Add some of caddy to ansible
This commit is contained in:
		
							parent
							
								
									c1ec46aed5
								
							
						
					
					
						commit
						297325cce5
					
				
					 13 changed files with 156 additions and 37 deletions
				
			
		
							
								
								
									
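--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,7 @@
+repos:
+  - repo: https://github.com/ansible/ansible-lint
+    rev: v6.22.1
+    hooks:
+      - id: ansible-lint
+        args:
+          - _ansible/serguzim.net.yml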
			@ -2,7 +2,15 @@
- name: Run roles for node002
  hosts: node002
  roles:
    - common
    - role: common
      tags: [always]
    - role: caddy
      tags: [caddy, reverse-proxy, webserver]
      vars:
        caddy_ports_extra:
          - 8008:8008
          - 8448:8448
    - role: acme_dns
      tags: [acme-dns, certificates]
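Review bot: The `caddy_ports_extra` entries `- 8008:8008` and `- 8448:8448` are unquoted digit-and-colon scalars; Ansible's YAML 1.1 loader reads some such values as base-60 integers (`22:22` is the classic case), and although these two fall outside that pattern, writing them as `- "8008:8008"` / `- "8448:8448"` keeps the list a list of strings whatever port is added next. The same applies to `caddy_ports_default` (`- 80:80`, `- 443:443`, `- 443:443/udp`) in `_ansible/roles/caddy/vars/main.yml`, which is merged with this list via `union`. A mapping without a host address publishes the port on every host interface, so a one-line comment naming what 8008 and 8448 serve (they look like Matrix client/federation ports given the Synapse change in this commit — TODO confirm) would help a reader judge the exposure. The hunk starts at line 2, so the file's first line is outside it.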
			@ -2,7 +2,10 @@
- name: Run roles for node003
  hosts: node003
  roles:
    - common
    - role: common
      tags: [always]
    - role: caddy
      tags: [caddy, reverse-proxy, webserver]
    - role: minio
      tags: [minio, storage]
							
								
								
									
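--- a/_ansible/roles/caddy/defaults/main.yml
+++ b/_ansible/roles/caddy/defaults/main.yml
@@ -0,0 +1 @@
+caddy_ports_extra: []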
							
								
								
									
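--- a/_ansible/roles/caddy/files/Dockerfile
+++ b/_ansible/roles/caddy/files/Dockerfile
@@ -0,0 +1,8 @@
+FROM caddy:2-builder AS builder
+
+RUN xcaddy build \
+    --with github.com/caddy-dns/acmedns@main
+
+FROM caddy:2-alpine
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy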
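Review bot: `--with github.com/caddy-dns/acmedns@main` builds the DNS plugin from whatever `main` points at when the image is built, so rebuilds are not reproducible and an upstream breaking or malicious commit would land silently; pin it to a release tag or full commit hash, `--with github.com/caddy-dns/acmedns@<tag-or-commit>` (placeholder). `caddy:2-builder` and `caddy:2-alpine` are floating tags too; pinning by digest (`caddy:2-alpine@sha256:<digest>`, placeholder) gives the same guarantee for the base layers. Since vars/main.yml builds this as `caddy-custom:2-alpine` with `watchtower: false`, the image only changes on an explicit rebuild, which makes the pins cheap to maintain.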
							
								
								
									
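--- a/_ansible/roles/caddy/files/snippets
+++ b/_ansible/roles/caddy/files/snippets
@@ -0,0 +1,37 @@
+(auth_serguzim_me) {
+    # always forward outpost path to actual outpost
+    reverse_proxy /outpost.goauthentik.io/* authentik:9000
+
+    # forward authentication to outpost
+    forward_auth authentik:9000 {
+        uri /outpost.goauthentik.io/auth/caddy
+
+        # capitalization of the headers is important, otherwise they will be empty
+        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
+
+        # optional, in this config trust all private ranges, should probably be set to the outposts IP
+        trusted_proxies private_ranges
+    }
+}
+
+(default) {
+	encode zstd gzip
+}
+
+(acmedns) {
+	tls {
+		dns acmedns {
+			username "{$ACMEDNS_USER}"
+			password "{$ACMEDNS_PASS}"
+			subdomain "{$ACMEDNS_SUBD}"
+			server_url "{$ACMEDNS_URL}"
+		}
+	}
+}
+
+(faas) {
+		rewrite * /function/{args[0]}{uri}
+		reverse_proxy https://faas.serguzim.me {
+			header_up Host {http.reverse_proxy.upstream.hostport}
+		}
+}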
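Review bot: `trusted_proxies private_ranges` inside `forward_auth` makes Caddy accept `X-Forwarded-*` headers from any client in a private or loopback range, and the comment above it already says it should be the outpost's address; narrowing it to the authentik container, e.g. `trusted_proxies <authentik-address>` (placeholder), is worth doing before this snippet is imported by several sites. Indentation is mixed: `(auth_serguzim_me)` uses four spaces while `(default)`, `(acmedns)` and `(faas)` use tabs; `caddy fmt` normalises that. The `(faas)` snippet's `rewrite * /function/{args[0]}{uri}` relies on the importing site passing exactly one argument, which a one-line comment above the snippet, `# usage: import faas <function-name>`, should state.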
			@ -1,11 +0,0 @@
- name: Find caddy site configs, but exclude managed sites
  ansible.builtin.find:
    paths: "{{ caddy_config_path }}"
    excludes: "{{ managed_sites | default([]) }}"
  register: files_to_delete
- name: Remove unmanaged sites
  file:
    path: "{{ item.path }}"
    state: absent
  with_items: "{{ files_to_delete.files }}"
			@ -7,12 +7,37 @@
    svc: "{{ caddy_svc }}"
    env: "{{ caddy_env }}"
    compose: "{{ caddy_compose }}"
- name: Deploy {{ svc.name }}
  block:
    - name: Import tasks to deploy common service
      ansible.builtin.import_tasks: tasks/deploy-common-service.yml
    - name: Import prepare tasks for common service
      ansible.builtin.import_tasks: tasks/prepare-common-service.yml
    - name: Import tasks for cleaning sites
      ansible.builtin.import_tasks: tasks/clean-sites.yml
    - name: Import tasks to reload caddy
      ansible.builtin.import_tasks: tasks/reload-caddy.yml
    - name: Set caddy config path
      ansible.builtin.set_fact:
        config_path: "{{ (service_path, 'config') | path_join }}"
    - name: Create config directory
      ansible.builtin.file:
        path: "{{ config_path }}"
        state: directory
        mode: "0755"
    - name: Template caddyfile
      ansible.builtin.template:
        src: Caddyfile.j2
        dest: "{{ (config_path, 'Caddyfile') | path_join }}"
        mode: "0644"
    - name: Copy snippets file
      ansible.builtin.copy:
        src: snippets
        dest: "{{ (config_path, 'snippets') | path_join }}"
        mode: "0644"
    - name: Create sites-config directory
      ansible.builtin.file:
        path: "{{ caddy_config_path }}"
        state: directory
        mode: "0755"
    - name: Import start tasks for common service
      ansible.builtin.import_tasks: tasks/start-common-service.yml
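Review bot: The hunk drops the imports of `tasks/clean-sites.yml` and `tasks/reload-caddy.yml` (both deleted in this commit), but nothing in the new task list validates or reloads Caddy after `Template caddyfile` and `Copy snippets file` change the configuration, so an edited Caddyfile only takes effect if `tasks/start-common-service.yml` restarts the container on change, which this diff does not show; adding `notify: Reload caddy` to those two tasks with a matching handler, or re-adding a validate/reload step after them, would restore that. With clean-sites gone, stale files in `caddy_config_path` are no longer removed either; if that is intended, a comment on `Create sites-config directory` saying so would save the next reader a search. `config_path` is set via `set_fact` without a role prefix and so stays visible to every later role on the host; a `caddy_`-prefixed name would avoid a collision. The `Deploy {{ svc.name }}` block starts inside the hunk, but the file's first six lines are outside it.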
			@ -1,16 +0,0 @@
- name: Check caddy configuration
  ansible.builtin.command:
    cmd: docker compose exec app sh -c "caddy validate --config /etc/caddy/Caddyfile"
    chdir: "{{ service_path }}"
  when: "'local-dev' != inventory_hostname"
  register: cmd_result
  changed_when: false
- name: Reload caddy configuration
  ansible.builtin.command:
    cmd: docker compose exec app sh -c "caddy reload --config /etc/caddy/Caddyfile"
    chdir: "{{ service_path }}"
  when:
    - "'local-dev' != inventory_hostname"
    - cmd_result.rc == 0
  changed_when: true # TODO find a way to detect changes
							
								
								
									
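--- a/_ansible/roles/caddy/templates/Caddyfile.j2
+++ b/_ansible/roles/caddy/templates/Caddyfile.j2
@@ -0,0 +1,11 @@
+{
+	email {{ admin_email }}
+
+	servers {
+		strict_sni_host on
+	}
+}
+
+import /etc/caddy/snippets
+import /etc/caddy/conf.d/*.conf
+import /etc/caddy/conf-hidden.d/*.conf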
							
								
								
									
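--- a/_ansible/roles/caddy/vars/main.yml
+++ b/_ansible/roles/caddy/vars/main.yml
@@ -0,0 +1,37 @@
+---
+caddy_acmedns_user: "{{ vault_caddy.acmedns.user }}"
+caddy_acmedns_pass: "{{ vault_caddy.acmedns.pass }}"
+caddy_acmedns_subd: "{{ vault_caddy.acmedns.subd }}"
+caddy_acmedns_url: "https://acme.serguzim.me"
+
+caddy_ports_default:
+  - 80:80
+  - 443:443
+  - 443:443/udp
+caddy_ports: "{{ caddy_ports_default | union(caddy_ports_extra) }}"
+
+caddy_svc:
+  name: caddy
+
+caddy_env:
+  ACMEDNS_USER: "{{ caddy_acmedns_user }}"
+  ACMEDNS_PASS: "{{ caddy_acmedns_pass }}"
+  ACMEDNS_SUBD: "{{ caddy_acmedns_subd }}"
+  ACMEDNS_URL: "{{ caddy_acmedns_url }}"
+
+caddy_compose:
+  watchtower: false
+  image: caddy-custom:2-alpine
+  volumes:
+    - "./config:/etc/caddy/"
+    - data:/data
+  file:
+    services:
+      app:
+        build:
+          context: .
+        ports: "{{ caddy_ports }}"
+        extra_hosts:
+          - host.docker.internal:host-gateway
+    volumes:
+      data: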
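Review bot: `caddy_acmedns_url`, `caddy_ports_default` and `caddy_compose` are defined in `vars/main.yml`, which outranks inventory and play vars, so a host cannot override the acme-dns endpoint or the default port list without editing the role; values meant to be tunable belong in `defaults/main.yml` next to `caddy_ports_extra`, leaving `vars/` for the vault-derived `caddy_acmedns_*` values. `ACMEDNS_PASS` reaches the container through `caddy_env`; wherever the common-service tasks write that environment to disk (not shown in this commit), the file needs a restrictive mode, which is worth confirming. Minor style: the volume list mixes a quoted `"./config:/etc/caddy/"` with an unquoted `data:/data`.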
			@ -104,7 +104,7 @@ synapse_yml:
synapse_compose:
  watchtower: true
  image: ghcr.io/matrix-org/synapse:v1.98.0
  image: ghcr.io/element-hq/synapse:latest
  volumes:
    - ./config:/config
    - media_store:/media_store
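Review bot: The image changes from the pinned `ghcr.io/matrix-org/synapse:v1.98.0` to the floating `ghcr.io/element-hq/synapse:latest` while `watchtower: true` remains, so each Watchtower run can pull an unreviewed Synapse release, including ones with database schema migrations that are hard to roll back; pin a specific version tag under the new organisation, `image: ghcr.io/element-hq/synapse:<version>` (placeholder), and bump it deliberately. The `synapse_compose` mapping continues past `media_store:/media_store` outside this hunk.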
							
								
								
									
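--- a/_ansible/serguzim.net.yml
+++ b/_ansible/serguzim.net.yml
@@ -0,0 +1,9 @@
+---
+- name: Run playbook for node001
+  import_playbook: node001.yml
+
+- name: Run playbook for node002
+  import_playbook: node002.yml
+
+- name: Run playbook for node003
+  import_playbook: node003.yml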
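Review bot: `import_playbook` is written unqualified in all three entries while the role tasks in this commit use `ansible.builtin.` prefixes, and the new pre-commit hook runs ansible-lint on exactly this file, whose `fqcn` rule may flag the short form; `ansible.builtin.import_playbook: node001.yml` (and likewise for node002 and node003) keeps the hook green and the style uniform. A comment above the first entry stating that the playbooks run in the listed order and that roles are selected per host via tags would orient a reader of this top-level file.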