Add some of caddy to ansible

This commit is contained in:
Tobias Reisinger 2023-12-14 20:30:34 +01:00
parent c1ec46aed5
commit 297325cce5
Signed by: serguzim
GPG key ID: 13AD60C237A28DFE
13 changed files with 156 additions and 37 deletions

7
.pre-commit-config.yaml Normal file

@ -0,0 +1,7 @@
repos:
- repo: https://github.com/ansible/ansible-lint
rev: v6.22.1
hooks:
- id: ansible-lint
args:
- _ansible/serguzim.net.yml
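Review bot: `rev: v6.22.1` pins the ansible-lint hook to a tag, and a tag can be moved or deleted upstream, so the lint environment this commit introduces is not fully reproducible; pre-commit accepts the full commit SHA in `rev` (`rev: <commit sha of v6.22.1>`, a placeholder since the hash is not on this page) and `pre-commit autoupdate` still tracks releases from there. The file also lacks the `---` document-start marker that the vars file and the site playbook in this commit carry; adding it keeps yamllint's `document-start` rule quiet across the repository.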


@ -2,7 +2,15 @@
- name: Run roles for node002 - name: Run roles for node002
hosts: node002 hosts: node002
roles: roles:
- common - role: common
tags: [always]
- role: caddy
tags: [caddy, reverse-proxy, webserver]
vars:
caddy_ports_extra:
- 8008:8008
- 8448:8448
- role: acme_dns - role: acme_dns
tags: [acme-dns, certificates] tags: [acme-dns, certificates]
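Review bot: The two new `caddy_ports_extra` entries (`- 8008:8008`, `- 8448:8448`) are unquoted; these particular values happen to parse as strings under a YAML 1.1 loader, but a low-numbered mapping such as `22:22` would silently become the integer 1342, so quoting port mappings (`- "8008:8008"`, `- "8448:8448"`) is the safer convention and matches how file modes are quoted in the role tasks of this commit. The same applies to the three `caddy_ports_default` entries in the role vars hunk (`80:80`, `443:443`, `443:443/udp`).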


@ -2,7 +2,10 @@
- name: Run roles for node003 - name: Run roles for node003
hosts: node003 hosts: node003
roles: roles:
- common - role: common
tags: [always]
- role: caddy
tags: [caddy, reverse-proxy, webserver]
- role: minio - role: minio
tags: [minio, storage] tags: [minio, storage]


@ -0,0 +1 @@
caddy_ports_extra: []


@ -0,0 +1,8 @@
FROM caddy:2-builder AS builder
RUN xcaddy build \
--with github.com/caddy-dns/acmedns@main
FROM caddy:2-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
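Review bot: `--with github.com/caddy-dns/acmedns@main` compiles whatever the plugin's main branch holds at build time, so two runs of this role can produce different binaries and any upstream change lands in the image without review; pinning to a release tag or commit (`--with github.com/caddy-dns/acmedns@<tag-or-commit>`, placeholder) makes the build reproducible. The `caddy:2-builder` and `caddy:2-alpine` base tags are floating as well and could be pinned by digest for the same reason. With `watchtower: false` set for this service in the vars hunk, the image is presumably only rebuilt when the role runs, so a deliberate pin is the natural place to control updates.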


@ -0,0 +1,37 @@
(auth_serguzim_me) {
# always forward outpost path to actual outpost
reverse_proxy /outpost.goauthentik.io/* authentik:9000
# forward authentication to outpost
forward_auth authentik:9000 {
uri /outpost.goauthentik.io/auth/caddy
# capitalization of the headers is important, otherwise they will be empty
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
# optional, in this config trust all private ranges, should probably be set to the outposts IP
trusted_proxies private_ranges
}
}
(default) {
encode zstd gzip
}
(acmedns) {
tls {
dns acmedns {
username "{$ACMEDNS_USER}"
password "{$ACMEDNS_PASS}"
subdomain "{$ACMEDNS_SUBD}"
server_url "{$ACMEDNS_URL}"
}
}
}
(faas) {
rewrite * /function/{args[0]}{uri}
reverse_proxy https://faas.serguzim.me {
header_up Host {http.reverse_proxy.upstream.hostport}
}
}
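Review bot: `trusted_proxies private_ranges` in the `(auth_serguzim_me)` snippet, as its own comment already notes, treats every RFC 1918 source as a trusted proxy for the forward_auth request, so as I read it any workload on a shared Docker network can set X-Forwarded-* headers that authentik then sees as the client address. Narrowing it to the outpost or the compose network (`trusted_proxies <outpost-or-network-cidr>`, placeholder) closes that gap; since the network layout is not part of this commit, a `# TODO: restrict to the outpost address once its network is fixed` line would at least keep the comment from going stale. The other snippets look fine; `(acmedns)` keeps the credentials in env placeholders rather than the file.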


@ -1,11 +0,0 @@
- name: Find caddy site configs, but exclude managed sites
ansible.builtin.find:
paths: "{{ caddy_config_path }}"
excludes: "{{ managed_sites | default([]) }}"
register: files_to_delete
- name: Remove unmanaged sites
file:
path: "{{ item.path }}"
state: absent
with_items: "{{ files_to_delete.files }}"


@ -7,12 +7,37 @@
svc: "{{ caddy_svc }}" svc: "{{ caddy_svc }}"
env: "{{ caddy_env }}" env: "{{ caddy_env }}"
compose: "{{ caddy_compose }}" compose: "{{ caddy_compose }}"
- name: Deploy {{ svc.name }}
block: block:
- name: Import tasks to deploy common service - name: Import prepare tasks for common service
ansible.builtin.import_tasks: tasks/deploy-common-service.yml ansible.builtin.import_tasks: tasks/prepare-common-service.yml
- name: Import tasks for cleaning sites - name: Set caddy config path
ansible.builtin.import_tasks: tasks/clean-sites.yml ansible.builtin.set_fact:
- name: Import tasks to reload caddy config_path: "{{ (service_path, 'config') | path_join }}"
ansible.builtin.import_tasks: tasks/reload-caddy.yml
- name: Create config directory
ansible.builtin.file:
path: "{{ config_path }}"
state: directory
mode: "0755"
- name: Template caddyfile
ansible.builtin.template:
src: Caddyfile.j2
dest: "{{ (config_path, 'Caddyfile') | path_join }}"
mode: "0644"
- name: Copy snippets file
ansible.builtin.copy:
src: snippets
dest: "{{ (config_path, 'snippets') | path_join }}"
mode: "0644"
- name: Create sites-config directory
ansible.builtin.file:
path: "{{ caddy_config_path }}"
state: directory
mode: "0755"
- name: Import start tasks for common service
ansible.builtin.import_tasks: tasks/start-common-service.yml
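Review bot: `Template caddyfile` and `Copy snippets file` carry no `notify`, and the `reload-caddy.yml` import with its `caddy validate` step is removed, so a changed Caddyfile or snippets file is neither validated nor loaded by the running container unless `tasks/start-common-service.yml`, which is not in this commit, recreates it. A handler built from the deleted validate/reload commands and notified by both tasks restores that; handlers run at the end of the play, after the start tasks in this block. `caddy_config_path` on the `Create sites-config directory` task is also not defined in any file this commit touches (the new role defaults only set `caddy_ports_extra`), so it presumably comes from inventory — worth confirming, since the rendered Caddyfile imports `/etc/caddy/conf.d/*.conf` and `/etc/caddy/conf-hidden.d/*.conf` and both need to resolve under the mounted `./config` directory.
```yaml
    - name: Template caddyfile
      # … unchanged: template src/dest/mode …
      notify: Reload caddy
    - name: Copy snippets file
      # … unchanged: copy src/dest/mode …
      notify: Reload caddy
# handlers/main.yml (new file, built from the removed reload-caddy.yml)
- name: Reload caddy
  ansible.builtin.command:
    cmd: docker compose exec app sh -c "caddy validate --config /etc/caddy/Caddyfile && caddy reload --config /etc/caddy/Caddyfile"
    chdir: "{{ service_path }}"
  when: "'local-dev' != inventory_hostname"
```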


@ -1,16 +0,0 @@
- name: Check caddy configuration
ansible.builtin.command:
cmd: docker compose exec app sh -c "caddy validate --config /etc/caddy/Caddyfile"
chdir: "{{ service_path }}"
when: "'local-dev' != inventory_hostname"
register: cmd_result
changed_when: false
- name: Reload caddy configuration
ansible.builtin.command:
cmd: docker compose exec app sh -c "caddy reload --config /etc/caddy/Caddyfile"
chdir: "{{ service_path }}"
when:
- "'local-dev' != inventory_hostname"
- cmd_result.rc == 0
changed_when: true # TODO find a way to detect changes


@ -0,0 +1,11 @@
{
email {{ admin_email }}
servers {
strict_sni_host on
}
}
import /etc/caddy/snippets
import /etc/caddy/conf.d/*.conf
import /etc/caddy/conf-hidden.d/*.conf


@ -0,0 +1,37 @@
---
caddy_acmedns_user: "{{ vault_caddy.acmedns.user }}"
caddy_acmedns_pass: "{{ vault_caddy.acmedns.pass }}"
caddy_acmedns_subd: "{{ vault_caddy.acmedns.subd }}"
caddy_acmedns_url: "https://acme.serguzim.me"
caddy_ports_default:
- 80:80
- 443:443
- 443:443/udp
caddy_ports: "{{ caddy_ports_default | union(caddy_ports_extra) }}"
caddy_svc:
name: caddy
caddy_env:
ACMEDNS_USER: "{{ caddy_acmedns_user }}"
ACMEDNS_PASS: "{{ caddy_acmedns_pass }}"
ACMEDNS_SUBD: "{{ caddy_acmedns_subd }}"
ACMEDNS_URL: "{{ caddy_acmedns_url }}"
caddy_compose:
watchtower: false
image: caddy-custom:2-alpine
volumes:
- "./config:/etc/caddy/"
- data:/data
file:
services:
app:
build:
context: .
ports: "{{ caddy_ports }}"
extra_hosts:
- host.docker.internal:host-gateway
volumes:
data:
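Review bot: `ports: "{{ caddy_ports }}"` publishes every mapping without a host address, so Docker binds them on all host interfaces and its own iptables rules take precedence over host-level firewall rules such as ufw; if the host has a VPN or internal interface, the proxy (and the 8008/8448 extras from node002) is reachable there too. Binding explicitly (`- "<public-ip>:80:80"`, placeholder) scopes the exposure if that is not intended; for a public reverse proxy on 80/443 it may well be. The rest of the file keeps secrets in `vault_caddy` references and only env placeholders reach the Caddyfile, which is the right split.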


@ -104,7 +104,7 @@ synapse_yml:
synapse_compose: synapse_compose:
watchtower: true watchtower: true
image: ghcr.io/matrix-org/synapse:v1.98.0 image: ghcr.io/element-hq/synapse:latest
volumes: volumes:
- ./config:/config - ./config:/config
- media_store:/media_store - media_store:/media_store
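Review bot: The image moves from a pinned `ghcr.io/matrix-org/synapse:v1.98.0` to `ghcr.io/element-hq/synapse:latest` while `watchtower: true` stays set, so Synapse will now be upgraded automatically to whatever `latest` resolves to, including releases that ship schema migrations, with no chance to review the change first. Pinning to an explicit release tag on the new registry (`image: ghcr.io/element-hq/synapse:<pinned tag>`, placeholder) keeps upgrades deliberate; the registry move itself is fine and unrelated to this point. Note that the hunk header references `synapse_yml:` while the lines shown belong to `synapse_compose:`, so the enclosing mapping starts outside the hunk.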


@ -0,0 +1,9 @@
---
- name: Run playbook for node001
import_playbook: node001.yml
- name: Run playbook for node002
import_playbook: node002.yml
- name: Run playbook for node003
import_playbook: node003.yml