RWejlgaard/pez-docs
1
0
Fork 0
mirror of https://github.com/RWejlgaard/pez-docs.git synced 2026-05-06 03:34:44 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
pez-docs/principles/caddy/README.md
Rasmus Wejlgaard 4508f740e5 Update documentation for current setup 
- Update locations/london.md with current server state (london-a FreeBSD monitoring, london-b Ubuntu/ZFS storage, london-c offline)
- Update locations/copenhagen.md with current servers (copenhagen-a Minecraft+WoW, copenhagen-b offline, copenhagen-c general)
- Add locations/helsinki.md documenting helsinki-a (Caddy gateway, Authelia, Bitwarden, LDAP) and nuremberg-a (mail/poste.io)
- Add workloads/jellyfin, navidrome, nextcloud, arr-stack, minecraft, wow, mail, monitoring, bitwarden, authelia
- Add principles/zfs documenting the london-b ZFS pool setup
- Add principles/caddy documenting the reverse proxy setup on helsinki-a
- Update introduction.md to mention all locations
2026-03-04 09:41:57 +00:00

1.5 KiB
Raw Blame History

Caddy

Why

Caddy is my reverse proxy of choice. It handles TLS termination automatically via Let's Encrypt — no manual certificate management, no certbot cron jobs, no renewals to think about. You write a Caddyfile, point it at a subdomain, and TLS just works.

Compared to Nginx, the config is far less verbose. A reverse proxy block that takes 20 lines in Nginx takes 4 in Caddy.

Where

Runs on helsinki-a, which is the public-facing edge server. All traffic from the internet hits helsinki-a first, then Caddy forwards it over Tailscale to the appropriate backend.

How It Works

All public subdomains (pez.sh, pez.solutions) are DNS-proxied through Cloudflare. Cloudflare terminates the external TLS and forwards traffic to helsinki-a. Caddy then handles routing to the correct backend.

Backends are addressed by Tailscale IP or hostname — no need to open ports between servers on the public internet.

Authelia Integration

For protected services, Caddy uses a forward_auth directive that calls Authelia before proxying the request. If the user isn't authenticated, Caddy redirects them to auth.pez.sh.

Example Caddyfile block:

radarr.pez.sh {
    forward_auth helsinki-a:9091 {
        uri /api/verify?rd=https://auth.pez.sh
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
    reverse_proxy london-b:7878
}

TLS

Caddy obtains and renews certificates automatically via ACME (Let's Encrypt). No manual intervention required.