Caddy

Caddy is the reverse proxy for all public-facing services on fismen. It handles TLS automatically via ACME, with one exception (Vaultwarden uses Cloudflare DNS challenge).

Forward auth

A global tinyauth snippet is defined at the top of the Caddyfile and used selectively:

• fismen.no — protected (Glance dashboard)
• status.fismen.no — protected (Gatus)
• docs.fismen.no — partially protected; /raw/* paths are public

All other services are either internal-only or unprotected by design.

Special cases

• vault.fismen.no — bound to the Tailscale IP (100.86.115.86) only; not publicly reachable. Uses Cloudflare DNS challenge for TLS since it cannot use HTTP challenge.
• ugle.fismen.no — proxies to royset over Tailscale with TLS verification disabled (tls_insecure_skip_verify).
• photos.fismen.no — proxies to cube.little-lenok.ts.net over Tailscale.
• video.fismen.no (Plex) — forces HTTP/1.1 and 2 explicitly; passes standard forwarding headers.

Caddyfile

The authoritative Caddyfile is kept at /raw/caddyfile.

Notes

• Caddy is installed natively on fismen, not in a container
• Cloudflare API token for DNS challenge is passed via environment variable CLOUDFLARE_API_TOKEN
• Caddy is installed on heimvon as well but not serving anything currently