Switch to terraform

ansible/caddy/group_vars/caddy_servers.yml

@@ -0,0 +1,25 @@
+---
+# =============================================================================
+# Shared Caddy Reverse Proxy Configuration
+# =============================================================================
+# Single Caddy instance handling all PoC services.
+
+# =============================================================================
+# Let's Encrypt Configuration
+# =============================================================================
+letsencrypt_email: "vlad.stus@gmail.com"
+
+# =============================================================================
+# Paths
+# =============================================================================
+caddy_base_dir: "/opt/caddy"
+
+# =============================================================================
+# Services to proxy
+# =============================================================================
+gitea_domain: "gitea-poc.networkmonitor.cc"
+gitea_http_port: 3000
+gitea_network: "gitea_gitea"
+
+netbird_domain: "netbird-poc.networkmonitor.cc"
+netbird_network: "netbird_netbird"

ansible/caddy/playbook.yml

@@ -0,0 +1,134 @@
+---
+# =============================================================================
+# Shared Caddy Reverse Proxy Playbook
+# =============================================================================
+# Deploys single Caddy instance that proxies to Gitea and NetBird.
+# Run AFTER deploying Gitea and NetBird (needs their networks).
+#
+# Prerequisites:
+#   1. Gitea deployed (creates gitea_gitea network)
+#   2. NetBird deployed (creates netbird_netbird network)
+#   3. DNS records pointing to VPS
+#
+# Usage:
+#   ansible-playbook -i poc-inventory.yml playbook.yml
+# =============================================================================
+
+- name: Deploy Shared Caddy Reverse Proxy
+  hosts: caddy_servers
+  become: true
+  vars_files:
+    - group_vars/caddy_servers.yml
+
+  pre_tasks:
+    - name: Check if Gitea network exists
+      ansible.builtin.command:
+        cmd: docker network inspect {{ gitea_network }}
+      register: gitea_network_check
+      failed_when: false
+      changed_when: false
+
+    - name: Check if NetBird network exists
+      ansible.builtin.command:
+        cmd: docker network inspect {{ netbird_network }}
+      register: netbird_network_check
+      failed_when: false
+      changed_when: false
+
+    - name: Warn about missing networks
+      ansible.builtin.debug:
+        msg: |
+          WARNING: Some service networks don't exist yet.
+          Gitea network ({{ gitea_network }}): {{ 'EXISTS' if gitea_network_check.rc == 0 else 'MISSING - deploy Gitea first' }}
+          NetBird network ({{ netbird_network }}): {{ 'EXISTS' if netbird_network_check.rc == 0 else 'MISSING - deploy NetBird first' }}
+
+          Caddy will fail to start until both networks exist.
+      when: gitea_network_check.rc != 0 or netbird_network_check.rc != 0
+
+  tasks:
+    # =========================================================================
+    # Stop existing Caddy if running elsewhere
+    # =========================================================================
+    - name: Check for Caddy in Gitea deployment
+      ansible.builtin.stat:
+        path: /opt/gitea/docker-compose.yml
+      register: gitea_compose
+
+    - name: Stop Caddy in Gitea deployment
+      ansible.builtin.shell: |
+        cd /opt/gitea && docker compose stop caddy && docker compose rm -f caddy
+      when: gitea_compose.stat.exists
+      failed_when: false
+      changed_when: true
+
+    # =========================================================================
+    # Caddy Directory Structure
+    # =========================================================================
+    - name: Create Caddy directory
+      ansible.builtin.file:
+        path: "{{ caddy_base_dir }}"
+        state: directory
+        mode: "0755"
+
+    # =========================================================================
+    # Deploy Configuration Files
+    # =========================================================================
+    - name: Deploy docker-compose.yml
+      ansible.builtin.template:
+        src: templates/docker-compose.yml.j2
+        dest: "{{ caddy_base_dir }}/docker-compose.yml"
+        mode: "0644"
+
+    - name: Deploy Caddyfile
+      ansible.builtin.template:
+        src: templates/Caddyfile.j2
+        dest: "{{ caddy_base_dir }}/Caddyfile"
+        mode: "0644"
+      register: caddyfile_changed
+
+    # =========================================================================
+    # Start Caddy
+    # =========================================================================
+    - name: Pull Caddy image
+      ansible.builtin.command:
+        cmd: docker compose pull
+        chdir: "{{ caddy_base_dir }}"
+      changed_when: true
+
+    - name: Start Caddy
+      ansible.builtin.command:
+        cmd: docker compose up -d
+        chdir: "{{ caddy_base_dir }}"
+      changed_when: true
+
+    - name: Reload Caddy config if changed
+      ansible.builtin.command:
+        cmd: docker compose exec caddy caddy reload --config /etc/caddy/Caddyfile
+        chdir: "{{ caddy_base_dir }}"
+      when: caddyfile_changed.changed
+      failed_when: false
+      changed_when: true
+
+    # =========================================================================
+    # Deployment Summary
+    # =========================================================================
+    - name: Display deployment status
+      ansible.builtin.debug:
+        msg: |
+          ============================================
+          Shared Caddy Deployed!
+          ============================================
+
+          Proxying:
+            - https://{{ gitea_domain }} -> gitea:{{ gitea_http_port }}
+            - https://{{ netbird_domain }} -> netbird services
+
+          ============================================
+
+          View logs:
+            ssh root@{{ ansible_host }} "cd {{ caddy_base_dir }} && docker compose logs -f"
+
+          Reload config after changes:
+            ssh root@{{ ansible_host }} "cd {{ caddy_base_dir }} && docker compose exec caddy caddy reload --config /etc/caddy/Caddyfile"
+
+          ============================================

ansible/caddy/poc-inventory.yml

@@ -0,0 +1,8 @@
+---
+all:
+  children:
+    caddy_servers:
+      hosts:
+        caddy-poc:
+          ansible_host: observability-poc.networkmonitor.cc
+          ansible_user: root

ansible/caddy/templates/Caddyfile.j2

@@ -0,0 +1,56 @@
+# =============================================================================
+# Shared Caddy - NetBird GitOps PoC
+# =============================================================================
+{
+  servers :80,:443 {
+    protocols h1 h2c h2 h3
+  }
+  email {{ letsencrypt_email }}
+}
+
+(security_headers) {
+    header * {
+        Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
+        X-Content-Type-Options "nosniff"
+        X-Frame-Options "SAMEORIGIN"
+        X-XSS-Protection "1; mode=block"
+        -Server
+        Referrer-Policy strict-origin-when-cross-origin
+    }
+}
+
+# =============================================================================
+# Gitea
+# =============================================================================
+{{ gitea_domain }} {
+    import security_headers
+    reverse_proxy gitea:{{ gitea_http_port }}
+}
+
+# =============================================================================
+# NetBird
+# =============================================================================
+{{ netbird_domain }} {
+    import security_headers
+
+    # Embedded IdP OAuth2 endpoints
+    reverse_proxy /oauth2/* management:80
+    reverse_proxy /.well-known/openid-configuration management:80
+    reverse_proxy /.well-known/jwks.json management:80
+
+    # NetBird Relay
+    reverse_proxy /relay* relay:80
+
+    # NetBird Signal (gRPC)
+    reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000
+
+    # NetBird Management API (gRPC)
+    reverse_proxy /management.ManagementService/* h2c://management:80
+
+    # NetBird Management REST API
+    reverse_proxy /api/* management:80
+
+    # NetBird Dashboard (catch-all)
+    reverse_proxy /* dashboard:80
+}
+}

ansible/caddy/templates/docker-compose.yml.j2

@@ -0,0 +1,35 @@
+networks:
+  # Connect to Gitea network
+  gitea:
+    name: {{ gitea_network }}
+    external: true
+  # Connect to NetBird network
+  netbird:
+    name: {{ netbird_network }}
+    external: true
+
+services:
+  caddy:
+    image: caddy:alpine
+    container_name: caddy
+    restart: unless-stopped
+    networks:
+      - gitea
+      - netbird
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+    volumes:
+      - {{ caddy_base_dir }}/Caddyfile:/etc/caddy/Caddyfile
+      - caddy_data:/data
+      - caddy_config:/config
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "100m"
+        max-file: "2"
+
+volumes:
+  caddy_data:
+  caddy_config: