13 changed files with 164 additions and 5 deletions
@ -1,4 +1,13 @@
|
||||
#!/bin/sh |
||||
|
||||
export ANSIBLE_CFG="$(dirname $0)/ansible.cfg" |
||||
exec ansible-playbook -i inventory --extra-vars @secrets/main.yaml "$@" site.yaml |
||||
ROOT="$(dirname $0)" |
||||
CADDY="${ROOT}/vendor/caddy" |
||||
|
||||
if [ ! -e "$CADDY" ]; then |
||||
curl "https://caddyserver.com/download/build?os=linux&arch=amd64&features=DNS%2Cawslambda%2Ccors%2Cexpires%2Cfilemanager%2Cgit%2Chugo%2Cipfilter%2Cjsonp%2Cjwt%2Clocale%2Cmailout%2Cminify%2Cmultipass%2Cprometheus%2Cratelimit%2Crealip%2Csearch%2Cupload%2Cgandi%2Crfc2136" \ |
||||
| tar -C "$(dirname "$CADDY")" -xz caddy |
||||
chmod a+x "$CADDY" |
||||
fi |
||||
|
||||
export ANSIBLE_CFG="${ROOT}/ansible.cfg" |
||||
exec ansible-playbook -i ${ROOT}/inventory --extra-vars @secrets/main.yaml "$@" site.yaml |
||||
|
@ -0,0 +1,5 @@
|
||||
--- |
||||
- hosts: ur_gs |
||||
roles: |
||||
- caddy |
||||
tags: ur_gs |
@ -0,0 +1 @@
|
||||
import /etc/caddy/conf.http.d/*.Caddyfile |
@ -0,0 +1,43 @@
|
||||
[Unit] |
||||
Description=Caddy HTTP/2 web server |
||||
Documentation=https://caddyserver.com/docs |
||||
After=network-online.target |
||||
Wants=network-online.target systemd-networkd-wait-online.service |
||||
|
||||
[Service] |
||||
Restart=on-failure |
||||
|
||||
; User and group the process will run as. |
||||
User=caddy |
||||
Group=caddy |
||||
|
||||
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile. |
||||
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp |
||||
ExecReload=/bin/kill -USR1 $MAINPID |
||||
|
||||
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings. |
||||
LimitNOFILE=1048576 |
||||
; Unmodified caddy is not expected to use more than that. |
||||
LimitNPROC=64 |
||||
|
||||
; Use private /tmp and /var/tmp, which are discarded after caddy stops. |
||||
PrivateTmp=true |
||||
; Use a minimal /dev |
||||
PrivateDevices=true |
||||
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys. |
||||
ProtectHome=true |
||||
; Make /usr, /boot, /etc and possibly some more folders read-only. |
||||
ProtectSystem=full |
||||
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there. |
||||
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host! |
||||
ReadWriteDirectories=/var/lib/caddy |
||||
|
||||
; The following additional security directives only work with systemd v229 or later. |
||||
; They further retrict privileges that can be gained by caddy. Uncomment if you like. |
||||
; Note that you may have to add capabilities required by any plugins in use. |
||||
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE |
||||
;AmbientCapabilities=CAP_NET_BIND_SERVICE |
||||
;NoNewPrivileges=true |
||||
|
||||
[Install] |
||||
WantedBy=multi-user.target |
@ -0,0 +1,8 @@
|
||||
--- |
||||
- name: reload caddy |
||||
service: |
||||
name=caddy |
||||
state=reloaded |
||||
|
||||
- name: reload systemd |
||||
command: systemctl daemon-reload |
@ -0,0 +1,59 @@
|
||||
--- |
||||
# No caddy packages... |
||||
- name: Install Caddy binary |
||||
copy: |
||||
dest=/usr/local/bin/caddy |
||||
src={{ inventory_dir }}/vendor/caddy |
||||
owner=root |
||||
group=root |
||||
mode=0755 |
||||
|
||||
- name: give CAP_NET_BIND_SERVICE to caddy |
||||
command: setcap cap_net_bind_service=+ep /usr/local/bin/caddy |
||||
|
||||
- name: Add Caddy group |
||||
group: |
||||
name=caddy |
||||
system=yes |
||||
|
||||
- name: Add Caddy user |
||||
user: |
||||
name=caddy |
||||
system=yes |
||||
home=/var/lib/caddy |
||||
group=caddy |
||||
groups=www-data,ssl-cert |
||||
|
||||
- name: Create caddy config hierarchy |
||||
file: |
||||
path={{ item }} |
||||
state=directory |
||||
owner=caddy |
||||
group=caddy |
||||
mode=0755 |
||||
with_items: |
||||
- /etc/caddy |
||||
- /etc/caddy/conf.http.d |
||||
|
||||
- name: Add main Caddyfile |
||||
copy: |
||||
dest=/etc/caddy/Caddyfile |
||||
src={{ role_path }}/files/Caddyfile |
||||
owner=caddy |
||||
group=caddy |
||||
mode=0644 |
||||
|
||||
- name: Add Caddy systemd unit for HTTP |
||||
copy: |
||||
dest=/etc/systemd/system/caddy.service |
||||
src={{ role_path }}/files/caddy.service |
||||
owner=root |
||||
group=root |
||||
mode=0755 |
||||
notify: reload systemd |
||||
|
||||
- name: Enable and start caddy |
||||
service: |
||||
name=caddy |
||||
enabled=yes |
||||
state=started |
@ -0,0 +1,11 @@
|
||||
--- |
||||
- include: install.yaml |
||||
|
||||
- name: Add Caddyfile for {{ domain }} |
||||
template: |
||||
dest=/etc/caddy/conf.http.d/{{ domain }}.Caddyfile |
||||
src={{ inventory_dir }}/templates//caddy/{{ domain }}.Caddyfile.tmpl |
||||
owner=caddy |
||||
group=caddy |
||||
mode=0400 |
||||
notify: reload caddy |
@ -0,0 +1,13 @@
|
||||
{{ domain }} { |
||||
root /var/lib/caddy/{{ domain }}/public |
||||
log /var/log/caddy/{{ domain }}.log |
||||
|
||||
git https://gitlab.com/lupine/web2016.git /var/lib/caddy/ur.gs { |
||||
hook /webhook {{ ur_gs.website.webhook_secret }} |
||||
then hugo --destination=/var/lib/caddy/ur.gs/public |
||||
} |
||||
|
||||
|
||||
# CalDAV and Carddav |
||||
proxy /radicale http://127.0.0.1:5232 |
||||
} |
Loading…
Reference in new issue