
Caddy webserver - valid certificates for hosted services

  1. Set up a Debian machine or use an existing one. The commands below write to system paths (`/etc`, `/usr`); run them as root or prefix the privileged ones with `sudo` consistently, as the apt commands already do.

  2. Install xcaddy (add the xcaddy apt repository and its dedicated signing keyring)

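    # Prerequisites; curl is needed for the two downloads below.
    sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl

    # Import the repository signing key into its own keyring rather than apt's global
    # trusted set, so the key can only vouch for this one repository. It is fetched
    # over HTTPS only; run `gpg --show-keys` on the result and compare the fingerprint
    # with what Caddy/Cloudsmith publish before trusting it.
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/xcaddy/gpg.key' \
      | sudo gpg --dearmor -o /usr/share/keyrings/caddy-xcaddy-archive-keyring.gpg

    # Repository definition. Check that the written .list line carries a
    # signed-by= pointing at the keyring above; add it if it does not.
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/xcaddy/debian.deb.txt' \
      | sudo tee /etc/apt/sources.list.d/caddy-xcaddy.list

    sudo apt update
    sudo apt install xcaddy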

  1. Install a prebuilt Go toolchain from the Go website (xcaddy compiles Caddy from source, so the build machine needs Go)

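    mkdir -p golang && cd golang

    # Pick the current release on https://go.dev/dl/ and copy the SHA256 shown next
    # to the linux-amd64 archive. wget alone only gives you TLS transport; the hash
    # check is what rejects a tampered or truncated tarball before it lands in
    # /usr/local.
    GO_VERSION=1.22.2
    GO_TARBALL="go${GO_VERSION}.linux-amd64.tar.gz"
    GO_SHA256="<paste the SHA256 listed on https://go.dev/dl/ for ${GO_TARBALL}>"

    wget "https://go.dev/dl/${GO_TARBALL}"

    # Verify first, and only then remove the old toolchain and unpack the new one:
    # a failed download or hash mismatch leaves the existing installation untouched.
    printf '%s  %s\n' "$GO_SHA256" "$GO_TARBALL" | sha256sum -c - \
      && sudo rm -rf /usr/local/go \
      && sudo tar -xzf "$GO_TARBALL" -C /usr/local

    # Make the toolchain visible to xcaddy. `export` only lasts for this shell
    # session; put the same three lines into /etc/profile.d/golang.sh (or
    # /etc/bash.bashrc) to make them persistent for future logins.
    export GOROOT=/usr/local/go
    export GOPATH="$HOME/go"
    export PATH="$GOPATH/bin:$GOROOT/bin:$PATH"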
    

  2. Build your own Caddy binary with the plugins you need — here the netcup DNS module (github.com/caddy-dns/netcup), which Caddy uses to answer the ACME DNS challenge for the hosted services' certificates

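    # Unpinned, xcaddy resolves the newest Caddy release and the newest plugin
    # commit at build time, so two builds a week apart can differ silently. For a
    # reproducible, auditable binary pin both:
    #   xcaddy build <caddy-tag> --with github.com/caddy-dns/netcup@<plugin-tag>
    xcaddy build --with github.com/caddy-dns/netcup

    # Confirm the module actually ended up in the binary.
    ./caddy list-modules | grep -i netcup

    # Use install(1) instead of mv: the copy is root-owned and 0755 no matter who
    # ran the build, so the (unprivileged) build user cannot later swap out the
    # binary that the service executes with ambient capabilities. The name
    # caddy_custom marks it as a custom build and avoids clashing with a
    # distro-packaged /usr/bin/caddy.
    sudo install -o root -g root -m 0755 caddy /usr/bin/caddy_custom

    # Default config directory for the Caddyfile. It is read by the caddy service
    # user created in the next step; if the Caddyfile will contain credentials,
    # tighten it to root:caddy 0640 once that user exists.
    sudo install -d -m 0755 /etc/caddy
    sudo touch /etc/caddy/Caddyfile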



  3. Create a dedicated service user, the systemd unit file, and enable the service

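    # Dedicated system group and user; the service never runs as root, and the
    # nologin shell keeps the account from being used interactively.
    sudo groupadd --system caddy

    sudo useradd --system \
        --gid caddy \
        --create-home \
        --home-dir /var/lib/caddy \
        --shell /usr/sbin/nologin \
        --comment "Caddy web server" \
        caddy

    # The unit file belongs in /etc/systemd/system/. The multi-user.target.wants/
    # directory is where `systemctl enable` places its symlink; do not create a
    # regular file there by hand.
    sudo touch /etc/systemd/system/caddy.service
    sudo chmod 0644 /etc/systemd/system/caddy.service

    # After pasting the unit content below into that file:
    #   sudo systemctl daemon-reload
    #   sudo systemctl enable --now caddy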

    This example service file passes the netcup credentials to the module via the environment. Do not put them in `Environment=` lines of the unit: the unit file is world-readable and `systemctl show caddy` exposes `Environment=` to every local user, and Caddy's `--environ` flag additionally prints the whole environment into the journal on every start. Keep them in a root-owned, mode 0600 `EnvironmentFile=` instead, as shown below.

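    # caddy.service
    #
    # For using Caddy with a config file.
    #
    # Make sure the ExecStart and ExecReload commands are correct
    # for your installation.
    #
    # See https://caddyserver.com/docs/install for instructions.
    #
    # WARNING: This service does not use the --resume flag, so if you
    # use the API to make changes, they will be overwritten by the
    # Caddyfile next time the service is restarted. If you intend to
    # use Caddy's API to configure it, add the --resume flag to the
    # `caddy run` command or use the caddy-api.service file instead.
    #
    # netcup credentials: they are read from /etc/caddy/netcup.env instead of
    # Environment= lines in this unit. A unit file is world-readable and
    # `systemctl show caddy` reports Environment= to any local user, whereas
    # EnvironmentFile= is read by PID 1 and the file itself can be locked down
    # (root:root, mode 0600). For the same reason `--environ` is left off
    # ExecStart: it dumps the whole process environment into the journal.

    [Unit]
    Description=Caddy
    Documentation=https://caddyserver.com/docs/
    After=network.target network-online.target
    Requires=network-online.target

    [Service]
    # Create /etc/caddy/netcup.env as root with mode 0600 containing:
    #   NETCUP_CUSTOMER_NUMBER=XXXXX
    #   NETCUP_API_KEY=XXXXX
    #   NETCUP_API_PASSWORD=XXXXX
    EnvironmentFile=/etc/caddy/netcup.env
    Type=notify
    User=caddy
    Group=caddy
    ExecStart=/usr/bin/caddy_custom run --config /etc/caddy/Caddyfile
    ExecReload=/usr/bin/caddy_custom reload --config /etc/caddy/Caddyfile --force
    TimeoutStopSec=5s
    LimitNOFILE=1048576
    LimitNPROC=512
    PrivateTmp=true
    ProtectSystem=full
    # CAP_NET_BIND_SERVICE is what binding :80/:443 as the caddy user requires.
    # CAP_NET_ADMIN is inherited from the upstream unit and is considerably
    # broader; drop it if nothing in your Caddyfile turns out to need it.
    AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

    [Install]
    WantedBy=multi-user.target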