feat: Migrate from DuckDNS to Porkbun and add Wg-easy

homelab/.env.example

@@ -1,8 +1,9 @@
 VAULT_DOMAIN=vault.example.com
 AUTH_DOMAIN=auth.example.com
 STORAGE_DOMAIN=storage.example.com
+VPN_DOMAIN=vpn.example.com
 EMAIL=mail@example.com
-APP_KEY=32characterslongrandomstring!
-NC_ADMIN_USER=admin
-NC_ADMIN_PASS=changeme
-DUCKDNS_TOKEN=TOKEN
+TWOFAUTH_APP_KEY=32characterslongrandomstring!
+WG_EASY_PASSWORD_HASH=your_bcrypt_hashed_password
+PORKBUN_API_KEY=your_porkbun_api_key
+PORKBUN_API_SECRET=your_porkbun_api_secret

homelab/Caddyfile

@@ -1,9 +1,12 @@
 # ===========================
-# DuckDNS
+# Porkbun
 # ===========================
-(dns_duck) {
+(dns_porkbun) {
     tls {
-        dns duckdns {env.DUCKDNS_TOKEN}
+        dns porkbun {
+                api_key {env.PORKBUN_API_KEY}
+                api_secret_key {env.PORKBUN_API_SECRET}
+        }
     }
     log {
         output file {env.LOG_FILE}
@@ -15,10 +18,9 @@
 # Vaultwarden
 # ===========================
 {env.VAULT_DOMAIN} {
-    import dns_duck
-
-    encode zstd gzip
+    import dns_porkbun
 
+    encode gzip
     reverse_proxy vaultwarden:80
 }
 
@@ -26,10 +28,9 @@
 # 2FAuth
 # ===========================
 {env.AUTH_DOMAIN} {
-    import dns_duck
-
-    encode zstd gzip
+    import dns_porkbun
 
+    encode gzip
     reverse_proxy 2fauth:8000
 }
 
@@ -37,10 +38,20 @@
 # Filebrowser
 # ===========================
 {env.STORAGE_DOMAIN} {
-    import dns_duck
-
-    encode zstd gzip
+    import dns_porkbun
 
+    encode gzip
     reverse_proxy filebrowser:80
 }
 
+# ===========================
+# WireGuard VPN
+# ===========================
+{env.VPN_DOMAIN} {
+    import dns_porkbun
+
+    encode gzip
+    tls internal
+    reverse_proxy wg-easy:51821
+}
+

homelab/Dockerfile

@@ -1,8 +1,8 @@
-# Build Caddy with DuckDNS DNS provider
+# Build Caddy with Porkbun DNS provider
 FROM caddy:latest-builder AS builder
 
 RUN xcaddy build \
-    --with github.com/caddy-dns/duckdns
+    --with github.com/caddy-dns/porkbun
 
 FROM caddy:latest 
 

homelab/compose.yml

@@ -10,6 +10,8 @@ services:
       - ./services/vaultwarden:/data
     environment:
       DOMAIN: "https://${VAULT_DOMAIN}"
+    networks:
+      - proxy
 
   # ==========================
   # 2FAuth (2FA manager)
@@ -26,12 +28,14 @@ services:
       APP_DEBUG: false
       APP_TIMEZONE: UTC
       SITE_OWNER: ${EMAIL}      
-      APP_KEY:  ${APP_KEY}
+      APP_KEY:  ${TWOFAUTH_APP_KEY}
       APP_URL: "https://${AUTH_DOMAIN}"
       ASSET_URL: "https://${AUTH_DOMAIN}"
       TRUSTED_PROXIES: '*'
       LOG_CHANNEL: daily
       LOG_LEVEL: notice
+    networks:
+      - proxy
 
   # ==========================
   # Filebrowser (Cloud file manager)
@@ -45,6 +49,33 @@ services:
       - ./services/filebrowser/database:/database
       - ./services/filebrowser/config:/config
     user: "1000:1000"
+    networks:
+      - proxy
+
+  # ==========================
+  # WG-Easy (WireGuard VPN)
+  # ==========================
+  wg-easy:
+    image: ghcr.io/wg-easy/wg-easy:latest
+    container_name: wg-easy
+    restart: always
+    environment:
+      WG_HOST: ${VPN_DOMAIN}
+      PASSWORD_HASH: ${WG_EASY_PASSWORD_HASH}
+    volumes:
+      - ./services/wg-easy/data:/etc/wireguard
+      - /lib/modules:/lib/modules:ro
+    ports:
+      - "51820:51820/udp"
+      - "51821:51821/tcp"
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
+    networks:
+      - proxy
 
   # ==========================
   # Caddy (Reverse proxy)
@@ -68,9 +99,13 @@ services:
       VAULT_DOMAIN: ${VAULT_DOMAIN}
       AUTH_DOMAIN: ${AUTH_DOMAIN}
       STORAGE_DOMAIN: ${STORAGE_DOMAIN}
+      VPN_DOMAIN: ${VPN_DOMAIN}
       EMAIL: ${EMAIL}
-      DUCKDNS_TOKEN: ${DUCKDNS_TOKEN}
+      PORKBUN_API_KEY: ${PORKBUN_API_KEY}
+      PORKBUN_API_SECRET: ${PORKBUN_API_SECRET}
       LOG_FILE: /data/access.log
+    networks:
+      - proxy
 
   # ==========================
   # Portainer (Docker manager)