From 297325cce5bdef442ff4da74283958d93df14fe2 Mon Sep 17 00:00:00 2001
From: Tobias Reisinger
Date: Thu, 14 Dec 2023 20:30:34 +0100
Subject: [PATCH] Add some of caddy to ansible
---
 .pre-commit-config.yaml | 7 ++++
 _ansible/node002.yml | 10 +++++-
 _ansible/node003.yml | 5 ++-
 _ansible/roles/caddy/defaults/main.yml | 1 +
 _ansible/roles/caddy/files/Dockerfile | 8 +++++
 _ansible/roles/caddy/files/snippets | 37 +++++++++++++++++++
 _ansible/roles/caddy/tasks/clean-sites.yml | 11 ------
 _ansible/roles/caddy/tasks/main.yml | 39 +++++++++++++++++----
 _ansible/roles/caddy/tasks/reload-caddy.yml | 16 --------
 _ansible/roles/caddy/templates/Caddyfile.j2 | 11 ++++++
 _ansible/roles/caddy/vars/main.yml | 37 +++++++++++++++++++
 _ansible/roles/synapse/vars/main.yml | 2 +-
 _ansible/serguzim.net.yml | 9 +++++
 13 files changed, 156 insertions(+), 37 deletions(-)
 create mode 100644 .pre-commit-config.yaml
 create mode 100644 _ansible/roles/caddy/defaults/main.yml
 create mode 100644 _ansible/roles/caddy/files/Dockerfile
 create mode 100644 _ansible/roles/caddy/files/snippets
 delete mode 100644 _ansible/roles/caddy/tasks/clean-sites.yml
 delete mode 100644 _ansible/roles/caddy/tasks/reload-caddy.yml
 create mode 100644 _ansible/roles/caddy/templates/Caddyfile.j2
 create mode 100644 _ansible/roles/caddy/vars/main.yml
 create mode 100644 _ansible/serguzim.net.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..c67ce61
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,7 @@
+repos:
+ - repo: https://github.com/ansible/ansible-lint
+ rev: v6.22.1
+ hooks:
+ - id: ansible-lint
+ args:
+ - _ansible/serguzim.net.yml
diff --git a/_ansible/node002.yml b/_ansible/node002.yml
index 8480a7a..1966878 100644
--- a/_ansible/node002.yml
+++ b/_ansible/node002.yml
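Review bot: `rev: v6.22.1` pins the ansible-lint hook to a git tag, and tags are mutable, so the code that every contributor's pre-commit run fetches and executes can change without any diff in this repository. pre-commit accepts a full commit SHA in `rev`; pin to the SHA that `v6.22.1` currently resolves to and keep the tag as a trailing comment, e.g. `rev: <full commit sha>  # v6.22.1`, so that upgrades are explicit commits. The hook is also only pointed at `_ansible/serguzim.net.yml`; that is fine while every node playbook is reached through it, but a comment such as `# serguzim.net.yml imports all node playbooks, so linting it covers them` would stop someone adding a playbook and wondering why it is never linted.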
@@ -2,7 +2,15 @@
 - name: Run roles for node002
 hosts: node002
 roles:
- - common
+ - role: common
+ tags: [always]
+ - role: caddy
+ tags: [caddy, reverse-proxy, webserver]
+ vars:
+ caddy_ports_extra:
+ - 8008:8008
+ - 8448:8448
+
 - role: acme_dns
 tags: [acme-dns, certificates]
diff --git a/_ansible/node003.yml b/_ansible/node003.yml
index 812469b..70ccb0e 100644
--- a/_ansible/node003.yml
+++ b/_ansible/node003.yml
@@ -2,7 +2,10 @@
 - name: Run roles for node003
 hosts: node003
 roles:
- - common
+ - role: common
+ tags: [always]
+ - role: caddy
+ tags: [caddy, reverse-proxy, webserver]
+
 - role: minio
 tags: [minio, storage]
diff --git a/_ansible/roles/caddy/defaults/main.yml b/_ansible/roles/caddy/defaults/main.yml
new file mode 100644
index 0000000..d55dc2b
--- /dev/null
+++ b/_ansible/roles/caddy/defaults/main.yml
@@ -0,0 +1 @@
+caddy_ports_extra: []
diff --git a/_ansible/roles/caddy/files/Dockerfile b/_ansible/roles/caddy/files/Dockerfile
new file mode 100644
index 0000000..f383d18
--- /dev/null
+++ b/_ansible/roles/caddy/files/Dockerfile
@@ -0,0 +1,8 @@
+FROM caddy:2-builder AS builder
+
+RUN xcaddy build \
+ --with github.com/caddy-dns/acmedns@main
+
+FROM caddy:2-alpine
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
diff --git a/_ansible/roles/caddy/files/snippets b/_ansible/roles/caddy/files/snippets
new file mode 100644
index 0000000..1f94af9
--- /dev/null
+++ b/_ansible/roles/caddy/files/snippets
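Review bot: `--with github.com/caddy-dns/acmedns@main` compiles the DNS plugin that will hold the ACME-DNS credentials from the tip of a moving branch, and `caddy:2-builder` / `caddy:2-alpine` are floating tags, so two builds of this Dockerfile on different days can produce different binaries with no change in the repository and no review step in between. Pin the module to a released tag or a commit (`--with github.com/caddy-dns/acmedns@<tag-or-commit>`), pass an explicit Caddy version to `xcaddy build` so the plugin and core are built against a known pair, and consider digest-pinning the two base images. A short comment above the `RUN` line recording why the plugin is needed (DNS-01 issuance through the acmedns snippet) and where to bump the pin would make future upgrades deliberate rather than accidental.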
@@ -0,0 +1,37 @@
+(auth_serguzim_me) {
+ # always forward outpost path to actual outpost
+ reverse_proxy /outpost.goauthentik.io/* authentik:9000
+
+ # forward authentication to outpost
+ forward_auth authentik:9000 {
+ uri /outpost.goauthentik.io/auth/caddy
+
+ # capitalization of the headers is important, otherwise they will be empty
+ copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+
+ # optional, in this config trust all private ranges, should probably be set to the outposts IP
+ trusted_proxies private_ranges
+ }
+}
+
+(default) {
+ encode zstd gzip
+}
+
+(acmedns) {
+ tls {
+ dns acmedns {
+ username "{$ACMEDNS_USER}"
+ password "{$ACMEDNS_PASS}"
+ subdomain "{$ACMEDNS_SUBD}"
+ server_url "{$ACMEDNS_URL}"
+ }
+ }
+}
+
+(faas) {
+ rewrite * /function/{args[0]}{uri}
+ reverse_proxy https://faas.serguzim.me {
+ header_up Host {http.reverse_proxy.upstream.hostport}
+ }
+}
diff --git a/_ansible/roles/caddy/tasks/clean-sites.yml b/_ansible/roles/caddy/tasks/clean-sites.yml
deleted file mode 100644
index 71dbe04..0000000
--- a/_ansible/roles/caddy/tasks/clean-sites.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-- name: Find caddy site configs, but exclude managed sites
- ansible.builtin.find:
- paths: "{{ caddy_config_path }}"
- excludes: "{{ managed_sites | default([]) }}"
- register: files_to_delete
-
-- name: Remove unmanaged sites
- file:
- path: "{{ item.path }}"
- state: absent
- with_items: "{{ files_to_delete.files }}"
diff --git a/_ansible/roles/caddy/tasks/main.yml b/_ansible/roles/caddy/tasks/main.yml
index e3ef9fb..1699bf9 100644
--- a/_ansible/roles/caddy/tasks/main.yml
+++ b/_ansible/roles/caddy/tasks/main.yml
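Review bot: `trusted_proxies private_ranges` inside the `forward_auth` block tells Caddy to trust the X-Forwarded-* headers of any client whose connection arrives from a private address, and in this deployment that set includes every container on the same Docker network and the host itself (reachable via the `host.docker.internal` mapping added to the compose file elsewhere in this change), so such a client can choose the client IP that the authentik outpost sees and logs. The comment on the line above already admits this is the wrong setting, so it should not ship as-is: this Caddy instance appears to be the edge proxy (it publishes 80/443 directly), in which case there is no upstream proxy to trust and the directive can be dropped; if something does front Caddy, give its exact CIDR instead of `private_ranges`. Replace the comment with one that records the decision, e.g. `# no proxy in front of caddy: do not trust client-supplied X-Forwarded-* headers`.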
@@ -7,12 +7,37 @@
 svc: "{{ caddy_svc }}"
 env: "{{ caddy_env }}"
 compose: "{{ caddy_compose }}"
-- name: Deploy {{ svc.name }}
 block:
- - name: Import tasks to deploy common service
- ansible.builtin.import_tasks: tasks/deploy-common-service.yml
+ - name: Import prepare tasks for common service
+ ansible.builtin.import_tasks: tasks/prepare-common-service.yml
- - name: Import tasks for cleaning sites
- ansible.builtin.import_tasks: tasks/clean-sites.yml
- - name: Import tasks to reload caddy
- ansible.builtin.import_tasks: tasks/reload-caddy.yml
+ - name: Set caddy config path
+ ansible.builtin.set_fact:
+ config_path: "{{ (service_path, 'config') | path_join }}"
+
+ - name: Create config directory
+ ansible.builtin.file:
+ path: "{{ config_path }}"
+ state: directory
+ mode: "0755"
+
+ - name: Template caddyfile
+ ansible.builtin.template:
+ src: Caddyfile.j2
+ dest: "{{ (config_path, 'Caddyfile') | path_join }}"
+ mode: "0644"
+
+ - name: Copy snippets file
+ ansible.builtin.copy:
+ src: snippets
+ dest: "{{ (config_path, 'snippets') | path_join }}"
+ mode: "0644"
+
+ - name: Create sites-config directory
+ ansible.builtin.file:
+ path: "{{ caddy_config_path }}"
+ state: directory
+ mode: "0755"
+
+ - name: Import start tasks for common service
+ ansible.builtin.import_tasks: tasks/start-common-service.yml
diff --git a/_ansible/roles/caddy/tasks/reload-caddy.yml b/_ansible/roles/caddy/tasks/reload-caddy.yml
deleted file mode 100644
index 9ed93b9..0000000
--- a/_ansible/roles/caddy/tasks/reload-caddy.yml
+++ /dev/null
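Review bot: The `Template caddyfile` and `Copy snippets file` tasks carry no `notify`, and the same commit deletes the validate-then-reload tasks (`tasks/reload-caddy.yml`) without a replacement, so a changed Caddyfile is written to disk but the running container keeps serving its old configuration until something recreates it; whether `tasks/start-common-service.yml` does that is outside this diff. The deleted tasks also had a useful property this hunk loses: `caddy validate` ran first and the reload was skipped on failure, so a typo in a site config could not take a working proxy down. Restore that as a handler in the role and notify it from both file tasks; the enclosing task block starts before this hunk. The `when: "'local-dev' != inventory_hostname"` guard from the deleted tasks probably belongs on the handler too, if that inventory host still exists.

```yaml
    - name: Template caddyfile
      ansible.builtin.template:
        src: Caddyfile.j2
        dest: "{{ (config_path, 'Caddyfile') | path_join }}"
        mode: "0644"
      notify: Reload caddy
    # … unchanged: snippets copy (also gets notify: Reload caddy), sites-config dir, start tasks …

# handlers/main.yml — validate first so a broken config never replaces a working one
- name: Reload caddy
  ansible.builtin.command:
    cmd: docker compose exec app sh -c "caddy validate --config /etc/caddy/Caddyfile && caddy reload --config /etc/caddy/Caddyfile"
    chdir: "{{ service_path }}"
```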
@@ -1,16 +0,0 @@
-- name: Check caddy configuration
- ansible.builtin.command:
- cmd: docker compose exec app sh -c "caddy validate --config /etc/caddy/Caddyfile"
- chdir: "{{ service_path }}"
- when: "'local-dev' != inventory_hostname"
- register: cmd_result
- changed_when: false
-
-- name: Reload caddy configuration
- ansible.builtin.command:
- cmd: docker compose exec app sh -c "caddy reload --config /etc/caddy/Caddyfile"
- chdir: "{{ service_path }}"
- when:
- - "'local-dev' != inventory_hostname"
- - cmd_result.rc == 0
- changed_when: true # TODO find a way to detect changes
diff --git a/_ansible/roles/caddy/templates/Caddyfile.j2 b/_ansible/roles/caddy/templates/Caddyfile.j2
new file mode 100644
index 0000000..564c114
--- /dev/null
+++ b/_ansible/roles/caddy/templates/Caddyfile.j2
@@ -0,0 +1,11 @@
+{
+ email {{ admin_email }}
+
+ servers {
+ strict_sni_host on
+ }
+}
+
+import /etc/caddy/snippets
+import /etc/caddy/conf.d/*.conf
+import /etc/caddy/conf-hidden.d/*.conf
diff --git a/_ansible/roles/caddy/vars/main.yml b/_ansible/roles/caddy/vars/main.yml
new file mode 100644
index 0000000..99bdb15
--- /dev/null
+++ b/_ansible/roles/caddy/vars/main.yml
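Review bot: The two `import` globs expect `conf.d` and `conf-hidden.d` under the mounted `/etc/caddy`, but the tasks in this commit create only one sites directory (`caddy_config_path`, whose value is not visible here), and nothing documents what goes into `conf-hidden.d` as opposed to `conf.d` or why the split exists. Whether an unmatched glob is fatal depends on the Caddy version in use, so verify it against the image being built, and either create both directories in the role or drop the import that has no directory behind it. A comment above the imports would settle the intent for the next reader, e.g. `# conf.d: site configs managed by other roles; conf-hidden.d: hand-placed sites not tracked in ansible (never cleaned)` — adjust to whatever the actual convention is. `strict_sni_host on` is the right default for a multi-tenant edge proxy and is worth a one-line comment saying it is deliberate.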
@@ -0,0 +1,37 @@
+---
+caddy_acmedns_user: "{{ vault_caddy.acmedns.user }}"
+caddy_acmedns_pass: "{{ vault_caddy.acmedns.pass }}"
+caddy_acmedns_subd: "{{ vault_caddy.acmedns.subd }}"
+caddy_acmedns_url: "https://acme.serguzim.me"
+
+caddy_ports_default:
+ - 80:80
+ - 443:443
+ - 443:443/udp
+caddy_ports: "{{ caddy_ports_default | union(caddy_ports_extra) }}"
+
+caddy_svc:
+ name: caddy
+
+caddy_env:
+ ACMEDNS_USER: "{{ caddy_acmedns_user }}"
+ ACMEDNS_PASS: "{{ caddy_acmedns_pass }}"
+ ACMEDNS_SUBD: "{{ caddy_acmedns_subd }}"
+ ACMEDNS_URL: "{{ caddy_acmedns_url }}"
+
+caddy_compose:
+ watchtower: false
+ image: caddy-custom:2-alpine
+ volumes:
+ - "./config:/etc/caddy/"
+ - data:/data
+ file:
+ services:
+ app:
+ build:
+ context: .
+ ports: "{{ caddy_ports }}"
+ extra_hosts:
+ - host.docker.internal:host-gateway
+ volumes:
+ data:
diff --git a/_ansible/roles/synapse/vars/main.yml b/_ansible/roles/synapse/vars/main.yml
index 9b7f384..f259085 100644
--- a/_ansible/roles/synapse/vars/main.yml
+++ b/_ansible/roles/synapse/vars/main.yml
@@ -104,7 +104,7 @@ synapse_yml:
 synapse_compose:
 watchtower: true
- image: ghcr.io/matrix-org/synapse:v1.98.0
+ image: ghcr.io/element-hq/synapse:latest
 volumes:
 - ./config:/config
 - media_store:/media_store
diff --git a/_ansible/serguzim.net.yml b/_ansible/serguzim.net.yml
new file mode 100644
index 0000000..9212c81
--- /dev/null
+++ b/_ansible/serguzim.net.yml
@@ -0,0 +1,9 @@
+---
+- name: Run playbook for node001
+ import_playbook: node001.yml
+
+- name: Run playbook for node002
+ import_playbook: node002.yml
+
+- name: Run playbook for node003
+ import_playbook: node003.yml
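Review bot: The `caddy_ports_default` entries `80:80`, `443:443` and `443:443/udp` are unquoted, and they only survive as strings because neither side happens to fit YAML 1.1's sexagesimal integer rule; a future entry such as `22:22` would silently become the integer 1342 before compose ever sees it, so quote them now (`- "80:80"`, `- "443:443"`, `- "443:443/udp"`) and do the same for values passed through `caddy_ports_extra`. Separately, `caddy_env` carries the ACME-DNS password that the Caddyfile reads via `{$ACMEDNS_PASS}`; the task that renders `caddy_env` into the service's environment lives in `tasks/prepare-common-service.yml`, outside this diff, so check that it sets `no_log: true` (or at least `diff: false`), otherwise a `--diff` run prints the secret. A comment on `watchtower: false` explaining that the image is built locally from the role's Dockerfile and therefore has nothing for watchtower to pull would save the next reader a trip through the compose template.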
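Review bot: `image: ghcr.io/element-hq/synapse:latest` together with the context line `watchtower: true` means Synapse will be upgraded to whatever `latest` points at whenever watchtower next polls, with no pin and no review, whereas the line being replaced pinned an explicit `v1.98.0`. Synapse releases can carry database schema migrations, so an unattended jump across several versions is hard to roll back; keep the new registry but pin a version tag, `image: ghcr.io/element-hq/synapse:<explicit version tag>`, and bump it in a deliberate commit. This change is also unrelated to the commit's subject ("Add some of caddy to ansible") and would be easier to find later in its own commit.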