Bootstrap caddy role

This commit is contained in:
Wilfried OLLIVIER 2019-02-01 15:22:04 +01:00
commit 91b6cd5a2e
12 changed files with 288 additions and 0 deletions

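--- a/LICENCE
+++ b/LICENCE
@@ -0,0 +1,13 @@
+DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+Version 2, December 2004
+Copyright (C) 2019 Wilfried OLLIVIER <wollivier@fdn.fr>
+Everyone is permitted to copy and distribute verbatim or modified
+copies of this license document, and changing it is allowed as long
+as the name is changed.
+DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+0. You just DO WHAT THE FUCK YOU WANT TO.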

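--- a/README.md
+++ b/README.md
@@ -0,0 +1,47 @@
+galaxy-caddy
+============
+Install and update Caddy webserver on Debian
+Requirements
+------------
+None
+Role Variables
+--------------
+- caddy_home: home of caddy user
+- caddy_logs: logs directory
+- caddy_conf: conf directory
+- caddy_confd: confd directory
+- caddy_www: directory used to store websites sources
+- caddy_email: email used to register ACME/Let's Encrypt stuff
+- caddy_update: yes/no - activate caddy updates
+- test_url: url used for the test page
+- test_https: should the test page use https
+- test_name: name of the test
+- test_code: test page source code directory
+- test_www: yes/no - enable redirection from www. to .
+Dependencies
+------------
+None
+Example Playbook
+----------------
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+- hosts: servers
+roles:
+- { role: galaxy-caddy, test_url: test.io }
+Run tests
+---------
+Ensure galaxy-vagrant is up
+ansible-playbook -i tests/inventory tests/test.yml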

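--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,16 @@
+---
+# defaults file for galaxy-caddy
+caddy_home: /srv/caddy
+caddy_logs: /srv/caddy/logs
+caddy_conf: /etc/caddy
+caddy_confd: /etc/caddy/conf.d
+caddy_www: /var/www/caddy
+caddy_email: none@none.com
+caddy_update: yes
+test_url: none.none
+test_https: no
+test_name: test
+test_code: /var/www/caddy/test
+test_www: no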
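Review bot: `caddy_logs: /srv/caddy/logs` and `caddy_confd: /etc/caddy/conf.d` repeat their parent paths literally instead of deriving them, so a playbook that overrides only `caddy_home` or `caddy_conf` ends up with a split tree (tasks/main.yml already creates `{{ caddy_home }}/logs` rather than `{{ caddy_logs }}`); write `caddy_logs: "{{ caddy_home }}/logs"` and `caddy_confd: "{{ caddy_conf }}/conf.d"`. The `yes`/`no` values of `caddy_update`, `test_https` and `test_www` should be `true`/`false` so they do not rely on YAML 1.1 boolean coercion. `caddy_email: none@none.com` is a placeholder that the unit file hands to Caddy next to `-agree=true`, i.e. the role accepts the ACME terms on the operator's behalf with a bogus contact; either ship it empty and fail early when unset, or state in the README that it must be overridden.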

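--- a/files/test.html
+++ b/files/test.html
@@ -0,0 +1,31 @@
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
+<title>Awo !</title>
+</head>
+<body bgcolor="white">
+<pre>
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+@@@@@@@@@@@@@@@@@@@@@@@'~~~ ~~~`@@@@@@@@@@@@@@@@@@@@@@@@@
+@@@@@@@@@@@@@@@@@@' `@@@@@@@@@@@@@@@@@@@@
+@@@@@@@@@@@@@@@' `@@@@@@@@@@@@@@@@@
+@@@@@@@@@@@@@' `@@@@@@@@@@@@@@@
+@@@@@@@@@@@' `@@@@@@@@@@@@@
+@@@@@@@@@@' `@@@@@@@@@@@@
+@@@@@@@@@' `@@@@@@@@@@@
+@@@@@@@@@ @@@@@@@@@@@
+@@@@@@@@' n, `@@@@@@@@@@
+@@@@@@@@ _/ | _ @@@@@@@@@@
+@@@@@@@@ /' `'/ @@@@@@@@@@
+@@@@@@@@a <~ .' a@@@@@@@@@@
+@@@@@@@@@ .' | @@@@@@@@@@@
+@@@@@@@@@a _/ | a@@@@@@@@@@@
+@@@@@@@@@@a _/ `.`. a@@@@@@@@@@@@
+@@@@@@@@@@@a ____/ ' \__ | |______ a@@@@@@@@@@@@@
+@@@@@@@@@@@@@a__/___/ /__\ \ \ \___.a@@@@@@@@@@@@@@@
+@@@@@@@@@@@@@/ (___.'\_______)\_|_| \@@@@@@@@@@@@@@@@
+@@@@@@@@@@@@|\________ ~~~~~\@@@@@@@@@@
+</pre>
+</body></html>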

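--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+# handlers file for galaxy-caddy
+- name: start caddy
+service: name=caddy
+state=started
+enabled=yes
+daemon_reload=yes
+- name: restart caddy
+service: name=caddy
+state=restarted
+enabled=yes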
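Review bot: `restart caddy` never reloads systemd, and the unit-file task in tasks/main.yml notifies only `start caddy`, which is a no-op on a host where Caddy is already running — so an edited `caddy.service` gets `daemon_reload`ed but the old process keeps running with the old ExecStart. Add `daemon_reload: yes` to `restart caddy` and have the unit-file task notify it instead of (or in addition to) `start caddy`. The `key=value` argument strings are better written as native YAML (`service:` with `name:`, `state:`, `enabled:` keys), which is the Ansible convention and avoids quoting and boolean surprises.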

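--- a/meta/main.yml
+++ b/meta/main.yml
@@ -0,0 +1,15 @@
+galaxy_info:
+author: Wilfried OLLIVIER
+description: Install Caddy webserver on Debian
+company: none
+license: WTFPL
+min_ansible_version: 2.4
+galaxy_tags:
+- caddy
+- debian
+- webserver
+dependencies: []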

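--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,85 @@
+---
+# tasks file for galaxy-caddy
+- name: Create Caddy user
+user: name=caddy
+system=yes
+createhome=yes
+home={{ caddy_home }}
+shell=/bin/nologin
+tags: user
+- name: Get all Caddy releases
+get_url: url=https://api.github.com/repos/mholt/caddy/git/refs/tags
+dest={{ caddy_home }}/releases
+force=yes
+when: caddy_update
+register: caddy_releases_cache
+- name: Download new Caddy version or build
+get_url: url=https://caddyserver.com/download/linux/amd64?license=personal
+dest=/tmp/caddy.tar.gz
+force=yes
+when: caddy_releases_cache.changed
+register: caddy_binary_cache
+- name: Extract new Caddy version or build
+unarchive: src=/tmp/caddy.tar.gz
+dest=/usr/bin/
+copy=no
+when: caddy_binary_cache.changed
+- name: Ensure setcap bin
+apt: name=libcap2-bin
+state=present
+- name: Check if the binary can bind to TCP port <1024
+shell: getcap /usr/bin/caddy | grep cap_net_bind_service
+failed_when: False
+changed_when: False
+register: caddy_bind_cap
+- name: Set capability on the binary file to be able to bind to TCP port <1024
+command: setcap cap_net_bind_service=+ep /usr/bin/caddy
+when: caddy_bind_cap.rc > 0
+- name: Create caddy needed directories
+file: path={{ item }}
+state=directory
+owner=caddy
+with_items:
+- "{{ caddy_conf }}"
+- "{{ caddy_confd }}"
+- "{{ caddy_home }}/logs"
+- "{{ caddy_www }}"
+- name: Caddyfile
+template: src=caddyfile.j2
+dest={{ caddy_conf }}/Caddyfile
+notify: restart caddy
+- name: Push vhost test page caddy config
+template: src=http.caddy.j2
+dest={{ caddy_confd }}/test.caddy
+notify: restart caddy
+- name: Create test www dir
+file: path={{ caddy_www }}/test
+state=directory
+owner=caddy
+group=caddy
+- name: Push test page source
+copy: src=test.html
+dest={{ caddy_www }}/test/index.html
+- name: Create Test page logs dir
+file: path={{ caddy_home }}/logs/test
+state=directory
+owner=caddy
+- name: Systemd service
+template: src=caddy.service.j2
+dest=/etc/systemd/system/caddy.service
+notify:
+- start caddy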
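Review bot: The binary is fetched from `https://caddyserver.com/download/linux/amd64?license=personal` with no `checksum:`, and the whole tarball is unpacked straight into `/usr/bin/` with `unarchive ... copy=no`, so an unpinned, unverified archive — every member it contains, not just `caddy` — is written into the system path as root, staged through the fixed, world-known path `/tmp/caddy.tar.gz`. Pin a release, set `checksum: sha256:...` on `get_url`, stage under `{{ caddy_home }}` and install only the `caddy` member root-owned, as sketched below (the `Get all Caddy releases` task reads GitHub tags but never uses them to choose a version, so it only acts as a change trigger). `{{ caddy_conf }}`, `{{ caddy_confd }}` and `{{ caddy_www }}` are created `owner=caddy`, which lets the service account rewrite its own configuration (the Caddyfile imports `{{ caddy_confd }}/*`); keep those root-owned and world-readable and leave only the logs directory writable by caddy. Neither the extract task nor the setcap task notifies `restart caddy`, so a newly installed binary is not actually running until something else restarts the service. Also `shell=/bin/nologin` does not exist on Debian (it is `/usr/sbin/nologin`), which still blocks logins but trips tooling that validates the shell.
```yaml
# … unchanged: Create Caddy user, Get all Caddy releases …
- name: Download new Caddy version or build
  get_url:
    url: "https://caddyserver.com/download/linux/amd64?license=personal"
    dest: "{{ caddy_home }}/caddy.tar.gz"
    checksum: "{{ caddy_checksum }}"  # sha256:<digest> of the pinned release; new default to add
    mode: "0600"
  when: caddy_releases_cache.changed
  register: caddy_binary_cache

- name: Create Caddy staging directory
  file:
    path: "{{ caddy_home }}/staging"
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: Extract new Caddy version or build
  unarchive:
    src: "{{ caddy_home }}/caddy.tar.gz"
    dest: "{{ caddy_home }}/staging"
    remote_src: true
  when: caddy_binary_cache.changed

- name: Install Caddy binary
  copy:
    src: "{{ caddy_home }}/staging/caddy"
    dest: /usr/bin/caddy
    remote_src: true
    owner: root
    group: root
    mode: "0755"
  when: caddy_binary_cache.changed
  notify: restart caddy
# … unchanged: setcap, directories, templates, systemd service …
```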

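--- a/templates/caddy.service.j2
+++ b/templates/caddy.service.j2
@@ -0,0 +1,17 @@
+[Unit]
+Description=Caddy HTTP/2 web server
+Documentation=https://caddyserver.com/docs
+After=network.target
+[Service]
+WorkingDirectory={{ caddy_home }}
+User=caddy
+LimitNOFILE=8192
+PIDFile={{ caddy_home }}/caddy.pid
+ExecStart=/usr/bin/caddy -agree=true -email={{ caddy_email }} -conf=/etc/caddy/Caddyfile -pidfile={{ caddy_home }}/caddy.pid
+ExecReload=/bin/kill -USR1 $MAINPID
+Restart=on-failure
+StartLimitInterval=600
+[Install]
+WantedBy=multi-user.target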
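Review bot: The unit runs as `User=caddy` but with no sandboxing, and the right to bind 80/443 comes from a `setcap` on `/usr/bin/caddy` that must be redone every time the binary is replaced; `AmbientCapabilities=CAP_NET_BIND_SERVICE` grants it per service (systemd ≥ 229, present on Debian 9's 232 — confirm for the target release) and makes the getcap/setcap tasks unnecessary. Only once that ambient grant is in place can `NoNewPrivileges=true` be added, because no_new_privs makes the kernel ignore file capabilities and the setcap'd binary would stop binding privileged ports; with it, `ProtectSystem=strict`, `PrivateTmp=true` and `PrivateDevices=true` are safe provided `{{ caddy_home }}` (the caddy user's home, where the ACME state, pid file and default logs live) stays writable through `ReadWritePaths`, plus `{{ caddy_logs }}` if it is ever set outside it. `StartLimitInterval` is a `[Unit]` setting on current systemd (`StartLimitIntervalSec=600` under `[Unit]`); leaving it under `[Service]` only works through compatibility handling. `ExecStart` passes `-agree=true` with `-email={{ caddy_email }}`, so the ACME terms are accepted non-interactively on behalf of whatever address the role default supplies.
```ini
[Service]
# … unchanged: WorkingDirectory, User, LimitNOFILE, PIDFile, ExecStart, ExecReload, Restart …
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectSystem=strict
ReadWritePaths={{ caddy_home }}
```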

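--- a/templates/caddyfile.j2
+++ b/templates/caddyfile.j2
@@ -0,0 +1 @@
+import {{ caddy_confd }}/*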

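--- a/templates/http.caddy.j2
+++ b/templates/http.caddy.j2
@@ -0,0 +1,44 @@
+{% if test_https %}
+{{ test_url }} {
+{% else %}
+http://{{ test_url }}
+{% endif %}
+{% if test_https %}
+header / {
+# Enable HTTP Strict Transport Security (HSTS) to force clients to always
+# connect via HTTPS (do not use if only testing)
+Strict-Transport-Security "max-age=31536000;"
+# Enable cross-site filter (XSS) and tell browser to block detected attacks
+X-XSS-Protection "1; mode=block"
+# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+X-Content-Type-Options "nosniff"
+# Disallow the site to be rendered within a frame (clickjacking protection)
+X-Frame-Options "DENY"
+}
+{% else %}
+tls off
+{% endif %}
+log {{ caddy_logs }}/{{ test_name }}/access.log {
+rotate_size 100
+rotate_age 30
+rotate_keep 10
+}
+root {{ test_code }}/
+gzip {
+ext .jpg
+level 9
+}
+}
+{% if test_www %}
+www.{{ test_url }} {
+redir https://{{ test_url }}
+}
+{% endif %}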
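Review bot: The plain-HTTP branch emits `http://{{ test_url }}` without the opening brace the TLS branch has (`{{ test_url }} {`), so with the role default `test_https: no` the rendered site block ends in an unmatched `}` and Caddy refuses the Caddyfile; it should read `http://{{ test_url }} {`. The `www.` block ignores the scheme: it carries no `http://` prefix or `tls off`, so even with TLS disabled Caddy will attempt automatic HTTPS for `www.{{ test_url }}` and then redirect to an `https://` address the site does not serve — mirror the choice, e.g. `{% if test_https %}https{% else %}http{% endif %}://www.{{ test_url }} {` and `redir {% if test_https %}https{% else %}http{% endif %}://{{ test_url }}`. In the header set, `X-XSS-Protection` is deprecated and ignored by current browsers; a `Referrer-Policy` and a `Content-Security-Policy` suited to the test page would be the modern additions. Also `log {{ caddy_logs }}/{{ test_name }}/access.log` expects a directory that tasks/main.yml creates only as `{{ caddy_home }}/logs/test`, so overriding `test_name` or `caddy_logs` points the log at a path that does not exist unless Caddy creates the parent itself.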

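--- a/tests/inventory
+++ b/tests/inventory
@@ -0,0 +1 @@
+galaxy-vagrant.example.com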

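--- a/tests/test.yml
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: galaxy-vagrant.example.com
+remote_user: root
+roles:
+- { role: ../galaxy-caddy, test_url: test.none }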