feat(caddy): gate Caddy behind caddy_enabled (Linux on, macOS off)
Add caddy_enabled (group_vars/all) defaulting to ansible_os_family != 'Darwin', overridable via -e caddy_enabled=true/false. Wrap the dedicated caddy role and the gateway_openclaw Caddy ingress block in 'when: caddy_enabled | bool' so macOS single-host deploys never touch /etc/caddy or start caddy, while Linux VPS deploys keep Caddy + HTTP/TLS by default. Notifies only fire from gated tasks, so the Reload caddy handlers stay inert when disabled.
This commit is contained in:
parent
17e2267449
commit
0cfd1af1b7
@ -3,6 +3,12 @@ ansible_ssh_user: root
|
||||
ansible_ssh_private_key_file: ~/.ssh/id_rsa
|
||||
ansible_host_key_checking: False
|
||||
|
||||
# Global security level for public access.
|
||||
# Global security level for public access.
|
||||
# Set to 'strict' to disable public Caddy/Ingress access for all roles.
|
||||
ai_workspace_security_level: standard
|
||||
|
||||
# Whether to install/configure the Caddy reverse proxy (public HTTP/TLS ingress).
|
||||
# Default: enabled on Linux, disabled on macOS single-host deploys (no system
|
||||
# Caddy, /etc/caddy not writable). Override anytime with -e caddy_enabled=true
|
||||
# (force on) or -e caddy_enabled=false (force off) — extra-vars win.
|
||||
caddy_enabled: "{{ ansible_os_family != 'Darwin' }}"
|
||||
|
||||
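Review bot: `caddy_enabled` is resolved lazily from the legacy injected fact `ansible_os_family`, whereas the caddy role tests `ansible_facts['distribution']`, so on a play run with `gather_facts: false` (or, presumably, with fact injection into top-level vars disabled in ansible.cfg) the first `when: caddy_enabled | bool` raises an undefined-variable error instead of evaluating. Because this flag decides whether a public HTTP/TLS listener is brought up, it should fail closed when the fact is missing and use the same fact namespace as the role: `caddy_enabled: "{{ ansible_facts['os_family'] is defined and ansible_facts['os_family'] != 'Darwin' }}"`. The comment above it could add one line noting that facts must be gathered before the variable is referenced; `-e caddy_enabled=...` still overrides as described.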
@ -1,67 +1,73 @@
|
||||
- name: Ensure Caddy repo prerequisites
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- ca-certificates
|
||||
- gnupg
|
||||
state: present
|
||||
update_cache: true
|
||||
when:
|
||||
- "(ansible_facts['distribution'] == 'Debian' and (ansible_facts['distribution_version'] is version('13', '=='))) or (ansible_facts['distribution'] == 'Ubuntu' and (ansible_facts['distribution_version'] is version('24.04', '==')))"
|
||||
# The whole Caddy role is skipped when caddy_enabled is false (default on macOS
|
||||
# single-host deploys), so /etc/caddy is never touched and no caddy service is
|
||||
# expected. Override with -e caddy_enabled=true.
|
||||
- name: Configure Caddy reverse proxy
|
||||
when: caddy_enabled | bool
|
||||
block:
|
||||
- name: Ensure Caddy repo prerequisites
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- ca-certificates
|
||||
- gnupg
|
||||
state: present
|
||||
update_cache: true
|
||||
when:
|
||||
- "(ansible_facts['distribution'] == 'Debian' and (ansible_facts['distribution_version'] is version('13', '=='))) or (ansible_facts['distribution'] == 'Ubuntu' and (ansible_facts['distribution_version'] is version('24.04', '==')))"
|
||||
|
||||
- name: Ensure apt keyring directory exists
|
||||
ansible.builtin.file:
|
||||
path: /etc/apt/keyrings
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0755'
|
||||
- name: Ensure apt keyring directory exists
|
||||
ansible.builtin.file:
|
||||
path: /etc/apt/keyrings
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: '0755'
|
||||
|
||||
- name: Download Caddy GPG key
|
||||
ansible.builtin.get_url:
|
||||
url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
|
||||
dest: /etc/apt/keyrings/caddy-stable.asc
|
||||
mode: '0644'
|
||||
- name: Download Caddy GPG key
|
||||
ansible.builtin.get_url:
|
||||
url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
|
||||
dest: /etc/apt/keyrings/caddy-stable.asc
|
||||
mode: '0644'
|
||||
|
||||
- name: Dearmor Caddy GPG key
|
||||
ansible.builtin.command:
|
||||
cmd: gpg --dearmor -o /etc/apt/keyrings/caddy-stable.gpg /etc/apt/keyrings/caddy-stable.asc
|
||||
creates: /etc/apt/keyrings/caddy-stable.gpg
|
||||
- name: Dearmor Caddy GPG key
|
||||
ansible.builtin.command:
|
||||
cmd: gpg --dearmor -o /etc/apt/keyrings/caddy-stable.gpg /etc/apt/keyrings/caddy-stable.asc
|
||||
creates: /etc/apt/keyrings/caddy-stable.gpg
|
||||
|
||||
- name: Add Caddy repository (Debian)
|
||||
ansible.builtin.apt_repository:
|
||||
repo: "deb [signed-by=/etc/apt/keyrings/caddy-stable.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main"
|
||||
filename: caddy-stable
|
||||
state: present
|
||||
when:
|
||||
- ansible_facts['distribution'] == 'Debian'
|
||||
- ansible_facts['distribution_version'] is version('13', '==')
|
||||
- name: Add Caddy repository (Debian)
|
||||
ansible.builtin.apt_repository:
|
||||
repo: "deb [signed-by=/etc/apt/keyrings/caddy-stable.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main"
|
||||
filename: caddy-stable
|
||||
state: present
|
||||
when:
|
||||
- ansible_facts['distribution'] == 'Debian'
|
||||
- ansible_facts['distribution_version'] is version('13', '==')
|
||||
|
||||
- name: Add Caddy repository (Ubuntu)
|
||||
ansible.builtin.apt_repository:
|
||||
repo: "deb [signed-by=/etc/apt/keyrings/caddy-stable.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/ubuntu any-version main"
|
||||
filename: caddy-stable
|
||||
state: present
|
||||
when:
|
||||
- ansible_facts['distribution'] == 'Ubuntu'
|
||||
- ansible_facts['distribution_version'] is version('24.04', '==')
|
||||
- name: Add Caddy repository (Ubuntu)
|
||||
ansible.builtin.apt_repository:
|
||||
repo: "deb [signed-by=/etc/apt/keyrings/caddy-stable.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/ubuntu any-version main"
|
||||
filename: caddy-stable
|
||||
state: present
|
||||
when:
|
||||
- ansible_facts['distribution'] == 'Ubuntu'
|
||||
- ansible_facts['distribution_version'] is version('24.04', '==')
|
||||
|
||||
- name: Install Caddy
|
||||
ansible.builtin.apt:
|
||||
name: caddy
|
||||
state: present
|
||||
update_cache: true
|
||||
when:
|
||||
- "(ansible_facts['distribution'] == 'Debian' and (ansible_facts['distribution_version'] is version('13', '=='))) or (ansible_facts['distribution'] == 'Ubuntu' and (ansible_facts['distribution_version'] is version('24.04', '==')))"
|
||||
- name: Install Caddy
|
||||
ansible.builtin.apt:
|
||||
name: caddy
|
||||
state: present
|
||||
update_cache: true
|
||||
when:
|
||||
- "(ansible_facts['distribution'] == 'Debian' and (ansible_facts['distribution_version'] is version('13', '=='))) or (ansible_facts['distribution'] == 'Ubuntu' and (ansible_facts['distribution_version'] is version('24.04', '==')))"
|
||||
|
||||
- name: Deploy Caddyfile
|
||||
ansible.builtin.template:
|
||||
src: Caddyfile.j2
|
||||
dest: /etc/caddy/Caddyfile
|
||||
mode: '0644'
|
||||
notify: Reload caddy
|
||||
- name: Deploy Caddyfile
|
||||
ansible.builtin.template:
|
||||
src: Caddyfile.j2
|
||||
dest: /etc/caddy/Caddyfile
|
||||
mode: '0644'
|
||||
notify: Reload caddy
|
||||
|
||||
- name: Ensure Caddy is running
|
||||
ansible.builtin.service:
|
||||
name: caddy
|
||||
state: started
|
||||
enabled: true
|
||||
- name: Ensure Caddy is running
|
||||
ansible.builtin.service:
|
||||
name: caddy
|
||||
state: started
|
||||
enabled: true
|
||||
|
||||
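Review bot: The block-level `when: caddy_enabled | bool` is broader than the distro guards inside it, so on any non-Darwin host that is not Debian 13 or Ubuntu 24.04 (or on macOS forced with `-e caddy_enabled=true`) the repo, key and install tasks are skipped but `Deploy Caddyfile` and `Ensure Caddy is running` still execute and fail on a missing /etc/caddy or caddy unit. Rejecting that combination up front with an `ansible.builtin.assert` as the first task of the block makes the supported-platform requirement explicit instead of a mid-role template error. Separately, the Caddy signing key is fetched with `get_url` and trusted as-is; pinning it with a `checksum:` taken from a known-good copy would stop an altered download from becoming a trusted apt signer.
```yaml
- name: Configure Caddy reverse proxy
  when: caddy_enabled | bool
  block:
    - name: Refuse to configure Caddy on an unsupported platform
      ansible.builtin.assert:
        that:
          - "(ansible_facts['distribution'] == 'Debian' and (ansible_facts['distribution_version'] is version('13', '=='))) or (ansible_facts['distribution'] == 'Ubuntu' and (ansible_facts['distribution_version'] is version('24.04', '==')))"
        fail_msg: "caddy_enabled is true but this host is not Debian 13 / Ubuntu 24.04; run with -e caddy_enabled=false or add support for this platform"
    # … unchanged: repo prerequisites, keyring dir, GPG key, apt repos, install, Caddyfile, service …
```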
@ -591,9 +591,11 @@
|
||||
ansible.builtin.import_tasks: macos.yml
|
||||
when: ansible_os_family == 'Darwin'
|
||||
|
||||
- name: Configure Caddy integration
|
||||
become: true
|
||||
when: gateway_openclaw_caddy_enabled | bool
|
||||
# Caddy ingress for OpenClaw. Skipped entirely when caddy_enabled is false
|
||||
# (default on macOS single-host deploys), so /etc/caddy is never touched and no
|
||||
# caddy service is started/notified. Override with -e caddy_enabled=true.
|
||||
- name: Configure OpenClaw Caddy ingress
|
||||
when: caddy_enabled | bool
|
||||
block:
|
||||
- name: Ensure Caddy fragment directory exists
|
||||
ansible.builtin.file:
|
||||
|
||||