Adds a per-instance DNS-01 mode to the Caddy role for mesh/LAN-only hosts that
cannot satisfy HTTP-01. Default behaviour (vanilla caddy:2 + HTTP-01, what askari
runs) is unchanged.
- reverse_proxy__acme_dns_provider: "" (HTTP-01) | "gandi" (DNS-01)
- reverse_proxy__image: override to the custom caddy-gandi image for DNS-01
- Caddyfile gains a global `acme_dns gandi {env.GANDI_BEARER_TOKEN}` block
- the PAT (vault.gandi.pat) renders into a host-only 0600 env file (no_log),
loaded by compose only when DNS-01 is enabled
Verified: the custom image issues a real wildcard cert (*.dns01test.wingu.me)
end-to-end against LE staging via Gandi DNS-01; `caddy validate` accepts
`acme_dns gandi` on the custom image and rejects it on vanilla caddy:2. Molecule
(HTTP-01 default path) green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
19 lines
627 B
Django/Jinja
```jinja
# {{ ansible_managed }}
{
    email {{ reverse_proxy__acme_email }}
{% if reverse_proxy__acme_dns_provider == 'gandi' %}
    # ACME DNS-01 via Gandi (mesh/LAN-only hosts, incl. wildcard certs). Token is the
    # Gandi PAT, injected from the env file as a Bearer token (ADR-024). Needs the custom
    # caddy-gandi image — the upstream caddy:2 has no DNS provider modules.
    acme_dns gandi {env.GANDI_BEARER_TOKEN}
{% endif %}
}
{% for r in reverse_proxy__routes %}
{{ r.host }} {
{% if r.upstream is defined %}
    reverse_proxy {{ r.upstream }}
{% else %}
    respond "{{ r.respond | default('boma') }}" 200
{% endif %}
}
{% endfor %}
```
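Review bot: `respond "{{ r.respond | default('boma') }}" 200` interpolates `r.respond` unescaped inside a double-quoted Caddyfile token, so a route value containing `"` breaks the rendered config, and a value containing `{...}` is parsed as a Caddy placeholder and expanded into the response body at request time; validate `r.respond` in the role (an `assert` against a conservative character pattern) or escape embedded quotes before rendering. Separately, only the literal `gandi` enables the `acme_dns` block, so any other non-empty `reverse_proxy__acme_dns_provider` silently renders the HTTP-01 configuration; an `assert` that the value is in `['', 'gandi']` would turn that typo into a hard failure instead of a cert that never issues.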