From e351a1bd87da88ae529889c170f94c37815766c2 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Tue, 3 Feb 2026 21:12:50 -0800 Subject: [PATCH] Add Caddy reference card and fix replication tutorial sequence - Add reference/services/caddy.md with proxy configuration details - Fix tailscale-setup Next Steps to include core-services - Fix "BluemeOps" typo in tailscale-setup - Add Prerequisites link in core-services to tailscale-setup - Add Caddy to reference index Co-Authored-By: Claude Opus 4.5 --- docs/changelog.d/+caddy-docs.doc.md | 1 + docs/reference/index.md | 1 + docs/reference/services/caddy.md | 98 +++++++++++++++++++ docs/tutorials/replication/core-services.md | 2 + docs/tutorials/replication/tailscale-setup.md | 4 +- 5 files changed, 104 insertions(+), 2 deletions(-) create mode 100644 docs/changelog.d/+caddy-docs.doc.md create mode 100644 docs/reference/services/caddy.md diff --git a/docs/changelog.d/+caddy-docs.doc.md b/docs/changelog.d/+caddy-docs.doc.md new file mode 100644 index 0000000..df088dd --- /dev/null +++ b/docs/changelog.d/+caddy-docs.doc.md @@ -0,0 +1 @@ +Add Caddy reference card and fix replication tutorial sequence diff --git a/docs/reference/index.md b/docs/reference/index.md index 8c0ed62..11fd515 100644 --- a/docs/reference/index.md +++ b/docs/reference/index.md @@ -17,6 +17,7 @@ Individual service reference cards with URLs and configuration details. | [[alloy | Alloy]] | Observability collector (metrics & logs) | indri + k8s | | [[argocd]] | GitOps continuous delivery | k8s | | [[borgmatic]] | Backup system | indri | +| [[caddy]] | Reverse proxy & TLS termination | indri | | [[1password]] | Secrets management | cloud + k8s | | [[forgejo]] | Git forge & CI/CD | indri | | [[grafana]] | Dashboards & visualization | k8s | diff --git a/docs/reference/services/caddy.md b/docs/reference/services/caddy.md new file mode 100644 index 0000000..7430ddf --- /dev/null +++ b/docs/reference/services/caddy.md 
@@ -0,0 +1,98 @@ +--- +title: caddy +tags: + - service + - networking + - tls +--- + +# Caddy + +Reverse proxy for `*.ops.eblu.me` services with automatic TLS via ACME DNS-01. + +## Quick Reference + +| Property | Value | +|----------|-------| +| **Domain** | `*.ops.eblu.me` | +| **HTTPS Port** | 443 | +| **Config** | `ansible/roles/caddy/templates/Caddyfile.j2` | +| **Binary** | Custom build with Gandi DNS plugin | + +## Why Caddy? + +Caddy provides a single TLS termination point for all BlumeOps services: + +- **Wildcard certificate** for `*.ops.eblu.me` via Let's Encrypt +- **DNS-01 challenge** using Gandi API (no port 80 needed) +- **Unified access** from k8s pods, containers, and tailnet clients + +See [[routing]] for when to use `*.ops.eblu.me` vs `*.tail8d86e.ts.net`. + +## Proxied Services + +### Indri-Local Services + +| Subdomain | Backend | Service | +|-----------|---------|---------| +| `forge.ops.eblu.me` | `localhost:3001` | [[forgejo]] | +| `registry.ops.eblu.me` | `localhost:5050` | [[zot]] | +| `jellyfin.ops.eblu.me` | `localhost:8096` | [[jellyfin]] | + +### Kubernetes Services + +K8s services are proxied via their Tailscale Ingress endpoints: + +| Subdomain | Backend | Service | +|-----------|---------|---------| +| `grafana.ops.eblu.me` | `grafana.tail8d86e.ts.net` | [[grafana]] | +| `argocd.ops.eblu.me` | `argocd.tail8d86e.ts.net` | [[argocd]] | +| `docs.ops.eblu.me` | `docs.tail8d86e.ts.net` | [[docs]] | +| `feed.ops.eblu.me` | `feed.tail8d86e.ts.net` | [[miniflux]] | +| ... | ... 
| (see defaults/main.yml for full list) | + +### TCP Services (Layer 4) + +| Port | Backend | Service | +|------|---------|---------| +| 2222 | `localhost:2200` | Forgejo SSH | +| 5432 | `pg.tail8d86e.ts.net:5432` | [[postgresql]] | + +## Configuration + +Caddy is managed via the `caddy` Ansible role: + +```bash +# Deploy caddy changes +mise run provision-indri -- --tags caddy +``` + +**Key files:** +- `ansible/roles/caddy/defaults/main.yml` - Service definitions +- `ansible/roles/caddy/templates/Caddyfile.j2` - Caddy config template + +## Secrets + +| Secret | Source | Description | +|--------|--------|-------------| +| `GANDI_BEARER_TOKEN` | 1Password | API token for DNS-01 challenges | + +The token is written to `~/.config/caddy/gandi-token` (chmod 0600) and sourced by the Caddy wrapper script. + +## Custom Build + +Caddy is built from source with the Gandi DNS plugin: + +```bash +# Build location +~/code/3rd/caddy/bin/caddy +``` + +The build includes the `github.com/caddy-dns/gandi` plugin for ACME DNS-01 challenges. + +## Related + +- [[routing]] - Service routing architecture +- [[forgejo]] - Git forge (proxied by Caddy) +- [[zot]] - Container registry (proxied by Caddy) +- [[tailscale-operator]] - K8s services use Tailscale Ingress, then Caddy diff --git a/docs/tutorials/replication/core-services.md b/docs/tutorials/replication/core-services.md index 3dc5847..100598e 100644 --- a/docs/tutorials/replication/core-services.md +++ b/docs/tutorials/replication/core-services.md @@ -9,6 +9,8 @@ tags: # Core Services Setup > **Audiences:** Replicator +> +> **Prerequisites:** [[tutorials/replication/tailscale-setup | Tailscale Setup]] This tutorial walks through setting up the foundational services that your GitOps infrastructure depends on: a git forge and optionally a container registry. diff --git a/docs/tutorials/replication/tailscale-setup.md b/docs/tutorials/replication/tailscale-setup.md index 92d0a40..23b9ea2 100644 
--- a/docs/tutorials/replication/tailscale-setup.md +++ b/docs/tutorials/replication/tailscale-setup.md @@ -112,12 +112,12 @@ Tags must be defined in ACLs before use. ## Next Steps With networking established: +- [[tutorials/replication/core-services | Set Up Core Services]] - Install Forgejo and optionally a container registry - [[tutorials/replication/kubernetes-bootstrap | Bootstrap Kubernetes]] - Your cluster will join the tailnet -- Set up your server and storage devices ## BlumeOps Specifics -BluemeOps' Tailscale configuration includes: +BlumeOps' Tailscale configuration includes: - Multiple device tags (`homelab`, `nas`, `registry`, `k8s-api`) - Group-based access for family members - SSH access rules with authentication requirements
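Review bot: In the new docs/reference/services/caddy.md, the "TCP Services (Layer 4)" section documents raw TCP proxying on ports 2222 and 5432, but the "Custom Build" and "Quick Reference" sections say the binary is built with only the `github.com/caddy-dns/gandi` plugin; stock Caddy does not proxy arbitrary TCP, so the card should name the layer-4 plugin the build includes (or the hunk is describing a build that does not match the described config). While on that section, state which interface the L4 listeners bind to, since `5432 -> pg.tail8d86e.ts.net:5432` passes a database port straight through and a reader cannot tell from the card whether that is reachable only over the tailnet or on every interface of indri. In "Secrets", the line "The token is written to `~/.config/caddy/gandi-token` (chmod 0600) and sourced by the Caddy wrapper script" should also say which user runs Caddy and owns that file, and what the Gandi token is scoped to, because a DNS API token that can edit the zone is effectively control of every name under it; the table's "API token for DNS-01 challenges" understates that.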
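Review bot: In the docs/tutorials/replication/tailscale-setup.md hunk, the removed line `-- Set up your server and storage devices` drops a Next Steps item without a replacement, and neither the commit message nor the changelog entry ("Add Caddy reference card and fix replication tutorial sequence") mentions it. If server and storage setup is now covered by another tutorial, link it from the list; if it was dropped on purpose, say so in the commit message so replicators following the sequence do not lose that step.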