Conversation

Contributor

Copilot AI commented Nov 16, 2025

ATProto PDS requires wildcard DNS (*.pds.tunebridge.media) for user-specific subdomains. Standard HTTP-01 ACME challenges cannot validate wildcard certificates, necessitating DNS-01 challenges via Cloudflare API.

Implementation

Custom Caddy Image

  • Dockerfile.caddy: Multi-stage build with xcaddy integrating github.com/caddy-dns/cloudflare
  • Base images: caddy:2-builder, caddy:2

Automated Publishing

  • .github/workflows/publish-caddy-cloudflare-test.yml: Multi-arch builds (amd64/arm64)
  • Publishes to ${DOCKERHUB_USERNAME}/caddy-cloudflare-test:latest
  • Triggers: push to main/develop, PRs

Configuration

  • Caddyfile: Added DNS-01 challenge block for PDS wildcard domain
    *.{$PDS_HOSTNAME}, {$PDS_HOSTNAME} {
        tls {
            # {file.<path>} reads the token from the mounted Docker secret
            dns cloudflare {file./run/secrets/cloudflare_api_token}
        }
        reverse_proxy pds:3000
    }
  • docker-compose.yml: Updated Caddy service to use custom image, mounts Cloudflare API token as Docker secret
  • setup-secrets.sh: Added cloudflare_api_token.txt to secrets setup script

Documentation

  • docs/CADDY_CLOUDFLARE.md: Cloudflare API token setup (Zone:DNS:Edit), troubleshooting, security considerations
  • README.md: Added documentation link

Security

  • Minimal GitHub Actions permissions (contents: read)

  • No hardcoded credentials

  • Cloudflare token stored as Docker secret (not environment variable) following project pattern

  • Cloudflare token scoped to Zone:DNS:Edit only

  • Secret mounted read-only at /run/secrets/cloudflare_api_token

  • Pinned action versions with SHA256 hashes

  • CodeQL scan: no vulnerabilities

  • Fixes #119 (Add Caddy with Cloudflare DNS plugin for PDS wildcard certificates)

Original prompt

This section details the original issue you should resolve.

<issue_title>Refactor projects to use aspire apphost model with unified startup for dashboard and TuneBridge app</issue_title>
<issue_description>Build a custom Docker image for Caddy that has the Cloudflare DNS plugin integrated. The image should be published with a GitHub Actions workflow.

Requirements:

  • Integrate the Cloudflare DNS plugin into Caddy in a new Docker image.
  • The image should be published at ${{ secrets.DOCKERHUB_USERNAME }}/caddy-cloudflare-test.
  • Create a GitHub Actions workflow for automated Docker image build and publish.
  • Update the repo's Caddyfile to use the Cloudflare DNS plugin for the PDS configuration.

Acceptance Criteria:

  • Dockerfile for Caddy with Cloudflare DNS plugin is created and added to the repository.
  • GitHub Actions workflow (.github/workflows/publish-caddy-cloudflare-test.yml) builds the image and pushes it to Docker Hub using the specified path.
  • Documentation is included for usage and automated publishing steps.

Notes:

  • Ensure Cloudflare credentials/secrets are configurable and documented for users.
  • Use best practices for Dockerfile optimization and GitHub Actions security.</issue_description>

Comments on the Issue (you are @copilot in this section)


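As an added example (not code from this PR or the TuneBridge repository), a shell pre-flight script for the secrets-based layout the review settled on: the token file that docker-compose mounts at /run/secrets/cloudflare_api_token must be a single-line, owner-only file, the token must not have crept back into .env, and the custom image must actually carry the Cloudflare DNS module. The file paths, the env-file name and the image name are assumptions taken from the description above.

```shell
#!/usr/bin/env bash
# Added pre-flight checks for the secrets-based Cloudflare token setup.
# Not from the PR; paths and image name are assumptions taken from the PR description.
set -u

# The token file that docker-compose mounts at /run/secrets/cloudflare_api_token.
# Caddy's {file.*} placeholder hands the file contents to the Cloudflare provider,
# so the file must hold exactly one token and nothing else.
check_token_file() {
  local f="$1" lines tok mode
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  lines=$(grep -c '' "$f" || true)          # counts a final unterminated line too
  [ "$lines" -eq 1 ] || { echo "$f must contain exactly one line" >&2; return 1; }
  tok=$(head -n 1 "$f")
  case "$tok" in
    "") echo "empty token in $f" >&2; return 1 ;;
    *[[:space:]]*) echo "whitespace inside token in $f" >&2; return 1 ;;
  esac
  # The secret is only for the Caddy container: owner-read only on the host.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "mode $mode on $f is too permissive (want 600)" >&2; return 1 ;;
  esac
}

# The review moved the token out of .env; make sure it has not crept back.
check_env_file() {
  local f="$1"
  [ -f "$f" ] || return 0                    # no env file to leak from
  if grep -Eq '^[[:space:]]*(export[[:space:]]+)?CLOUDFLARE_API_TOKEN[[:space:]]*=' "$f"; then
    echo "CLOUDFLARE_API_TOKEN set in $f; keep it in the Docker secret instead" >&2
    return 1
  fi
  return 0
}

# Confirm the custom image really carries the DNS provider (needs Docker and the
# built image, so it is not exercised offline). `caddy list-modules` prints module IDs.
check_image_has_plugin() {
  docker run --rm "$1" caddy list-modules 2>/dev/null | grep -q 'dns\.providers\.cloudflare'
}

# Run from the repo root; assumed layout: ./secrets/cloudflare_api_token.txt and ./.env.
preflight() {
  check_token_file "${1:-secrets/cloudflare_api_token.txt}" &&
  check_env_file "${2:-.env}"
}
```

Run `preflight` before `docker compose up`, and `check_image_has_plugin "${DOCKERHUB_USERNAME}/caddy-cloudflare-test:latest"` once the image has been pulled.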

Copilot AI and others added 2 commits November 16, 2025 12:34
- Create Dockerfile.caddy with Cloudflare DNS plugin support
- Add GitHub Actions workflow for automated image publishing
- Update Caddyfile to use Cloudflare DNS challenge for wildcard certificates
- Update docker-compose.yml to use custom Caddy image
- Add comprehensive documentation for Cloudflare setup
- Update .env.example with Cloudflare API token configuration

Co-authored-by: tsmarvin <[email protected]>
Copilot AI changed the title from "[WIP] Refactor projects to use aspire apphost model for Docker" to "Add Caddy with Cloudflare DNS plugin for PDS wildcard certificates" Nov 16, 2025
Copilot AI requested a review from tsmarvin November 16, 2025 12:38
Copilot finished work on behalf of tsmarvin November 16, 2025 12:38
.env.example Outdated
# Cloudflare API Token for DNS challenges (required for wildcard certificates)
# Get this from: https://dash.cloudflare.com/profile/api-tokens
# Required permissions: Zone:DNS:Edit
CLOUDFLARE_API_TOKEN=
Owner

This should be a secret not in the .env files

Contributor Author

Updated to use Docker secrets instead of environment variables. The Cloudflare API token is now stored in secrets/cloudflare_api_token.txt and mounted as a read-only secret, following the same pattern as other credentials in the project. (commit 3efa601)

@tsmarvin
Owner

@copilot back to you

- Remove CLOUDFLARE_API_TOKEN from .env.example
- Add cloudflare_api_token.txt to setup-secrets.sh script
- Update docker-compose.yml to mount Cloudflare token as secret
- Update Caddyfile to read token from file instead of env var
- Update documentation to reflect secrets-based approach

Co-authored-by: tsmarvin <[email protected]>
Copilot AI requested a review from tsmarvin November 17, 2025 04:47
Copilot finished work on behalf of tsmarvin November 17, 2025 04:47