be sure to provide the previously stored secrets to the module.

Then it's just a matter of proxying to hosts using the network's domain name, `dns.podman` by default.

The following Caddyfile demonstrates enabling the OVH DNS-01 ACME challenge globally and configuring a reverse-proxy to a container running Gitea on the same Podman network.

+

.Caddyfile

[source]

----

{

	email [email protected]

	acme_dns ovh {

		endpoint {$OVH_ENDPOINT}

		application_key {$OVH_APPLICATION_KEY}

		application_secret {$OVH_APPLICATION_SECRET}

		consumer_key {$OVH_CONSUMER_KEY}

	}

	# For testing

	# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory

}

gitea.example {

	reverse_proxy gitea.dns.podman:3000

}

----

. Run Caddy rootless, forwarding the appropriate ports, proving the OVH secrets, and mounting the Caddyfile along with the necessary directories.

+

[,sh]

----

podman run \

  --cap-add NET_BIND_SERVICE \

  --detach \

  --env OVH_ENDPOINT="ovh-eu" \

  --label "io.containers.autoupdate=registry" \

  --name caddy \

  --network podman1 \

  --publish 80:80/tcp \

  --publish 443:443/tcp \

  --rm \

  --secret ovh_application_key,type=env,target=OVH_APPLICATION_KEY \

  --secret ovh_application_secret,type=env,target=OVH_APPLICATION_SECRET \

  --secret ovh_consumer_key,type=env,target=OVH_CONSUMER_KEY \

  --volume $PWD:/etc/caddy:Z \

  --volume caddy-config:/config/:Z \

  --volume caddy-data:/data/:Z \

  quay.io/jwillikers/caddy-ovh:latest

----

=== Kubernetes

The Caddy container can also be configured and run via Kubernetes YAML.

These instructions use the same Podman network created in the previous section.

. Configure a Kubernetes YAML file with the necessary secrets for OVH.

+

.caddy-secrets.yaml

[,yaml]

----

include::caddy-secrets.yaml[]

----

. Load the secrets into Podman.

+

[,sh]

----

podman play kube caddy-secrets.yaml

----

. Delete the secrets file.

+

[,sh]

----

rm caddy-secrets.yaml

----

. Configure the path to the `Caddyfile` in the `caddy.yaml` Kubernetes YAML file.

+

.caddy.yaml

[,yaml]

----

include::caddy.yaml[]

----

. Run the Caddy pod using the Kubernetes YAML file.

+

[,sh]

----

podman play kube --network podman --replace

----

== Build

. Install an implementation of Nix, such as https://lix.systems[Lix] used here.

+

[,sh]

----

curl -sSf -L https://install.lix.systems/lix | sh -s -- install

----

. Clone this repository.

+

[,sh]

----

git clone [email protected]:jwillikers/caddy-ovh-image.git

----

. Change into the project directory.

+

[,sh]

----

cd caddy-ovh-image

----

. Install direnv for your system according to the https://direnv.net/docs/installation.html[direnv installation instructions].

+

[,sh]

----

sudo rpm-ostree install direnv

sudo systemctl reboot

----

. Integrate direnv with your shell by following the instructions on the https://direnv.net/docs/hook.html[direnv Setup page].

. Permit the direnv configuration in the repository.

+

[,sh]

----

direnv allow

----

. Build the image with `nix build`.

+

[,sh]

----

nix build

----

== Contributing

Contributions in the form of issues, feedback, and even pull requests are welcome.

Make sure to adhere to the project's link:CODE_OF_CONDUCT.adoc[Code of Conduct].

== Open Source Software

This project is built on the hard work of countless open source contributors.

Several of these projects are enumerated below.

* {Asciidoctor_}

* {Buildah}

* {Caddy}

* {Caddy-OVH-Module}

* {Git}

* {Linux}

* {Podman}

* {pre-commit}

== Code of Conduct

Refer to the project's link:CODE_OF_CONDUCT.adoc[Code of Conduct] for details.

== License

This repository is licensed under the https://www.gnu.org/licenses/gpl-3.0.html[GPLv3], a copy of which is provided in the link:LICENSE.adoc[license file].

© 2023-2024 Jordan Williams

== Authors

mailto:{email}[{author}]