fix(caddy): TLS certificates trust on all platforms

README.md

@@ -46,10 +46,10 @@ Restart your browsers !
 
 The base stack contains the minimal configuration related to web development.
 
- - caddy
- - adminer
- - maildev
- - memcached
+ - AdminerEvo
+ - Caddy
+ - MailDev
+ - Memcached
 
 ## Compose your stack
 
@@ -69,13 +69,3 @@ The repository currently supports these message brokers:
  - rabbitmq 3.8
 
 An optional watchtower service is available to update docker images automatically. Add `watchtower.yml` to `COMPOSE_FILE` variable and set a schedule with `WATCHTOWER_SCHEDULE` variable in your `.env` file (default is `0 0 17 * * *`). You should also [login to your docker hub account](https://docs.docker.com/security/for-developers/access-tokens/#create-an-access-token) to prevent rate limit issues.
-
-## Troubleshooting
-
-- If setup.sh respond `trust: install is not supported on this system`:
-
-```shell
-    sudo trust anchor --store /var/lib/docker/volumes/dev_caddy_data/_data/caddy/pki/authorities/local/root.crt
-    sudo trust anchor --store /var/lib/docker/volumes/dev_caddy_data/_data/caddy/pki/authorities/local/intermediate.crt
-    sudo update-ca-trust
-```

docker-compose.yml

@@ -17,6 +17,10 @@ services:
       - target: 443
         published: ${HTTP3_PORT:-443}
         protocol: udp
+      # Caddy admin API
+      - target: 2019
+        published: ${CADDY_ADMIN_PORT:-2019}
+        protocol: tcp
     environment:
       CADDY_INGRESS_NETWORKS: dev_public
     volumes:
@@ -28,12 +32,6 @@ services:
       caddy.tls: internal
       caddy.respond: |-
         / "Healthy" 200
-    healthcheck:
-      test: [ "CMD", "wget", "-qO-", "http://localhost:2019/config" ]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-      start_period: 30s
 
   maildev:
     restart: always

proxy/Dockerfile

@@ -1,11 +1,11 @@
-FROM --platform=$TARGETPLATFORM caddy:2-alpine
+FROM caddy:2-alpine
 ARG TARGETOS
 ARG TARGETARCH
 
 ADD --chmod=500 https://caddyserver.com/api/download?os=${TARGETOS}&arch=${TARGETARCH}&p=github.com/lucaslorentz/caddy-docker-proxy/v2&p=github.com/dunglas/mercure/caddy&p=github.com/dunglas/vulcain/caddy /usr/bin/caddy
 
 COPY Caddyfile /etc/caddy/Caddyfile
 
-HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD [ "wget", "-qO-", "http://localhost:2019/config" ]
+HEALTHCHECK --interval=5s --timeout=5s --start-period=5s --retries=3 CMD [ "wget", "-qO-", "http://127.0.0.1:2019/config" ]
 
 CMD ["caddy", "docker-proxy", "--caddyfile-path=/etc/caddy/Caddyfile"]

setup.sh

@@ -1,14 +1,23 @@
 #!/usr/bin/env bash
 
-docker compose --ansi never up -d --build 2>& 1> /dev/null
-docker compose cp proxy:/usr/bin/caddy /tmp/caddy
+docker compose up -d 2>/dev/null
 
-XDG_DATA_HOME=/var/lib/docker/volumes/dev_caddy_data/_data
+docker compose exec proxy wget -q -O- --post-data='"0.0.0.0:2019"' --header='Content-Type:application/json' 'http://127.0.0.1:2019/config/admin/listen'
 
-sudo XDG_DATA_HOME=${XDG_DATA_HOME} \
-/tmp/caddy start 2&> /dev/null; \
-/tmp/caddy untrust; \
-/tmp/caddy trust; \
-/tmp/caddy stop 2&> /dev/null; \
+docker compose cp proxy:/usr/bin/caddy /tmp/caddy 2>/dev/null
 
-rm /tmp/caddy
+/tmp/caddy trust
+
+# ArchLinux and derivatives, see https://wiki.archlinux.org/title/Transport_Layer_Security#Add_a_certificate_to_a_trust_store
+if command -v trust &> /dev/null; then
+  sudo trust anchor /usr/local/share/ca-certificates/*.crt
+  sudo update-ca-trust
+fi
+
+rm -f /tmp/caddy
+
+# Copy the certificate to a stable location (to simplify mounting on all Docker platforms)
+sudo docker compose cp proxy:/data/caddy/pki/authorities/local/root.crt /etc/ssl/certs/Caddy.crt 2>/dev/null
+
+echo "Certificats Caddy installés avec succès !"
+echo "Vous pouvez désormais monter le fichier /etc/ssl/certs/Caddy.crt sur vos projets Docker."