Add TLS setup to start.sh; drop Cloudflare requirement

start.sh now generates proxy/caddy.json at launch time with Let's Encrypt automatic HTTPS (HTTP-01 or TLS-ALPN-01 challenge — no Cloudflare needed). Reads DOMAIN_SUFFIX and ACME_EMAIL from infra/.env before starting. Added infra/.env.example to document required vars.
2026-03-20 10:18:01 +00:00 · 2026-03-20 10:18:01 +00:00 · d5a5875899
commit d5a5875899
parent b060ec68af
2 changed files with 66 additions and 1 deletions
--- a/infra/.env.example
+++ b/infra/.env.example
@ -0,0 +1,7 @@
+# Copy to infra/.env and fill in before running ./start.sh
+
+# Your domain — subdomains will be: <appname>.yourdomain.com
+DOMAIN_SUFFIX=yourdomain.com
+
+# Email for Let's Encrypt registration (not public, just for cert renewal notices).
+ACME_EMAIL=you@yourdomain.com
--- a/infra/start.sh
+++ b/infra/start.sh
@ -1,7 +1,65 @@
 #!/usr/bin/env bash
 set -euo pipefail

-cd "$(dirname "$0")"
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+cd "$SCRIPT_DIR"

+# ── Load .env ──────────────────────────────────────────────────────────────────
+if [ -f .env ]; then
+    set -a; source .env; set +a
+fi
+
+DOMAIN_SUFFIX="${DOMAIN_SUFFIX:-}"
+ACME_EMAIL="${ACME_EMAIL:-}"
+
+# ── Validate ───────────────────────────────────────────────────────────────────
+if [ -z "$DOMAIN_SUFFIX" ] || [ "$DOMAIN_SUFFIX" = "localhost" ]; then
+    echo "ERROR: Set DOMAIN_SUFFIX to your real domain in infra/.env"
+    exit 1
+fi
+
+if [ -z "$ACME_EMAIL" ]; then
+    echo "ERROR: Set ACME_EMAIL in infra/.env (required for Let's Encrypt)"
+    exit 1
+fi
+
+# ── Generate production caddy.json ─────────────────────────────────────────────
+# Writes TLS-enabled config using Let's Encrypt (no Cloudflare required).
+# Caddy will use the HTTP-01 challenge (port 80) or TLS-ALPN-01 (port 443).
+cat > "$SCRIPT_DIR/../proxy/caddy.json" <<EOF
+{
+  "admin": { "listen": "0.0.0.0:2019" },
+  "apps": {
+    "tls": {
+      "automation": {
+        "policies": [{
+          "subjects": ["${DOMAIN_SUFFIX}"],
+          "issuers": [{"module": "acme", "email": "${ACME_EMAIL}"}]
+        }]
+      }
+    },
+    "http": {
+      "servers": {
+        "hiy": {
+          "listen": [":80", ":443"],
+          "automatic_https": {},
+          "routes": [
+            {
+              "match": [{"host": ["${DOMAIN_SUFFIX}"]}],
+              "handle": [{"handler": "reverse_proxy", "upstreams": [{"dial": "server:3000"}]}]
+            }
+          ]
+        }
+      }
+    }
+  }
+}
+EOF
+
+echo "[hiy] Generated proxy/caddy.json for ${DOMAIN_SUFFIX}"
+
+# ── Build images ───────────────────────────────────────────────────────────────
 make build
+
+# ── Start services (detached) ──────────────────────────────────────────────────
 docker compose up -d