update caddy setup

.env.sample

@@ -1,10 +1,22 @@
 # ------------------------------------------------------------------------------
-# Environment Variables
-# Uncommented keys are mandatory.
+# Keygen is a twelve-factor app, and as such is configured through environment
+# variables. Uncommented environment variables are mandatory. Failure to
+# provide all mandatory environment variables will result in pain.
 #
 # For more information, visit: https://keygen.sh/docs/self-hosting
 # ------------------------------------------------------------------------------
 
+# The email used by Caddy for generating and managing Let's Encrypt TLS certificates.
+#
+# Leave blank in non-production environments and Caddy will generate a self-signed certificate, which can be trusted like so:
+#
+#   docker cp caddy:/data/caddy/pki/authorities/local/root.crt ./caddy-root.crt
+#   sudo cp ./caddy-root.crt /usr/local/share/ca-certificates/caddy-root.crt
+#   sudo update-ca-certificates
+#
+# In production environments, this is required to use Let's Encrypt.
+# CADDY_ACME_EMAIL=
+
 # The username for the PostgreSQL database.
 POSTGRES_USER=
 
@@ -15,7 +27,7 @@ POSTGRES_PASSWORD=
 POSTGRES_DB=
 
 # The Redis database URL, e.g. redis://localhost:6379.
-REDIS_URL=
+REDIS_URL=redis://redis:6379
 
 # An internal secret key used by Ruby on Rails.
 # Use `rails secret` or `openssl rand -hex 64` to generate one. We recommend a random 64-byte secret.
@@ -42,7 +54,7 @@ KEYGEN_MODE=singleplayer
 
 # The account ID used for setting the tenant of Keygen in singleplayer mode.
 # Use `uuidgen` or `cat /proc/sys/kernel/random/uuid` to set a pre-determined ID.
-# * Required in singleplayer mode.
+# Required in singleplayer mode.
 KEYGEN_ACCOUNT_ID=
 
 # The admin email used during setup. Must be a valid email address for your organization.
@@ -60,15 +72,15 @@ KEYGEN_HOST=
 # KEYGEN_HOSTS=
 
 # The path to a Keygen EE license file, e.g. /etc/keygen/ee.lic.
-# * Either KEYGEN_LICENSE_FILE_PATH or KEYGEN_LICENSE_FILE are required in Keygen EE.
+# Either KEYGEN_LICENSE_FILE_PATH or KEYGEN_LICENSE_FILE are required in Keygen EE.
 # KEYGEN_LICENSE_FILE_PATH=
 
 # A base64 encoded Keygen EE license file. This is useful when a file system is not available for KEYGEN_LICENSE_FILE_PATH, e.g. with Heroku.
-# * Either KEYGEN_LICENSE_FILE_PATH or KEYGEN_LICENSE_FILE are required in Keygen EE.
+# Either KEYGEN_LICENSE_FILE_PATH or KEYGEN_LICENSE_FILE are required in Keygen EE.
 # KEYGEN_LICENSE_FILE=
 
 # The license key used to decrypt the Keygen EE license file.
-# * Required in Keygen EE.
+# Required in Keygen EE.
 # KEYGEN_LICENSE_KEY=
 
 # The primary domain Keygen's API will be accessible at. By default, this is parsed from KEYGEN_HOST, but that may result in inaccuracies under certain TLDs, e.g. co.uk.
@@ -139,39 +151,39 @@ KEYGEN_HOST=
 # REDIS_RECONNECT_ATTEMPTS=5
 
 # The Cloudflare R2 access key ID.
-# * Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
+# Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
 # CF_ACCESS_KEY_ID=
 
 # The Cloudflare R2 secret access key.
-# * Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
+# Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
 # CF_SECRET_ACCESS_KEY=
 
 # The Cloudflare R2 account ID.
-# * Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
+# Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
 # CF_ACCOUNT_ID=
 
 # The Cloudflare R2 bucket to upload artifacts to.
-# * Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
+# Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
 # CF_BUCKET=
 
 # The Cloudflare R2 region.
-# * Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
+# Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
 # CF_REGION=
 
 # The AWS S3 access key ID.
-# * Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
+# Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
 # AWS_ACCESS_KEY_ID=
 
 # The AWS S3 secret access key.
-# * Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
+# Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
 # AWS_SECRET_ACCESS_KEY=
 
 # The AWS S3 bucket to upload artifacts to.
-# * Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
+# Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
 # AWS_BUCKET=
 
 # The AWS S3 region.
-# * Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
+# Without Cloudflare R2 or AWS S3, uploading and downloading release artifacts will fail.
 # AWS_REGION=
 
 # The environment for Ruby on Rails.

Caddyfile

@@ -0,0 +1,4 @@
+{$KEYGEN_HOST} {
+	tls {$CADDY_ACME_EMAIL:internal}
+	reverse_proxy web:3000
+}

docker-compose.yaml

@@ -1,4 +1,3 @@
-version: '3.8'
 services:
   setup:
     profiles: [ "setup" ]
@@ -76,18 +75,12 @@ services:
       - "80:80"
       - "443:443"
     volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile
       - caddy_data:/data
       - caddy_config:/config
     env_file:
       - .env
-    command: >
-      sh -c '
-        echo "${KEYGEN_HOST}$${KEYGEN_HOSTS:+,} $${KEYGEN_HOSTS//,/, } {
-          tls internal
-          reverse_proxy web:3000
-        }" > /etc/caddy/Caddyfile &&
-        caddy run --config /etc/caddy/Caddyfile
-      '
+    command: ["caddy", "run", "--config", "/etc/caddy/Caddyfile"]
     depends_on:
       - web
     networks: