feat/proxy-certificate-integration (#204)

Author: stevius10

.gitignore

@@ -9,4 +9,5 @@ local/*.hash
 
 # git add --force '**/*.local*'
 
-*.local.caddy
+*.local.*
+!.*.local.*

base/default.yml

@@ -4,13 +4,16 @@
   gather_facts: no
   vars:
     os: "{{ OS | default('local:vztmpl/debian-13-standard_13.1-1_amd64.tar.zst') }}"
-    key_dir: "{{ KEYS_DIR | default('/share/.ssh') }}"
+    share_dir: "{{ SHARE | default('/share') }}"
+    cert_dir:  "{{ share_dir }}/.cert"
+    key_dir:   "{{ share_dir }}/.ssh"
   tasks:
 
-    - name: Ensure key directory
+    - name: Ensure directories
       file:
         path: "{{ key_dir }}"
         state: directory
+      loop: ["{{ share_dir }}", "{{ cert_dir }}", "{{ key_dir }}"]
 
     - name: Generate container key on host
       community.crypto.openssh_keypair:

base/roles/base/tasks/main.yml

@@ -1,8 +1,9 @@
 - name: Base container configuration
   block:
-    - name: Set key directory
+    - name: Set shared directories
       set_fact:
-        key_dir: "{{ KEYS_DIR | default('/share/.ssh') }}"
+        cert_dir: "{{ share_dir }}/.certs"
+        key_dir: "{{ share_dir }}/.ssh"
 
     - name: Update system
       apt:
@@ -51,8 +52,9 @@
   include_tasks: state.yml
   vars:
     extra:
-      - { path: "/app", state: "directory", mode: "0755", owner: "app", group: "config" }
-      - { path: "/app/.ssh", state: "directory", mode: "0711", owner: "app", group: "config" }
+      - { path: "/app/.ssh", state: "directory", mode: "0755", owner: "app", group: "config" }
+      - { path: "{{ key_dir }}", state: "directory", mode: "0711", owner: "app", group: "config" }
+      - { path: "{{ cert_dir }}", state: "directory", mode: "0711", owner: "app", group: "config" }
 
 - name: Container accessibility
   import_tasks: access.yml

base/roles/base/vars/main.yml

@@ -11,5 +11,7 @@ default_users:
   - { name: "app",  groups: ["config"], create_home: false, home: "/app" }
   - { name: "config", groups: ["config", "root", "sudo"], create_home: false, home: "/app" }
 
+share_dir: "/share"
+
 ssh_users:
   - config

libs/proxy/attributes/default.rb

@@ -4,11 +4,13 @@
 default['app']['group']               = Default.group(node)
 
 default['proxy']['dir']['app']        = '/app/proxy'
+default['proxy']['dir']['certs']      = '/share/.certs'
+default['proxy']['dir']['caddy']      = "#{node['proxy']['dir']['certs']}/caddy"
 default['proxy']['dir']['config']     = '/app/proxy/conf.d'
 default['proxy']['dir']['logs']       = '/app/proxy/logs'
 
-default['proxy']['config']['domain']  = 'lan'
+default['proxy']['config']['domain']  = 'l'
 
 default['proxy']['logs']['roll_size'] = '2MiB'
-default['proxy']['logs']['roll_keep'] = '3'
-default['proxy']['logs']['roll_for']  = '1d'
+default['proxy']['logs']['roll_keep'] = '7'
+default['proxy']['logs']['roll_for']  = '24h'

libs/proxy/config.env

@@ -4,4 +4,5 @@ CORES="2"
 MEMORY="2048"
 SWAP="512"
 DISK="local-lvm:2"
+MOUNT="share"
 BOOT="yes"

libs/proxy/files/default/config/10-assistant-example.caddy

@@ -0,0 +1,19 @@
+# *-container.local.caddy (.gitignore): create, e. g. home.gitops.pm
+#
+# home.gitops.pm {
+#     import default api 192.178.168.110
+#     tls /share/.certs/.lego/certificates/gitops.pm.crt /share/.certs/.lego/certificates/gitops.pm.key
+# .. }
+
+# *-container.caddy: edit, e. g. assistant (10-assistant.caddy)
+
+route {
+    reverse_proxy @internal {vars.upstream}:8123
+}
+
+
+# Attachment: Home Assistant configuration
+# http:
+#   use_x_forwarded_for: true
+#   trusted_proxies:
+#     - <IP_REVERSE_PROXY> # e. g. 192.168.178.101

libs/proxy/files/default/config/10-assistant.caddy

@@ -1,6 +1,7 @@
 Env.dump(self, ['ip', cookbook_name], repo: cookbook_name)
 
-Common.directories(self, [node['proxy']['dir']['app'], node['proxy']['dir']['config'], node['proxy']['dir']['logs']])
+Common.directories(self, [ node['proxy']['dir']['app'],
+  node['proxy']['dir']['caddy'], node['proxy']['dir']['config'], node['proxy']['dir']['logs'] ] )
 
 package 'caddy'
 
@@ -20,7 +21,8 @@
   owner node['app']['user']
   group node['app']['group']
   mode   '0644'
-  variables( hosts: lazy { node.run_state['proxy_hosts'] || [] }, config_dir: node['proxy']['dir']['config'],
+  variables( hosts: lazy { node.run_state['proxy_hosts'] || [] },
+    caddy_dir: node['proxy']['dir']['caddy'], config_dir: node['proxy']['dir']['config'],
     log_dir: node['proxy']['dir']['logs'], logs_roll_size: node['proxy']['logs']['roll_size'],
     logs_roll_keep: node['proxy']['logs']['roll_keep'], logs_roll_for: node['proxy']['logs']['roll_for'] )
 end
@@ -29,10 +31,13 @@
   source 'config'
   owner node['app']['user']
   group node['app']['group']
-  mode '0664'
+  mode '0775'
+  files_mode '0664'
 end
 
-Common.application(self, cookbook_name,
-  exec: "/bin/caddy run --config #{node['proxy']['dir']['app']}/Caddyfile --adapter caddyfile",
-  subscribe: ["template[#{node['proxy']['dir']['app']}/Caddyfile]", "remote_directory[#{node['proxy']['dir']['config']}]"],
-  unit: { 'Service' => { 'AmbientCapabilities' => 'CAP_NET_BIND_SERVICE' } } )
+ruby_block "#{self.cookbook_name}_application" do block do
+  Common.application(self, cookbook_name,
+    exec: "/bin/caddy run --config #{node['proxy']['dir']['app']}/Caddyfile",
+    subscribe: ["template[#{node['proxy']['dir']['app']}/Caddyfile]", "remote_directory[#{node['proxy']['dir']['config']}]"],
+    unit: { 'Service' => { 'AmbientCapabilities' => 'CAP_NET_BIND_SERVICE' } } )
+end end

libs/proxy/recipes/default.rb

@@ -1,11 +1,14 @@
+{
+  storage file_system <%= @caddy_dir %>
+}
+
 (internal) {
-  @external {
-    not remote_ip 192.168.0.0/24
-  }
-  respond @external 403
+  @internal remote_ip 192.168.178.0/24
+  @external not remote_ip 192.168.178.0/24
+  respond @external "Forbidden" 403
 }
 
-(security_headers) {
+(header) {
   header {
     Strict-Transport-Security "max-age=31536000;"
     X-Frame-Options "DENY"
@@ -15,34 +18,40 @@
   }
 }
 
-(proxy_headers) {
-  header_up Host {host}
-  header_up X-Real-IP {remote_ip}
-  header_up X-Forwarded-For {remote_ip}
-  header_up X-Forwarded-Proto {scheme}
+(common) {
+  import header
+
+  log {
+    output file <%= @log_dir %>/{args.0}.log {
+      roll_size     <%= @logs_roll_size %>
+      roll_keep     <%= @logs_roll_keep %>
+      roll_keep_for <%= @logs_roll_for %>
+    }
+  }
+}
+
+(default) {
+  import common {args.0}
+
+  vars upstream {args.1}
+
+  reverse_proxy {args.1} {
+    header_up Host {args.0}
+    header_up X-Real-IP {remote_ip}
+    header_up X-Forwarded-For {remote_ip}
+    header_up X-Container-IP {args.1}
+  }
 }
 
-<% @hosts.each do |entry| -%>
-  <% domain, upstream, hostname = entry.split(' ') -%>
+<% @hosts.each do |entry| -%> <% domain, upstream, hostname = entry.split(' ') -%>
   <%= domain %> {
-    import security_headers
+    import default <%= hostname %> <%= upstream %>
     import internal
 
-    reverse_proxy <%= upstream %> {
-      import proxy_headers
-      header_up X-Container-IP <%= upstream.split(':').first %>
-    }
-
     tls internal
 
-    log {
-      output file <%= @log_dir %>/<%= domain %>.log {
-        roll_size     <%= @logs_roll_size %>
-        roll_keep     <%= @logs_roll_keep %>
-        roll_keep_for <%= @logs_roll_for %>
-      }
-    }
-
-    import <%= @config_dir %>/<%= hostname %>*.caddy
+    import <%= @config_dir %>/*<%= hostname %>.caddy
   }
-<% end -%>
+<% end -%>
+
+import <%= @config_dir %>/*.local.caddy