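# Caddy with the layer-4 (TCP/UDP) app so it can proxy raw mail ports.
#
# Built the house way (see ~/docs/caddy.md "Custom Binary"): grab the prebuilt
# static binary from caddyserver.com's build server, NOT a local xcaddy/Go
# build. The compile burns ~1GB RAM, which this VPS can't spare — the download
# server does it for us. The base image only contributes its entrypoint + CA
# certs; we swap in the L4-enabled binary over the stock one.
#
#   docker build -t tailwart-caddy ./caddy
#
# Add more plugins by appending &p=<module path> to CADDY_DOWNLOAD,
# e.g. ...&p=github.com%2Fmholt%2Fcaddy-ratelimit (the main box build has that).
#
# Supply-chain notes:
#   * The binary that ends up serving traffic is whatever the download URL
#     returns at build time; TLS to the build server is the only integrity
#     control unless CADDY_SHA256 is set (see below).
#   * The URL names no Caddy or plugin version, so the binary may not match
#     the 2.11 base tag and can differ between builds.
#     NOTE(review): confirm whether the download API accepts version pins and
#     pin both Caddy and the plugins if it does.
#   * Consider pinning the base image by digest as well as by tag.
FROM caddy:2.11

# Must be an https:// URL: the fetch below refuses any other scheme, including
# on redirects.
ARG CADDY_DOWNLOAD="https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fmholt%2Fcaddy-l4"

# Optional SHA-256 of a binary you have already vetted. When set, the build
# fails unless the download matches. Empty (the default) keeps the previous
# behaviour: the binary is accepted unverified, with a warning and its hash
# printed in the build log so it can be recorded and pinned later.
#   docker build --build-arg CADDY_SHA256=<sha256 of vetted binary> ...
ARG CADDY_SHA256=""

# Download to a scratch path, verify, and only then replace the stock binary.
# curl is installed as a virtual package and removed in the same layer so the
# runtime image does not carry a download tool.
RUN set -eu; \
    apk add --no-cache --virtual .fetch-deps curl; \
    curl -fsSL --proto '=https' --tlsv1.2 -o /tmp/caddy "$CADDY_DOWNLOAD"; \
    if [ -n "$CADDY_SHA256" ]; then \
        echo "$CADDY_SHA256  /tmp/caddy" | sha256sum -c -; \
    else \
        echo 'WARNING: CADDY_SHA256 not set; downloaded caddy binary is unverified' >&2; \
        sha256sum /tmp/caddy; \
    fi; \
    chmod 0755 /tmp/caddy; \
    mv /tmp/caddy /usr/bin/caddy; \
    apk del .fetch-deps

# Fail the build loudly if the L4 module isn't actually in the binary.
# This only proves the plugin is present; it says nothing about where the
# binary came from — that is what CADDY_SHA256 is for.
RUN caddy list-modules | grep -q 'layer4' || { echo 'caddy-l4 missing from binary!'; exit 1; }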