From 01f11df4177b85de544b66f599eb95459d82bd17 Mon Sep 17 00:00:00 2001
From: S
Date: Sun, 1 Mar 2026 12:18:53 -0500
Subject: [PATCH] fix: wire CADDY_DOMAIN into Caddyfile template for wildcard cert
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CADDY_DOMAIN was required/validated/prompted but never used — the Caddyfile only referenced GITEA_DOMAIN, producing a single-domain cert. Now the template uses *.CADDY_DOMAIN as the site address (wildcard cert) with a host matcher routing GITEA_DOMAIN to Gitea. This means the cert covers all subdomains under the base domain.

Co-Authored-By: Claude Opus 4.6
---
 .env.example | 2 +-
 phase8_cutover.sh | 4 ++--
 templates/Caddyfile.tpl | 13 +++++++++++--
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/.env.example b/.env.example
index 07ac8c7..67633b9 100644
--- a/.env.example
+++ b/.env.example
@@ -121,7 +121,7 @@ GITHUB_MIRROR_INTERVAL=8h # How often Gitea pushes to GitHub (offsite ba
 # TLS / REVERSE PROXY (Caddy — dedicated container per host)
 # -----------------------------------------------------------------------------
 TLS_MODE=cloudflare # TLS mode: "cloudflare" (DNS-01 via CF API) or "existing" (manual certs)
-CADDY_DOMAIN= # Wildcard base domain (e.g. privacyindesign.com)
+CADDY_DOMAIN= # Wildcard cert base domain (e.g. privacyindesign.com → cert for *.privacyindesign.com)
 CADDY_DATA_PATH= # Absolute path on host for Caddy data (e.g. /mnt/nvme/caddy)
 CLOUDFLARE_API_TOKEN= # Cloudflare API token with Zone:DNS:Edit (only if TLS_MODE=cloudflare)
 SSL_CERT_PATH= # Absolute path to SSL cert (only if TLS_MODE=existing)
diff --git a/phase8_cutover.sh b/phase8_cutover.sh
index 71576e5..108836b 100755
--- a/phase8_cutover.sh
+++ b/phase8_cutover.sh
@@ -145,7 +145,7 @@ if ssh_exec UNRAID "test -f '${CADDY_DATA_PATH}/Caddyfile'" 2>/dev/null; then
 else
 TMPFILE=$(mktemp)
 GITEA_CONTAINER_IP="${UNRAID_GITEA_IP}"
- export GITEA_CONTAINER_IP GITEA_DOMAIN
+ export GITEA_CONTAINER_IP GITEA_DOMAIN CADDY_DOMAIN
 
 # Build TLS block based on TLS_MODE
 if [[ "$TLS_MODE" == "cloudflare" ]]; then
@@ -158,7 +158,7 @@ else
 export TLS_BLOCK
 
 render_template "${SCRIPT_DIR}/templates/Caddyfile.tpl" "$TMPFILE" \
- "\${GITEA_DOMAIN} \${TLS_BLOCK} \${GITEA_CONTAINER_IP}"
+ "\${CADDY_DOMAIN} \${GITEA_DOMAIN} \${TLS_BLOCK} \${GITEA_CONTAINER_IP}"
 scp_to UNRAID "$TMPFILE" "${CADDY_DATA_PATH}/Caddyfile"
 rm -f "$TMPFILE"
 log_success "Caddyfile deployed"
diff --git a/templates/Caddyfile.tpl b/templates/Caddyfile.tpl
index 0d6ab45..5929c64 100644
--- a/templates/Caddyfile.tpl
+++ b/templates/Caddyfile.tpl
@@ -2,8 +2,17 @@
 # TLS_BLOCK is replaced by the phase script based on TLS_MODE:
 # cloudflare → dns cloudflare {env.CF_API_TOKEN}
 # existing → tls /path/to/cert /path/to/key
+# Wildcard cert covers *.CADDY_DOMAIN; @gitea routes GITEA_DOMAIN to Gitea.
 
-${GITEA_DOMAIN} {
+*.${CADDY_DOMAIN} {
 ${TLS_BLOCK}
- reverse_proxy ${GITEA_CONTAINER_IP}:3000
+
+ @gitea host ${GITEA_DOMAIN}
+ handle @gitea {
+ reverse_proxy ${GITEA_CONTAINER_IP}:3000
+ }
+
+ handle {
+ respond "Service not configured" 404
+ }
 }
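Review bot: The new `export GITEA_CONTAINER_IP GITEA_DOMAIN CADDY_DOMAIN` line hands both domains to the template without checking that GITEA_DOMAIN is a direct child of CADDY_DOMAIN, yet the template now serves Gitea only from inside a `*.${CADDY_DOMAIN}` site address, and a Caddy wildcard matches exactly one extra label — the apex itself and names like `git.internal.example.com` never match, so Gitea would silently land on the 404 fallback and the wildcard cert would not cover it. The commit message says CADDY_DOMAIN is validated on its own, but the relationship between the two values is not visible in this script. Guard it before the export: `[[ "$GITEA_DOMAIN" == *."$CADDY_DOMAIN" && "${GITEA_DOMAIN%."$CADDY_DOMAIN"}" != *.* ]] \` / `  || { printf 'GITEA_DOMAIN must be a direct subdomain of CADDY_DOMAIN (*.%s)\n' "$CADDY_DOMAIN" >&2; exit 1; }` (substitute the script's own fatal-error helper if it has one). The enclosing `if ssh_exec … else` branch starts before this hunk and continues past it.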
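Review bot: The added comment `# Wildcard cert covers *.CADDY_DOMAIN; @gitea routes GITEA_DOMAIN to Gitea.` overstates what the site address does: `*.CADDY_DOMAIN` matches one label only, so the apex CADDY_DOMAIN and anything deeper (`a.b.CADDY_DOMAIN`) get neither the certificate nor the 404 fallback, and in `TLS_MODE=existing` the cert at SSL_CERT_PATH must itself carry `*.CADDY_DOMAIN` (or at least GITEA_DOMAIN) — nothing in this change checks that. I would replace the comment with two lines: `# Site address *.CADDY_DOMAIN matches ONE label: not the apex, not a.b.CADDY_DOMAIN; GITEA_DOMAIN must be a direct subdomain.` and `# TLS_MODE=existing: the supplied cert must cover *.CADDY_DOMAIN (or GITEA_DOMAIN) — the phase script does not verify this.` It is also worth a sentence that the trailing `handle { respond … 404 }` intentionally answers every other subdomain on the wildcard cert, and that the wildcard private key kept under CADDY_DATA_PATH now lets this host present a valid certificate for any subdomain, so its file permissions matter more than they did for the single-name cert.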