Caddyfile:
{
# Global options block (must be the first block of the main Caddyfile).
# admin "unix//run/caddy/admin.socket"
# The admin API is switched off entirely; the commented line above is the
# alternative of binding it to a unix socket instead of the default TCP listener.
# With "admin off", configuration changes need a service reload rather than API calls.
admin off
# debug
# ACME setup, this is also the email used externally for letsencrypt
email vociferous@smex.dk
# Override the default acme_ca url to point to the internal one
# This is ONLY needed if you ONLY want to serve internal Certs
# When serving both internal and letsencrypt, omit acme_ca
acme_ca https://ca.lair.lan/acme/lairlan/directory
# Configuring the internal CA
# While the root/intermediate blocks below stay commented out, the CA key
# material is handled by Caddy itself. Whoever can read the root key can mint
# certificates trusted by every client that trusts this CA, so keep it
# readable by the Caddy user only.
pki {
ca lairlan {
name "Lair.lan CA"
# root_cn <name>
# intermediate_cn <name>
# intermediate_lifetime <duration>
# if using own custom signed cert, e.g. if you already have an internal CA and want to use certs signed by it
# root {
# format <format>
# cert <path>
# key <path>
# }
# intermediate {
# format <format>
# cert <path>
# key <path>
# }
# (the closing brace for "intermediate" above was missing; it is needed if the block is uncommented)
}
}
}
}
# add import tls_lairlan to each site config you want to use internal CA
(tls_lairlan) {
# Snippet: obtain the site certificate from the "lairlan" CA declared in the
# global pki block, instead of going through ACME.
tls {
issuer internal {
ca lairlan
# Leaf certificate validity. A short lifetime limits how long a leaked
# key stays useful; clients must trust the Lair.lan root for this to work.
lifetime 14d
}
}
}
# example of site logging per file for import use
(mylog) {
# Snippet: per-site access log, used as "import mylog <name>";
# {args[0]} is the first snippet argument and becomes the file name prefix.
log {
output file /var/log/caddy/{args[0]}-access.log {
# Rotate at 500M, keep at most 5 rolled files, discard rolled files after 720h (30 days).
roll_size 500M
roll_keep 5
roll_keep_for 720h
# NOTE(review): access logs carry client IPs and request paths; keep the log
# directory readable by the Caddy user and log consumers only (newer Caddy
# versions also accept a "mode" option here to set the file permission bits).
}
}
}
# This is to force caddy to serve these files as plain text
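(plaintext) {
# Snippet: serve config and script files as inline text rather than letting
# the client guess a type or download them.
@astext path *.yaml *.yml *.service *.timer *.caddy *.sh
header @astext {
# nosniff tells the browser to honour the Content-Type set below instead of
# guessing a more dangerous type (e.g. HTML or script) from the response body.
X-Content-Type-Options nosniff
Content-Type text/plain
Content-Disposition inline
}
}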
# Import additional caddy config files in /etc/caddy/conf.d/
import /etc/caddy/conf.d/*
conf.d/somesite:
somesite.lair.lan {
# Example site: compress responses, proxy to an internal service and get the
# certificate from the internal CA via the tls_lairlan snippet.
encode gzip zstd
# NOTE(review): the upstream is reached over plain http, so anything on the
# path between Caddy and someservice can read the traffic. Fine on a trusted
# segment; otherwise use an https:// upstream.
reverse_proxy http://someservice.lair.lan:1337
import tls_lairlan
}{
# NOTE(review): this second "{ ... }" block looks like a separate fragment
# (global options for a different ACME CA, "failpm"), not part of the site
# block above. Global options belong in the first block of the main Caddyfile;
# verify this does not actually live inside conf.d/somesite.
email some@mail.domain
acme_ca https://acme.lair.lan/acme/failpm/directory
# Root certificate to trust when connecting to that ACME CA (a private root,
# so it is not in the system trust store).
acme_ca_root /etc/caddy/failpm.internal.root.crt
}
Sources: - https://johnsiu.com/blog/caddyfile/
Last modified: Sat Jun 28 20:04:19 2025