feat(caddy): cert-getter addendum for pronode.prosopo.io#2734
Merged
Extracts the existing route/handler block in docker/provider.Caddyfile into a (provider_site) snippet imported by the per-host site, then adds docker/provider.cert-getter.Caddyfile as a deploy-time addendum that ansible concatenates onto the base file on hosts flagged as the cert getter (currently pronode4). The addendum defines a second site block for the load-balanced pronode.prosopo.io hostname that reads a PEM provisioned out of band by certbot via Bunny DNS-01. Follows the snippet-extraction approach from #2670; the live PEM is distributed by ansible (see the captcha-private companion PR). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds `./certs/pronode-global:/certs/pronode-global:ro` to the caddy service in docker-compose.provider.yml. The mount source is created and populated by ansible (provider.yml distributes the PEM from the cert getter to every pronode), and the path inside the container matches the `tls /certs/pronode-global/...` line in provider.cert-getter.Caddyfile. A previous attempt added this mount and got silently stripped (likely an editor format-on-save). Re-adding with a comment so it's clear it must stay. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

- Extracts the existing route/handler block in `docker/provider.Caddyfile` into a `(provider_site)` snippet imported by the per-host site (same shape as #2670, "feat(caddy): respond to load-balanced pronode.prosopo.io alongside per-host").
- Adds `docker/provider.cert-getter.Caddyfile` as a deploy-time addendum that ansible concatenates onto the base file on hosts flagged `cert_getter: true` in the inventory. The addendum defines a second site block on `:8443` for the load-balanced `pronode.prosopo.io` hostname.
- Cert and key path: `/certs/pronode-global/{fullchain,privkey}.pem`. The PEM is provisioned out of band by certbot via Bunny DNS-01 — installed and renewed by a sibling ansible playbook in the captcha-private repo (see companion PR there).

Why this PR

#2670 left the global hostname TLS strategy as a `tls internal` placeholder and called the real cert distribution mechanism a follow-up. This is that follow-up for the cert-getter side: one node (pronode4) owns ACME for `pronode.prosopo.io` against Bunny DNS, terminates TLS for it, and the addendum lives only on that node. Distribution of the PEM to the other 13 pronodes is a manual ansible step done out of band.

Test plan

- `openssl s_client -connect <ip>:443 -servername pronode.prosopo.io` returns a Let's Encrypt cert with `CN=pronode.prosopo.io`.
- `openssl s_client -connect <ip>:443 -servername pronode4.prosopo.io` still returns the original per-host LE cert (no regression).
- `curl -sS -o /dev/null -w '%{http_code} %{ssl_verify_result}' https://pronode.prosopo.io/healthz` returns `200 0`.
- `provider.Caddyfile` (without the addendum) still loads cleanly and serves the per-host hostname (snippet extraction is the only base-file change; behaviour-equivalent).

🤖 Generated with Claude Code
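The three live checks in the test plan, scripted so they can be re-run against each node after every deploy. This is an added example, not code from the PR or the repo. It assumes `openssl` and `curl` are on PATH, takes the node IP as its first argument and the per-host name as an optional second (defaulting to `pronode4.prosopo.io`), and pins the `curl` check to that node with `--resolve`, which the hand-typed command in the plan does not do; the CN parser handles both the `CN = host` and older `/CN=host` subject layouts that different OpenSSL builds print.

```shell
#!/bin/sh
# Added example (not from the PR): scripts the manual checks in the test plan
# so they can be re-run per node after each deploy.
# Assumes openssl and curl on PATH; usage: ./check-certs.sh <ip> [per-host-name]

# Read `openssl x509 -noout -subject` output on stdin and print the CN.
# Handles both "subject=CN = host" and the older "subject=/CN=host" layout.
cn_from_subject() {
  sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# Connect to $1:443 with SNI $2 and print the CN of the leaf cert presented.
served_cn() {
  printf '' | openssl s_client -connect "$1:443" -servername "$2" 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null | cn_from_subject
}

# Compare "<http_code> <ssl_verify_result>" (the curl -w format from the test
# plan) against the expected "200 0". A non-zero second field means curl could
# not verify the chain against the system roots, e.g. a leftover tls internal cert.
healthz_result_ok() {
  [ "$1" = "200 0" ]
}

# Run one SNI expectation: prints a verdict, returns non-zero on mismatch.
check_sni() {
  ip=$1; sni=$2; want=$3
  got=$(served_cn "$ip" "$sni")
  if [ "$got" = "$want" ]; then
    echo "ok    $sni -> $got"
  else
    echo "FAIL  $sni -> '${got:-<no cert>}' (want $want)"
    return 1
  fi
}

main() {
  ip=$1
  perhost=${2:-pronode4.prosopo.io}
  rc=0
  # 1. Global hostname must be answered with the cert-getter's LE cert.
  check_sni "$ip" pronode.prosopo.io pronode.prosopo.io || rc=1
  # 2. Per-host hostname must still get its own cert (no regression).
  check_sni "$ip" "$perhost" "$perhost" || rc=1
  # 3. End-to-end: healthz over the global name with full chain verification,
  #    pinned to this node so the LB cannot route the probe elsewhere.
  res=$(curl -sS -o /dev/null -w '%{http_code} %{ssl_verify_result}' \
          --resolve "pronode.prosopo.io:443:$ip" https://pronode.prosopo.io/healthz)
  if healthz_result_ok "$res"; then
    echo "ok    healthz -> $res"
  else
    echo "FAIL  healthz -> ${res:-<no response>} (want 200 0)"
    rc=1
  fi
  return $rc
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it once per pronode after the PEM has been distributed; a non-zero exit on the global-hostname check on any node other than the cert getter is the expected state until the distribution step has been done there.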