ipxe-container/ipxe.caddyfile

# === iPXE BOOT SERVER ===
# Add this to your main Caddyfile or include via import
# Requires: import snippets/ipxe at the top of Caddyfile

# HTTPS endpoint for iPXE (local network)
ipxe.nuc.lan {
    tls /etc/caddy/tls/wildcard.nuc.lan.crt /etc/caddy/tls/wildcard.nuc.lan.key {
        protocols tls1.2 tls1.3
    }

    # Only allow local network access
    @local_network {
        remote_ip 192.168.1.0/24 10.89.0.0/24 10.10.5.0/24
    }

    # Boot menus - no caching
    @menus {
        path /menus/* /menu
    }
    handle @menus {
        import ipxe-headers
        import ipxe-upstream
    }

    # Boot files (kernels, initramfs) - cache aggressively
    @boot {
        path /boot/*
    }
    handle @boot {
        import ipxe-boot-headers
        import ipxe-upstream
    }

    # Images (ISO, squashfs) - moderate caching, range support
    @images {
        path /images/*
    }
    handle @images {
        import ipxe-image-headers
        import ipxe-upstream
    }

    # Health/status endpoints
    @health {
        path /health /status
    }
    handle @health {
        import ipxe-upstream
    }

    # Default handler for local network
    handle @local_network {
        import ipxe-upstream
    }

    # Block external access
    handle {
        respond "Access denied" 403
    }

    log {
        output file /var/log/caddy/ipxe.log {
            roll_size 10MB
            roll_keep 3
        }
        format json
    }
}

# HTTP endpoint for iPXE (required for legacy/chainloading)
# iPXE firmware often starts with HTTP before HTTPS
ipxe.nuc.lan:80 {
    # Allow HTTP for initial iPXE chainload (most PXE ROMs don't support HTTPS)
    @local_network {
        remote_ip 192.168.1.0/24 10.89.0.0/24 10.10.5.0/24
    }

    # Menus via HTTP (for initial boot)
    @menus {
        path /menus/* /menu
    }
    handle @menus {
        import ipxe-headers
        import ipxe-upstream
    }

    # Boot files via HTTP
    @boot {
        path /boot/*
    }
    handle @boot {
        import ipxe-boot-headers
        import ipxe-upstream
    }

    # Images via HTTP (for clients that don't support HTTPS)
    @images {
        path /images/*
    }
    handle @images {
        import ipxe-image-headers
        import ipxe-upstream
    }

    # Health endpoint
    handle @local_network {
        import ipxe-upstream
    }

    handle {
        respond "Access denied" 403
    }
}