Add Caddy reverse proxy for blumeops services (#55)

## Summary - Add Caddy ansible role following zot pattern (manual build, ansible deploy) - Caddy built with Gandi DNS plugin for ACME DNS-01 challenges - Gandi PAT fetched from 1Password and written to secured file on indri - Configure wildcard TLS for `*.ops.eblu.me` - Initial services: forge, registry (indri-local) - Uses port 8443 during testing to avoid Tailscale serve conflicts ## Build Instructions (already done) On indri: ```bash cd ~/code/3rd/caddy && mise run build ``` ## Deployment and Testing - [ ] Review Caddyfile configuration - [ ] Run `mise run provision-indri -- --tags caddy` to deploy - [ ] Test: `curl -v https://forge.ops.eblu.me:8443` (should get TLS cert) - [ ] Test: `curl -v https://registry.ops.eblu.me:8443/v2/` (should return `{}`) - [ ] Once verified, switch to port 443 and migrate services from Tailscale serve ## Files Changed - `ansible/playbooks/indri.yml` - Add pre_task for Gandi PAT, add caddy role - `ansible/roles/caddy/` - New role with Caddyfile and LaunchAgent templates 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/55
2026-01-25 09:35:06 -08:00 · 2026-01-25 09:35:06 -08:00 · 682a68dc9c
commit 682a68dc9c
parent b08faa50cc
7 changed files with 222 additions and 0 deletions
--- a/ansible/playbooks/indri.yml
+++ b/ansible/playbooks/indri.yml
@ -78,6 +78,23 @@
      no_log: true
      tags: [forgejo_runner]

+    # Caddy Gandi token for ACME DNS-01 challenges
+    - name: Fetch Gandi PAT for Caddy
+      ansible.builtin.command:
+        cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get mco6ka3dc3rmw7zkg2dhia5d2m --fields pat --reveal
+      delegate_to: localhost
+      register: _caddy_gandi_token
+      changed_when: false
+      no_log: true
+      check_mode: false
+      tags: [caddy]
+
+    - name: Set Caddy Gandi token fact
+      ansible.builtin.set_fact:
+        caddy_gandi_token: "{{ _caddy_gandi_token.stdout }}"
+      no_log: true
+      tags: [caddy]
+
  roles:
    - role: alloy
      tags: alloy
@ -101,3 +118,5 @@
      tags: tailscale-serve
    - role: forgejo_runner
      tags: forgejo_runner
+    - role: caddy
+      tags: caddy