I know Caddy can read env variables but they don’t feel secure with systemd and may be more complicated to configure.
Here’s what I’ve come up with:
/etc/caddy/Caddyfile can be readable by all, it doesn’t contain any secrets. This allows a regular user (me) to check the config without sudoing as caddy or root.
import a file from Caddyfile from the site section, e.g.
That is not safe on a multi-user host and should not be the recommended way. Any user on the machine can run systemctl show caddy or systemctl cat caddy and see the env variables and their values.
It’s probably not a good idea to run Caddy on a multi-user system anyways. But…
You could use EnvironmentFile= instead of Environment= and point it to a file that’s access restricted.
Or you can use Caddy’s --envfile flag:
Either way, environment variables should be used for secrets. Caddy’s current running config, adapted to JSON, gets saved to its config storage location in an autosave.json file, to make it possible to restart Caddy from the last run config (this is for the caddy-api use case as mentioned here: Keep Caddy Running — Caddy Documentation). So using an {env.*} placeholder is necessary to not have the secret leak to the autosave file as well.
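Putting the replies together, here is an added example (not code from the thread or from the Caddy project) of the EnvironmentFile= plus {env.*} layout, with a check that the secret file is not world-readable and that the literal value appears only there. The paths, the CF_API_TOKEN name and the dns cloudflare module are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: keep the secret out of the unit
# file (EnvironmentFile= rather than Environment=) and out of the Caddyfile
# ({env.*} placeholder), so neither `systemctl show caddy` nor autosave.json
# carries the value. Paths, CF_API_TOKEN and the dns module are assumptions.

# Write the secret to its own file, created non-world-readable from the start.
write_envfile() {
  envfile="$1"; secret="$2"
  ( umask 077; printf 'CF_API_TOKEN=%s\n' "$secret" > "$envfile" )
  chmod 0640 "$envfile"        # on a real host also: chown root:caddy "$envfile"
}

# systemd drop-in (e.g. /etc/systemd/system/caddy.service.d/env.conf):
# the unit only names the file, so the value is not among the unit properties.
write_dropin() {
  printf '[Service]\nEnvironmentFile=%s\n' "$2" > "$1"
}

# Caddyfile that references the placeholder; the literal token never appears.
write_caddyfile() {
  printf 'example.com {\n\ttls {\n\t\tdns cloudflare {env.CF_API_TOKEN}\n\t}\n}\n' > "$1"
}

# Returns 0 if the file has no permission bits for "other", 1 if it does.
envfile_is_private() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  last=${mode#"${mode%?}"}     # last octal digit = permissions for "other"
  [ "$last" = "0" ]
}

# Returns 0 if the literal secret shows up in the file (a leak), 1 otherwise.
leaks_secret() {
  grep -qF -- "$2" "$1"
}

# Demo on a temporary directory; real paths would live under /etc.
demo() {
  dir=$(mktemp -d)
  write_envfile "$dir/caddy.env" "example-token-do-not-use"
  write_dropin "$dir/env.conf" "$dir/caddy.env"
  write_caddyfile "$dir/Caddyfile"
  envfile_is_private "$dir/caddy.env" && echo "env file is private"
  leaks_secret "$dir/Caddyfile" "example-token-do-not-use" || echo "Caddyfile holds only the placeholder"
}
```

Run demo after sourcing the script; with the files under /etc, systemctl show caddy will list the EnvironmentFile path but not the token.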