From fa73ccbc9070bef1533476ee30a8c7287a5ea5d4 Mon Sep 17 00:00:00 2001
From: finn
Date: Sun, 12 Apr 2026 18:09:30 -0700
Subject: [PATCH] Switch to Caddy
---
proxy/Caddyfile | 52 +++++++++++++++++++++++++++++++++++++++++++++++
proxy/Dockerfile | 12 +++++++++--
proxy/baseconf | 12 -----------
proxy/conf | 53 ------------------------------------------------
proxy/giteaconf | 17 ----------------
proxy/sslconf | 53 ------------------------------------------------
6 files changed, 62 insertions(+), 137 deletions(-)
create mode 100644 proxy/Caddyfile
delete mode 100755 proxy/baseconf
delete mode 100755 proxy/conf
delete mode 100644 proxy/giteaconf
delete mode 100755 proxy/sslconf
diff --git a/proxy/Caddyfile b/proxy/Caddyfile
new file mode 100644
index 0000000..dab5f02
--- /dev/null
+++ b/proxy/Caddyfile
@@ -0,0 +1,52 @@
+# Global options
+{
+ # Disable auto HTTPS since we're using existing certificates
+ auto_https off
+}
+
+# HTTP to HTTPS redirect
+:80 {
+ redir https://{host}{uri} permanent
+}
+
+# Main domain - oily.dad and www.oily.dad
+oily.dad, www.oily.dad {
+ # Root directory (not strictly needed for reverse proxy)
+ root * /var/www/html
+
+ # Use existing SSL certificates
+ tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
+
+ # Onion-Location header
+ header Onion-Location http://oilydada7ckiseinkbeathsefwgkvjrce743xy7x7iiybkuxh4vheead.onion{path}
+
+ # Reverse proxy to backend
+ reverse_proxy http://backend:8000 {
+ # Preserve original host header
+ header_up Host {host}
+ header_up X-Real-IP {remote}
+ # X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
+ }
+}
+
+# Subdomain for Gitea - gut.oily.dad
+gut.oily.dad {
+ # Root directory (not strictly needed for reverse proxy)
+ root * /var/www/html
+
+ # Use existing SSL certificates
+ tls /etc/letsencrypt/live/oily.dad/fullchain.pem /etc/letsencrypt/live/oily.dad/privkey.pem
+
+ # Reverse proxy to Gitea
+ reverse_proxy http://gitea:3000 {
+ # WebSocket support for Gitea
+ header_up Connection {>Connection}
+ header_up Upgrade {>Upgrade}
+
+ # Preserve original headers
+ header_up Host {host}
+ header_up X-Real-IP {remote}
+ # X-Forwarded-For and X-Forwarded-Proto are set automatically by Caddy
+ }
+}
+
diff --git a/proxy/Dockerfile b/proxy/Dockerfile
index bd58a93..0939ac6 100755
--- a/proxy/Dockerfile
+++ b/proxy/Dockerfile
@@ -1,2 +1,10 @@
-FROM nginx:alpine
-COPY conf /etc/nginx/conf.d/default.conf
+FROM caddy:alpine
+
+# Copy Caddyfile configuration
+COPY Caddyfile /etc/caddy/Caddyfile
+
+# Create directory for www root
+RUN mkdir -p /var/www/html
+
+# Caddy runs as non-root user by default
+# Ports 80 and 443 are exposed by the base image
diff --git a/proxy/baseconf b/proxy/baseconf
deleted file mode 100755
index 04abcd7..0000000
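Review bot: `header_up X-Real-IP {remote}` in both `reverse_proxy` blocks forwards the client address as `IP:port`, whereas the nginx config being removed sent `$remote_addr` (IP only); anything in the backend or Gitea that logs, rate-limits or bans on X-Real-IP would likely see a different value for every connection. Use `header_up X-Real-IP {remote_host}` in both places. Separately, the old gut.oily.dad block capped uploads with `client_max_body_size 512M` and the main site inherited nginx's 1 MB default, while Caddy applies no request-body limit unless one is configured. Consider a `request_body` block with `max_size 512MB` for Gitea and a smaller cap for the backend so the proxy keeps rejecting oversized uploads before they reach the services.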
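Review bot: The comment `# Caddy runs as non-root user by default` does not match the official image as far as I know: it sets no `USER`, so the container process runs as root unless this Dockerfile or the compose file (not visible here) says otherwise. Either drop the comment or make it true with a `USER` line, keeping in mind that the process must still be able to read `/etc/letsencrypt/live/oily.dad/privkey.pem`, which certbot normally leaves readable by root only. `FROM caddy:alpine` is also a floating tag; pinning it, e.g. `FROM caddy:<version>-alpine` (placeholder) or a digest, keeps rebuilds reproducible and makes base-image changes an explicit review step.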
--- a/proxy/baseconf
+++ /dev/null
@@ -1,12 +0,0 @@
-server {
- listen 80;
- server_name localhost;
- location / {
- proxy_pass http://backend:8000;
- }
- location /gutty{
- proxy_pass http://gitea:3000;
- }
-
-
-}
diff --git a/proxy/conf b/proxy/conf
deleted file mode 100755
index 25ca6b9..0000000
--- a/proxy/conf
+++ /dev/null
@@ -1,53 +0,0 @@
-#server {
-# listen 80;
-# server_name localhost;
-# location / {
-# proxy_pass http://backend:8000;
-# }
-
-
-# always redirect to https
-server {
- listen 80 default_server;
- server_name _;
- return 301 https://$host$request_uri;
-}
-
-server {
- listen 443 ssl http2;
- # use the certificates
- ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
- server_name oily.dad www.oily.dad;
- root /var/www/html;
- index index.php index.html index.htm;
-
- add_header Onion-Location http://oilydada7ckiseinkbeathsefwgkvjrce743xy7x7iiybkuxh4vheead.onion$request_uri;
-
- location / {
- proxy_pass http://backend:8000/;
- }
-}
-
-server {
- listen 443 ssl http2;
- # use the certificates
- ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
- server_name gut.oily.dad;
- root /var/www/html;
- index index.php index.html index.htm;
-
- location / {
- client_max_body_size 512M;
- #proxy_pass http://localhost:3000;
- proxy_set_header Connection $http_connection;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://gitea:3000/;
- }
-}
-
diff --git a/proxy/giteaconf b/proxy/giteaconf
deleted file mode 100644
index 6291d31..0000000
--- a/proxy/giteaconf
+++ /dev/null
@@ -1,17 +0,0 @@
-server {
-
- listen 80;
- server_name localhost;
-
- location / {
- client_max_body_size 512M;
- #proxy_pass http://localhost:3000;
- proxy_pass http://gitea:3000;
- proxy_set_header Connection $http_connection;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- }
-}
diff --git a/proxy/sslconf b/proxy/sslconf
deleted file mode 100755
index 25ca6b9..0000000
--- a/proxy/sslconf
+++ /dev/null
@@ -1,53 +0,0 @@
-#server {
-# listen 80;
-# server_name localhost;
-# location / {
-# proxy_pass http://backend:8000;
-# }
-
-
-# always redirect to https
-server {
- listen 80 default_server;
- server_name _;
- return 301 https://$host$request_uri;
-}
-
-server {
- listen 443 ssl http2;
- # use the certificates
- ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
- server_name oily.dad www.oily.dad;
- root /var/www/html;
- index index.php index.html index.htm;
-
- add_header Onion-Location http://oilydada7ckiseinkbeathsefwgkvjrce743xy7x7iiybkuxh4vheead.onion$request_uri;
-
- location / {
- proxy_pass http://backend:8000/;
- }
-}
-
-server {
- listen 443 ssl http2;
- # use the certificates
- ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem;
- server_name gut.oily.dad;
- root /var/www/html;
- index index.php index.html index.htm;
-
- location / {
- client_max_body_size 512M;
- #proxy_pass http://localhost:3000;
- proxy_set_header Connection $http_connection;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://gitea:3000/;
- }
-}
-