roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Wiki Activity

feat: route PIC services as subdomains of the cell's effective domain
Unit Tests / test (push) Successful in 11m33s
Details

Browse Source 
In DDNS modes (pic_ngo, cloudflare, duckdns, http01), all built-in
services are now reachable as subdomains of the cell domain, e.g.
calendar.pic1.pic.ngo instead of pic1.pic.ngo/calendar.

Key changes:
- CaddyManager._build_core_service_routes(): new helper generates
  Caddy named-matcher host blocks for calendar, mail/webmail, files,
  webdav, and api subdomains within the wildcard TLS server block.
- All ACME modes (pic_ngo, cloudflare, duckdns) use the new
  subdomain matchers; http01 emits a dedicated server block per service.
- http01: installed store-plugin services whose name clashes with a
  core service are skipped to prevent duplicate server blocks.
- routes/config.py: ip_utils.write_caddyfile() is skipped in non-LAN
  modes so LAN Caddy config never overwrites the ACME config.
- firewall_manager.generate_corefile(): new split_horizon_zones param
  adds local authoritative file zones so LAN clients resolve
  *.pic1.pic.ngo to the internal Caddy IP without hairpin NAT.
- NetworkManager.update_split_horizon_zone(): writes the wildcard zone
  file and regenerates the Corefile with the split-horizon block;
  called automatically after every identity change in non-LAN mode.
- Added @ to allowed record-name chars in update_dns_zone validation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Dmitrii Iurco
2026-05-28 04:31:57 -04:00
parent 1f016de855
commit d7dbd596ab
7 changed files with 285 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files
api/caddy_manager.py
+54 -13
View File
@@ -161,6 +161,32 @@ class CaddyManager(BaseServiceManager):
lines.append("}")
return "\n".join(lines)
@staticmethod
def _build_core_service_routes(domain: str) -> str:
"""Return 4-space-indented named-matcher + handle blocks for core services."""
return (
f" @calendar host calendar.{domain}\n"
f" handle @calendar {{\n"
f" reverse_proxy cell-radicale:5232\n"
f" }}\n"
f" @mail host mail.{domain} webmail.{domain}\n"
f" handle @mail {{\n"
f" reverse_proxy cell-rainloop:8888\n"
f" }}\n"
f" @files host files.{domain}\n"
f" handle @files {{\n"
f" reverse_proxy cell-filegator:8080\n"
f" }}\n"
f" @webdav host webdav.{domain}\n"
f" handle @webdav {{\n"
f" reverse_proxy cell-webdav:80\n"
f" }}\n"
f" @api host api.{domain}\n"
f" handle @api {{\n"
f" reverse_proxy cell-api:3000\n"
f" }}"
)
@staticmethod
def _indent_routes(routes: str, spaces: int = 4) -> str:
"""Indent a multi-line route block by ``spaces`` columns."""
@@ -203,16 +229,17 @@ class CaddyManager(BaseServiceManager):
def _caddyfile_pic_ngo(self, cell_name: str,
service_routes: str, core_routes: str) -> str:
"""pic_ngo mode: wildcard DNS-01 via the pic_ngo plugin."""
body = []
domain = f"{cell_name}.pic.ngo"
body = [self._build_core_service_routes(domain)]
if service_routes:
body.append(self._indent_routes(service_routes))
body.append(core_routes)
inner = "\n".join(body)
email = f"admin@{cell_name}.pic.ngo"
email = f"admin@{domain}"
return (
f"{self._global_acme_block(email)}\n"
"\n"
f"*.{cell_name}.pic.ngo, {cell_name}.pic.ngo {{\n"
f"*.{domain}, {domain} {{\n"
" tls {\n"
" dns pic_ngo {\n"
" token {$PIC_NGO_DDNS_TOKEN}\n"
@@ -226,7 +253,7 @@ class CaddyManager(BaseServiceManager):
def _caddyfile_cloudflare(self, custom_domain: str,
service_routes: str, core_routes: str) -> str:
"""cloudflare mode: wildcard DNS-01 via the cloudflare plugin."""
body = []
body = [self._build_core_service_routes(custom_domain)]
if service_routes:
body.append(self._indent_routes(service_routes))
body.append(core_routes)
@@ -245,7 +272,8 @@ class CaddyManager(BaseServiceManager):
def _caddyfile_duckdns(self, cell_name: str,
service_routes: str, core_routes: str) -> str:
"""duckdns mode: DNS-01 via the duckdns plugin."""
body = []
domain = f"{cell_name}.duckdns.org"
body = [self._build_core_service_routes(domain)]
if service_routes:
body.append(self._indent_routes(service_routes))
body.append(core_routes)
@@ -253,7 +281,7 @@ class CaddyManager(BaseServiceManager):
return (
f"{self._global_acme_block(None)}\n"
"\n"
f"*.{cell_name}.duckdns.org {{\n"
f"*.{domain} {{\n"
" tls {\n"
" dns duckdns {$DUCKDNS_TOKEN}\n"
" }\n"
@@ -265,23 +293,36 @@ class CaddyManager(BaseServiceManager):
installed_services: List[Dict[str, Any]],
core_routes: str) -> str:
"""http01 mode: no wildcard. Each service gets its own block."""
# Main host block — only the core routes (api + webui). Service
# routes that could otherwise be served as path-prefixes are NOT
# placed here because in http01 mode each service is intended to
# live on its own subdomain (otherwise it could also use a path
# prefix here, but the spec calls for separate blocks).
# Main host block — only the core routes (api + webui).
out = [self._global_acme_block('{$ACME_EMAIL}'), ""]
out.append(f"{host} {{")
out.append(core_routes)
out.append("}")
# One block per installed service that has a caddy_route.
# One block per core service subdomain.
_core_services = [
('calendar', 'cell-radicale:5232'),
('mail', 'cell-rainloop:8888'),
('webmail', 'cell-rainloop:8888'),
('files', 'cell-filegator:8080'),
('webdav', 'cell-webdav:80'),
('api', 'cell-api:3000'),
]
for subdomain, backend in _core_services:
out.append("")
out.append(f"{subdomain}.{host} {{")
out.append(f" reverse_proxy {backend}")
out.append("}")
# One block per installed (store plugin) service that has a caddy_route,
# skipping any name that conflicts with a core service.
_core_names = {s for s, _ in _core_services}
for svc in installed_services or []:
if not svc:
continue
route = svc.get('caddy_route')
name = svc.get('name') or svc.get('subdomain')
if not route or not name:
if not route or not name or name in _core_names:
continue
out.append("")
out.append(f"{name}.{host} {{")
api/firewall_manager.py
+18 -2
View File
@@ -710,7 +710,8 @@ def _build_acl_block(blocked_peers_by_service: Dict[str, List[str]],
def generate_corefile(peers: List[Dict[str, Any]], corefile_path: str = COREFILE_PATH,
domain: str = 'cell',
cell_links: Optional[List[Dict[str, Any]]] = None) -> bool:
cell_links: Optional[List[Dict[str, Any]]] = None,
split_horizon_zones: Optional[List[str]] = None) -> bool:
"""
Rewrite the CoreDNS Corefile with per-peer ACL rules and reload plugin.
The file is written to corefile_path (API-side path mapped into CoreDNS container).
@@ -718,6 +719,10 @@ def generate_corefile(peers: List[Dict[str, Any]], corefile_path: str = COREFILE
cell_links: optional list of cell-to-cell DNS forwarding entries, each a dict with
'domain' and 'dns_ip' keys (same shape as CellLinkManager.list_connections()).
When non-empty, a forwarding stanza is appended for each entry.
split_horizon_zones: optional list of FQDNs (e.g. ['pic1.pic.ngo']) for which a
local authoritative zone block is added so LAN clients resolve
service subdomains to the internal Caddy IP without hairpin NAT.
Each zone must have a corresponding zone file under /data/<fqdn>.zone.
"""
try:
# Collect which peers block which services
@@ -748,6 +753,17 @@ def generate_corefile(peers: List[Dict[str, Any]], corefile_path: str = COREFILE
{primary_zone_block}"""
# Split-horizon zones for DDNS/public domains — LAN clients resolve
# *.pic1.pic.ngo to the internal Caddy IP without hairpin NAT.
if split_horizon_zones:
for sz in split_horizon_zones:
corefile += (
f'\n{sz} {{\n'
f' file /data/{sz}.zone\n'
f' log\n'
f'}}\n'
)
# Append cell-to-cell DNS forwarding stanzas if provided
if cell_links:
for link in cell_links:
@@ -762,7 +778,7 @@ def generate_corefile(peers: List[Dict[str, Any]], corefile_path: str = COREFILE
f' log\n'
f'}}\n'
)
else:
elif not split_horizon_zones:
corefile += '\n'
# local.{domain} block intentionally omitted: /data/local.zone does not exist
api/network_manager.py
+29 -1
View File
@@ -45,7 +45,7 @@ class NetworkManager(BaseServiceManager):
for rec in records:
rname = rec.get('name', '')
rvalue = rec.get('value', '')
if rname and not re.match(r'^[a-zA-Z0-9_.*-]{1,253}$', str(rname)):
if rname and not re.match(r'^[a-zA-Z0-9_@.*-]{1,253}$', str(rname)):
logger.error(f"update_dns_zone: invalid record name {rname!r}")
return False
if rvalue and not re.match(r'^[a-zA-Z0-9._: -]{1,512}$', str(rvalue)):
@@ -165,6 +165,34 @@ class NetworkManager(BaseServiceManager):
self.update_dns_zone(domain, records)
logger.info(f"Created {len(records)} default DNS records for zone '{domain}'")
def update_split_horizon_zone(self, effective_domain: str, caddy_ip: str,
primary_domain: str = 'cell',
peers: Optional[List[Dict]] = None,
cell_links: Optional[List[Dict]] = None) -> bool:
"""Write a local authoritative zone for effective_domain pointing all
hosts (wildcard) to caddy_ip so LAN clients resolve service subdomains
without hairpin NAT. Regenerates the Corefile and reloads CoreDNS."""
import firewall_manager as _fm
# SOA/NS are generated by _generate_zone_content; just pass the A records.
records = [
{'name': '@', 'type': 'A', 'value': caddy_ip},
{'name': '*', 'type': 'A', 'value': caddy_ip},
]
ok = self.update_dns_zone(effective_domain, records)
if not ok:
logger.warning('update_split_horizon_zone: zone file write failed for %s', effective_domain)
corefile = os.path.join(self.config_dir, 'dns', 'Corefile')
peers_data = peers or []
ok_cf = _fm.generate_corefile(
peers_data, corefile, primary_domain,
cell_links=cell_links,
split_horizon_zones=[effective_domain],
)
if ok_cf:
_fm.reload_coredns()
return ok and ok_cf
def apply_ip_range(self, ip_range: str, cell_name: str, domain: str) -> Dict[str, Any]:
"""Rewrite the primary DNS zone file with IPs derived from the new subnet."""
restarted: List[str] = []
api/routes/config.py
+34 -18
View File
@@ -316,11 +316,12 @@ def update_config():
net_result = network_manager.apply_domain(domain, reload=False)
all_warnings.extend(net_result.get('warnings', []))
_cur_id = config_manager.configs.get('_identity', {})
ip_utils.write_caddyfile(
_cur_id.get('ip_range', os.environ.get('CELL_IP_RANGE', '172.20.0.0/16')),
_cur_id.get('cell_name', os.environ.get('CELL_NAME', 'mycell')),
domain, '/app/config-caddy/Caddyfile'
)
if _cur_id.get('domain_mode', 'lan') == 'lan':
ip_utils.write_caddyfile(
_cur_id.get('ip_range', os.environ.get('CELL_IP_RANGE', '172.20.0.0/16')),
_cur_id.get('cell_name', os.environ.get('CELL_NAME', 'mycell')),
domain, '/app/config-caddy/Caddyfile'
)
_set_pending_restart(
[f'domain changed to {domain}'],
['dns', 'caddy'],
@@ -334,12 +335,13 @@ def update_config():
cn_result = network_manager.apply_cell_name(old_name, new_name, reload=False)
all_warnings.extend(cn_result.get('warnings', []))
_cur_id2 = config_manager.configs.get('_identity', {})
ip_utils.write_caddyfile(
_cur_id2.get('ip_range', os.environ.get('CELL_IP_RANGE', '172.20.0.0/16')),
new_name,
identity_updates.get('domain') or _cur_id2.get('domain', os.environ.get('CELL_DOMAIN', 'cell')),
'/app/config-caddy/Caddyfile'
)
if _cur_id2.get('domain_mode', 'lan') == 'lan':
ip_utils.write_caddyfile(
_cur_id2.get('ip_range', os.environ.get('CELL_IP_RANGE', '172.20.0.0/16')),
new_name,
identity_updates.get('domain') or _cur_id2.get('domain', os.environ.get('CELL_DOMAIN', 'cell')),
'/app/config-caddy/Caddyfile'
)
_set_pending_restart(
[f'cell_name changed to {new_name}'],
['dns'],
@@ -370,7 +372,8 @@ def update_config():
firewall_manager.ensure_caddy_virtual_ips()
env_file = os.environ.get('COMPOSE_ENV_FILE', '/app/.env.compose')
ip_utils.write_env_file(new_range, env_file, _collect_service_ports(config_manager.configs))
ip_utils.write_caddyfile(new_range, cur_cell_name, cur_domain, '/app/config-caddy/Caddyfile')
if cur_identity.get('domain_mode', 'lan') == 'lan':
ip_utils.write_caddyfile(new_range, cur_cell_name, cur_domain, '/app/config-caddy/Caddyfile')
_set_pending_restart(
[f'ip_range changed to {new_range} — network will be recreated'],
['*'], network_recreate=True,
@@ -379,13 +382,25 @@ def update_config():
if identity_updates:
_cur_identity = config_manager.configs.get('_identity', {})
_eff_domain = config_manager.get_effective_domain()
service_bus.publish_event(EventType.IDENTITY_CHANGED, 'config', {
'cell_name': _cur_identity.get('cell_name'),
'domain': _cur_identity.get('domain'),
'domain_name': _cur_identity.get('domain_name'),
'domain_mode': _cur_identity.get('domain_mode'),
'effective_domain': config_manager.get_effective_domain(),
'effective_domain': _eff_domain,
})
if _cur_identity.get('domain_mode', 'lan') != 'lan' and _eff_domain:
try:
import ip_utils as _ip_sh
_ip_range = _cur_identity.get('ip_range', os.environ.get('CELL_IP_RANGE', '172.20.0.0/16'))
_caddy_ip = _ip_sh.get_service_ips(_ip_range).get('caddy', '172.20.0.2')
_primary_domain = _cur_identity.get('domain', os.environ.get('CELL_DOMAIN', 'cell'))
network_manager.update_split_horizon_zone(
_eff_domain, _caddy_ip, primary_domain=_primary_domain
)
except Exception as _sh_exc:
logger.warning('split-horizon zone update failed: %s', _sh_exc)
_PORT_CHANGE_MAP = {
('network', 'dns_port'): ('dns_port', ['dns']),
@@ -644,11 +659,12 @@ def cancel_pending_config():
if cur_cell_name and old_cell_name and cur_cell_name != old_cell_name:
network_manager.apply_cell_name(cur_cell_name, old_cell_name, reload=False)
_ip_revert.write_caddyfile(
_id.get('ip_range', os.environ.get('CELL_IP_RANGE', '172.20.0.0/16')),
_id.get('cell_name', os.environ.get('CELL_NAME', 'mycell')),
_dom, '/app/config-caddy/Caddyfile'
)
if _id.get('domain_mode', 'lan') == 'lan':
_ip_revert.write_caddyfile(
_id.get('ip_range', os.environ.get('CELL_IP_RANGE', '172.20.0.0/16')),
_id.get('cell_name', os.environ.get('CELL_NAME', 'mycell')),
_dom, '/app/config-caddy/Caddyfile'
)
_clear_pending_restart()
return jsonify({'message': 'Pending changes discarded'})