Previously I used Caddy with subdomains registered with my hosting provider's DNS panel, and ports 80 and 443 opened to the public internet. Anybody could access my services from the outside.

I've now changed to using WireGuard and a custom build of Caddy with a wildcard certificate for my domain. Pi-hole handles DNS for subdomains, e.g. cloud.example.com for Nextcloud.

I'm using podman system quadlets for Pi-hole and Caddy (both use privileged ports), and podman secrets for sensitive data.

In /etc/containers/systemd/caddy, I have 3 files:

Containerfile
--------------------
FROM docker.io/caddy:builder AS builder

RUN xcaddy build --with github.com/caddy-dns/simplydotcom

FROM docker.io/caddy:latest

COPY --from=builder /usr/bin/caddy /usr/bin/caddy
--------------------

caddy.build
------------------
[Build]
ImageTag=localhost/caddy
SetWorkingDirectory=unit
------------------

caddy.container
-------------------------
[Unit]
Description=Caddy container
After=network-online.target

[Container]
AutoUpdate=registry
ContainerName=caddy
Image=caddy.build
Secret=simply_account_name,type=env,target=SIMPLY_ACCOUNT_NAME
Secret=simply_api_key,type=env,target=SIMPLY_API_KEY
Volume=/srv/containers/caddy/conf:/etc/caddy:Z
Volume=/srv/containers/caddy/data:/data:Z
PublishPort=443:443

[Install]
WantedBy=default.target
-------------------------

The Caddyfile is stored in /srv/containers/caddy/conf/:

Caddyfile
---------------
*.example.com {
tls {
dns simplydotcom {env.SIMPLY_ACCOUNT_NAME} {env.SIMPLY_API_KEY}
}

@caddy host caddy.example.com
handle @caddy {
respond "Hello World!"
}
}
---------------

See Caddy documentation for more on wildcard certificates.

https://caddyserver.com/docs/caddyfile/patterns#wildcard-certificates

EDIT: changed TOKEN to KEY in Caddyfile

#selfhosting #homelab #podman #caddy