From 864a245acf9c7a7b849169f936ced45c33420756 Mon Sep 17 00:00:00 2001 From: Petr Simecek Date: Sun, 26 Apr 2026 01:46:42 +0200 Subject: [PATCH] fix(deploy): pass CADDY_TLS through to caddy container (#55) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix(deploy): pass CADDY_TLS through to caddy container PR #52 added the {$CADDY_TLS:default} substitution to the Caddyfile but forgot to expose CADDY_TLS to the caddy service in docker-compose.yml. Result: Caddyfile substitution falls back to the default (`tls /certs/fullchain.pem /certs/privkey.pem`) regardless of what the operator wrote into .env, and Caddy crash-loops with "open /certs/fullchain.pem: no such file or directory" on any LE / internal deployment. Compose `- CADDY_TLS` (no `=value`) is the bare-form passthrough — Compose reads the value from .env (or the host shell) at up time. No-op when CADDY_TLS is unset (Caddyfile default kicks in), exact behavior preserved for cert-file deployments. Caught by Keboola's first agnes-dev recreate (kids-ai-data-analysis project, agnes-dev.keboola.com) — VM came up with .env containing CADDY_TLS="tls petr@keboola.com" but Caddy ignored it and tried to load the corp PKI cert file. * docs(changelog): document the CADDY_TLS passthrough fix per discipline rule --- CHANGELOG.md | 4 ++++ docker-compose.yml | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 29d19b8..f45d5c9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -13,6 +13,10 @@ CalVer image tags (`stable-YYYY.MM.N`, `dev-YYYY.MM.N`) are produced for every C +### Fixed + +- `docker-compose.yml` caddy service now passes `CADDY_TLS` through to the container (`- CADDY_TLS` bare-form passthrough). Without it the `Caddyfile` `{$CADDY_TLS:default}` substitution always falls back to cert-file mode regardless of what the operator wrote into `.env`, and Caddy crash-loops on Let's Encrypt / internal-CA deployments. Should have shipped with #52; first attempt was #55, accidentally closed before merging. + ### Internal - `CLAUDE.md` — non-negotiable changelog discipline: every PR touching user-visible behavior must update `CHANGELOG.md` under `## [Unreleased]` in the same PR. diff --git a/docker-compose.yml b/docker-compose.yml index 5f1317c..a40d10f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -127,6 +127,12 @@ services: - caddy_config:/config environment: - DOMAIN=${DOMAIN:-localhost} + # Passes through whatever the operator set in .env. Caddyfile uses + # {$CADDY_TLS:tls /certs/fullchain.pem /certs/privkey.pem} so: + # - unset → cert-file mode (corp PKI rotated by tls-rotate.sh) + # - "tls " → Let's Encrypt auto-issue + # - "tls internal" → Caddy-managed self-signed + - CADDY_TLS depends_on: app: condition: service_healthy
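Review bot: in the `CHANGELOG.md` hunk, the closing sentence of the new `### Fixed` entry ("first attempt was #55, accidentally closed before merging") contradicts the patch subject, which tags this very change as `(#55)`; either this is the re-opened attempt and should cite its own PR number, or the subject is wrong, but as written the changelog sends readers to a PR the entry itself calls closed. Suggest trimming to "Should have shipped with #52." plus the correct PR reference. The placement is fine: a new `### Fixed` block ahead of `### Internal` keeps the `## [Unreleased]` layout the `CLAUDE.md` discipline line describes.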
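Review bot: in the `docker-compose.yml` hunk, the comment line `# - "tls " → Let's Encrypt auto-issue` has lost the argument that the Let's Encrypt form needs; the commit message shows the working value as `tls petr@keboola.com`, so the comment should spell out the shape (for example `"tls you@example.com"`) rather than a bare `tls` with trailing whitespace that an operator might copy verbatim. Two further notes on the bare-form `- CADDY_TLS` passthrough: Compose resolves it from the shell running `docker compose up` with the shell taking precedence over `.env`, so a stale `CADDY_TLS` in an operator's shell silently changes the TLS mode of the deployment, which is worth a line in the comment; and because an unset or empty value falls back to cert-file mode without any signal (the exact failure this patch fixes), consider a healthcheck on the caddy service or logging the resolved directive at startup so the next misconfiguration surfaces before the crash loop.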