# homelab-compose/Caddyfile
#
# All hostnames resolve on the LAN via pihole CNAMEs.
# TLS is issued by an internal step-ca root; client machines trust the root.
# See mercemay.top/src/homelab-compose/ for the full stack.
# Global options.
# `email` is the ACME account contact; `acme_ca` points certificate
# issuance at the internal step-ca directory instead of a public CA, and
# `acme_ca_root` supplies that CA's root PEM so the ACME endpoint itself is
# verified against it rather than the container's system trust store.
{
	email admin@homelab.local
	acme_ca https://ca.homelab.local/acme/acme/directory
	acme_ca_root /data/caddy/step-root.crt
}
# (lan_only): reusable guard. Proxies to the upstream given as {args.0}
# only when the client is on one of the two LAN subnets; any other source
# receives a bare 403.
#
# `remote_ip` matches the TCP peer address of the connection, not
# X-Forwarded-For or any other header, so it cannot be spoofed by the
# request itself. If a proxy is ever placed in front of Caddy every client
# would appear as that proxy's address — switch to trusted_proxies + the
# client_ip matcher in that case.
(lan_only) {
	@lan remote_ip 192.168.10.0/24 192.168.20.0/24
	handle @lan {
		reverse_proxy {args.0}
	}
	# Explicit fallback handle for everything @lan did not match.
	handle {
		respond "not on lan" 403
	}
}
# Jellyfin media server. LAN-gated via the snippet; responses are
# compressed with zstd or gzip depending on Accept-Encoding.
jellyfin.homelab.local {
	encode zstd gzip
	import lan_only jellyfin:8096
}
# Immich (photos). LAN-gated via the snippet.
# request_body raises the body ceiling so large photo/video uploads get
# through; this caps what Caddy accepts and forwards, it does not change
# any limit immich-server applies on its own side.
photos.homelab.local {
	encode zstd gzip
	request_body {
		max_size 200MB
	}
	import lan_only immich-server:3001
}
# Paperless document archive. LAN-gated via the snippet, compressed responses.
docs.homelab.local {
	encode zstd gzip
	import lan_only paperless:8000
}
# Gitea. LAN-gated via the snippet, compressed responses.
git.homelab.local {
	encode zstd gzip
	import lan_only gitea:3000
}
# Syncthing web GUI. LAN-gated via the snippet; no Caddy-side
# authentication, so access control beyond the subnet check is whatever the
# GUI itself enforces upstream — confirm that a GUI password is set.
sync.homelab.local {
	import lan_only syncthing:8384
}
# Pi-hole admin UI. LAN-gated via the snippet; no Caddy-side
# authentication, so this relies on Pi-hole's own web login — confirm it
# is enabled, since this host can change the LAN's DNS answers.
dns.homelab.local {
	import lan_only pihole:80
}
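# Grafana: subnet gate first, then HTTP basic auth, then proxy.
#
# The IP check is written out here instead of `import lan_only` on purpose.
# Caddy sorts directives by its fixed order, in which basic_auth runs before
# handle; combined with the snippet that meant an off-LAN client was
# challenged for credentials (401) before the 403 ever ran, so the network
# gate did not actually shield the login. Nesting basic_auth inside the
# @lan handle makes the subnet check take effect first.
# Keep the subnet list identical to the one in (lan_only).
# GRAFANA_CADDY_HASH must contain a bcrypt hash from `caddy hash-password`.
grafana.homelab.local {
	@lan remote_ip 192.168.10.0/24 192.168.20.0/24
	handle @lan {
		basic_auth {
			admin {$GRAFANA_CADDY_HASH}
		}
		reverse_proxy grafana:3000
	}
	handle {
		respond "not on lan" 403
	}
	encode zstd gzip
}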
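# Prometheus: subnet gate first, then HTTP basic auth, then proxy.
#
# Same reasoning as for grafana: Caddy orders basic_auth before handle, so
# with `import lan_only` an off-LAN client hit the credential challenge
# before the 403. Placing basic_auth inside the @lan handle makes the
# subnet check run first.
# Keep the subnet list identical to the one in (lan_only).
# PROM_CADDY_HASH must contain a bcrypt hash from `caddy hash-password`.
prometheus.homelab.local {
	@lan remote_ip 192.168.10.0/24 192.168.20.0/24
	handle @lan {
		basic_auth {
			admin {$PROM_CADDY_HASH}
		}
		reverse_proxy prometheus:9090
	}
	handle {
		respond "not on lan" 403
	}
}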
# catch-all: any unknown host on the box gets a terse 404 rather than
# serving Caddy's default welcome page, which leaks the version.
# NOTE(review): this block names no hostname, so Caddy manages no
# certificate for it; on :443 a request for an unknown SNI presumably fails
# at the TLS handshake rather than reaching the 404 — confirm the observed
# behaviour for an unclaimed hostname on both ports. The :80 listener is
# the one that reliably serves this response.
:80, :443 {
respond "nope" 404
}