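#cloud-config
# Bootstraps a Caddy edge node: writes the Caddyfile, installs Docker when
# it is missing and starts Caddy as a container. The ${...} placeholders are
# substituted by the template engine that renders this file before cloud-init
# reads it (presumably Terraform templatefile — confirm against the caller).
package_update: true

write_files:
  - path: /opt/caddy/Caddyfile
    # World-readable is acceptable: the file carries no secrets, only the ACME
    # e-mail and upstream addresses.
    permissions: '0644'
    # The on_demand_tls "ask" endpoint is the only control that stops Caddy
    # from requesting a certificate for any hostname someone points at this
    # node (abuse of the ACME account / rate limits). It is called over plain
    # HTTP, so ${ask_upstream} must be reachable only via a trusted network
    # and must answer 200 solely for domains that are really allowed —
    # NOTE(review): confirm both with the app team.
    content: |
      {
        email ${acme_email}
        on_demand_tls {
          # Caddy fragt die App, ob es für die Domain ein Zertifikat ausstellen darf
          ask http://${ask_upstream}/internal/tls-allowed
        }
      }

      # Portal (Haupt-Domain): automatisches TLS, Load-Balancing über die App-Nodes
      ${domain}, www.${domain} {
        reverse_proxy ${app_upstreams} {
          lb_policy round_robin
        }
      }

      # Custom-Domains der Firmenkunden: On-Demand-TLS (nur erlaubte Hosts)
      https:// {
        tls {
          on_demand
        }
        reverse_proxy ${app_upstreams} {
          lb_policy round_robin
        }
      }

runcmd:
  # NOTE(review): pipe-to-shell install of an unpinned, remotely fetched
  # script. The distribution's docker package, or a downloaded installer
  # whose checksum is verified before execution, would be the safer choice.
  - command -v docker >/dev/null 2>&1 || curl -fsSL https://get.docker.com | sh
  - mkdir -p /opt/caddy/data /opt/caddy/config
  # Only start Caddy if no container of that name exists yet, so re-running
  # the step does not fail on the duplicate name. The Caddyfile is mounted
  # read-only; /data holds the ACME account key and certificates and must
  # persist across restarts. "caddy:2" is a moving tag — pin it to a digest
  # (caddy:2@sha256:<DIGEST-PLACEHOLDER>) for reproducible deployments.
  - |
    docker inspect caddy >/dev/null 2>&1 || docker run -d --name caddy --restart unless-stopped \
      -p 80:80 -p 443:443 -p 443:443/udp \
      -v /opt/caddy/Caddyfile:/etc/caddy/Caddyfile:ro \
      -v /opt/caddy/data:/data \
      -v /opt/caddy/config:/config \
      caddy:2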