Caddy: Add option to have a separate Admin domain

- Our setup docs recommend having Ghost Admin on a separate domain from the content domain
- This lets users optionally set this up if they want whilst continuing to align Admin <-> content domain through templates

.env.example

@@ -8,6 +8,11 @@ GHOST_VERSION=5-alpine
 # Public domain Ghost is going to run on
 DOMAIN=example.com
 
+# If you have Ghost Admin setup on a separate domain
+# uncomment the below along with the corresponding block
+# in your Caddyfile
+# ADMIN_DOMAIN=
+
 # Database settings
 DATABASE_ROOT_PASSWORD=reallysecurerootpassword
 DATABASE_USER=optionalusername

caddy/Caddyfile.example

@@ -17,20 +17,31 @@
 	encode gzip
 
 	# Optional: Add security headers
-	header {
-		# Enable HSTS
-		Strict-Transport-Security max-age=31536000;
-		# Prevent embedding in frames
-		X-Frame-Options DENY
-		# Enable XSS protection
-		X-XSS-Protection "1; mode=block"
-		# Prevent MIME sniffing
-		X-Content-Type-Options nosniff
-		# Referrer policy
-		Referrer-Policy strict-origin-when-cross-origin
-	}
+	import snippets/SecurityHeaders
 }
 
+# If you have a separate domain for Ghost Admin uncomment the below block
+# {$ADMIN_DOMAIN} {
+# 	import snippets/Logging
+#
+# 	# Traffic Analytics service
+# 	import snippets/TrafficAnalytics
+#
+# 	# ActivityPub Service
+# 	import snippets/ActivityPub
+#
+# 	# Default proxy everything else to Ghost
+# 	handle {
+# 		reverse_proxy ghost:2368
+# 	}
+#
+# 	# Optional: Enable gzip compression
+# 	encode gzip
+#
+# 	# Optional: Add security headers
+# 	import snippets/SecurityHeaders
+# }
+
 # If you want to redirect the www variant of your domain to the non-www varient uncomment the below 4 lines
 # Note: You must have DNS setup correctly for this to work
 # www.{$DOMAIN} {

caddy/snippets/SecurityHeaders

@@ -0,0 +1,12 @@
+header {
+	# Enable HSTS
+	Strict-Transport-Security max-age=31536000;
+	# Prevent embedding in frames
+	X-Frame-Options DENY
+	# Enable XSS protection
+	X-XSS-Protection "1; mode=block"
+	# Prevent MIME sniffing
+	X-Content-Type-Options nosniff
+	# Referrer policy
+	Referrer-Policy strict-origin-when-cross-origin
+}

compose.yml

@@ -9,6 +9,7 @@ services:
       - "443:443"
     environment:
       DOMAIN: ${DOMAIN:?DOMAIN environment variable is required}
+      ADMIN_DOMAIN: ${ADMIN_DOMAIN:-}
       ACTIVITYPUB_TARGET: ${ACTIVITYPUB_TARGET:-https://ap.ghost.org}
     volumes:
       - ./caddy:/etc/caddy