- dev_env .zshrc: drop the rclone alias (not installed) and guard the direnv
hook with `command -v direnv` so a missing direnv doesn't error every shell (O16)
- dev_env oh-my-posh: tag the zen.toml theme deploy `config` (it renders config to
disk like the per_user dotfiles); the include now carries packages+config so a
`--tags config` run re-renders the theme while the binary install stays packages
only (O17). Verified via `molecule converge -- --tags config`.
- drop the non-vocabulary `tags: [verify]` from molecule verify playbooks across
base/docker_host/public_dns/reverse_proxy (check-tags exempts molecule anyway) (O25)
- reverse_proxy templates: add the `{{ ansible_managed }}` header (ADR-024 §1.2) (O26)
make lint green; dev_env + reverse_proxy molecule green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
||
|---|---|---|
| .. | ||
| defaults | ||
| handlers | ||
| meta | ||
| molecule/default | ||
| tasks | ||
| templates | ||
| ACCESS.md | ||
| README.md | ||
| SECURITY.md | ||
| VERIFY.md | ||
reverse_proxy
Boma's standard Caddy reverse proxy (ADR-024). Runs on askari (the off-site
Hetzner host) and terminates TLS for all public-facing services via ACME HTTP-01.
Uses the official caddy:2 image — no custom build, no DNS plugin, no token required.
How TLS works
Caddy obtains per-hostname certificates using the ACME HTTP-01 challenge. Port 80
must be reachable from the internet for the challenge to succeed. Each host in
reverse_proxy__routes gets its own certificate automatically.
DNS-01 (for mesh/LAN-only cluster services) is deferred to Phase 2. The
caddy-dns/gandiplugin failed to issue certificates during M4a and needs investigation before it can be used.
Route catalog — reverse_proxy__routes
Services register themselves as routes by appending an entry to
reverse_proxy__routes in group_vars/all/reverse_proxy.yml:
reverse_proxy__routes:
- {host: app.askari.wingu.me, upstream: "app:8080"}
- {host: health.askari.wingu.me, respond: "ok"}
Each entry renders a separate server block in the Caddyfile:
app.askari.wingu.me {
reverse_proxy app:8080
}
health.askari.wingu.me {
respond "ok" 200
}
Use upstream to proxy to a Docker service, or respond to return a static string.
Variables
| Variable | Default | Description |
|---|---|---|
reverse_proxy__base_dir |
/opt/services/reverse_proxy |
Working directory for Compose project |
reverse_proxy__acme_email |
admin@example.test |
ACME registration email |
reverse_proxy__routes |
[] |
List of {host, upstream} or {host, respond} entries |
reverse_proxy__manage |
true |
Set false in Molecule to skip Docker tasks |
Production overrides live in
inventories/production/group_vars/all/reverse_proxy.yml.
reverse_proxy__manage toggle
Docker operations (docker compose up) are gated on reverse_proxy__manage | bool.
Set it to false in Molecule so the role can be tested (template rendering, directory
creation) without a Docker daemon.
Secrets
None. HTTP-01 requires no credentials.