feat(navidrome): migrate to DNS challenge with automated SSL

- Add caddy.env to gitignore for sensitive DNS credentials - Replace manual SSL certificates with Let's Encrypt DNS challenge using Namecheap - Build custom Caddy image with namecheap DNS plugin - Configure wildcard SSL for *.lan.poldebra.me domain - Update docker-compose to use custom Caddy build and environment file Note: we had to downgrade to Caddy 2.9, see https://github.com/caddy-dns/namecheap/issues/14 for more information
2025-08-23 14:12:38 +02:00 · 2025-08-23 14:12:38 +02:00 · d5f9890dc8
commit d5f9890dc8
parent 9ec5361e40
4 changed files with 31 additions and 8 deletions
--- a/.gitignore
+++ b/.gitignore
@ -49,3 +49,4 @@ flycheck_*.el
 /network-security.data


+*.env
--- a/navidrome/Caddyfile
+++ b/navidrome/Caddyfile
@ -1,6 +1,19 @@
-https://music.lan.poldebra.me {
-        tls /cert.crt /key.key
-        reverse_proxy 172.20.0.5:4533 {
-        }
+{
+    email {env.LETSENCRYPT_EMAIL}
 }

+*.lan.poldebra.me {
+    tls {
+        dns namecheap {
+            api_key {env.NAMECHEAP_API_KEY}
+            user {env.NAMECHEAP_API_USER}
+            api_endpoint https://api.namecheap.com/xml.response
+        }
+        resolvers 1.1.1.1 8.8.8.8
+    }
+
+    @music host music.lan.poldebra.me
+    handle @music {
+        reverse_proxy 172.20.0.5:4533
+    }
+}
--- a/navidrome/Dockerfile.caddy
+++ b/navidrome/Dockerfile.caddy
@ -0,0 +1,7 @@
+from caddy:2.9-builder-alpine as builder
+
+run xcaddy build \
+    --with github.com/caddy-dns/namecheap
+
+from caddy:alpine
+copy --from=builder /usr/bin/caddy /usr/bin/caddy
--- a/navidrome/docker-compose.yml
+++ b/navidrome/docker-compose.yml
@ -22,13 +22,15 @@ services:
      - internal

  reverse_proxy:
-    image: caddy:alpine
+    build:
+      context: .
+      dockerfile: Dockerfile.caddy
    restart: unless-stopped
    network_mode: service:tailscale
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
-      - /srv/docker/navidrome/certs/fullchain.pem:/cert.crt:ro
-      - /srv/docker/navidrome/certs/key.pem:/key.key:ro
+    env_file:
+      - caddy.env
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "https://music.lan.poldebra.me"]
      interval: 5s
@ -40,7 +42,7 @@ services:
      tailscale:
        condition: service_healthy

-  app:
+  app: # TODO rename me in navidrome!
    image: deluan/navidrome:latest
    user: 1000:1000 # should be owner of volumes
    hostname: app