HackMD
Multi-Domain Management System with Caddy and Tailscale
Co-authored with Claude 3.5 Sonet
Requirements
- Public-facing Caddy server for certificate management
- Multiple internal Caddy servers accessible only via Tailscale
- Cloudflare for DNS management
- Tailscale network set up on all servers
- Bash scripting capabilities on all servers
jqinstalled on all servers for JSON parsing
System Components
1. Public Caddy Server
- Exposed to the internet
- Manages Let's Encrypt certificates for all domains
- Runs Caddy admin API (accessible only within Tailscale network)
2. Internal Caddy Servers
- Accessible only via Tailscale
- Serve actual content/services
- Fetch certificates from the public Caddy server
3. Certificate Distribution System
- Script to fetch certificates from public server
- Runs periodically on internal servers
4. Domain Management System
- Scripts to add/remove domains from the system
5. DNS Configuration
- Cloudflare for public DNS
- Tailscale for internal DNS resolution
Configurations
Public Caddy Server Caddyfile
{
email your-email@example.com
acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
admin 127.0.0.1:2019
}
domain1.com, domain2.com, domain3.com {
tls {
dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}
respond "Certificate management server"
}
Internal Caddy Server Base Caddyfile
{
# Global options
}
(domain_template) {
tls /etc/caddy/certificates/{$DOMAIN}.crt /etc/caddy/certificates/{$DOMAIN}.key
@service1 path /service1/*
handle @service1 {
uri strip_prefix /service1
reverse_proxy {$SERVICE1_IP}:{$SERVICE1_PORT}
}
@service2 path /service2/*
handle @service2 {
uri strip_prefix /service2
reverse_proxy {$SERVICE2_IP}:{$SERVICE2_PORT}
}
}
import /etc/caddy/conf.d/*.conf
Internal Caddy Server Domain-Specific Config
File: /etc/caddy/conf.d/domain1.com.conf
domain1.com {
import domain_template {
DOMAIN domain1.com
SERVICE1_IP 100.a.b.c
SERVICE1_PORT 8080
SERVICE2_IP 100.d.e.f
SERVICE2_PORT 9090
}
}
Script Outlines
Certificate Distribution Script
#!/bin/bash
PUBLIC_CADDY_IP="100.x.y.z"
DOMAINS=("domain1.com" "domain2.com" "domain3.com")
CERT_DIR="/etc/caddy/certificates"
# Logic to fetch certificates for each domain
# Save certificates and keys to $CERT_DIR
# Reload Caddy
Domain Management Script
#!/bin/bash
function add_domain() {
# Logic to add domain to:
# 1. Public Caddy server
# 2. Certificate distribution script
# 3. Internal Caddy configuration
# 4. Tailscale DNS
}
function remove_domain() {
# Logic to remove domain from:
# 1. Public Caddy server
# 2. Certificate distribution script
# 3. Internal Caddy configuration
# 4. Tailscale DNS
# 5. Remove certificates
}
# Main script logic to handle add/remove commands
DNS Configuration
Cloudflare (Public DNS)
- For each domain, create an A record pointing to the public IP of the certificate management Caddy server
Tailscale (Internal DNS)
- Set up Split DNS for each domain, pointing to 100.100.100.100
- Add A records for each domain, pointing to the appropriate internal Caddy server's Tailscale IP
Security Considerations
- Secure the Caddy admin API to be accessible only within the Tailscale network
- Use Tailscale ACLs to restrict access to the certificate management server
- Keep the Cloudflare API token secure
- Regularly update and patch all servers
- Monitor certificate expiration dates
- Implement logging for all scripts and processes
Maintenance Tasks
- Regularly test the certificate renewal process
- Monitor disk space on all servers, especially where certificates are stored
- Review and update Tailscale ACLs as needed
- Perform regular backups of configurations and scripts
- Keep Caddy and other software components updated
Scalability Considerations
- Consider load balancing for internal Caddy servers if traffic increases
- Implement monitoring and alerting for all components
- Document the process for adding new internal servers to the system
- Plan for potential migration to a clustered Caddy setup for high availability
