Scaffolding for server

Code for reading dns01proxy configuration from a file, provisioning
Caddy guest modules, and starting Caddy.

Author: liujed

app.go

@@ -0,0 +1,33 @@
+package caddydns01proxy
+
+import (
+	"encoding/json"
+
+	"github.com/caddyserver/caddy/v2"
+)
+
+func init() {
+	caddy.RegisterModule(App{})
+}
+
+// A Caddy application module that implements the dns01proxy server.
+type App struct {
+	Handler
+
+	// The sockets on which to listen.
+	Listen []string `json:"listen"`
+
+	// Configures the set of trusted proxies.
+	TrustedProxiesRaw json.RawMessage `json:"trusted_proxies,omitempty" caddy:"namespace=http.ip_sources inline_key=source"`
+}
+
+var _ caddy.Module = (*App)(nil)
+
+func (App) CaddyModule() caddy.ModuleInfo {
+	return caddy.ModuleInfo{
+		ID: "dns01proxy",
+		New: func() caddy.Module {
+			return new(App)
+		},
+	}
+}

caddy_config.go

@@ -0,0 +1,25 @@
+package caddydns01proxy
+
+import (
+	"fmt"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/liujed/caddy-dns01proxy/jsonutil"
+)
+
+// A dns01proxy configuration file is the same as the app configuration.
+type ConfigFile = App
+
+// Reads a dns01proxy configuration file and returns a corresponding Caddy
+// configuration.
+func caddyConfigFromConfigFile(path string) (*caddy.Config, error) {
+	config, err := jsonutil.UnmarshalFromFile[ConfigFile](path)
+	if err != nil {
+		return nil, err
+	}
+
+	// TODO: generate a Caddy configuration.
+	_ = config
+
+	return nil, fmt.Errorf("implement me")
+}

client_policy.go

@@ -0,0 +1,56 @@
+package caddydns01proxy
+
+import (
+	"fmt"
+
+	"github.com/caddyserver/caddy/v2"
+	x509policy "github.com/smallstep/certificates/authority/policy"
+	"github.com/smallstep/certificates/authority/provisioner"
+)
+
+// The policy configuration for a user. Specifies the domains at which the user
+// is allowed to answer DNS-01 challenges.
+type ClientPolicy struct {
+	// Identifies the client to which this policy applies.
+	UserID string `json:"user_id"`
+
+	AllowDomainsRaw []string `json:"allow_domains,omitempty"`
+	DenyDomainsRaw  []string `json:"deny_domains,omitempty"`
+
+	// The policy to be applied to the DNS domains for answering DNS-01
+	// challenges.
+	DomainPolicy x509policy.X509Policy `json:"-"`
+}
+
+var _ caddy.Provisioner = (*ClientPolicy)(nil)
+
+func (c *ClientPolicy) Provision(ctx caddy.Context) error {
+	domainPolicyOpts := provisioner.X509Options{}
+
+	provisionX509NameOptions := func(raw *[]string) *x509policy.X509NameOptions {
+		// Allow the raw version to be GC'd.
+		defer func() {
+			*raw = nil
+		}()
+
+		if len(*raw) > 0 {
+			return &x509policy.X509NameOptions{
+				DNSDomains: *raw,
+			}
+		}
+		return nil
+	}
+
+	// Ingest the allow/deny lists.
+	domainPolicyOpts.AllowedNames = provisionX509NameOptions(&c.AllowDomainsRaw)
+	domainPolicyOpts.DeniedNames = provisionX509NameOptions(&c.DenyDomainsRaw)
+
+	// Instantiate the domain policy.
+	var err error
+	c.DomainPolicy, err = x509policy.NewX509PolicyEngine(&domainPolicyOpts)
+	if err != nil {
+		return fmt.Errorf("unable to provision domain policy: %w", err)
+	}
+
+	return nil
+}

client_registry.go

@@ -0,0 +1,47 @@
+package caddydns01proxy
+
+import (
+	"fmt"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/liujed/goutil/maps"
+)
+
+// A registry of known users and their corresponding policy configuration.
+type ClientRegistry struct {
+	// Maps each client's user ID to its policy configuration.
+	Clients maps.Map[string, *ClientPolicy]
+}
+
+func (c *ClientRegistry) Provision(
+	ctx caddy.Context,
+	accountsRaw []RawAccount,
+) error {
+	// Convert accountsRaw into a map keyed on user ID.
+	c.Clients = maps.NewHashMap[string, *ClientPolicy]()
+	for i, rawAccount := range accountsRaw {
+		if c.Clients.ContainsKey(rawAccount.UserID) {
+			return fmt.Errorf(
+				"account %d: user ID is not unique: %q",
+				i,
+				rawAccount.UserID,
+			)
+		}
+
+		c.Clients.Put(rawAccount.UserID, &rawAccount.ClientPolicy)
+	}
+
+	// Provision the ClientPolicy instances.
+	for userID, ca := range c.Clients.Entries() {
+		err := ca.Provision(ctx)
+		if err != nil {
+			return fmt.Errorf(
+				"unable to provision client policy for user ID %q: %w",
+				userID,
+				err,
+			)
+		}
+	}
+
+	return nil
+}

command.go

@@ -63,5 +63,20 @@ Designed to work with:
 }
 
 func cmdRun(fs caddycmd.Flags) (int, error) {
-	return caddy.ExitCodeSuccess, nil
+	caddy.TrapSignals()
+
+	configFlag := fs.String(flgConfig.Name)
+	cfg, err := caddyConfigFromConfigFile(configFlag)
+	if err != nil {
+		return caddy.ExitCodeFailedStartup, err
+	}
+
+	caddy.Log().Info(fmt.Sprintf("Starting %s", Release()))
+
+	err = caddy.Run(cfg)
+	if err != nil {
+		return caddy.ExitCodeFailedStartup, err
+	}
+
+	select {}
 }

dns_config.go

@@ -0,0 +1,35 @@
+package caddydns01proxy
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/certmagic"
+	"github.com/liujed/goutil/optionals"
+)
+
+type DNSConfig struct {
+	ProviderRaw json.RawMessage `json:"provider" caddy:"namespace=dns.providers inline_key=name"`
+
+	Provider certmagic.DNSProvider `json:"-"`
+
+	// The TTL to use for the DNS TXT records when answering challenges.
+	TTL optionals.Optional[caddy.Duration] `json:"ttl"`
+}
+
+var _ caddy.Provisioner = (*Handler)(nil)
+
+func (d *DNSConfig) Provision(ctx caddy.Context) error {
+	if len(d.ProviderRaw) == 0 {
+		return fmt.Errorf("must configure a DNS provider")
+	}
+
+	module, err := ctx.LoadModule(d, "ProviderRaw")
+	if err != nil {
+		return fmt.Errorf("unable to load DNS provider: %w", err)
+	}
+	d.Provider = module.(certmagic.DNSProvider)
+
+	return nil
+}

go.mod

@@ -4,38 +4,98 @@ go 1.24.3
 
 require (
 	github.com/caddyserver/caddy/v2 v2.10.0
+	github.com/caddyserver/certmagic v0.23.0
 	github.com/liujed/goutil v0.0.0
+	github.com/smallstep/certificates v0.26.1
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/pflag v1.0.6
 )
 
 require (
+	cel.dev/expr v0.19.1 // indirect
+	dario.cat/mergo v1.0.1 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/AndreasBriese/bbloom v0.0.0-20190825152654-46b345b51c96 // indirect
 	github.com/KimMachineGun/automemlimit v0.7.1 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.3.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+	github.com/Microsoft/go-winio v0.6.0 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/aryann/difflib v0.0.0-20210328193216-ff5ff6dc229b // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/caddyserver/certmagic v0.23.0 // indirect
 	github.com/caddyserver/zerossl v0.1.3 // indirect
+	github.com/cespare/xxhash v1.1.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/chzyer/readline v1.5.1 // indirect
+	github.com/cloudflare/circl v1.6.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
+	github.com/dgraph-io/badger v1.6.2 // indirect
+	github.com/dgraph-io/badger/v2 v2.2007.4 // indirect
+	github.com/dgraph-io/ristretto v0.2.0 // indirect
+	github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/francoispqt/gojay v1.2.13 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
+	github.com/go-kit/kit v0.13.0 // indirect
+	github.com/go-kit/log v0.2.1 // indirect
+	github.com/go-logfmt/logfmt v0.6.0 // indirect
+	github.com/go-sql-driver/mysql v1.7.1 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/cel-go v0.24.1 // indirect
 	github.com/google/pprof v0.0.0-20231212022811-ec68065c825e // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
+	github.com/jackc/pgconn v1.14.3 // indirect
+	github.com/jackc/pgio v1.0.0 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgproto3/v2 v2.3.3 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
+	github.com/jackc/pgtype v1.14.0 // indirect
+	github.com/jackc/pgx/v4 v4.18.3 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/libdns/libdns v1.0.0-beta.1 // indirect
+	github.com/manifoldco/promptui v0.9.0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
 	github.com/mholt/acmez/v3 v3.1.2 // indirect
 	github.com/miekg/dns v1.1.65 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-ps v1.0.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/onsi/ginkgo/v2 v2.13.2 // indirect
 	github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_golang v1.19.1 // indirect
 	github.com/prometheus/client_model v0.5.0 // indirect
 	github.com/prometheus/common v0.48.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/quic-go/qpack v0.5.1 // indirect
 	github.com/quic-go/quic-go v0.50.1 // indirect
+	github.com/rs/xid v1.5.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
+	github.com/slackhq/nebula v1.6.1 // indirect
+	github.com/smallstep/nosql v0.6.1 // indirect
+	github.com/smallstep/pkcs7 v0.0.0-20231024181729-3b98ecc1ca81 // indirect
+	github.com/smallstep/scep v0.0.0-20231024192529-aee96d7ad34d // indirect
+	github.com/smallstep/truststore v0.13.0 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
+	github.com/stoewer/go-strcase v1.2.0 // indirect
+	github.com/tailscale/tscert v0.0.0-20240608151842-d3f834017e53 // indirect
+	github.com/urfave/cli v1.22.14 // indirect
 	github.com/zeebo/blake3 v0.2.4 // indirect
+	go.etcd.io/bbolt v1.3.9 // indirect
+	go.step.sm/cli-utils v0.9.0 // indirect
+	go.step.sm/crypto v0.45.0 // indirect
+	go.step.sm/linkedca v0.20.1 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/mock v0.5.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
@@ -52,6 +112,10 @@ require (
 	golang.org/x/text v0.24.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
 	golang.org/x/tools v0.32.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect
+	google.golang.org/grpc v1.67.1 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	howett.net/plist v1.0.0 // indirect
 )