
Download caddy to vendor/caddy

main
Nick Thomas 5 years ago
parent
commit
1ee8d6f7c5
  1. 1
      .gitignore
  2. 7
      README.md
  3. 13
      deploy
  4. 7
      inventory
  5. 5
      playbooks/ur_gs.yaml
  6. 1
      roles/caddy/files/Caddyfile
  7. 43
      roles/caddy/files/caddy.service
  8. 8
      roles/caddy/handlers/main.yaml
  9. 59
      roles/caddy/tasks/install.yaml
  10. 11
      roles/caddy/tasks/main.yaml
  11. 1
      site.yaml
  12. 13
      templates/caddy/ur.gs.Caddyfile.tmpl
  13. 0
      vendor/.gitkeep

1
.gitignore vendored

@ -1,2 +1,3 @@
/secrets
/site.retry
/vendor

7
README.md

@ -3,22 +3,23 @@
This repository contains a set of roles I use to configure the following
services for myself:
## Done:
## Done:
* CalDAV / CardDAV
* Common setup to all hosts
* DNS (master and slaves)
* VPN (server)
* Website
## Left to do:
* Backups
* CalDAV / CardDAV
* Code hosting (wow self-referential)
* E-mail
* File sharing
* Photo albums
* SIP
* VPN (client)
* Website
* XMPP
Everything else.

13
deploy

@ -1,4 +1,13 @@
#!/bin/sh
export ANSIBLE_CFG="$(dirname $0)/ansible.cfg"
exec ansible-playbook -i inventory --extra-vars @secrets/main.yaml "$@" site.yaml
ROOT="$(dirname $0)"
CADDY="${ROOT}/vendor/caddy"
if [ ! -e "$CADDY" ]; then
curl "https://caddyserver.com/download/build?os=linux&arch=amd64&features=DNS%2Cawslambda%2Ccors%2Cexpires%2Cfilemanager%2Cgit%2Chugo%2Cipfilter%2Cjsonp%2Cjwt%2Clocale%2Cmailout%2Cminify%2Cmultipass%2Cprometheus%2Cratelimit%2Crealip%2Csearch%2Cupload%2Cgandi%2Crfc2136" \
| tar -C "$(dirname "$CADDY")" -xz caddy
chmod a+x "$CADDY"
fi
export ANSIBLE_CFG="${ROOT}/ansible.cfg"
exec ansible-playbook -i ${ROOT}/inventory --extra-vars @secrets/main.yaml "$@" site.yaml
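Review bot: The archive fetched by the `curl` at the top of the new `if` block is piped straight into `tar` and the resulting binary is later installed on every host as /usr/local/bin/caddy, with no integrity check anywhere in between, so a tampered or substituted download lands on all hosts unverified. Pin the expected SHA-256 of the archive in the script and verify it before extracting; if the build endpoint does not return byte-identical archives across calls, take the digest from a download you have inspected and update it on each deliberate upgrade. `curl` should also run with `-f` so an HTTP error body is not handed to `tar`, and `$(dirname $0)` on the `ROOT=` line is unquoted. The hunk covers the whole script.
```shell
ROOT="$(dirname "$0")"
CADDY="${ROOT}/vendor/caddy"
# Expected SHA-256 of the downloaded archive; update deliberately on each caddy upgrade.
CADDY_SHA256="<expected-sha256-of-caddy-archive>"
if [ ! -e "$CADDY" ]; then
    ARCHIVE="$(mktemp)"
    curl -fsSL "https://caddyserver.com/download/build?os=linux&arch=amd64&features=DNS%2Cawslambda%2Ccors%2Cexpires%2Cfilemanager%2Cgit%2Chugo%2Cipfilter%2Cjsonp%2Cjwt%2Clocale%2Cmailout%2Cminify%2Cmultipass%2Cprometheus%2Cratelimit%2Crealip%2Csearch%2Cupload%2Cgandi%2Crfc2136" -o "$ARCHIVE"
    echo "${CADDY_SHA256}  ${ARCHIVE}" | sha256sum -c - || { rm -f "$ARCHIVE"; exit 1; }
    tar -C "$(dirname "$CADDY")" -xzf "$ARCHIVE" caddy
    rm -f "$ARCHIVE"
    chmod a+x "$CADDY"
fi
# … unchanged: ANSIBLE_CFG export and exec ansible-playbook …
```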

7
inventory

@ -1,3 +1,7 @@
[backup]
outpost.ur.gs backup_role=server
home.ur.gs backup_role=client
[database]
home.ur.gs
@ -5,5 +9,8 @@ home.ur.gs
outpost.ur.gs dns_role=slave
home.ur.gs dns_role=master
[ur_gs]
home.ur.gs domain=ur.gs
[vpn]
endgame.ur.gs vpn_role=server

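--- a/playbooks/ur_gs.yaml
+++ b/playbooks/ur_gs.yaml
@@ -0,0 +1,5 @@
+---
+- hosts: ur_gs
+roles:
+- caddy
+tags: ur_gs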

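--- a/roles/caddy/files/Caddyfile
+++ b/roles/caddy/files/Caddyfile
@@ -0,0 +1 @@
+import /etc/caddy/conf.http.d/*.Caddyfile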

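--- a/roles/caddy/files/caddy.service
+++ b/roles/caddy/files/caddy.service
+[Unit]
+Description=Caddy HTTP/2 web server
+Documentation=https://caddyserver.com/docs
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+[Service]
+Restart=on-failure
+; User and group the process will run as.
+User=caddy
+Group=caddy
+; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
+ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
+ExecReload=/bin/kill -USR1 $MAINPID
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+; Unmodified caddy is not expected to use more than that.
+LimitNPROC=64
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev
+PrivateDevices=true
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
+; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+ReadWriteDirectories=/var/lib/caddy
+; The following additional security directives only work with systemd v229 or later.
+; They further retrict privileges that can be gained by caddy. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+;AmbientCapabilities=CAP_NET_BIND_SERVICE
+;NoNewPrivileges=true
+[Install]
+WantedBy=multi-user.target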
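Review bot: The comment above `ReadWriteDirectories=/var/lib/caddy` says the exception is for /etc/ssl/caddy, but the directive grants /var/lib/caddy, and with `ProtectSystem=full` making /etc read-only the comment should name where certificates actually land — presumably under the caddy user's home, which install.yaml sets to /var/lib/caddy — so the two agree. The three hardening directives at the end stay commented out while the role grants the port-binding capability with `setcap` on the binary instead; `NoNewPrivileges=true` makes the kernel ignore file capabilities on execve, so the two approaches cannot be combined as written. The least-privilege form is to uncomment `CapabilityBoundingSet=CAP_NET_BIND_SERVICE`, `AmbientCapabilities=CAP_NET_BIND_SERVICE` and `NoNewPrivileges=true` (systemd v229 or later, as the comment notes) and drop the setcap task from install.yaml. Blank lines of the unit are not rendered on this page, so line placement is approximate.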

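--- a/roles/caddy/handlers/main.yaml
+++ b/roles/caddy/handlers/main.yaml
+---
+- name: reload caddy
+service:
+name=caddy
+state=reloaded
+- name: reload systemd
+command: systemctl daemon-reload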
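Review bot: The `reload systemd` handler shells out with `command: systemctl daemon-reload`, which always reports changed and is skipped in check mode; if the Ansible version in use ships the `systemd` module, `systemd: daemon_reload=yes` is the idempotent equivalent and keeps the handler in line with the `service:` form used by `reload caddy` just above it.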

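--- a/roles/caddy/tasks/install.yaml
+++ b/roles/caddy/tasks/install.yaml
+---
+# No caddy packages...
+- name: Install Caddy binary
+copy:
+dest=/usr/local/bin/caddy
+src={{ inventory_dir }}/vendor/caddy
+owner=root
+group=root
+mode=0755
+- name: give CAP_NET_BIND_SERVICE to caddy
+command: setcap cap_net_bind_service=+ep /usr/local/bin/caddy
+- name: Add Caddy group
+group:
+name=caddy
+system=yes
+- name: Add Caddy user
+user:
+name=caddy
+system=yes
+home=/var/lib/caddy
+group=caddy
+groups=www-data,ssl-cert
+- name: Create caddy config hierarchy
+file:
+path={{ item }}
+state=directory
+owner=caddy
+group=caddy
+mode=0755
+with_items:
+- /etc/caddy
+- /etc/caddy/conf.http.d
+- name: Add main Caddyfile
+copy:
+dest=/etc/caddy/Caddyfile
+src={{ role_path }}/files/Caddyfile
+owner=caddy
+group=caddy
+mode=0644
+- name: Add Caddy systemd unit for HTTP
+copy:
+dest=/etc/systemd/system/caddy.service
+src={{ role_path }}/files/caddy.service
+owner=root
+group=root
+mode=0755
+notify: reload systemd
+- name: Enable and start caddy
+service:
+name=caddy
+enabled=yes
+state=started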
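Review bot: The unit file is copied to /etc/systemd/system/caddy.service with `mode=0755` in the 'Add Caddy systemd unit for HTTP' task; a unit file is data, not an executable, and `mode=0644` is the right mode there. The `setcap` task runs unconditionally through `command:`, so it reports changed on every play; registering the 'Install Caddy binary' copy (`register: caddy_binary`) and guarding the setcap task with `when: caddy_binary.changed` ties it to the one event that actually strips the file capability, a fresh copy of the binary. 'Add Caddy user' also puts caddy in `ssl-cert`, which on Debian-style hosts grants read access to private keys under /etc/ssl/private; if the site only serves ACME-issued certificates kept under the caddy home, that membership is surplus privilege and can be dropped. Blank lines are not rendered on this page, so line positions are approximate.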

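--- a/roles/caddy/tasks/main.yaml
+++ b/roles/caddy/tasks/main.yaml
+---
+- include: install.yaml
+- name: Add Caddyfile for {{ domain }}
+template:
+dest=/etc/caddy/conf.http.d/{{ domain }}.Caddyfile
+src={{ inventory_dir }}/templates//caddy/{{ domain }}.Caddyfile.tmpl
+owner=caddy
+group=caddy
+mode=0400
+notify: reload caddy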
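Review bot: The `src=` of the 'Add Caddyfile for {{ domain }}' template task contains a doubled slash, `templates//caddy/`; it resolves to the same path but reads as a typo, so `src={{ inventory_dir }}/templates/caddy/{{ domain }}.Caddyfile.tmpl` is the cleaner form. The rendered file carries the webhook secret and is installed `mode=0400` owned by caddy, which is the right restriction for it; this is a style point only.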

1
site.yaml

@ -3,4 +3,5 @@
- include: playbooks/database.yaml
- include: playbooks/dns.yaml
- include: playbooks/ur_gs.yaml
- include: playbooks/vpn.yaml

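--- a/templates/caddy/ur.gs.Caddyfile.tmpl
+++ b/templates/caddy/ur.gs.Caddyfile.tmpl
+{{ domain }} {
+root /var/lib/caddy/{{ domain }}/public
+log /var/log/caddy/{{ domain }}.log
+git https://gitlab.com/lupine/web2016.git /var/lib/caddy/ur.gs {
+hook /webhook {{ ur_gs.website.webhook_secret }}
+then hugo --destination=/var/lib/caddy/ur.gs/public
+}
+# CalDAV and Carddav
+proxy /radicale http://127.0.0.1:5232
+}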
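Review bot: `log /var/log/caddy/{{ domain }}.log` points at a directory that nothing in the role creates, and the unit runs caddy as the unprivileged caddy user, so caddy will presumably fail to open the access log at startup unless /var/log/caddy already exists and is writable by that user — confirm on a fresh host. Either add a `file:` task to install.yaml creating /var/log/caddy with `owner=caddy group=caddy mode=0750`, or use `log stdout` so journald captures it next to the process log the unit already sends there. The `git` and `then hugo` lines hard-code `/var/lib/caddy/ur.gs` while the `root` line uses `{{ domain }}`; using the variable throughout keeps the template reusable for a second domain.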

0
vendor/.gitkeep vendored
