main
infra-caddy — central Caddy config repo
This repository contains a recommended layout and tooling to manage Caddy site configurations in one place and deploy them safely to a system Caddy installation or container.
Layout
Caddyfile— top-level that importssites/*.caddy.sites/*.caddy— per-site small files (one site per file).deploy/— helper scripts and example hooks.
Quick example
- On the server, create a checkout path, e.g.
/srv/caddy-config. - Ensure the system Caddyfile (e.g.
/etc/caddy/Caddyfile) imports the checked-outCaddyfileorsites/*.caddy:
import /srv/caddy-config/Caddyfile
- Use the provided
deploy/deploy.shlocally (or a CI job) to sync and run validation+reload, or push to a server bare repo and use thedeploy/post-receivehook.
Safe deploy pattern
- Always run
caddy validate --config /etc/caddy/Caddyfile(orcaddy adapt) before reloading. - Use the
deploy/validate-and-reload.shscript as a canonical check-and-reload. - Grant the
gitor deploy user the narrow sudo permission to reload Caddy by adding the line fromdeploy/deploy-sudoers.exampleto/etc/sudoers.d/infra-caddy-deploy.
Post-receive hook (server)
- Create a bare repo (e.g.
/home/git/infra-caddy.git) and set thepost-receivehook to the contents indeploy/post-receive. - Ensure the checked-out working tree path in the hook (
/srv/caddy-config) matches your system and that thevalidate-and-reload.shis executable.
CI
- The included
.github/workflows/validate-and-deploy.ymlvalidates the Caddyfile using the officialcaddy:2image and demonstrates an rsync deploy step (requiresDEPLOY_USER,DEPLOY_HOSTsecrets).
Security notes
- Do not store private keys or secrets in this git repo.
- Use Vault, environment variables, or other secret stores for API keys or TLS private keys.
Adding a new site
- Add
sites/<hostname>.caddywith the host block and rules. - Push; CI or post-receive will validate and deploy.
Description
Languages
Shell
100%