feat(caddy_site): add ansible role for configuring sites using caddy

2025-12-25 15:34:14 +01:00
parent 4fc0a671b3
commit 044ee49795
5 changed files with 81 additions and 0 deletions
--- a/playbooks/caddy_reverse_proxy.yml
+++ b/playbooks/caddy_reverse_proxy.yml
@@ -0,0 +1,24 @@
+---
+- name: Ensure reverse proxy configuration is created
+  hosts: "{{ target_hosts }}"
+  become: "{{ target_become | default(false) }}"
+  gather_facts: "{{ target_gather_facts | default(false) }}"
+  roles:
+    - role: finallycoffee.base.caddy_site
+  vars:
+    caddy_site_cert_basepath: >-2
+      {{ caddy_site_tls_store | default('/tls') }}/{{ caddy_site_name }}/certificates/{{ caddy_site_name }}
+    caddy_site_config: |+2
+      https://{{ caddy_site_name }} {
+          tls {{ caddy_site_cert_basepath}}.crt {{ caddy_site_cert_basepath }}.key
+          header {
+              Strict-Transport-Security "max-age=31536000"
+          }
+          encode zstd gzip
+          reverse_proxy {{ caddy_reverse_proxy_backend_addr | mandatory }} {
+            {% if caddy_reverse_proxy_import_proxyheaders | default(true, true) -%}
+            import proxyheaders
+            {%- endif +%}
+          }
+      }
+
--- a/roles/caddy_site/README.md
+++ b/roles/caddy_site/README.md
@@ -0,0 +1,7 @@
+# `finallycoffee.base.caddy_site` ansible role
+
+Provision a single site configuration in caddy.
+
+Set `caddy_site_name` as a unique
+site identifier (needs to be a valid filename) and `caddy_site_config`
+to contain the actual `Caddyfile` contents.
--- a/roles/caddy_site/defaults/main.yml
+++ b/roles/caddy_site/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+caddy_site_name: ~
+caddy_site_config: ~
+caddy_site_state: "present"
+
+caddy_site_configs: "/etc/caddy/sites.d"
+caddy_site_config_dir: >-2
+  {{ caddy_site_configs }}/{{ caddy_site_name }}
+caddy_site_config_file: >-2
+  {{ caddy_site_config_dir }}/Caddyfile
+
+caddy_site_owner: "caddy"
+caddy_site_group: "caddy"
--- a/roles/caddy_site/meta/main.yml
+++ b/roles/caddy_site/meta/main.yml
@@ -0,0 +1,11 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: caddy_site
+  description: Deploy a sites' configuration in caddy
+  galaxy_tags:
+    - caddy
+    - zerossl
+    - http
+    - webserver
--- a/roles/caddy_site/tasks/main.yml
+++ b/roles/caddy_site/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+- name: Fail if required variables are not populated
+  ansible.builtin.fail:
+    msg: "Either `caddy_site_name` or `caddy_site_config` is not provided"
+  when: >-2
+    (caddy_site_name | ansible.builtin.type_debug == 'NoneType')
+    or
+    (caddy_site_config | ansible.builtin.type_debug == 'NoneType')
+
+- name: Ensure directory for caddy site config '{{ caddy_site_name }}' is {{ caddy_site_state }}
+  ansible.builtin.file:
+    path: "{{ caddy_site_config_dir }}"
+    state: >-2
+      {{ (caddy_site_state == 'present') | ternary('directory', 'absent') }}
+    owner: "{{ caddy_site_owner }}"
+    group: "{{ caddy_site_group }}"
+    mode: "0750"
+
+- name: Ensure caddy site configuration is templated
+  ansible.builtin.copy:
+    dest: "{{ caddy_site_config_file }}"
+    content: "{{ caddy_site_config }}"
+    owner: "{{ caddy_site_owner }}"
+    group: "{{ caddy_site_group }}"
+    mode: "0640"
+  when: caddy_site_state == 'present'