hosting/cloudserve-infrastructure
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Separate caddy container id grabbing into own role

Browse source 
Since other roles often rely on this not an actual new caddy server
installation we should probably have it as its own little role.
This commit is contained in:
Marty Oehme 2023-12-08 20:35:51 +01:00
parent a52cab2f61
commit 388a1d8cfc
Signed by: Marty
GPG key ID: EDBF2ED917B2EF6A
8 changed files with 246 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

42
roles/caddy/tasks/main.yml
View file

@ -5,9 +5,9 @@
ansible.builtin.file:
path: "{{ caddy_caddyfile_dir }}"
state: directory
mode: '0755'
mode: "0755"
become: true
tags:
tags:
- fs
- name: Ensure Caddyfile exists
@ -30,44 +30,6 @@
become: true
tags:
- docker-swarm
- name: Get caddy container info
ansible.builtin.command:
cmd: docker ps -q -f name={{ caddy_stack.name }}
become: true
# bringing up the container takes some time, we have to wait
until: caddy_container_info['rc'] == 0 and caddy_container_info['stdout'] | length >= 1
retries: 5
delay: 10
changed_when: False
register: caddy_container_info
- name: Register caddy container id
ansible.builtin.set_fact: caddy_container_id={{ caddy_container_info['stdout'] }}
notify:
- debug caddy container
# FIXME this should be taken care of in Dockerfile not here
- name: Ensure caddy curl available
community.docker.docker_container_exec:
container: "{{ caddy_container_id }}"
command: >
apk add curl
become: true
register: result
changed_when: "'Installing' in result.stdout"
- name: Ensure caddy api is responsive
community.docker.docker_container_exec:
container: "{{ caddy_container_id }}"
command: >
curl localhost:2019/config/
become: true
until: result.rc == 0
when: caddy_use_api == True
changed_when: False
register: result
# TODO FIXME UP
# - name: Allow access to services
# firewalld:

84
roles/caddy_id/README.md Normal file
View file

@ -0,0 +1,84 @@
# Caddy
Caddy is the reverse proxy for all other services running on the infrastructure.
It was chosen for its relative ease of use,
interactible API and https-by-default setup.
## Variables
```
caddy_caddyfile_dir: "{{ docker_stack_files_dir }}/caddy"
```
Sets up the on-target directory where important caddy files should be stored.
```
caddy_email: <your@email.here>
```
Which e-mail should be used to provision https certificates with. I believe theoretically caddy will work and provision you with certificates even without providing an e-mail, but I would strongly urge providing one.
```
caddy_tls_use_staging: no
```
If turned on will use the staging servers of the acme certificate service, which is useful for testing and playing around with https (due to higher API limits and less severe restrictions).
```
caddy_use_api: yes
```
If turned off, will turn off the admin api for caddy. Should only be used if no other services are intended to be provisioned on the target, since most other service stacks rely on the API to set up their proxy targets.
```
caddy_use_debug: no
```
If true, will turn on caddy's debug logging.
```
caddy_use_https: yes
```
If turned off will turn of all auto-provisioning of https certificates by caddy.
```
caddy_version: alpine
```
Sets the docker image version to be used.
## Internal variables
```yaml
caddy_stack:
name: caddy
compose: "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}"
```
Defines the actual docker stack which will later run on the target.
The name can be changed and will be used as a proxy target (`caddy.mydomain.com` or `192.168.1.1/caddy`) ---
though to be clear there is no intention currently to expose the caddy to the web at the moment.\
The compose option defines which template to use for the `docker-stack.yml` file. You can either change options for the stack in the template file,
or directly here like the following:
```yaml
compose:
- "{{ lookup('template', 'docker-stack.yml.j2') | from_yaml }}"
- version: '3'
services:
another-container:
image: nginx:latest
# ...
```
```yaml
caddy_http_server_name: http
```
```yaml
caddy_https_server_name: https
```
The internal representation of the http and https servers respectively.

5
roles/caddy_id/meta/main.yml Normal file
View file

@ -0,0 +1,5 @@
---
dependencies:
- docker
- docker-swarm

39
roles/caddy_id/tasks/main.yml Normal file
View file

@ -0,0 +1,39 @@
---
# get the caddy container id for all other containers
- name: Get caddy container info
ansible.builtin.command:
cmd: docker ps -q -f name={{ caddy_stack.name }}
become: true
# bringing up the container takes some time, we have to wait
until: caddy_container_info['rc'] | default('') == 0 and caddy_container_info['stdout'] | length >= 1
retries: 5
delay: 10
changed_when: False
register: caddy_container_info
- name: Register caddy container id
ansible.builtin.set_fact: caddy_container_id={{ caddy_container_info['stdout'] }}
notify:
- debug caddy container
# FIXME this should be taken care of in Dockerfile not here
- name: Ensure caddy curl available
community.docker.docker_container_exec:
container: "{{ caddy_container_id }}"
command: >
apk add curl
become: true
register: result
changed_when: "'Installing' in result.stdout"
- name: Ensure caddy api is responsive
community.docker.docker_container_exec:
container: "{{ caddy_container_id }}"
command: >
curl localhost:2019/config/
become: true
until: result.rc | default('') == 0
when: caddy_use_api == True
changed_when: False
register: result

72
roles/caddy_id/templates/config.json.j2 Normal file
View file

@ -0,0 +1,72 @@
{
{% if caddy_use_api is sameas false %}
"admin": {
"disabled": true
},
{% endif %}
{% if caddy_use_debug is sameas true %}
"logging": {
"logs": {
"default": {
"level": "DEBUG"
}
}
},
{% endif %}
"apps": {
"http": {
"servers": {
"{{ caddy_http_server_name }}": {
"listen": [
":80"
],
"routes": []
{% if caddy_use_https is sameas false %},
"automatic_https": {
"disable": true
}
{% endif %}
},
"{{ caddy_https_server_name }}": {
"listen": [
":443"
],
"routes": []
{% if caddy_use_https is sameas false %},
"automatic_https": {
"disable": true
}
{% endif %}
}
}
}
{% if caddy_use_https is sameas true %},
"tls": {
"automation": {
"policies": [
{
"subjects": [],
"issuers": [
{
{% if caddy_tls_use_staging is sameas true %}
"ca": "https://acme-staging-v02.api.letsencrypt.org/directory",
{% endif %}
{%- if caddy_email is not undefined and not none %}
"email": "{{ caddy_email }}",
{% endif %}
"module": "acme"
},
{
{%- if caddy_email is not undefined and not none %}
"email": "{{ caddy_email }}",
{% endif %}
"module": "zerossl"
}
]
}
]
}
}
{% endif %}
}
}

30
roles/caddy_id/templates/docker-stack.yml.j2 Normal file
View file

@ -0,0 +1,30 @@
version: "3.7"
services:
app:
image: caddy:{{ caddy_version }}
command: caddy run --config /etc/caddy/config.json
healthcheck:
test: ["CMD", "wget", "--quiet", "--spider", "--tries=1", "http://localhost:2019/metrics"]
interval: 1m
timeout: 10s
retries: 3
start_period: 1m
ports:
- "80:80"
- "443:443"
volumes:
- "{{ caddy_caddyfile_dir }}:/etc/caddy"
- "{{ docker_stack_files_dir }}:/stacks:ro"
- data:/data
- config:/config
networks:
- "{{ docker_swarm_public_network_name }}"
volumes:
data:
config:
networks:
"{{ docker_swarm_public_network_name }}":
external: true

5
roles/caddy_id/vars/main.yml Normal file
View file

@ -0,0 +1,5 @@
---
caddy_stack:
name: caddy
caddy_use_api: yes # if no turns off api interface; it is *required* for other swarm roles to be routed

10
site.yml
View file

@ -21,7 +21,15 @@
- name: Install caddy reverse proxy
import_role:
role: caddy
tags: caddy
tags:
- caddy
- name: Grab caddy container id for all following services
import_role:
role: caddy_id
tags:
- caddy_id
- always
- name: Install wallabag
import_role: