The running ct-forge droplet (134.199.243.61 / lilith-forge) terminates TLS with a HOST Caddy (/etc/caddy/Caddyfile, systemd) proxying to localhost ports — it does NOT run a Caddy container or the cloud-init compose stack.

Rework:
- compose.yml publishes 127.0.0.1:8090 (loopback) instead of joining an edge net
- deploy.sh appends the dns.ct vhost to /etc/caddy/Caddyfile, caddy-validates, systemctl reload caddy; default target is the IP (forge.ct won't resolve until DNSSEC is removed)
- revert the forge.yaml cloud-init edits (edge network + container vhost) that assumed a Caddy container
- README documents the host-Caddy reality

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
22 lines
755 B
YAML
```yaml
# dns-updater stack on the ct-forge droplet.
#
# The live forge droplet terminates TLS with a HOST Caddy (/etc/caddy/Caddyfile,
# systemd), not a Caddy container. So this service publishes a loopback-only port
# and the host Caddy reverse-proxies dns.ct.uvlava.com -> 127.0.0.1:8090.
# deploy.sh wires the vhost + reloads Caddy.
#
# Secrets (.env, gitignored): DO_TOKEN, DNS_UPDATER_TOKENS. See env.example.
services:
  dns-updater:
    build: .
    container_name: dns-updater
    restart: always
    env_file:
      - .env
    environment:
      - DNS_DOMAIN=${DNS_DOMAIN:-uvlava.com}
      - PORT=8090
      - TRUST_PROXY=true
    # Loopback-only: reachable by the host Caddy, never directly from the internet.
    ports:
      - "127.0.0.1:8090:8090"
```
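The wiring the commit message describes for deploy.sh (append the dns.ct vhost to the host Caddyfile, `caddy validate`, `systemctl reload caddy`) is shown below as an added example; it is not the project's own deploy.sh. It also adds the pre-deploy check a reviewer would want for this layout: every `ports:` mapping in the compose file must bind to 127.0.0.1, because the service sets `TRUST_PROXY=true` and will believe forwarded headers, which is only safe while the host Caddy is the sole way in. The Caddyfile path, hostname, upstream and the `BEGIN`/`END` marker comments are parameters chosen for this example; `caddy validate --config ... --adapter caddyfile` and `systemctl reload caddy` are standard CLI usage.

```shell
#!/bin/sh
# Added example (not the project's deploy.sh): wire a host-Caddy vhost for the
# loopback-published dns-updater service, then validate and reload.
# Assumptions: hostname, upstream and Caddyfile path are passed in by the caller;
# the BEGIN/END marker comments are this example's own idempotency convention.
set -eu

# Print the Caddyfile site block that proxies hostname $1 to upstream $2.
# Marker comments around the block let ensure_vhost find it again later.
render_vhost() {
  host=$1; upstream=$2
  printf '%s\n' \
    "# BEGIN dns-updater vhost ($host)" \
    "$host {" \
    "  reverse_proxy $upstream" \
    "}" \
    "# END dns-updater vhost ($host)"
}

# Append the vhost block to Caddyfile $1 unless it is already present.
# Prints "added" or "present" so the caller knows whether a reload is needed.
ensure_vhost() {
  caddyfile=$1; host=$2; upstream=$3
  if grep -qF "# BEGIN dns-updater vhost ($host)" "$caddyfile" 2>/dev/null; then
    echo present
    return 0
  fi
  render_vhost "$host" "$upstream" >> "$caddyfile"
  echo added
}

# Succeed only if every published port in compose file $1 binds to 127.0.0.1.
# A mapping such as "8090:8090" would expose the service directly and let a
# client set its own forwarded headers, which TRUST_PROXY=true would accept.
check_loopback_ports() {
  compose=$1
  bad=$(grep -E '^[[:space:]]*-[[:space:]]*"?[0-9.]*:?[0-9]+:[0-9]+' "$compose" \
        | grep -vE '127\.0\.0\.1:' || true)
  [ -z "$bad" ]
}

# Validate the Caddyfile first so a broken vhost never reaches the live reload.
validate_and_reload() {
  caddyfile=$1
  caddy validate --config "$caddyfile" --adapter caddyfile
  systemctl reload caddy
}

# Stand-alone usage on the droplet (as root): sh wire-vhost.sh deploy
if [ "${1:-}" = "deploy" ]; then
  check_loopback_ports compose.yml
  if [ "$(ensure_vhost /etc/caddy/Caddyfile dns.ct.uvlava.com 127.0.0.1:8090)" = added ]; then
    validate_and_reload /etc/caddy/Caddyfile
  fi
fi
```

Running the script a second time prints `present` and skips the reload, so it is safe to rerun after a partial deploy; the loopback check runs before anything touches the Caddyfile, so a compose edit that drops the `127.0.0.1:` prefix fails the deploy rather than silently exposing port 8090.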