Download caddy to vendor/caddy
parent
5bafd1df07
commit
1ee8d6f7c5
|
@ -1,2 +1,3 @@
|
|||
/secrets
|
||||
/site.retry
|
||||
/vendor
|
||||
|
|
|
@ -3,22 +3,23 @@
|
|||
This repository contains a set of roles I use to configure the following
|
||||
services for myself:
|
||||
|
||||
## Done:
|
||||
## Done:
|
||||
|
||||
* CalDAV / CardDAV
|
||||
* Common setup to all hosts
|
||||
* DNS (master and slaves)
|
||||
* VPN (server)
|
||||
* Website
|
||||
|
||||
## Left to do:
|
||||
|
||||
* Backups
|
||||
* CalDAV / CardDAV
|
||||
* Code hosting (wow self-referential)
|
||||
* E-mail
|
||||
* File sharing
|
||||
* Photo albums
|
||||
* SIP
|
||||
* VPN (client)
|
||||
* Website
|
||||
* XMPP
|
||||
|
||||
Everything else.
|
||||
|
|
13
deploy
13
deploy
|
@ -1,4 +1,13 @@
|
|||
#!/bin/sh
|
||||
|
||||
export ANSIBLE_CFG="$(dirname $0)/ansible.cfg"
|
||||
exec ansible-playbook -i inventory --extra-vars @secrets/main.yaml "$@" site.yaml
|
||||
ROOT="$(dirname $0)"
|
||||
CADDY="${ROOT}/vendor/caddy"
|
||||
|
||||
if [ ! -e "$CADDY" ]; then
|
||||
curl "https://caddyserver.com/download/build?os=linux&arch=amd64&features=DNS%2Cawslambda%2Ccors%2Cexpires%2Cfilemanager%2Cgit%2Chugo%2Cipfilter%2Cjsonp%2Cjwt%2Clocale%2Cmailout%2Cminify%2Cmultipass%2Cprometheus%2Cratelimit%2Crealip%2Csearch%2Cupload%2Cgandi%2Crfc2136" \
|
||||
| tar -C "$(dirname "$CADDY")" -xz caddy
|
||||
chmod a+x "$CADDY"
|
||||
fi
|
||||
|
||||
export ANSIBLE_CFG="${ROOT}/ansible.cfg"
|
||||
exec ansible-playbook -i ${ROOT}/inventory --extra-vars @secrets/main.yaml "$@" site.yaml
|
||||
|
|
|
@ -1,3 +1,7 @@
|
|||
[backup]
|
||||
outpost.ur.gs backup_role=server
|
||||
home.ur.gs backup_role=client
|
||||
|
||||
[database]
|
||||
home.ur.gs
|
||||
|
||||
|
@ -5,5 +9,8 @@ home.ur.gs
|
|||
outpost.ur.gs dns_role=slave
|
||||
home.ur.gs dns_role=master
|
||||
|
||||
[ur_gs]
|
||||
home.ur.gs domain=ur.gs
|
||||
|
||||
[vpn]
|
||||
endgame.ur.gs vpn_role=server
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
- hosts: ur_gs
|
||||
roles:
|
||||
- caddy
|
||||
tags: ur_gs
|
|
@ -0,0 +1 @@
|
|||
import /etc/caddy/conf.http.d/*.Caddyfile
|
|
@ -0,0 +1,43 @@
|
|||
[Unit]
|
||||
Description=Caddy HTTP/2 web server
|
||||
Documentation=https://caddyserver.com/docs
|
||||
After=network-online.target
|
||||
Wants=network-online.target systemd-networkd-wait-online.service
|
||||
|
||||
[Service]
|
||||
Restart=on-failure
|
||||
|
||||
; User and group the process will run as.
|
||||
User=caddy
|
||||
Group=caddy
|
||||
|
||||
; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
|
||||
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
|
||||
ExecReload=/bin/kill -USR1 $MAINPID
|
||||
|
||||
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
|
||||
LimitNOFILE=1048576
|
||||
; Unmodified caddy is not expected to use more than that.
|
||||
LimitNPROC=64
|
||||
|
||||
; Use private /tmp and /var/tmp, which are discarded after caddy stops.
|
||||
PrivateTmp=true
|
||||
; Use a minimal /dev
|
||||
PrivateDevices=true
|
||||
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
|
||||
ProtectHome=true
|
||||
; Make /usr, /boot, /etc and possibly some more folders read-only.
|
||||
ProtectSystem=full
|
||||
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
|
||||
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
|
||||
ReadWriteDirectories=/var/lib/caddy
|
||||
|
||||
; The following additional security directives only work with systemd v229 or later.
|
||||
; They further retrict privileges that can be gained by caddy. Uncomment if you like.
|
||||
; Note that you may have to add capabilities required by any plugins in use.
|
||||
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
;AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||
;NoNewPrivileges=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
- name: reload caddy
|
||||
service:
|
||||
name=caddy
|
||||
state=reloaded
|
||||
|
||||
- name: reload systemd
|
||||
command: systemctl daemon-reload
|
|
@ -0,0 +1,59 @@
|
|||
---
|
||||
# No caddy packages...
|
||||
- name: Install Caddy binary
|
||||
copy:
|
||||
dest=/usr/local/bin/caddy
|
||||
src={{ inventory_dir }}/vendor/caddy
|
||||
owner=root
|
||||
group=root
|
||||
mode=0755
|
||||
|
||||
- name: give CAP_NET_BIND_SERVICE to caddy
|
||||
command: setcap cap_net_bind_service=+ep /usr/local/bin/caddy
|
||||
|
||||
- name: Add Caddy group
|
||||
group:
|
||||
name=caddy
|
||||
system=yes
|
||||
|
||||
- name: Add Caddy user
|
||||
user:
|
||||
name=caddy
|
||||
system=yes
|
||||
home=/var/lib/caddy
|
||||
group=caddy
|
||||
groups=www-data,ssl-cert
|
||||
|
||||
- name: Create caddy config hierarchy
|
||||
file:
|
||||
path={{ item }}
|
||||
state=directory
|
||||
owner=caddy
|
||||
group=caddy
|
||||
mode=0755
|
||||
with_items:
|
||||
- /etc/caddy
|
||||
- /etc/caddy/conf.http.d
|
||||
|
||||
- name: Add main Caddyfile
|
||||
copy:
|
||||
dest=/etc/caddy/Caddyfile
|
||||
src={{ role_path }}/files/Caddyfile
|
||||
owner=caddy
|
||||
group=caddy
|
||||
mode=0644
|
||||
|
||||
- name: Add Caddy systemd unit for HTTP
|
||||
copy:
|
||||
dest=/etc/systemd/system/caddy.service
|
||||
src={{ role_path }}/files/caddy.service
|
||||
owner=root
|
||||
group=root
|
||||
mode=0755
|
||||
notify: reload systemd
|
||||
|
||||
- name: Enable and start caddy
|
||||
service:
|
||||
name=caddy
|
||||
enabled=yes
|
||||
state=started
|
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
- include: install.yaml
|
||||
|
||||
- name: Add Caddyfile for {{ domain }}
|
||||
template:
|
||||
dest=/etc/caddy/conf.http.d/{{ domain }}.Caddyfile
|
||||
src={{ inventory_dir }}/templates//caddy/{{ domain }}.Caddyfile.tmpl
|
||||
owner=caddy
|
||||
group=caddy
|
||||
mode=0400
|
||||
notify: reload caddy
|
|
@ -3,4 +3,5 @@
|
|||
|
||||
- include: playbooks/database.yaml
|
||||
- include: playbooks/dns.yaml
|
||||
- include: playbooks/ur_gs.yaml
|
||||
- include: playbooks/vpn.yaml
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
{{ domain }} {
|
||||
root /var/lib/caddy/{{ domain }}/public
|
||||
log /var/log/caddy/{{ domain }}.log
|
||||
|
||||
git https://gitlab.com/lupine/web2016.git /var/lib/caddy/ur.gs {
|
||||
hook /webhook {{ ur_gs.website.webhook_secret }}
|
||||
then hugo --destination=/var/lib/caddy/ur.gs/public
|
||||
}
|
||||
|
||||
|
||||
# CalDAV and Carddav
|
||||
proxy /radicale http://127.0.0.1:5232
|
||||
}
|
Loading…
Reference in New Issue