Simplify Caddy infrastructure to use file-based configuration instead of complex API registration system
This commit is contained in:
@@ -3,24 +3,30 @@
|
||||
|
||||
# Global configuration
|
||||
{
|
||||
admin {{ caddy_admin_listen }}
|
||||
|
||||
{% if caddy_tls_enabled and caddy_tls_email %}
|
||||
# ACME configuration for Let's Encrypt
|
||||
email {{ caddy_tls_email }}
|
||||
acme_ca {{ caddy_acme_ca }}
|
||||
{% endif %}
|
||||
|
||||
{% if caddy_dns_provider == "cloudflare" and cloudflare_api_token %}
|
||||
# DNS challenge for wildcard certificates
|
||||
acme_dns cloudflare {{ cloudflare_api_token }}
|
||||
{% endif %}
|
||||
|
||||
{% if not caddy_auto_https %}
|
||||
auto_https off
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
# Import service configurations
|
||||
import {{ caddy_sites_enabled_dir }}/*
|
||||
|
||||
# Primary domain: {{ caddy_domain }}
|
||||
{{ caddy_domain }} {
|
||||
{% if caddy_tls_enabled %}
|
||||
{% if caddy_dns_provider == "cloudflare" and cloudflare_api_token %}
|
||||
# DNS challenge for automatic TLS (secure: no environment files)
|
||||
# DNS challenge for automatic TLS
|
||||
tls {
|
||||
dns cloudflare {{ cloudflare_api_token }}
|
||||
resolvers {{ caddy_dns_resolvers | join(' ') }}
|
||||
@@ -29,8 +35,6 @@
|
||||
# HTTP challenge for automatic TLS
|
||||
tls {{ caddy_tls_email }}
|
||||
{% endif %}
|
||||
{% else %}
|
||||
# TLS disabled
|
||||
{% endif %}
|
||||
|
||||
# Serve static content
|
||||
@@ -57,83 +61,3 @@
|
||||
{% endif %}
|
||||
}
|
||||
}
|
||||
|
||||
# Additional configured sites
|
||||
{% for site in caddy_sites %}
|
||||
{{ site.domain }}{% if site.port is defined %}:{{ site.port }}{% endif %} {
|
||||
{% if caddy_tls_enabled and site.tls != "off" %}
|
||||
{% if site.dns_challenge | default(false) and caddy_dns_provider == "cloudflare" and cloudflare_api_token %}
|
||||
# DNS challenge for this site (secure: direct variable substitution)
|
||||
tls {
|
||||
dns cloudflare {{ cloudflare_api_token }}
|
||||
resolvers {{ caddy_dns_resolvers | join(' ') }}
|
||||
}
|
||||
{% elif caddy_tls_email and site.tls != "off" %}
|
||||
# HTTP challenge for this site
|
||||
tls {{ caddy_tls_email }}
|
||||
{% endif %}
|
||||
{% elif site.tls == "off" %}
|
||||
# TLS explicitly disabled for this site
|
||||
tls off
|
||||
{% endif %}
|
||||
|
||||
{% if site.root is defined %}
|
||||
# Static file serving
|
||||
root * {{ site.root }}
|
||||
file_server
|
||||
{% endif %}
|
||||
|
||||
{% if site.backend is defined %}
|
||||
# Reverse proxy
|
||||
reverse_proxy {{ site.backend }} {
|
||||
# Standard proxy headers
|
||||
header_up Host {upstream_hostport}
|
||||
header_up X-Real-IP {remote_host}
|
||||
header_up X-Forwarded-For {remote_host}
|
||||
header_up X-Forwarded-Proto {scheme}
|
||||
header_up X-Forwarded-Host {host}
|
||||
}
|
||||
{% endif %}
|
||||
|
||||
# Logging for this site
|
||||
log {
|
||||
{% if caddy_log_format == "json" %}
|
||||
output file {{ caddy_log_dir }}/{{ site.domain | replace('.', '_') }}.log {
|
||||
roll_size 100mb
|
||||
roll_keep 5
|
||||
}
|
||||
format json {
|
||||
time_format "2006-01-02T15:04:05.000Z07:00"
|
||||
}
|
||||
level {{ caddy_log_level }}
|
||||
{% else %}
|
||||
output file {{ caddy_log_dir }}/{{ site.domain | replace('.', '_') }}.log {
|
||||
roll_size 100mb
|
||||
roll_keep 5
|
||||
}
|
||||
level {{ caddy_log_level }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% if site.extra_config is defined %}
|
||||
# Additional site configuration
|
||||
{{ site.extra_config | indent(4) }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
{% endfor %}
|
||||
|
||||
{% if caddy_tls_enabled %}
|
||||
# HTTP to HTTPS redirects
|
||||
http://{{ caddy_domain }} {
|
||||
redir https://{host}{uri} permanent
|
||||
}
|
||||
|
||||
{% for site in caddy_sites %}
|
||||
{% if site.tls != "off" %}
|
||||
http://{{ site.domain }} {
|
||||
redir https://{host}{uri} permanent
|
||||
}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
69
roles/caddy/templates/caddy.service.j2
Normal file
69
roles/caddy/templates/caddy.service.j2
Normal file
@@ -0,0 +1,69 @@
|
||||
# Custom Caddy systemd service file
|
||||
# Combines official Caddy service with enhanced security and API persistence
|
||||
# Generated by Ansible - DO NOT EDIT MANUALLY
|
||||
|
||||
[Unit]
|
||||
Description=Caddy web server
|
||||
Documentation=https://caddyserver.com/docs/
|
||||
After=network.target network-online.target
|
||||
Requires=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=notify
|
||||
User={{ caddy_user }}
|
||||
Group={{ caddy_user }}
|
||||
ExecStart=/usr/bin/caddy run --environ --config {{ caddy_config_file }}{% if caddy_api_enabled %} --resume{% endif %}
|
||||
|
||||
ExecReload=/usr/bin/caddy reload --config {{ caddy_config_file }} --force
|
||||
|
||||
{% if caddy_api_enabled %}
|
||||
# Wait for API to be ready before considering service started
|
||||
ExecStartPost=/bin/bash -c 'until curl -s http://{{ caddy_admin_listen }}/config/ >/dev/null 2>&1; do sleep 1; done'
|
||||
{% endif %}
|
||||
|
||||
# Standard settings from official service
|
||||
TimeoutStopSec=5s
|
||||
LimitNOFILE=1048576
|
||||
PrivateTmp=true
|
||||
|
||||
{% if caddy_systemd_security | default(true) %}
|
||||
# Enhanced security hardening
|
||||
NoNewPrivileges=true
|
||||
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
|
||||
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
|
||||
RemoveIPC=true
|
||||
|
||||
# Filesystem restrictions (upgrade from ProtectSystem=full)
|
||||
ProtectSystem=strict
|
||||
ProtectHome=true
|
||||
ReadWritePaths={{ caddy_data_dir }} {{ caddy_log_dir }}
|
||||
BindReadOnlyPaths={{ caddy_config_dir }}
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelLogs=true
|
||||
ProtectClock=true
|
||||
|
||||
# Network and namespace restrictions
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
|
||||
# Process restrictions
|
||||
LimitNPROC=1048576
|
||||
MemoryDenyWriteExecute=true
|
||||
SystemCallFilter=@system-service
|
||||
SystemCallErrorNumber=EPERM
|
||||
|
||||
# Logging (explicit configuration)
|
||||
StandardOutput=journal
|
||||
StandardError=journal
|
||||
SyslogIdentifier=caddy
|
||||
{% else %}
|
||||
# Standard security from official service
|
||||
ProtectSystem=full
|
||||
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
|
||||
{% endif %}
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
@@ -1,8 +1,13 @@
|
||||
[Service]
|
||||
# Reload configuration with --force flag for reliability
|
||||
ExecStart=
|
||||
ExecStart=/usr/bin/caddy run --config {{ caddy_config_file }} --resume
|
||||
|
||||
ExecReload=
|
||||
ExecReload=/usr/bin/caddy reload --config {{ caddy_config_file }} --force
|
||||
|
||||
# Wait for API to be ready before considering service started
|
||||
ExecStartPost=/bin/bash -c 'until curl -s http://{{ caddy_admin_listen }}/config/ >/dev/null 2>&1; do sleep 1; done'
|
||||
|
||||
{% if caddy_systemd_security | default(true) %}
|
||||
# Enhanced security hardening beyond base service
|
||||
NoNewPrivileges=true
|
||||
@@ -35,4 +40,4 @@ SystemCallErrorNumber=EPERM
|
||||
StandardOutput=journal
|
||||
StandardError=journal
|
||||
SyslogIdentifier=caddy
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
Reference in New Issue
Block a user