From 2008bd12aef36b7ede6f431da268aa0d42a5b158 Mon Sep 17 00:00:00 2001
From: Wilfried OLLIVIER
Date: Tue, 19 May 2020 21:26:04 +0200
Subject: [PATCH] Update to caddy2
---
 README.md | 2 +-
 defaults/main.yml | 6 ++---
 meta/main.yml | 2 +-
 tasks/main.yml | 14 +++-------
 templates/caddy.service.j2 | 4 +--
 templates/http.caddy.j2 | 51 ++++++++++++++------------------
 6 files changed, 28 insertions(+), 51 deletions(-)
diff --git a/README.md b/README.md
index 4f16fcc..eecbafe 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ Role Variables
 - caddy_email: email used to register ACME/Let's Encrypt stuff
 - caddy_update: yes/no - activate caddy updates
 - test_url: url used for the test page
-- test_https: should the test page use https
+- test_acme: should the test page use acme or internal HTTPS
 - test_name: name of the test
 - test_code: test page source code directory
 - test_www: yes/no - enable redirection from www. to .
diff --git a/defaults/main.yml b/defaults/main.yml
index a8d85ff..7034a25 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -6,11 +6,11 @@ caddy_logs: /var/log/caddy
 caddy_conf: /etc/caddy
 caddy_confd: /etc/caddy/conf.d
 caddy_www: /var/www/caddy
-caddy_email: none@none.com
-caddy_update: yes
 test_url: none.none
-test_https: no
+test_acme: no
 test_name: test
 test_code: /var/www/caddy/test
 test_www: no
+
+caddy_version: 2.0.0
diff --git a/meta/main.yml b/meta/main.yml
index aa1bd56..f359634 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,6 +1,6 @@
 galaxy_info:
 author: Wilfried OLLIVIER
- description: Install Caddy webserver on Debian
+ description: Install Caddy (2) webserver on Debian
 company: none
 license: WTFPL
diff --git a/tasks/main.yml b/tasks/main.yml
index f0fb92e..adaa31d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
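Review bot: README.md still documents `caddy_email` and `caddy_update` as role variables while this hunk deletes both from defaults/main.yml, so the README hunk should drop those two bullets as well. With `caddy_email` gone, nothing in the patch supplies an ACME account email for the `test_acme: yes` case any more; if that is intended, the README entry for `test_acme` should say so. Two smaller points: the new `test_acme: no` uses a YAML 1.1 truthy spelling where `false` is the portable form, and `caddy_version: 2.0.0` is safer written as `caddy_version: "2.0.0"` so a future two-component value like `2.10` is not parsed as the float 2.1 before it reaches the download URL.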
@@ -9,22 +9,14 @@
 shell=/bin/nologin
 tags: user
-- name: Get all Caddy releases
- get_url: url=https://api.github.com/repos/mholt/caddy/git/refs/tags
- dest={{ caddy_home }}/releases
- force=yes
- when: caddy_update
- register: caddy_releases_cache
-
 - name: Download new Caddy version or build
- get_url: url=https://caddyserver.com/download/linux/amd64?license=personal&telemetry=off
- dest=/tmp/caddy.tar.gz
+ get_url: url=https://github.com/caddyserver/caddy/releases/download/v{{ caddy_version }}/caddy_{{ caddy_version }}_linux_amd64.tar.gz
+ dest=/tmp/caddy_{{ caddy_version }}.tar.gz
 force=yes
- when: caddy_releases_cache.changed
 register: caddy_binary_cache
 - name: Extract new Caddy version or build
- unarchive: src=/tmp/caddy.tar.gz
+ unarchive: src=/tmp/caddy_{{ caddy_version }}.tar.gz
 dest=/usr/bin/
 copy=no
 when: caddy_binary_cache.changed
diff --git a/templates/caddy.service.j2 b/templates/caddy.service.j2
index 68d3770..514292d 100755
--- a/templates/caddy.service.j2
+++ b/templates/caddy.service.j2
@@ -8,8 +8,8 @@ After=network.target
 WorkingDirectory={{ caddy_home }}
 User=caddy
 LimitNOFILE=8192
-ExecStart=/usr/bin/caddy -agree=true -email={{ caddy_email }} -conf=/etc/caddy/Caddyfile
-ExecReload=/bin/kill -USR1 $MAINPID
+ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
+ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
 Restart=on-failure
 StartLimitInterval=600
 TimeoutStopSec=5s
diff --git a/templates/http.caddy.j2 b/templates/http.caddy.j2
index 9b79ac8..47698c7 100644
--- a/templates/http.caddy.j2
+++ b/templates/http.caddy.j2
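Review bot: The `get_url` in the `Download new Caddy version or build` task fetches the release tarball without any integrity check, and the following `unarchive` writes its contents straight into `/usr/bin/`, so a tampered, truncated or substituted download would be installed as the system `caddy` binary without any error. `get_url` supports `checksum: <algorithm>:<hash-or-url>`; pointing it at the published checksums for the pinned release (`checksum: "<ALGO>:<URL-OF-RELEASE-CHECKSUMS-FILE>"`, placeholder to fill in) makes the task fail closed before extraction. Since the release archive presumably contains more than the single binary, extracting into a staging directory and copying only `caddy` to `/usr/bin/` would also avoid dropping stray files into the system path. `force=yes` on the download is now redundant because the destination name carries the version, and the task still uses the `key=value` argument-string form rather than block YAML.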
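Review bot: The new `ExecStart` runs Caddy as `User=caddy`, but no `AmbientCapabilities=CAP_NET_BIND_SERVICE` is visible in the unit and nothing in the patch grants the extracted binary a file capability, so binding :80/:443 as the unprivileged user will presumably fail unless something outside this hunk handles it; adding `AmbientCapabilities=CAP_NET_BIND_SERVICE` and `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` to `[Service]` keeps the process unprivileged instead of inviting a switch to root. `--environ` writes the entire process environment to the journal on every start; harmless here, but a comment such as `# --environ logs the full environment at startup; do not pair it with an EnvironmentFile holding secrets` would stop that from becoming a credential leak later. The `[Unit]` section and the head of `[Service]` are outside the hunk.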
@@ -1,43 +1,28 @@
-{% if test_https %}
 {{ test_url }} {
-{% else %}
-http://{{ test_url }}
-{% endif %}
- {% if test_https %}
- header / {
- # Enable HTTP Strict Transport Security (HSTS) to force clients to always
- # connect via HTTPS (do not use if only testing)
- Strict-Transport-Security "max-age=31536000;"
- # Enable cross-site filter (XSS) and tell browser to block detected attacks
- X-XSS-Protection "1; mode=block"
- # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
- X-Content-Type-Options "nosniff"
- # Disallow the site to be rendered within a frame (clickjacking protection)
- X-Frame-Options "DENY"
- }
+ {% if test_acme %}
+header / {
+ # Enable HTTP Strict Transport Security (HSTS) to force clients to always
+ # connect via HTTPS (do not use if only testing)
+ Strict-Transport-Security "max-age=31536000;"
+ # Enable cross-site filter (XSS) and tell browser to block detected attacks
+ X-XSS-Protection "1; mode=block"
+ # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+ X-Content-Type-Options "nosniff"
+ # Disallow the site to be rendered within a frame (clickjacking protection)
+ X-Frame-Options "DENY"
+}
 {% else %}
- tls off
+tls internal
 {% endif %}
- log {{ caddy_logs }}/{{ test_name }}/access.log {
- rotate_size 100
- rotate_age 30
- rotate_keep 10
+ log {
+ output file {{ caddy_logs }}/{{ test_name }}/vhost.log
 }
- errors {{ caddy_logs }}/{{ test_name }}/errors.log {
- rotate_size 100
- rotate_age 30
- rotate_keep 10
- }
-
- root {{ test_code }}/
-
- gzip {
- ext .jpg
- level 9
- }
+ root * {{ test_code }}
+ file_server
+ encode zstd gzip
 }
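Review bot: In Caddy 2 a bare path matcher is an exact match, so `header / {` applies the HSTS, `X-Content-Type-Options` and `X-Frame-Options` headers only to requests for exactly `/` and leaves every other path of the test site without them; write `header {` (no matcher) or `header /* {` so the hardening covers the whole site. The same exact-match rule is why `root * {{ test_code }}` further down correctly uses `*`. As a point of style, `{% if test_acme %}` keeps its four-space indent while `header / {` and `tls internal` sit flush with the site block; the Caddyfile ignores the difference, but aligning the Jinja tags with their branches reads better. The site block opens and closes within the hunk.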