From d5f9890dc830ab1849e2e6dd7e314a4c6ac1e1e7 Mon Sep 17 00:00:00 2001
From: Davide Polonio
Date: Sat, 23 Aug 2025 14:12:38 +0200
Subject: [PATCH] feat(navidrome): migrate to DNS challenge with automated SSL

- Add caddy.env to gitignore for sensitive DNS credentials
- Replace manual SSL certificates with Let's Encrypt DNS challenge using Namecheap
- Build custom Caddy image with namecheap DNS plugin
- Configure wildcard SSL for *.lan.poldebra.me domain
- Update docker-compose to use custom Caddy build and environment file

Note: we had to downgrade to Caddy 2.9, see https://github.com/caddy-dns/namecheap/issues/14 for more information
---
 .gitignore | 1 +
 navidrome/Caddyfile | 21 +++++++++++++++++----
 navidrome/Dockerfile.caddy | 7 +++++++
 navidrome/docker-compose.yml | 10 ++++++----
 4 files changed, 31 insertions(+), 8 deletions(-)
 create mode 100644 navidrome/Dockerfile.caddy

diff --git a/.gitignore b/.gitignore
index c0df46a..199a9d7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -49,3 +49,4 @@ flycheck_*.el
 /network-security.data
+*.env
diff --git a/navidrome/Caddyfile b/navidrome/Caddyfile
index ece9648..f6695b5 100644
--- a/navidrome/Caddyfile
+++ b/navidrome/Caddyfile
@@ -1,6 +1,19 @@
-https://music.lan.poldebra.me {
- tls /cert.crt /key.key
- reverse_proxy 172.20.0.5:4533 {
- }
+{
+ email {env.LETSENCRYPT_EMAIL}
 }
+*.lan.poldebra.me {
+ tls {
+ dns namecheap {
+ api_key {env.NAMECHEAP_API_KEY}
+ user {env.NAMECHEAP_API_USER}
+ api_endpoint https://api.namecheap.com/xml.response
+ }
+ resolvers 1.1.1.1 8.8.8.8
+ }
+
+ @music host music.lan.poldebra.me
+ handle @music {
+ reverse_proxy 172.20.0.5:4533
+ }
+}
\ No newline at end of file
diff --git a/navidrome/Dockerfile.caddy b/navidrome/Dockerfile.caddy
new file mode 100644
index 0000000..d463ca1
--- /dev/null
+++ b/navidrome/Dockerfile.caddy
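Review bot: The wildcard site block `*.lan.poldebra.me` contains only the `handle @music` route, so a request for any other name under the wildcard falls through with no handler, and by default Caddy answers such requests with an empty 200 rather than refusing them. Add a catch-all after the `handle @music` block, `handle { respond 404 }`, so unrouted hostnames get an explicit answer instead of an implicit success. It is worth a one-line comment above the site block that the wildcard certificate also keeps individual internal hostnames out of Certificate Transparency logs, since only `*.lan.poldebra.me` is ever issued. The file also ends without a trailing newline (`\ No newline at end of file`), which most editors and linters will flag on the next edit.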
@@ -0,0 +1,7 @@
+from caddy:2.9-builder-alpine as builder
+
+run xcaddy build \
+ --with github.com/caddy-dns/namecheap
+
+from caddy:alpine
+copy --from=builder /usr/bin/caddy /usr/bin/caddy
diff --git a/navidrome/docker-compose.yml b/navidrome/docker-compose.yml
index 79806d4..a56204c 100644
--- a/navidrome/docker-compose.yml
+++ b/navidrome/docker-compose.yml
@@ -22,13 +22,15 @@ services:
 - internal
 reverse_proxy:
- image: caddy:alpine
+ build:
+ context: .
+ dockerfile: Dockerfile.caddy
 restart: unless-stopped
 network_mode: service:tailscale
 volumes:
 - ./Caddyfile:/etc/caddy/Caddyfile:ro
- - /srv/docker/navidrome/certs/fullchain.pem:/cert.crt:ro
- - /srv/docker/navidrome/certs/key.pem:/key.key:ro
+ env_file:
+ - caddy.env
 healthcheck:
 test: ["CMD", "wget", "--spider", "-q", "https://music.lan.poldebra.me"]
 interval: 5s
@@ -40,7 +42,7 @@ services:
 tailscale:
 condition: service_healthy
- app:
+ app: # TODO rename me in navidrome!
 image: deluan/navidrome:latest
 user: 1000:1000 # should be owner of volumes
 hostname: app
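Review bot: The builder stage is pinned to `caddy:2.9-builder-alpine` (the downgrade the commit message explains), but the runtime stage on the last `from` line uses the floating `caddy:alpine` tag, so the copied 2.9 binary lands on whatever base image is current at build time and the two will drift apart on the next rebuild; pin the runtime stage to the matching release, `from caddy:2.9-alpine`. The plugin is likewise built from its unpinned default branch via `--with github.com/caddy-dns/namecheap`, so rebuilds are not reproducible and pull whatever the module's head is that day; pin it as `--with github.com/caddy-dns/namecheap@<plugin-version>` with the version you tested against the 2.9 issue. As a style point, Dockerfile instructions are conventionally upper-case (`FROM ... AS builder`, `RUN`, `COPY`), and newer BuildKit releases emit a lint warning when the case of `as` does not match `from`.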
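Review bot: The new `env_file: - caddy.env` entry has no fallback and the same commit git-ignores every `*.env`, so on a fresh checkout `docker compose up` stops with a missing-file error before the proxy starts, and the variables the file must carry (`LETSENCRYPT_EMAIL`, `NAMECHEAP_API_KEY`, `NAMECHEAP_API_USER`, read by the Caddyfile) are documented nowhere. Commit a value-free template, e.g. a `caddy.env.example`, or list the expected names in a comment above `env_file:`. Since the API key grants DNS control for the whole Namecheap account, the real `caddy.env` should be readable only by the deploying user, and anything passed through `env_file` is visible via `docker inspect` to anyone with access to the Docker socket, which is worth a comment next to the entry. The `build:` stanza also means `docker compose up` reuses a previously built image until it is run with `--build`, so plugin or Caddy upgrades will not apply on a plain restart.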