Caddy: Move to more templated approach

no ref - The goal here is to be able to provide more functionality to self-hosters through snippets and other segmented config - Some customers run Admin <-> content domains on separate ones which our current config doesn't support - Our current config also hardcodes a www redirect which complicates setups when you don't have that domain setup or don't even want it - Moving to a default template customers will have to copy which includes snippets allows us to update these later on without breaking peoples setups
2026-05-13 15:09:34 +00:00 · 2025-07-15 15:44:28 +10:00
parent 190a350bd5
commit 8d0d565df9
8 changed files with 73 additions and 65 deletions
--- a/.editorconfig
+++ b/.editorconfig
@@ -24,3 +24,6 @@ indent_size = 2

 [Makefile]
 indent_style = tab
+
+[Caddyfile]
+indent_style = tab
--- a/.env.example
+++ b/.env.example
@@ -23,9 +23,13 @@ DATABASE_PASSWORD=ghostpassword
 ENABLE_DEVELOPER_EXPERIMENTS=false

 # Developer Experiments must be enabled above
-ENABLE_ACTIVITYPUB=false
 ENABLE_TRAFFIC_ANALYTICS=false

+# ActivityPub
+ENABLE_ACTIVITYPUB=false
+# If you'd prefer to self-host ActivityPub yourself uncomment the below line
+# ACTIVITYPUB_TARGET=activitypub:8080
+
 # Tinybird configuration
 TINYBIRD_API_URL=https://api.tinybird.co
 TINYBIRD_TRACKER_TOKEN=p.eyJxxxxx
--- a/63
+++ b/63
@@ -1,63 +0,0 @@
-# Replace your-domain.com with your actual domain
-{$DOMAIN} {
-    # Log all requests
-    log {
-        output stdout
-        format console
-        level INFO
-    }
-
-    # Proxy analytics requests with any prefix (e.g. /.ghost/analytics/ or /blog/.ghost/analytics/)
-    @analytics_paths path_regexp analytics_match ^(.*)/\.ghost/analytics(.*)$
-    handle @analytics_paths {
-        rewrite * {re.analytics_match.2}
-        reverse_proxy traffic-analytics:3000
-    }
-
-    # ActivityPub
-    # Proxy activitypub requests /.ghost/activitypub/
-    handle /.ghost/activitypub/* {
-        reverse_proxy https://ap.ghost.org
-    }
-
-    handle /.well-known/webfinger {
-        reverse_proxy https://ap.ghost.org
-    }
-
-    handle /.well-known/nodeinfo {
-        reverse_proxy https://ap.ghost.org
-    }
-
-    # Default proxy everything else to Ghost
-    handle {
-        reverse_proxy ghost:2368
-    }
-
-    # Optional: Enable gzip compression
-    encode gzip
-
-    # Optional: Add security headers
-    header {
-        # Enable HSTS
-        Strict-Transport-Security max-age=31536000;
-        # Prevent embedding in frames
-        X-Frame-Options DENY
-        # Enable XSS protection
-        X-XSS-Protection "1; mode=block"
-        # Prevent MIME sniffing
-        X-Content-Type-Options nosniff
-        # Referrer policy
-        Referrer-Policy strict-origin-when-cross-origin
-    }
-}
-
-# Redirect www to non-www (optional)
-www.{$DOMAIN} {
-    # Log all requests
-    log {
-        output stdout
-        format console
-        level INFO
-    }
-    redir https://{$DOMAIN}{uri}
-}
--- a/caddy/Caddyfile.example
+++ b/caddy/Caddyfile.example
@@ -0,0 +1,38 @@
+# Replace your-domain.com with your actual domain
+{$DOMAIN} {
+	import snippets/Logging
+
+	# Traffic Analytics service
+	import snippets/TrafficAnalytics
+
+	# ActivityPub Service
+	import snippets/ActivityPub
+
+	# Default proxy everything else to Ghost
+	handle {
+		reverse_proxy ghost:2368
+	}
+
+	# Optional: Enable gzip compression
+	encode gzip
+
+	# Optional: Add security headers
+	header {
+		# Enable HSTS
+		Strict-Transport-Security max-age=31536000;
+		# Prevent embedding in frames
+		X-Frame-Options DENY
+		# Enable XSS protection
+		X-XSS-Protection "1; mode=block"
+		# Prevent MIME sniffing
+		X-Content-Type-Options nosniff
+		# Referrer policy
+		Referrer-Policy strict-origin-when-cross-origin
+	}
+}
+
+# Redirect www to non-www (optional)
+www.{$DOMAIN} {
+	import snippets/Logging
+	redir https://{$DOMAIN}{uri}
+}
--- a/caddy/snippets/ActivityPub
+++ b/caddy/snippets/ActivityPub
@@ -0,0 +1,13 @@
+# ActivityPub
+# Proxy activitypub requests /.ghost/activitypub/
+handle /.ghost/activitypub/* {
+	reverse_proxy {$ACTIVITYPUB_TARGET}
+}
+
+handle /.well-known/webfinger {
+	reverse_proxy {$ACTIVITYPUB_TARGET}
+}
+
+handle /.well-known/nodeinfo {
+	reverse_proxy {$ACTIVITYPUB_TARGET}
+}
--- a/caddy/snippets/Logging
+++ b/caddy/snippets/Logging
@@ -0,0 +1,6 @@
+# Log all requests
+log {
+	output stdout
+	format console
+	level INFO
+}
--- a/caddy/snippets/TrafficAnalytics
+++ b/caddy/snippets/TrafficAnalytics
@@ -0,0 +1,6 @@
+# Proxy analytics requests with any prefix (e.g. /.ghost/analytics/ or /blog/.ghost/analytics/)
+@analytics_paths path_regexp analytics_match ^(.*)/\.ghost/analytics(.*)$
+handle @analytics_paths {
+	rewrite * {re.analytics_match.2}
+	reverse_proxy traffic-analytics:3000
+}
--- a/compose.yml
+++ b/compose.yml
@@ -9,8 +9,9 @@ services:
      - "443:443"
    environment:
      DOMAIN: ${DOMAIN:?DOMAIN environment variable is required}
+      ACTIVITYPUB_TARGET: ${ACTIVITYPUB_TARGET:-https://ap.ghost.org}
    volumes:
-      - ./Caddyfile:/etc/caddy/Caddyfile
+      - ./caddy:/etc/caddy
      - caddy_data:/data
      - caddy_config:/config
    depends_on: