[BREAKING] Caddy: Upgrade to caddyserver v2
See https://caddyserver.com/docs/v2-upgrade for changes on the Caddyfile
This commit is contained in:
parent
db0db4ddb7
commit
480db3d6fb
|
|
@ -33,9 +33,6 @@ Attention: You still need to setup the borgbackup repository manually.
|
|||
Mandatory variable:
|
||||
- `caddy_email`: Email address to use for getting let's encrypt certificates
|
||||
|
||||
Optional variable:
|
||||
- `caddy_plugins`: Comma separated list of caddyserver v1 plugins (default: `http.ratelimit`)
|
||||
|
||||
### Cronmails
|
||||
Mandatory variable:
|
||||
- `cron_email`: Sender email address used by cron
|
||||
|
|
|
|||
|
|
@ -4,7 +4,6 @@
|
|||
borgbackup_ssh_id: "{{ ansible_user_dir }}/.ssh/id_ed25519"
|
||||
|
||||
caddy_cachedir: "{{ ansible_user_dir }}/.ansbl-caddy-cache"
|
||||
caddy_plugins: "http.ratelimit"
|
||||
|
||||
telegraf_interval: "300s"
|
||||
telegraf_docker_file: "telegraf-docker.conf"
|
||||
|
|
|
|||
|
|
@ -21,19 +21,31 @@
|
|||
state: directory
|
||||
|
||||
- name: caddyserver - Download caddy webserver (amd64)
|
||||
become: yes
|
||||
get_url:
|
||||
url: "https://caddyserver.com/download/linux/amd64?plugins={{ caddy_plugins }}&license=personal"
|
||||
dest: "{{ caddy_cachedir }}/tmp/caddy.tar.gz"
|
||||
url: "https://caddyserver.com/api/download?os=linux&arch=amd64"
|
||||
dest: "{{ caddy_cachedir }}/tmp/caddy"
|
||||
group: root
|
||||
owner: root
|
||||
mode: 0755
|
||||
when: ansible_architecture == "x86_64"
|
||||
- name: caddyserver - Download caddy webserver (armv7/ raspberry pi)
|
||||
become: yes
|
||||
get_url:
|
||||
url: "https://caddyserver.com/download/linux/arm7?plugins={{ caddy_plugins }}&license=personal"
|
||||
dest: "{{ caddy_cachedir }}/tmp/caddy.tar.gz"
|
||||
url: "https://caddyserver.com/api/download?os=linux&arch=arm&arm=7"
|
||||
dest: "{{ caddy_cachedir }}/tmp/caddy"
|
||||
group: root
|
||||
owner: root
|
||||
mode: 0755
|
||||
when: ansible_architecture == "armv7l"
|
||||
- name: caddyserver - Download caddy webserver (arm64)
|
||||
become: yes
|
||||
get_url:
|
||||
url: "https://caddyserver.com/download/linux/arm64?plugins={{ caddy_plugins }}&license=personal"
|
||||
dest: "{{ caddy_cachedir }}/tmp/caddy.tar.gz"
|
||||
url: "https://caddyserver.com/api/download?os=linux&arch=arm64"
|
||||
dest: "{{ caddy_cachedir }}/tmp/caddy"
|
||||
group: root
|
||||
owner: root
|
||||
mode: 0755
|
||||
when: ansible_architecture == "aarch64"
|
||||
|
||||
- name: caddyserver - Stop caddy
|
||||
|
|
@ -43,8 +55,6 @@
|
|||
state: stopped
|
||||
ignore_errors: yes
|
||||
|
||||
- name: caddyserver - Extract caddy
|
||||
shell: "cd {{ caddy_cachedir }}/tmp && tar -xvf caddy.tar.gz"
|
||||
- name: caddyserver - Copy caddy to a PATH location
|
||||
become: yes
|
||||
shell: "cp {{ caddy_cachedir }}/tmp/caddy /usr/local/bin"
|
||||
|
|
@ -53,16 +63,4 @@
|
|||
file:
|
||||
path: "{{ caddy_cachedir }}/tmp"
|
||||
state: absent
|
||||
- name: caddyserver - Install caddy APT dependencies
|
||||
become: yes
|
||||
apt:
|
||||
name: libcap2-bin
|
||||
state: present
|
||||
- name: caddyserver - Give caddy port binding capabilities
|
||||
become: yes
|
||||
shell: "setcap cap_net_bind_service=+ep /usr/local/bin/caddy"
|
||||
# capabilities:
|
||||
# path: "{{ caddy_bin }}"
|
||||
# capability: cap_net_bind_service+ep
|
||||
# state: present
|
||||
when: caddy_releases_cache.changed
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@
|
|||
group: www-data
|
||||
mode: 0770
|
||||
with_items:
|
||||
- /etc/ssl/caddy
|
||||
- /var/lib/caddy
|
||||
- /etc/caddy
|
||||
- name: caddyserver - Add Caddy home directory
|
||||
become: yes
|
||||
|
|
|
|||
|
|
@ -1,24 +1,19 @@
|
|||
[Unit]
|
||||
Description=Caddy HTTP/2 web server
|
||||
Documentation=https://caddyserver.com/docs
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Restart=on-abnormal
|
||||
|
||||
User=www-data
|
||||
Group=www-data
|
||||
Environment=CADDYPATH=/etc/ssl/caddy
|
||||
Environment=HOME=/var/lib/caddy
|
||||
|
||||
PIDFile=/run/caddy.pid
|
||||
ExecStart=/usr/local/bin/caddy -log stdout -agree -email={{ caddy_email }} -conf=/etc/caddy/Caddyfile -root=/var/tmp
|
||||
ExecReload=/bin/kill -USR1 $MAINPID
|
||||
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
|
||||
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile
|
||||
|
||||
KillMode=mixed
|
||||
KillSignal=SIGQUIT
|
||||
TimeoutStopSec=5s
|
||||
|
||||
LimitNOFILE=8192
|
||||
LimitNPROC=64
|
||||
|
||||
|
|
@ -30,15 +25,9 @@ PermissionsStartOnly=true
|
|||
PrivateTmp=true
|
||||
;PrivateDevices=true
|
||||
;ProtectHome=true
|
||||
;ProtectSystem=full
|
||||
ReadWriteDirectories=/etc/ssl/caddy
|
||||
ProtectSystem=full
|
||||
|
||||
; The following additional security directives only work with systemd v229 or later.
|
||||
; They further restrict privileges that can be gained by caddy.
|
||||
; Note that you may have to add capabilities required by any plugins in use.
|
||||
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
;AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||
;NoNewPrivileges=true
|
||||
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
|
|||
Loading…
Reference in a new issue