feat: custom ca for caddy (#931)

* fix: send email on transcript page permissions fixed

* feat: custom ca for caddy

gpu/self_hosted/Dockerfile

@@ -42,6 +42,7 @@ COPY pyproject.toml uv.lock /app/
 COPY ./app /app/app
 COPY ./main.py /app/
 COPY ./runserver.sh /app/
+COPY ./docker-entrypoint.sh /app/
 
 # prevent uv failing with too many open files on big cpus
 ENV UV_CONCURRENT_INSTALLS=16
@@ -52,6 +53,8 @@ RUN --mount=type=cache,target=/root/.cache/uv \
 
 EXPOSE 8000
 
-CMD ["sh", "/app/runserver.sh"]
+RUN chmod +x /app/docker-entrypoint.sh
+
+CMD ["sh", "/app/docker-entrypoint.sh"]
 
 

gpu/self_hosted/Dockerfile.cpu

@@ -26,6 +26,7 @@ COPY pyproject.toml uv.lock /app/
 COPY ./app /app/app
 COPY ./main.py /app/
 COPY ./runserver.sh /app/
+COPY ./docker-entrypoint.sh /app/
 
 # prevent uv failing with too many open files on big cpus
 ENV UV_CONCURRENT_INSTALLS=16
@@ -36,4 +37,6 @@ RUN --mount=type=cache,target=/root/.cache/uv \
 
 EXPOSE 8000
 
-CMD ["sh", "/app/runserver.sh"]
+RUN chmod +x /app/docker-entrypoint.sh
+
+CMD ["sh", "/app/docker-entrypoint.sh"]

gpu/self_hosted/docker-entrypoint.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+
+# Custom CA certificate injection
+# If a CA cert is mounted at this path (via docker-compose.ca.yml),
+# add it to the system trust store and configure all Python SSL libraries.
+CUSTOM_CA_PATH="/usr/local/share/ca-certificates/custom-ca.crt"
+
+if [ -s "$CUSTOM_CA_PATH" ]; then
+    echo "[entrypoint] Custom CA certificate detected, updating trust store..."
+    update-ca-certificates 2>/dev/null
+
+    # update-ca-certificates creates a combined bundle (system + custom CAs)
+    COMBINED_BUNDLE="/etc/ssl/certs/ca-certificates.crt"
+    export SSL_CERT_FILE="$COMBINED_BUNDLE"
+    export REQUESTS_CA_BUNDLE="$COMBINED_BUNDLE"
+    export CURL_CA_BUNDLE="$COMBINED_BUNDLE"
+    export GRPC_DEFAULT_SSL_ROOTS_FILE_PATH="$COMBINED_BUNDLE"
+    echo "[entrypoint] CA trust store updated (SSL_CERT_FILE=$COMBINED_BUNDLE)"
+fi
+
+exec sh /app/runserver.sh