From ff1cb54475264045786a424c192dfb6b5c3d5fee Mon Sep 17 00:00:00 2001
From: Ed Geraghty
Date: Mon, 15 Dec 2025 15:18:11 +0000
Subject: [PATCH 1/3] Simplify caddy config files
---
 scripts/container-entrypoint.sh | 32 +++++++++----------------------
 1 file changed, 9 insertions(+), 23 deletions(-)
diff --git a/scripts/container-entrypoint.sh b/scripts/container-entrypoint.sh
index d95f64f..ca24244 100755
--- a/scripts/container-entrypoint.sh
+++ b/scripts/container-entrypoint.sh
@@ -17,6 +17,7 @@ declare helper_scripts=(
 abort_config=false
 litestream_enabled=true
 https_enabled=true
+caddy_config_file=""
 # Caddyfile block placeholders
 ACME_EAB_BLOCK=""
@@ -220,17 +221,6 @@ create_headscale_config() {
 create_config_from_template "${headscale_config}" "Headscale configuration file"
 }
-#######################################
-# Create our Caddyfile
-#######################################
-create_caddyfile() {
- if ${https_enabled}; then
- create_config_from_template "${caddyfile_https}" "Caddy HTTPS configuration file"
- else
- create_config_from_template "${caddyfile_cleartext}" "Caddy HTTP configuration file"
- fi
-}
-
 #######################################
 # Validate ZeroSSL EAB credentials if provided and modify Caddyfile as needed
 #######################################
@@ -353,6 +343,9 @@ check_caddy_environment_variables() {
 if env_var_is_defined "CADDY_FRONTEND" && [[ "${CADDY_FRONTEND}" = "DISABLE_HTTPS" ]]; then
 https_enabled=false
+ caddy_config_file="${caddyfile_cleartext}"
+ else
+ caddy_config_file="${caddyfile_https}"
 return
 fi
@@ -427,7 +420,7 @@ check_config_files() {
 create_headscale_config
- create_caddyfile
+ create_config_from_template "${caddy_config_file}" "Caddy configuration file"
 reuse_or_create_noise_private_key
 }
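Review bot: In check_caddy_environment_variables (the @@ -353 hunk) the `return` has moved from the `DISABLE_HTTPS` branch into the new `else` branch, which reverses the early exit: with HTTPS enabled the function now returns straight after setting `caddy_config_file="${caddyfile_https}"`, and with HTTPS disabled it falls through into whatever follows `fi`. The rest of the function is outside this hunk, but if it holds the HTTPS-only checks (the ACME/EAB and security-header placeholders declared near the top of the script suggest it does), they would be skipped exactly when HTTPS is in use. Keeping `return` as the last line of the `then` branch and assigning `caddy_config_file="${caddyfile_https}"` after `fi` would preserve the previous control flow.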
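Review bot: `create_config_from_template "${caddy_config_file}" "Caddy configuration file"` in check_config_files (the @@ -427 hunk) has no guard for the empty default that the first hunk gives `caddy_config_file`; the same applies to `caddy start --config "${caddy_config_file}"` in start_caddy_service (the @@ -496 hunk). As far as these hunks show, the value is assigned only inside check_caddy_environment_variables, so a call-order change or an earlier return there would hand both commands an empty path. Failing closed before use, for example `[[ -n "${caddy_config_file}" ]] || { log_error "caddy_config_file is not set"; return 1; }`, keeps Caddy from being started without the intended configuration. Both functions extend beyond their hunks.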
@@ -496,17 +489,10 @@ display_configuration_summary() {
 start_caddy_service() {
 log_info "Starting Caddy using our environment variables."
- if ${https_enabled}; then
- caddy start --config "${caddyfile_https}" || {
- log_error "Failed to start Caddy with HTTPS config"
- return
- }
- else
- caddy start --config "${caddyfile_cleartext}" || {
- log_error "Failed to start Caddy with cleartext config"
- return
- }
- fi
+ caddy start --config "${caddy_config_file}" || {
+ log_error "Failed to start Caddy"
+ return
+ }
 # Verify Caddy is actually running
 sleep 2
From c1075d3201f87d4831a5ee732b1291f77807b507 Mon Sep 17 00:00:00 2001
From: Ed Geraghty
Date: Mon, 15 Dec 2025 15:19:11 +0000
Subject: [PATCH 2/3] Collapse headscale config logic down a bit
---
 scripts/container-entrypoint.sh | 27 +--------------------------
 1 file changed, 1 insertion(+), 26 deletions(-)
diff --git a/scripts/container-entrypoint.sh b/scripts/container-entrypoint.sh
index ca24244..0bd5870 100755
--- a/scripts/container-entrypoint.sh
+++ b/scripts/container-entrypoint.sh
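Review bot: The bare `return` inside the new `caddy start --config "${caddy_config_file}" || { … }` block in start_caddy_service (PATCH 1/3, the @@ -496 hunk) returns the exit status of the preceding `log_error`, not Caddy's failure. Unless `log_error` (not visible here) returns non-zero, the caller sees success and may carry on without the front end running; `return 1` makes the failure explicit. The message also lost the HTTPS/cleartext wording, so `log_error "Failed to start Caddy with ${caddy_config_file}"` would keep the log line as informative as before. The function body continues past the end of the hunk.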
@@ -196,31 +196,6 @@ check_headscale_environment_vars() {
 check_env_var_or_set_default "EPHEMERAL_NODE_INACTIVITY_TIMEOUT" "${headscale_ephemeral_node_inactivity_timeout_default}" "^[0-9]+[smhd]([0-9]+[smhd])*$" "Invalid 'EPHEMERAL_NODE_INACTIVITY_TIMEOUT'. Must be a valid duration (e.g., '30m', '1h', '90s')."
 }
-#######################################
-# Create our Headscale configuration file
-#######################################
-create_headscale_config() {
- # Ensure all template variables are exported for envsubst
- local template_vars=(
- "ACME_EAB_BLOCK"
- "CLOUDFLARE_ACME_BLOCK"
- "SECURITY_HEADERS_BLOCK"
- "PUBLIC_SERVER_URL"
- "PUBLIC_LISTEN_PORT"
- "HEADSCALE_DNS_BASE_DOMAIN"
- "HEADSCALE_OVERRIDE_LOCAL_DNS"
- "MAGIC_DNS"
- "IP_PREFIXES"
- "IP_ALLOCATION"
- "HEADSCALE_EXTRA_RECORDS_PATH"
- )
- for var in "${template_vars[@]}"; do
- export "${var}=${!var}"
- done
- create_config_from_template "${headscale_config}" "Headscale configuration file"
-}
-
 #######################################
 # Validate ZeroSSL EAB credentials if provided and modify Caddyfile as needed
 #######################################
@@ -418,7 +393,7 @@ check_config_files() {
 export "${var}=${!var}"
 done
- create_headscale_config
+ create_config_from_template "${headscale_config}" "Headscale configuration file"
 create_config_from_template "${caddy_config_file}" "Caddy configuration file"
From ba315ec5ca078e31af80b29f24f26571f052d77d Mon Sep 17 00:00:00 2001
From: Ed Geraghty
Date: Mon, 15 Dec 2025 15:23:11 +0000
Subject: [PATCH 3/3] Whitespace lint
---
 scripts/container-entrypoint.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/container-entrypoint.sh b/scripts/container-entrypoint.sh
index 0bd5870..a5c8a40 100755
--- a/scripts/container-entrypoint.sh
+++ b/scripts/container-entrypoint.sh
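Review bot: With `create_headscale_config` removed, both `create_config_from_template` calls in check_config_files (PATCH 2/3, the @@ -418 hunk) depend on an export loop of which only the last two lines (`export "${var}=${!var}"`, `done`) are visible in this hunk. The deleted helper exported eleven names, among them `SECURITY_HEADERS_BLOCK` and `HEADSCALE_EXTRA_RECORDS_PATH`, and its comment says they feed envsubst; if the surviving list is shorter, a placeholder for an unexported variable would presumably render as empty text rather than fail. It is worth confirming the two lists match and adding a comment above the loop such as `# Every placeholder used by the Headscale and Caddy templates must be listed here`.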
@@ -360,8 +360,8 @@ reuse_or_create_noise_private_key() {
 fi
 if env_var_is_defined "HEADSCALE_NOISE_PRIVATE_KEY"; then
- printf '%s' "${HEADSCALE_NOISE_PRIVATE_KEY}" > "${key_path}"
- chmod 600 "${key_path}"
+ printf '%s' "${HEADSCALE_NOISE_PRIVATE_KEY}" > "${key_path}"
+ chmod 600 "${key_path}"
 else
 log_info "Generating new Noise private key - existing clients will need to re-authenticate"
 fi