bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2b4844b2113dfae906b8bb9c43c12fb7579c4cc2
deploy_home/ansible/roles/podman/templates/caddy/Caddyfile.j2
Bastian de Byl c96aeafb3f feat: add git.skudak.com Gitea instance and skudak domain migrations 
Gitea Skudak (git.skudak.com):
- New Gitea instance with PostgreSQL in podman pod under git user
- SSH access via Gitea's built-in SSH server on port 2222
- Registration restricted to @skudak.com emails with email confirmation
- SMTP configured for email delivery

Domain migrations:
- wiki.skudakrennsport.com → wiki.skudak.com (302 redirect)
- cloud.skudakrennsport.com + cloud.skudak.com (dual-domain serving)
- BookStack APP_URL updated to wiki.skudak.com
- Nextcloud trusted_domains updated for cloud.skudak.com

Infrastructure:
- SELinux context for git user container storage (container_file_t)
- Firewall rule for port 2222/tcp (Gitea Skudak SSH)
- Caddy reverse proxy for git.skudak.com

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-15 22:27:02 -05:00

390 lines
8.2 KiB
Django/Jinja
Raw Blame History

# Caddy Configuration
# Managed by Ansible - do not edit directly
# Global options
{
email {{ caddy_email }}
acme_ca {{ caddy_acme_ca }}
# Admin API endpoint
admin 0.0.0.0:{{ caddy_admin_port }}
# Global server options
servers {
protocols h1 h2 h3
}
# Logging
log {
output file /var/log/caddy/caddy.log
format {{ caddy_log_format }}
level {{ caddy_log_level }}
}
}
# Import snippet for common security headers
(common_headers) {
header {
{% for header, value in caddy_security_headers.items() %}
{{ header }} "{{ value }}"
{% endfor %}
-Server
-X-Powered-By
}
}
# Jinja2 macro for IP-restricted sites with redirect
{% macro ip_restricted_site(networks=caddy_local_networks) %}
@local {
remote_ip {{ networks | join(' ') }}
}
@denied {
not remote_ip {{ networks | join(' ') }}
}
# Redirect non-local traffic
handle @denied {
redir https://debyl.io{uri} 302
}
{% endmacro %}
# ============================================================================
# SITE CONFIGURATIONS
# ============================================================================
# Simple redirect: {{ base_server_name }} -> {{ base_server_name_io }}
{{ base_server_name }} {
redir https://{{ base_server_name_io }}{uri} 302
}
# ============================================================================
# SIMPLE REVERSE PROXIES
# ============================================================================
# Photos service - redirect old to new
{{ photos_server_name }} {
redir https://{{ photos_server_name_io }}{uri} 302
}
# Photos service - {{ photos_server_name_io }}
{{ photos_server_name_io }} {
import common_headers
reverse_proxy localhost:8088
log {
output file /var/log/caddy/photos.log
format json
}
}
# Wiki/BookStack - {{ bookstack_server_name }} redirect to new domain
{{ bookstack_server_name }} {
redir https://{{ bookstack_server_name_new }}{uri} 302
}
# Wiki/BookStack - {{ bookstack_server_name_new }} (new primary domain)
{{ bookstack_server_name_new }} {
import common_headers
reverse_proxy localhost:6875
log {
output file /var/log/caddy/wiki.log
format json
}
}
# ============================================================================
# IP-RESTRICTED SITES
# ============================================================================
# Home Assistant - redirect old to new
{{ assistant_server_name }} {
redir https://{{ assistant_server_name_io }}{uri} 302
}
# Home Assistant - {{ assistant_server_name_io }}
{{ assistant_server_name_io }} {
{{ ip_restricted_site() }}
handle @local {
reverse_proxy localhost:8123 {
# WebSocket support is automatic
flush_interval -1
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
X-Content-Type-Options "nosniff"
Referrer-Policy "same-origin"
}
}
log {
output file /var/log/caddy/assistant.log
format json
}
}
# CI/Drone - REMOVED
# ci.bdebyl.net configuration removed - Drone CI infrastructure decommissioned
# Home server - redirect old to new
{{ home_server_name }} {
redir https://{{ home_server_name_io }}{uri} 302
}
# Home server - {{ home_server_name_io }}
{{ home_server_name_io }} {
{{ ip_restricted_site() }}
handle @local {
respond "Home Server Access OK" 200
}
}
# Parts/Partsy - redirect old to new
{{ parts_server_name }} {
redir https://{{ parts_server_name_io }}{uri} 302
}
# Parts/Partsy - {{ parts_server_name_io }}
{{ parts_server_name_io }} {
{{ ip_restricted_site() }}
handle @local {
import common_headers
reverse_proxy localhost:8081
}
log {
output file /var/log/caddy/parts.log
format json
}
}
# Uptime Kuma - {{ uptime_kuma_server_name }}
{{ uptime_kuma_server_name }} {
{{ ip_restricted_site() }}
handle @local {
import common_headers
reverse_proxy localhost:3001 {
# WebSocket support for live updates
flush_interval -1
}
}
log {
output file /var/log/caddy/uptime-kuma.log
format json
}
}
# Graylog Logs - {{ logs_server_name }}
{{ logs_server_name }} {
# GELF HTTP endpoint - open for Lambda (auth via header)
# Must come BEFORE ip_restricted_site to allow external access
@gelf_authorized {
path /gelf
header X-Gelf-Token "{{ gelf_auth_token }}"
}
handle @gelf_authorized {
reverse_proxy localhost:12202
}
# Reject unauthorized GELF requests
handle /gelf {
respond "Unauthorized" 401
}
# IP restriction for Graylog web UI (excludes /gelf which is handled above)
@local {
remote_ip {{ caddy_local_networks | join(' ') }}
}
@denied {
not remote_ip {{ caddy_local_networks | join(' ') }}
not path /gelf
}
handle @denied {
redir https://debyl.io{uri} 302
}
handle @local {
import common_headers
reverse_proxy localhost:9000
}
log {
output file /var/log/caddy/graylog.log
format json
}
}
# ============================================================================
# COMPLEX CONFIGURATIONS
# ============================================================================
# Nextcloud - redirect old to new
{{ cloud_server_name }} {
redir https://{{ cloud_server_name_io }}{uri} 302
}
# Nextcloud - {{ cloud_server_name_io }}
{{ cloud_server_name_io }} {
request_body {
max_size {{ caddy_max_request_body_mb }}MB
}
reverse_proxy localhost:8089 {
header_up Host {host}
header_up X-Real-IP {remote}
# X-Forwarded-For and X-Forwarded-Proto are automatic
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
X-Content-Type-Options "nosniff"
Referrer-Policy "same-origin"
-X-Powered-By
}
# Nextcloud specific redirects
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
log {
output file /var/log/caddy/cloud.log
format json
}
}
# Skudak Nextcloud - serve both domains (migration period)
{{ cloud_skudak_server_name }}, {{ cloud_skudak_server_name_new }} {
request_body {
max_size {{ caddy_max_request_body_mb }}MB
}
reverse_proxy localhost:8090 {
header_up Host {host}
header_up X-Real-IP {remote}
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
X-Content-Type-Options "nosniff"
Referrer-Policy "same-origin"
-X-Powered-By
}
# Nextcloud specific redirects
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
log {
output file /var/log/caddy/cloud-skudak.log
format json
}
}
# Gitea - {{ gitea_debyl_server_name }}
{{ gitea_debyl_server_name }} {
import common_headers
reverse_proxy localhost:3100 {
flush_interval -1
}
log {
output file /var/log/caddy/gitea-debyl.log
format json
}
}
# Gitea Skudak - {{ gitea_skudak_server_name }}
{{ gitea_skudak_server_name }} {
import common_headers
reverse_proxy localhost:3101 {
flush_interval -1
}
log {
output file /var/log/caddy/gitea-skudak.log
format json
}
}
# Fulfillr - {{ fulfillr_server_name }} (Static + API with IP restrictions)
{{ fulfillr_server_name }} {
{{ ip_restricted_site() }}
@api {
path /api/*
}
# Handle API requests with CORS for local development
handle @api {
header {
Access-Control-Allow-Origin "*"
Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With"
Access-Control-Allow-Credentials "true"
}
# Handle preflight requests
@options {
method OPTIONS
}
handle @options {
respond "" 204
}
reverse_proxy localhost:9054
}
# Serve static files with SPA fallback
handle {
root * /usr/local/share/fulfillr-site
try_files {path} {path}/ /index.html
file_server
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
X-Content-Type-Options "nosniff"
Referrer-Policy "same-origin"
}
log {
output file /var/log/caddy/fulfillr.log
format json
}
}
# ============================================================================
# TEST/STAGING SITES
# ============================================================================
# Test Site - test.debyl.io (Public static site hosting, no caching)
test.debyl.io {
import common_headers
root * /srv/test-site
try_files {path} {path}/ /index.html
file_server
# Disable all caching for test sites
header Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
header Pragma "no-cache"
log {
output file /var/log/caddy/test.log
format json
level {{ caddy_log_level }}
}
}
Reference in New Issue View Git Blame Copy Permalink