Add extra-services (used to be conf-hidden.d in caddy)

2023-12-15 03:06:20 +01:00 · 2023-12-15 03:06:20 +01:00 · f8c478b2e6
commit f8c478b2e6
parent 7400ef19ad
12 changed files with 29 additions and 107 deletions
--- a/_ansible/node002.yml
+++ b/_ansible/node002.yml
@ -18,6 +18,8 @@
      tags: [authentik, authentication]
    - role: coder
      tags: [coder, development]
+    - role: extra_services
+      tags: [extra-services]
    - role: faas
      tags: [faas]
    - role: forgejo
--- a/_ansible/roles/caddy/templates/Caddyfile.j2
+++ b/_ansible/roles/caddy/templates/Caddyfile.j2
@ -8,4 +8,3 @@

 import /etc/caddy/snippets
 import /etc/caddy/conf.d/*.conf
-import /etc/caddy/conf-hidden.d/*.conf
--- a/_ansible/roles/extra_services/tasks/main.yml
+++ b/_ansible/roles/extra_services/tasks/main.yml
@ -0,0 +1,11 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Deploy extra services
+  block:
+    - name: Import tasks to template the site and functions for the reverse proxy
+      ansible.builtin.include_tasks: tasks/steps/template-site-config.yml
+      loop: "{{ extra_services_all }}"
+      loop_control:
+        loop_var: svc
--- a/_ansible/roles/extra_services/vars/main.yml
+++ b/_ansible/roles/extra_services/vars/main.yml
@ -0,0 +1,14 @@
+---
+extra_services_default:
+  - domain: cloud-old.serguzim.me
+    docker_host: host.docker.internal
+    port: 3015
+    caddy_extra: |
+      redir /.well-known/host-meta         /public.php?service=host-meta 301
+      redir /.well-known/host-meta.json    /public.php?service=host-meta-json 301
+      redir /.well-known/webfinger         /public.php?service=webfinger 301
+      redir /.well-known/carddav           /remote.php/dav/ 301
+      redir /.well-known/caldav            /remote.php/dav/ 301
+
+extra_services_hidden: "{{ vault_extra_services }}"
+extra_services_all: "{{ extra_services_default | union(extra_services_hidden) }}"
--- a/_ansible/templates/caddy_site.conf.j2
+++ b/_ansible/templates/caddy_site.conf.j2
@ -18,6 +18,8 @@
 	handle {
 {% if svc.faas_function|default(false) %}
 		import faas {{ svc.faas_function }}
+{% elif svc.redirect|default(false) %}
+		redir "{{ svc.redirect }}"
 {% else %}
 		reverse_proxy {{ svc.docker_host|default(svc.name) }}:{{ svc.port }}
 {% endif %}
--- a/caddy/.env
+++ b/caddy/.env
@ -1,3 +0,0 @@
-ACMEDNS_USER=
-ACMEDNS_PASS=
-ACMEDNS_SUBD=
--- a/caddy/.gitignore
+++ b/caddy/.gitignore
@ -1,2 +0,0 @@
-/config/conf-hidden.d/
-/config/conf.d
--- a/caddy/Dockerfile
+++ b/caddy/Dockerfile
@ -1,8 +0,0 @@
-FROM caddy:2-builder AS builder
-
-RUN xcaddy build \
-    --with github.com/caddy-dns/acmedns@main
-
-FROM caddy:2-alpine
-
-COPY --from=builder /usr/bin/caddy /usr/bin/caddy
--- a/caddy/config/Caddyfile
+++ b/caddy/config/Caddyfile
@ -1,11 +0,0 @@
-{
-	email tobias@msrg.cc
-
-	servers {
-		strict_sni_host on
-	}
-}
-
-import /etc/caddy/snippets
-import /etc/caddy/conf.d/*.conf
-import /etc/caddy/conf-hidden.d/*.conf
--- a/caddy/config/conf.002.d/cloud-old.serguzim.me.conf
+++ b/caddy/config/conf.002.d/cloud-old.serguzim.me.conf
@ -1,13 +0,0 @@
-cloud-old.serguzim.me {
-	import default
-
-	reverse_proxy host.docker.internal:3015
-
-	redir /.well-known/host-meta         /public.php?service=host-meta 301
-	redir /.well-known/host-meta.json    /public.php?service=host-meta-json 301
-	redir /.well-known/webfinger         /public.php?service=webfinger 301
-	redir /.well-known/carddav           /remote.php/dav/ 301
-	redir /.well-known/caldav            /remote.php/dav/ 301
-
-	header Strict-Transport-Security "max-age=15552000; includeSubdomains;"
-}
--- a/caddy/config/snippets
+++ b/caddy/config/snippets
@ -1,37 +0,0 @@
-(auth_serguzim_me) {
-    # always forward outpost path to actual outpost
-    reverse_proxy /outpost.goauthentik.io/* authentik:9000
-
-    # forward authentication to outpost
-    forward_auth authentik:9000 {
-        uri /outpost.goauthentik.io/auth/caddy
-
-        # capitalization of the headers is important, otherwise they will be empty
-        copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
-
-        # optional, in this config trust all private ranges, should probably be set to the outposts IP
-        trusted_proxies private_ranges
-    }
-}
-
-(default) {
-	encode zstd gzip
-}
-
-(acmedns) {
-	tls {
-		dns acmedns {
-			username "{$ACMEDNS_USER}"
-			password "{$ACMEDNS_PASS}"
-			subdomain "{$ACMEDNS_SUBD}"
-			server_url https://acme.serguzim.me
-		}
-	}
-}
-
-(faas) {
-		rewrite * /function/{args[0]}{uri}
-		reverse_proxy https://faas.serguzim.me {
-			header_up Host {http.reverse_proxy.upstream.hostport}
-		}
-}
--- a/caddy/docker-compose.yml
+++ b/caddy/docker-compose.yml
@ -1,32 +0,0 @@
-version: "3.7"
-
-services:
-  app:
-    build:
-      context: .
-    image: caddy-custom:2-alpine
-    restart: always
-    ports:
-      - "80:80"
-      - "443:443"
-      - "443:443/udp"
-      - "8008:8008"
-      - "8448:8448"
-    env_file:
-      - .env
-      - .secret.env
-    volumes:
-      - ./config:/etc/caddy/
-      - data:/data
-      - /run/tailscale/tailscaled.sock:/run/tailscale/tailscaled.sock
-    extra_hosts:
-      - host.docker.internal:host-gateway
-    networks:
-      apps:
-
-volumes:
-  data:
-
-networks:
-  apps:
-    external: true