Complete production-ready Caddy infrastructure with security hardening
- Add comprehensive Caddy role with HTTPS/TLS, DNS challenges, and systemd security - Implement optimized systemd overrides with enhanced security restrictions - Create detailed documentation with usage examples and variable references - Establish proper Ansible configuration with vault integration - Update site.yml for infrastructure orchestration with role-based deployment - Add host-specific configuration structure for scalable multi-environment setup
This commit is contained in:
139
roles/caddy/templates/Caddyfile.j2
Normal file
139
roles/caddy/templates/Caddyfile.j2
Normal file
@@ -0,0 +1,139 @@
|
||||
# Caddy configuration file
|
||||
# Generated by Ansible - DO NOT EDIT MANUALLY
|
||||
|
||||
# Global configuration
|
||||
{
|
||||
admin {{ caddy_admin_listen }}
|
||||
|
||||
{% if caddy_tls_enabled and caddy_tls_email %}
|
||||
# ACME configuration for Let's Encrypt
|
||||
email {{ caddy_tls_email }}
|
||||
acme_ca {{ caddy_acme_ca }}
|
||||
{% endif %}
|
||||
|
||||
{% if not caddy_auto_https %}
|
||||
auto_https off
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
# Primary domain: {{ caddy_domain }}
|
||||
{{ caddy_domain }} {
|
||||
{% if caddy_tls_enabled %}
|
||||
{% if caddy_dns_provider == "cloudflare" and cloudflare_api_token %}
|
||||
# DNS challenge for automatic TLS (secure: no environment files)
|
||||
tls {
|
||||
dns cloudflare {{ cloudflare_api_token }}
|
||||
resolvers {{ caddy_dns_resolvers | join(' ') }}
|
||||
}
|
||||
{% elif caddy_tls_email %}
|
||||
# HTTP challenge for automatic TLS
|
||||
tls {{ caddy_tls_email }}
|
||||
{% endif %}
|
||||
{% else %}
|
||||
# TLS disabled
|
||||
{% endif %}
|
||||
|
||||
# Serve static content
|
||||
root * {{ caddy_default_site_root }}
|
||||
file_server
|
||||
|
||||
# Logging
|
||||
log {
|
||||
{% if caddy_log_format == "json" %}
|
||||
output file {{ caddy_log_dir }}/{{ caddy_domain | replace('.', '_') }}.log {
|
||||
roll_size 100mb
|
||||
roll_keep 5
|
||||
}
|
||||
format json {
|
||||
time_format "2006-01-02T15:04:05.000Z07:00"
|
||||
}
|
||||
level {{ caddy_log_level }}
|
||||
{% else %}
|
||||
output file {{ caddy_log_dir }}/{{ caddy_domain | replace('.', '_') }}.log {
|
||||
roll_size 100mb
|
||||
roll_keep 5
|
||||
}
|
||||
level {{ caddy_log_level }}
|
||||
{% endif %}
|
||||
}
|
||||
}
|
||||
|
||||
# Additional configured sites
|
||||
{% for site in caddy_sites %}
|
||||
{{ site.domain }}{% if site.port is defined %}:{{ site.port }}{% endif %} {
|
||||
{% if caddy_tls_enabled and site.tls != "off" %}
|
||||
{% if site.dns_challenge | default(false) and caddy_dns_provider == "cloudflare" and cloudflare_api_token %}
|
||||
# DNS challenge for this site (secure: direct variable substitution)
|
||||
tls {
|
||||
dns cloudflare {{ cloudflare_api_token }}
|
||||
resolvers {{ caddy_dns_resolvers | join(' ') }}
|
||||
}
|
||||
{% elif caddy_tls_email and site.tls != "off" %}
|
||||
# HTTP challenge for this site
|
||||
tls {{ caddy_tls_email }}
|
||||
{% endif %}
|
||||
{% elif site.tls == "off" %}
|
||||
# TLS explicitly disabled for this site
|
||||
tls off
|
||||
{% endif %}
|
||||
|
||||
{% if site.root is defined %}
|
||||
# Static file serving
|
||||
root * {{ site.root }}
|
||||
file_server
|
||||
{% endif %}
|
||||
|
||||
{% if site.backend is defined %}
|
||||
# Reverse proxy
|
||||
reverse_proxy {{ site.backend }} {
|
||||
# Standard proxy headers
|
||||
header_up Host {upstream_hostport}
|
||||
header_up X-Real-IP {remote_host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
header_up X-Forwarded-Proto {scheme}
|
||||
header_up X-Forwarded-Host {host}
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
# Logging for this site
|
||||
log {
|
||||
{% if caddy_log_format == "json" %}
|
||||
output file {{ caddy_log_dir }}/{{ site.domain | replace('.', '_') }}.log {
|
||||
roll_size 100mb
|
||||
roll_keep 5
|
||||
}
|
||||
format json {
|
||||
time_format "2006-01-02T15:04:05.000Z07:00"
|
||||
}
|
||||
level {{ caddy_log_level }}
|
||||
{% else %}
|
||||
output file {{ caddy_log_dir }}/{{ site.domain | replace('.', '_') }}.log {
|
||||
roll_size 100mb
|
||||
roll_keep 5
|
||||
}
|
||||
level {{ caddy_log_level }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% if site.extra_config is defined %}
|
||||
# Additional site configuration
|
||||
{{ site.extra_config | indent(4) }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% endfor %}
|
||||
|
||||
{% if caddy_tls_enabled %}
|
||||
# HTTP to HTTPS redirects
|
||||
http://{{ caddy_domain }} {
|
||||
redir https://{host}{uri} permanent
|
||||
}
|
||||
|
||||
{% for site in caddy_sites %}
|
||||
{% if site.tls != "off" %}
|
||||
http://{{ site.domain }} {
|
||||
redir https://{host}{uri} permanent
|
||||
}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
Reference in New Issue
Block a user