fix: resolve Caddy env vars at write time to prevent parse errors

acme_ca and the pic_ngo DNS credentials ({$PIC_NGO_DDNS_TOKEN}, {$PIC_NGO_DDNS_API}) were written as Caddy env-var placeholders, but the Caddy container does not inherit the API container's environment, so the substitutions always failed — Caddy saw bare directive names with no arguments and rejected the Caddyfile. - _global_acme_block: only emit the acme_ca directive when ACME_CA_URL is actually set; omitting it makes Caddy default to Let's Encrypt production. - _caddyfile_pic_ngo: embed the DDNS_TOTP_SECRET and DDNS_URL values directly into the Caddyfile at write time rather than relying on Caddy env expansion. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-30 15:01:15 -04:00
parent e87022dc55
commit a906c26b5d
2 changed files with 42 additions and 10 deletions
@@ -158,8 +158,12 @@ class CaddyManager(BaseServiceManager):
        lines.append("    admin 0.0.0.0:2019")
        if email:
            lines.append(f"    email {email}")
-        # Always allow tests to override the ACME directory via env var.
-        lines.append("    acme_ca {$ACME_CA_URL}")
+        # Only write acme_ca when a URL is configured — an empty ACME_CA_URL
+        # causes Caddy to reject the Caddyfile with "wrong argument count".
+        # When absent, Caddy defaults to Let's Encrypt production.
+        acme_ca_url = os.environ.get('ACME_CA_URL', '').strip()
+        if acme_ca_url:
+            lines.append(f"    acme_ca {acme_ca_url}")
        lines.append("}")
        return "\n".join(lines)

@@ -272,14 +276,21 @@ class CaddyManager(BaseServiceManager):
        body.append(core_routes)
        inner = "\n".join(body)
        email = f"admin@{domain}"
+
+        # Resolve credentials at write time — Caddy runs in its own container
+        # and does not inherit the API's environment variables, so we embed the
+        # actual values instead of {$VAR} placeholders.
+        ddns_token = (os.environ.get('DDNS_TOTP_SECRET') or '').strip()
+        ddns_api   = (os.environ.get('DDNS_URL') or 'https://ddns.pic.ngo/api/v1').strip()
+
        return (
            f"{self._global_acme_block(email)}\n"
            "\n"
            f"*.{domain}, {domain} {{\n"
            "    tls {\n"
            "        dns pic_ngo {\n"
-            "            token {$PIC_NGO_DDNS_TOKEN}\n"
-            "            api_base_url {$PIC_NGO_DDNS_API}\n"
+            f"            token {ddns_token}\n"
+            f"            api_base_url {ddns_api}\n"
            "        }\n"
            "    }\n"
            f"{inner}\n"