summaryrefslogtreecommitdiff
path: root/caddy
AgeCommit message (Collapse)AuthorLines
4 daysDedupe Caddyfile with snippets, sync docs with reality, add tests/check.shyyamashita-21/+24
- Caddyfile: extract repeated header blocks into (noindex)/(crawler_bypass) snippets (adapted JSON verified byte-identical to previous config) - CLAUDE.md: add mosquitone-admin/microblog to repos table; document that proxy auth is disabled (PROXY_NO_AUTH=1) with JP-only IP filter instead - Deploy.md/caddy/README.md: reflect all-service deploy and forward proxy - tests/check.sh: shell/python syntax, repos.txt<->hooks<->sessions.txt consistency, app.py COMMANDS vs run-command.sh whitelist, secrets check Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
13 daysRestrict proxy to Japan IPs using ipdeny.com CIDR listyyamashita-14/+12
Downloads jp-aggregated.zone from ipdeny.com at container startup (no account required). Falls back to open access if download fails. Removed caddy-maxmind-geoip module (no longer needed). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
13 daysAdd GeoIP Japan-only filter to forward proxyyyamashita-6/+26
Uses caddy-maxmind-geoip module to restrict proxy access to JP IPs. DB file (GeoLite2-Country.mmdb) must be placed manually on the server. Filter is inactive when DB file is absent, allowing safe rollout. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
13 daysFix HTTP proxy directive order: forward_proxy must run before rediryyamashita-1/+1
Caddy's default directive ordering places redir before forward_proxy, causing HTTP proxy requests to be redirected to HTTPS instead of being forwarded. Changing order to forward_proxy before redir fixes this. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
13 dayscaddy: add --build to deploy.sh so entrypoint changes are picked upyyamashita-2/+1
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
13 daysFix HTTP proxy: use catch-all http:// block for port 80yyamashita-1/+2
The forward_proxy site block must catch all hosts on port 80 because proxy clients send Host: <target> not Host: proxy.yyamashita.com. Non-proxy requests fall through to the redir for HTTPS upgrade. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
13 daysDisable proxy auth permanently (PROXY_NO_AUTH=1)yyamashita-0/+2
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
13 daysRe-enable proxy auth (remove PROXY_NO_AUTH=1)yyamashita-2/+0
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
13 daysAdd global order option for forward_proxy directiveyyamashita-0/+4
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
13 daysFix forward_proxy config: remove unsupported hide_ip/hide_via directivesyyamashita-6/+2
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
13 daysTemporarily disable proxy auth (PROXY_NO_AUTH=1)yyamashita-2/+4
Add PROXY_NO_AUTH env var support to entrypoint.sh to skip basicauth generation. Set to 1 in docker-compose.yml to allow unauthenticated access. Revert by removing the environment block from docker-compose.yml. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
13 daysMove forward proxy from Squid to Caddy (port 80/443)yyamashita-7/+47
Replace standalone Squid container with caddy-forwardproxy plugin so the proxy shares Caddy's existing ports and TLS. HTTP on :80 and HTTPS on :443. Auth is read from the same vpn/users.conf at Caddy startup via entrypoint.sh. DNS: add proxy to setup-route53.py WEB_SUBDOMAINS. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
13 daysAdd HTTPS forward proxy service (Squid on port 8443)yyamashita-0/+7
- proxy/: Squid container with HTTPS port, Basic auth from vpn/users.conf - caddy/Caddyfile: add proxy.yyamashita.com block (RSA cert for compat) - git/hooks: add proxy/deploy.sh to post-receive hook - CLAUDE.md: document proxy setup and client config Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
14 daysForce RSA4096 cert for VPN domain to fix iOS IKEv2yyamashita-0/+3
ECDSA chain (YE1→Root YE→ISRG Root X2) is not trusted by iOS IKEv2. RSA chain (Leaf→R10→ISRG Root X1) is universally trusted. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-07-01Serve YE1 intermediate CA cert for Android VPN trust chainyyamashita-0/+7
Android (XREAL Beam Pro) can't validate the server cert because it lacks the Let's Encrypt YE1 hierarchy in its system trust store. The fix: - Serve YE1 cert at https://vpn.yyamashita.com/ca.pem via Caddy - Android VPN profile: set CA certificate to this downloaded cert - install.sh / renew-cert.sh now extract and copy YE1 to caddy dir Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-30Add strongSwan IKEv2 VPN serviceyyamashita-0/+6
- vpn/: Dockerfile, docker-compose.yml, swanctl.conf.tpl, entrypoint.sh - install.sh: Caddy 証明書流用 + コンテナ起動 - renew-cert.sh: 証明書更新 + swanctl ホットリロード - caddy/Caddyfile: vpn.yyamashita.com 追加(Let's Encrypt 証明書取得用) - post-receive: vpn/deploy.sh を追加 - setup-route53.py: WEB_SUBDOMAINS に vpn を追加 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19Add microblog serviceyyamashita-0/+6
- Caddy: route blog.yyamashita.com → microblog-app:3000 - git: add microblog post-receive hook and update work tree path to /app/microblog - DNS: add blog subdomain to Route 53 WEB_SUBDOMAINS Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19Rename hetzner-admin domain and use CNAME for web subdomainsyyamashita-1/+1
- caddy/Caddyfile: admin.yyamashita.com → hetzner-admin.yyamashita.com - mail/dns/setup-route53.py: add A record for primary, CNAME records for all web service subdomains pointing to hetzner.yyamashita.com - CLAUDE.md: update access URL Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-19Add hetzner-admin: SSH-based server management web UIyyamashita-0/+6
Basic Auth protected web UI with buttons to restart services and reboot. SSH key with authorized_keys command= restriction limits executable commands. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17Add cgit web interface at git.yyamashita.comyyamashita-0/+6
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17Add README.md to each directoryyyamashita-0/+11
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17Reorganize repo into caddy/, git/, claude/ directoriesyyamashita-0/+53
- caddy/: Caddyfile, docker-compose.yml, deploy.sh (hook runs this only) - git/: repos.txt, hooks/*/post-receive, install.sh, server-setup.sh - claude/: sessions.txt, systemd/claude-code@.service, sync.sh Post-receive hook is now: checkout + bash caddy/deploy.sh Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>