Netdata.cloud bot for Zulip
# Caddyfile for Netdata Zulip Bot with mutual TLS
#
# This configuration provides:
# - Automatic HTTPS with Let's Encrypt certificates
# - Mutual TLS authentication for Netdata webhooks
# - Reverse proxy to the backend bot service
#
# Usage:
# 1. Replace YOUR_DOMAIN with your actual domain
# 2. Save the Netdata CA certificate to netdata-ca.pem
# 3. Run: caddy run --config Caddyfile
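# Site block for the Netdata Zulip bot: terminates TLS, authenticates Netdata
# webhook callers by client certificate, and proxies to the bot service on
# localhost:8080. Everything outside /webhook/netdata and /health gets a 404.
YOUR_DOMAIN {
	# Automatic HTTPS with Let's Encrypt, plus client-certificate handling.
	#
	# client_auth is part of the site's TLS settings: it takes effect during
	# the TLS handshake, before any request path is known. `tls` is therefore
	# not valid inside a `handle` block and cannot differ per path.
	# The mode is verify_if_given so that /health stays reachable without a
	# certificate. A certificate that IS presented must still chain to
	# netdata-ca.pem, and the webhook route below refuses requests that
	# presented none.
	tls {
		# Optional: specify email for Let's Encrypt account
		# email admin@example.com

		client_auth {
			mode verify_if_given
			# Relative path: resolved against the directory Caddy is started from.
			# NOTE(review): newer Caddy releases prefer `trust_pool file` over
			# trusted_ca_cert_file - check against the version you run.
			trusted_ca_cert_file netdata-ca.pem
		}
	}

	# Webhook requests that arrived with a verified client certificate.
	# The subject placeholder is empty when no certificate was presented,
	# so "not empty" means the handshake carried a certificate that passed
	# verification against netdata-ca.pem.
	# NOTE(review): chain verification accepts ANY certificate issued by that
	# CA. If the CA also signs certificates for other parties, the bot should
	# additionally check X-Client-Subject against the expected sender.
	@webhook_mtls {
		path /webhook/netdata
		not vars {http.request.tls.client.subject} ""
	}

	# Authenticated webhook traffic: reverse proxy to the bot service.
	# Assumes the bot listens on loopback only, so this proxy cannot be
	# bypassed by connecting to port 8080 directly - confirm on the host.
	handle @webhook_mtls {
		reverse_proxy localhost:8080 {
			# Pass client certificate info as headers (optional).
			# header_up sets the value, replacing anything the client sent
			# under the same header name.
			header_up X-Client-Cert {http.request.tls.client.certificate_pem}
			header_up X-Client-Subject {http.request.tls.client.subject}
		}
	}

	# Webhook requests without a client certificate end here and never reach
	# the bot. After deploying, confirm that a request to /webhook/netdata
	# made without a client certificate returns 403 (and run
	# `caddy validate --config Caddyfile` before starting the server).
	handle /webhook/netdata {
		respond "Client certificate required" 403
	}

	# Health check endpoint (no client certificate required).
	# The identity headers are stripped so a caller cannot hand the bot a
	# forged X-Client-Cert / X-Client-Subject through this unauthenticated route.
	handle /health {
		reverse_proxy localhost:8080 {
			header_up -X-Client-Cert
			header_up -X-Client-Subject
		}
	}

	# Default handler for other paths
	handle {
		respond "Not Found" 404
	}

	# Access logging: JSON to a rotated file (100mb per file, 10 files,
	# kept for 720h = 30 days).
	log {
		output file /var/log/caddy/netdata-bot.log {
			roll_size 100mb
			roll_keep 10
			roll_keep_for 720h
		}
		format json
		level INFO
	}
}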
# Alternative configuration for testing with self-signed certificates
# Uncomment the block below and comment out the main block above

# YOUR_DOMAIN {
# 	tls internal # Use Caddy's internal CA for self-signed certificates
#
# 	@webhook {
# 		path /webhook/netdata
# 	}
#
# 	handle @webhook {
# 		# For testing without mutual TLS: requests reach the bot unauthenticated
# 		reverse_proxy localhost:8080
# 	}
#
# 	handle /health {
# 		reverse_proxy localhost:8080
# 	}
#
# 	handle {
# 		respond "Not Found" 404
# 	}
# }