add some sites

This commit is contained in:
Ross
2025-12-07 14:28:00 +00:00
commit 390ec25bd5
9 changed files with 137 additions and 0 deletions
+1
View File
@@ -0,0 +1 @@
import sites/*.caddy
+39
View File
@@ -0,0 +1,39 @@
# infra-caddy — central Caddy config repo
This repository contains a recommended layout and tooling to manage Caddy site configurations in one place and deploy them safely to a system Caddy installation or container.
Layout
- `Caddyfile` — top-level that imports `sites/*.caddy`.
- `sites/*.caddy` — per-site small files (one site per file).
- `deploy/` — helper scripts and example hooks.
Quick example
1. On the server, create a checkout path, e.g. `/srv/caddy-config`.
2. Ensure the system Caddyfile (e.g. `/etc/caddy/Caddyfile`) imports the checked-out `Caddyfile` or `sites/*.caddy`:
```
import /srv/caddy-config/Caddyfile
```
3. Use the provided `deploy/deploy.sh` locally (or a CI job) to sync and run validation+reload, or push to a server bare repo and use the `deploy/post-receive` hook.
Safe deploy pattern
- Always run `caddy validate --config /etc/caddy/Caddyfile` (or `caddy adapt`) before reloading.
- Use the `deploy/validate-and-reload.sh` script as a canonical check-and-reload.
- Grant the `git` or deploy user the narrow sudo permission to reload Caddy by adding the line from `deploy/deploy-sudoers.example` to `/etc/sudoers.d/infra-caddy-deploy`.
Post-receive hook (server)
- Create a bare repo (e.g. `/home/git/infra-caddy.git`) and set the `post-receive` hook to the contents in `deploy/post-receive`.
- Ensure the checked-out working tree path in the hook (`/srv/caddy-config`) matches your system and that the `validate-and-reload.sh` is executable.
CI
- The included `.github/workflows/validate-and-deploy.yml` validates the Caddyfile using the official `caddy:2` image and demonstrates an rsync deploy step (requires `DEPLOY_USER`, `DEPLOY_HOST` secrets).
Security notes
- Do not store private keys or secrets in this git repo.
- Use Vault, environment variables, or other secret stores for API keys or TLS private keys.
Adding a new site
1. Add `sites/<hostname>.caddy` with the host block and rules.
2. Push; CI or post-receive will validate and deploy.
+5
View File
@@ -0,0 +1,5 @@
# Example sudoers line to allow the `git` or deploy user to reload caddy without a password.
# Install by placing a file in /etc/sudoers.d/ (e.g., /etc/sudoers.d/infra-caddy-deploy)
# Replace `git` with the deploy user you use for the hook.
git ALL=(root) NOPASSWD: /bin/systemctl reload caddy
+16
View File
@@ -0,0 +1,16 @@
#!/bin/sh
# Simple local deploy helper: copy or rsync this repo into the target DEPLOY_DIR
# Then validate and reload. Intended for operators running from the repo clone.
set -eu
THIS_DIR=$(cd "$(dirname "$0")/.." && pwd)
DEPLOY_DIR=${DEPLOY_DIR:-/srv/caddy-config}
SYSTEM_CADDYFILE=${SYSTEM_CADDYFILE:-/etc/caddy/Caddyfile}
echo "Syncing ${THIS_DIR} -> ${DEPLOY_DIR}"
mkdir -p "${DEPLOY_DIR}"
rsync -a --delete "${THIS_DIR}/" "${DEPLOY_DIR}/"
echo "Running validation and reload against ${SYSTEM_CADDYFILE}"
SYSTEM_CADDYFILE="${SYSTEM_CADDYFILE}" DEPLOY_DIR="${DEPLOY_DIR}" "${DEPLOY_DIR}/deploy/validate-and-reload.sh"
+17
View File
@@ -0,0 +1,17 @@
#!/bin/sh
# Example bare-repo post-receive hook to update a checked-out deploy directory
# Adjust DEPLOY_DIR and paths as necessary. Ensure this hook is executable.
DEPLOY_DIR=/srv/caddy-config
echo "Updating working tree at ${DEPLOY_DIR}"
GIT_WORK_TREE=${DEPLOY_DIR} git checkout -f
# Run validation + reload script from the deploy dir (if present)
if [ -x "${DEPLOY_DIR}/deploy/validate-and-reload.sh" ]; then
echo "Running validation and reload"
"${DEPLOY_DIR}/deploy/validate-and-reload.sh"
else
echo "No validate-and-reload.sh found or not executable in ${DEPLOY_DIR}/deploy" >&2
exit 1
fi
+23
View File
@@ -0,0 +1,23 @@
#!/bin/sh
# Validate system Caddy configuration and reload Caddy on success.
# Usage: run from the checked-out deployment directory, or pass env vars
# Environment variables:
# SYSTEM_CADDYFILE - path to system Caddyfile that includes this repo (default /etc/caddy/Caddyfile)
# DEPLOY_DIR - path of the checked-out config repo used by system Caddy (not modified by this script)
set -eu
SYSTEM_CADDYFILE=${SYSTEM_CADDYFILE:-/etc/caddy/Caddyfile}
DEPLOY_DIR=${DEPLOY_DIR:-/srv/caddy-config}
echo "Validating Caddy configuration: ${SYSTEM_CADDYFILE}"
if ! /usr/bin/caddy validate --config "${SYSTEM_CADDYFILE}"; then
echo "Caddy validation failed; aborting reload" >&2
exit 1
fi
echo "Validation succeeded; reloading Caddy"
sudo systemctl reload caddy
echo "Caddy reloaded successfully"
+17
View File
@@ -0,0 +1,17 @@
dinos.lan {
tls internal
route /media/* {
uri strip_prefix /media
root * /srv/toptrumps/media
file_server
}
handle_path /static/* {
root * /srv/toptrumps/static
file_server
}
reverse_proxy 127.0.0.1:8001
encode gzip
}
+8
View File
@@ -0,0 +1,8 @@
jelly.lan {
tls internal
# Reverse-proxy to Jellyfin running on localhost:8096
reverse_proxy http://127.0.0.1:8096
encode gzip
}
+11
View File
@@ -0,0 +1,11 @@
portainer.lan {
tls internal
reverse_proxy https://127.0.0.1:9443 {
transport http {
tls_insecure_skip_verify
}
}
encode gzip
}