infra/start.sh

@@ -20,45 +20,10 @@ if [ -z "$DOMAIN_SUFFIX" ] || [ "$DOMAIN_SUFFIX" = "localhost" ]; then
 fi
 
 if [ -z "$ACME_EMAIL" ]; then
-    echo "ERROR: Set ACME_EMAIL in infra/.env (required for Let's Encrypt)"
+    echo "[hiy] ACME_EMAIL not set — Caddy will use its internal CA (self-signed)."
-    exit 1
+    echo "[hiy] For a public domain with Let's Encrypt, set ACME_EMAIL in infra/.env"
 fi
 
-# ── Generate production caddy.json ─────────────────────────────────────────────
-# Writes TLS-enabled config using Let's Encrypt (no Cloudflare required).
-# Caddy will use the HTTP-01 challenge (port 80) or TLS-ALPN-01 (port 443).
-cat > "$SCRIPT_DIR/../proxy/caddy.json" <<EOF
-{
-  "admin": { "listen": "0.0.0.0:2019" },
-  "apps": {
-    "tls": {
-      "automation": {
-        "policies": [{
-          "subjects": ["${DOMAIN_SUFFIX}"],
-          "issuers": [{"module": "acme", "email": "${ACME_EMAIL}"}]
-        }]
-      }
-    },
-    "http": {
-      "servers": {
-        "hiy": {
-          "listen": [":80", ":443"],
-          "automatic_https": {},
-          "routes": [
-            {
-              "match": [{"host": ["${DOMAIN_SUFFIX}"]}],
-              "handle": [{"handler": "reverse_proxy", "upstreams": [{"dial": "server:3000"}]}]
-            }
-          ]
-        }
-      }
-    }
-  }
-}
-EOF
-
-echo "[hiy] Generated proxy/caddy.json for ${DOMAIN_SUFFIX}"
-
 # ── Ensure cgroup swap accounting is enabled (required by runc/Podman) ────────
 # runc always writes memory.swap.max when the memory cgroup controller is
 # present.  On Raspberry Pi OS swap accounting is disabled by default, so that

proxy/Caddyfile

@@ -23,7 +23,11 @@
 }
 
 # HIY dashboard — served at your root domain.
+# TLS behaviour:
+#   ACME_EMAIL set   → Caddy requests a Let's Encrypt cert (production)
+#   ACME_EMAIL unset → Caddy uses its built-in internal CA (local / LAN domains)
 {$DOMAIN_SUFFIX:localhost} {
+    tls {$ACME_EMAIL:internal}
     reverse_proxy server:3000
 }