add some sites
This commit is contained in:
@@ -0,0 +1,39 @@
|
||||
# infra-caddy — central Caddy config repo
|
||||
|
||||
This repository contains a recommended layout and tooling to manage Caddy site configurations in one place and deploy them safely to a system Caddy installation or container.
|
||||
|
||||
Layout
|
||||
- `Caddyfile` — top-level that imports `sites/*.caddy`.
|
||||
- `sites/*.caddy` — per-site small files (one site per file).
|
||||
- `deploy/` — helper scripts and example hooks.
|
||||
|
||||
Quick example
|
||||
|
||||
1. On the server, create a checkout path, e.g. `/srv/caddy-config`.
|
||||
2. Ensure the system Caddyfile (e.g. `/etc/caddy/Caddyfile`) imports the checked-out `Caddyfile` or `sites/*.caddy`:
|
||||
|
||||
```
|
||||
import /srv/caddy-config/Caddyfile
|
||||
```
|
||||
|
||||
3. Use the provided `deploy/deploy.sh` locally (or a CI job) to sync and run validation+reload, or push to a server bare repo and use the `deploy/post-receive` hook.
|
||||
|
||||
Safe deploy pattern
|
||||
- Always run `caddy validate --config /etc/caddy/Caddyfile` (or `caddy adapt`) before reloading.
|
||||
- Use the `deploy/validate-and-reload.sh` script as a canonical check-and-reload.
|
||||
- Grant the `git` or deploy user the narrow sudo permission to reload Caddy by adding the line from `deploy/deploy-sudoers.example` to `/etc/sudoers.d/infra-caddy-deploy`.
|
||||
|
||||
Post-receive hook (server)
|
||||
- Create a bare repo (e.g. `/home/git/infra-caddy.git`) and set the `post-receive` hook to the contents in `deploy/post-receive`.
|
||||
- Ensure the checked-out working tree path in the hook (`/srv/caddy-config`) matches your system and that the `validate-and-reload.sh` is executable.
|
||||
|
||||
CI
|
||||
- The included `.github/workflows/validate-and-deploy.yml` validates the Caddyfile using the official `caddy:2` image and demonstrates an rsync deploy step (requires `DEPLOY_USER`, `DEPLOY_HOST` secrets).
|
||||
|
||||
Security notes
|
||||
- Do not store private keys or secrets in this git repo.
|
||||
- Use Vault, environment variables, or other secret stores for API keys or TLS private keys.
|
||||
|
||||
Adding a new site
|
||||
1. Add `sites/<hostname>.caddy` with the host block and rules.
|
||||
2. Push; CI or post-receive will validate and deploy.
|
||||
@@ -0,0 +1,5 @@
|
||||
# Example sudoers line to allow the `git` or deploy user to reload caddy without a password.
|
||||
# Install by placing a file in /etc/sudoers.d/ (e.g., /etc/sudoers.d/infra-caddy-deploy)
|
||||
# Replace `git` with the deploy user you use for the hook.
|
||||
|
||||
git ALL=(root) NOPASSWD: /bin/systemctl reload caddy
|
||||
Executable
+16
@@ -0,0 +1,16 @@
|
||||
#!/bin/sh
|
||||
# Simple local deploy helper: copy or rsync this repo into the target DEPLOY_DIR
|
||||
# Then validate and reload. Intended for operators running from the repo clone.
|
||||
|
||||
set -eu
|
||||
|
||||
THIS_DIR=$(cd "$(dirname "$0")/.." && pwd)
|
||||
DEPLOY_DIR=${DEPLOY_DIR:-/srv/caddy-config}
|
||||
SYSTEM_CADDYFILE=${SYSTEM_CADDYFILE:-/etc/caddy/Caddyfile}
|
||||
|
||||
echo "Syncing ${THIS_DIR} -> ${DEPLOY_DIR}"
|
||||
mkdir -p "${DEPLOY_DIR}"
|
||||
rsync -a --delete "${THIS_DIR}/" "${DEPLOY_DIR}/"
|
||||
|
||||
echo "Running validation and reload against ${SYSTEM_CADDYFILE}"
|
||||
SYSTEM_CADDYFILE="${SYSTEM_CADDYFILE}" DEPLOY_DIR="${DEPLOY_DIR}" "${DEPLOY_DIR}/deploy/validate-and-reload.sh"
|
||||
Executable
+17
@@ -0,0 +1,17 @@
|
||||
#!/bin/sh
|
||||
# Example bare-repo post-receive hook to update a checked-out deploy directory
|
||||
# Adjust DEPLOY_DIR and paths as necessary. Ensure this hook is executable.
|
||||
|
||||
DEPLOY_DIR=/srv/caddy-config
|
||||
|
||||
echo "Updating working tree at ${DEPLOY_DIR}"
|
||||
GIT_WORK_TREE=${DEPLOY_DIR} git checkout -f
|
||||
|
||||
# Run validation + reload script from the deploy dir (if present)
|
||||
if [ -x "${DEPLOY_DIR}/deploy/validate-and-reload.sh" ]; then
|
||||
echo "Running validation and reload"
|
||||
"${DEPLOY_DIR}/deploy/validate-and-reload.sh"
|
||||
else
|
||||
echo "No validate-and-reload.sh found or not executable in ${DEPLOY_DIR}/deploy" >&2
|
||||
exit 1
|
||||
fi
|
||||
Executable
+23
@@ -0,0 +1,23 @@
|
||||
#!/bin/sh
|
||||
# Validate system Caddy configuration and reload Caddy on success.
|
||||
# Usage: run from the checked-out deployment directory, or pass env vars
|
||||
# Environment variables:
|
||||
# SYSTEM_CADDYFILE - path to system Caddyfile that includes this repo (default /etc/caddy/Caddyfile)
|
||||
# DEPLOY_DIR - path of the checked-out config repo used by system Caddy (not modified by this script)
|
||||
|
||||
set -eu
|
||||
|
||||
SYSTEM_CADDYFILE=${SYSTEM_CADDYFILE:-/etc/caddy/Caddyfile}
|
||||
DEPLOY_DIR=${DEPLOY_DIR:-/srv/caddy-config}
|
||||
|
||||
echo "Validating Caddy configuration: ${SYSTEM_CADDYFILE}"
|
||||
|
||||
if ! /usr/bin/caddy validate --config "${SYSTEM_CADDYFILE}"; then
|
||||
echo "Caddy validation failed; aborting reload" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Validation succeeded; reloading Caddy"
|
||||
sudo systemctl reload caddy
|
||||
|
||||
echo "Caddy reloaded successfully"
|
||||
@@ -0,0 +1,17 @@
|
||||
dinos.lan {
|
||||
tls internal
|
||||
|
||||
route /media/* {
|
||||
uri strip_prefix /media
|
||||
root * /srv/toptrumps/media
|
||||
file_server
|
||||
}
|
||||
|
||||
handle_path /static/* {
|
||||
root * /srv/toptrumps/static
|
||||
file_server
|
||||
}
|
||||
|
||||
reverse_proxy 127.0.0.1:8001
|
||||
encode gzip
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
jelly.lan {
|
||||
tls internal
|
||||
|
||||
# Reverse-proxy to Jellyfin running on localhost:8096
|
||||
reverse_proxy http://127.0.0.1:8096
|
||||
|
||||
encode gzip
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
portainer.lan {
|
||||
tls internal
|
||||
|
||||
reverse_proxy https://127.0.0.1:9443 {
|
||||
transport http {
|
||||
tls_insecure_skip_verify
|
||||
}
|
||||
}
|
||||
|
||||
encode gzip
|
||||
}
|
||||
Reference in New Issue
Block a user