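# === iPXE BOOT SERVER ===
# Add this to your main Caddyfile or include via import
# Requires: import snippets/ipxe at the top of Caddyfile
#
# Access control design:
#   Caddy picks the FIRST matching `handle` block, and `handle` blocks are
#   re-ordered by the Caddyfile's directive sorting (path-specific handles
#   first, the catch-all last). A trailing "deny everything else" handle
#   therefore does NOT protect paths that an earlier content handle already
#   matched -- /menus, /boot and /images would have been served to any
#   source address. The deny now lives inside a `route` block, which is
#   evaluated strictly in the order written, and runs before every content
#   handler, so the allow list applies to all paths.
#
# NOTE(review): remote_ip matches the TCP peer address. If Caddy is ever put
# behind a proxy/load balancer, set the `trusted_proxies` global option or the
# allow list will only ever see the proxy's address (and pass everything).

# HTTPS endpoint for iPXE (local network)
ipxe.nuc.lan {
    tls /etc/caddy/tls/wildcard.nuc.lan.crt /etc/caddy/tls/wildcard.nuc.lan.key {
        protocols tls1.2 tls1.3
    }

    # Anything NOT from the local boot networks is denied below
    @external {
        not remote_ip 192.168.1.0/24 10.89.0.0/24 10.10.5.0/24
    }

    # Boot menus - no caching
    @menus {
        path /menus/* /menu
    }

    # Boot files (kernels, initramfs) - cache aggressively
    @boot {
        path /boot/*
    }

    # Images (ISO, squashfs) - moderate caching, range support
    @images {
        path /images/*
    }

    # Health/status endpoints
    @health {
        path /health /status
    }

    # `route` keeps the directives in written order: the deny is evaluated
    # before any handler can proxy a request upstream.
    route {
        # Block external access (responds and stops; no later handler runs)
        respond @external "Access denied" 403

        handle @menus {
            import ipxe-headers
            import ipxe-upstream
        }

        handle @boot {
            import ipxe-boot-headers
            import ipxe-upstream
        }

        handle @images {
            import ipxe-image-headers
            import ipxe-upstream
        }

        handle @health {
            import ipxe-upstream
        }

        # Default handler; only local-network clients reach this point
        handle {
            import ipxe-upstream
        }
    }

    log {
        output file /var/log/caddy/ipxe.log {
            roll_size 10MB
            roll_keep 3
        }
        format json
    }
}

# HTTP endpoint for iPXE (required for legacy/chainloading)
# iPXE firmware often starts with HTTP before HTTPS
#
# SECURITY: this listener serves kernels/initramfs/images in cleartext. The
# source-address allow list limits WHO can ask, but it does not protect the
# payload from a network-position attacker on those subnets (ARP/DHCP spoofing,
# rogue PXE responder). Keep these VLANs isolated, and have the chainloaded iPXE
# script enforce image signatures (`imgtrust` / `imgverify`) and switch to the
# HTTPS URL as early as the firmware allows.
ipxe.nuc.lan:80 {
    # Allow HTTP for initial iPXE chainload (most PXE ROMs don't support HTTPS)
    @external {
        not remote_ip 192.168.1.0/24 10.89.0.0/24 10.10.5.0/24
    }

    # Menus via HTTP (for initial boot)
    @menus {
        path /menus/* /menu
    }

    # Boot files via HTTP
    @boot {
        path /boot/*
    }

    # Images via HTTP (for clients that don't support HTTPS)
    @images {
        path /images/*
    }

    route {
        # Block external access before any content handler can match
        respond @external "Access denied" 403

        handle @menus {
            import ipxe-headers
            import ipxe-upstream
        }

        handle @boot {
            import ipxe-boot-headers
            import ipxe-upstream
        }

        handle @images {
            import ipxe-image-headers
            import ipxe-upstream
        }

        # Default handler for local network (health/status fall through here)
        handle {
            import ipxe-upstream
        }
    }

    # Cleartext boot traffic is the most abusable path; keep its own audit log
    # so boot requests can be correlated with DHCP/PXE events during IR.
    log {
        output file /var/log/caddy/ipxe-http.log {
            roll_size 10MB
            roll_keep 3
        }
        format json
    }
}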