refactor(caddy): split vhosts into conf.d snippets (core/static/mirror)

Base Caddyfile now imports conf.d/*.caddy. Snippets are mounted selectively
so the stack runs with or without the static site / air-gap mirror:
  00-core   auth + packwiz (always)
  10-static apex landing + launcher downloads
  20-mirror air-gap upstream hosts (tls internal)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-05-24 05:07:20 +02:00
parent 78e92a65be
commit 3bf714a224
4 changed files with 40 additions and 36 deletions

View File

@@ -1,40 +1,12 @@
# auto_https off would disable TLS entirely, breaking `tls internal` for the
# air-gap mirror vhosts. disable_redirects keeps the apex/auth/packwiz sites
# plaintext on :80 (they use explicit http://) while still allowing internal
# TLS on the mirror hosts below.
# Base Caddy config. Vhosts live in conf.d/*.caddy snippets that are mounted
# in selectively so the stack can run with or without the static site / mirror:
# conf.d/00-core.caddy auth + packwiz (always — core ingress)
# conf.d/10-static.caddy apex landing + launcher downloads (static toggle)
# conf.d/20-mirror.caddy air-gap upstream mirror (tls internal) (mirror toggle)
# auto_https disable_redirects: http:// sites stay plaintext on :80; the mirror
# snippet's hosts still get internal TLS on :443 when that snippet is present.
{
auto_https disable_redirects
}
http://{$BASE_DOMAIN} {
# Launcher downloads live in a sibling mount (not nested under /srv/www,
# which is a read-only mount → can't create a nested mountpoint).
# handle_path strips the /launcher prefix before serving /srv/launcher.
handle_path /launcher/* {
root * /srv/launcher
file_server browse
}
handle {
root * /srv/www
file_server
}
}
http://auth.{$BASE_DOMAIN} {
reverse_proxy drasl:25585
}
http://packwiz.{$BASE_DOMAIN} {
root * /srv/pack
file_server browse
}
# Full client air-gap mirror (see plan/11-full-airgap-mirror.md): byte-exact
# copies of the real upstream hosts served over HTTPS with Caddy's local CA.
# dnsmasq spoofs these hostnames -> our host; the {host} placeholder roots each
# hostname at its own mirror subtree. Guests import the Caddy root CA once.
meta.prismlauncher.org, piston-meta.mojang.com, piston-data.mojang.com, libraries.minecraft.net, maven.neoforged.net, resources.download.minecraft.net {
tls internal
root * /srv/mirror/{host}
file_server
}
import /etc/caddy/conf.d/*.caddy

View File

@@ -0,0 +1,9 @@
# Core ingress — always mounted. Drasl auth + packwiz pack metadata.
http://auth.{$BASE_DOMAIN} {
reverse_proxy drasl:25585
}
http://packwiz.{$BASE_DOMAIN} {
root * /srv/pack
file_server browse
}

View File

@@ -0,0 +1,14 @@
# Static toggle — apex landing page + launcher downloads.
# Mounted only when the stack runs with static files (build-stack.sh up static|full).
http://{$BASE_DOMAIN} {
# Launcher downloads are a sibling mount (/srv/launcher), not nested under
# the read-only /srv/www. handle_path strips the /launcher prefix.
handle_path /launcher/* {
root * /srv/launcher
file_server browse
}
handle {
root * /srv/www
file_server
}
}

View File

@@ -0,0 +1,9 @@
# Mirror toggle — full client air-gap mirror (see plan/11-full-airgap-mirror.md).
# Byte-exact copies of the real upstream hosts over HTTPS with Caddy's local CA.
# dnsmasq spoofs these hostnames -> our host; {host} roots each at its subtree.
# Mounted only when the stack runs with the mirror (build-stack.sh up mirror|full).
meta.prismlauncher.org, piston-meta.mojang.com, piston-data.mojang.com, libraries.minecraft.net, maven.neoforged.net, resources.download.minecraft.net {
tls internal
root * /srv/mirror/{host}
file_server
}