
@aldoborrero
Last active October 31, 2025 16:02
Caddy + Authentik Proxy + Netbird
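#!/usr/bin/env bash
# SECURITY: build.func is fetched from the moving `main` branch and executed in
# this shell, so whatever that branch holds at run time runs with this script's
# privileges. For a reviewable, reproducible install, point the URL at a commit
# you have audited (.../ProxmoxVE/<reviewed-commit-sha>/misc/build.func).
#
# The download is captured in full before it is sourced, so a failed or
# truncated transfer aborts here instead of executing a partial file.
BUILD_FUNC_SRC="$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)" || {
  echo "Failed to download build.func; aborting." >&2
  exit 1
}
# Process substitution (as in the original) keeps stdin untouched while sourcing.
source <(printf '%s\n' "$BUILD_FUNC_SRC")
unset BUILD_FUNC_SRC
# Copyright (c) 2021-2025 community-scripts
# Author: Aldo
# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
# Source: https://caddyserver.com/

# Application name and container defaults. These are not read anywhere in this
# file; presumably the helpers sourced above (variables, build_container, ...)
# consume them. Confirm names and units in build.func.
APP="Caddy"
var_tags="reverse-proxy"
var_cpu="1"
var_ram="512"
var_disk="2"
var_os="debian"
var_version="13"
# NOTE(review): "1" presumably requests an unprivileged container; keep it that
# way unless a component is shown to need more.
var_unprivileged="1"

# Framework initialisation. Every function below comes from the sourced
# build.func, and the call order is kept exactly as the author wrote it.
header_info "$APP"
variables
color
catch_errors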
update_script() {
  # Update path for an existing installation: refresh the package index,
  # install the current caddy package, restart the service, then exit.
  # header_info, check_container_* and msg_* are not defined in this file; they
  # come from the sourced helper library.
  #
  # NOTE(review): the companion install script on this page replaces
  # /usr/bin/caddy with an xcaddy build that carries the Cloudflare DNS module.
  # A package upgrade here would presumably put the stock binary back and drop
  # that module. Confirm, and consider rebuilding after upgrading or diverting
  # the packaged binary.
  header_info
  check_container_storage
  check_container_resources

  # Guard clause: nothing to update when the caddy binary is absent.
  [[ -f /usr/bin/caddy ]] || {
    msg_error "No ${APP} Installation Found!"
    exit
  }

  msg_info "Updating ${APP}"
  apt-get update
  apt-get install -y caddy
  msg_ok "Updated ${APP}"

  msg_info "Restarting ${APP}"
  systemctl restart caddy
  msg_ok "Restarted ${APP}"

  msg_ok "Updated Successfully!"
  exit
}
# Run the container build via the sourced helpers, then print the summary.
start
build_container
description
msg_ok "Completed Successfully!\n"

# NOTE(review): the advertised endpoint is plain HTTP on port 80. Treat it as a
# first-boot check only; real sites should be served over TLS once the
# Caddyfile is configured.
# printf '%b' expands backslash escapes the same way `echo -e` does in bash.
printf '%b\n' \
  "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}" \
  "${INFO}${YW} Access it using the following URL:${CL}" \
  "${TAB}${GATEWAY}${BGN}http://${IP}:80${CL}"
#!/usr/bin/env bash
# Copyright (c) 2021-2025 community-scripts
# Author: Aldo
# License: MIT
# https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
# Load the helper library. Despite its name, the *value* of FUNCTIONS_FILE_PATH
# (not a file at that path) is fed to `source` through a here-string, so the
# variable's content is executed verbatim in this shell.
# NOTE(review): whoever sets FUNCTIONS_FILE_PATH controls what runs here; it is
# presumably populated by the host-side build script. Confirm against the caller.
source /dev/stdin <<< "$FUNCTIONS_FILE_PATH"
# Framework bootstrap. All of the following are defined by the sourced helpers,
# not in this file; the call order is kept exactly as the author wrote it.
color
verb_ip6
catch_errors
setting_up_container
network_check
update_os
msg_info "Installing Dependencies"
# Base tooling for the steps that follow: curl/wget for downloads, gnupg2 and
# the keyring packages for repository keys, apt-transport-https for HTTPS apt
# sources, plus sudo and mc.
base_packages=(
  curl
  sudo
  mc
  debian-keyring
  debian-archive-keyring
  apt-transport-https
  gnupg2
  wget
)
# $STD is left unquoted on purpose: it is set by the sourced helpers and
# presumably expands to nothing or to an output-silencing wrapper. Confirm.
$STD apt-get install -y "${base_packages[@]}"
msg_ok "Installed Dependencies"
msg_info "Installing Caddy"
# Register the Caddy "stable" apt repository, then install and start the package.
caddy_repo_base='https://dl.cloudsmith.io/public/caddy/stable'

# The signing key is taken from the same HTTPS origin as the packages and is
# trusted as received; no fingerprint comparison happens here. `-1` only asks
# curl for TLS 1.0 or later, it does not pin a modern TLS version.
# NOTE(review): compare the key fingerprint with the value published by the
# Caddy project before relying on this keyring.
curl -1sLf "${caddy_repo_base}/gpg.key" | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg

# The sources list is written exactly as served; tee also echoes it to stdout.
curl -1sLf "${caddy_repo_base}/debian.deb.txt" | tee /etc/apt/sources.list.d/caddy-stable.list

$STD apt-get update
$STD apt-get install -y caddy
systemctl enable -q --now caddy
msg_ok "Installed Caddy"
# Helper function to install Go
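install_go() {
  # Install the latest stable Go toolchain under /usr/local/go.
  #
  # Globals:  GO_VERSION (written), PATH and GOPATH (exported)
  # Outputs:  progress via msg_info / msg_ok / msg_error
  # Returns:  0 on success, 1 if the version lookup, download or unpack fails
  #
  # Hardening over the previous version:
  #  - the version string is validated before it is used in a URL or file name;
  #  - the tarball goes into a private mktemp directory, not a predictable name
  #    in /tmp (wget would have saved to "<name>.1" next to a pre-existing file,
  #    and tar would then have unpacked the pre-existing one);
  #  - the old toolchain is removed only after the download succeeded;
  #  - /etc/profile is not appended to again on repeated runs.
  # NOTE(review): the tarball is still trusted on TLS alone. go.dev publishes
  # SHA-256 checksums per release; verify against them where integrity matters.
  # The archive name is fixed to linux-amd64, as before.
  msg_info "Installing Go (required for xcaddy)"

  local version_re='^go[0-9]+(\.[0-9]+)*((rc|beta)[0-9]+)?$'
  local go_tmp go_tarball profile_line

  # Quoted URL: an unquoted '?' is a glob character. -f makes HTTP errors fail.
  GO_VERSION=$(curl -fsSL 'https://go.dev/VERSION?m=text' | head -n1) || GO_VERSION=""
  if [[ ! "${GO_VERSION}" =~ ${version_re} ]]; then
    msg_error "Could not determine a valid Go version (got '${GO_VERSION}')"
    return 1
  fi

  go_tmp=$(mktemp -d) || {
    msg_error "Could not create a temporary directory for the Go download"
    return 1
  }
  go_tarball="${go_tmp}/${GO_VERSION}.linux-amd64.tar.gz"

  if ! wget -q -O "${go_tarball}" "https://go.dev/dl/${GO_VERSION}.linux-amd64.tar.gz"; then
    rm -rf -- "${go_tmp}"
    msg_error "Failed to download ${GO_VERSION}.linux-amd64.tar.gz"
    return 1
  fi

  # Replace any previous toolchain only now that the new archive is on disk.
  rm -rf /usr/local/go
  if ! tar -C /usr/local -xzf "${go_tarball}"; then
    rm -rf -- "${go_tmp}"
    msg_error "Failed to unpack ${GO_VERSION}.linux-amd64.tar.gz"
    return 1
  fi
  rm -rf -- "${go_tmp}"

  export PATH=$PATH:/usr/local/go/bin
  export GOPATH=$HOME/go

  # Persist the environment for login shells; skip lines that already exist.
  for profile_line in 'export PATH=$PATH:/usr/local/go/bin' 'export GOPATH=$HOME/go'; do
    grep -qxF -- "${profile_line}" /etc/profile 2>/dev/null ||
      echo "${profile_line}" >> /etc/profile
  done

  msg_ok "Installed Go ${GO_VERSION}"
}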
# Helper function to create systemd service
create_systemd_service() {
  # Write /etc/systemd/system/<name>.service, reload systemd and enable the unit.
  #
  # Arguments:
  #   $1 - unit name (without the .service suffix)
  #   $2 - text for Description=
  #   $3 - command line for ExecStart=
  #   $4 - path for EnvironmentFile=; when empty, that line is left blank
  #
  # The unit is enabled but not started here.
  # NOTE(review): every unit written by this helper runs as root (User=root is
  # fixed). For a network-facing service, consider a dedicated unprivileged
  # account and systemd sandboxing options, if the service can run without root.
  local unit_name="$1"
  local unit_description="$2"
  local unit_command="$3"
  local unit_env_file="$4"
  local unit_path="/etc/systemd/system/${unit_name}.service"

  # One argument per output line; an empty argument yields the blank line that
  # stands in for a missing EnvironmentFile= entry.
  printf '%s\n' \
    "[Unit]" \
    "Description=${unit_description}" \
    "After=network.target" \
    "[Service]" \
    "Type=simple" \
    "User=root" \
    "${unit_env_file:+EnvironmentFile=${unit_env_file}}" \
    "ExecStart=${unit_command}" \
    "Restart=always" \
    "RestartSec=5" \
    "[Install]" \
    "WantedBy=multi-user.target" \
    > "${unit_path}"

  systemctl daemon-reload
  systemctl enable "${unit_name}"
}
# Cloudflare DNS Plugin
# Toolchain for a custom Caddy build: Go first, then the xcaddy package from
# its own apt repository.
msg_info "Installing Cloudflare DNS plugin"
install_go

msg_info "Installing xcaddy"
xcaddy_repo_base='https://dl.cloudsmith.io/public/caddy/xcaddy'
# As with the Caddy repository, the signing key is accepted as served over
# HTTPS with no fingerprint comparison, and the sources list is written as received.
# NOTE(review): verify the key fingerprint out of band before trusting this keyring.
curl -1sLf "${xcaddy_repo_base}/gpg.key" | gpg --dearmor -o /usr/share/keyrings/caddy-xcaddy-archive-keyring.gpg
curl -1sLf "${xcaddy_repo_base}/debian.deb.txt" | tee /etc/apt/sources.list.d/caddy-xcaddy.list
$STD apt-get update
$STD apt-get install -y xcaddy
msg_ok "Installed xcaddy"
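# Build a Caddy binary that bundles the Cloudflare DNS module and swap it in
# for the packaged one. The packaged binary is kept as /usr/bin/caddy.original.
#
# Success is judged by xcaddy's exit status, not only by the presence of
# ./caddy. A stale ./caddy from an earlier run can no longer be installed after
# a failed build, and the failure branch (which restarts the service) stays
# reachable when the shell runs with errexit.
#
# NOTE(review): the module is built from whatever version resolves at build
# time. For a reproducible, reviewable binary, pin it:
#   --with github.com/caddy-dns/cloudflare@<reviewed-version>
# NOTE(review): a later upgrade of the caddy package presumably overwrites
# /usr/bin/caddy with the stock build. Confirm, and divert or rebuild as needed.
msg_info "Building Caddy with Cloudflare DNS plugin"
cd /opt
systemctl stop caddy
rm -f ./caddy
if xcaddy build --with github.com/caddy-dns/cloudflare && [[ -f ./caddy ]]; then
  mv /usr/bin/caddy /usr/bin/caddy.original
  mv ./caddy /usr/bin/caddy
  chmod +x /usr/bin/caddy
  # Allows binding to ports below 1024 without running the process as root.
  setcap cap_net_bind_service=+ep /usr/bin/caddy
  systemctl start caddy
  msg_ok "Built and installed Caddy with Cloudflare DNS plugin"
  # NOTE(review): nothing in this script creates /etc/caddy/caddy.env or wires
  # it into the caddy unit, and a systemd EnvironmentFile expects KEY=value
  # lines without `export`. Confirm how the file is consumed. Whatever holds
  # the API token should be readable only by the account Caddy runs as.
  echo -e "\n${INFO} Configure Cloudflare token in /etc/caddy/caddy.env"
  echo -e "${INFO} Example: export CLOUDFLARE_API_TOKEN=\"your-token\""
else
  msg_error "Failed to build Caddy with Cloudflare plugin"
  # The packaged binary is still in place; bring the service back up.
  systemctl start caddy
fi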
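# Authentik Proxy
# Download the proxy outpost binary of the latest authentik release, install
# it to /usr/local/bin, write a placeholder environment file and register a
# systemd unit. The unit is enabled, not started.
#
# Fixes over the previous version:
#  - `wget -O` leaves a file behind even when the request fails, so the old
#    `-f` test could install an empty file and report success. The download's
#    exit status and a non-empty result are now required.
#  - the release tag is validated before it is placed in the URL;
#  - proxy.env is created with mode 600 from the start and is not overwritten
#    if it already exists, so a configured outpost token survives a re-run.
# NOTE(review): the binary is trusted on TLS alone and is started as root by
# the generated unit. Verify it against a checksum or signature if the project
# publishes one, and confirm the asset name against the release page.
msg_info "Installing Authentik Proxy"
cd /opt
AUTHENTIK_VERSION=$(curl -fsSL https://api.github.com/repos/goauthentik/authentik/releases/latest | grep tag_name | cut -d '"' -f 4 | sed 's/version\///') || AUTHENTIK_VERSION=""
authentik_version_re='^[0-9]+(\.[0-9]+)*(-[0-9A-Za-z.]+)?$'
rm -f authentik-proxy
if [[ "${AUTHENTIK_VERSION}" =~ ${authentik_version_re} ]] &&
  wget -q "https://github.com/goauthentik/authentik/releases/download/version/${AUTHENTIK_VERSION}/authentik-proxy-linux-amd64" -O authentik-proxy &&
  [[ -s authentik-proxy ]]; then
  mv authentik-proxy /usr/local/bin/authentik-proxy
  chmod +x /usr/local/bin/authentik-proxy
  msg_ok "Installed Authentik Proxy ${AUTHENTIK_VERSION}"
  mkdir -p /etc/authentik
  if [[ ! -f /etc/authentik/proxy.env ]]; then
    # Create the file with restrictive permissions before any content lands in it.
    install -m 600 /dev/null /etc/authentik/proxy.env
    cat > /etc/authentik/proxy.env << 'EOF'
AUTHENTIK_HOST=https://your-authentik-domain.com
AUTHENTIK_TOKEN=your-outpost-token-here
AUTHENTIK_INSECURE=false
EOF
  fi
  chmod 600 /etc/authentik/proxy.env
  create_systemd_service "authentik-proxy" "Authentik Proxy Outpost" "/usr/local/bin/authentik-proxy" "/etc/authentik/proxy.env"
  msg_ok "Created Authentik Proxy service"
  echo -e "\n${INFO} Configure /etc/authentik/proxy.env before starting"
  echo -e "${INFO} Start with: systemctl start authentik-proxy"
else
  # Remove the empty or partial file that a failed `wget -O` leaves behind.
  rm -f authentik-proxy
  msg_error "Failed to download Authentik Proxy"
fi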
# NetBird
# Register the NetBird apt repository (scoped to its own keyring through
# signed-by) and install the client. The client is not connected here.
msg_info "Installing NetBird"
netbird_keyring=/usr/share/keyrings/netbird-archive-keyring.gpg
# The repository key is accepted as served over HTTPS; no fingerprint check.
# NOTE(review): verify the fingerprint out of band before trusting the keyring.
curl -fsSL https://pkgs.netbird.io/debian/public.key | gpg --dearmor -o "${netbird_keyring}"
printf '%s\n' "deb [signed-by=${netbird_keyring}] https://pkgs.netbird.io/debian stable main" | tee /etc/apt/sources.list.d/netbird.list
$STD apt-get update
$STD apt-get install -y netbird
msg_ok "Installed NetBird"
# NOTE(review): a setup key passed on the command line can end up in shell
# history and the process list; treat it as a secret and rotate or expire it
# after enrolment.
printf '%b\n' \
  "\n${INFO} Connect with: netbird up" \
  "${INFO} Or with setup key: netbird up --setup-key YOUR_KEY"
# Final framework steps (both defined by the sourced helpers), then apt cleanup.
motd_ssh
customize

msg_info "Cleaning up"
# Same two apt-get calls as before, in the same order.
for apt_action in autoremove autoclean; do
  $STD apt-get -y "${apt_action}"
done
msg_ok "Cleaned"