metin-server/m2dev-client
3
0
Fork 1
Code Issues 7 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
1dba3e3c912d04089a8133e24de24992aaedc0b0
m2dev-client/docs/caddy-updates.conf
Jan Nedbal 02061f6e07 docs: add caddy snippet for updates.jakubkadlec.dev 
Caddy site block for the update CDN. Serves the signed manifest with
short TTL, content-addressed blobs as immutable, historical manifests
as immutable, and the Velopack launcher feed alongside. Caching rules
are calibrated so a new release is visible within a minute without
hammering the origin on thundering herds.
2026-04-14 11:22:32 +02:00

72 lines
2.9 KiB
Plaintext
Raw Blame History

# Caddy snippet for updates.jakubkadlec.dev.
#
# Drop this into the main Caddyfile on the VPS (or include it from there).
# Caddy already handles TLS via Let's Encrypt for the parent zone; this block
# only adds a subdomain that serves the update manifest, detached signature,
# and content-addressed blob store.
#
# Directory layout on disk (owned by the release operator, not Caddy):
#
# /var/www/updates.jakubkadlec.dev/
# ├── manifest.json
# ├── manifest.json.sig
# ├── manifests/
# │ └── 2026.04.14-1.json (archived historical manifests)
# ├── files/
# │ └── <hash[0:2]>/<hash> content-addressed blobs
# └── launcher/ Velopack feed (populated by Velopack's own publish tool)
#
# Create with:
# sudo mkdir -p /var/www/updates.jakubkadlec.dev/{files,manifests,launcher}
# sudo chown -R mt2.jakubkadlec.dev:mt2.jakubkadlec.dev /var/www/updates.jakubkadlec.dev
#
# Then add this to Caddy and `sudo systemctl reload caddy`.
updates.jakubkadlec.dev {
root * /var/www/updates.jakubkadlec.dev
# Allow clients to resume interrupted downloads via HTTP Range.
# Caddy's file_server sets Accept-Ranges: bytes by default, so there's
# nothing extra to configure for this — listed explicitly as a reminder.
file_server {
precompressed gzip br
}
# Content-addressed blobs are immutable (the hash IS the file name), so we
# can tell clients to cache them forever. A manifest update never rewrites
# an existing blob.
@blobs path /files/*
header @blobs Cache-Control "public, max-age=31536000, immutable"
# The manifest and its signature must never be cached beyond a minute —
# clients need to see new releases quickly, and stale caches would delay
# rollouts. Short TTL, not zero, to absorb thundering herds on release.
@manifest path /manifest.json /manifest.json.sig
header @manifest Cache-Control "public, max-age=60, must-revalidate"
# Historical manifests are as immutable as blobs — named by version.
@archive path /manifests/*
header @archive Cache-Control "public, max-age=31536000, immutable"
# The Velopack feed (launcher self-update) is a separate tree managed by
# Velopack's publishing tool. Same cache rules as the main manifest: short
# TTL on the feed metadata, blobs are immutable.
@velopack-feed path /launcher/RELEASES*
header @velopack-feed Cache-Control "public, max-age=60, must-revalidate"
@velopack-blobs path /launcher/*.nupkg
header @velopack-blobs Cache-Control "public, max-age=31536000, immutable"
# CORS is not needed — the launcher is a native app, not a browser — so
# no Access-Control-Allow-Origin header. If a web changelog page ever needs
# to fetch the manifest from the browser, revisit this.
# Deny directory listings; the launcher knows exactly which paths it wants.
file_server browse off 2>/dev/null || file_server
log {
output file /var/log/caddy/updates.jakubkadlec.dev.access.log
format json
}
}
Reference in New Issue View Git Blame Copy Permalink