[BREAKING] Caddy: Upgrade to caddyserver v2

See https://caddyserver.com/docs/v2-upgrade for changes on the Caddyfile
This commit is contained in:
Jannik Beyerstedt 2020-09-14 23:48:51 +02:00
parent db0db4ddb7
commit 480db3d6fb
5 changed files with 25 additions and 42 deletions

View file

@ -33,9 +33,6 @@ Attention: You still need to setup the borgbackup repository manually.
Mandatory variable: Mandatory variable:
- `caddy_email`: Email address to use for getting let's encrypt certificates - `caddy_email`: Email address to use for getting let's encrypt certificates
Optional variable:
- `caddy_plugins`: Comma separated list of caddyserver v1 plugins (default: `http.ratelimit`)
### Cronmails ### Cronmails
Mandatory variable: Mandatory variable:
- `cron_email`: Sender email address used by cron - `cron_email`: Sender email address used by cron

View file

@ -4,7 +4,6 @@
borgbackup_ssh_id: "{{ ansible_user_dir }}/.ssh/id_ed25519" borgbackup_ssh_id: "{{ ansible_user_dir }}/.ssh/id_ed25519"
caddy_cachedir: "{{ ansible_user_dir }}/.ansbl-caddy-cache" caddy_cachedir: "{{ ansible_user_dir }}/.ansbl-caddy-cache"
caddy_plugins: "http.ratelimit"
telegraf_interval: "300s" telegraf_interval: "300s"
telegraf_docker_file: "telegraf-docker.conf" telegraf_docker_file: "telegraf-docker.conf"

View file

@ -21,19 +21,31 @@
state: directory state: directory
- name: caddyserver - Download caddy webserver (amd64) - name: caddyserver - Download caddy webserver (amd64)
become: yes
get_url: get_url:
url: "https://caddyserver.com/download/linux/amd64?plugins={{ caddy_plugins }}&license=personal" url: "https://caddyserver.com/api/download?os=linux&arch=amd64"
dest: "{{ caddy_cachedir }}/tmp/caddy.tar.gz" dest: "{{ caddy_cachedir }}/tmp/caddy"
group: root
owner: root
mode: 0755
when: ansible_architecture == "x86_64" when: ansible_architecture == "x86_64"
- name: caddyserver - Download caddy webserver (armv7/ raspberry pi) - name: caddyserver - Download caddy webserver (armv7/ raspberry pi)
become: yes
get_url: get_url:
url: "https://caddyserver.com/download/linux/arm7?plugins={{ caddy_plugins }}&license=personal" url: "https://caddyserver.com/api/download?os=linux&arch=arm&arm=7"
dest: "{{ caddy_cachedir }}/tmp/caddy.tar.gz" dest: "{{ caddy_cachedir }}/tmp/caddy"
group: root
owner: root
mode: 0755
when: ansible_architecture == "armv7l" when: ansible_architecture == "armv7l"
- name: caddyserver - Download caddy webserver (arm64) - name: caddyserver - Download caddy webserver (arm64)
become: yes
get_url: get_url:
url: "https://caddyserver.com/download/linux/arm64?plugins={{ caddy_plugins }}&license=personal" url: "https://caddyserver.com/api/download?os=linux&arch=arm64"
dest: "{{ caddy_cachedir }}/tmp/caddy.tar.gz" dest: "{{ caddy_cachedir }}/tmp/caddy"
group: root
owner: root
mode: 0755
when: ansible_architecture == "aarch64" when: ansible_architecture == "aarch64"
- name: caddyserver - Stop caddy - name: caddyserver - Stop caddy
@ -43,8 +55,6 @@
state: stopped state: stopped
ignore_errors: yes ignore_errors: yes
- name: caddyserver - Extract caddy
shell: "cd {{ caddy_cachedir }}/tmp && tar -xvf caddy.tar.gz"
- name: caddyserver - Copy caddy to a PATH location - name: caddyserver - Copy caddy to a PATH location
become: yes become: yes
shell: "cp {{ caddy_cachedir }}/tmp/caddy /usr/local/bin" shell: "cp {{ caddy_cachedir }}/tmp/caddy /usr/local/bin"
@ -53,16 +63,4 @@
file: file:
path: "{{ caddy_cachedir }}/tmp" path: "{{ caddy_cachedir }}/tmp"
state: absent state: absent
- name: caddyserver - Install caddy APT dependencies
become: yes
apt:
name: libcap2-bin
state: present
- name: caddyserver - Give caddy port binding capabilities
become: yes
shell: "setcap cap_net_bind_service=+ep /usr/local/bin/caddy"
# capabilities:
# path: "{{ caddy_bin }}"
# capability: cap_net_bind_service+ep
# state: present
when: caddy_releases_cache.changed when: caddy_releases_cache.changed

View file

@ -18,7 +18,7 @@
group: www-data group: www-data
mode: 0770 mode: 0770
with_items: with_items:
- /etc/ssl/caddy - /var/lib/caddy
- /etc/caddy - /etc/caddy
- name: caddyserver - Add Caddy home directory - name: caddyserver - Add Caddy home directory
become: yes become: yes

View file

@ -1,24 +1,19 @@
[Unit] [Unit]
Description=Caddy HTTP/2 web server Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs Documentation=https://caddyserver.com/docs
After=network-online.target After=network.target
Wants=network-online.target
[Service] [Service]
Restart=on-abnormal Restart=on-abnormal
User=www-data User=www-data
Group=www-data Group=www-data
Environment=CADDYPATH=/etc/ssl/caddy Environment=HOME=/var/lib/caddy
PIDFile=/run/caddy.pid ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecStart=/usr/local/bin/caddy -log stdout -agree -email={{ caddy_email }} -conf=/etc/caddy/Caddyfile -root=/var/tmp ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile
ExecReload=/bin/kill -USR1 $MAINPID
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s TimeoutStopSec=5s
LimitNOFILE=8192 LimitNOFILE=8192
LimitNPROC=64 LimitNPROC=64
@ -30,15 +25,9 @@ PermissionsStartOnly=true
PrivateTmp=true PrivateTmp=true
;PrivateDevices=true ;PrivateDevices=true
;ProtectHome=true ;ProtectHome=true
;ProtectSystem=full ProtectSystem=full
ReadWriteDirectories=/etc/ssl/caddy
; The following additional security directives only work with systemd v229 or later. AmbientCapabilities=CAP_NET_BIND_SERVICE
; They further restrict privileges that can be gained by caddy.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target