From fef296cbbddb93e62f2aa7452e307542b3a4fd28 Mon Sep 17 00:00:00 2001
From: Gabriel Augendre
Date: Thu, 6 Mar 2025 23:37:24 +0100
Subject: [PATCH] build caddy with OVH DNS + try ECH on caddy beta

---
 .pre-commit-config.yaml | 2 +-
 playbooks/apps/caddy.yaml | 35 ++++++++++++-
 playbooks/apps/files/{ => caddy}/Caddyfile | 3 ++
 .../apps/files/caddy/dns-ovh.Caddyfile.j2 | 13 +++++
 playbooks/apps/templates/bin/new_domain.py.j2 | 2 +-
 playbooks/dependencies/caddy.yaml | 49 +++++++++----------
 6 files changed, 76 insertions(+), 28 deletions(-)
 rename playbooks/apps/files/{ => caddy}/Caddyfile (99%)
 create mode 100644 playbooks/apps/files/caddy/dns-ovh.Caddyfile.j2

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index e609342..65a49b6 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -45,4 +45,4 @@ repos:
 name: caddy fmt
 language: system
 entry: caddy fmt --overwrite
- files: Caddyfile
+ files: ^Caddyfile$
diff --git a/playbooks/apps/caddy.yaml b/playbooks/apps/caddy.yaml
index 474532b..56a50c5 100644
--- a/playbooks/apps/caddy.yaml
+++ b/playbooks/apps/caddy.yaml
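Review bot: The new pattern `files: ^Caddyfile$` is, as far as pre-commit's documented matching goes, applied with a search against the path relative to the repository root, so it no longer matches `playbooks/apps/files/caddy/Caddyfile` (the file this same commit renames) unless a root-level Caddyfile exists, and the `caddy fmt` hook would silently stop running on the real config. If the goal is to keep formatting that file while keeping the new `dns-ovh.Caddyfile.j2` template out of `caddy fmt`, anchor on the basename instead: `files: (^|/)Caddyfile$`. Worth a one-line comment above the hook saying the Jinja template is deliberately excluded, since the old bare `Caddyfile` pattern would have matched it.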
@@ -6,15 +6,48 @@
 tasks:
 - name: Write Caddyfile
 ansible.builtin.copy:
- src: files/Caddyfile
+ src: files/caddy/Caddyfile
 dest: /etc/caddy/Caddyfile
 mode: "0644"
 owner: root
 group: root
 notify:
 - Reload caddy
+ - name: Write dns-ovh.Caddyfile
+ ansible.builtin.template:
+ src: files/caddy/dns-ovh.Caddyfile.j2
+ dest: /etc/caddy/dns-ovh.Caddyfile
+ mode: "0644"
+ owner: root
+ group: root
+ notify:
+ - Reload caddy
 handlers:
 - name: Reload caddy
 ansible.builtin.service:
 name: caddy
 state: reloaded
+ vars:
+ ovh_app_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 30626165303033383937353835383233633833623434333061393632346266373439393137343066
+ 6331333266393761636634363564656662323962633034660a323632333866656565303561363939
+ 62633064386133363938326665323961353236663831663035663863336161303533633131623631
+ 6166633466313563620a366264653533616437646638626136306332636232396538316432306163
+ 30366531393462396335653638643938663937356336393065303531643132336534
+ ovh_app_secret: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 39366431363534386435613336343736343930636636313261373063623863373335346639333335
+ 6233623137643536656632663262303465633433303033360a383638626138613837306163353834
+ 63376439343761333439613662303431666662633561363833346162623261643532373637646537
+ 3263303031326338620a636662376333366132303964613565383139363065626564316536653833
+ 66663338623239393537393664306132366639343138343139336132366466663231323637306637
+ 3162656265656137396530326336383731383133653066626235
+ ovh_consumer_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 66666533623962393934343630326232336564393565653231373638666662613133346665613962
+ 3033333037393933666332663562396132616536326433300a333239386132376431393833313661
+ 32366666366366396266646234666436626664313332666364646464616434326537386337386330
+ 6561643039613661340a303461346634386662376638656636643261643961323038653633623665
+ 64323935663066376231386466383930613632623634643030396131623530663034363931313435
+ 3130663863656465663839383332383666386235326130383039
diff --git a/playbooks/apps/files/Caddyfile b/playbooks/apps/files/caddy/Caddyfile
similarity index 99%
rename from playbooks/apps/files/Caddyfile
rename to playbooks/apps/files/caddy/Caddyfile
index b52d035..3585e55 100644
--- a/playbooks/apps/files/Caddyfile
+++ b/playbooks/apps/files/caddy/Caddyfile
@@ -5,6 +5,9 @@
 log {
 format console
 }
+
+ import ./dns-ovh.Caddyfile
+ ech ech.augendre.info
 }
 (common_headers) {
diff --git a/playbooks/apps/files/caddy/dns-ovh.Caddyfile.j2 b/playbooks/apps/files/caddy/dns-ovh.Caddyfile.j2
new file mode 100644
index 0000000..d6ed920
--- /dev/null
+++ b/playbooks/apps/files/caddy/dns-ovh.Caddyfile.j2
@@ -0,0 +1,13 @@
+dns ovh {
+ endpoint ovh-eu
+ application_key {{ ovh_app_key }}
+ application_secret {{ ovh_app_secret }}
+ consumer_key {{ ovh_consumer_key }}
+}
+
+acme_dns ovh {
+ endpoint ovh-eu
+ application_key {{ ovh_app_key }}
+ application_secret {{ ovh_app_secret }}
+ consumer_key {{ ovh_consumer_key }}
+}
diff --git a/playbooks/apps/templates/bin/new_domain.py.j2 b/playbooks/apps/templates/bin/new_domain.py.j2
index baebf27..032ad26 100755
--- a/playbooks/apps/templates/bin/new_domain.py.j2
+++ b/playbooks/apps/templates/bin/new_domain.py.j2
@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!./venv/bin/python3
 import json
 import sys
diff --git a/playbooks/dependencies/caddy.yaml b/playbooks/dependencies/caddy.yaml
index 5fb95a1..e11a24c 100644
--- a/playbooks/dependencies/caddy.yaml
+++ b/playbooks/dependencies/caddy.yaml
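Review bot: The rendered `/etc/caddy/dns-ovh.Caddyfile` contains the decrypted OVH application secret and consumer key in clear text, yet the new `Write dns-ovh.Caddyfile` task writes it with `mode: "0644"` and `owner: root`, so every local account on the host can read the credentials that the vault encryption was protecting at rest in the repo. Restrict it to the account the caddy service runs as (which user that is is not visible here — confirm from the unit), e.g. `mode: "0640"` with `group:` set to that service's group while keeping root as owner; the main Caddyfile can stay 0644 since it holds no secrets. A short comment on the new `vars:` block saying these three values are consumed only by files/caddy/dns-ovh.Caddyfile.j2 would also help, since play vars declared after `handlers:` are easy to overlook.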
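Review bot: The two added lines tie the global options block to a non-packaged Caddy build — `ech` and the `dns` global option used by the imported file are, as I understand it, 2.10 additions, and the `ovh` provider exists only when compiled in — but nothing in the Caddyfile records that, so a stock package would fail to load this config with no hint of why. A comment above the import, `# needs caddy >= 2.10 built with github.com/caddy-dns/ovh (see playbooks/dependencies/caddy.yaml)`, would document the coupling. The enclosing global options block starts before this hunk.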
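Review bot: The credential placeholders are rendered unquoted (`application_key {{ ovh_app_key }}` and the two lines below it, in both stanzas), so a value containing whitespace, `#` or a brace would be split or cut short by the Caddyfile tokenizer and the provider would get a wrong credential without an obvious error. Quoting each placeholder, `application_key "{{ ovh_app_key }}"`, keeps the token intact for whatever OVH issues. The same three lines are duplicated between the `dns` and `acme_dns` stanzas; a comment noting that both must stay in sync would keep them from drifting when one is rotated.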
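Review bot: The new shebang `#!./venv/bin/python3` is a relative path, which the kernel resolves against the caller's current working directory rather than the script's own location, so the script fails to start with "no such file or directory" whenever it is invoked from anywhere other than the directory holding `venv`. Since this file is already an Ansible template, render the interpreter absolutely, `#!{{ <install_dir variable> }}/venv/bin/python3` using whichever variable holds the script's install directory (not visible in this hunk), or keep `#!/usr/bin/env python3` and invoke it through the venv explicitly. The rest of the script lies outside the hunk.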
@@ -2,35 +2,34 @@
 - name: Setup caddy
 hosts: servers
 gather_facts: false
- become: true
 tasks:
- - name: Install system deps
- ansible.builtin.apt:
- pkg:
- - debian-keyring
- - debian-archive-keyring
- - apt-transport-https
- - gnupg2
- - curl
- state: present
- - name: Add caddy repository
- ansible.builtin.deb822_repository:
- name: caddy
- uris: https://dl.cloudsmith.io/public/caddy/stable/deb/debian
- signed_by: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
- components: main
- suites: any-version
- types: [deb]
- state: present
- enabled: true
- - name: Install caddy
- ansible.builtin.apt:
- update_cache: true
- name: caddy
- state: present
+ - name: Install xcaddy
+ ansible.builtin.command:
+ cmd: go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
+ register: install
+ changed_when: '"downloading" in install.stdout' # doesn't seem to work
+ - name: Build caddy from source
+ ansible.builtin.command:
+ cmd: xcaddy build v2.10.0-beta.1 --with github.com/caddy-dns/ovh
+ chdir: /tmp
+ changed_when: true
+ - name: Copy new caddy binary
+ ansible.builtin.copy:
+ src: /tmp/caddy
+ dest: /usr/bin/caddy
+ remote_src: true
+ owner: root
+ group: root
+ mode: "0755"
+ become: true
 notify: Restart caddy
+ - name: Cleanup in /tmp
+ ansible.builtin.file:
+ path: /tmp/caddy
+ state: absent
 handlers:
 - name: Restart caddy
 ansible.builtin.service:
 name: caddy
 state: restarted
+ become: true
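Review bot: The `Build caddy from source` task pins the Caddy core to v2.10.0-beta.1 but not the plugin — `--with github.com/caddy-dns/ovh` resolves to whatever the module proxy currently calls latest, and `go install .../xcaddy@latest` does the same for the build tool — so the binary that `Copy new caddy binary` installs as root into /usr/bin/caddy is not reproducible and picks up whatever those two upstreams publish between runs. Pin both, `--with github.com/caddy-dns/ovh@<pinned version>` and `xcaddy@<pinned version>`, and prefer a private build directory from `ansible.builtin.tempfile` over the shared `/tmp`: with the play-level `become: true` removed, the build writes `/tmp/caddy` as the connecting user and only the later copy runs as root, which leaves a window in which any local account could replace the file that gets promoted. Separately, `changed_when: '"downloading" in install.stdout'` cannot fire because `go install` writes its `go: downloading` lines to stderr, which is why the inline comment says it does not work; `changed_when: '"downloading" in install.stderr'` should fix it. Note also that the apt-installed caddy package is removed from the playbook but not from the host, so a later package upgrade would presumably overwrite the hand-built /usr/bin/caddy — either hold the package or document that expectation in a comment above the copy task.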