feat(config): ✨ Add Caddy configuration and environment setup

Wayne-Jones · Wayne-Jones · commit 359b436d0c72 · 2026-01-20T02:06:04.000-05:00
Introduced a comprehensive Caddy configuration for the Ghost CMS setup, including support for ActivityPub and Traffic Analytics. The new configuration allows for better management of domains, logging, and security headers.

- Added Caddyfile and Caddyfile.example for configuration.
- Included snippets for logging, security headers, ActivityPub, and Traffic Analytics.
- Updated .env-example with new environment variables for configuration.
- Created a docker-compose.yml file to manage services and dependencies.

This setup enhances the deployment process and improves the overall functionality of the Ghost CMS.
diff --git a/.env-example b/.env-example
@@ -1,2 +1,63 @@
 CONTENT_API_KEY=
-BLOG_URL=
+BLOG_URL=
+
+# Use the below flags to enable the Analytics or ActivityPub containers as well
+# COMPOSE_PROFILES=analytics,activitypub
+
+# Ghost domain
+# Custom public domain Ghost will run on
+DOMAIN=example.com
+
+# Ghost Admin domain
+# If you have Ghost Admin setup on a separate domain uncomment the line below and add the domain
+# You also need to uncomment the corresponding block in your Caddyfile
+# ADMIN_DOMAIN=
+
+# Database settings
+# All database settings must not be changed once the database is initialised
+DATABASE_ROOT_PASSWORD=reallysecurerootpassword
+# DATABASE_USER=optionalusername
+DATABASE_PASSWORD=ghostpassword
+
+# ActivityPub
+# If you'd prefer to self-host ActivityPub yourself uncomment the line below
+# ACTIVITYPUB_TARGET=activitypub:8080
+
+# Tinybird configuration
+# If you want to run Analytics, paste the output from `docker compose run --rm tinybird-login get-tokens` below
+# TINYBIRD_API_URL=https://api.tinybird.co
+# TINYBIRD_TRACKER_TOKEN=p.eyJxxxxx
+# TINYBIRD_ADMIN_TOKEN=p.eyJxxxxx
+# TINYBIRD_WORKSPACE_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
+
+# Ghost configuration (https://ghost.org/docs/config/)
+
+# SMTP Email (https://ghost.org/docs/config/#mail)
+# Transactional email is required for logins, account creation (staff invites), password resets and other features
+# This is not related to bulk mail / newsletter sending
+mail__transport=SMTP
+mail__options__host=smtp.example.com
+mail__options__port=465
+mail__options__secure=true
+mail__options__auth__user=support@example.com
+mail__options__auth__pass=1234567890
+mail__from="'Acme Support' <support@example.com>"
+
+# Advanced customizations
+
+# Force Ghost version
+# You should only do this if you need to pin a specific version
+# The update commands won't work
+# GHOST_VERSION=6-alpine
+
+# Port Ghost should listen on
+# You should only need to edit this if you want to host
+# multiple sites on the same server
+# GHOST_PORT=2368
+
+# Data locations
+# Location to store uploaded data
+UPLOAD_LOCATION=./data/ghost
+
+# Location for database data
+MYSQL_DATA_LOCATION=./data/mysql
diff --git a/.gitignore b/.gitignore
@@ -37,4 +37,7 @@ yarn-error.log*
 next-env.d.ts
 
 #copilot
-copilot/
+copilot/
+
+data/
+.pnpm-store/
diff --git a/caddy/Caddyfile b/caddy/Caddyfile
@@ -0,0 +1,60 @@
+{$DOMAIN} {
+	import snippets/Logging
+
+	# Traffic Analytics service
+	import snippets/TrafficAnalytics
+
+	# ActivityPub Service
+	import snippets/ActivityPub
+
+	# Default proxy everything else to Ghost
+	handle {
+		reverse_proxy ghost:2368
+	}
+
+	# Optional: Enable gzip compression
+	encode gzip
+
+	# Optional: Add security headers
+	import snippets/SecurityHeaders
+}
+
+# Separate admin domains
+# To use a separate domain for Ghost Admin uncomment the block below (recommended)
+# {$ADMIN_DOMAIN} {
+# 	import snippets/Logging
+#
+# 	# Traffic Analytics service
+# 	import snippets/TrafficAnalytics
+#
+# 	# ActivityPub Service
+# 	import snippets/ActivityPub
+#
+# 	# Default proxy everything else to Ghost
+# 	handle {
+# 		reverse_proxy ghost:2368
+# 	}
+#
+# 	# Optional: Enable gzip compression
+# 	encode gzip
+#
+# 	# Optional: Add security headers
+# 	import snippets/SecurityHeaders
+# }
+
+# Redirect www -> root domain
+# To redirect the www variant of your domain to the non-www variant uncomment the 4 lines below
+# Note: You must have DNS setup correctly for both domains for this to work
+# www.{$DOMAIN} {
+# 	import snippets/Logging
+# 	redir https://{$DOMAIN}{uri}
+# }
+
+# Redirect root -> www domain
+# To redirect the non-www variant of your domain to the www variant uncomment the 4 lines below and change CHANGE_ME to your root domain
+# Note: You must have DNS setup correctly for both domains for this to work
+# When using ActivityPub with a www. domain, you must enable this redirect for ActivityPub to work correctly
+# CHANGE_ME {
+# 	import snippets/Logging
+# 	redir https://{$DOMAIN}{uri}
+# }
diff --git a/caddy/Caddyfile.example b/caddy/Caddyfile.example
@@ -0,0 +1,60 @@
+{$DOMAIN} {
+	import snippets/Logging
+
+	# Traffic Analytics service
+	import snippets/TrafficAnalytics
+
+	# ActivityPub Service
+	import snippets/ActivityPub
+
+	# Default proxy everything else to Ghost
+	handle {
+		reverse_proxy ghost:2368
+	}
+
+	# Optional: Enable gzip compression
+	encode gzip
+
+	# Optional: Add security headers
+	import snippets/SecurityHeaders
+}
+
+# Separate admin domains
+# To use a separate domain for Ghost Admin uncomment the block below (recommended)
+# {$ADMIN_DOMAIN} {
+# 	import snippets/Logging
+#
+# 	# Traffic Analytics service
+# 	import snippets/TrafficAnalytics
+#
+# 	# ActivityPub Service
+# 	import snippets/ActivityPub
+#
+# 	# Default proxy everything else to Ghost
+# 	handle {
+# 		reverse_proxy ghost:2368
+# 	}
+#
+# 	# Optional: Enable gzip compression
+# 	encode gzip
+#
+# 	# Optional: Add security headers
+# 	import snippets/SecurityHeaders
+# }
+
+# Redirect www -> root domain
+# To redirect the www variant of your domain to the non-www variant uncomment the 4 lines below
+# Note: You must have DNS setup correctly for both domains for this to work
+# www.{$DOMAIN} {
+# 	import snippets/Logging
+# 	redir https://{$DOMAIN}{uri}
+# }
+
+# Redirect root -> www domain
+# To redirect the non-www variant of your domain to the www variant uncomment the 4 lines below and change CHANGE_ME to your root domain
+# Note: You must have DNS setup correctly for both domains for this to work
+# When using ActivityPub with a www. domain, you must enable this redirect for ActivityPub to work correctly
+# CHANGE_ME {
+# 	import snippets/Logging
+# 	redir https://{$DOMAIN}{uri}
+# }
diff --git a/caddy/snippets/ActivityPub b/caddy/snippets/ActivityPub
@@ -0,0 +1,13 @@
+# ActivityPub
+# Proxy activitypub requests /.ghost/activitypub/
+handle /.ghost/activitypub/* {
+	reverse_proxy {$ACTIVITYPUB_TARGET}
+}
+
+handle /.well-known/webfinger {
+	reverse_proxy {$ACTIVITYPUB_TARGET}
+}
+
+handle /.well-known/nodeinfo {
+	reverse_proxy {$ACTIVITYPUB_TARGET}
+}
diff --git a/caddy/snippets/Logging b/caddy/snippets/Logging
@@ -0,0 +1,6 @@
+# Log all requests
+log {
+	output stdout
+	format console
+	level INFO
+}
diff --git a/caddy/snippets/SecurityHeaders b/caddy/snippets/SecurityHeaders
@@ -0,0 +1,12 @@
+header {
+	# Enable HSTS
+	Strict-Transport-Security max-age=31536000;
+	# Enable XSS protection
+	X-XSS-Protection "1; mode=block"
+	# Prevent MIME sniffing
+	X-Content-Type-Options nosniff
+	# Referrer policy
+	Referrer-Policy strict-origin-when-cross-origin
+	# Prevent embedding in external iframes
+	Content-Security-Policy "frame-ancestors 'self' {$ADMIN_DOMAIN:}"
+}
diff --git a/caddy/snippets/TrafficAnalytics b/caddy/snippets/TrafficAnalytics
@@ -0,0 +1,6 @@
+# Proxy analytics requests with any prefix (e.g. /.ghost/analytics/ or /blog/.ghost/analytics/)
+@analytics_paths path_regexp analytics_match ^(.*)/\.ghost/analytics(.*)$
+handle @analytics_paths {
+	rewrite * {re.analytics_match.2}
+	reverse_proxy traffic-analytics:3000
+}
diff --git a/compose.yml b/compose.yml
