feat(post): add Caddy2 and Adguard Home configuration guide

content/posts/how-to-configure-adguard-home-with-caddy2.md

@@ -0,0 +1,120 @@
++++
+title = 'How to Configure Adguard Home With Caddy2'
+date = 2024-09-22T12:57:01+02:00
+draft = false
+tags = ['Caddy2', 'Adguard Home', 'Docker', 'Docker Compose', 'Reverse Proxy', 'SSL/TLS', 'ACME', 'DNS-over-TLS', 'DNS-over-HTTPS', 'Security', 'Networking', 'Server', 'Configuration', 'Guide']
++++
+
+## Preface
+
+Until recently I used [Nginx Proxy Manager](https://nginxproxymanager.com/) to
+manage my reverse proxies and SSL certificates. It's a great tool, especially
+for beginners who do prefer a GUI to configure the reverse proxy service, but
+most of my TLS certificates expired suddenly and I did not like the idea to
+reload all of them manually. Some time ago I heard about Caddy2, which
+automatically renews TLS certificates using ACME, and I wanted to try it, but I
+learnt by experience the motto 'If it works don't touch it', so I kept doing
+other things rather than configuring Caddy without needing to do that. And I
+have to say that configuring it was easier than I thought!
+
+Both Adguard Home and Caddy2 are inside a Docker container, so I will show you
+how to configure them with Docker Compose. That said, it could be useful also
+for those who have them installed on their system.
+
+## Adguard Home
+
+The following is the Docker Compose configuration for Adguard Home. I used the
+official Docker image from [Docker Hub](https://hub.Docker.com/r/adguard/adguardhome)
+to deploy Adguard Home. I also utilized the existing Nginx Proxy Manager
+network, so that I could use the same network for Caddy2. It didn't change until
+I switched to Caddy2, after adding the volume for the certificates so that I
+could configure Dns-Over-TLS and Dns-Over-Https. Note that the certificates are
+stored within the Caddy2 container, so you'll need to update the certificate
+path in the volume.
+
+```yaml
+services:
+  adguard:
+    image: adguard/adguardhome
+    container_name: adguard
+    restart: unless-stopped
+    volumes:
+      - ./work:/opt/adguardhome/work
+      - ./conf:/opt/adguardhome/conf
+      - ../caddy/caddy_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dns.riefolo.me:/opt/adguardhome/cert
+    ports:
+      - 853:853/tcp # DNS-over-TLS
+    environment:
+      - TZ=Europe/Rome
+    networks:
+      - reverse-proxy_default
+
+networks:
+  reverse-proxy_default:
+    external: true
+```
+
+## Caddy2
+
+I took this configuration from the official [Caddy2 documentation](https://hub.Docker.com/_/caddy)
+as a starting point and I modified it to reuse the existing Nginx Proxy Manager
+network. I also changed the volumes to a local path because I find it more organized.
+
+```yaml
+services:
+  caddy:
+    image: caddy:latest
+    restart: unless-stopped
+    cap_add:
+      - NET_ADMIN
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+    volumes:
+      - $PWD/Caddyfile:/etc/caddy/Caddyfile
+      - $PWD/site:/srv
+      - $PWD/caddy_data:/data
+      - $PWD/caddy_config:/config
+    networks:
+      - reverse-proxy_default
+
+networks:
+  reverse-proxy_default:
+    external: true
+```
+
+Then I had to configure the Caddyfile, which is the configuration file for
+Caddy2. I didn't delve into the documentation, but I managed to find a working
+solution by searching how to reverse proxy. The only challenge was configuring
+Dns-Over-Https with Caddy, but
+
+```caddyfile
+domain.tld {
+    handle /dns-query {
+        reverse_proxy https://adguard {
+            transport http {
+                tls_insecure_skip_verify
+            }
+        }
+    }
+    reverse_proxy http://adguard
+}
+```
+
+The handle directive is used to match the path /dns-query, which is the path used
+by Dns-Over-Https. The reverse_proxy directive is used to reverse proxy the request
+to the Adguard Home container. The tls_insecure_skip_verify directive is used to
+skip the tls verification, because I configured Adguard Home to use encryption so
+that I could use Dns-Over-Https.
+
+## Conclusion
+
+Now the last things to do were to configure the settings in <https://domain.tld/#encryption>
+by setting the certificate file path both for the chain and the private key:
+
+![Adguard Home Settings](/images/adguard-home-settings.png)
+
+And to open the port 443 in the firewall. That's it! Now I have a secure DNS server
+and a reverse proxy with automatic TLS certificates renewal. I hope this guide was
+useful to you!

hugo.toml

@@ -11,6 +11,8 @@ menu = [
   { Name = 'About', URL = '/about/', HasChildren = false },
   { Name = 'Useful links', URL = '' },
   { Name = 'Repositories', URL = 'https://git.riefolo.me/mariano', External = true },
+  { Name = "Posts", URL = "/posts/", Pre = "Recent", HasChildren = true, Limit = 5 },
+
 ]
 
 email_url = 'mailto:rfmariano@protonmail.com'