Complete production-ready Caddy infrastructure with security hardening

- Add comprehensive Caddy role with HTTPS/TLS, DNS challenges, and systemd security - Implement optimized systemd overrides with enhanced security restrictions - Create detailed documentation with usage examples and variable references - Establish proper Ansible configuration with vault integration - Update site.yml for infrastructure orchestration with role-based deployment - Add host-specific configuration structure for scalable multi-environment setup
2025-11-12 22:36:34 +01:00
parent 0b6eea6113
commit 7788410bfc
12 changed files with 795 additions and 3 deletions
--- a/roles/caddy/defaults/main.yml
+++ b/roles/caddy/defaults/main.yml
@@ -0,0 +1,95 @@
+---
+# =================================================================
+# Caddy Web Server Role Configuration
+# =================================================================
+# This role provides a complete Caddy setup with automatic HTTPS
+# Override these variables in host_vars/ for production deployment
+
+# =================================================================
+# Basic Installation Configuration
+# =================================================================
+caddy_version: "latest"
+caddy_user: "caddy" 
+caddy_group: "caddy"
+caddy_home: "/var/lib/caddy"
+caddy_config_dir: "/etc/caddy"
+caddy_data_dir: "/var/lib/caddy"
+caddy_log_dir: "/var/log/caddy"
+caddy_web_root: "/var/www"
+caddy_default_site_root: "{{ caddy_web_root }}/default"
+
+# =================================================================
+# Service Configuration 
+# =================================================================
+caddy_config_file: "/etc/caddy/Caddyfile"        # Package default path
+caddy_service_enabled: true
+caddy_service_state: "started"
+caddy_auto_https: true
+caddy_admin_listen: "127.0.0.1:2019"
+
+# =================================================================
+# TLS/HTTPS Configuration
+# =================================================================
+# Enable automatic HTTPS with Let's Encrypt certificates
+caddy_tls_enabled: false                    # Set to true to enable HTTPS
+caddy_tls_email: ""                         # Required for Let's Encrypt (e.g., "admin@example.com")
+caddy_domain: "localhost"                   # Primary domain to serve
+
+# ACME Certificate Authority settings
+caddy_acme_ca: "https://acme-v02.api.letsencrypt.org/directory"  # Production CA
+# caddy_acme_ca: "https://acme-staging-v02.api.letsencrypt.org/directory"  # Staging for testing
+
+# =================================================================
+# DNS Challenge Configuration (for wildcard certificates)
+# =================================================================
+# DNS challenge allows wildcard certificates and works behind firewalls
+caddy_dns_provider: ""                      # Set to "cloudflare" for Cloudflare DNS challenge
+cloudflare_api_token: ""                    # Cloudflare API token (override in host_vars with vault reference)
+
+# DNS challenge settings  
+caddy_dns_resolvers:                        # DNS resolvers for challenge verification
+  - "1.1.1.1:53"
+  - "1.0.0.1:53"
+caddy_dns_propagation_timeout: 120          # Seconds to wait for DNS propagation
+
+# =================================================================
+# Sites Configuration
+# =================================================================
+# Define additional sites/domains to serve
+caddy_sites: []
+
+# Example configurations:
+# caddy_sites:
+#   # Static file serving
+#   - domain: "static.example.com"
+#     root: "/var/www/static"
+#     dns_challenge: true                   # Use DNS challenge for this domain
+#
+#   # Reverse proxy to backend service
+#   - domain: "api.example.com" 
+#     backend: "localhost:8080"
+#     dns_challenge: true
+#     extra_config: |
+#       header_up Host {upstream_hostport}
+#       header_up X-Real-IP {remote_host}
+#
+#   # Simple HTTP-only site
+#   - domain: "internal.example.com"
+#     root: "/var/www/internal"
+#     tls: "off"
+
+# =================================================================
+# Security & Network Configuration
+# =================================================================
+# Firewall ports to open automatically
+caddy_firewall_ports:
+  - 80    # HTTP (for redirects and ACME challenges)
+  - 443   # HTTPS (for TLS traffic)
+
+# =================================================================
+# Advanced Configuration
+# =================================================================
+# Systemd service customization
+caddy_systemd_security: true               # Enable systemd security restrictions
+caddy_log_level: "INFO"                    # Logging level (ERROR, WARN, INFO, DEBUG)
+caddy_log_format: "common"                 # Log format (common, json)