Adds a per-instance DNS-01 mode to the Caddy role for mesh/LAN-only hosts that
cannot satisfy HTTP-01. Default behaviour (vanilla caddy:2 + HTTP-01, what askari
runs) is unchanged.
- reverse_proxy__acme_dns_provider: "" (HTTP-01) | "gandi" (DNS-01)
- reverse_proxy__image: override to the custom caddy-gandi image for DNS-01
- Caddyfile gains a global `acme_dns gandi {env.GANDI_BEARER_TOKEN}` block
- the PAT (vault.gandi.pat) renders into a host-only 0600 env file (no_log),
loaded by compose only when DNS-01 is enabled
Verified: the custom image issues a real wildcard cert (*.dns01test.wingu.me)
end-to-end against LE staging via Gandi DNS-01; `caddy validate` accepts
`acme_dns gandi` on the custom image and rejects it on vanilla caddy:2. The Molecule
run (HTTP-01 default path) passes.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
- name: Ensure the service directory exists
|
|
ansible.builtin.file:
|
|
path: "{{ reverse_proxy__base_dir }}"
|
|
state: directory
|
|
mode: "0750"
|
|
tags: [config]
- name: Render the Caddyfile
|
|
ansible.builtin.template:
|
|
src: Caddyfile.j2
|
|
dest: "{{ reverse_proxy__base_dir }}/Caddyfile"
|
|
mode: "0644"
|
|
notify: reload caddy
|
|
tags: [config]
- name: Render the Gandi DNS-01 token env file
|
|
ansible.builtin.template:
|
|
src: env.j2
|
|
dest: "{{ reverse_proxy__base_dir }}/env"
|
|
mode: "0600"
|
|
no_log: true # contains the Gandi PAT
|
|
when: reverse_proxy__acme_dns_provider == 'gandi'
|
|
notify: reload caddy
|
|
tags: [config]
- name: Render the compose file
|
|
ansible.builtin.template:
|
|
src: docker-compose.yml.j2
|
|
dest: "{{ reverse_proxy__base_dir }}/docker-compose.yml"
|
|
mode: "0644"
|
|
tags: [config]
- name: Bring the reverse proxy up
|
|
community.docker.docker_compose_v2:
|
|
project_src: "{{ reverse_proxy__base_dir }}"
|
|
state: present
|
|
when: reverse_proxy__manage | bool
|
|
tags: [deploy]