tailwart/caddy/Dockerfile

# Caddy with the layer-4 (TCP/UDP) app so it can proxy raw mail ports.
#
# Built the house way (see ~/docs/caddy.md "Custom Binary"): grab the prebuilt
# static binary from caddyserver.com's build server, NOT a local xcaddy/Go
# build. The compile burns ~1GB RAM, which this VPS can't spare — the download
# server does it for us. The base image only contributes its entrypoint + CA
# certs; we swap in the L4-enabled binary over the stock one.
#
#   docker build -t tailwart-caddy ./caddy
#
# Add more plugins by appending &p=<url-encoded module path> to CADDY_DOWNLOAD,
# e.g. ...&p=github.com%2Fmholt%2Fcaddy-ratelimit (the main box build has that).
FROM caddy:2.11

ARG CADDY_DOWNLOAD="https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fmholt%2Fcaddy-l4"

RUN apk add --no-cache curl \
 && curl -fsSL -o /usr/bin/caddy "$CADDY_DOWNLOAD" \
 && chmod 0755 /usr/bin/caddy
# Fail the build loudly if the L4 module isn't actually in the binary.
RUN caddy list-modules | grep -q 'layer4' || { echo 'caddy-l4 missing from binary!'; exit 1; }
caddy: build via caddyserver.com download URL, not local xcaddy The xcaddy/Go compile burns ~1GB RAM this VPS can't spare (per ~/docs/caddy.md "Custom Binary"). Pull the prebuilt L4-enabled binary from the Caddy build server instead and swap it over the stock binary in the official image. Built and verified: caddy v2.11.3 with layer4.handlers.proxy + proxy_protocol. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-03 22:39:33 -04:00			`# Caddy with the layer-4 (TCP/UDP) app so it can proxy raw mail ports.`
			`#`
			`# Built the house way (see ~/docs/caddy.md "Custom Binary"): grab the prebuilt`
			`# static binary from caddyserver.com's build server, NOT a local xcaddy/Go`
			`# build. The compile burns ~1GB RAM, which this VPS can't spare — the download`
			`# server does it for us. The base image only contributes its entrypoint + CA`
			`# certs; we swap in the L4-enabled binary over the stock one.`
Scaffold tailwart: Stalwart mailbox as a Tailscale sidecar Over-engineered play stack for infinidim.net — Stalwart wired into the shared Postgres + Redis + Garage S3 over the tailnet, with no WAN presence. Public mail ports are fronted by a separate caddy-l4 layer-4 proxy (caddy/) that can run on any tailnet host tagged tag:reverse-proxy — decoupled from the mailbox. - docker-compose.yml: ts-stalwart sidecar + stalwart, backends via MagicDNS - config/config.toml: PG (data/fts) + Redis (lookup) + S3 (blob) strawman - caddy/: xcaddy build with caddy-l4, JSON layer-4 mail proxy, own compose - acl-snippet.hujson: tag:stalwart owner + backend/edge grants - .env.example + gitignored .env (pulled from shared infra) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-03 22:25:38 -04:00			`#`
			`# docker build -t tailwart-caddy ./caddy`
			`#`
caddy: build via caddyserver.com download URL, not local xcaddy The xcaddy/Go compile burns ~1GB RAM this VPS can't spare (per ~/docs/caddy.md "Custom Binary"). Pull the prebuilt L4-enabled binary from the Caddy build server instead and swap it over the stock binary in the official image. Built and verified: caddy v2.11.3 with layer4.handlers.proxy + proxy_protocol. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-03 22:39:33 -04:00			`# Add more plugins by appending &p=<url-encoded module path> to CADDY_DOWNLOAD,`
			`# e.g. ...&p=github.com%2Fmholt%2Fcaddy-ratelimit (the main box build has that).`
Scaffold tailwart: Stalwart mailbox as a Tailscale sidecar Over-engineered play stack for infinidim.net — Stalwart wired into the shared Postgres + Redis + Garage S3 over the tailnet, with no WAN presence. Public mail ports are fronted by a separate caddy-l4 layer-4 proxy (caddy/) that can run on any tailnet host tagged tag:reverse-proxy — decoupled from the mailbox. - docker-compose.yml: ts-stalwart sidecar + stalwart, backends via MagicDNS - config/config.toml: PG (data/fts) + Redis (lookup) + S3 (blob) strawman - caddy/: xcaddy build with caddy-l4, JSON layer-4 mail proxy, own compose - acl-snippet.hujson: tag:stalwart owner + backend/edge grants - .env.example + gitignored .env (pulled from shared infra) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-03 22:25:38 -04:00			`FROM caddy:2.11`
caddy: build via caddyserver.com download URL, not local xcaddy The xcaddy/Go compile burns ~1GB RAM this VPS can't spare (per ~/docs/caddy.md "Custom Binary"). Pull the prebuilt L4-enabled binary from the Caddy build server instead and swap it over the stock binary in the official image. Built and verified: caddy v2.11.3 with layer4.handlers.proxy + proxy_protocol. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-03 22:39:33 -04:00
			`ARG CADDY_DOWNLOAD="https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fmholt%2Fcaddy-l4"`

			`RUN apk add --no-cache curl \`
			`&& curl -fsSL -o /usr/bin/caddy "$CADDY_DOWNLOAD" \`
			`&& chmod 0755 /usr/bin/caddy`
			`# Fail the build loudly if the L4 module isn't actually in the binary.`
			`RUN caddy list-modules \| grep -q 'layer4' \|\| { echo 'caddy-l4 missing from binary!'; exit 1; }`