Files
2025-12-07 14:28:00 +00:00

40 lines
2.0 KiB
Markdown

# infra-caddy — central Caddy config repo
This repository contains a recommended layout and tooling to manage Caddy site configurations in one place and deploy them safely to a system Caddy installation or container.
Layout
- `Caddyfile` — top-level that imports `sites/*.caddy`.
- `sites/*.caddy` — per-site small files (one site per file).
- `deploy/` — helper scripts and example hooks.
Quick example
1. On the server, create a checkout path, e.g. `/srv/caddy-config`.
2. Ensure the system Caddyfile (e.g. `/etc/caddy/Caddyfile`) imports the checked-out `Caddyfile` or `sites/*.caddy`:
```
import /srv/caddy-config/Caddyfile
```
3. Use the provided `deploy/deploy.sh` locally (or a CI job) to sync and run validation+reload, or push to a server bare repo and use the `deploy/post-receive` hook.
Safe deploy pattern
- Always run `caddy validate --config /etc/caddy/Caddyfile` (or `caddy adapt`) before reloading.
- Use the `deploy/validate-and-reload.sh` script as a canonical check-and-reload.
- Grant the `git` or deploy user the narrow sudo permission to reload Caddy by adding the line from `deploy/deploy-sudoers.example` to `/etc/sudoers.d/infra-caddy-deploy`.
Post-receive hook (server)
- Create a bare repo (e.g. `/home/git/infra-caddy.git`) and set the `post-receive` hook to the contents in `deploy/post-receive`.
- Ensure the checked-out working tree path in the hook (`/srv/caddy-config`) matches your system and that the `validate-and-reload.sh` is executable.
CI
- The included `.github/workflows/validate-and-deploy.yml` validates the Caddyfile using the official `caddy:2` image and demonstrates an rsync deploy step (requires `DEPLOY_USER`, `DEPLOY_HOST` secrets).
Security notes
- Do not store private keys or secrets in this git repo.
- Use Vault, environment variables, or other secret stores for API keys or TLS private keys.
Adding a new site
1. Add `sites/<hostname>.caddy` with the host block and rules.
2. Push; CI or post-receive will validate and deploy.