feat(caddy): gate Caddy behind caddy_enabled (Linux on, macOS off)

Add caddy_enabled (group_vars/all) defaulting to ansible_os_family != 'Darwin', overridable via -e caddy_enabled=true/false. Wrap the dedicated caddy role and the gateway_openclaw Caddy ingress block in 'when: caddy_enabled | bool' so macOS single-host deploys never touch /etc/caddy or start caddy, while Linux VPS deploys keep Caddy + HTTP/TLS by default. Notifies only fire from gated tasks, so the Reload caddy handlers stay inert when disabled.
2026-06-19 09:14:09 +00:00 · 2026-06-19 09:14:09 +00:00 · 0cfd1af1b7
commit 0cfd1af1b7
parent 17e2267449
3 changed files with 77 additions and 63 deletions
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -3,6 +3,12 @@ ansible_ssh_user: root
 ansible_ssh_private_key_file: ~/.ssh/id_rsa
 ansible_host_key_checking: False

-# Global security level for public access. 
+# Global security level for public access.
 # Set to 'strict' to disable public Caddy/Ingress access for all roles.
 ai_workspace_security_level: standard
+
+# Whether to install/configure the Caddy reverse proxy (public HTTP/TLS ingress).
+# Default: enabled on Linux, disabled on macOS single-host deploys (no system
+# Caddy, /etc/caddy not writable). Override anytime with -e caddy_enabled=true
+# (force on) or -e caddy_enabled=false (force off) — extra-vars win.
+caddy_enabled: "{{ ansible_os_family != 'Darwin' }}"
--- a/roles/vhosts/caddy/tasks/main.yml
+++ b/roles/vhosts/caddy/tasks/main.yml
@ -1,67 +1,73 @@
- name: Ensure Caddy repo prerequisites
-  ansible.builtin.apt:
-    name:
-      - ca-certificates
-      - gnupg
-    state: present
-    update_cache: true
-  when:
-    - "(ansible_facts['distribution'] == 'Debian' and (ansible_facts['distribution_version'] is version('13', '=='))) or (ansible_facts['distribution'] == 'Ubuntu' and (ansible_facts['distribution_version'] is version('24.04', '==')))"
+# The whole Caddy role is skipped when caddy_enabled is false (default on macOS
+# single-host deploys), so /etc/caddy is never touched and no caddy service is
+# expected. Override with -e caddy_enabled=true.
+- name: Configure Caddy reverse proxy
+  when: caddy_enabled | bool
+  block:
+    - name: Ensure Caddy repo prerequisites
+      ansible.builtin.apt:
+        name:
+          - ca-certificates
+          - gnupg
+        state: present
+        update_cache: true
+      when:
+        - "(ansible_facts['distribution'] == 'Debian' and (ansible_facts['distribution_version'] is version('13', '=='))) or (ansible_facts['distribution'] == 'Ubuntu' and (ansible_facts['distribution_version'] is version('24.04', '==')))"

- name: Ensure apt keyring directory exists
-  ansible.builtin.file:
-    path: /etc/apt/keyrings
-    state: directory
-    owner: root
-    group: root
-    mode: '0755'
+    - name: Ensure apt keyring directory exists
+      ansible.builtin.file:
+        path: /etc/apt/keyrings
+        state: directory
+        owner: root
+        group: root
+        mode: '0755'

- name: Download Caddy GPG key
-  ansible.builtin.get_url:
-    url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
-    dest: /etc/apt/keyrings/caddy-stable.asc
-    mode: '0644'
+    - name: Download Caddy GPG key
+      ansible.builtin.get_url:
+        url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
+        dest: /etc/apt/keyrings/caddy-stable.asc
+        mode: '0644'

- name: Dearmor Caddy GPG key
-  ansible.builtin.command:
-    cmd: gpg --dearmor -o /etc/apt/keyrings/caddy-stable.gpg /etc/apt/keyrings/caddy-stable.asc
-    creates: /etc/apt/keyrings/caddy-stable.gpg
+    - name: Dearmor Caddy GPG key
+      ansible.builtin.command:
+        cmd: gpg --dearmor -o /etc/apt/keyrings/caddy-stable.gpg /etc/apt/keyrings/caddy-stable.asc
+        creates: /etc/apt/keyrings/caddy-stable.gpg

- name: Add Caddy repository (Debian)
-  ansible.builtin.apt_repository:
-    repo: "deb [signed-by=/etc/apt/keyrings/caddy-stable.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main"
-    filename: caddy-stable
-    state: present
-  when:
-    - ansible_facts['distribution'] == 'Debian'
-    - ansible_facts['distribution_version'] is version('13', '==')
+    - name: Add Caddy repository (Debian)
+      ansible.builtin.apt_repository:
+        repo: "deb [signed-by=/etc/apt/keyrings/caddy-stable.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main"
+        filename: caddy-stable
+        state: present
+      when:
+        - ansible_facts['distribution'] == 'Debian'
+        - ansible_facts['distribution_version'] is version('13', '==')

- name: Add Caddy repository (Ubuntu)
-  ansible.builtin.apt_repository:
-    repo: "deb [signed-by=/etc/apt/keyrings/caddy-stable.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/ubuntu any-version main"
-    filename: caddy-stable
-    state: present
-  when:
-    - ansible_facts['distribution'] == 'Ubuntu'
-    - ansible_facts['distribution_version'] is version('24.04', '==')
+    - name: Add Caddy repository (Ubuntu)
+      ansible.builtin.apt_repository:
+        repo: "deb [signed-by=/etc/apt/keyrings/caddy-stable.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/ubuntu any-version main"
+        filename: caddy-stable
+        state: present
+      when:
+        - ansible_facts['distribution'] == 'Ubuntu'
+        - ansible_facts['distribution_version'] is version('24.04', '==')

- name: Install Caddy
-  ansible.builtin.apt:
-    name: caddy
-    state: present
-    update_cache: true
-  when:
-    - "(ansible_facts['distribution'] == 'Debian' and (ansible_facts['distribution_version'] is version('13', '=='))) or (ansible_facts['distribution'] == 'Ubuntu' and (ansible_facts['distribution_version'] is version('24.04', '==')))"
+    - name: Install Caddy
+      ansible.builtin.apt:
+        name: caddy
+        state: present
+        update_cache: true
+      when:
+        - "(ansible_facts['distribution'] == 'Debian' and (ansible_facts['distribution_version'] is version('13', '=='))) or (ansible_facts['distribution'] == 'Ubuntu' and (ansible_facts['distribution_version'] is version('24.04', '==')))"

- name: Deploy Caddyfile
-  ansible.builtin.template:
-    src: Caddyfile.j2
-    dest: /etc/caddy/Caddyfile
-    mode: '0644'
-  notify: Reload caddy
+    - name: Deploy Caddyfile
+      ansible.builtin.template:
+        src: Caddyfile.j2
+        dest: /etc/caddy/Caddyfile
+        mode: '0644'
+      notify: Reload caddy

- name: Ensure Caddy is running
-  ansible.builtin.service:
-    name: caddy
-    state: started
-    enabled: true
+    - name: Ensure Caddy is running
+      ansible.builtin.service:
+        name: caddy
+        state: started
+        enabled: true
--- a/roles/vhosts/gateway_openclaw/tasks/main.yml
+++ b/roles/vhosts/gateway_openclaw/tasks/main.yml
@ -591,9 +591,11 @@
  ansible.builtin.import_tasks: macos.yml
  when: ansible_os_family == 'Darwin'

- name: Configure Caddy integration
-  become: true
-  when: gateway_openclaw_caddy_enabled | bool
+# Caddy ingress for OpenClaw. Skipped entirely when caddy_enabled is false
+# (default on macOS single-host deploys), so /etc/caddy is never touched and no
+# caddy service is started/notified. Override with -e caddy_enabled=true.
+- name: Configure OpenClaw Caddy ingress
+  when: caddy_enabled | bool
  block:
    - name: Ensure Caddy fragment directory exists
      ansible.builtin.file: