fix(caddy): TLS certificates trust on all platforms

README.md

@@ -18,7 +18,7 @@ cp .env.dist .env
 docker compose up -d
 ```
 
-Github Container Registry :
+GitHub Container Registry :
 
 1. Go to [Settings / Developer Settings / Personal Access Token](https://github.com/settings/tokens/new?scopes=write:packages)
 2. Enter "Docker stack" in the **Name** field and check **write:packages** and **read:packages**
@@ -45,41 +45,38 @@ Restart your browsers!
 
 The base stack contains the minimal configuration related to web development.
 
- - caddy
- - adminer
- - maildev
- - memcached
+- Adminer
+- Caddy
+- MailDev
+- Memcached
 
 ## Compose your stack
 
-The default configuration include 3 databases containers : mysql 5, postgres 9 and postgres 17. You can change the loaded containers by changing the `COMPOSE_FILE` environment variable in the `.env` file.
+The default configuration include 3 databases containers : MySQL 5, PostgreSQL 9 and PostgreSQL 17.
 
-The default configuration can be found in the `.env.dist` file.
+You can change the loaded containers by changing the `COMPOSE_FILE` environment variable in the `.env` file.
 
+The default configuration can be found in the `.env.dist` file.
 
 The repository currently supports these databases:
 
- - postgresql 9, 10, 11, 12, 13, 14, 15, 16, 17
- - mysql 5
- - mariadb 10
+- PostgreSQL 9, 10, 11, 12, 13, 14, 15, 16, 17
+- MySQL 5
+- MariaDB 10
 
 The repository currently supports these message brokers:
 
- - rabbitmq 3.8
+- RabbitMQ 3.8
 
 [Redisinsight](https://redis.io/insight/) is available:
 
  - Add `./redis/redisinsight.yml` to your `.env`
- - Go to `https://redisinsight.${DOCKER_HOST_SUFFIX}`
-
-An optional watchtower service is available to update docker images automatically. Add `watchtower.yml` to `COMPOSE_FILE` variable and set a schedule with `WATCHTOWER_SCHEDULE` variable in your `.env` file (default is `0 0 17 * * *`). You should also [login to your docker hub account](https://docs.docker.com/security/for-developers/access-tokens/#create-an-access-token) to prevent rate limit issues.
+ - Got to [redisinsight.${DOCKER_HOST_SUFFIX}.lph](https://redisinsight.${DOCKER_HOST_SUFFIX}.lph/) or [redisinsight.lph](https://redisinsight.lph/)
 
-## Troubleshooting
+An optional watchtower service is available to update docker images automatically:
+Add `watchtower.yml` to `COMPOSE_FILE` variable and set a schedule with `WATCHTOWER_SCHEDULE` variable in your `.env` file
+(default is `0 0 17 * * *`).
 
-- If setup.sh respond `trust: install is not supported on this system`:
-
-```shell
-    sudo trust anchor --store /var/lib/docker/volumes/dev_caddy_data/_data/caddy/pki/authorities/local/root.crt
-    sudo trust anchor --store /var/lib/docker/volumes/dev_caddy_data/_data/caddy/pki/authorities/local/intermediate.crt
-    sudo update-ca-trust
-```
+You should also
+[login to your docker hub account](https://docs.docker.com/security/for-developers/access-tokens/#create-an-access-token)
+to prevent rate limit issues.

docker-compose.yml

@@ -17,6 +17,10 @@ services:
       - target: 443
         published: ${HTTP3_PORT:-443}
         protocol: udp
+      # Caddy admin API
+      - target: 2019
+        published: ${CADDY_ADMIN_PORT:-2019}
+        protocol: tcp
     environment:
       CADDY_INGRESS_NETWORKS: dev_public
     volumes:

setup.sh

@@ -1,14 +1,33 @@
-#!/usr/bin/env bash
+#!/usr/bin/env sh
 
-docker compose --ansi never up -d --build 2>& 1> /dev/null
-docker compose cp proxy:/usr/bin/caddy /tmp/caddy
+set -e
 
-XDG_DATA_HOME=/var/lib/docker/volumes/dev_caddy_data/_data
+docker compose up -d 2>/dev/null
 
-sudo XDG_DATA_HOME=${XDG_DATA_HOME} \
-/tmp/caddy start 2&> /dev/null; \
-/tmp/caddy untrust; \
-/tmp/caddy trust; \
-/tmp/caddy stop 2&> /dev/null; \
+CERTIFICATES_STORAGE_DIRECTORY=/usr/local/share/ca-certificates
+CADDY_ROOT_CERTIFICATE_FILE=$CERTIFICATES_STORAGE_DIRECTORY/Le_Phare_Docker_stack_Caddy_root.crt
 
-rm /tmp/caddy
+if [ -e $CADDY_ROOT_CERTIFICATE_FILE ]; then
+  echo "Le certificat Caddy existe déjà ($CADDY_ROOT_CERTIFICATE_FILE)."
+  echo "Si vous souhaitez le remplacer par un nouveau : supprimez-le puis relancez cette commande."
+  echo "Sinon, vous n'avez rien à faire."
+
+  exit
+fi
+
+sudo mkdir -p $CERTIFICATES_STORAGE_DIRECTORY
+
+sudo docker compose cp proxy:/data/caddy/pki/authorities/local/root.crt /usr/local/share/ca-certificates/ 2>/dev/null
+
+if [ "$(uname -s)" != "Darwin" ]; then
+  docker compose exec proxy wget -qO- --post-data='"0.0.0.0:2019"' --header='Content-Type:application/json' 'http://127.0.0.1:2019/config/admin/listen'
+
+  sudo docker compose cp proxy:/usr/bin/caddy /tmp/caddy 2>/dev/null
+
+  /tmp/caddy trust
+else
+  sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /usr/local/share/ca-certificates/Le_Phare_Docker_stack_Caddy_root.crt
+fi
+
+echo "Certificats Caddy installés avec succès !"
+echo "En cas de problèmes de certificats HTTPS non reconnus (dans votre navigateur par ex.), importez le fichier suivant dans les certificats du logiciel : /usr/local/share/ca-certificates/Le_Phare_Docker_stack_Caddy_root.crt"