The base Caddy Docker image is intentionally lean—around 50MB—to avoid bundling unnecessary components. However, if you need extra functionality, such as automatic SSL certificate issuance using the ACME DNS challenge via Cloudflare and Let’s Encrypt (as I did), you’ll need an image that includes the required plug-in. You have two options: use a community-maintained prebuilt image (the easy way), or build your own (the hard way). Here, we’re going with the hard way.

Here’s the setup.

1. You have one or more services running in Docker containers.
2. The devices that need to access those services are part of a Tailscale network (Tailnet).
3. You own a public domain name (e.g., your-domain.com)
4. You want/need to serve those services via HTTPS
5. You don’t want to open any ports or other holes in your firewall.
6. You don’t want to mess with self-signed certificates or create your own private certificate authority.

If this is your situation, this post might help.