[BREAKING] Caddy: Upgrade to caddyserver v2

See https://caddyserver.com/docs/v2-upgrade for changes on the Caddyfile
2020-09-14 23:48:51 +02:00 · 2020-09-14 23:48:51 +02:00 · 480db3d6fb
parent db0db4ddb7
commit 480db3d6fb
5 changed files with 25 additions and 42 deletions
--- a/README.md
+++ b/README.md
@ -33,9 +33,6 @@ Attention: You still need to setup the borgbackup repository manually.
 Mandatory variable:
 - `caddy_email`: Email address to use for getting let's encrypt certificates
 Optional variable:
 - `caddy_plugins`: Comma separated list of caddyserver v1 plugins (default: `http.ratelimit`)
 ### Cronmails
 Mandatory variable:
 - `cron_email`: Sender email address used by cron
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -4,7 +4,6 @@
 borgbackup_ssh_id: "{{ ansible_user_dir }}/.ssh/id_ed25519"
 caddy_cachedir: "{{ ansible_user_dir }}/.ansbl-caddy-cache"
 caddy_plugins: "http.ratelimit"
 telegraf_interval: "300s"
 telegraf_docker_file: "telegraf-docker.conf"
--- a/tasks/caddy-install.yml
+++ b/tasks/caddy-install.yml
@ -21,19 +21,31 @@
        state: directory
    - name: caddyserver - Download caddy webserver (amd64)
      become: yes
      get_url:
-        url: "https://caddyserver.com/download/linux/amd64?plugins={{ caddy_plugins }}&license=personal"
+        url: "https://caddyserver.com/api/download?os=linux&arch=amd64"
-        dest: "{{ caddy_cachedir }}/tmp/caddy.tar.gz"
+        dest: "{{ caddy_cachedir }}/tmp/caddy"
        group: root
        owner: root
        mode: 0755
      when: ansible_architecture == "x86_64"
    - name: caddyserver - Download caddy webserver (armv7/ raspberry pi)
      become: yes
      get_url:
-        url: "https://caddyserver.com/download/linux/arm7?plugins={{ caddy_plugins }}&license=personal"
+        url: "https://caddyserver.com/api/download?os=linux&arch=arm&arm=7"
-        dest: "{{ caddy_cachedir }}/tmp/caddy.tar.gz"
+        dest: "{{ caddy_cachedir }}/tmp/caddy"
        group: root
        owner: root
        mode: 0755
      when: ansible_architecture == "armv7l"
    - name: caddyserver - Download caddy webserver (arm64)
      become: yes
      get_url:
-        url: "https://caddyserver.com/download/linux/arm64?plugins={{ caddy_plugins }}&license=personal"
+        url: "https://caddyserver.com/api/download?os=linux&arch=arm64"
-        dest: "{{ caddy_cachedir }}/tmp/caddy.tar.gz"
+        dest: "{{ caddy_cachedir }}/tmp/caddy"
        group: root
        owner: root
        mode: 0755
      when: ansible_architecture == "aarch64"
    - name: caddyserver - Stop caddy
@ -43,8 +55,6 @@
        state: stopped
      ignore_errors: yes
    - name: caddyserver - Extract caddy
      shell: "cd {{ caddy_cachedir }}/tmp && tar -xvf caddy.tar.gz"
    - name: caddyserver - Copy caddy to a PATH location
      become: yes
      shell: "cp {{ caddy_cachedir }}/tmp/caddy /usr/local/bin"
@ -53,16 +63,4 @@
      file:
        path: "{{ caddy_cachedir }}/tmp"
        state: absent
    - name: caddyserver - Install caddy APT dependencies
      become: yes
      apt:
        name: libcap2-bin
        state: present
    - name: caddyserver - Give caddy port binding capabilities
      become: yes
      shell: "setcap cap_net_bind_service=+ep /usr/local/bin/caddy"
      # capabilities:
      #   path: "{{ caddy_bin }}"
      #   capability: cap_net_bind_service+ep
      #   state: present
  when: caddy_releases_cache.changed
--- a/tasks/caddy-setup.yml
+++ b/tasks/caddy-setup.yml
@ -18,7 +18,7 @@
    group: www-data
    mode: 0770
  with_items:
-    - /etc/ssl/caddy
+    - /var/lib/caddy
    - /etc/caddy
 - name: caddyserver - Add Caddy home directory
  become: yes
--- a/templates/caddy.service
+++ b/templates/caddy.service
@ -1,24 +1,19 @@
 [Unit]
 Description=Caddy HTTP/2 web server
 Documentation=https://caddyserver.com/docs
-After=network-online.target
+After=network.target
 Wants=network-online.target
 [Service]
 Restart=on-abnormal
 User=www-data
 Group=www-data
-Environment=CADDYPATH=/etc/ssl/caddy
+Environment=HOME=/var/lib/caddy
-PIDFile=/run/caddy.pid
+ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
-ExecStart=/usr/local/bin/caddy -log stdout -agree -email={{ caddy_email }} -conf=/etc/caddy/Caddyfile -root=/var/tmp
+ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile
 ExecReload=/bin/kill -USR1 $MAINPID
 KillMode=mixed
 KillSignal=SIGQUIT
 TimeoutStopSec=5s
 LimitNOFILE=8192
 LimitNPROC=64
@ -30,15 +25,9 @@ PermissionsStartOnly=true
 PrivateTmp=true
 ;PrivateDevices=true
 ;ProtectHome=true
-;ProtectSystem=full
+ProtectSystem=full
 ReadWriteDirectories=/etc/ssl/caddy
-; The following additional security directives only work with systemd v229 or later.
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 ; They further restrict privileges that can be gained by caddy.
 ; Note that you may have to add capabilities required by any plugins in use.
 ;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 ;AmbientCapabilities=CAP_NET_BIND_SERVICE
 ;NoNewPrivileges=true
 [Install]
 WantedBy=multi-user.target