new role and FWCNs

roles/reverseproxy/tasks/caddy.yml

@@ -0,0 +1,17 @@
+# Load distro-specific variables
+- include_vars: "{{ ansible_distribution | lower }}.yml"
+  tags: always
+  ignore_errors: True
+
+- block:
+  - debug:
+      msg: Debug
+
+  # Perform remaining tasks:
+  - ansible.builtin.import_tasks: caddy_install.yml
+  - ansible.builtin.import_tasks: caddy_config.yml
+  - ansible.builtin.import_tasks: caddy_service.yml
+
+  rescue:
+    - set_fact: task_failed=true
+    

roles/reverseproxy/tasks/caddy_config.yml

@@ -0,0 +1,18 @@
+---
+- name: Create Caddy config dir
+  file:
+    path: /etc/caddy
+    state: directory
+    mode: 0755
+
+- name: Deploy Caddyfile
+  template:
+    src: Caddyfile.j2
+    dest: /etc/caddy/Caddyfile
+    mode: 0644
+
+- name: Deploy PowerDNS env file
+  template:
+    src: powerdns.env.j2
+    dest: /etc/caddy/powerdns.env
+    mode: 0600

roles/reverseproxy/tasks/caddy_install.yml

@@ -0,0 +1,37 @@
+---
+- name: Install dependencies
+  apt:
+    name:
+      - curl
+      - unzip
+      - git
+      - build-essential
+    state: present
+    update_cache: yes
+
+- name: Download xcaddy
+  get_url:
+    url: https://github.com/caddyserver/xcaddy/releases/download/v0.9.5/xcaddy_0.9.5_linux_amd64.tar.gz
+    dest: /tmp/xcaddy.tar.gz
+
+- name: Extract xcaddy
+  unarchive:
+    src: /tmp/xcaddy.tar.gz
+    dest: /usr/local/bin/
+    mode: 0755
+    remote_src: yes
+
+- name: Build Caddy with PowerDNS DNS plugin
+  command: >
+    xcaddy build
+    --with github.com/caddy-dns/powerdns
+  args:
+    chdir: /usr/local/bin
+    creates: /usr/local/bin/caddy-custom
+
+- name: Move custom caddy binary
+  copy:
+    src: /usr/local/bin/caddy
+    dest: /usr/local/bin/caddy
+    mode: 0755
+    remote_src: yes

roles/reverseproxy/tasks/caddy_service.yml

@@ -0,0 +1,31 @@
+---
+- name: Install systemd service
+  copy:
+    dest: /etc/systemd/system/caddy.service
+    mode: 0644
+    content: |
+      [Unit]
+      Description=Caddy
+      After=network-online.target
+      Wants=network-online.target
+
+      [Service]
+      EnvironmentFile=/etc/caddy/powerdns.env
+      ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
+      ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
+      Restart=on-failure
+      User=root
+      Group=root
+
+      [Install]
+      WantedBy=multi-user.target
+
+- name: Reload systemd
+  systemd:
+    daemon_reload: yes
+
+- name: Enable and start Caddy
+  systemd:
+    name: caddy
+    state: started
+    enabled: yes

roles/reverseproxy/tasks/main.yml

@@ -0,0 +1,11 @@
+# Load distro specific variables
+- include_vars: "{{ ansible_distribution | lower }}.yml"
+  tags: always
+  ignore_errors: True
+- include_vars: "{{ ansible_fqdn | lower }}.yml"
+  ignore_errors: True
+
+- include_tasks: caddy.yml
+  when:
+    - caddy is defined
+    - caddy == true

roles/reverseproxy/templates/Caddyfile.j2

@@ -0,0 +1,23 @@
+{
+    email admin@example.net
+
+    acme_dns powerdns {
+        api_url {env.PDNS_API_URL}
+        api_key {env.PDNS_API_KEY}
+        server_id {env.PDNS_SERVER_ID}
+    }
+}
+
+nextcloud.example.net {
+    reverse_proxy 10.10.20.10:443
+    tls {
+        dns powerdns
+    }
+}
+
+gitea.example.org {
+    reverse_proxy 10.10.30.20:3000
+    tls {
+        dns powerdns
+    }
+}

roles/reverseproxy/templates/powerdns.env.j2

@@ -0,0 +1,3 @@
+PDNS_API_KEY="{{ pdns_api_key }}"
+PDNS_API_URL="{{ pdns_api_url }}"
+PDNS_SERVER_ID="{{ pdns_server_id }}"