iPXE Server

ipxe.caddyfile

@@ -0,0 +1,114 @@
+# === iPXE BOOT SERVER ===
+# Add this to your main Caddyfile or include via import
+# Requires: import snippets/ipxe at the top of Caddyfile
+
+# HTTPS endpoint for iPXE (local network)
+ipxe.nuc.lan {
+    tls /etc/caddy/tls/wildcard.nuc.lan.crt /etc/caddy/tls/wildcard.nuc.lan.key {
+        protocols tls1.2 tls1.3
+    }
+
+    # Only allow local network access
+    @local_network {
+        remote_ip 192.168.1.0/24 10.89.0.0/24 10.10.5.0/24
+    }
+
+    # Boot menus - no caching
+    @menus {
+        path /menus/* /menu
+    }
+    handle @menus {
+        import ipxe-headers
+        import ipxe-upstream
+    }
+
+    # Boot files (kernels, initramfs) - cache aggressively
+    @boot {
+        path /boot/*
+    }
+    handle @boot {
+        import ipxe-boot-headers
+        import ipxe-upstream
+    }
+
+    # Images (ISO, squashfs) - moderate caching, range support
+    @images {
+        path /images/*
+    }
+    handle @images {
+        import ipxe-image-headers
+        import ipxe-upstream
+    }
+
+    # Health/status endpoints
+    @health {
+        path /health /status
+    }
+    handle @health {
+        import ipxe-upstream
+    }
+
+    # Default handler for local network
+    handle @local_network {
+        import ipxe-upstream
+    }
+
+    # Block external access
+    handle {
+        respond "Access denied" 403
+    }
+
+    log {
+        output file /var/log/caddy/ipxe.log {
+            roll_size 10MB
+            roll_keep 3
+        }
+        format json
+    }
+}
+
+# HTTP endpoint for iPXE (required for legacy/chainloading)
+# iPXE firmware often starts with HTTP before HTTPS
+ipxe.nuc.lan:80 {
+    # Allow HTTP for initial iPXE chainload (most PXE ROMs don't support HTTPS)
+    @local_network {
+        remote_ip 192.168.1.0/24 10.89.0.0/24 10.10.5.0/24
+    }
+
+    # Menus via HTTP (for initial boot)
+    @menus {
+        path /menus/* /menu
+    }
+    handle @menus {
+        import ipxe-headers
+        import ipxe-upstream
+    }
+
+    # Boot files via HTTP
+    @boot {
+        path /boot/*
+    }
+    handle @boot {
+        import ipxe-boot-headers
+        import ipxe-upstream
+    }
+
+    # Images via HTTP (for clients that don't support HTTPS)
+    @images {
+        path /images/*
+    }
+    handle @images {
+        import ipxe-image-headers
+        import ipxe-upstream
+    }
+
+    # Health endpoint
+    handle @local_network {
+        import ipxe-upstream
+    }
+
+    handle {
+        respond "Access denied" 403
+    }
+}
+