Add caddy-cloudflare-ddns-security custom build (closes #11)

serfriz · Jan 22, 2024 · ec8c0b6 · ec8c0b6
1 parent a536ead
commit ec8c0b6
Show file tree

Hide file tree

Showing 7 changed files with 243 additions and 3 deletions.
diff --git a/.github/workflows/build.caddy-cloudflare-ddns-security.yml b/.github/workflows/build.caddy-cloudflare-ddns-security.yml
@@ -0,0 +1,105 @@
+# Workflow to build and push a Docker image to Docker Hub, GitHub and Quay Container Registries
+name: Build caddy-cloudflare-ddns-security
+
+# Controls when the action will run
+on:
+  workflow_dispatch:  # allows to run the workflow manually from the Actions tab
+  push:
+    branches: main
+    paths:
+      - caddy-cloudflare-ddns-security/Dockerfile
+
+# Environment variables available to all jobs and steps in this workflow
+env:
+  DOCKER_BUILDKIT: 1
+  DOCKER_NAME: caddy-cloudflare-ddns-security
+  DOCKER_DESCRIPTION: "Caddy Docker custom build with Cloudflare dynamic DNS/IPs and Caddy Security modules"
+
+# Jobs to run once the workflow is triggered
+jobs:
+  # Job to get image and repository details
+  metadata:
+    name: Get image and repository details
+    runs-on: ubuntu-latest
+
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+      labels: ${{ steps.metadata.outputs.labels }}
+      tags: ${{ steps.metadata.outputs.tags }}
+      platforms: linux/amd64,linux/arm64,linux/ppc64le,linux/s390x,linux/arm/v7,linux/arm/v6
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: main
+
+      - name: Parse Caddy version
+        id: version
+        run: echo "version=$(grep -Eo 'caddy:[0-9]+\.[0-9]+\.[0-9]+$' $DOCKER_NAME/Dockerfile | cut -d ':' -f2)" | tee -a $GITHUB_OUTPUT
+
+      - name: Generate image metadata with Caddy version
+        uses: docker/metadata-action@v5
+        id: metadata
+        with:
+          images: |
+            docker.io/${{ github.actor }}/${{ env.DOCKER_NAME }}
+            ghcr.io/${{ github.actor }}/${{ env.DOCKER_NAME }}
+            quay.io/${{ github.actor }}/${{ env.DOCKER_NAME }}
+          tags: |
+            type=semver,pattern={{version}},value=v${{ steps.version.outputs.version }}
+            type=semver,pattern={{major}}.{{minor}},value=v${{ steps.version.outputs.version }}
+            type=semver,pattern={{major}},value=v${{ steps.version.outputs.version }}
+          labels: |
+            org.opencontainers.image.title=${{ env.DOCKER_NAME }}
+            org.opencontainers.image.description=${{ env.DOCKER_DESCRIPTION }}
+
+  # Job to build and publish Docker image
+  build:
+    name: Build and publish Docker image
+    runs-on: ubuntu-latest
+    needs: metadata
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: main
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ github.actor }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GitHub Container Repository
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
+      - name: Login to Quay Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.QUAY_TOKEN }}
+
+      - name: Build and publish container image
+        uses: docker/build-push-action@v5
+        id: build
+        with:
+          context: .
+          file: ./${{ env.DOCKER_NAME }}/Dockerfile
+          push: true
+          provenance: false
+          tags: ${{ needs.metadata.outputs.tags }}
+          labels: ${{ needs.metadata.outputs.labels }}
+          platforms: ${{ needs.metadata.outputs.platforms }}
diff --git a/.github/workflows/update-tag-release.yml b/.github/workflows/update-tag-release.yml
@@ -16,6 +16,7 @@ env:
     caddy-cloudflare-ddns
     caddy-cloudflare-crowdsec
     caddy-cloudflare-ddns-crowdsec
+    caddy-cloudflare-ddns-security
     caddy-duckdns
     caddy-duckdns-ddns
     caddy-duckdns-crowdsec

diff --git a/caddy-cloudflare-crowdsec/README.md b/caddy-cloudflare-crowdsec/README.md
@@ -1,4 +1,4 @@
-# Caddy Docker build with Cloudflare DNS/IP and CrowdSec Bouncer modules
+# Caddy Docker build with Cloudflare DNS/IPs and CrowdSec Bouncer modules
 
 [![Docker Hub](https://img.shields.io/badge/Docker%20Hub%20-%20serfriz%2Fcaddy--cloudflare--crowdsec%20-%20%230db7ed?style=flat&logo=docker)](https://hub.docker.com/r/serfriz/caddy-cloudflare-crowdsec)
 [![GitHub](https://img.shields.io/badge/GitHub%20-%20serfriz%2Fcaddy--cloudflare--crowdsec%20-%20%23333?style=flat&logo=github)](https://ghcr.io/serfriz/caddy-cloudflare-crowdsec)

diff --git a/caddy-cloudflare-ddns-crowdsec/README.md b/caddy-cloudflare-ddns-crowdsec/README.md
@@ -1,4 +1,4 @@
-# Caddy Docker build with Cloudflare dynamic DNS/IP and CrowdSec Bouncer modules
+# Caddy Docker build with Cloudflare dynamic DNS/IPs and CrowdSec Bouncer modules
 
 [![Docker Hub](https://img.shields.io/badge/Docker%20Hub%20-%20serfriz%2Fcaddy--cloudflare--ddns--crowdsec%20-%20%230db7ed?style=flat&logo=docker)](https://hub.docker.com/r/serfriz/caddy-cloudflare-ddns-crowdsec)
 [![GitHub](https://img.shields.io/badge/GitHub%20-%20serfriz%2Fcaddy--cloudflare--ddns--crowdsec%20-%20%23333?style=flat&logo=github)](https://ghcr.io/serfriz/caddy-cloudflare-ddns-crowdsec)

diff --git a/caddy-cloudflare-ddns-security/Dockerfile b/caddy-cloudflare-ddns-security/Dockerfile
@@ -0,0 +1,12 @@
+# syntax=docker/dockerfile:1
+FROM caddy:2.7.6-builder AS builder
+
+RUN xcaddy build \
+    --with github.com/caddy-dns/cloudflare \
+    --with github.com/WeidiDeng/caddy-cloudflare-ip \
+    --with github.com/mholt/caddy-dynamicdns \
+    --with github.com/greenpau/caddy-security
+
+FROM caddy:2.7.6
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
diff --git a/caddy-cloudflare-ddns-security/README.md b/caddy-cloudflare-ddns-security/README.md
@@ -0,0 +1,122 @@
+# Caddy Docker build with Cloudflare dynamic DNS/IPs and Caddy Security modules
+
+[![Docker Hub](https://img.shields.io/badge/Docker%20Hub%20-%20serfriz%2Fcaddy--cloudflare--ddns--security%20-%20%230db7ed?style=flat&logo=docker)](https://hub.docker.com/r/serfriz/caddy-cloudflare-ddns-security)
+[![GitHub](https://img.shields.io/badge/GitHub%20-%20serfriz%2Fcaddy--cloudflare--ddns--security%20-%20%23333?style=flat&logo=github)](https://ghcr.io/serfriz/caddy-cloudflare-ddns-security)
+[![Quay](https://img.shields.io/badge/Quay%20-%20serfriz%2Fcaddy--cloudflare--ddns--security%20-%20%23CC0000?style=flat&logo=redhat)](https://quay.io/serfriz/caddy-cloudflare-ddns-security)
+
+[![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/serfriz/caddy-custom-builds?label=Release)](https://github.com/serfriz/caddy-custom-builds/releases)
+[![GitHub build status](https://img.shields.io/github/actions/workflow/status/serfriz/caddy-custom-builds/build.caddy-cloudflare-ddns-security.yml?label=Build)](https://github.com/serfriz/caddy-custom-builds/actions/workflows/build.caddy-cloudflare-ddns-security.yml)
+[![License](https://img.shields.io/github/license/serfriz/caddy-custom-builds?label=License)](https://github.com/serfriz/caddy-custom-builds/blob/main/LICENSE)
+
+This image is built automatically when a new version of [Caddy](https://github.com/caddyserver/caddy) is released using the official [Caddy Docker](https://hub.docker.com/_/caddy) image with the following modules:
+- [caddy-dns/cloudflare](https://github.com/caddy-dns/cloudflare) for Cloudflare DNS-01 ACME validation support.
+- [WeidiDeng/caddy-cloudflare-ip](https://github.com/WeidiDeng/caddy-cloudflare-ip) to retrieve Cloudflare's current [IP ranges](https://www.cloudflare.com/ips/).
+- [mholt/caddy-dynamicdns](https://caddyserver.com/docs/modules/dynamic_dns) to update the DNS records with the public IP address of your instance.
+- [greenpau/caddy-security](https://github.com/greenpau/caddy-security) for implementing different authentication methods (Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0, SAML) including MFA/2FA support.
+
+Docker builds for all supported platforms available at the following repositories:
+- [Docker Hub](https://hub.docker.com/r/serfriz/caddy-cloudflare-ddns-security) `docker pull serfriz/caddy-cloudflare-ddns-security:latest`
+- [GitHub Container Registry](https://ghcr.io/serfriz/caddy-cloudflare-ddns-security) `docker pull ghcr.io/serfriz/caddy-cloudflare-ddns-security:latest`
+- [Quay Container Registry](https://quay.io/serfriz/caddy-cloudflare-ddns-security) `docker pull quay.io/serfriz/caddy-cloudflare-ddns-security:latest`
+
+## Tags
+
+The following tags are available for the `serfriz/caddy-cloudflare-ddns-security` image.
+
+- `latest`
+- `<version>` (eg: `2.7.4`, including: `2.7`, `2`, etc.)
+
+## Usage
+
+Since this is built off the official Docker image all of the same volumes, port mapping, environment variables, etc. can be used with this container. Please refer to the official [Caddy Docker](https://hub.docker.com/_/caddy) image and [docs](https://caddyserver.com/docs/) for more information on using Caddy.
+
+### Create the Docker container
+
+Simply create the container as usual including your `CLOUDFLARE_API_TOKEN` as [environment variable](https://caddyserver.com/docs/caddyfile/concepts#environment-variables).
+
+```sh
+docker run --rm -it \
+  --name caddy \
+  -p 80:80 \
+  -p 443:443 \
+  -v caddy-data:/data \
+  -v caddy-config:/config \
+  -v $PWD/Caddyfile:/etc/caddy/Caddyfile \
+  -e CLOUDFLARE_API_TOKEN=UhKLc...JD9jk \
+  serfriz/caddy-cloudflare-ddns-security:latest
+```
+
+### Cloudflare DNS-01 ACME validation
+
+To make use of the Cloudflare DNS-01 ACME validation support at the server level, set the global [acme_dns](https://caddyserver.com/docs/caddyfile/options#acme-dns) directive in your `Caddyfile`.
+
+```Caddyfile
+{
+  acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+}
+```
+
+Or use the [`tls`](https://caddyserver.com/docs/caddyfile/directives/tls#tls) directive at each site. See the [caddy-dns/cloudflare](https://github.com/caddy-dns/cloudflare) module for additional details.
+
+```Caddyfile
+my.domain.tld {
+  tls {
+    dns cloudflare {env.CLOUDFLARE_API_TOKEN}
+  }
+}
+```
+
+#### Creating a Cloudflare API Token
+
+You can generate a Cloudflare API token via the Cloudflare web dashboard through the following steps:
+
+1. Login to your Cloudflare [Dashboard](https://dash.cloudflare.com/)
+2. Go to [Account Profile](https://dash.cloudflare.com/profile) > [API Tokens](https://dash.cloudflare.com/profile/api-tokens)
+3. Click "Create token" (Use the "Create Custom Token" option)
+4. Grant the following permissions:
+   - `Zone > Zone > Read`
+   - `Zone > DNS > Edit`
+
+### Cloudflare IP ranges
+
+To restrict access to your server only to Cloudflare's IP ranges, add the [trusted_proxies](https://caddyserver.com/docs/caddyfile/options#trusted-proxies) directive to the [global options](https://caddyserver.com/docs/caddyfile/options), under servers, in your `Caddyfile`. For additional details, refer to [trusted_proxies/cloudflare](https://caddyserver.com/docs/json/apps/http/servers/trusted_proxies/cloudflare/) documentation and [WeidiDeng/caddy-cloudflare-ip](https://github.com/WeidiDeng/caddy-cloudflare-ip) repository.
+
+```Caddyfile
+{
+  servers {
+    trusted_proxies cloudflare {
+      interval 12h
+      timeout 15s
+    }
+  }
+}
+```
+
+### Dynamic DNS
+
+To keep your Cloudflare DNS records updated with the public IP address of your instance, add the [dynamic_dns](https://caddyserver.com/docs/modules/dynamic_dns) directive to the [global options](https://caddyserver.com/docs/caddyfile/options) in your `Caddyfile`. This module regularly queries a service for your public IP address and updates the DNS records via Cloudflare's API whenever it changes. For additional details and advanced configuration examples refer to [mholt/caddy-dynamicdns](https://github.com/mholt/caddy-dynamicdns) repository.
+
+```Caddyfile
+{
+	dynamic_dns {
+		provider cloudflare {env.CLOUDFLARE_API_TOKEN}
+		domains {
+			domain.tld
+		}
+	}
+}
+```
+
+Using the option [dynamic_domains](https://github.com/mholt/caddy-dynamicdns#dynamic-domains), it can also be configured to scan through the domains configured in the Caddyfile and try to manage those DNS records.
+
+### Caddy Security
+
+Please, refer to the official [greenpau/caddy-security](https://authp.github.io/) documentation for additional details and configuration examples.
+
+## Contributing
+
+Feel free to contribute, request additional Caddy custom builds with your preferred modules, and make things better by opening an [Issue](https://github.com/serfriz/caddy-custom-builds/issues) or [Pull Request](https://github.com/serfriz/caddy-custom-builds/pulls).
+
+## License
+
+Software under [GPL-3.0](https://github.com/serfriz/caddy-custom-builds/blob/main/LICENSE) ensures users' freedom to use, modify, and distribute it while keeping the source code accessible. It promotes transparency, collaboration, and knowledge sharing. Users agree to comply with the GPL-3.0 license terms and provide the same freedom to others.
diff --git a/caddy-cloudflare-ddns/README.md b/caddy-cloudflare-ddns/README.md
@@ -1,4 +1,4 @@
-# Caddy Docker build with Cloudflare dynamic DNS and IP modules
+# Caddy Docker build with Cloudflare dynamic DNS and IPs modules
 
 [![Docker Hub](https://img.shields.io/badge/Docker%20Hub%20-%20serfriz%2Fcaddy--cloudflare--ddns%20-%20%230db7ed?style=flat&logo=docker)](https://hub.docker.com/r/serfriz/caddy-cloudflare-ddns)
 [![GitHub](https://img.shields.io/badge/GitHub%20-%20serfriz%2Fcaddy--cloudflare--ddns%20-%20%23333?style=flat&logo=github)](https://ghcr.io/serfriz/caddy-cloudflare-ddns)