refactor!: unify into one compose, drop airgap/mirror/dnsmasq/avahi/blessingskin

Collapse the override-file matrix into a single docker-compose.yml holding the
whole stack: drasl, minecraft, mc-backup, caddy, nmsr, uptime-kuma. Bring-up is
now just `docker compose up -d --build`.

Removed features (dead-ends for this deployment):
- airgap / full asset mirror (mirror-airgap.sh, mirror-mods.sh, 20-mirror.caddy,
  caddy local-CA export, /ca.crt)
- dnsmasq + avahi/mDNS + dns-records.sh + mdns-host-setup.sh + ENABLE_MDNS;
  DNS is now handled outside this repo (HOST_LAN_IP dropped)
- Blessing Skin auth variant (compose + 00-core-blessingskin.caddy + BS_* env)
- host-nginx-static variant (docker-compose.nginx.yml, nginx/ulicraft.conf.tmpl)
- build-stack.sh and its run modes (online/airgap/core)

Production ingress is the only path now: host nginx terminates TLS (LE certs)
in front of caddy on a localhost-only port; caddy routes every vhost by Host
header. Launcher downloads move mirror/launcher -> launcher/.

Docs: README, deploy skill, and plan/ rewritten to match; obsolete plan docs
(dnsmasq, blessing-skin, assets-mirror, full-airgap-mirror, dns-and-run-modes)
deleted.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-09 02:14:09 +02:00
parent ff645de2c8
commit 67d1f82e6a
53 changed files with 522 additions and 2244 deletions

View File

@@ -1,15 +1,18 @@
# Caddy — ingress, local CDN, landing page
# Caddy — internal router behind host nginx
## Summary
Single HTTP ingress for the stack. Three roles:
1. **Reverse proxy**`auth.ulicraft.local` → drasl.
2. **Local CDN / static**`packwiz.ulicraft.local` serves pack metadata AND the
mirrored mod jars (offline installs).
3. **Landing page** — apex `ulicraft.local` serves launcher downloads + guest guide.
caddy is the stack's **internal HTTP router**, sitting behind the host's own
nginx (which terminates TLS — see `15-letsencrypt.md`). caddy is published only
on a localhost-only port (`CADDY_HTTP_BIND=127.0.0.1`, `CADDY_HTTP_PORT=8880`);
nginx reverse-proxies every public vhost to it by Host header. Roles:
Plain `:80` for now (LAN). TLS via step-ca deferred. Image: `caddy:alpine`.
Caddy natively reads `{$BASE_DOMAIN}` env placeholders — no template render needed.
1. **Reverse proxy**`auth.` → drasl, `avatar.` → nmsr, `status.` → uptime-kuma.
2. **Static**`pack.` serves packwiz metadata; apex serves the landing page +
`/launcher/` downloads; `distribution.` serves a static site from another repo.
Image: `caddy:alpine`. caddy natively reads `{$BASE_DOMAIN}` env placeholders —
no template render needed.
## Network aliases (internal resolution)
@@ -19,51 +22,41 @@ caddy:
mcnet:
aliases:
- "auth.${BASE_DOMAIN}"
- "packwiz.${BASE_DOMAIN}"
- "pack.${BASE_DOMAIN}"
```
Lets `minecraft` reach `http://auth.ulicraft.local/authlib-injector` and
`http://packwiz.ulicraft.local/pack.toml` without dnsmasq.
Lets `minecraft` reach `http://auth.ulicraft.net/authlib-injector` and
`http://pack.ulicraft.net/pack.toml` from inside the stack.
## Caddyfile sketch
## conf.d snippets
```
{
auto_https off
}
The Caddyfile imports per-vhost snippets from `caddy/conf.d/`:
http://{$BASE_DOMAIN} {
root * /srv/www
file_server
}
- `00-core.caddy``auth.` → drasl, `pack.``/srv/pack` (browse).
- `10-static.caddy` — apex landing (`/srv/www`) + `/launcher/*` (`/srv/launcher`).
- `30-distribution.caddy``distribution.``/srv/distribution` (static, from
`DISTRIBUTION_WEB_ROOT`, another repo).
- `40-avatar.caddy``avatar.``nmsr:8080` (skin/avatar renderer).
- `50-status.caddy``status.``uptime-kuma:3001` (status page).
http://auth.{$BASE_DOMAIN} {
reverse_proxy drasl:25585
}
http://packwiz.{$BASE_DOMAIN} {
root * /srv/pack
file_server browse
}
```
Mounts: `./www:/srv/www:ro`, `./pack:/srv/pack:ro`, `./mirror/launcher:/srv/www/launcher:ro`.
All vhosts are plain `http://…`; TLS is nginx's job. Mounts: `./www:/srv/www:ro`,
`./pack:/srv/pack:ro`, `./launcher:/srv/launcher:ro`,
`${DISTRIBUTION_WEB_ROOT}:/srv/distribution:ro`.
## Notes / risks
- drasl behind a proxy: docs don't detail `X-Forwarded-*` trust. On plain HTTP LAN
with matching `BaseURL` it should be fine; revisit when TLS is added.
- drasl behind a proxy: with matching `BaseURL` and nginx terminating TLS it is
fine; nginx passes the original Host through to caddy → drasl.
- `file_server browse` gives a directory listing — handy for debugging the pack.
- Mod-jar mirror lives under `/srv/pack/mods/` so packwiz URLs and jars share host.
- `/launcher/` is a sibling mount (`/srv/launcher`), not nested under the
read-only `/srv/www`; `handle_path` strips the prefix.
## Tasks
- [ ] Add `caddy` service to `docker-compose.yml`, ports `80:80` (+`443` later)
- [ ] Pass `BASE_DOMAIN` into caddy env
- [ ] Create `caddy/Caddyfile` with apex + auth + packwiz vhosts
- [ ] Add network aliases for `auth.` and `packwiz.` subdomains
- [ ] Mount `./www`, `./pack`, `./mirror/launcher`
- [ ] `caddy` service in `docker-compose.yml`, published `127.0.0.1:${CADDY_HTTP_PORT}:80`
- [ ] Pass `BASE_DOMAIN` + `DISTRIBUTION_WEB_ROOT` into caddy env
- [ ] Caddyfile imports `conf.d/*.caddy`
- [ ] Network aliases for `auth.` and `pack.` subdomains
- [ ] Mount `./www`, `./pack`, `./launcher`, `${DISTRIBUTION_WEB_ROOT}`
- [ ] Confirm reverse_proxy to drasl works (auth web UI loads, Yggdrasil API responds)
- [ ] Verify internal alias resolution from `minecraft` container (curl pack.toml)
- [ ] Air-gap mirror: add per-host `tls internal` vhosts + aliases + mounts (see 11)
- [ ] Export Caddy root CA for guest trust (LAN-party TLS = `tls internal`; step-ca deferred)
- [ ] Defer (reminder): graduate `tls internal` → step-ca for persistent homelab
- [ ] Verify nmsr + uptime-kuma proxied (`avatar.` renders, `status.` loads)