blumeops/ansible/roles/caddy/defaults/main.yml

---
# Caddy reverse proxy configuration
# Caddy is built manually from ~/code/3rd/caddy with the Gandi DNS plugin

caddy_repo_dir: /Users/erichblume/code/3rd/caddy
caddy_binary: "{{ caddy_repo_dir }}/bin/caddy"
caddy_config_dir: /Users/erichblume/.config/caddy
caddy_data_dir: /Users/erichblume/.local/share/caddy
caddy_log_dir: /Users/erichblume/Library/Logs

# Gandi API token file (written by ansible, chmod 0600)
# Caddy reads this file for ACME DNS-01 challenges
caddy_gandi_token_file: /Users/erichblume/.config/caddy/gandi-token

# Domain configuration
caddy_domain: ops.eblu.me

# HTTPS port (443 is standard)
caddy_https_port: 443

# Services to proxy
# Format: { name: "service", host: "hostname", backend: "url" }
caddy_services:
  # Indri-local services
  - name: forge
    host: "forge.{{ caddy_domain }}"
    backend: "http://localhost:3001"
  - name: registry
    host: "registry.{{ caddy_domain }}"
    backend: "http://localhost:5050"

  # K8s services (via minikube NodePort or ClusterIP)
  # These will be configured once we determine the correct backend URLs
  # - name: grafana
  #   host: "grafana.{{ caddy_domain }}"
  #   backend: "http://minikube-ip:nodeport"

# SSH services (Layer 4 TCP proxy)
# Format: { port: external_port, backend: "host:port" }
caddy_ssh_services:
  - port: 2222
    backend: "localhost:2200"  # Forgejo SSH
Add Caddy reverse proxy for blumeops services (#55) ## Summary - Add Caddy ansible role following zot pattern (manual build, ansible deploy) - Caddy built with Gandi DNS plugin for ACME DNS-01 challenges - Gandi PAT fetched from 1Password and written to secured file on indri - Configure wildcard TLS for `*.ops.eblu.me` - Initial services: forge, registry (indri-local) - Uses port 8443 during testing to avoid Tailscale serve conflicts ## Build Instructions (already done) On indri: ```bash cd ~/code/3rd/caddy && mise run build ``` ## Deployment and Testing - [ ] Review Caddyfile configuration - [ ] Run `mise run provision-indri -- --tags caddy` to deploy - [ ] Test: `curl -v https://forge.ops.eblu.me:8443` (should get TLS cert) - [ ] Test: `curl -v https://registry.ops.eblu.me:8443/v2/` (should return `{}`) - [ ] Once verified, switch to port 443 and migrate services from Tailscale serve ## Files Changed - `ansible/playbooks/indri.yml` - Add pre_task for Gandi PAT, add caddy role - `ansible/roles/caddy/` - New role with Caddyfile and LaunchAgent templates 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/55 2026-01-25 09:35:06 -08:00			`---`
			`# Caddy reverse proxy configuration`
			`# Caddy is built manually from ~/code/3rd/caddy with the Gandi DNS plugin`

			`caddy_repo_dir: /Users/erichblume/code/3rd/caddy`
			`caddy_binary: "{{ caddy_repo_dir }}/bin/caddy"`
			`caddy_config_dir: /Users/erichblume/.config/caddy`
			`caddy_data_dir: /Users/erichblume/.local/share/caddy`
			`caddy_log_dir: /Users/erichblume/Library/Logs`

			`# Gandi API token file (written by ansible, chmod 0600)`
			`# Caddy reads this file for ACME DNS-01 challenges`
			`caddy_gandi_token_file: /Users/erichblume/.config/caddy/gandi-token`

			`# Domain configuration`
			`caddy_domain: ops.eblu.me`

Add Caddy layer4 for Forgejo SSH (#56) ## Summary - Add layer4 TCP proxy configuration to Caddyfile template for SSH services - Configure Forgejo SSH on port 2222 → localhost:2200 - Switch HTTPS from port 8443 (testing) to 443 (production) - Requires Caddy rebuilt with `github.com/mholt/caddy-l4` plugin ## What This Enables Git+SSH access via `forge.ops.eblu.me:2222` is now accessible from: - Tailnet clients (gilbert) - Docker containers on indri - Kubernetes pods in minikube This solves the DNS resolution issues where containers couldn't reach Tailscale MagicDNS names. ## Testing Done - [x] Caddy rebuilt with layer4 plugin - [x] Validated Caddyfile syntax - [x] Cleared `svc:forge` from tailscale serve - [x] Verified HTTPS works: `curl https://forge.ops.eblu.me` - [x] Verified SSH works: `ssh -p 2222 forgejo@forge.ops.eblu.me` - [x] Verified git clone works via new endpoint - [x] Verified minikube pods can reach both HTTPS and SSH endpoints ## Deployment Caddy is already running with the new config on indri. This PR captures the ansible changes. ## Next Steps - Update zk docs with new git remote format - Migrate registry and other services to Caddy - Retire tailscale_services ansible role 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/56 2026-01-25 11:37:23 -08:00			`# HTTPS port (443 is standard)`
			`caddy_https_port: 443`
Add Caddy reverse proxy for blumeops services (#55) ## Summary - Add Caddy ansible role following zot pattern (manual build, ansible deploy) - Caddy built with Gandi DNS plugin for ACME DNS-01 challenges - Gandi PAT fetched from 1Password and written to secured file on indri - Configure wildcard TLS for `*.ops.eblu.me` - Initial services: forge, registry (indri-local) - Uses port 8443 during testing to avoid Tailscale serve conflicts ## Build Instructions (already done) On indri: ```bash cd ~/code/3rd/caddy && mise run build ``` ## Deployment and Testing - [ ] Review Caddyfile configuration - [ ] Run `mise run provision-indri -- --tags caddy` to deploy - [ ] Test: `curl -v https://forge.ops.eblu.me:8443` (should get TLS cert) - [ ] Test: `curl -v https://registry.ops.eblu.me:8443/v2/` (should return `{}`) - [ ] Once verified, switch to port 443 and migrate services from Tailscale serve ## Files Changed - `ansible/playbooks/indri.yml` - Add pre_task for Gandi PAT, add caddy role - `ansible/roles/caddy/` - New role with Caddyfile and LaunchAgent templates 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/55 2026-01-25 09:35:06 -08:00
			`# Services to proxy`
			`# Format: { name: "service", host: "hostname", backend: "url" }`
			`caddy_services:`
			`# Indri-local services`
			`- name: forge`
			`host: "forge.{{ caddy_domain }}"`
			`backend: "http://localhost:3001"`
			`- name: registry`
			`host: "registry.{{ caddy_domain }}"`
			`backend: "http://localhost:5050"`

			`# K8s services (via minikube NodePort or ClusterIP)`
			`# These will be configured once we determine the correct backend URLs`
			`# - name: grafana`
			`# host: "grafana.{{ caddy_domain }}"`
			`# backend: "http://minikube-ip:nodeport"`
Add Caddy layer4 for Forgejo SSH (#56) ## Summary - Add layer4 TCP proxy configuration to Caddyfile template for SSH services - Configure Forgejo SSH on port 2222 → localhost:2200 - Switch HTTPS from port 8443 (testing) to 443 (production) - Requires Caddy rebuilt with `github.com/mholt/caddy-l4` plugin ## What This Enables Git+SSH access via `forge.ops.eblu.me:2222` is now accessible from: - Tailnet clients (gilbert) - Docker containers on indri - Kubernetes pods in minikube This solves the DNS resolution issues where containers couldn't reach Tailscale MagicDNS names. ## Testing Done - [x] Caddy rebuilt with layer4 plugin - [x] Validated Caddyfile syntax - [x] Cleared `svc:forge` from tailscale serve - [x] Verified HTTPS works: `curl https://forge.ops.eblu.me` - [x] Verified SSH works: `ssh -p 2222 forgejo@forge.ops.eblu.me` - [x] Verified git clone works via new endpoint - [x] Verified minikube pods can reach both HTTPS and SSH endpoints ## Deployment Caddy is already running with the new config on indri. This PR captures the ansible changes. ## Next Steps - Update zk docs with new git remote format - Migrate registry and other services to Caddy - Retire tailscale_services ansible role 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/56 2026-01-25 11:37:23 -08:00
			`# SSH services (Layer 4 TCP proxy)`
			`# Format: { port: external_port, backend: "host:port" }`
			`caddy_ssh_services:`
			`- port: 2222`
			`backend: "localhost:2200" # Forgejo SSH`