rick-infra/roles/caddy/templates/Caddyfile.j2

# Caddy configuration file
# Generated by Ansible - DO NOT EDIT MANUALLY

# Global configuration
{
    admin {{ caddy_admin_listen }}
    
    {% if caddy_tls_enabled and caddy_tls_email %}
    # ACME configuration for Let's Encrypt
    email {{ caddy_tls_email }}
    acme_ca {{ caddy_acme_ca }}
    {% endif %}
    
    {% if not caddy_auto_https %}
    auto_https off
    {% endif %}
}

# Primary domain: {{ caddy_domain }}
{{ caddy_domain }} {
    {% if caddy_tls_enabled %}
        {% if caddy_dns_provider == "cloudflare" and cloudflare_api_token %}
    # DNS challenge for automatic TLS (secure: no environment files)
    tls {
        dns cloudflare {{ cloudflare_api_token }}
        resolvers {{ caddy_dns_resolvers | join(' ') }}
    }
        {% elif caddy_tls_email %}
    # HTTP challenge for automatic TLS  
    tls {{ caddy_tls_email }}
        {% endif %}
    {% else %}
    # TLS disabled
    {% endif %}
    
    # Serve static content
    root * {{ caddy_default_site_root }}
    file_server
    
    # Logging
    log {
        {% if caddy_log_format == "json" %}
        output file {{ caddy_log_dir }}/{{ caddy_domain | replace('.', '_') }}.log {
            roll_size 100mb
            roll_keep 5
        }
        format json {
            time_format "2006-01-02T15:04:05.000Z07:00"
        }
        level {{ caddy_log_level }}
        {% else %}
        output file {{ caddy_log_dir }}/{{ caddy_domain | replace('.', '_') }}.log {
            roll_size 100mb
            roll_keep 5
        }
        level {{ caddy_log_level }}
        {% endif %}
    }
}

# Additional configured sites
{% for site in caddy_sites %}
{{ site.domain }}{% if site.port is defined %}:{{ site.port }}{% endif %} {
    {% if caddy_tls_enabled and site.tls != "off" %}
        {% if site.dns_challenge | default(false) and caddy_dns_provider == "cloudflare" and cloudflare_api_token %}
    # DNS challenge for this site (secure: direct variable substitution)
    tls {
        dns cloudflare {{ cloudflare_api_token }}
        resolvers {{ caddy_dns_resolvers | join(' ') }}
    }
        {% elif caddy_tls_email and site.tls != "off" %}
    # HTTP challenge for this site
    tls {{ caddy_tls_email }}
        {% endif %}
    {% elif site.tls == "off" %}
    # TLS explicitly disabled for this site
    tls off
    {% endif %}

    {% if site.root is defined %}
    # Static file serving
    root * {{ site.root }}
    file_server
    {% endif %}

    {% if site.backend is defined %}
    # Reverse proxy
    reverse_proxy {{ site.backend }} {
        # Standard proxy headers
        header_up Host {upstream_hostport}
        header_up X-Real-IP {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
        header_up X-Forwarded-Host {host}
    }
    {% endif %}

    # Logging for this site
    log {
        {% if caddy_log_format == "json" %}
        output file {{ caddy_log_dir }}/{{ site.domain | replace('.', '_') }}.log {
            roll_size 100mb
            roll_keep 5
        }
        format json {
            time_format "2006-01-02T15:04:05.000Z07:00"
        }
        level {{ caddy_log_level }}
        {% else %}
        output file {{ caddy_log_dir }}/{{ site.domain | replace('.', '_') }}.log {
            roll_size 100mb
            roll_keep 5
        }
        level {{ caddy_log_level }}
        {% endif %}
    }

    {% if site.extra_config is defined %}
    # Additional site configuration
    {{ site.extra_config | indent(4) }}
    {% endif %}
}

{% endfor %}

{% if caddy_tls_enabled %}
# HTTP to HTTPS redirects
http://{{ caddy_domain }} {
    redir https://{host}{uri} permanent
}

{% for site in caddy_sites %}
{% if site.tls != "off" %}
http://{{ site.domain }} {
    redir https://{host}{uri} permanent
}
{% endif %}
{% endfor %}
{% endif %}