Adds a per-instance DNS-01 mode to the Caddy role for mesh/LAN-only hosts that
cannot satisfy HTTP-01. Default behaviour (vanilla caddy:2 + HTTP-01, what askari
runs) is unchanged.
- reverse_proxy__acme_dns_provider: "" (HTTP-01) | "gandi" (DNS-01)
- reverse_proxy__image: override to the custom caddy-gandi image for DNS-01
- Caddyfile gains a global `acme_dns gandi {env.GANDI_BEARER_TOKEN}` block
- the PAT (vault.gandi.pat) renders into a host-only 0600 env file (no_log),
loaded by compose only when DNS-01 is enabled
Verified: the custom image issues a real wildcard cert (*.dns01test.wingu.me)
end-to-end against LE staging via Gandi DNS-01; `caddy validate` accepts
`acme_dns gandi` on the custom image and rejects it on vanilla caddy:2. Molecule
(HTTP-01 default path) green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
| Name |
|---|
| base |
| dev_env |
| docker_host |
| public_dns |
| reverse_proxy |
| README.md |
roles/
Local Ansible roles. No Galaxy roles — every role is written and maintained here
(ADR-003). Scaffold new ones with `make new-role NAME=<name>`; never create the
directory structure by hand.
Each role must have: a `molecule/default/` scenario (Debian 13), a populated
`README.md`, and a filled-in `meta/main.yml`. Conventions: `CLAUDE.md` and
`docs/runbooks/new-role.md`.
Current state: `base` is partially built: its firewall (nftables) and
hardening (SSH key-only + fail2ban) concerns are implemented, tested, and the
hardening concern is applied to askari; the remaining concerns (auditd, packages,
users) are not yet built. `docker_host` (Docker engine + Compose), `reverse_proxy`
(Caddy), `public_dns` (Gandi), and `dev_env` are built. See `STATUS.md` for the
authoritative breakdown.