feat(caddy): add role
Copied from Histalek <3
Based on b17a8f117b/roles/caddy
This commit is contained in:
parent
7c136306d1
commit
886e83baa8
8 changed files with 253 additions and 0 deletions
12
playbooks/caddy.yml
Normal file
12
playbooks/caddy.yml
Normal file
|
@ -0,0 +1,12 @@
|
|||
- name: Install Caddy.
|
||||
|
||||
hosts: caddy
|
||||
|
||||
roles:
|
||||
- role: podman
|
||||
become: true
|
||||
tags:
|
||||
- always
|
||||
- podman
|
||||
- role: caddy
|
||||
become: true
|
18
roles/caddy/defaults/main.yml
Normal file
18
roles/caddy/defaults/main.yml
Normal file
|
@ -0,0 +1,18 @@
|
|||
caddy_install_dir: /opt/caddy
|
||||
|
||||
caddy_container_image: docker.io/library/caddy
|
||||
# renovate: depName=docker.io/library/caddy
|
||||
caddy_image_tag: "2.8.4-alpine"
|
||||
|
||||
caddy_selinux_level: "{{ omit }}"
|
||||
|
||||
caddy_memory_high: 0
|
||||
caddy_memory_low: 128m
|
||||
caddy_swap_max: -1
|
||||
|
||||
caddy_letsencrypt_email: no-reply@example.com
|
||||
# possible values: ed25519|p256|p384|rsa2048|rsa4096
|
||||
caddy_letsencrypt_key_type: rsa4096
|
||||
caddy_letsencrypt_ca_server: https://acme-staging-v02.api.letsencrypt.org/directory
|
||||
|
||||
caddy_log_level: warn
|
19
roles/caddy/handlers/main.yml
Normal file
19
roles/caddy/handlers/main.yml
Normal file
|
@ -0,0 +1,19 @@
|
|||
- name: Apply new SELinux file context to filesystem.
|
||||
ansible.builtin.command: "restorecon -irF {{ caddy_install_dir }}"
|
||||
become: true
|
||||
listen: "caddy selinux context changed"
|
||||
|
||||
- name: Restart caddy service.
|
||||
ansible.builtin.systemd:
|
||||
state: restarted
|
||||
name: "caddy"
|
||||
daemon_reload: true
|
||||
become: true
|
||||
listen: "caddy service changed"
|
||||
|
||||
- name: Reload caddy service.
|
||||
ansible.builtin.systemd:
|
||||
state: reloaded
|
||||
name: "caddy"
|
||||
become: true
|
||||
listen: "caddy config changed"
|
18
roles/caddy/meta/main.yml
Normal file
18
roles/caddy/meta/main.yml
Normal file
|
@ -0,0 +1,18 @@
|
|||
galaxy_info:
|
||||
author: histalek
|
||||
description: Deploy Caddy with podman and systemd.
|
||||
|
||||
issue_tracker_url: https://git.histalek.de/histalek-de/infrastructure/-/issues
|
||||
|
||||
license: GPL-3.0-only
|
||||
|
||||
min_ansible_version: "2.14"
|
||||
|
||||
platforms:
|
||||
- name: Fedora
|
||||
versions:
|
||||
- "38"
|
||||
- "39"
|
||||
- "40"
|
||||
|
||||
standalone: true
|
109
roles/caddy/tasks/main.yml
Normal file
109
roles/caddy/tasks/main.yml
Normal file
|
@ -0,0 +1,109 @@
|
|||
- name: Update default SELinux contexts.
|
||||
community.general.sefcontext:
|
||||
target: "{{ item }}(/.*)?"
|
||||
setype: "container_file_t"
|
||||
selevel: "{{ caddy_selinux_level }}"
|
||||
state: present
|
||||
loop:
|
||||
- "{{ caddy_install_dir }}/config"
|
||||
- "{{ caddy_install_dir }}/data"
|
||||
- "{{ caddy_install_dir }}/srv"
|
||||
become: true
|
||||
notify: "caddy selinux context changed"
|
||||
|
||||
- name: Create caddy directories.
|
||||
ansible.builtin.file:
|
||||
path: "{{ caddy_install_dir }}"
|
||||
state: directory
|
||||
mode: "0700"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
become: true
|
||||
|
||||
- name: Ensure caddy directories and configs exist.
|
||||
block:
|
||||
- name: Stat caddy config directory.
|
||||
ansible.builtin.stat:
|
||||
path: "{{ caddy_install_dir }}/config"
|
||||
become: true
|
||||
register: caddy_stat_config_dir
|
||||
|
||||
- name: Create caddy directories.
|
||||
ansible.builtin.file:
|
||||
path: "{{ item.path }}"
|
||||
state: directory
|
||||
owner: "{{ caddy_stat_config_dir.stat.uid | default('root') }}"
|
||||
group: "{{ caddy_stat_config_dir.stat.gid | default('root') }}"
|
||||
mode: "0700"
|
||||
loop:
|
||||
- path: "{{ caddy_install_dir }}/config"
|
||||
- path: "{{ caddy_install_dir }}/data"
|
||||
- path: "{{ caddy_install_dir }}/srv"
|
||||
become: true
|
||||
|
||||
- name: Deploy caddy configs.
|
||||
ansible.builtin.template:
|
||||
src: Caddyfile.j2
|
||||
dest: "{{ caddy_install_dir }}/config/Caddyfile"
|
||||
mode: "0600"
|
||||
owner: "{{ caddy_stat_config_dir.stat.uid | default('root') }}"
|
||||
group: "{{ caddy_stat_config_dir.stat.gid | default('root') }}"
|
||||
become: true
|
||||
notify: "caddy config changed"
|
||||
|
||||
- name: Ensure container image is present on the host.
|
||||
containers.podman.podman_image:
|
||||
name: "{{ caddy_container_image }}"
|
||||
state: present
|
||||
tag: "{{ caddy_image_tag }}"
|
||||
become: true
|
||||
|
||||
- name: Allow http and https.
|
||||
ansible.posix.firewalld:
|
||||
service: "{{ item }}"
|
||||
zone: public
|
||||
permanent: true
|
||||
immediate: true
|
||||
state: enabled
|
||||
loop:
|
||||
- http
|
||||
- https
|
||||
become: true
|
||||
|
||||
# Ref: https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes
|
||||
- name: Set maximum udp send/receive buffer size to around 2,5MB for quic.
|
||||
ansible.posix.sysctl:
|
||||
name: "{{ item.name }}"
|
||||
value: 2500000
|
||||
sysctl_set: true
|
||||
state: present
|
||||
reload: true
|
||||
loop:
|
||||
- name: net.core.rmem_max
|
||||
- name: net.core.wmem_max
|
||||
become: true
|
||||
|
||||
- name: Create caddy container / network file.
|
||||
ansible.builtin.template:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
owner: "root"
|
||||
group: "root"
|
||||
mode: "0644"
|
||||
loop:
|
||||
- src: caddy.container.j2
|
||||
dest: /etc/containers/systemd/caddy.container
|
||||
- src: caddy.network.j2
|
||||
dest: /etc/containers/systemd/caddy.network
|
||||
become: true
|
||||
notify: "caddy service changed"
|
||||
|
||||
- name: Flush handlers.
|
||||
ansible.builtin.meta: flush_handlers
|
||||
|
||||
- name: Start and enable caddy service.
|
||||
ansible.builtin.systemd:
|
||||
state: started
|
||||
enabled: true
|
||||
name: "caddy"
|
||||
become: true
|
21
roles/caddy/templates/Caddyfile.j2
Normal file
21
roles/caddy/templates/Caddyfile.j2
Normal file
|
@ -0,0 +1,21 @@
|
|||
{
|
||||
admin
|
||||
persist_config off
|
||||
log {
|
||||
output stdout
|
||||
format console
|
||||
level warn
|
||||
}
|
||||
|
||||
email {{ caddy_letsencrypt_email }}
|
||||
skip_install_trust
|
||||
acme_ca {{ caddy_letsencrypt_ca_server }}
|
||||
key_type {{ caddy_letsencrypt_key_type }}
|
||||
|
||||
servers {
|
||||
# metrics
|
||||
strict_sni_host
|
||||
}
|
||||
}
|
||||
|
||||
import /config/*.caddy
|
50
roles/caddy/templates/caddy.container.j2
Normal file
50
roles/caddy/templates/caddy.container.j2
Normal file
|
@ -0,0 +1,50 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
[Unit]
|
||||
Description=Caddy reverse proxy
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
RestartSec=5s
|
||||
|
||||
ExecReload=/usr/bin/podman exec \
|
||||
-w /config \
|
||||
caddy \
|
||||
caddy reload
|
||||
|
||||
[Container]
|
||||
Image={{ caddy_container_image }}:{{ caddy_image_tag }}
|
||||
ContainerName=caddy
|
||||
|
||||
Exec=caddy run \
|
||||
--config /config/Caddyfile \
|
||||
--adapter caddyfile
|
||||
|
||||
AutoUpdate=registry
|
||||
LogDriver=journald
|
||||
|
||||
NoNewPrivileges=true
|
||||
ReadOnly=true
|
||||
DropCapability=all
|
||||
AddCapability=CAP_NET_BIND_SERVICE
|
||||
UserNS=auto:size=65535
|
||||
{% if caddy_selinux_level != omit %}
|
||||
SecurityLabelLevel={{ caddy_selinux_level }}
|
||||
{% endif %}
|
||||
|
||||
Network=caddy.network
|
||||
|
||||
PublishPort=80:80/tcp
|
||||
PublishPort=443:443/tcp
|
||||
PublishPort=443:443/udp
|
||||
|
||||
Volume={{ caddy_install_dir }}/config:/config:ro,U
|
||||
Volume={{ caddy_install_dir }}/data:/data:U
|
||||
Volume={{ caddy_install_dir }}/srv:/srv:U
|
||||
|
||||
PodmanArgs=--memory={{ caddy_memory_high }}
|
||||
PodmanArgs=--memory-swap={{ caddy_swap_max }}
|
||||
PodmanArgs=--memory-reservation={{ caddy_memory_low }}
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
|
6
roles/caddy/templates/caddy.network.j2
Normal file
6
roles/caddy/templates/caddy.network.j2
Normal file
|
@ -0,0 +1,6 @@
|
|||
{{ ansible_managed | comment }}
|
||||
|
||||
[Network]
|
||||
NetworkName=caddy_reverseproxy
|
||||
Driver=bridge
|
||||
IPv6=true
|
Loading…
Add table
Reference in a new issue