From 480db3d6fbf3ee11594585d7d71f99bbcf48aa05 Mon Sep 17 00:00:00 2001 From: Jannik Beyerstedt Date: Mon, 14 Sep 2020 23:48:51 +0200 Subject: [PATCH] [BREAKING] Caddy: Upgrade to caddyserver v2 See https://caddyserver.com/docs/v2-upgrade for changes on the Caddyfile --- README.md | 3 --- defaults/main.yml | 1 - tasks/caddy-install.yml | 38 ++++++++++++++++++-------------------- tasks/caddy-setup.yml | 2 +- templates/caddy.service | 23 ++++++----------------- 5 files changed, 25 insertions(+), 42 deletions(-) diff --git a/README.md b/README.md index 037513b..b00c26c 100644 --- a/README.md +++ b/README.md @@ -33,9 +33,6 @@ Attention: You still need to setup the borgbackup repository manually. Mandatory variable: - `caddy_email`: Email address to use for getting let's encrypt certificates -Optional variable: -- `caddy_plugins`: Comma separated list of caddyserver v1 plugins (default: `http.ratelimit`) - ### Cronmails Mandatory variable: - `cron_email`: Sender email address used by cron diff --git a/defaults/main.yml b/defaults/main.yml index 8e2a9b8..a9ccf24 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -4,7 +4,6 @@ borgbackup_ssh_id: "{{ ansible_user_dir }}/.ssh/id_ed25519" caddy_cachedir: "{{ ansible_user_dir }}/.ansbl-caddy-cache" -caddy_plugins: "http.ratelimit" telegraf_interval: "300s" telegraf_docker_file: "telegraf-docker.conf" diff --git a/tasks/caddy-install.yml b/tasks/caddy-install.yml index 944506d..45b60c2 100644 --- a/tasks/caddy-install.yml +++ b/tasks/caddy-install.yml 
@@ -21,19 +21,31 @@ state: directory - name: caddyserver - Download caddy webserver (amd64) + become: yes get_url: - url: "https://caddyserver.com/download/linux/amd64?plugins={{ caddy_plugins }}&license=personal" - dest: "{{ caddy_cachedir }}/tmp/caddy.tar.gz" + url: "https://caddyserver.com/api/download?os=linux&arch=amd64" + dest: "{{ caddy_cachedir }}/tmp/caddy" + group: root + owner: root + mode: 0755 when: ansible_architecture == "x86_64" - name: caddyserver - Download caddy webserver (armv7/ raspberry pi) + become: yes get_url: - url: "https://caddyserver.com/download/linux/arm7?plugins={{ caddy_plugins }}&license=personal" - dest: "{{ caddy_cachedir }}/tmp/caddy.tar.gz" + url: "https://caddyserver.com/api/download?os=linux&arch=arm&arm=7" + dest: "{{ caddy_cachedir }}/tmp/caddy" + group: root + owner: root + mode: 0755 when: ansible_architecture == "armv7l" - name: caddyserver - Download caddy webserver (arm64) + become: yes get_url: - url: "https://caddyserver.com/download/linux/arm64?plugins={{ caddy_plugins }}&license=personal" - dest: "{{ caddy_cachedir }}/tmp/caddy.tar.gz" + url: "https://caddyserver.com/api/download?os=linux&arch=arm64" + dest: "{{ caddy_cachedir }}/tmp/caddy" + group: root + owner: root + mode: 0755 when: ansible_architecture == "aarch64" - name: caddyserver - Stop caddy @@ -43,8 +55,6 @@ state: stopped ignore_errors: yes - - name: caddyserver - Extract caddy - shell: "cd {{ caddy_cachedir }}/tmp && tar -xvf caddy.tar.gz" - name: caddyserver - Copy caddy to a PATH location become: yes shell: "cp {{ caddy_cachedir }}/tmp/caddy /usr/local/bin" 
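Review bot: Each of the three `get_url` tasks now installs whatever binary `https://caddyserver.com/api/download?...` happens to serve at run time, as a root-owned 0755 file, with no `checksum:` and no version pin, so the role is not reproducible and cannot tell a tampered or unexpected download from a legitimate one. Pin a release and verify it — for example a `caddy_version: "<PINNED_VERSION>"` default plus `checksum: "sha256:<EXPECTED_SHA256>"` on each `get_url`, sourced from the per-asset checksums the upstream GitHub releases publish — and apply the same to the armv7 and arm64 tasks in this hunk. Separately, `mode: 0755` is an unquoted octal that YAML 1.1 parsers read as the integer 493 (Ansible handles the leading-zero form, but `mode: "0755"` is what ansible-lint asks for) and `become: yes` should be `become: true`. The enclosing task list continues outside this hunk.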
@@ -53,16 +63,4 @@ file: path: "{{ caddy_cachedir }}/tmp" state: absent - - name: caddyserver - Install caddy APT dependencies - become: yes - apt: - name: libcap2-bin - state: present - - name: caddyserver - Give caddy port binding capabilities - become: yes - shell: "setcap cap_net_bind_service=+ep /usr/local/bin/caddy" - # capabilities: - # path: "{{ caddy_bin }}" - # capability: cap_net_bind_service+ep - # state: present when: caddy_releases_cache.changed diff --git a/tasks/caddy-setup.yml b/tasks/caddy-setup.yml index 93f4ced..69f9973 100644 --- a/tasks/caddy-setup.yml +++ b/tasks/caddy-setup.yml @@ -18,7 +18,7 @@ group: www-data mode: 0770 with_items: - - /etc/ssl/caddy + - /var/lib/caddy - /etc/caddy - name: caddyserver - Add Caddy home directory become: yes diff --git a/templates/caddy.service b/templates/caddy.service index 782f787..c4c4984 100644 --- a/templates/caddy.service +++ b/templates/caddy.service @@ -1,24 +1,19 @@ [Unit] Description=Caddy HTTP/2 web server Documentation=https://caddyserver.com/docs -After=network-online.target -Wants=network-online.target +After=network.target [Service] Restart=on-abnormal User=www-data Group=www-data -Environment=CADDYPATH=/etc/ssl/caddy +Environment=HOME=/var/lib/caddy -PIDFile=/run/caddy.pid -ExecStart=/usr/local/bin/caddy -log stdout -agree -email={{ caddy_email }} -conf=/etc/caddy/Caddyfile -root=/var/tmp -ExecReload=/bin/kill -USR1 $MAINPID +ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile +ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile -KillMode=mixed -KillSignal=SIGQUIT TimeoutStopSec=5s - LimitNOFILE=8192 LimitNPROC=64 
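Review bot: Replacing `/etc/ssl/caddy` with `/var/lib/caddy` in `with_items` leaves the old directory — the v1 `CADDYPATH`, holding the ACME account key and certificate private keys — in place on upgraded hosts, with no task to remove or migrate it, so stale key material lingers with nothing rotating or cleaning it. Either add a `file:` task with `path: /etc/ssl/caddy` and `state: absent` (once the v2 data store is confirmed populated) or call out the manual removal in the README's breaking-change notes. Note also that Caddy v2 keeps its data store under `$XDG_DATA_HOME/caddy`, falling back to `$HOME/.local/share/caddy`, so with `Environment=HOME=/var/lib/caddy` in the unit the keys will be created in `/var/lib/caddy/.local/share/caddy`; the group-writable `mode: 0770` directory covers that, but a comment on the list entry such as `# v2 data store; keys end up in .local/share/caddy below this` would save the next reader the lookup. The start of this task is outside the hunk.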
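Review bot: `--environ` on the new `ExecStart` line makes Caddy print its entire process environment to the journal on every start; today that is only `HOME`, but as soon as a DNS-provider token or similar is added via `Environment=` or `EnvironmentFile=` it will be logged in clear text, so either drop the flag (`ExecStart=/usr/local/bin/caddy run --config /etc/caddy/Caddyfile`) or put a comment above the line stating that no secrets may be passed through the environment. The new `ExecReload` relies on Caddy's admin API, which v2 enables by default on `localhost:2019` without authentication — a dependency the v1 `kill -USR1` reload did not have — and deserves a comment such as `; reload uses the admin API (localhost:2019 by default); keep it on loopback or a unix socket`. Dropping `After=network-online.target`/`Wants=network-online.target` for plain `After=network.target` also allows the unit to start before the network is actually online; as far as I recall the upstream v2 unit keeps `After=network.target network-online.target` with `Requires=network-online.target`. The unit continues in the next hunk.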
@@ -30,15 +25,9 @@ PermissionsStartOnly=true PrivateTmp=true ;PrivateDevices=true ;ProtectHome=true -;ProtectSystem=full -ReadWriteDirectories=/etc/ssl/caddy +ProtectSystem=full -; The following additional security directives only work with systemd v229 or later. -; They further restrict privileges that can be gained by caddy. -; Note that you may have to add capabilities required by any plugins in use. -;CapabilityBoundingSet=CAP_NET_BIND_SERVICE -;AmbientCapabilities=CAP_NET_BIND_SERVICE -;NoNewPrivileges=true +AmbientCapabilities=CAP_NET_BIND_SERVICE [Install] WantedBy=multi-user.target
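Review bot: Adding `AmbientCapabilities=CAP_NET_BIND_SERVICE` while deleting the commented-out `CapabilityBoundingSet=` and `NoNewPrivileges=` lines makes the grant one-sided: the www-data process receives the capability, but nothing restricts the bounding set or stops a child from regaining privileges through a setuid binary, and unless I misread systemd.exec the ambient grant does not imply `NoNewPrivileges=` on its own. Re-add the two dropped directives enabled rather than deleted — `CapabilityBoundingSet=CAP_NET_BIND_SERVICE`, `AmbientCapabilities=CAP_NET_BIND_SERVICE`, `NoNewPrivileges=true`. The removed comment about the systemd v229 minimum should survive in some form: an older systemd ignores the unknown directive with a warning, and because this commit also drops the `setcap` task, nothing else would let the process bind ports 80 and 443. `ProtectSystem=full` replacing `ReadWriteDirectories=/etc/ssl/caddy` is fine as written, since `full` only makes /usr, /boot and /etc read-only and `/var/lib/caddy` stays writable, but a `ReadWritePaths=/var/lib/caddy` line would be required if this is later tightened to `strict`.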