From 0206817c4f1cc9545159ad39c8831ee2ffd35a61 Mon Sep 17 00:00:00 2001 From: otbutz Date: Wed, 28 Jun 2023 18:57:23 +0200 Subject: [PATCH 1/4] Add NET_ADMIN documentation --- caddy/content.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/caddy/content.md b/caddy/content.md index 7a8acc40b03e..c6da0ef8b460 100644 --- a/caddy/content.md +++ b/caddy/content.md @@ -20,6 +20,14 @@ In the examples below, a [named volume](https://docs.docker.com/storage/volumes/ Note that named volumes are persisted across container restarts and terminations, so if you move to a new image version, the same data and config directories can be re-used. +### Linux capabilities + +Caddy ships with HTTP/3 support enabled by default. To improve the performance of this UDP based protocol, the underlying quic-go library tries to increase the buffer sizes for its socket. The `NET_ADMIN` capability allows it to override the low default limits of the operating system without having to change kernel parameters via sysctl. + +Giving the container this capability is optional and has potential, though unlikely, [security implications](https://unix.stackexchange.com/a/508816). + +see https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes + ### Basic Usage The default config file simply serves files from `/usr/share/caddy`, so if you want to serve `index.html` from the current working directory: @@ -49,7 +57,7 @@ $ docker run -d -p 80:80 \ The default `Caddyfile` only listens to port `80`, and does not set up automatic TLS. However, if you have a domain name for your site, and its A/AAAA DNS records are properly pointed to this machine's public IP, then you can use this command to simply serve a site over HTTPS: ```console -$ docker run -d -p 80:80 -p 443:443 -p 443:443/udp \ +$ docker run --cap-add=NET_ADMIN -d -p 80:80 -p 443:443 -p 443:443/udp \ -v /site:/srv \ -v caddy_data:/data \ -v caddy_config:/config \ 
@@ -120,6 +128,8 @@ services: caddy: image: %%IMAGE%%: restart: unless-stopped + cap_add: + - NET_ADMIN ports: - "80:80" - "443:443" From 37cd7bd6590fe394b0472c38dbc018525b53cb31 Mon Sep 17 00:00:00 2001 From: otbutz Date: Thu, 29 Jun 2023 08:49:00 +0200 Subject: [PATCH 2/4] Move capabilities section lower --- caddy/content.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/caddy/content.md b/caddy/content.md index c6da0ef8b460..9bdbdab4c4f4 100644 --- a/caddy/content.md +++ b/caddy/content.md @@ -20,14 +20,6 @@ In the examples below, a [named volume](https://docs.docker.com/storage/volumes/ Note that named volumes are persisted across container restarts and terminations, so if you move to a new image version, the same data and config directories can be re-used. -### Linux capabilities - -Caddy ships with HTTP/3 support enabled by default. To improve the performance of this UDP based protocol, the underlying quic-go library tries to increase the buffer sizes for its socket. The `NET_ADMIN` capability allows it to override the low default limits of the operating system without having to change kernel parameters via sysctl. - -Giving the container this capability is optional and has potential, though unlikely, [security implications](https://unix.stackexchange.com/a/508816). - -see https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes - ### Basic Usage The default config file simply serves files from `/usr/share/caddy`, so if you want to serve `index.html` from the current working directory: 
@@ -117,6 +109,14 @@ $ caddy_container_id=$(docker ps | grep caddy | awk '{print $1;}') $ docker exec -w /etc/caddy $caddy_container_id caddy reload ``` +### Linux capabilities + +Caddy ships with HTTP/3 support enabled by default. To improve the performance of this UDP based protocol, the underlying quic-go library tries to increase the buffer sizes for its socket. The `NET_ADMIN` capability allows it to override the low default limits of the operating system without having to change kernel parameters via sysctl. + +Giving the container this capability is optional and has potential, though unlikely, [security implications](https://unix.stackexchange.com/a/508816). + +see https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes + ### Docker Compose example If you prefer to use `docker-compose` to run your stack, here's a sample service definition. From ff2cf1f734a9b0188e52780b39a6906cd48221bc Mon Sep 17 00:00:00 2001 From: otbutz Date: Tue, 5 Sep 2023 08:11:24 +0200 Subject: [PATCH 3/4] Update caddy/content.md Co-authored-by: Francis Lavoie --- caddy/content.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/caddy/content.md b/caddy/content.md index 9bdbdab4c4f4..11ae16385e67 100644 --- a/caddy/content.md +++ b/caddy/content.md 
@@ -113,9 +113,9 @@ $ docker exec -w /etc/caddy $caddy_container_id caddy reload Caddy ships with HTTP/3 support enabled by default. To improve the performance of this UDP based protocol, the underlying quic-go library tries to increase the buffer sizes for its socket. The `NET_ADMIN` capability allows it to override the low default limits of the operating system without having to change kernel parameters via sysctl. -Giving the container this capability is optional and has potential, though unlikely, [security implications](https://unix.stackexchange.com/a/508816). +Giving the container this capability is optional and has potential, though unlikely, to have [security implications](https://unix.stackexchange.com/a/508816). -see https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes +See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for more details. ### Docker Compose example From d0550deb27f307156ebcbe30d3bc4adcc899cf3c Mon Sep 17 00:00:00 2001 From: otbutz Date: Tue, 5 Sep 2023 08:11:35 +0200 Subject: [PATCH 4/4] Update caddy/content.md Co-authored-by: Francis Lavoie --- caddy/content.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/caddy/content.md b/caddy/content.md index 11ae16385e67..f97e70bff147 100644 --- a/caddy/content.md +++ b/caddy/content.md @@ -49,7 +49,7 @@ $ docker run -d -p 80:80 \ The default `Caddyfile` only listens to port `80`, and does not set up automatic TLS. However, if you have a domain name for your site, and its A/AAAA DNS records are properly pointed to this machine's public IP, then you can use this command to simply serve a site over HTTPS: ```console -$ docker run --cap-add=NET_ADMIN -d -p 80:80 -p 443:443 -p 443:443/udp \ +$ docker run -d --cap-add=NET_ADMIN -p 80:80 -p 443:443 -p 443:443/udp \ -v /site:/srv \ -v caddy_data:/data \ -v caddy_config:/config \
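Review bot: the new "Linux capabilities" section in the first hunk of PATCH 1 (`@@ -20,6 +20,14 @@`) calls the capability optional but never says what happens when it is omitted; add one sentence stating that Caddy still starts and still serves HTTP/3, only with the operating system's default UDP buffer sizes, and that raising those limits via sysctl on the host (the route the text mentions only in passing) is the alternative for operators who do not want to grant `NET_ADMIN`. The phrase "potential, though unlikely, security implications" is also too vague to act on: `NET_ADMIN` is not scoped to the one socket-buffer `setsockopt` quic-go needs, so name what else it permits inside the container's network namespace, or at least say that it is a broad network-administration capability, so readers can weigh the privilege against the performance gain rather than follow a link to find out.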
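Review bot: in the `docker run` hunk of PATCH 1 (`@@ -49,7 +57,7 @@`) the HTTPS example now carries `--cap-add=NET_ADMIN` unconditionally, which contradicts the prose's "optional" and makes the elevated capability the de facto default for everyone who copies the command. Suggest keeping the baseline command as it was (`$ docker run -d -p 80:80 -p 443:443 -p 443:443/udp \`) and showing the `--cap-add=NET_ADMIN` variant inside the "Linux capabilities" section as the explicit opt-in form; as placed in this patch the flag also appears some thirty lines before the section that explains it.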
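Review bot: the compose hunk of PATCH 1 (`@@ -120,6 +128,8 @@`) has the same optional-versus-default problem as the `docker run` change: `cap_add:` / `- NET_ADMIN` is added to the sample service with no indication that it can be left out. YAML allows comments, so either mark it (`# optional: only needed for larger HTTP/3 UDP buffers, see "Linux capabilities"`) or ship the two lines commented out so a reader opts in deliberately; it is also worth a note that `cap_add` adds to the container's default capability set rather than replacing it.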
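Review bot: the second hunk of PATCH 2 (`@@ -117,6 +109,14 @@`) moves the "Linux capabilities" section below the `caddy reload` example, which is a sensible place for an advanced topic, but it leaves the HTTPS `docker run` example near line 57, which already contains `--cap-add=NET_ADMIN`, without any explanation at the point of use. Add a one-line pointer there (for example "`--cap-add=NET_ADMIN` is optional; see Linux capabilities below") or drop the flag from that example, otherwise the reader meets the privilege before its rationale.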
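Review bot: the reworded sentence in the PATCH 3 hunk still reads awkwardly: "has potential, though unlikely, to have security implications" doubles "has ... to have". Suggest "Giving the container this capability is optional and may, though unlikely, have security implications", which keeps the author's meaning with one verb. The change from "see ..." to "See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for more details." is fine.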