boma/roles/reverse_proxy
sjat b7e919d6b3 refactor(reverse_proxy): vanilla Caddy + HTTP-01 (drop DNS-01 custom image)
Switch from a custom caddy-dns/gandi image built on-host to the official
caddy:2 image with per-host ACME HTTP-01 certificates. Removes the
Dockerfile, env.j2 (Gandi token), on-host image build/ship/load tasks,
the caddy-image Makefile target, and the wildcard DNS-01 Caddyfile.
Each route now gets its own server block and automatic certificate.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 18:11:20 +02:00
..
defaults refactor(reverse_proxy): vanilla Caddy + HTTP-01 (drop DNS-01 custom image) 2026-06-14 18:11:20 +02:00
handlers refactor(reverse_proxy): vanilla Caddy + HTTP-01 (drop DNS-01 custom image) 2026-06-14 18:11:20 +02:00
meta feat(reverse_proxy): Caddy role (Gandi DNS-01, on-host image build, route catalog) 2026-06-14 17:36:58 +02:00
molecule/default refactor(reverse_proxy): vanilla Caddy + HTTP-01 (drop DNS-01 custom image) 2026-06-14 18:11:20 +02:00
tasks refactor(reverse_proxy): vanilla Caddy + HTTP-01 (drop DNS-01 custom image) 2026-06-14 18:11:20 +02:00
templates refactor(reverse_proxy): vanilla Caddy + HTTP-01 (drop DNS-01 custom image) 2026-06-14 18:11:20 +02:00
README.md refactor(reverse_proxy): vanilla Caddy + HTTP-01 (drop DNS-01 custom image) 2026-06-14 18:11:20 +02:00

reverse_proxy

Boma's standard Caddy reverse proxy (ADR-024). Runs on askari (the off-site Hetzner host) and terminates TLS for all public-facing services via ACME HTTP-01. Uses the official caddy:2 image — no custom build, no DNS plugin, no token required.

How TLS works

Caddy obtains per-hostname certificates using the ACME HTTP-01 challenge. Port 80 must be reachable from the internet for the challenge to succeed. Each host in reverse_proxy__routes gets its own certificate automatically.

DNS-01 (for mesh/LAN-only cluster services) is deferred to Phase 2. The caddy-dns/gandi plugin failed to issue certificates during M4a and needs investigation before it can be used.

Route catalog — reverse_proxy__routes

Services register themselves as routes by appending an entry to reverse_proxy__routes in group_vars/all/reverse_proxy.yml:

reverse_proxy__routes:
  - {host: app.askari.wingu.me, upstream: "app:8080"}
  - {host: health.askari.wingu.me, respond: "ok"}

Each entry renders a separate server block in the Caddyfile:

app.askari.wingu.me {
  reverse_proxy app:8080
}

health.askari.wingu.me {
  respond "ok" 200
}

Use upstream to proxy to a Docker service, or respond to return a static string.

Variables

Variable Default Description
reverse_proxy__base_dir /opt/services/reverse_proxy Working directory for Compose project
reverse_proxy__acme_email admin@example.test ACME registration email
reverse_proxy__routes [] List of {host, upstream} or {host, respond} entries
reverse_proxy__manage true Set false in Molecule to skip Docker tasks

Production overrides live in inventories/production/group_vars/all/reverse_proxy.yml.

reverse_proxy__manage toggle

Docker operations (docker compose up) are gated on reverse_proxy__manage | bool. Set it to false in Molecule so the role can be tested (template rendering, directory creation) without a Docker daemon.

Secrets

None. HTTP-01 requires no credentials.