From 91b6cd5a2e50b9d79219fc783694f47b4f820032 Mon Sep 17 00:00:00 2001 From: Wilfried OLLIVIER Date: Fri, 1 Feb 2019 15:22:04 +0100 Subject: [PATCH] Bootstrap caddy role --- LICENCE | 13 ++++++ README.md | 47 +++++++++++++++++++++ defaults/main.yml | 16 +++++++ files/test.html | 31 ++++++++++++++ handlers/main.yml | 13 ++++++ meta/main.yml | 15 +++++++ tasks/main.yml | 85 ++++++++++++++++++++++++++++++++++++++ templates/caddy.service.j2 | 17 ++++++++ templates/caddyfile.j2 | 1 + templates/http.caddy.j2 | 44 ++++++++++++++++++++ tests/inventory | 1 + tests/test.yml | 5 +++ 12 files changed, 288 insertions(+) create mode 100644 LICENCE create mode 100644 README.md create mode 100644 defaults/main.yml create mode 100644 files/test.html create mode 100644 handlers/main.yml create mode 100644 meta/main.yml create mode 100644 tasks/main.yml create mode 100755 templates/caddy.service.j2 create mode 100755 templates/caddyfile.j2 create mode 100644 templates/http.caddy.j2 create mode 100644 tests/inventory create mode 100644 tests/test.yml diff --git a/LICENCE b/LICENCE new file mode 100644 index 0000000..5568253 --- /dev/null +++ b/LICENCE @@ -0,0 +1,13 @@ + DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE + Version 2, December 2004 + + Copyright (C) 2019 Wilfried OLLIVIER + + Everyone is permitted to copy and distribute verbatim or modified + copies of this license document, and changing it is allowed as long + as the name is changed. + + DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. You just DO WHAT THE FUCK YOU WANT TO. diff --git a/README.md b/README.md new file mode 100644 index 0000000..d3f60f5 --- /dev/null +++ b/README.md 
@@ -0,0 +1,47 @@
+galaxy-caddy
+============
+
+Install and update Caddy webserver on Debian
+
+Requirements
+------------
+
+None
+
+Role Variables
+--------------
+
+- caddy_home: home of caddy user
+- caddy_logs: logs directory
+- caddy_conf: conf directory
+- caddy_confd: confd directory
+- caddy_www: directory used to store websites sources
+- caddy_email: email used to register ACME/Let's Encrypt stuff
+- caddy_update: yes/no - activate caddy updates
+
+- test_url: url used for the test page
+- test_https: should the test page use https
+- test_name: name of the test
+- test_code: test page source code directory
+- test_www: yes/no - enable redirection from www. to .
+
+Dependencies
+------------
+
+None
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: galaxy-caddy, test_url: test.io }
+
+Run tests
+---------
+
+Ensure galaxy-vagrant is up
+
+ ansible-playbook -i tests/inventory tests/test.yml
\ No newline at end of file
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..db9e60c
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,16 @@
+---
+# defaults file for galaxy-caddy
+
+caddy_home: /srv/caddy
+caddy_logs: /srv/caddy/logs
+caddy_conf: /etc/caddy
+caddy_confd: /etc/caddy/conf.d
+caddy_www: /var/www/caddy
+caddy_email: none@none.com
+caddy_update: yes
+
+test_url: none.none
+test_https: no
+test_name: test
+test_code: /var/www/caddy/test
+test_www: no
\ No newline at end of file
diff --git a/files/test.html b/files/test.html
new file mode 100644
index 0000000..6fb4110
--- /dev/null
+++ b/files/test.html
@@ -0,0 +1,31 @@
+
+ Awo !
+
+
+
+
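Review bot: `caddy_logs` and `test_code` are fixed strings that duplicate `caddy_home`/`caddy_www` instead of deriving from them, so overriding `caddy_home` or `caddy_www` silently splits the role: tasks/main.yml creates `{{ caddy_home }}/logs/test` while the site template logs to `{{ caddy_logs }}/{{ test_name }}/access.log`, and `test_name` is likewise not used when the directory is created. Make them follow the parent: `caddy_logs: "{{ caddy_home }}/logs"` and `test_code: "{{ caddy_www }}/test"`. `caddy_email: none@none.com` is also a risky default because the unit passes `-agree=true` with it, so turning on `test_https` without setting an email registers an ACME account against a bogus address and auto-accepts the CA terms; prefer no default, or an `assert` in tasks that fails when `test_https` is true and `caddy_email` is still the placeholder. `caddy_update: yes` as the default means every run may replace `/usr/bin/caddy` with whatever the download endpoint currently serves, which without a pinned version and checksum in the download task is a supply-chain exposure; consider defaulting it to `no`.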
+    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+    @@@@@@@@@@@@@@@@@@@@@@@'~~~     ~~~`@@@@@@@@@@@@@@@@@@@@@@@@@
+    @@@@@@@@@@@@@@@@@@'                     `@@@@@@@@@@@@@@@@@@@@
+    @@@@@@@@@@@@@@@'                           `@@@@@@@@@@@@@@@@@
+    @@@@@@@@@@@@@'                               `@@@@@@@@@@@@@@@
+    @@@@@@@@@@@'                                   `@@@@@@@@@@@@@
+    @@@@@@@@@@'                                     `@@@@@@@@@@@@
+    @@@@@@@@@'                                       `@@@@@@@@@@@
+    @@@@@@@@@                                         @@@@@@@@@@@
+    @@@@@@@@'                      n,                 `@@@@@@@@@@
+    @@@@@@@@                     _/ | _                @@@@@@@@@@
+    @@@@@@@@                    /'  `'/                @@@@@@@@@@
+    @@@@@@@@a                 <~    .'                a@@@@@@@@@@
+    @@@@@@@@@                 .'    |                 @@@@@@@@@@@
+    @@@@@@@@@a              _/      |                a@@@@@@@@@@@
+    @@@@@@@@@@a           _/      `.`.              a@@@@@@@@@@@@
+    @@@@@@@@@@@a     ____/ '   \__ | |______       a@@@@@@@@@@@@@
+    @@@@@@@@@@@@@a__/___/      /__\ \ \     \___.a@@@@@@@@@@@@@@@
+    @@@@@@@@@@@@@/  (___.'\_______)\_|_|        \@@@@@@@@@@@@@@@@
+    @@@@@@@@@@@@|\________                       ~~~~~\@@@@@@@@@@
+
+
+
+
+
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..9d82f04
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+# handlers file for galaxy-caddy
+
+- name: start caddy
+ service: name=caddy
+ state=started
+ enabled=yes
+ daemon_reload=yes
+
+- name: restart caddy
+ service: name=caddy
+ state=restarted
+ enabled=yes
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..a4e2db7
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,15 @@
+galaxy_info:
+ author: Wilfried OLLIVIER
+ description: Install Caddy webserver on Debian
+ company: none
+
+ license: WTFPL
+
+ min_ansible_version: 2.4
+
+ galaxy_tags:
+ - caddy
+ - debian
+ - webserver
+
+dependencies: []
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..c010ab4
--- /dev/null
+++ b/tasks/main.yml
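Review bot: `restart caddy` does not pass `daemon_reload=yes`, and the unit-file task in tasks/main.yml notifies only `start caddy`, so on a host where Caddy is already running a changed `caddy.service` (for example a new `caddy_email` in `ExecStart`) is reloaded into systemd but never applied to the process, because `state=started` is a no-op for a running service. Add `daemon_reload=yes` to `restart caddy` and have the unit task notify that handler. Config changes are applied with `state=restarted`, which drops in-flight connections even though the unit defines `ExecReload=/bin/kill -USR1 $MAINPID`; a `reload caddy` handler with `state=reloaded` would be the gentler choice for Caddyfile changes. Note that `daemon_reload` is an option of the `systemd` module; it presumably works through `service` only because the action plugin hands off to `systemd` on systemd hosts — worth confirming on Ansible 2.4.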
@@ -0,0 +1,85 @@
+---
+# tasks file for galaxy-caddy
+
+- name: Create Caddy user
+ user: name=caddy
+ system=yes
+ createhome=yes
+ home={{ caddy_home }}
+ shell=/bin/nologin
+ tags: user
+
+- name: Get all Caddy releases
+ get_url: url=https://api.github.com/repos/mholt/caddy/git/refs/tags
+ dest={{ caddy_home }}/releases
+ force=yes
+ when: caddy_update
+ register: caddy_releases_cache
+
+- name: Download new Caddy version or build
+ get_url: url=https://caddyserver.com/download/linux/amd64?license=personal
+ dest=/tmp/caddy.tar.gz
+ force=yes
+ when: caddy_releases_cache.changed
+ register: caddy_binary_cache
+
+- name: Extract new Caddy version or build
+ unarchive: src=/tmp/caddy.tar.gz
+ dest=/usr/bin/
+ copy=no
+ when: caddy_binary_cache.changed
+
+- name: Ensure setcap bin
+ apt: name=libcap2-bin
+ state=present
+
+- name: Check if the binary can bind to TCP port <1024
+ shell: getcap /usr/bin/caddy | grep cap_net_bind_service
+ failed_when: False
+ changed_when: False
+ register: caddy_bind_cap
+
+- name: Set capability on the binary file to be able to bind to TCP port <1024
+ command: setcap cap_net_bind_service=+ep /usr/bin/caddy
+ when: caddy_bind_cap.rc > 0
+
+- name: Create caddy needed directories
+ file: path={{ item }}
+ state=directory
+ owner=caddy
+ with_items:
+ - "{{ caddy_conf }}"
+ - "{{ caddy_confd }}"
+ - "{{ caddy_home }}/logs"
+ - "{{ caddy_www }}"
+
+- name: Caddyfile
+ template: src=caddyfile.j2
+ dest={{ caddy_conf }}/Caddyfile
+ notify: restart caddy
+
+- name: Push vhost test page caddy config
+ template: src=http.caddy.j2
+ dest={{ caddy_confd }}/test.caddy
+ notify: restart caddy
+
+- name: Create test www dir
+ file: path={{ caddy_www }}/test
+ state=directory
+ owner=caddy
+ group=caddy
+
+- name: Push test page source
+ copy: src=test.html
+ dest={{ caddy_www }}/test/index.html
+
+- name: Create Test page logs dir
+ file: path={{ caddy_home }}/logs/test
+ state=directory
+ owner=caddy
+
+- name: Systemd service
+ template:
src=caddy.service.j2
+ dest=/etc/systemd/system/caddy.service
+ notify:
+ - start caddy
diff --git a/templates/caddy.service.j2 b/templates/caddy.service.j2
new file mode 100755
index 0000000..0fab5c4
--- /dev/null
+++ b/templates/caddy.service.j2
@@ -0,0 +1,17 @@
+[Unit]
+Description=Caddy HTTP/2 web server
+Documentation=https://caddyserver.com/docs
+After=network.target
+
+[Service]
+WorkingDirectory={{ caddy_home }}
+User=caddy
+LimitNOFILE=8192
+PIDFile={{ caddy_home }}/caddy.pid
+ExecStart=/usr/bin/caddy -agree=true -email={{ caddy_email }} -conf=/etc/caddy/Caddyfile -pidfile={{ caddy_home }}/caddy.pid
+ExecReload=/bin/kill -USR1 $MAINPID
+Restart=on-failure
+StartLimitInterval=600
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/caddyfile.j2 b/templates/caddyfile.j2
new file mode 100755
index 0000000..8f097d9
--- /dev/null
+++ b/templates/caddyfile.j2
@@ -0,0 +1 @@
+import {{ caddy_confd }}/*
diff --git a/templates/http.caddy.j2 b/templates/http.caddy.j2
new file mode 100644
index 0000000..61b46b3
--- /dev/null
+++ b/templates/http.caddy.j2
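Review bot: The Caddy binary is fetched unpinned from `https://caddyserver.com/download/linux/amd64?license=personal` and unpacked straight into `/usr/bin/` with no checksum, so whatever that endpoint serves at run time becomes a root-installed binary that the next tasks mark `cap_net_bind_service=+ep`; `unarchive dest=/usr/bin/` also drops everything else in the tarball (README, licence text, init scripts, as far as I recall the v1 tarball layout) into `/usr/bin/`, and `/tmp/caddy.tar.gz` is a predictable path in a world-writable directory. Pin a release version and its SHA-256 (`caddy_version`/`caddy_checksum`/`caddy_download_url` in defaults), pass `checksum: "sha256:{{ caddy_checksum }}"` to `get_url`, unpack into a root-owned staging directory and copy only the `caddy` executable, root-owned 0755, notifying a restart; updating then means bumping two variables rather than polling the GitHub tags API. Separately, the "Create caddy needed directories" task makes `{{ caddy_conf }}` and `{{ caddy_confd }}` owned by the `caddy` service user, which lets a compromised Caddy process rewrite its own `Caddyfile` and anything under the `conf.d/*` import; keep those root-owned and only group-readable by caddy (and give the two `template` tasks `owner=root group=caddy mode=0640`), reserving `owner=caddy` for the logs and www directories. Also `shell=/bin/nologin` does not exist on Debian, where the binary is `/usr/sbin/nologin`, so the account ends up with an invalid shell rather than a deliberate nologin — worth confirming on the target image.

```yaml
# … unchanged: Create Caddy user …

- name: Download pinned Caddy release
  get_url:
    url: "{{ caddy_download_url }}"          # versioned release asset, not the "latest" endpoint
    dest: /usr/local/src/caddy-{{ caddy_version }}.tar.gz
    checksum: "sha256:{{ caddy_checksum }}"  # fail closed on tampering or an unexpected upstream rebuild
    owner: root
    group: root
    mode: 0644
  register: caddy_binary_cache

- name: Unpack into a root-owned staging directory
  unarchive:
    src: /usr/local/src/caddy-{{ caddy_version }}.tar.gz
    dest: /usr/local/src/caddy-{{ caddy_version }}   # create with file: state=directory mode=0700 beforehand
    remote_src: yes
  when: caddy_binary_cache.changed

- name: Install only the caddy executable
  copy:
    src: /usr/local/src/caddy-{{ caddy_version }}/caddy
    dest: /usr/bin/caddy
    remote_src: yes
    owner: root
    group: root
    mode: 0755
  when: caddy_binary_cache.changed
  notify: restart caddy

# … unchanged: libcap2-bin / getcap / setcap tasks …

- name: Create caddy needed directories
  file:
    path: "{{ item.path }}"
    state: directory
    owner: "{{ item.owner }}"
    group: caddy
    mode: "{{ item.mode }}"
  with_items:
    - { path: "{{ caddy_conf }}",      owner: root,  mode: "0750" }   # config: root writes, caddy only reads
    - { path: "{{ caddy_confd }}",     owner: root,  mode: "0750" }
    - { path: "{{ caddy_home }}/logs", owner: caddy, mode: "0750" }
    - { path: "{{ caddy_www }}",       owner: caddy, mode: "0755" }

# … unchanged: Caddyfile, test vhost, test www dir, test page, logs dir, systemd service …
```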
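Review bot: The unit runs Caddy without any of the sandboxing directives and relies on the file capability applied by the separate `setcap` tasks instead of granting the capability in the unit itself, so the privilege is tied to the binary on disk and silently lost whenever `/usr/bin/caddy` is replaced. Since the service already runs as `User=caddy`, add `AmbientCapabilities=CAP_NET_BIND_SERVICE` with `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `NoNewPrivileges=true` (systemd 229+, which Debian stretch meets), which makes `libcap2-bin`, `getcap` and `setcap` redundant, and confine the filesystem with `ProtectSystem=full`, `ProtectHome=true`, `PrivateTmp=true` and `PrivateDevices=true`; `ProtectHome=true` assumes `caddy_home` is not placed under `/home`, which the `/srv/caddy` default satisfies. `-agree=true` also accepts the CA's terms unconditionally with whatever `caddy_email` holds, and the role default is a placeholder, so the task rendering this unit should refuse (or at least warn) when HTTPS is enabled with that placeholder. `StartLimitInterval=` under `[Service]` is the legacy spelling; current systemd expects `StartLimitIntervalSec=` in `[Unit]` — inferred from the directive name, worth confirming against the target's systemd version.

```ini
[Service]
User=caddy
Group=caddy
; … unchanged: WorkingDirectory, LimitNOFILE, PIDFile, ExecStart, ExecReload, Restart …
; Grant the low-port capability here instead of via setcap on the binary,
; so it survives binary replacement and cannot be escalated further.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
; Filesystem confinement; caddy_home must not live under /home with ProtectHome=true.
ProtectSystem=full
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
```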
@@ -0,0 +1,44 @@
+{% if test_https %}
+{{ test_url }} {
+{% else %}
+http://{{ test_url }}
+{% endif %}
+
+ {% if test_https %}
+ header / {
+ # Enable HTTP Strict Transport Security (HSTS) to force clients to always
+ # connect via HTTPS (do not use if only testing)
+ Strict-Transport-Security "max-age=31536000;"
+ # Enable cross-site filter (XSS) and tell browser to block detected attacks
+ X-XSS-Protection "1; mode=block"
+ # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+ X-Content-Type-Options "nosniff"
+ # Disallow the site to be rendered within a frame (clickjacking protection)
+ X-Frame-Options "DENY"
+ }
+ {% else %}
+ tls off
+ {% endif %}
+
+ log {{ caddy_logs }}/{{ test_name }}/access.log {
+ rotate_size 100
+ rotate_age 30
+ rotate_keep 10
+ }
+
+ root {{ test_code }}/
+
+ gzip {
+ ext .jpg
+ level 9
+ }
+
+}
+
+{% if test_www %}
+www.{{ test_url }} {
+
+ redir https://{{ test_url }}
+
+}
+{% endif %}
\ No newline at end of file
diff --git a/tests/inventory b/tests/inventory
new file mode 100644
index 0000000..38d0757
--- /dev/null
+++ b/tests/inventory
@@ -0,0 +1 @@
+galaxy-vagrant.example.com
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100644
index 0000000..dc4eb7f
--- /dev/null
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: galaxy-vagrant.example.com
+ remote_user: root
+ roles:
+ - { role: ../galaxy-caddy, test_url: test.none }
\ No newline at end of file
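Review bot: In the `{% else %}` branch the site label `http://{{ test_url }}` is emitted without the opening `{`, while the closing `}` after the `gzip` block is unconditional, so with the role default `test_https: no` the rendered Caddyfile has an unmatched brace and Caddy should refuse to start — inferred from the template text, worth confirming with a render. Change the line to `http://{{ test_url }} {`; `tls off` is then redundant for an `http://` label but harmless. The `www.{{ test_url }}` block is also rendered whenever `test_www` is set regardless of `test_https`: with no scheme on the label Caddy will attempt ACME for the www name, and `redir https://{{ test_url }}` sends clients to an HTTPS site that does not exist in the http-only configuration, so either emit `http://www.{{ test_url }}` and redirect to `http://{{ test_url }}` when `test_https` is off, or guard the block with `test_https` as well. `gzip { ext .jpg }` compresses only JPEGs, which are already compressed; `ext` is an allow-list, so if the intent was to exclude them this reads as an inversion (non-security).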