41 lines
2.7 KiB
YAML
41 lines
2.7 KiB
YAML
---
|
|
# Caddy reverse proxy (ADR-024).
|
|
reverse_proxy__base_dir: /opt/services/reverse_proxy
|
|
reverse_proxy__acme_email: admin@example.test
|
|
reverse_proxy__routes: [] # each: {host: x, upstream: "svc:port"} OR {host: x, respond: "text"}
|
|
reverse_proxy__manage: true # set false in Molecule to render without Docker
|
|
|
|
# ACME challenge type (ADR-024). Default is HTTP-01 with the vanilla upstream image —
|
|
# correct for PUBLIC hosts with an A-record (askari). For mesh/LAN-only hosts with NO
|
|
# public A-record (the cluster), HTTP-01 is impossible: set reverse_proxy__acme_dns_provider
|
|
# to "gandi" AND point reverse_proxy__image at the custom Caddy+Gandi image to issue certs
|
|
# (incl. wildcards) via Gandi DNS-01. The token is vault.gandi.pat (sent as a Bearer PAT;
|
|
# the legacy Apikey scheme is gone). Build the image with `make caddy-image` (on ubongo).
|
|
reverse_proxy__image: "caddy:2" # DNS-01 hosts override -> the caddy-gandi registry image
|
|
reverse_proxy__acme_dns_provider: "" # "" = HTTP-01; "gandi" = ACME DNS-01 via Gandi PAT
|
|
|
|
# access__*/backup__* are the ADR-021/022 CROSS-ROLE conventions — shared field names that
|
|
# render ACCESS.md/BACKUP.md and drive /check-access · /check-backup. They intentionally do
|
|
# NOT carry the reverse_proxy__ prefix, so each is marked `# noqa: var-naming[no-role-prefix]`
|
|
# (ansible-lint's role-prefix rule has no per-prefix allowlist; keeping it enabled elsewhere).
|
|
|
|
# Operational-access record (ADR-021) — source of truth for ACCESS.md + /check-access.
|
|
access__service: reverse_proxy # noqa: var-naming[no-role-prefix]
|
|
access__compose_project: reverse_proxy # noqa: var-naming[no-role-prefix]
|
|
access__compose_path: "{{ reverse_proxy__base_dir }}/docker-compose.yml" # noqa: var-naming[no-role-prefix]
|
|
access__containers: [caddy] # noqa: var-naming[no-role-prefix]
|
|
access__log: # noqa: var-naming[no-role-prefix]
|
|
loki_labels: { service: caddy } # intent; Loki/Alloy pipeline is ADR-018 (pending)
|
|
access__api: # noqa: var-naming[no-role-prefix]
|
|
enabled: false
|
|
reason: "Caddy admin API bound to container localhost :2019; never exposed (ADR-020 catalog owns ports)"
|
|
|
|
# Backup contract (ADR-022). Stateless: Caddy's /data holds only ACME account keys +
|
|
# issued certs, which are re-requested automatically on restart via ACME (HTTP-01 or
|
|
# DNS-01; no manual steps). Residual risk: Let's Encrypt rate limits on rapid re-issuance.
|
|
backup__service: reverse_proxy # noqa: var-naming[no-role-prefix]
|
|
backup__state: false # noqa: var-naming[no-role-prefix]
|
|
|
|
# Integration-test / staging cert knobs (ADR-025). Default off = production behaviour.
|
|
reverse_proxy__tls_internal: false # true => every site uses Caddy's self-signed CA
|
|
reverse_proxy__acme_ca: "" # set to the LE staging directory URL to use staging
|