feat(reverse-proxy): Add Caddy for reverse proxy

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>
2025-01-12 21:19:37 +01:00
parent 88141f8869
commit 1a1b8cb69c
18 changed files with 299 additions and 47 deletions
--- a/docker-lb.yml
+++ b/docker-lb.yml
@@ -0,0 +1,13 @@
+---
+- name: Set up reverse proxy for docker
+  hosts: docker_lb
+  gather_facts: yes
+  vars_files:
+    - secrets.yml
+  roles:
+    - role: common
+      tags:
+        - common
+    - role: reverse_proxy
+      tags:
+        - reverse_proxy
--- a/group_vars/docker/vars.yml
+++ b/group_vars/docker/vars.yml
@@ -2,3 +2,78 @@ docker:
  url: "https://download.docker.com/linux"
  apt_release_channel: "stable"
  dirs: "/opt/docker"
+
+caddy:
+  admin_email: me+acme@tudattr.dev
+
+domain: "seyshiro.de"
+
+services:
+  - name: syncthing
+    vm:
+      - docker-host00
+    port: 8384
+  - name: status
+    vm:
+      - docker-host00
+    port: 3001
+  - name: plex
+    vm:
+      - docker-host00
+    port: 32400
+  - name: jellyfin
+    vm:
+      - docker-host02
+    port: 8096
+  - name: hass
+    vm:
+      - docker-host02
+    port: 8123
+  - name: ddns
+    vm:
+      - docker-host00
+    port: 8123
+  - name: sonarr
+    vm:
+      - docker-host00
+    port: 8989
+  - name: radarr
+    vm:
+      - docker-host00
+    port: 7878
+  - name: lidarr
+    vm:
+      - docker-host00
+    port: 8686
+  - name: prowlarr
+    vm:
+      - docker-host00
+    port: 9696
+  - name: qbit
+    vm:
+      - docker-host00
+    port: 9696
+  - name: tl
+    vm:
+      - docker-host00
+    port: 9696
+  - name: paperless
+    vm:
+      - docker-host00
+    port: 8000
+  - name: pdf
+    vm:
+      - docker-host00
+    port: 8080
+  - name: git
+    vm:
+      - docker-host02
+    port: 3000
+  - name: changedetection
+    vm:
+      - docker-host00
+    port: 5000
+  - name: calibre
+    vm:
+      - docker-host00
+    port: 5000
--- a/host_vars/docker-host00.yml
+++ b/host_vars/docker-host00.yml
@@ -8,19 +8,3 @@ ansible_become_pass: "{{ vault.docker.host00.sudo }}"
 host:
  hostname: "docker-host00"
  ip: "{{ ansible_host }}"
-
-enable_nginx: true
-enable_syncthing: true
-enable_kuma: true
-enable_plex: true
-enable_arr: true
-enable_prometheus: false
-enable_grafana: false
-enable_ddns_updater: true
-enable_homeassistant: false
-enable_stirling: true
-enable_jellyfin: false
-enable_paperless: true
-enable_gitea: false
-enable_changedetection: true
-enable_calibre: false
--- a/host_vars/docker-host01.yml
+++ b/host_vars/docker-host01.yml
@@ -8,3 +8,19 @@ ansible_become_pass: "{{ vault.docker.host01.sudo }}"
 host:
  hostname: "docker-host01"
  ip: "{{ ansible_host }}"
+
+enable_nginx: true
+enable_syncthing: true
+enable_kuma: true
+enable_plex: true
+enable_arr: true
+enable_prometheus: false
+enable_grafana: false
+enable_ddns_updater: true
+enable_homeassistant: false
+enable_stirling: true
+enable_jellyfin: false
+enable_paperless: true
+enable_gitea: false
+enable_changedetection: true
+enable_calibre: false
--- a/host_vars/docker-host02.yml
+++ b/host_vars/docker-host02.yml
@@ -8,19 +8,3 @@ ansible_become_pass: "{{ vault.docker.host02.sudo }}"
 host:
  hostname: "docker-host02"
  ip: "{{ ansible_host }}"
-
-enable_nginx: true
-enable_syncthing: false
-enable_kuma: false
-enable_plex: false
-enable_arr: false
-enable_prometheus: false
-enable_grafana: false
-enable_ddns_updater: false
-enable_homeassistant: true
-enable_stirling: false
-enable_jellyfin: true
-enable_paperless: false
-enable_gitea: true
-enable_changedetection: false
-enable_calibre: false
--- a/host_vars/docker-lb.yml
+++ b/host_vars/docker-lb.yml
@@ -0,0 +1,10 @@
+---
+ansible_user: "{{ user }}"
+ansible_host: 192.168.20.37
+ansible_port: 22
+ansible_ssh_private_key_file: "{{ pk_path }}"
+ansible_become_pass: "{{ vault.docker.lb.sudo }}"
+
+host:
+  hostname: "docker-lb"
+  ip: "{{ ansible_host }}"
--- a/6
+++ b/6
@@ -66,12 +66,18 @@ ansible_ssh_common_args='-o ProxyCommand="ssh -p 22 -W %h:%p -q aya01"'

 [docker]
 docker-host00
+docker-host01
 docker-host02
+docker-lb

 [docker_host]
 docker-host00
+docker-host01
 docker-host02

+[docker_lb]
+docker-lb
+
 [proxmox]
 aya01
 lulu
--- a/roles/common/files/bash/bashrc
+++ b/roles/common/files/bash/bashrc
@@ -50,3 +50,7 @@ if ! shopt -oq posix; then
    . /etc/bash_completion
  fi
 fi
+
+if [ -f /etc/profile ]; then
+  . /etc/profile
+fi
--- a/roles/docker_host/templates/compose.yaml.j2
+++ b/roles/docker_host/templates/compose.yaml.j2
@@ -1,5 +1,6 @@
 services:
-{% if enable_nginx %}
+{% for service in services %}
+{% if service.name == 'nginx' and inventory_hostname in service.vm %}
  nginx:
    container_name: "nginx"
    image: "jc21/nginx-proxy-manager:latest"
@@ -16,7 +17,7 @@ services:
      - "/var/run/docker.sock:/var/run/docker.sock"
 {% endif %}

-{% if enable_syncthing %}
+{% if service.name == 'syncthing' and inventory_hostname in service.vm %}
  syncthing:
    image: syncthing/syncthing
    container_name: syncthing
@@ -38,7 +39,7 @@ services:
    hostname: syncthing
 {% endif %}

-{% if enable_kuma %}
+{% if service.name == 'status' and inventory_hostname in service.vm %}
  kuma:
    container_name: kuma
    image: louislam/uptime-kuma:1
@@ -57,7 +58,7 @@ services:
      - "/opt/local/kuma/:/app/data"
 {% endif %}

-{% if enable_plex %}
+{% if service.name == 'plex' and inventory_hostname in service.vm %}
  plex:
    image: lscr.io/linuxserver/plex:latest
    container_name: plex
@@ -89,7 +90,7 @@ services:
      - "/media/songs:/music:ro"
 {% endif %}

-{% if enable_arr %}
+{% if service.name == 'sonarr' and inventory_hostname in service.vm %}
  sonarr:
    image: lscr.io/linuxserver/sonarr:latest
    container_name: sonarr
@@ -106,7 +107,9 @@ services:
      - /opt/local/sonarr/config:/config
      - /media/series:/tv #optional
      - /media/docker/data/arr_downloads/sonarr:/downloads #optional
+{% endif %}

+{% if service.name == 'radarr' and inventory_hostname in service.vm %}
  radarr:
    image: lscr.io/linuxserver/radarr:latest
    container_name: radarr
@@ -123,7 +126,9 @@ services:
      - /opt/local/radarr/config:/config
      - /media/movies:/movies #optional
      - /media/docker/data/arr_downloads/radarr:/downloads #optional
+{% endif %}

+{% if service.name == 'lidarr' and inventory_hostname in service.vm %}
  lidarr:
    image: lscr.io/linuxserver/lidarr:latest
    container_name: lidarr
@@ -140,7 +145,9 @@ services:
      - /opt/local/lidarr/config:/config
      - /media/songs:/music #optional
      - /media/docker/data/arr_downloads/lidarr:/downloads #optional
+{% endif %}

+{% if service.name == 'prowlarr' and inventory_hostname in service.vm %}
  prowlarr:
    image: lscr.io/linuxserver/prowlarr:latest
    container_name: prowlarr
@@ -155,7 +162,9 @@ services:
      - TZ=Europe/Berlin
    volumes:
      - /opt/local/prowlarr/config:/config
+{% endif %}

+{% if service.name == 'tl' and inventory_hostname in service.vm %}
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
@@ -181,7 +190,9 @@ services:
      - SERVER_COUNTRIES=Hungary
      - OPENVPN_USER=MfCOtzTIEsmu1wY-q2lAZ3X1+pmp
      - OPENVPN_PASSWORD=knCl1Zl5PHz4HMWVCGR77dYa
+{% endif %}

+{% if service.name == 'tl' and inventory_hostname in service.vm %}
  torrentleech:
    image: qbittorrentofficial/qbittorrent-nox
    container_name: torrentleech
@@ -198,7 +209,9 @@ services:
    volumes:
      - /opt/docker/config/torrentleech/config:/config
      - /media/docker/data/arr_downloads:/downloads
+{% endif %}

+{% if service.name == 'qbit' and inventory_hostname in service.vm %}
  qbit:
    image: qbittorrentofficial/qbittorrent-nox
    container_name: qbit
@@ -217,7 +230,7 @@ services:
      - /media/docker/data/arr_downloads:/downloads
 {% endif %}

-{% if enable_prometheus %}
+{% if service.name == 'prometheus' and inventory_hostname in service.vm %}
  prometheus:
    image: prom/prometheus
    container_name: prometheus
@@ -235,7 +248,7 @@ services:
      - prometheus_data:/prometheus/
 {% endif %}

-{% if enable_grafana %}
+{% if service.name == 'grafana' and inventory_hostname in service.vm %}
  grafana:
    image: grafana/grafana-oss
    container_name: grafana
@@ -254,7 +267,7 @@ services:
      - /opt/docker/config/grafana/config/:/etc/grafana/
 {% endif %}

-{% if enable_ddns_updater %}
+{% if service.name == 'ddns' and inventory_hostname in service.vm %}
  ddns-updater:
    container_name: ddns-updater
    image: "ghcr.io/qdm12/ddns-updater"
@@ -267,7 +280,7 @@ services:
      - "/opt/docker/config/ddns-updater/data/:/updater/data/"
 {% endif %}

-{% if enable_homeassistant %}
+{% if service.name == 'hass' and inventory_hostname in service.vm %}
  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
@@ -287,7 +300,7 @@ services:
      - 5683:5683/udp
 {% endif %}

-{% if enable_stirling %}
+{% if service.name == 'pdf' and inventory_hostname in service.vm %}
  stirling:
    container_name: stirling
    image: frooodle/s-pdf:latest
@@ -298,7 +311,7 @@ services:
      net: {}
 {% endif %}

-{% if enable_jellyfin %}
+{% if service.name == 'jellyfin' and inventory_hostname in service.vm %}
  jellyfin:
    container_name: jellyfin
    image: jellyfin/jellyfin
@@ -319,7 +332,7 @@ services:
      - "8096:8096"
 {% endif %}

-{% if enable_paperless %}
+{% if service.name == 'paperless' and inventory_hostname in service.vm %}
  paperless-broker:
    container_name: paperless-broker
    image: docker.io/library/redis:7
@@ -378,7 +391,7 @@ services:
      - "PAPERLESS_OCR_LANGUAGE=deu"
 {% endif %}

-{% if enable_gitea %}
+{% if service.name == 'git' and inventory_hostname in service.vm %}
  git:
    container_name: git
    image: gitea/gitea:1.20.5-rootless
@@ -400,7 +413,7 @@ services:
      - USER_GID=1000
 {% endif %}

-{% if enable_changedetection %}
+{% if service.name == 'changedetection' and inventory_hostname in service.vm %}
  changedetection:
    container_name: changedetection
    image: dgtlmoon/changedetection.io
@@ -413,7 +426,7 @@ services:
      - "/opt/docker/config/changedetection/data/:/datastore"
 {% endif %}

-{% if enable_calibre %}
+{% if service.name == 'calibre' and inventory_hostname in service.vm %}
  calibre:
    container_name: calibre
    image: lscr.io/linuxserver/calibre-web:latest
@@ -431,6 +444,7 @@ services:
      - "/opt/local/calibre/:/config"
      - "/media/docker/data/calibre/:/books"
 {% endif %}
+{% endfor %}

 networks:
  net:
--- a/roles/reverse_proxy/defaults/main.yml
+++ b/roles/reverse_proxy/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+caddy_version: latest
+caddy_config_path: /etc/caddy/Caddyfile
+caddy_binary: ./caddy
+
+go_version: 1.23.4
--- a/roles/reverse_proxy/handlers/main.yml
+++ b/roles/reverse_proxy/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: Restart Caddy
+  ansible.builtin.command: "{{ caddy_binary }} reload --config {{ caddy_config_path  }}"
+  become: true
--- a/roles/reverse_proxy/tasks/configure.yml
+++ b/roles/reverse_proxy/tasks/configure.yml
@@ -0,0 +1,15 @@
+---
+- name: Ensure Caddy configuration directory exists
+  ansible.builtin.file:
+    path: /etc/caddy
+    state: directory
+    mode: "0755"
+  become: true
+
+- name: Deploy Caddy configuration file
+  ansible.builtin.template:
+    src: Caddyfile.j2
+    dest: "{{ caddy_config_path }}"
+    mode: "0644"
+  become: true
+  notify: Restart Caddy
--- a/roles/reverse_proxy/tasks/install.yml
+++ b/roles/reverse_proxy/tasks/install.yml
@@ -0,0 +1,32 @@
+---
+- name: Download xCaddy GPG key
+  ansible.builtin.get_url:
+    url: "https://dl.cloudsmith.io/public/caddy/xcaddy/gpg.key"
+    dest: /etc/apt/keyrings/caddy-xcaddy.asc
+    mode: "0644"
+  become: true
+
+- name: Add xCaddy repository to apt sources
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by=/etc/apt/keyrings/caddy-xcaddy.asc] https://dl.cloudsmith.io/public/caddy/xcaddy/deb/debian any-version main"
+    state: present
+    update_cache: true
+  become: true
+
+- name: Update apt cache
+  ansible.builtin.apt:
+    update_cache: true
+  become: true
+
+- name: Install xCaddy
+  ansible.builtin.apt:
+    name: xcaddy
+    state: present
+  become: true
+
+- name: Install Caddy
+  ansible.builtin.command: xcaddy build --with github.com/caddy-dns/netcup
+  environment:
+    PATH: "{{ ansible_env.PATH }}:/usr/local/go/bin"
+  register: xcaddy_build
+  failed_when: xcaddy_build.rc != 0
--- a/roles/reverse_proxy/tasks/main.yml
+++ b/roles/reverse_proxy/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Install Prerequisites
+  ansible.builtin.include_tasks: prereq.yml
+- name: Install Caddy
+  ansible.builtin.include_tasks: install.yml
+- name: Configure Caddy
+  ansible.builtin.include_tasks: configure.yml
+- name: Start Caddy
+  ansible.builtin.include_tasks: start.yml
--- a/roles/reverse_proxy/tasks/prereq.yml
+++ b/roles/reverse_proxy/tasks/prereq.yml
@@ -0,0 +1,44 @@
+---
+- name: Install prerequisites for Caddy
+  ansible.builtin.apt:
+    name:
+      - debian-keyring
+      - debian-archive-keyring
+      - apt-transport-https
+      - curl
+    state: present
+    update_cache: true
+  become: true
+
+- name: Remove existing Go installation
+  ansible.builtin.file:
+    path: /usr/local/go
+    state: absent
+  become: true
+
+- name: Download Go tarball
+  ansible.builtin.get_url:
+    url: "https://go.dev/dl/go{{ go_version }}.linux-amd64.tar.gz"
+    dest: "/tmp/go{{ go_version }}.linux-amd64.tar.gz"
+    mode: "0755"
+
+- name: Extract Go tarball to /usr/local
+  ansible.builtin.unarchive:
+    src: /tmp/go1.23.4.linux-amd64.tar.gz
+    dest: /usr/local
+    remote_src: true
+  become: true
+  register: go_install
+
+- name: Ensure Go binary path is added to /etc/profile
+  ansible.builtin.lineinfile:
+    path: /etc/profile
+    line: "PATH=$PATH:/usr/local/go/bin"
+    state: present
+    regexp: "^PATH=.*:/usr/local/go/bin$"
+  become: true
+
+- name: Source /etc/profile to update PATH for the current session
+  ansible.builtin.shell: "source /etc/profile"
+  args:
+    executable: /bin/bash
--- a/roles/reverse_proxy/tasks/start.yml
+++ b/roles/reverse_proxy/tasks/start.yml
@@ -0,0 +1,4 @@
+---
+- name: Ensure Caddy service is running
+  ansible.builtin.command: "{{ caddy_binary }} start --config {{ caddy_config_path }}"
+  become: true
--- a/roles/reverse_proxy/templates/Caddyfile.j2
+++ b/roles/reverse_proxy/templates/Caddyfile.j2
@@ -0,0 +1,26 @@
+{
+    email {{ caddy.admin_email | default('admin@example.com') }}
+    acme_ca {{ caddy.acme_ca | default('https://acme-v02.api.letsencrypt.org/directory') }}
+}
+
+{% for service in services %}
+{{ service.name }}.{{ domain }} {
+    {% for vm in service.vm %}
+    reverse_proxy {{ hostvars[vm].ansible_host }}:{{ service.port }}
+    {% endfor %}
+    log {
+        output file /var/log/caddy/{{ service.name }}.log
+        format json
+    }
+	tls {
+		dns netcup {
+			customer_number {{ vault.netcup.customer_number }}
+			api_key {{ vault.netcup.api_key}}
+			api_password {{ vault.netcup.api_password }}
+		}
+    propagation_timeout 900s
+		propagation_delay 600s
+		resolvers 1.1.1.1
+	}
+}
+{% endfor %}
--- a/secrets.yml.skeleton
+++ b/secrets.yml.skeleton
@@ -31,3 +31,9 @@ vault:
      sudo: ........
    host02:
      sudo: ........
+    lb:
+      sudo: ........
+  netcup:
+    customer_number: ........
+    api_key: ........
+    api_password: ........