bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
43fbcf59a5b29f6896c073ad8f56a27007c1336f
deploy_home/ansible/roles/podman/templates/caddy/Caddyfile.j2
Bastian de Byl 43fbcf59a5 add n8n workflow automation and fix cloud backup rsync 
- Add n8n container (n8nio/n8n:2.11.3) with Caddy reverse proxy at n8n.debyl.io
- Add --exclude .ssh to cloud backup rsync to prevent overwriting
  authorized_keys on TrueNAS backup targets

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-17 12:12:19 -04:00

420 lines
8.8 KiB
Django/Jinja
Raw Blame History

# Caddy Configuration
# Managed by Ansible - do not edit directly
# Global options
{
email {{ caddy_email }}
acme_ca {{ caddy_acme_ca }}
# Admin API endpoint
admin 0.0.0.0:{{ caddy_admin_port }}
# Global server options
servers {
protocols h1 h2 h3
}
# Logging
log {
output file /var/log/caddy/caddy.log
format {{ caddy_log_format }}
level {{ caddy_log_level }}
}
}
# Import snippet for common security headers
(common_headers) {
header {
{% for header, value in caddy_security_headers.items() %}
{{ header }} "{{ value }}"
{% endfor %}
-Server
-X-Powered-By
}
}
# Jinja2 macro for IP-restricted sites with redirect
{% macro ip_restricted_site(networks=caddy_local_networks) %}
@local {
remote_ip {{ networks | join(' ') }}
}
@denied {
not remote_ip {{ networks | join(' ') }}
}
# Redirect non-local traffic
handle @denied {
redir https://debyl.io{uri} 302
}
{% endmacro %}
# ============================================================================
# SITE CONFIGURATIONS
# ============================================================================
# Simple redirect: {{ base_server_name }} -> {{ base_server_name_io }}
{{ base_server_name }} {
redir https://{{ base_server_name_io }}{uri} 302
}
# ============================================================================
# SIMPLE REVERSE PROXIES
# ============================================================================
# Photos service - redirect old to new
{{ photos_server_name }} {
redir https://{{ photos_server_name_io }}{uri} 302
}
# Photos service - {{ photos_server_name_io }}
{{ photos_server_name_io }} {
import common_headers
reverse_proxy localhost:8088
log {
output file /var/log/caddy/photos.log
format json
}
}
# Wiki/BookStack - {{ bookstack_server_name }} redirect to new domain
{{ bookstack_server_name }} {
redir https://{{ bookstack_server_name_new }}{uri} 302
}
# Wiki/BookStack - {{ bookstack_server_name_new }} (new primary domain)
{{ bookstack_server_name_new }} {
import common_headers
reverse_proxy localhost:6875
log {
output file /var/log/caddy/wiki.log
format json
}
}
# ============================================================================
# IP-RESTRICTED SITES
# ============================================================================
# Home Assistant - redirect old to new
{{ assistant_server_name }} {
redir https://{{ assistant_server_name_io }}{uri} 302
}
# Home Assistant - {{ assistant_server_name_io }}
{{ assistant_server_name_io }} {
{{ ip_restricted_site() }}
handle @local {
reverse_proxy localhost:8123 {
# WebSocket support is automatic
flush_interval -1
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
X-Content-Type-Options "nosniff"
Referrer-Policy "same-origin"
}
}
log {
output file /var/log/caddy/assistant.log
format json
}
}
# CI/Drone - REMOVED
# ci.bdebyl.net configuration removed - Drone CI infrastructure decommissioned
# Home server - {{ home_server_name_io }}
{{ home_server_name_io }} {
{{ ip_restricted_site() }}
handle @local {
respond "Home Server Access OK" 200
}
}
# Parts/Partsy - redirect old to new
{{ parts_server_name }} {
redir https://{{ parts_server_name_io }}{uri} 302
}
# Parts/Partsy - {{ parts_server_name_io }}
{{ parts_server_name_io }} {
{{ ip_restricted_site() }}
handle @local {
import common_headers
reverse_proxy localhost:8081
}
log {
output file /var/log/caddy/parts.log
format json
}
}
# Uptime Kuma (Debyltech) - {{ uptime_kuma_server_name }}
{{ uptime_kuma_server_name }} {
{{ ip_restricted_site() }}
handle @local {
import common_headers
reverse_proxy localhost:3001 {
# WebSocket support for live updates
flush_interval -1
}
}
log {
output file /var/log/caddy/uptime-kuma.log
format json
}
}
# Uptime Kuma (Personal) - {{ uptime_kuma_personal_server_name }}
{{ uptime_kuma_personal_server_name }} {
{{ ip_restricted_site() }}
handle @local {
import common_headers
reverse_proxy localhost:3002 {
# WebSocket support for live updates
flush_interval -1
}
}
log {
output file /var/log/caddy/uptime-kuma-personal.log
format json
}
}
# Graylog Logs - {{ logs_server_name }}
{{ logs_server_name }} {
# GELF HTTP endpoint - open for Lambda (auth via header)
# Must come BEFORE ip_restricted_site to allow external access
@gelf_authorized {
path /gelf
header X-Gelf-Token "{{ gelf_auth_token }}"
}
handle @gelf_authorized {
reverse_proxy localhost:12202
}
# Reject unauthorized GELF requests
handle /gelf {
respond "Unauthorized" 401
}
# IP restriction for Graylog web UI (excludes /gelf which is handled above)
@local {
remote_ip {{ caddy_local_networks | join(' ') }}
}
@denied {
not remote_ip {{ caddy_local_networks | join(' ') }}
not path /gelf
}
handle @denied {
redir https://debyl.io{uri} 302
}
handle @local {
import common_headers
reverse_proxy localhost:9000
}
log {
output file /var/log/caddy/graylog.log
format json
}
}
# ============================================================================
# COMPLEX CONFIGURATIONS
# ============================================================================
# Nextcloud - redirect old to new
{{ cloud_server_name }} {
redir https://{{ cloud_server_name_io }}{uri} 302
}
# Nextcloud - {{ cloud_server_name_io }}
{{ cloud_server_name_io }} {
request_body {
max_size {{ caddy_max_request_body_mb }}MB
}
reverse_proxy localhost:8089 {
header_up Host {host}
header_up X-Real-IP {remote}
# X-Forwarded-For and X-Forwarded-Proto are automatic
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
X-Content-Type-Options "nosniff"
Referrer-Policy "same-origin"
-X-Powered-By
}
# Nextcloud specific redirects
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
log {
output file /var/log/caddy/cloud.log
format json
}
}
# Skudak Nextcloud - serve both domains (migration period)
{{ cloud_skudak_server_name }}, {{ cloud_skudak_server_name_new }} {
request_body {
max_size {{ caddy_max_request_body_mb }}MB
}
reverse_proxy localhost:8090 {
header_up Host {host}
header_up X-Real-IP {remote}
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
X-Content-Type-Options "nosniff"
Referrer-Policy "same-origin"
-X-Powered-By
}
# Nextcloud specific redirects
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
log {
output file /var/log/caddy/cloud-skudak.log
format json
}
}
# Gitea - {{ gitea_debyl_server_name }}
{{ gitea_debyl_server_name }} {
import common_headers
reverse_proxy localhost:3100 {
flush_interval -1
}
log {
output file /var/log/caddy/gitea-debyl.log
format json
}
}
# Gitea Skudak - {{ gitea_skudak_server_name }}
{{ gitea_skudak_server_name }} {
import common_headers
reverse_proxy localhost:3101 {
flush_interval -1
}
log {
output file /var/log/caddy/gitea-skudak.log
format json
}
}
# N8N Workflow Automation - {{ n8n_server_name }}
{{ n8n_server_name }} {
{{ ip_restricted_site() }}
handle @local {
import common_headers
reverse_proxy localhost:5678 {
flush_interval -1
}
}
log {
output file {{ caddy_log_path }}/n8n.log
format {{ caddy_log_format }}
}
}
# Fulfillr - {{ fulfillr_server_name }} (Static + API with IP restrictions)
{{ fulfillr_server_name }} {
{{ ip_restricted_site() }}
@api {
path /api/*
}
# Handle API requests with CORS for local development
handle @api {
header {
Access-Control-Allow-Origin "*"
Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With"
Access-Control-Allow-Credentials "true"
}
# Handle preflight requests
@options {
method OPTIONS
}
handle @options {
respond "" 204
}
reverse_proxy localhost:9054
}
# Serve static files with SPA fallback
handle {
root * /usr/local/share/fulfillr-site
try_files {path} {path}/ /index.html
file_server
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
X-Content-Type-Options "nosniff"
Referrer-Policy "same-origin"
}
log {
output file /var/log/caddy/fulfillr.log
format json
}
}
# ============================================================================
# TEST/STAGING SITES
# ============================================================================
# Test Site - test.debyl.io (Public static site hosting, no caching)
test.debyl.io {
import common_headers
root * /srv/test-site
try_files {path} {path}/ /index.html
file_server
# Disable all caching for test sites
header Cache-Control "no-store, no-cache, must-revalidate, max-age=0"
header Pragma "no-cache"
log {
output file /var/log/caddy/test.log
format json
level {{ caddy_log_level }}
}
}
Reference in New Issue View Git Blame Copy Permalink