Initial madcat-caddy: Caddy + Cloudflare DNS + caddy-security

Forked from tengu-apps/tengu-caddy, adding:
- caddy-security plugin (OAuth 2.0, Basic Auth, JWT)
- Gitea apt registry publishing in CI
- Linux-only builds (arm64 + amd64)
- Replaces/conflicts with caddy and tengu-caddy packages

.github/workflows/build.yml

@@ -0,0 +1,106 @@
+name: Build and Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+env:
+  CADDY_PLUGINS: "github.com/caddy-dns/cloudflare@v0.2.4&p=github.com/greenpau/caddy-security@v1.1.62"
+
+jobs:
+  build-deb:
+    strategy:
+      matrix:
+        include:
+          - arch: amd64
+            runner: ubuntu-latest
+          - arch: arm64
+            runner: ubuntu-24.04-arm
+
+    runs-on: ${{ matrix.runner }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build .deb package
+        run: make deb ARCH=${{ matrix.arch }}
+
+      - name: Upload deb artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: madcat-caddy-deb-${{ matrix.arch }}
+          path: build/*.deb
+
+  build-binaries:
+    strategy:
+      matrix:
+        include:
+          - os: linux
+            arch: amd64
+            asset: madcat-caddy-linux-amd64
+          - os: linux
+            arch: arm64
+            asset: madcat-caddy-linux-arm64
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Download Caddy with plugins
+        run: |
+          curl -fsSL "https://caddyserver.com/api/download?os=${{ matrix.os }}&arch=${{ matrix.arch }}&p=${CADDY_PLUGINS}" \
+            -o ${{ matrix.asset }}
+          chmod +x ${{ matrix.asset }}
+          file ${{ matrix.asset }}
+
+      - name: Upload binary artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.asset }}
+          path: ${{ matrix.asset }}
+
+  release:
+    needs: [build-deb, build-binaries]
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+          merge-multiple: true
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: artifacts/*
+          generate_release_notes: true
+
+  publish-apt:
+    needs: [build-deb]
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+
+    steps:
+      - name: Download deb artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+          merge-multiple: true
+
+      - name: Publish to Gitea Debian registry
+        env:
+          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
+        run: |
+          for deb in artifacts/*.deb; do
+            echo "Publishing $(basename $deb)..."
+            curl --fail --user "madcat:${GITEA_TOKEN}" \
+              --upload-file "$deb" \
+              "https://repos.saiden.dev/api/packages/madcat-os/debian/pool/bookworm/main/upload"
+            echo " -> done"
+          done

.gitignore

@@ -0,0 +1,2 @@
+build/
+*.deb

Makefile

@@ -0,0 +1,65 @@
+VERSION := 2.11.2
+REVISION := 1
+CADDY_PLUGINS := github.com/caddy-dns/cloudflare@v0.2.4&p=github.com/greenpau/caddy-security@v1.1.62
+
+ARCH := $(shell dpkg --print-architecture 2>/dev/null || uname -m | sed 's/x86_64/amd64/' | sed 's/aarch64/arm64/')
+OS := linux
+PACKAGE_NAME := madcat-caddy
+DEB_NAME := $(PACKAGE_NAME)_$(VERSION)-$(REVISION)_$(ARCH).deb
+
+BUILD_DIR := build
+STAGING_DIR := $(BUILD_DIR)/staging
+
+.PHONY: all clean build deb install
+
+all: deb
+
+clean:
+	rm -rf $(BUILD_DIR)
+
+# Download pre-built Caddy with plugins from official API
+$(BUILD_DIR)/caddy:
+	@mkdir -p $(BUILD_DIR)
+	@echo "Downloading Caddy $(VERSION) for $(OS)/$(ARCH) with plugins..."
+	curl -sL "https://caddyserver.com/api/download?os=$(OS)&arch=$(ARCH)&p=$(CADDY_PLUGINS)" -o $@
+	chmod +x $@
+	@echo "Verifying binary..."
+	@file $@
+
+build: $(BUILD_DIR)/caddy
+
+# Build .deb package
+deb: $(BUILD_DIR)/caddy
+	@echo "Building .deb package..."
+	@mkdir -p $(STAGING_DIR)/DEBIAN
+	@mkdir -p $(STAGING_DIR)/usr/bin
+	@mkdir -p $(STAGING_DIR)/usr/lib/systemd/system
+	@mkdir -p $(STAGING_DIR)/etc/caddy
+
+	@# Binary
+	cp $(BUILD_DIR)/caddy $(STAGING_DIR)/usr/bin/caddy
+
+	@# Systemd service
+	cp debian/caddy.service $(STAGING_DIR)/usr/lib/systemd/system/
+
+	@# Default Caddyfile
+	cp debian/Caddyfile $(STAGING_DIR)/etc/caddy/
+
+	@# Control file
+	sed 's/{{VERSION}}/$(VERSION)-$(REVISION)/g; s/{{ARCH}}/$(ARCH)/g' debian/control > $(STAGING_DIR)/DEBIAN/control
+
+	@# Scripts
+	cp debian/postinst $(STAGING_DIR)/DEBIAN/
+	cp debian/prerm $(STAGING_DIR)/DEBIAN/
+	cp debian/postrm $(STAGING_DIR)/DEBIAN/
+	chmod 755 $(STAGING_DIR)/DEBIAN/postinst $(STAGING_DIR)/DEBIAN/prerm $(STAGING_DIR)/DEBIAN/postrm
+
+	@# Conffiles
+	cp debian/conffiles $(STAGING_DIR)/DEBIAN/
+
+	@# Build package
+	dpkg-deb --build $(STAGING_DIR) $(BUILD_DIR)/$(DEB_NAME)
+	@echo "Built: $(BUILD_DIR)/$(DEB_NAME)"
+
+install: deb
+	sudo dpkg -i $(BUILD_DIR)/$(DEB_NAME)

README.md

@@ -0,0 +1,81 @@
+# madcat-caddy
+
+Caddy web server with **Cloudflare DNS** and **caddy-security** plugins built in.
+Pre-built `.deb` packages for Linux servers.
+
+## Plugins
+
+| Plugin | Purpose |
+|---|---|
+| [caddy-dns/cloudflare](https://github.com/caddy-dns/cloudflare) | DNS-01 ACME challenge via Cloudflare API |
+| [caddy-security](https://github.com/greenpau/caddy-security) | OAuth 2.0 (GitHub, Google, etc.), Basic Auth, JWT authorization |
+
+## Install
+
+### APT (Debian/Ubuntu)
+
+```bash
+# Add signing key
+sudo curl https://repos.saiden.dev/api/packages/madcat-os/debian/repository.key \
+  -o /etc/apt/keyrings/madcat-os.asc
+
+# Add repository
+echo "deb [signed-by=/etc/apt/keyrings/madcat-os.asc] https://repos.saiden.dev/api/packages/madcat-os/debian bookworm main" \
+  | sudo tee /etc/apt/sources.list.d/madcat-os.list
+
+# Install
+sudo apt update
+sudo apt install madcat-caddy
+```
+
+### Manual .deb
+
+Download from [Releases](https://github.com/madcat-os/madcat-caddy/releases):
+
+```bash
+# ARM64
+curl -fsSLO https://github.com/madcat-os/madcat-caddy/releases/latest/download/madcat-caddy_2.11.2-1_arm64.deb
+sudo dpkg -i madcat-caddy_2.11.2-1_arm64.deb
+
+# AMD64
+curl -fsSLO https://github.com/madcat-os/madcat-caddy/releases/latest/download/madcat-caddy_2.11.2-1_amd64.deb
+sudo dpkg -i madcat-caddy_2.11.2-1_amd64.deb
+```
+
+## Configuration
+
+Edit `/etc/caddy/Caddyfile`:
+
+```
+{
+    email you@example.com
+    acme_dns cloudflare {env.CF_API_TOKEN}
+}
+
+example.com {
+    reverse_proxy localhost:8080
+}
+```
+
+For Cloudflare API token:
+
+```bash
+sudo mkdir -p /etc/systemd/system/caddy.service.d
+sudo tee /etc/systemd/system/caddy.service.d/env.conf << EOF
+[Service]
+Environment="CF_API_TOKEN=your-cloudflare-api-token"
+EOF
+sudo systemctl daemon-reload
+sudo systemctl restart caddy
+```
+
+## Building
+
+```bash
+make deb ARCH=arm64
+make deb ARCH=amd64
+```
+
+## License
+
+Caddy is licensed under Apache 2.0. This packaging is MIT.

debian/caddy.service

@@ -0,0 +1,23 @@
+[Unit]
+Description=Caddy web server (madcat-caddy)
+Documentation=https://caddyserver.com/docs/
+After=network.target network-online.target
+Requires=network-online.target
+
+[Service]
+Type=notify
+User=caddy
+Group=caddy
+ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
+ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
+TimeoutStopSec=5s
+LimitNOFILE=1048576
+LimitNPROC=512
+PrivateTmp=true
+ProtectSystem=full
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target

debian/conffiles

@@ -0,0 +1 @@
+/etc/caddy/Caddyfile

debian/control

@@ -0,0 +1,12 @@
+Package: madcat-caddy
+Version: {{VERSION}}
+Architecture: {{ARCH}}
+Maintainer: madcat-os <madcat@saiden.dev>
+Description: Caddy web server with Cloudflare DNS and caddy-security plugins
+ Custom Caddy build with Cloudflare DNS-01 ACME challenge support
+ and caddy-security (OAuth 2.0, Basic Auth, JWT authorization).
+ Provides GitHub OAuth + Basic Auth gateway capabilities.
+Section: web
+Priority: optional
+Conflicts: caddy
+Replaces: caddy, tengu-caddy

debian/postinst

@@ -0,0 +1,24 @@
+#!/bin/sh
+set -e
+
+# Create caddy user/group if they don't exist
+if ! getent group caddy >/dev/null 2>&1; then
+    groupadd --system caddy
+fi
+
+if ! getent passwd caddy >/dev/null 2>&1; then
+    useradd --system --gid caddy --create-home --home-dir /var/lib/caddy --shell /usr/sbin/nologin caddy
+fi
+
+# Create config and data directories
+mkdir -p /etc/caddy
+mkdir -p /var/lib/caddy/.config/caddy
+mkdir -p /var/lib/caddy/.local/share/caddy
+chown -R caddy:caddy /var/lib/caddy
+
+# Enable and start the service
+if [ -d /run/systemd/system ]; then
+    systemctl daemon-reload
+    systemctl enable caddy.service
+    systemctl start caddy.service || true
+fi

debian/postrm

@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "purge" ]; then
+    rm -rf /etc/caddy
+    rm -rf /var/lib/caddy
+    userdel caddy 2>/dev/null || true
+    groupdel caddy 2>/dev/null || true
+fi
+
+if [ -d /run/systemd/system ]; then
+    systemctl daemon-reload
+fi

debian/prerm

@@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+
+if [ -d /run/systemd/system ]; then
+    systemctl stop caddy.service || true
+    systemctl disable caddy.service || true
+fi