Add extra-services (used to be conf-hidden.d in caddy)

2023-12-15 03:06:20 +01:00 · 2023-12-15 03:06:20 +01:00 · f8c478b2e6
commit f8c478b2e6
parent 7400ef19ad
12 changed files with 29 additions and 107 deletions
--- a/_ansible/node002.yml
+++ b/_ansible/node002.yml
@ -18,6 +18,8 @@
      tags: [authentik, authentication]
    - role: coder
      tags: [coder, development]
    - role: extra_services
      tags: [extra-services]
    - role: faas
      tags: [faas]
    - role: forgejo
--- a/_ansible/roles/caddy/templates/Caddyfile.j2
+++ b/_ansible/roles/caddy/templates/Caddyfile.j2
@ -8,4 +8,3 @@
 import /etc/caddy/snippets
 import /etc/caddy/conf.d/*.conf
 import /etc/caddy/conf-hidden.d/*.conf
--- a/_ansible/roles/extra_services/tasks/main.yml
+++ b/_ansible/roles/extra_services/tasks/main.yml
@ -0,0 +1,11 @@
 ---
 - name: Set common facts
  ansible.builtin.import_tasks: tasks/set-default-facts.yml
 - name: Deploy extra services
  block:
    - name: Import tasks to template the site and functions for the reverse proxy
      ansible.builtin.include_tasks: tasks/steps/template-site-config.yml
      loop: "{{ extra_services_all }}"
      loop_control:
        loop_var: svc
--- a/_ansible/roles/extra_services/vars/main.yml
+++ b/_ansible/roles/extra_services/vars/main.yml
@ -0,0 +1,14 @@
 ---
 extra_services_default:
  - domain: cloud-old.serguzim.me
    docker_host: host.docker.internal
    port: 3015
    caddy_extra: |
      redir /.well-known/host-meta         /public.php?service=host-meta 301
      redir /.well-known/host-meta.json    /public.php?service=host-meta-json 301
      redir /.well-known/webfinger         /public.php?service=webfinger 301
      redir /.well-known/carddav           /remote.php/dav/ 301
      redir /.well-known/caldav            /remote.php/dav/ 301
 extra_services_hidden: "{{ vault_extra_services }}"
 extra_services_all: "{{ extra_services_default | union(extra_services_hidden) }}"
--- a/_ansible/templates/caddy_site.conf.j2
+++ b/_ansible/templates/caddy_site.conf.j2
@ -18,6 +18,8 @@
 	handle {
 {% if svc.faas_function|default(false) %}
 		import faas {{ svc.faas_function }}
 {% elif svc.redirect|default(false) %}
 		redir "{{ svc.redirect }}"
 {% else %}
 		reverse_proxy {{ svc.docker_host|default(svc.name) }}:{{ svc.port }}
 {% endif %}
--- a/caddy/.env
+++ b/caddy/.env
@ -1,3 +0,0 @@
 ACMEDNS_USER=
 ACMEDNS_PASS=
 ACMEDNS_SUBD=
--- a/caddy/.gitignore
+++ b/caddy/.gitignore
@ -1,2 +0,0 @@
 /config/conf-hidden.d/
 /config/conf.d
--- a/caddy/Dockerfile
+++ b/caddy/Dockerfile
@ -1,8 +0,0 @@
 FROM caddy:2-builder AS builder
 RUN xcaddy build \
    --with github.com/caddy-dns/acmedns@main
 FROM caddy:2-alpine
 COPY --from=builder /usr/bin/caddy /usr/bin/caddy
--- a/caddy/config/Caddyfile
+++ b/caddy/config/Caddyfile
@ -1,11 +0,0 @@
 {
 	email tobias@msrg.cc
 	servers {
 		strict_sni_host on
 	}
 }
 import /etc/caddy/snippets
 import /etc/caddy/conf.d/*.conf
 import /etc/caddy/conf-hidden.d/*.conf
--- a/caddy/config/conf.002.d/cloud-old.serguzim.me.conf
+++ b/caddy/config/conf.002.d/cloud-old.serguzim.me.conf
@ -1,13 +0,0 @@
 cloud-old.serguzim.me {
 	import default
 	reverse_proxy host.docker.internal:3015
 	redir /.well-known/host-meta         /public.php?service=host-meta 301
 	redir /.well-known/host-meta.json    /public.php?service=host-meta-json 301
 	redir /.well-known/webfinger         /public.php?service=webfinger 301
 	redir /.well-known/carddav           /remote.php/dav/ 301
 	redir /.well-known/caldav            /remote.php/dav/ 301
 	header Strict-Transport-Security "max-age=15552000; includeSubdomains;"
 }
--- a/caddy/config/snippets
+++ b/caddy/config/snippets
@ -1,37 +0,0 @@
 (auth_serguzim_me) {
    # always forward outpost path to actual outpost
    reverse_proxy /outpost.goauthentik.io/* authentik:9000
    # forward authentication to outpost
    forward_auth authentik:9000 {
        uri /outpost.goauthentik.io/auth/caddy
        # capitalization of the headers is important, otherwise they will be empty
        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
        # optional, in this config trust all private ranges, should probably be set to the outposts IP
        trusted_proxies private_ranges
    }
 }
 (default) {
 	encode zstd gzip
 }
 (acmedns) {
 	tls {
 		dns acmedns {
 			username "{$ACMEDNS_USER}"
 			password "{$ACMEDNS_PASS}"
 			subdomain "{$ACMEDNS_SUBD}"
 			server_url https://acme.serguzim.me
 		}
 	}
 }
 (faas) {
 		rewrite * /function/{args[0]}{uri}
 		reverse_proxy https://faas.serguzim.me {
 			header_up Host {http.reverse_proxy.upstream.hostport}
 		}
 }
--- a/caddy/docker-compose.yml
+++ b/caddy/docker-compose.yml
@ -1,32 +0,0 @@
 version: "3.7"
 services:
  app:
    build:
      context: .
    image: caddy-custom:2-alpine
    restart: always
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
      - "8008:8008"
      - "8448:8448"
    env_file:
      - .env
      - .secret.env
    volumes:
      - ./config:/etc/caddy/
      - data:/data
      - /run/tailscale/tailscaled.sock:/run/tailscale/tailscaled.sock
    extra_hosts:
      - host.docker.internal:host-gateway
    networks:
      apps:
 volumes:
  data:
 networks:
  apps:
    external: true