Update to caddy2

Wilfried OLLIVIER 2020-05-19 21:26:04 +02:00
parent 7a35f631f2
commit 2008bd12ae
6 changed files with 28 additions and 51 deletions


@ -19,7 +19,7 @@ Role Variables
- caddy_email: email used to register ACME/Let's Encrypt stuff - caddy_email: email used to register ACME/Let's Encrypt stuff
- caddy_update: yes/no - activate caddy updates - caddy_update: yes/no - activate caddy updates
- test_url: url used for the test page - test_url: url used for the test page
- test_https: should the test page use https - test_acme: should the test page use acme or internal HTTPS
- test_name: name of the test - test_name: name of the test
- test_code: test page source code directory - test_code: test page source code directory
- test_www: yes/no - enable redirection from www. to . - test_www: yes/no - enable redirection from www. to .


@ -6,11 +6,11 @@ caddy_logs: /var/log/caddy
caddy_conf: /etc/caddy caddy_conf: /etc/caddy
caddy_confd: /etc/caddy/conf.d caddy_confd: /etc/caddy/conf.d
caddy_www: /var/www/caddy caddy_www: /var/www/caddy
caddy_email: none@none.com
caddy_update: yes
test_url: none.none test_url: none.none
test_https: no test_acme: no
test_name: test test_name: test
test_code: /var/www/caddy/test test_code: /var/www/caddy/test
test_www: no test_www: no
caddy_version: 2.0.0
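Review bot: The defaults drop `caddy_email` and `caddy_update` while the README hunk in this same commit still lists both under Role Variables, so the documented interface no longer matches what the role reads; either keep the two variables here or remove them from the README. On the kept lines, `test_acme: no` relies on YAML 1.1 truthy parsing and `caddy_version: 2.0.0` is a plain scalar that only happens not to look numeric; `test_acme: false` and `caddy_version: "2.0.0"` are the robust spellings, the latter mattering the first time someone sets a value like `2.1`. The ACME registration address that `caddy_email` used to feed to the Caddy 1 command line now has no consumer visible in this commit; if ACME registration still needs it, it belongs in the Caddyfile's global options block as `email`.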


@ -1,6 +1,6 @@
galaxy_info: galaxy_info:
author: Wilfried OLLIVIER author: Wilfried OLLIVIER
description: Install Caddy webserver on Debian description: Install Caddy (2) webserver on Debian
company: none company: none
license: WTFPL license: WTFPL


@ -9,22 +9,14 @@
shell=/bin/nologin shell=/bin/nologin
tags: user tags: user
- name: Get all Caddy releases
get_url: url=https://api.github.com/repos/mholt/caddy/git/refs/tags
dest={{ caddy_home }}/releases
force=yes
when: caddy_update
register: caddy_releases_cache
- name: Download new Caddy version or build - name: Download new Caddy version or build
get_url: url=https://caddyserver.com/download/linux/amd64?license=personal&telemetry=off get_url: url=https://github.com/caddyserver/caddy/releases/download/v{{ caddy_version }}/caddy_{{ caddy_version }}_linux_amd64.tar.gz
dest=/tmp/caddy.tar.gz dest=/tmp/caddy_{{ caddy_version }}.tar.gz
force=yes force=yes
when: caddy_releases_cache.changed
register: caddy_binary_cache register: caddy_binary_cache
- name: Extract new Caddy version or build - name: Extract new Caddy version or build
unarchive: src=/tmp/caddy.tar.gz unarchive: src=/tmp/caddy_{{ caddy_version }}.tar.gz
dest=/usr/bin/ dest=/usr/bin/
copy=no copy=no
when: caddy_binary_cache.changed when: caddy_binary_cache.changed
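Review bot: The new `get_url` in the download task fetches a release tarball that the next task unpacks straight into `/usr/bin/`, but no `checksum=` is given, so a tampered or truncated archive would be installed with no integrity check; with the version now pinned, add `checksum=sha256:<SHA256_OF_RELEASE_TARBALL>` (placeholder, taken from the release's published checksums file) to the `get_url` arguments. `force=yes` is carried over from the Caddy 1 task, where the URL was unversioned; with a versioned filename it re-downloads on every run and, because the extract task is gated on `caddy_binary_cache.changed`, re-extracts on every run too, so dropping `force=yes` restores idempotence. Both tasks still use `key=value` module arguments rather than block YAML, which is what makes the long URL line hard to read and diff; and with the `caddy_update` gate removed, that variable no longer controls anything here if it is still defined elsewhere. The preceding user task begins outside the hunk.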


@ -8,8 +8,8 @@ After=network.target
WorkingDirectory={{ caddy_home }} WorkingDirectory={{ caddy_home }}
User=caddy User=caddy
LimitNOFILE=8192 LimitNOFILE=8192
ExecStart=/usr/bin/caddy -agree=true -email={{ caddy_email }} -conf=/etc/caddy/Caddyfile ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/bin/kill -USR1 $MAINPID ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
Restart=on-failure Restart=on-failure
StartLimitInterval=600 StartLimitInterval=600
TimeoutStopSec=5s TimeoutStopSec=5s
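Review bot: `ExecStart` now runs `caddy run --environ`, which makes Caddy print its entire process environment to stdout (and so to the journal) at startup; if any `Environment=` or `EnvironmentFile=` line in this unit carries credentials (the rest of the `[Service]` section is outside the hunk), they end up in the log, so drop `--environ` unless that dump is wanted for debugging. The unit runs as `User=caddy`, and Caddy 2 binding ports 80/443 as an unprivileged user needs `AmbientCapabilities=CAP_NET_BIND_SERVICE` unless the binary is granted the capability some other way; nothing in this hunk or in the task hunk sets it, so the service may fail at bind time — worth confirming on a fresh host. The new `ExecReload` line is the right replacement for the old `USR1` signal, since Caddy 2 reloads through its admin API rather than signals.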


@ -1,43 +1,28 @@
{% if test_https %}
{{ test_url }} { {{ test_url }} {
{% else %}
http://{{ test_url }}
{% endif %}
{% if test_https %} {% if test_acme %}
header / { header / {
# Enable HTTP Strict Transport Security (HSTS) to force clients to always # Enable HTTP Strict Transport Security (HSTS) to force clients to always
# connect via HTTPS (do not use if only testing) # connect via HTTPS (do not use if only testing)
Strict-Transport-Security "max-age=31536000;" Strict-Transport-Security "max-age=31536000;"
# Enable cross-site filter (XSS) and tell browser to block detected attacks # Enable cross-site filter (XSS) and tell browser to block detected attacks
X-XSS-Protection "1; mode=block" X-XSS-Protection "1; mode=block"
# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
X-Content-Type-Options "nosniff" X-Content-Type-Options "nosniff"
# Disallow the site to be rendered within a frame (clickjacking protection) # Disallow the site to be rendered within a frame (clickjacking protection)
X-Frame-Options "DENY" X-Frame-Options "DENY"
} }
{% else %} {% else %}
tls off tls internal
{% endif %} {% endif %}
log {{ caddy_logs }}/{{ test_name }}/access.log { log {
rotate_size 100 output file {{ caddy_logs }}/{{ test_name }}/vhost.log
rotate_age 30
rotate_keep 10
} }
errors {{ caddy_logs }}/{{ test_name }}/errors.log { root * {{ test_code }}
rotate_size 100 file_server
rotate_age 30 encode zstd gzip
rotate_keep 10
}
root {{ test_code }}/
gzip {
ext .jpg
level 9
}
} }
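Review bot: `header / {` keeps the Caddy 1 path form, but in Caddy 2 a path matcher is exact, so `/` matches only the bare root request and the HSTS, `X-Content-Type-Options` and `X-Frame-Options` headers are not sent on any other path; write `header {` (or `header /* {`) so the block applies site-wide. `X-XSS-Protection "1; mode=block"` is carried over unchanged; current guidance treats that header as deprecated and, where it is set at all, `0` is the safer value, so consider updating or dropping it while this block is being touched. The `{% else %}` branch's `tls internal` is appropriate for the non-ACME case, but when `test_acme` is true no ACME contact address is configured anywhere in this commit now that the `-email` flag is gone from the unit; an `email` entry in a global options block at the top of the template would restore it.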