Complete production-ready Caddy infrastructure with security hardening

- Add comprehensive Caddy role with HTTPS/TLS, DNS challenges, and systemd security
- Implement optimized systemd overrides with enhanced security restrictions
- Create detailed documentation with usage examples and variable references
- Establish proper Ansible configuration with vault integration
- Update site.yml for infrastructure orchestration with role-based deployment
- Add host-specific configuration structure for scalable multi-environment setup

roles/caddy/tasks/main.yml

@@ -0,0 +1,122 @@
+---
+- name: Check if DNS challenge is needed
+  set_fact:
+    dns_challenge_needed: "{{ caddy_dns_provider == 'cloudflare' and cloudflare_api_token != '' }}"
+
+- name: Install standard Caddy (if no DNS challenge needed)
+  pacman:
+    name: caddy
+    state: present
+  when: not dns_challenge_needed | bool
+  notify: restart caddy
+
+- name: Download Caddy with Cloudflare plugin (if DNS challenge needed)
+  get_url:
+    url: "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com/caddy-dns/cloudflare"
+    dest: /tmp/caddy-with-cloudflare
+    mode: '0755'
+  when: dns_challenge_needed | bool
+
+- name: Install Caddy with Cloudflare plugin
+  copy:
+    src: /tmp/caddy-with-cloudflare
+    dest: /usr/bin/caddy
+    mode: '0755'
+    remote_src: yes
+    backup: yes
+  when: dns_challenge_needed | bool
+  notify: restart caddy
+
+- name: Clean up temporary Caddy binary
+  file:
+    path: /tmp/caddy-with-cloudflare
+    state: absent
+
+- name: Create caddy user and group
+  user:
+    name: "{{ caddy_user }}"
+    group: "{{ caddy_group }}"
+    home: "{{ caddy_home }}"
+    shell: /usr/bin/nologin
+    system: yes
+    createhome: yes
+  notify: restart caddy
+
+- name: Create Caddy directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ caddy_user }}"
+    group: "{{ caddy_group }}"
+    mode: '0755'
+  loop:
+    - "{{ caddy_config_dir }}"
+    - "{{ caddy_data_dir }}"
+    - "{{ caddy_log_dir }}"
+    - "{{ caddy_web_root }}"
+    - "{{ caddy_default_site_root }}"
+
+- name: Deploy default index page
+  template:
+    src: index.html.j2
+    dest: "{{ caddy_default_site_root }}/index.html"
+    owner: "{{ caddy_user }}"
+    group: "{{ caddy_group }}"
+    mode: '0644'
+
+
+
+- name: Create systemd override directory
+  file:
+    path: /etc/systemd/system/caddy.service.d
+    state: directory
+    mode: '0755'
+
+- name: Configure Caddy systemd override
+  template:
+    src: systemd-override.conf.j2
+    dest: /etc/systemd/system/caddy.service.d/override.conf
+    mode: '0644'
+  notify: 
+    - reload systemd
+    - restart caddy
+
+- name: Generate Caddyfile from template (with vault secrets)
+  template:
+    src: Caddyfile.j2
+    dest: "{{ caddy_config_file }}"
+    owner: root
+    group: "{{ caddy_group }}"
+    mode: '0640'
+    backup: yes
+  notify: reload caddy
+
+- name: Check Caddyfile syntax (basic check)
+  command: caddy fmt --overwrite "{{ caddy_config_file }}"
+  register: caddy_fmt_result
+  changed_when: false
+  failed_when: false
+
+# Note: Full validation with environment variables happens at service startup
+
+- name: Enable and start Caddy service
+  systemd:
+    name: caddy
+    enabled: "{{ caddy_service_enabled }}"
+    state: "{{ caddy_service_state }}"
+    daemon_reload: yes
+
+- name: Wait for Caddy to be running
+  wait_for:
+    port: 80
+    host: 127.0.0.1
+    timeout: 30
+  when: caddy_service_state == "started"
+
+- name: Verify Caddy admin API is accessible
+  uri:
+    url: "http://{{ caddy_admin_listen }}/config/"
+    method: GET
+  register: caddy_admin_check
+  failed_when: false
+  changed_when: false