Restrict access to caddy admin api

2025-05-06 16:23:32 +02:00 · 2025-05-06 16:23:32 +02:00 · 83749c4493
commit 83749c4493
parent 4a853065db
4 changed files with 11 additions and 8 deletions
--- a/playbooks/roles/caddy/templates/Caddyfile.j2
+++ b/playbooks/roles/caddy/templates/Caddyfile.j2
@ -1,14 +1,21 @@
 {
 	email {{ admin_email }}

+    metrics
+
 	servers {
-		metrics
 		strict_sni_host on
 	}
 }

 import /etc/caddy/snippets

+http://{{ host_vpn.domain }} {
+    import vpn_only
+
+    metrics
+}
+
 *.serguzim.me {
 	import acmedns

--- a/playbooks/roles/caddy/vars/main.yml
+++ b/playbooks/roles/caddy/vars/main.yml
@ -4,13 +4,10 @@ caddy_acmedns_pass: "{{ vault_caddy.acmedns.pass }}"
 caddy_acmedns_subd: "{{ vault_caddy.acmedns.subd }}"
 caddy_acmedns_url: "https://{{ acme_dns.host }}"

-caddy_ports_default:
-  - "{{ host_vpn.ip }}:2019:2019"
-caddy_ports_extra: "{{ host_services | services_get_attr('ports') | flatten | services_ports_to_docker('reverse_proxy') }}"
-caddy_ports: "{{ caddy_ports_default | union(caddy_ports_extra) }}"
+caddy_ports: "{{ host_services | services_get_attr('ports') | flatten | services_ports_to_docker('reverse_proxy') }}"

 caddy_env:
-  CADDY_ADMIN: 0.0.0.0:2019
+  CADDY_ADMIN: unix//run/caddy-admin.sock

  ACMEDNS_USER: "{{ caddy_acmedns_user }}"
  ACMEDNS_PASS: "{{ caddy_acmedns_pass }}"