hiveloom tls
Hiveloom does not run a TLS terminator itself. Instead, this command emits configuration for an external proxy. Today there is one subcommand:
hiveloom tls render— print a complete Caddyfile.
Synopsis
hiveloom tls <COMMAND>hiveloom tls render
Prints a Caddyfile to stdout that:
- Terminates TLS for
--hostusing Let’s Encrypt. - Proxies all traffic to
127.0.0.1:<--upstream-port>. - Forwards
X-Forwarded-Protoso OAuth metadata rendershttps://URLs.
It does not install Caddy and does not apply the configuration — you pipe the output where you want it.
Synopsis
hiveloom tls render --host <HOST> --email <EMAIL> [OPTIONS]Options
| Flag | Default | Description |
|---|---|---|
--host <HOST> | — (required) | Public hostname. DNS must already point at the VPS — Hiveloom does not verify this. |
--email <EMAIL> | — (required) | Contact email used by Let’s Encrypt for renewal notices. |
--acme-env <production|staging> | production | Use staging while testing to avoid Let’s Encrypt rate limits. |
--upstream-port <PORT> | 3000 | Hiveloom upstream port Caddy should proxy to. |
Examples
Render and write directly into Caddy’s config directory:
hiveloom tls render \
--host hiveloom.example.com \
--email ops@example.com \
| sudo tee /etc/caddy/Caddyfile
sudo systemctl reload caddyStage a certificate first to avoid Let’s Encrypt rate limits:
hiveloom tls render \
--host hiveloom.example.com \
--email ops@example.com \
--acme-env staging \
> /tmp/Caddyfile.stagingOnce staging works, re-render with --acme-env production.
See also
- Reverse proxy — full guided setup.
- TLS — common Let’s Encrypt failure modes.