fix: switch Docker access to TCP via socat proxy; add Caddy error logging

- Add docker-proxy (alpine/socat) sidecar that exposes the Docker Unix socket as TCP on port 2375, so server needs no privileged socket mount - Set DOCKER_HOST=tcp://docker-proxy:2375 in server environment - App containers are still spawned on the host daemon and join hiy-net, so Caddy can still reach them - Log actual Caddy PUT response body and HTTP status on failure instead of a silent warning
2026-03-19 11:24:50 +00:00 · 2026-03-19 11:24:50 +00:00 · 2df3c579e4
commit 2df3c579e4
parent 2e98ce957e
2 changed files with 27 additions and 5 deletions
--- a/builder/build.sh
+++ b/builder/build.sh
@ -148,11 +148,22 @@ routes.append(DASHBOARD)
 print(json.dumps(routes))
 " "$ROUTE_JSON")

-    curl --silent --fail "${CADDY_API}/config/apps/http/servers/hiy/routes" \
+    log "Upstream: ${UPSTREAM}"
+    log "Routes JSON: ${UPDATED}"
+    set +e
+    CADDY_RESP=$(curl --silent --show-error \
+        --write-out "\nHTTP_STATUS:%{http_code}" \
+        "${CADDY_API}/config/apps/http/servers/hiy/routes" \
        --header "Content-Type: application/json" \
        --request PUT \
-        --data "$UPDATED" && log "Caddy updated." \
-        || log "WARNING: Caddy update failed (app is running; fix routing manually)."
+        --data "$UPDATED" 2>&1)
+    set -e
+    if echo "$CADDY_RESP" | grep -q "HTTP_STATUS:2"; then
+        log "Caddy updated."
+    else
+        log "WARNING: Caddy update failed (app is running; fix routing manually)."
+        log "Caddy response: ${CADDY_RESP}"
+    fi
 else
    log "Caddy admin API not reachable; skipping route update."
    log "Container ${CONTAINER_NAME} is running on port ${PORT} but not publicly routed."
--- a/infra/docker-compose.yml
+++ b/infra/docker-compose.yml
@ -6,6 +6,16 @@

 services:

+  # ── Docker socket proxy (unix → TCP) ──────────────────────────────────────
+  docker-proxy:
+    image: alpine/socat
+    command: tcp-listen:2375,fork,reuseaddr unix-connect:/var/run/docker.sock
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      - hiy-net
+
  # ── Control plane ─────────────────────────────────────────────────────────
  server:
    build:
@ -16,8 +26,6 @@ services:
      - "3000:3000"
    volumes:
      - hiy-data:/data
-      # Mount Docker socket so the server can spawn build containers.
-      - /var/run/docker.sock:/var/run/docker.sock
      # Mount the builder script so edits take effect without rebuilding.
      - ../builder:/app/builder:ro
    environment:
@ -25,11 +33,14 @@ services:
      HIY_ADDR: 0.0.0.0:3000
      HIY_BUILD_SCRIPT: /app/builder/build.sh
      CADDY_API_URL: http://caddy:2019
+      DOCKER_HOST: tcp://docker-proxy:2375
      DOMAIN_SUFFIX: ${DOMAIN_SUFFIX:-localhost}
      RUST_LOG: hiy_server=debug,tower_http=info
    depends_on:
      caddy:
        condition: service_started
+      docker-proxy:
+        condition: service_started
    networks:
      - hiy-net
      - default