Fix pre-commit hooks and move directories

roles/ and inventory/ are now in playbooks/ also fixed issues reported by ansible-lint
2024-10-14 18:30:24 +02:00 · 2024-10-14 18:30:24 +02:00 · 4104057771
commit 4104057771
parent dc398ddb6e
123 changed files with 91 additions and 39 deletions
--- a/playbooks/roles/caddy/defaults/main.yml
+++ b/playbooks/roles/caddy/defaults/main.yml
@ -0,0 +1 @@
+caddy_ports_extra: []
--- a/playbooks/roles/caddy/files/Dockerfile
+++ b/playbooks/roles/caddy/files/Dockerfile
@ -0,0 +1,8 @@
+FROM caddy:2-builder AS builder
+
+RUN xcaddy build \
+    --with github.com/caddy-dns/acmedns@main
+
+FROM caddy:2-alpine
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
--- a/playbooks/roles/caddy/files/snippets
+++ b/playbooks/roles/caddy/files/snippets
@ -0,0 +1,46 @@
+(auth_serguzim_me) {
+    # always forward outpost path to actual outpost
+    reverse_proxy /outpost.goauthentik.io/* authentik:9000
+
+    # forward authentication to outpost
+    forward_auth authentik:9000 {
+        uri /outpost.goauthentik.io/auth/caddy
+
+        # capitalization of the headers is important, otherwise they will be empty
+        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+
+        # optional, in this config trust all private ranges, should probably be set to the outposts IP
+        trusted_proxies private_ranges
+    }
+}
+
+(default) {
+	encode zstd gzip
+}
+
+(acmedns) {
+	tls {
+		dns acmedns {
+			username "{$ACMEDNS_USER}"
+			password "{$ACMEDNS_PASS}"
+			subdomain "{$ACMEDNS_SUBD}"
+			server_url "{$ACMEDNS_URL}"
+		}
+	}
+}
+
+(faas) {
+	rewrite * /function/{args[0]}{uri}
+	reverse_proxy https://faas.serguzim.me {
+		header_up Host {http.reverse_proxy.upstream.hostport}
+	}
+}
+
+(analytics) {
+	handle_path /_a/* {
+		reverse_proxy https://analytics.serguzim.me {
+			header_up X-Analytics-IP {remote}
+			header_up Host {http.reverse_proxy.upstream.hostport}
+		}
+	}
+}
--- a/playbooks/roles/caddy/tasks/main.yml
+++ b/playbooks/roles/caddy/tasks/main.yml
@ -0,0 +1,56 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy {{ role_name }}
+  vars:
+    env: "{{ caddy_env }}"
+    compose: "{{ caddy_compose }}"
+  block:
+    - name: Import prepare tasks for common service
+      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
+
+    - name: Copy the Dockerfile
+      ansible.builtin.copy:
+        src: Dockerfile
+        dest: "{{ (service_path, 'Dockerfile') | path_join }}"
+        mode: "0644"
+      register: cmd_result
+
+    - name: Set the docker rebuild flag
+      ansible.builtin.set_fact:
+        docker_rebuild: true
+      when: cmd_result.changed # noqa: no-handler We need to handle the restart per service. Handlers don't support variables.
+
+    - name: Set caddy config path
+      ansible.builtin.set_fact:
+        config_path: "{{ (service_path, 'config') | path_join }}"
+
+    - name: Create config directory
+      ansible.builtin.file:
+        path: "{{ config_path }}"
+        state: directory
+        mode: "0755"
+
+    - name: Template caddyfile
+      ansible.builtin.template:
+        src: Caddyfile.j2
+        dest: "{{ (config_path, 'Caddyfile') | path_join }}"
+        mode: "0644"
+      notify: Reload caddy
+
+    - name: Copy snippets file
+      ansible.builtin.copy:
+        src: snippets
+        dest: "{{ (config_path, 'snippets') | path_join }}"
+        mode: "0644"
+      notify: Reload caddy
+
+    - name: Create sites-config directory
+      ansible.builtin.file:
+        path: "{{ caddy_config_path }}"
+        state: directory
+        mode: "0755"
+
+    - name: Import start tasks for common service
+      ansible.builtin.import_tasks: tasks/start-common-service.yml
--- a/playbooks/roles/caddy/templates/Caddyfile.j2
+++ b/playbooks/roles/caddy/templates/Caddyfile.j2
@ -0,0 +1,11 @@
+{
+	email {{ admin_email }}
+
+	servers {
+		metrics
+		strict_sni_host on
+	}
+}
+
+import /etc/caddy/snippets
+import /etc/caddy/conf.d/*.conf
--- a/playbooks/roles/caddy/vars/main.yml
+++ b/playbooks/roles/caddy/vars/main.yml
@ -0,0 +1,38 @@
+---
+caddy_acmedns_user: "{{ vault_caddy.acmedns.user }}"
+caddy_acmedns_pass: "{{ vault_caddy.acmedns.pass }}"
+caddy_acmedns_subd: "{{ vault_caddy.acmedns.subd }}"
+caddy_acmedns_url: "https://{{ acme_dns.host }}"
+
+caddy_ports_default:
+  - 80:80
+  - 443:443
+  - 443:443/udp
+  - "{{ host_vpn.ip }}:2019:2019"
+caddy_ports_extra: "{{ all_services | my_service_attributes(inventory_hostname, 'ports') }}"
+caddy_ports: "{{ caddy_ports_default | union(caddy_ports_extra) }}"
+
+caddy_env:
+  CADDY_ADMIN: 0.0.0.0:2019
+
+  ACMEDNS_USER: "{{ caddy_acmedns_user }}"
+  ACMEDNS_PASS: "{{ caddy_acmedns_pass }}"
+  ACMEDNS_SUBD: "{{ caddy_acmedns_subd }}"
+  ACMEDNS_URL: "{{ caddy_acmedns_url }}"
+
+caddy_compose:
+  watchtower: false
+  image: "{{ (container_registry.public, 'services/caddy:2-alpine') | path_join }}"
+  volumes:
+    - "./config:/etc/caddy/"
+    - data:/data
+  file:
+    services:
+      app:
+        build:
+          context: .
+        ports: "{{ caddy_ports }}"
+        extra_hosts:
+          - host.docker.internal:host-gateway
+    volumes:
+      data: