feat(caddy): OS-aware caddy_config_dir (Linux /etc/caddy, macOS brew)

Add caddy_config_dir = /etc/caddy on Linux, /opt/homebrew/etc/caddy on macOS. Derive the Caddyfile / conf.d / fragment paths in the caddy role and the gateway_openclaw/litellm/xworkmate_bridge roles from it, so a force-enabled Caddy (caddy_enabled=true) on macOS writes to the Homebrew location instead of the unwritable /etc/caddy. Default (caddy_enabled=false on macOS) still skips Caddy entirely.
2026-06-19 10:00:56 +00:00 · 2026-06-19 10:00:56 +00:00 · c07874b4d4
commit c07874b4d4
parent 784f683a3b
6 changed files with 23 additions and 16 deletions
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@ -12,3 +12,8 @@ ai_workspace_security_level: standard
 # Caddy, /etc/caddy not writable). Override anytime with -e caddy_enabled=true
 # (force on) or -e caddy_enabled=false (force off) — extra-vars win.
 caddy_enabled: "{{ ansible_os_family != 'Darwin' }}"
+
+# Caddy config root. Linux uses the system path /etc/caddy; macOS (Homebrew)
+# uses /opt/homebrew/etc/caddy. Roles derive their Caddyfile / conf.d / fragment
+# paths from this so a force-enabled Caddy on macOS writes to the brew location.
+caddy_config_dir: "{{ '/opt/homebrew/etc/caddy' if ansible_os_family == 'Darwin' else '/etc/caddy' }}"
--- a/roles/vhosts/caddy/tasks/main.yml
+++ b/roles/vhosts/caddy/tasks/main.yml
@ -59,10 +59,16 @@
      when:
        - "(ansible_facts['distribution'] == 'Debian' and (ansible_facts['distribution_version'] is version('13', '=='))) or (ansible_facts['distribution'] == 'Ubuntu' and (ansible_facts['distribution_version'] is version('24.04', '==')))"

+    - name: Ensure Caddy config directory exists
+      ansible.builtin.file:
+        path: "{{ caddy_config_dir }}"
+        state: directory
+        mode: '0755'
+
    - name: Deploy Caddyfile
      ansible.builtin.template:
        src: Caddyfile.j2
-        dest: /etc/caddy/Caddyfile
+        dest: "{{ caddy_config_dir }}/Caddyfile"
        mode: '0644'
      notify: Reload caddy

--- a/roles/vhosts/caddy/templates/Caddyfile.j2
+++ b/roles/vhosts/caddy/templates/Caddyfile.j2
@ -2,7 +2,7 @@
 	# debug
 }

-import /etc/caddy/conf.d/*.caddy
+import {{ caddy_config_dir }}/conf.d/*.caddy

 {% if caddy_portal_domains | default([], true) | length > 0 and caddy_portal_proxy | default('', true) | length > 0 %}
 ############################
--- a/roles/vhosts/gateway_openclaw/defaults/main.yml
+++ b/roles/vhosts/gateway_openclaw/defaults/main.yml
@ -7,11 +7,9 @@ gateway_openclaw_domain: openclaw.svc.plus
 # When false, disables public Caddy access to OpenClaw.
 gateway_openclaw_public_access: false

-gateway_openclaw_caddy_enabled: "{{ gateway_openclaw_public_access | bool }}"
-gateway_openclaw_caddy_base_dir: "{{ '/opt/homebrew/etc/caddy' if ansible_os_family == 'Darwin' else '/etc/caddy' }}"
-gateway_openclaw_caddyfile_path: "{{ gateway_openclaw_caddy_base_dir }}/Caddyfile"
-gateway_openclaw_caddy_conf_dir: "{{ gateway_openclaw_caddy_base_dir }}/conf.d"
-gateway_openclaw_caddy_fragment_path: "{{ gateway_openclaw_caddy_conf_dir }}/{{ gateway_openclaw_domain }}.caddy"
+gateway_openclaw_caddyfile_path: "{{ caddy_config_dir }}/Caddyfile"
+gateway_openclaw_caddy_conf_dir: "{{ caddy_config_dir }}/conf.d"
+gateway_openclaw_caddy_fragment_path: "{{ caddy_config_dir }}/conf.d/{{ gateway_openclaw_domain }}.caddy"
 gateway_openclaw_access_log_path: /var/log/caddy/clawdbot.access.log

 gateway_openclaw_service_name: openclaw-gateway
--- a/roles/vhosts/litellm/defaults/main.yml
+++ b/roles/vhosts/litellm/defaults/main.yml
@ -39,9 +39,8 @@ litellm_gemini_api_key: "{{ lookup('ansible.builtin.env', 'GEMINI_API_KEY') | de
 litellm_anthropic_api_key: "{{ lookup('ansible.builtin.env', 'ANTHROPIC_API_KEY') | default('', true) }}"
 litellm_ollama_api_key: "{{ lookup('ansible.builtin.env', 'OLLAMA_API_KEY') | default('', true) }}"

-litellm_caddy_base_dir: "{{ /opt/homebrew/etc/caddy if ansible_os_family == Darwin else /etc/caddy }}"
-litellm_caddyfile_path: "{{ litellm_caddy_base_dir }}/Caddyfile"
-litellm_caddy_conf_dir: "{{ litellm_caddy_base_dir }}/conf.d"
+litellm_caddyfile_path: "{{ caddy_config_dir }}/Caddyfile"
+litellm_caddy_conf_dir: "{{ caddy_config_dir }}/conf.d"

 litellm_basic_auth_username: "{{ litellm_ui_username }}"
 # litellm_basic_auth_password_hash is generated dynamically via tasks
@ -49,8 +48,8 @@ litellm_basic_auth_username: "{{ litellm_ui_username }}"
 litellm_api_domain: api.svc.plus
 litellm_ui_domain: litellm.svc.plus
 litellm_ui_path: /ui
-litellm_api_caddy_fragment_path: "{{ litellm_caddy_base_dir }}/conf.d/{{ litellm_api_domain }}.caddy"
-litellm_ui_caddy_fragment_path: "{{ litellm_caddy_base_dir }}/conf.d/{{ litellm_ui_domain }}.caddy"
+litellm_api_caddy_fragment_path: "{{ caddy_config_dir }}/conf.d/{{ litellm_api_domain }}.caddy"
+litellm_ui_caddy_fragment_path: "{{ caddy_config_dir }}/conf.d/{{ litellm_ui_domain }}.caddy"
 litellm_caddy_config_enabled: false
 litellm_enable_basic_auth: false

--- a/roles/vhosts/xworkmate_bridge/defaults/main.yml
+++ b/roles/vhosts/xworkmate_bridge/defaults/main.yml
@ -59,10 +59,9 @@ xworkmate_bridge_validation_validate_certs: true
 xworkmate_bridge_validation_origin: https://xworkmate.svc.plus

 # Caddy configuration paths
-xworkmate_bridge_caddy_base_dir: "{{ /opt/homebrew/etc/caddy if ansible_os_family == Darwin else /etc/caddy }}"
-xworkmate_bridge_caddyfile_path: "{{ xworkmate_bridge_caddy_base_dir }}/Caddyfile"
-xworkmate_bridge_caddy_conf_dir: "{{ xworkmate_bridge_caddy_base_dir }}/conf.d"
-xworkmate_bridge_service_caddy_fragment_path: "{{ xworkmate_bridge_caddy_base_dir }}/conf.d/xworkmate-bridge.caddy"
+xworkmate_bridge_caddyfile_path: "{{ caddy_config_dir }}/Caddyfile"
+xworkmate_bridge_caddy_conf_dir: "{{ caddy_config_dir }}/conf.d"
+xworkmate_bridge_service_caddy_fragment_path: "{{ caddy_config_dir }}/conf.d/xworkmate-bridge.caddy"

 # Upstream host/port settings for summary and validation
 xworkmate_bridge_codex_upstream_host: 127.0.0.1