#!/bin/bash set -e TLS_DIR="/opt/tls" mkdir -p "$TLS_DIR" # TLS_CERT/TLS_KEY may arrive as either a host-side path OR raw PEM content. # Detect by looking for a PEM header; if present, write to disk. if [ -n "$TLS_CERT" ] && printf '%s' "$TLS_CERT" | grep -q 'BEGIN '; then printf '%s' "$TLS_CERT" > "$TLS_DIR/cert.pem" CERT="$TLS_DIR/cert.pem" else CERT="${TLS_CERT:-$TLS_DIR/cert.pem}" fi if [ -n "$TLS_KEY" ] && printf '%s' "$TLS_KEY" | grep -q 'BEGIN '; then printf '%s' "$TLS_KEY" > "$TLS_DIR/key.pem" chmod 600 "$TLS_DIR/key.pem" KEY="$TLS_DIR/key.pem" else KEY="${TLS_KEY:-$TLS_DIR/key.pem}" fi # Generate a self-signed certificate if none exists if [ ! -f "$CERT" ] || [ ! -f "$KEY" ]; then CN="${TLS_CN:-${NODE_NAME:-localhost}}" openssl req -x509 -newkey rsa:2048 -nodes \ -keyout "$KEY" -out "$CERT" \ -days 3650 -subj "/CN=$CN" \ 2>/dev/null fi # Parse HTTP_VERSIONS JSON → Caddy protocol tokens. # Caddy handles h3 natively; h3 SETTINGS are captured via FPHandler (http3.Settingser). CADDY_PROTOCOLS=$(python3 -c " import json, os versions = json.loads(os.environ.get('HTTP_VERSIONS', '[\"http/1.1\"]')) tokens = [] if 'http/1.1' in versions: tokens.append('h1') if 'http/2' in versions: tokens.append('h2') if 'http/3' in versions: tokens.append('h3') print(' '.join(tokens) if tokens else 'h1') ") DECNET_FP_SOCK="${DECNET_FP_SOCK:-/run/decnet/fp.sock}" # Remove stale socket from a previous run rm -f "$DECNET_FP_SOCK" cat > /etc/caddy/Caddyfile </dev/null; exit 1; } exec caddy run --config /etc/caddy/Caddyfile