joakim/rick-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7788410bfc96374b5076218301657845667da945
rick-infra/roles/caddy/defaults/main.yml
Joakim 7788410bfc Complete production-ready Caddy infrastructure with security hardening 
- Add comprehensive Caddy role with HTTPS/TLS, DNS challenges, and systemd security
- Implement optimized systemd overrides with enhanced security restrictions
- Create detailed documentation with usage examples and variable references
- Establish proper Ansible configuration with vault integration
- Update site.yml for infrastructure orchestration with role-based deployment
- Add host-specific configuration structure for scalable multi-environment setup
2025-11-12 22:36:34 +01:00

96 lines
3.9 KiB
YAML
Raw Blame History

---
# =================================================================
# Caddy Web Server Role Configuration
# =================================================================
# This role provides a complete Caddy setup with automatic HTTPS
# Override these variables in host_vars/ for production deployment
# =================================================================
# Basic Installation Configuration
# =================================================================
caddy_version: "latest"
caddy_user: "caddy"
caddy_group: "caddy"
caddy_home: "/var/lib/caddy"
caddy_config_dir: "/etc/caddy"
caddy_data_dir: "/var/lib/caddy"
caddy_log_dir: "/var/log/caddy"
caddy_web_root: "/var/www"
caddy_default_site_root: "{{ caddy_web_root }}/default"
# =================================================================
# Service Configuration
# =================================================================
caddy_config_file: "/etc/caddy/Caddyfile" # Package default path
caddy_service_enabled: true
caddy_service_state: "started"
caddy_auto_https: true
caddy_admin_listen: "127.0.0.1:2019"
# =================================================================
# TLS/HTTPS Configuration
# =================================================================
# Enable automatic HTTPS with Let's Encrypt certificates
caddy_tls_enabled: false # Set to true to enable HTTPS
caddy_tls_email: "" # Required for Let's Encrypt (e.g., "admin@example.com")
caddy_domain: "localhost" # Primary domain to serve
# ACME Certificate Authority settings
caddy_acme_ca: "https://acme-v02.api.letsencrypt.org/directory" # Production CA
# caddy_acme_ca: "https://acme-staging-v02.api.letsencrypt.org/directory" # Staging for testing
# =================================================================
# DNS Challenge Configuration (for wildcard certificates)
# =================================================================
# DNS challenge allows wildcard certificates and works behind firewalls
caddy_dns_provider: "" # Set to "cloudflare" for Cloudflare DNS challenge
cloudflare_api_token: "" # Cloudflare API token (override in host_vars with vault reference)
# DNS challenge settings
caddy_dns_resolvers: # DNS resolvers for challenge verification
- "1.1.1.1:53"
- "1.0.0.1:53"
caddy_dns_propagation_timeout: 120 # Seconds to wait for DNS propagation
# =================================================================
# Sites Configuration
# =================================================================
# Define additional sites/domains to serve
caddy_sites: []
# Example configurations:
# caddy_sites:
# # Static file serving
# - domain: "static.example.com"
# root: "/var/www/static"
# dns_challenge: true # Use DNS challenge for this domain
#
# # Reverse proxy to backend service
# - domain: "api.example.com"
# backend: "localhost:8080"
# dns_challenge: true
# extra_config: |
# header_up Host {upstream_hostport}
# header_up X-Real-IP {remote_host}
#
# # Simple HTTP-only site
# - domain: "internal.example.com"
# root: "/var/www/internal"
# tls: "off"
# =================================================================
# Security & Network Configuration
# =================================================================
# Firewall ports to open automatically
caddy_firewall_ports:
- 80 # HTTP (for redirects and ACME challenges)
- 443 # HTTPS (for TLS traffic)
# =================================================================
# Advanced Configuration
# =================================================================
# Systemd service customization
caddy_systemd_security: true # Enable systemd security restrictions
caddy_log_level: "INFO" # Logging level (ERROR, WARN, INFO, DEBUG)
caddy_log_format: "common" # Log format (common, json)
Reference in New Issue View Git Blame Copy Permalink