fix: wire CADDY_DOMAIN into Caddyfile template for wildcard cert

CADDY_DOMAIN was required/validated/prompted but never used — the
Caddyfile only referenced GITEA_DOMAIN, producing a single-domain
cert. Now the template uses *.CADDY_DOMAIN as the site address
(wildcard cert) with a host matcher routing GITEA_DOMAIN to Gitea.
This means the cert covers all subdomains under the base domain.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-01 12:18:53 -05:00
parent 61b46eb876
commit 01f11df417
3 changed files with 14 additions and 5 deletions


@@ -2,8 +2,17 @@
# TLS_BLOCK is replaced by the phase script based on TLS_MODE:
# cloudflare → dns cloudflare {env.CF_API_TOKEN}
# existing → tls /path/to/cert /path/to/key
# Wildcard cert covers *.CADDY_DOMAIN; @gitea routes GITEA_DOMAIN to Gitea.
${GITEA_DOMAIN} {
*.${CADDY_DOMAIN} {
${TLS_BLOCK}
reverse_proxy ${GITEA_CONTAINER_IP}:3000
@gitea host ${GITEA_DOMAIN}
handle @gitea {
reverse_proxy ${GITEA_CONTAINER_IP}:3000
}
handle {
respond "Service not configured" 404
}
}
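Review bot: the new `@gitea host ${GITEA_DOMAIN}` matcher inside the `*.${CADDY_DOMAIN}` site block only ever matches when GITEA_DOMAIN is exactly one label below CADDY_DOMAIN, and nothing in this hunk or the template comment enforces that. If the prompted value is a deeper subdomain or an unrelated host, Caddy loads the config without complaint and every request falls through to the `respond "Service not configured" 404` handler, so the failure is silent. Suggest having the phase script check that `${GITEA_DOMAIN}` ends in `.${CADDY_DOMAIN}` with no additional dot before it, and stating that constraint in the comment on the "Wildcard cert covers *.CADDY_DOMAIN" line. Second, the comment still documents `existing → tls /path/to/cert /path/to/key`; with the site address now a wildcard, that cert must itself cover `*.${CADDY_DOMAIN}` (wildcard or SAN), otherwise handshakes for GITEA_DOMAIN fail with a name mismatch, so that expectation belongs in the comment too.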