From 4987ba91c7bd716a988382a36fbb7c818044b729 Mon Sep 17 00:00:00 2001
From: autonomic-bot
Date: Thu, 18 Jun 2026 05:41:29 +0000
Subject: [PATCH] fix: caddy resolves own app via ${STACK_NAME}_app on shared proxy net

The caddy on-demand-TLS ask + reverse_proxy used bare host "app", which on the shared external proxy net collides with every other stack aliasing its main service "app" (docker DNS returns a foreign endpoint -> cert ask refused -> 000 on warm-canonical promote). Use the fully-qualified swarm service name ${STACK_NAME}_app (caddy {$APP_HOST} env) so caddy resolves THIS stack only. Established coop-cloud pattern (cf. matrix-synapse, mailu, mumble). Bump CADDYFILE_VERSION v1->v2.
---
 Caddyfile | 4 ++--
 abra.sh | 2 +-
 compose.yml | 1 +
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/Caddyfile b/Caddyfile
index 1a18550..9952fa6 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,6 +1,6 @@
 {
 on_demand_tls {
- ask http://app:3000/tls-check
+ ask http://{$APP_HOST}:3000/tls-check
 }
 }
@@ -8,5 +8,5 @@
 tls {
 on_demand
 }
- reverse_proxy app:3000
+ reverse_proxy {$APP_HOST}:3000
 }
diff --git a/abra.sh b/abra.sh
index 8a81819..e1a07c4 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,2 +1,2 @@
 export ENTRYPOINT_VERSION=v1
-export CADDYFILE_VERSION=v1
+export CADDYFILE_VERSION=v2
diff --git a/compose.yml b/compose.yml
index 22b2891..5a25c22 100644
--- a/compose.yml
+++ b/compose.yml
@@ -52,6 +52,7 @@ services:
 - internal
 environment:
 - DOMAIN=${DOMAIN}
+ - APP_HOST=${STACK_NAME}_app
 configs:
 - source: caddyfile
 target: /etc/caddy/Caddyfile
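Review bot: In Caddyfile, `{$APP_HOST}` in the `ask` URL (first hunk) and in `reverse_proxy` (second hunk) has no fallback and nothing in the file says where it comes from, so a deployment that receives this Caddyfile without the matching compose.yml change would presumably be left with an empty host in both places. The `ask` endpoint is what gates on-demand certificate issuance, so that dependency deserves a comment above the `ask` line, e.g. `# APP_HOST = stack-qualified service name, set in compose.yml; no default on purpose, bare "app" is ambiguous on the shared proxy net`. A `{$APP_HOST:app}` default would be the wrong fix, since it silently restores the name collision this commit removes.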
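Review bot: In compose.yml, the added `APP_HOST=${STACK_NAME}_app` degrades to `_app` without any error if STACK_NAME is empty at interpolation time, and it hard-codes the `app` service name, which is defined outside this hunk. If the deploy tooling honours compose's required-variable form, `- APP_HOST=${STACK_NAME:?}_app` makes a missing stack name fail the deploy instead of pointing caddy at an unresolvable host; otherwise a one-line comment tying the `_app` suffix to the service key is enough. The service block this environment list belongs to starts above the hunk, so that it is the caddy service is inferred from the `caddyfile` config mount.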