diff --git a/roles/reverse_proxy/defaults/main.yml b/roles/reverse_proxy/defaults/main.yml
index 46249a9..fb6b92f 100644
--- a/roles/reverse_proxy/defaults/main.yml
+++ b/roles/reverse_proxy/defaults/main.yml
@@ -35,3 +35,7 @@ access__api: # noqa: var-naming[no-role-prefix]
 # DNS-01; no manual steps). Residual risk: Let's Encrypt rate limits on rapid re-issuance.
 backup__service: reverse_proxy # noqa: var-naming[no-role-prefix]
 backup__state: false # noqa: var-naming[no-role-prefix]
+
+# Integration-test / staging cert knobs (ADR-025). Default off = production behaviour.
+reverse_proxy__tls_internal: false # true => every site uses Caddy's self-signed CA
+reverse_proxy__acme_ca: "" # set to the LE staging directory URL to use staging
diff --git a/roles/reverse_proxy/templates/Caddyfile.j2 b/roles/reverse_proxy/templates/Caddyfile.j2
index 0c0a280..a14ec68 100644
--- a/roles/reverse_proxy/templates/Caddyfile.j2
+++ b/roles/reverse_proxy/templates/Caddyfile.j2
@@ -1,6 +1,9 @@
 # {{ ansible_managed }}
 {
   email {{ reverse_proxy__acme_email }}
+{%- if reverse_proxy__acme_ca %}
+  acme_ca {{ reverse_proxy__acme_ca }}
+{%- endif %}
 {% if reverse_proxy__acme_dns_provider == 'gandi' %}
   # ACME DNS-01 via Gandi (mesh/LAN-only hosts, incl. wildcard certs). Token is the
   # Gandi PAT, injected from the env file as a Bearer token (ADR-024). Needs the custom
@@ -10,6 +13,9 @@
 }
 {% for r in reverse_proxy__routes %}
 {{ r['host'] }} {
+{%- if reverse_proxy__tls_internal %}
+  tls internal
+{%- endif %}
 {% if r['caddy'] is defined %}
   {{ r['caddy'] | trim | indent(2, first=true) }}
 {% elif r['upstream'] is defined %}
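Review bot: The comment on the two new knobs should say how a test run is meant to trust the resulting certificates, because both `tls internal` and the Let's Encrypt staging directory issue chains no client trusts by default, and the tempting shortcut — turning off verification in the test client — also hides the real certificate failures the integration test exists to catch. I'd extend the block comment with `# Test clients must trust Caddy's local root (pki/authorities/local/root.crt under Caddy's data dir) or the LE staging root; never disable TLS verification in tests.` and name the value the second knob expects, e.g. `# e.g. https://acme-staging-v02.api.letsencrypt.org/directory`. Neither knob touches `reverse_proxy__acme_dns_provider`, so a staging run configured with the Gandi provider presumably still drives the real Gandi PAT; if that is intended it is worth stating here too.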
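Review bot: The added `{%- if reverse_proxy__acme_ca %}` / `{%- endif %}` tags strip the newline before them, and because `ansible.builtin.template` defaults to `trim_blocks: true` the newline after each tag is dropped as well; unless the template task overrides that, `acme_ca {{ reverse_proxy__acme_ca }}` is rendered onto the same line as `email {{ reverse_proxy__acme_email }}`, and Caddy rejects `email` with more than one argument. The rest of this template uses plain `{% if %}` and relies on trim_blocks, so match it: `{% if reverse_proxy__acme_ca %}` and `{% endif %}`. It is the rendered Caddyfile, not the template, that the ADR-025 integration test should check, e.g. with `caddy validate` on the output.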
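Review bot: Emitting `tls internal` in every site block duplicates what Caddy's `local_certs` global option does, and a route whose `caddy` snippet carries its own `tls` directive (the wildcard/DNS-01 routes the global-block comment mentions presumably do) ends up with two `tls` directives in one block, whose merge semantics are not obvious. Consider moving the knob into the global options block next to `acme_ca` — `{% if reverse_proxy__tls_internal %}`, `  local_certs`, `{% endif %}` — which keeps the test switch in one place and leaves a route's explicit `tls` in charge. Independently, the `{%-` left-strip here would glue `tls internal` onto the `{{ r['host'] }} {` line under Ansible's default `trim_blocks`, and Caddy's Caddyfile parser rejects a token after `{` on the same line. The `for` loop body continues past the end of this hunk.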