From 0cfd1af1b719be4e6abfda85cf20d0112bc137b4 Mon Sep 17 00:00:00 2001 From: Haitao Pan Date: Fri, 19 Jun 2026 09:14:09 +0000 Subject: [PATCH] feat(caddy): gate Caddy behind caddy_enabled (Linux on, macOS off) Add caddy_enabled (group_vars/all) defaulting to ansible_os_family != 'Darwin', overridable via -e caddy_enabled=true/false. Wrap the dedicated caddy role and the gateway_openclaw Caddy ingress block in 'when: caddy_enabled | bool' so macOS single-host deploys never touch /etc/caddy or start caddy, while Linux VPS deploys keep Caddy + HTTP/TLS by default. Notifies only fire from gated tasks, so the Reload caddy handlers stay inert when disabled. --- group_vars/all.yml | 8 +- roles/vhosts/caddy/tasks/main.yml | 124 ++++++++++--------- roles/vhosts/gateway_openclaw/tasks/main.yml | 8 +- 3 files changed, 77 insertions(+), 63 deletions(-)
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 9278609..737d9ea 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -3,6 +3,12 @@ ansible_ssh_user: root
ansible_ssh_private_key_file: ~/.ssh/id_rsa
ansible_host_key_checking: False
-# Global security level for public access.
+# Global security level for public access.
# Set to 'strict' to disable public Caddy/Ingress access for all roles.
ai_workspace_security_level: standard
+
+# Whether to install/configure the Caddy reverse proxy (public HTTP/TLS ingress).
+# Default: enabled on Linux, disabled on macOS single-host deploys (no system
+# Caddy, /etc/caddy not writable). Override anytime with -e caddy_enabled=true
+# (force on) or -e caddy_enabled=false (force off) — extra-vars win.
+caddy_enabled: "{{ ansible_os_family != 'Darwin' }}"
diff --git a/roles/vhosts/caddy/tasks/main.yml b/roles/vhosts/caddy/tasks/main.yml
index 860d918..3c34c97 100644
--- a/roles/vhosts/caddy/tasks/main.yml
+++ b/roles/vhosts/caddy/tasks/main.yml
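Review bot: `caddy_enabled` is templated from the injected fact variable `ansible_os_family`, so a play that reaches `when: caddy_enabled | bool` in either role with `gather_facts: false` (or with `inject_facts_as_vars` turned off) errors on an undefined variable instead of skipping Caddy. The caddy role's own tasks read `ansible_facts['distribution']` directly, so the same form fits here and can fail closed when facts are missing: `caddy_enabled: "{{ ansible_facts['os_family'] is defined and ansible_facts['os_family'] != 'Darwin' }}"`. Unless Jinja native types are enabled this value renders as the string `"True"`/`"False"`, so the `| bool` in every consumer is load-bearing; a one-line `# Rendered as a string: always consume via '| bool', never compare with == true` above the key would make that explicit for the next role that reads it.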
@@ -1,67 +1,73 @@
-- name: Ensure Caddy repo prerequisites
- ansible.builtin.apt:
- name:
- - ca-certificates
- - gnupg
- state: present
- update_cache: true
- when:
- "(ansible_facts['distribution'] == 'Debian' and (ansible_facts['distribution_version'] is version('13', '=='))) or (ansible_facts['distribution'] == 'Ubuntu' and (ansible_facts['distribution_version'] is version('24.04', '==')))"
+# The whole Caddy role is skipped when caddy_enabled is false (default on macOS
+# single-host deploys), so /etc/caddy is never touched and no caddy service is
+# expected. Override with -e caddy_enabled=true.
+- name: Configure Caddy reverse proxy
+ when: caddy_enabled | bool
+ block:
+ - name: Ensure Caddy repo prerequisites
+ ansible.builtin.apt:
+ name:
+ - ca-certificates
+ - gnupg
+ state: present
+ update_cache: true
+ when:
+ - "(ansible_facts['distribution'] == 'Debian' and (ansible_facts['distribution_version'] is version('13', '=='))) or (ansible_facts['distribution'] == 'Ubuntu' and (ansible_facts['distribution_version'] is version('24.04', '==')))"
-- name: Ensure apt keyring directory exists
- ansible.builtin.file:
- path: /etc/apt/keyrings
- state: directory
- owner: root
- group: root
- mode: '0755'
+ - name: Ensure apt keyring directory exists
+ ansible.builtin.file:
+ path: /etc/apt/keyrings
+ state: directory
+ owner: root
+ group: root
+ mode: '0755'
-- name: Download Caddy GPG key
- ansible.builtin.get_url:
- url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
- dest: /etc/apt/keyrings/caddy-stable.asc
- mode: '0644'
+ - name: Download Caddy GPG key
+ ansible.builtin.get_url:
+ url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
+ dest: /etc/apt/keyrings/caddy-stable.asc
+ mode: '0644'
-- name: Dearmor Caddy GPG key
- ansible.builtin.command:
- cmd: gpg --dearmor -o /etc/apt/keyrings/caddy-stable.gpg /etc/apt/keyrings/caddy-stable.asc
- creates: /etc/apt/keyrings/caddy-stable.gpg
+ - name: Dearmor Caddy GPG key
+ ansible.builtin.command:
+ cmd: gpg --dearmor -o /etc/apt/keyrings/caddy-stable.gpg /etc/apt/keyrings/caddy-stable.asc
+ creates: /etc/apt/keyrings/caddy-stable.gpg
-- name: Add Caddy repository (Debian)
- ansible.builtin.apt_repository:
- repo: "deb [signed-by=/etc/apt/keyrings/caddy-stable.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main"
- filename: caddy-stable
- state: present
- when:
- - ansible_facts['distribution'] == 'Debian'
- - ansible_facts['distribution_version'] is version('13', '==')
+ - name: Add Caddy repository (Debian)
+ ansible.builtin.apt_repository:
+ repo: "deb [signed-by=/etc/apt/keyrings/caddy-stable.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main"
+ filename: caddy-stable
+ state: present
+ when:
+ - ansible_facts['distribution'] == 'Debian'
+ - ansible_facts['distribution_version'] is version('13', '==')
-- name: Add Caddy repository (Ubuntu)
- ansible.builtin.apt_repository:
- repo: "deb [signed-by=/etc/apt/keyrings/caddy-stable.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/ubuntu any-version main"
- filename: caddy-stable
- state: present
- when:
- - ansible_facts['distribution'] == 'Ubuntu'
- - ansible_facts['distribution_version'] is version('24.04', '==')
+ - name: Add Caddy repository (Ubuntu)
+ ansible.builtin.apt_repository:
+ repo: "deb [signed-by=/etc/apt/keyrings/caddy-stable.gpg] https://dl.cloudsmith.io/public/caddy/stable/deb/ubuntu any-version main"
+ filename: caddy-stable
+ state: present
+ when:
+ - ansible_facts['distribution'] == 'Ubuntu'
+ - ansible_facts['distribution_version'] is version('24.04', '==')
-- name: Install Caddy
- ansible.builtin.apt:
- name: caddy
- state: present
- update_cache: true
- when:
- "(ansible_facts['distribution'] == 'Debian' and (ansible_facts['distribution_version'] is version('13', '=='))) or (ansible_facts['distribution'] == 'Ubuntu' and (ansible_facts['distribution_version'] is version('24.04', '==')))"
+ - name: Install Caddy
+ ansible.builtin.apt:
+ name: caddy
+ state: present
+ update_cache: true
+ when:
+ - "(ansible_facts['distribution'] == 'Debian' and (ansible_facts['distribution_version'] is version('13', '=='))) or (ansible_facts['distribution'] == 'Ubuntu' and (ansible_facts['distribution_version'] is version('24.04', '==')))"
-- name: Deploy Caddyfile
- ansible.builtin.template:
- src: Caddyfile.j2
- dest: /etc/caddy/Caddyfile
- mode: '0644'
- notify: Reload caddy
+ - name: Deploy Caddyfile
+ ansible.builtin.template:
+ src: Caddyfile.j2
+ dest: /etc/caddy/Caddyfile
+ mode: '0644'
+ notify: Reload caddy
-- name: Ensure Caddy is running
- ansible.builtin.service:
- name: caddy
- state: started
- enabled: true
+ - name: Ensure Caddy is running
+ ansible.builtin.service:
+ name: caddy
+ state: started
+ enabled: true
diff --git a/roles/vhosts/gateway_openclaw/tasks/main.yml b/roles/vhosts/gateway_openclaw/tasks/main.yml
index 32c33b9..76a3d08 100644
--- a/roles/vhosts/gateway_openclaw/tasks/main.yml
+++ b/roles/vhosts/gateway_openclaw/tasks/main.yml
@@ -591,9 +591,11 @@
ansible.builtin.import_tasks: macos.yml
when: ansible_os_family == 'Darwin'
-- name: Configure Caddy integration
- become: true
- when: gateway_openclaw_caddy_enabled | bool
+# Caddy ingress for OpenClaw. Skipped entirely when caddy_enabled is false
+# (default on macOS single-host deploys), so /etc/caddy is never touched and no
+# caddy service is started/notified. Override with -e caddy_enabled=true.
+- name: Configure OpenClaw Caddy ingress
+ when: caddy_enabled | bool
block:
- name: Ensure Caddy fragment directory exists
ansible.builtin.file:
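Review bot: Inside the new block only the apt/repository tasks check the Debian 13 / Ubuntu 24.04 conditions; `Ensure apt keyring directory exists`, `Download Caddy GPG key`, `Dearmor Caddy GPG key`, `Deploy Caddyfile` and `Ensure Caddy is running` run whenever `caddy_enabled` is true, which under the new default is every non-Darwin host, so a RHEL- or Alpine-family target gets `/etc/apt/keyrings` and `/etc/caddy/Caddyfile` written and then fails at the service task with a half-applied role. An assert as the first task in the block turns that into an early, explicit failure while still honouring `-e caddy_enabled=true` on a supported host. Separately, `Download Caddy GPG key` fetches the key that authorises the whole apt source without a `checksum:`; pinning it with `checksum: "sha256:<expected-key-digest>"` (placeholder, take the digest from a key you have verified out of band) means a changed or substituted key file fails the task instead of being dearmored and trusted. The gate reads `ansible_os_family` while these tasks read `ansible_facts[...]`; settling on one form keeps them from diverging when fact injection is disabled.
```yaml
- name: Configure Caddy reverse proxy
  when: caddy_enabled | bool
  block:
    - name: Assert this host is a release the Caddy role can install on
      ansible.builtin.assert:
        that:
          - "(ansible_facts['distribution'] == 'Debian' and (ansible_facts['distribution_version'] is version('13', '=='))) or (ansible_facts['distribution'] == 'Ubuntu' and (ansible_facts['distribution_version'] is version('24.04', '==')))"
        fail_msg: "caddy_enabled is true but this role only installs Caddy on Debian 13 or Ubuntu 24.04"

    # … unchanged: Ensure Caddy repo prerequisites through Ensure Caddy is running …
```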
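Review bot: The rewritten block header drops `become: true` and replaces the per-role `gateway_openclaw_caddy_enabled` switch with the global `caddy_enabled`, and the commit message mentions neither. The tasks under it (starting with `Ensure Caddy fragment directory exists`) write into Caddy's system directories, so they now appear to succeed only because group_vars connects as root; a later move to an unprivileged SSH user with `become` would break this role, and any inventory that set `gateway_openclaw_caddy_enabled: false` to keep OpenClaw off the public ingress would now get the ingress configured on Linux hosts. Keeping both is two lines in the header: `become: true` and `when: caddy_enabled | bool and (gateway_openclaw_caddy_enabled | default(true) | bool)`. The block body continues outside the hunk.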