feat(reverse-proxy): Add Caddy for reverse proxy

Signed-off-by: Tuan-Dat Tran <tuan-dat.tran@tudattr.dev>

roles/reverse_proxy/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+caddy_version: latest
+caddy_config_path: /etc/caddy/Caddyfile
+caddy_binary: ./caddy
+
+go_version: 1.23.4

roles/reverse_proxy/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: Restart Caddy
+  ansible.builtin.command: "{{ caddy_binary }} reload --config {{ caddy_config_path  }}"
+  become: true

roles/reverse_proxy/tasks/configure.yml

@@ -0,0 +1,15 @@
+---
+- name: Ensure Caddy configuration directory exists
+  ansible.builtin.file:
+    path: /etc/caddy
+    state: directory
+    mode: "0755"
+  become: true
+
+- name: Deploy Caddy configuration file
+  ansible.builtin.template:
+    src: Caddyfile.j2
+    dest: "{{ caddy_config_path }}"
+    mode: "0644"
+  become: true
+  notify: Restart Caddy

roles/reverse_proxy/tasks/install.yml

@@ -0,0 +1,32 @@
+---
+- name: Download xCaddy GPG key
+  ansible.builtin.get_url:
+    url: "https://dl.cloudsmith.io/public/caddy/xcaddy/gpg.key"
+    dest: /etc/apt/keyrings/caddy-xcaddy.asc
+    mode: "0644"
+  become: true
+
+- name: Add xCaddy repository to apt sources
+  ansible.builtin.apt_repository:
+    repo: "deb [signed-by=/etc/apt/keyrings/caddy-xcaddy.asc] https://dl.cloudsmith.io/public/caddy/xcaddy/deb/debian any-version main"
+    state: present
+    update_cache: true
+  become: true
+
+- name: Update apt cache
+  ansible.builtin.apt:
+    update_cache: true
+  become: true
+
+- name: Install xCaddy
+  ansible.builtin.apt:
+    name: xcaddy
+    state: present
+  become: true
+
+- name: Install Caddy
+  ansible.builtin.command: xcaddy build --with github.com/caddy-dns/netcup
+  environment:
+    PATH: "{{ ansible_env.PATH }}:/usr/local/go/bin"
+  register: xcaddy_build
+  failed_when: xcaddy_build.rc != 0

roles/reverse_proxy/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Install Prerequisites
+  ansible.builtin.include_tasks: prereq.yml
+- name: Install Caddy
+  ansible.builtin.include_tasks: install.yml
+- name: Configure Caddy
+  ansible.builtin.include_tasks: configure.yml
+- name: Start Caddy
+  ansible.builtin.include_tasks: start.yml

roles/reverse_proxy/tasks/prereq.yml

@@ -0,0 +1,44 @@
+---
+- name: Install prerequisites for Caddy
+  ansible.builtin.apt:
+    name:
+      - debian-keyring
+      - debian-archive-keyring
+      - apt-transport-https
+      - curl
+    state: present
+    update_cache: true
+  become: true
+
+- name: Remove existing Go installation
+  ansible.builtin.file:
+    path: /usr/local/go
+    state: absent
+  become: true
+
+- name: Download Go tarball
+  ansible.builtin.get_url:
+    url: "https://go.dev/dl/go{{ go_version }}.linux-amd64.tar.gz"
+    dest: "/tmp/go{{ go_version }}.linux-amd64.tar.gz"
+    mode: "0755"
+
+- name: Extract Go tarball to /usr/local
+  ansible.builtin.unarchive:
+    src: /tmp/go1.23.4.linux-amd64.tar.gz
+    dest: /usr/local
+    remote_src: true
+  become: true
+  register: go_install
+
+- name: Ensure Go binary path is added to /etc/profile
+  ansible.builtin.lineinfile:
+    path: /etc/profile
+    line: "PATH=$PATH:/usr/local/go/bin"
+    state: present
+    regexp: "^PATH=.*:/usr/local/go/bin$"
+  become: true
+
+- name: Source /etc/profile to update PATH for the current session
+  ansible.builtin.shell: "source /etc/profile"
+  args:
+    executable: /bin/bash

roles/reverse_proxy/tasks/start.yml

@@ -0,0 +1,4 @@
+---
+- name: Ensure Caddy service is running
+  ansible.builtin.command: "{{ caddy_binary }} start --config {{ caddy_config_path }}"
+  become: true

roles/reverse_proxy/templates/Caddyfile.j2

@@ -0,0 +1,26 @@
+{
+    email {{ caddy.admin_email | default('admin@example.com') }}
+    acme_ca {{ caddy.acme_ca | default('https://acme-v02.api.letsencrypt.org/directory') }}
+}
+
+{% for service in services %}
+{{ service.name }}.{{ domain }} {
+    {% for vm in service.vm %}
+    reverse_proxy {{ hostvars[vm].ansible_host }}:{{ service.port }}
+    {% endfor %}
+    log {
+        output file /var/log/caddy/{{ service.name }}.log
+        format json
+    }
+	tls {
+		dns netcup {
+			customer_number {{ vault.netcup.customer_number }}
+			api_key {{ vault.netcup.api_key}}
+			api_password {{ vault.netcup.api_password }}
+		}
+    propagation_timeout 900s
+		propagation_delay 600s
+		resolvers 1.1.1.1
+	}
+}
+{% endfor %}