I wanted to find a way to sync content between my (awesome) vanity URL at https://omg.dje.li and the same static site built by Hugo for https://djelibeybi.github.io.

So, I was planning on doing further CI work to build another version of the site using a different base URL and then scp’ing it to a front-end NGINX reverse proxy, with Let’s Encrypt SSL certificates providing SSL termination.

Then I discovered Caddy.

Caddy has some fantastic features:

What’s even better is that Caddy scores an ‘A+’ from Qualys SSL Labs with just a single additional configuration setting (the header line in the Caddyfile below).

Migrating from NGINX to Caddy literally took a few minutes. I’ve set up Caddy with a webhook that is triggered by my local GitLab CE instance every time I push new content. That will update the git repo on the Caddy server and run Hugo to generate the static output.

And the Caddyfile that enables all this automation is pretty simple:

Caddyfile
omg.dje.li {

    root /path/to/caddy/omg.dje.li
    log  /path/to/caddy/logs/omg.dje.li-access.log {
        rotate {
            age  7   # Keep log files for 7 days
            keep 10  # Keep at most 10 log files
        }
    }

    gzip
    header / Strict-Transport-Security "max-age=31536000"

    tls {
        dns route53
    }

    git {
        repo git@<internal.gitlab.host>:<username>/<repo>.git
        key /path/to/caddy/.ssh/id_rsa
        then git submodule update --init
        then hugo --destination=/path/to/caddy/omg.dje.li --baseURL https://omg.dje.li
        hook /hidden_webhook_location secret-password-which-is-not-this
    }

}

I use Route 53 to serve dje.li, and Caddy includes automatic DNS integration for Let’s Encrypt validation. I provide my AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY via EnvironmentFile in the systemd service definition for Caddy, and that file is chmod 400 to the caddy user.

The git block should be fairly straightforward to read as well. I have a unique public/private key pair for Caddy which has pull access from my internal GitLab CE instance. Caddy will automatically update the Hugo theme (via the submodule update call) and then run Hugo to generate the static output.
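
The header line in the Caddyfile sets an HSTS policy of one year (max-age=31536000 seconds) for omg.dje.li. The Python code below is an added example, not part of the original post or of Caddy: it parses a Strict-Transport-Security value following RFC 6797 section 6.1 and reports what the policy does and does not cover. The function names parse_hsts and hsts_findings and every sample value except the Caddyfile's are constructed for illustration.

```python
import re

# One directive: a name, optionally "=" and a token or quoted-string value.
# Simplification (assumption of this example): values containing ";" or an
# escaped quote are rejected rather than parsed.
_DIRECTIVE = re.compile(r'^\s*([^\s=;"]+)\s*(?:=\s*("?)([^";]*)\2)?\s*$')


def parse_hsts(value):
    """Return the policy as a dict, or None if a browser would ignore the header."""
    seen = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # empty directives, e.g. a trailing ";", are allowed
        m = _DIRECTIVE.match(part)
        if m is None:
            return None
        name = m.group(1).lower()  # directive names are case-insensitive
        if name in seen:
            return None  # each directive may appear only once
        seen[name] = (m.group(3) or "").strip()
    max_age = seen.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None  # max-age is required and must be a non-negative integer
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,  # not in RFC 6797; used by preload lists
    }


def hsts_findings(value):
    """List what a reviewer should know about this header value."""
    policy = parse_hsts(value)
    if policy is None:
        return ["invalid header: browsers ignore it"]
    notes = []
    if policy["max_age"] == 0:
        notes.append("max-age=0 tells browsers to drop the policy")
    if not policy["include_subdomains"]:
        notes.append("policy covers this host only, not its subdomains")
    return notes


if __name__ == "__main__":
    # First value is the one from the Caddyfile; the rest are constructed samples.
    for sample in ("max-age=31536000", 'MAX-AGE="600"; includeSubDomains;',
                   "includeSubDomains", "max-age=1; max-age=2"):
        print(repr(sample), "->", parse_hsts(sample), hsts_findings(sample))
```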