From f8c478b2e6e934005aec66ed398c5150fd006934 Mon Sep 17 00:00:00 2001
From: Tobias Reisinger
Date: Fri, 15 Dec 2023 03:06:20 +0100
Subject: [PATCH] Add extra-services (used to be conf-hidden.d in caddy)
---
 _ansible/node002.yml | 2 +
 _ansible/roles/caddy/templates/Caddyfile.j2 | 1 -
 _ansible/roles/extra_services/tasks/main.yml | 11 ++++++
 _ansible/roles/extra_services/vars/main.yml | 14 +++++++
 _ansible/templates/caddy_site.conf.j2 | 2 +
 caddy/.env | 3 --
 caddy/.gitignore | 2 -
 caddy/Dockerfile | 8 ----
 caddy/config/Caddyfile | 11 ------
 .../conf.002.d/cloud-old.serguzim.me.conf | 13 -------
 caddy/config/snippets | 37 -------------------
 caddy/docker-compose.yml | 32 ----------------
 12 files changed, 29 insertions(+), 107 deletions(-)
create mode 100644 _ansible/roles/extra_services/tasks/main.yml
create mode 100644 _ansible/roles/extra_services/vars/main.yml
delete mode 100644 caddy/.env
delete mode 100644 caddy/.gitignore
delete mode 100644 caddy/Dockerfile
delete mode 100644 caddy/config/Caddyfile
delete mode 100644 caddy/config/conf.002.d/cloud-old.serguzim.me.conf
delete mode 100644 caddy/config/snippets
delete mode 100644 caddy/docker-compose.yml
diff --git a/_ansible/node002.yml b/_ansible/node002.yml
index abaaffc..366ecb6 100644
--- a/_ansible/node002.yml
+++ b/_ansible/node002.yml
@@ -18,6 +18,8 @@
 tags: [authentik, authentication]
 - role: coder
 tags: [coder, development]
+ - role: extra_services
+ tags: [extra-services]
 - role: faas
 tags: [faas]
 - role: forgejo
diff --git a/_ansible/roles/caddy/templates/Caddyfile.j2 b/_ansible/roles/caddy/templates/Caddyfile.j2
index 564c114..1832851 100644
--- a/_ansible/roles/caddy/templates/Caddyfile.j2
+++ b/_ansible/roles/caddy/templates/Caddyfile.j2
@@ -8,4 +8,3 @@
 import /etc/caddy/snippets
 import /etc/caddy/conf.d/*.conf
-import /etc/caddy/conf-hidden.d/*.conf
diff --git a/_ansible/roles/extra_services/tasks/main.yml b/_ansible/roles/extra_services/tasks/main.yml
new file mode 100644
index 0000000..9c1c71f
--- /dev/null
+++ b/_ansible/roles/extra_services/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Set common facts
+ ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy extra services
+ block:
+ - name: Import tasks to template the site and functions for the reverse proxy
+ ansible.builtin.include_tasks: tasks/steps/template-site-config.yml
+ loop: "{{ extra_services_all }}"
+ loop_control:
+ loop_var: svc
diff --git a/_ansible/roles/extra_services/vars/main.yml b/_ansible/roles/extra_services/vars/main.yml
new file mode 100644
index 0000000..0c99c8d
--- /dev/null
+++ b/_ansible/roles/extra_services/vars/main.yml
@@ -0,0 +1,14 @@
+---
+extra_services_default:
+ - domain: cloud-old.serguzim.me
+ docker_host: host.docker.internal
+ port: 3015
+ caddy_extra: |
+ redir /.well-known/host-meta /public.php?service=host-meta 301
+ redir /.well-known/host-meta.json /public.php?service=host-meta-json 301
+ redir /.well-known/webfinger /public.php?service=webfinger 301
+ redir /.well-known/carddav /remote.php/dav/ 301
+ redir /.well-known/caldav /remote.php/dav/ 301
+
+extra_services_hidden: "{{ vault_extra_services }}"
+extra_services_all: "{{ extra_services_default | union(extra_services_hidden) }}"
diff --git a/_ansible/templates/caddy_site.conf.j2 b/_ansible/templates/caddy_site.conf.j2
index c45522b..967ba7a 100644
--- a/_ansible/templates/caddy_site.conf.j2
+++ b/_ansible/templates/caddy_site.conf.j2
@@ -18,6 +18,8 @@
 handle {
 {% if svc.faas_function|default(false) %}
 import faas {{ svc.faas_function }}
+{% elif svc.redirect|default(false) %}
+ redir "{{ svc.redirect }}"
 {% else %}
 reverse_proxy {{ svc.docker_host|default(svc.name) }}:{{ svc.port }}
 {% endif %}
diff --git a/caddy/.env b/caddy/.env
deleted file mode 100644
index 3030326..0000000
--- a/caddy/.env
+++ /dev/null
@@ -1,3 +0,0 @@
-ACMEDNS_USER=
-ACMEDNS_PASS=
-ACMEDNS_SUBD=
diff --git a/caddy/.gitignore b/caddy/.gitignore
deleted file mode 100644
index 290f864..0000000
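Review bot: The looped include at the bottom of the new tasks/main.yml prints every `svc` item in full in the task output, and since `extra_services_all` is built from `vault_extra_services` (see vars/main.yml in this patch), the entries that were deliberately kept out of the repository now show up in the console and in any collected play logs. Restricting what the loop displays, `label: "{{ svc.domain }}"` next to the existing `loop_var: svc` under `loop_control`, keeps the output to the hostname only. The `block:` wrapping this single task has no `rescue` or `always`, so it adds nothing here unless it mirrors the shape of the other roles, which are not visible in this patch.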
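Review bot: `extra_services_hidden: "{{ vault_extra_services }}"` in the new vars/main.yml has no fallback, so the role fails with an undefined-variable error on any host or run where the vault variable is absent, even though the default entry could be deployed on its own; `extra_services_hidden: "{{ vault_extra_services | default([]) }}"` keeps the `union` valid in that case. The `cloud-old.serguzim.me` entry carries the five well-known redirects over from the deleted caddy/config/conf.002.d/cloud-old.serguzim.me.conf but not its `header Strict-Transport-Security "max-age=15552000; includeSubdomains;"` line, so unless caddy_site.conf.j2 emits HSTS for every site (not visible in this patch) the migration silently drops that header for this host; appending the `header` line to `caddy_extra` restores it. Placing these in `vars/` rather than `defaults/` also means inventory cannot override them, which may be intended but is worth a short comment at the top of the file.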
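Review bot: The added `redir "{{ svc.redirect }}"` renders the value unescaped inside a double-quoted Caddyfile token, so a target containing a `"` or a line break ends the token early and either breaks the config load or lets the rest of the value be parsed as further directives in the site block; escaping as `redir "{{ svc.redirect | replace('"', '\\"') }}"`, or asserting on the value before templating, closes that. Without a status code `redir` uses Caddy's default temporary redirect, whereas the redirects in this patch's `caddy_extra` give an explicit `301`, so state the intended code here if these are meant to be permanent. The `handle {` block opened at the top of the hunk closes outside it.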
--- a/caddy/.gitignore
+++ /dev/null
@@ -1,2 +0,0 @@
-/config/conf-hidden.d/
-/config/conf.d
diff --git a/caddy/Dockerfile b/caddy/Dockerfile
deleted file mode 100644
index f383d18..0000000
--- a/caddy/Dockerfile
+++ /dev/null
@@ -1,8 +0,0 @@
-FROM caddy:2-builder AS builder
-
-RUN xcaddy build \
- --with github.com/caddy-dns/acmedns@main
-
-FROM caddy:2-alpine
-
-COPY --from=builder /usr/bin/caddy /usr/bin/caddy
diff --git a/caddy/config/Caddyfile b/caddy/config/Caddyfile
deleted file mode 100644
index c6ec6a6..0000000
--- a/caddy/config/Caddyfile
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- email tobias@msrg.cc
-
- servers {
- strict_sni_host on
- }
-}
-
-import /etc/caddy/snippets
-import /etc/caddy/conf.d/*.conf
-import /etc/caddy/conf-hidden.d/*.conf
diff --git a/caddy/config/conf.002.d/cloud-old.serguzim.me.conf b/caddy/config/conf.002.d/cloud-old.serguzim.me.conf
deleted file mode 100644
index a37a753..0000000
--- a/caddy/config/conf.002.d/cloud-old.serguzim.me.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-cloud-old.serguzim.me {
- import default
-
- reverse_proxy host.docker.internal:3015
-
- redir /.well-known/host-meta /public.php?service=host-meta 301
- redir /.well-known/host-meta.json /public.php?service=host-meta-json 301
- redir /.well-known/webfinger /public.php?service=webfinger 301
- redir /.well-known/carddav /remote.php/dav/ 301
- redir /.well-known/caldav /remote.php/dav/ 301
-
- header Strict-Transport-Security "max-age=15552000; includeSubdomains;"
-}
diff --git a/caddy/config/snippets b/caddy/config/snippets
deleted file mode 100644
index 87c9533..0000000
--- a/caddy/config/snippets
+++ /dev/null
@@ -1,37 +0,0 @@
-(auth_serguzim_me) {
- # always forward outpost path to actual outpost
- reverse_proxy /outpost.goauthentik.io/* authentik:9000
-
- # forward authentication to outpost
- forward_auth authentik:9000 {
- uri /outpost.goauthentik.io/auth/caddy
-
- # capitalization of the headers is important, otherwise they will be empty
- copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
-
- # optional, in this config trust all private ranges, should probably be set to the outposts IP
- trusted_proxies private_ranges
- }
-}
-
-(default) {
- encode zstd gzip
-}
-
-(acmedns) {
- tls {
- dns acmedns {
- username "{$ACMEDNS_USER}"
- password "{$ACMEDNS_PASS}"
- subdomain "{$ACMEDNS_SUBD}"
- server_url https://acme.serguzim.me
- }
- }
-}
-
-(faas) {
- rewrite * /function/{args[0]}{uri}
- reverse_proxy https://faas.serguzim.me {
- header_up Host {http.reverse_proxy.upstream.hostport}
- }
-}
diff --git a/caddy/docker-compose.yml b/caddy/docker-compose.yml
deleted file mode 100644
index 516af9c..0000000
--- a/caddy/docker-compose.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-version: "3.7"
-
-services:
- app:
- build:
- context: .
- image: caddy-custom:2-alpine
- restart: always
- ports:
- - "80:80"
- - "443:443"
- - "443:443/udp"
- - "8008:8008"
- - "8448:8448"
- env_file:
- - .env
- - .secret.env
- volumes:
- - ./config:/etc/caddy/
- - data:/data
- - /run/tailscale/tailscaled.sock:/run/tailscale/tailscaled.sock
- extra_hosts:
- - host.docker.internal:host-gateway
- networks:
- apps:
-
-volumes:
- data:
-
-networks:
- apps:
- external: true