4454744cba
- New HIY_ADMIN_USER / HIY_ADMIN_PASS env vars control access - Login page at /login with redirect-after-login support - Cookie-based sessions (HttpOnly, SameSite=Strict); cleared on restart - Auth middleware applied to all routes except /webhook/:app_id (HMAC) and /login - Auth is skipped when credentials are not configured (dev mode, warns at startup) - Logout link in both dashboard nav bars - Caddy admin port 2019 no longer published to the host in docker-compose https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
35 lines
1.2 KiB
Caddyfile
35 lines
1.2 KiB
Caddyfile
# HIY — Caddyfile
|
|
#
|
|
# Caddy automatically obtains a Let's Encrypt certificate for every domain it
|
|
# serves (HTTP-01 challenge). No Cloudflare or DNS API token required.
|
|
#
|
|
# Requirements:
|
|
# - Ports 80 and 443 must be publicly reachable (router port-forward to Pi)
|
|
# - DNS A record for {$DOMAIN_SUFFIX} must point to your public IP
|
|
# - Set ACME_EMAIL in infra/.env (Let's Encrypt needs a contact address)
|
|
#
|
|
# Local dev: set DOMAIN_SUFFIX=localhost in infra/.env — Caddy will use a
|
|
# self-signed cert automatically for localhost.
|
|
{
|
|
# Admin API — used by hiy-server to add/remove app routes dynamically.
|
|
# Listens on all interfaces so the server container can reach it via Docker
|
|
# networking (http://caddy:2019). Port 2019 must NOT be port-forwarded on
|
|
# the host or router — see docker-compose.yml.
|
|
admin 0.0.0.0:2019
|
|
|
|
# Email for Let's Encrypt expiry notices (set ACME_EMAIL in .env).
|
|
email {$ACME_EMAIL:}
|
|
}
|
|
|
|
# HIY dashboard — served at your root domain.
|
|
{$DOMAIN_SUFFIX:localhost} {
|
|
reverse_proxy server:3000
|
|
}
|
|
|
|
# Deployed apps are added here dynamically by hiy-server via the Caddy API.
|
|
# Each entry looks like:
|
|
#
|
|
# myapp.{$DOMAIN_SUFFIX} {
|
|
# reverse_proxy <container-ip>:<port>
|
|
# }
|