boma/roles/reverse_proxy/tasks/main.yml
sjat 6e38693499 feat(reverse_proxy): optional ACME DNS-01 via Gandi (wildcard / LAN-only)
Adds a per-instance DNS-01 mode to the Caddy role for mesh/LAN-only hosts that
cannot satisfy HTTP-01. Default behaviour (vanilla caddy:2 + HTTP-01, what askari
runs) is unchanged.

  - reverse_proxy__acme_dns_provider: "" (HTTP-01) | "gandi" (DNS-01)
  - reverse_proxy__image: override to the custom caddy-gandi image for DNS-01
  - Caddyfile gains a global `acme_dns gandi {env.GANDI_BEARER_TOKEN}` block
  - the PAT (vault.gandi.pat) renders into a host-only 0600 env file (no_log),
    loaded by compose only when DNS-01 is enabled

Verified: the custom image issues a real wildcard cert (*.dns01test.wingu.me)
end-to-end against LE staging via Gandi DNS-01; `caddy validate` accepts
`acme_dns gandi` on the custom image and rejects it on vanilla caddy:2. Molecule
(HTTP-01 default path) green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 06:57:47 +02:00

39 lines
1 KiB
YAML

---
- name: Ensure the service directory exists
ansible.builtin.file:
path: "{{ reverse_proxy__base_dir }}"
state: directory
mode: "0750"
tags: [config]
- name: Render the Caddyfile
ansible.builtin.template:
src: Caddyfile.j2
dest: "{{ reverse_proxy__base_dir }}/Caddyfile"
mode: "0644"
notify: reload caddy
tags: [config]
- name: Render the Gandi DNS-01 token env file
ansible.builtin.template:
src: env.j2
dest: "{{ reverse_proxy__base_dir }}/env"
mode: "0600"
no_log: true # contains the Gandi PAT
when: reverse_proxy__acme_dns_provider == 'gandi'
notify: reload caddy
tags: [config]
- name: Render the compose file
ansible.builtin.template:
src: docker-compose.yml.j2
dest: "{{ reverse_proxy__base_dir }}/docker-compose.yml"
mode: "0644"
tags: [config]
- name: Bring the reverse proxy up
community.docker.docker_compose_v2:
project_src: "{{ reverse_proxy__base_dir }}"
state: present
when: reverse_proxy__manage | bool
tags: [deploy]