Download caddy to vendor/caddy

.gitignore

@@ -1,2 +1,3 @@
 /secrets
 /site.retry
+/vendor

README.md

@@ -3,22 +3,23 @@
 This repository contains a set of roles I use to configure the following
 services for myself:
 
-## Done: 
+## Done:
 
+* CalDAV / CardDAV
 * Common setup to all hosts
 * DNS (master and slaves)
 * VPN (server)
+* Website
+
 ## Left to do:
 
 * Backups
-* CalDAV / CardDAV
 * Code hosting (wow self-referential)
 * E-mail
 * File sharing
 * Photo albums
 * SIP
 * VPN (client)
-* Website
 * XMPP
 
 Everything else.

deploy

@@ -1,4 +1,13 @@
 #!/bin/sh
 
-export ANSIBLE_CFG="$(dirname $0)/ansible.cfg"
-exec ansible-playbook -i inventory --extra-vars @secrets/main.yaml "$@" site.yaml
+ROOT="$(dirname $0)"
+CADDY="${ROOT}/vendor/caddy"
+
+if [ ! -e "$CADDY" ]; then
+	curl "https://caddyserver.com/download/build?os=linux&arch=amd64&features=DNS%2Cawslambda%2Ccors%2Cexpires%2Cfilemanager%2Cgit%2Chugo%2Cipfilter%2Cjsonp%2Cjwt%2Clocale%2Cmailout%2Cminify%2Cmultipass%2Cprometheus%2Cratelimit%2Crealip%2Csearch%2Cupload%2Cgandi%2Crfc2136" \
+    | tar -C "$(dirname "$CADDY")" -xz caddy
+	chmod a+x "$CADDY"
+fi
+
+export ANSIBLE_CFG="${ROOT}/ansible.cfg"
+exec ansible-playbook -i ${ROOT}/inventory --extra-vars @secrets/main.yaml "$@" site.yaml

inventory

@@ -1,3 +1,7 @@
+[backup]
+outpost.ur.gs backup_role=server
+home.ur.gs    backup_role=client
+
 [database]
 home.ur.gs
 
@@ -5,5 +9,8 @@ home.ur.gs
 outpost.ur.gs dns_role=slave
 home.ur.gs    dns_role=master
 
+[ur_gs]
+home.ur.gs domain=ur.gs
+
 [vpn]
 endgame.ur.gs vpn_role=server

playbooks/ur_gs.yaml

@@ -0,0 +1,5 @@
+---
+- hosts: ur_gs
+  roles:
+    - caddy
+  tags: ur_gs

roles/caddy/files/Caddyfile

@@ -0,0 +1 @@
+import /etc/caddy/conf.http.d/*.Caddyfile

roles/caddy/files/caddy.service

@@ -0,0 +1,43 @@
+[Unit]
+Description=Caddy HTTP/2 web server
+Documentation=https://caddyserver.com/docs
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+Restart=on-failure
+
+; User and group the process will run as.
+User=caddy
+Group=caddy
+
+; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
+ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+; Unmodified caddy is not expected to use more than that.
+LimitNPROC=64
+
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev
+PrivateDevices=true
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
+;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+ReadWriteDirectories=/var/lib/caddy
+
+; The following additional security directives only work with systemd v229 or later.
+; They further retrict privileges that can be gained by caddy. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+;AmbientCapabilities=CAP_NET_BIND_SERVICE
+;NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target

roles/caddy/handlers/main.yaml

@@ -0,0 +1,8 @@
+---
+- name: reload caddy
+  service:
+    name=caddy
+    state=reloaded
+
+- name: reload systemd
+  command: systemctl daemon-reload

roles/caddy/tasks/install.yaml

@@ -0,0 +1,59 @@
+---
+# No caddy packages...
+- name: Install Caddy binary
+  copy:
+    dest=/usr/local/bin/caddy
+    src={{ inventory_dir }}/vendor/caddy
+    owner=root
+    group=root
+    mode=0755
+
+- name: give CAP_NET_BIND_SERVICE to caddy
+  command: setcap cap_net_bind_service=+ep /usr/local/bin/caddy
+
+- name: Add Caddy group
+  group:
+    name=caddy
+    system=yes
+
+- name: Add Caddy user
+  user:
+    name=caddy
+    system=yes
+    home=/var/lib/caddy
+    group=caddy
+    groups=www-data,ssl-cert
+
+- name: Create caddy config hierarchy
+  file:
+    path={{ item }}
+    state=directory
+    owner=caddy
+    group=caddy
+    mode=0755
+  with_items:
+    - /etc/caddy
+    - /etc/caddy/conf.http.d
+
+- name: Add main Caddyfile
+  copy:
+    dest=/etc/caddy/Caddyfile
+    src={{ role_path }}/files/Caddyfile
+    owner=caddy
+    group=caddy
+    mode=0644
+
+- name: Add Caddy systemd unit for HTTP
+  copy:
+    dest=/etc/systemd/system/caddy.service
+    src={{ role_path }}/files/caddy.service
+    owner=root
+    group=root
+    mode=0755
+  notify: reload systemd
+
+- name: Enable and start caddy
+  service:
+    name=caddy
+    enabled=yes
+    state=started

roles/caddy/tasks/main.yaml

@@ -0,0 +1,11 @@
+---
+- include: install.yaml
+
+- name: Add Caddyfile for {{ domain }}
+  template:
+    dest=/etc/caddy/conf.http.d/{{ domain }}.Caddyfile
+    src={{ inventory_dir }}/templates//caddy/{{ domain }}.Caddyfile.tmpl
+    owner=caddy
+    group=caddy
+    mode=0400
+  notify: reload caddy

site.yaml

@@ -3,4 +3,5 @@
 
 - include: playbooks/database.yaml
 - include: playbooks/dns.yaml
+- include: playbooks/ur_gs.yaml
 - include: playbooks/vpn.yaml

templates/caddy/ur.gs.Caddyfile.tmpl

@@ -0,0 +1,13 @@
+{{ domain }} {
+  root /var/lib/caddy/{{ domain }}/public
+	log /var/log/caddy/{{ domain }}.log
+
+  git https://gitlab.com/lupine/web2016.git /var/lib/caddy/ur.gs {
+    hook /webhook {{ ur_gs.website.webhook_secret }}
+    then  hugo --destination=/var/lib/caddy/ur.gs/public
+  }
+
+
+  # CalDAV and Carddav
+  proxy /radicale http://127.0.0.1:5232
+}