Add Caddy reverse proxy for blumeops services #55

Merged
eblume merged 3 commits from feature/caddy-reverse-proxy into main 2026-01-25 09:35:07 -08:00
Summary

  • Add Caddy ansible role following zot pattern (manual build, ansible deploy)
  • Caddy built with Gandi DNS plugin for ACME DNS-01 challenges
  • Gandi PAT fetched from 1Password and written to secured file on indri
  • Configure wildcard TLS for *.ops.eblu.me
  • Initial services: forge, registry (indri-local)
  • Uses port 8443 during testing to avoid Tailscale serve conflicts

Build Instructions (already done)

On indri:

cd ~/code/3rd/caddy && mise run build

Deployment and Testing

  • Review Caddyfile configuration
  • Run mise run provision-indri -- --tags caddy to deploy
  • Test: curl -v https://forge.ops.eblu.me:8443 (should get TLS cert)
  • Test: curl -v https://registry.ops.eblu.me:8443/v2/ (should return {})
  • Once verified, switch to port 443 and migrate services from Tailscale serve

Files Changed

  • ansible/playbooks/indri.yml - Add pre_task for Gandi PAT, add caddy role
  • ansible/roles/caddy/ - New role with Caddyfile and LaunchAgent templates

🤖 Generated with Claude Code

- Create caddy role following zot pattern (manual build, ansible deploy)
- Caddy built with Gandi DNS plugin for ACME DNS-01 challenges
- Gandi PAT fetched from 1Password and written to secured file on indri
- Configure wildcard TLS for *.ops.eblu.me
- Initial services: forge, registry (indri-local)
- Uses port 8443 during testing to avoid Tailscale serve conflicts

Build instructions (on indri):
  cd ~/code/3rd/caddy && mise run build

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use correct Gandi DNS syntax: dns gandi {env.VAR} (not nested block)
- Add wrapper script to load token from file into environment variable
- Update LaunchAgent to use wrapper script

Caddy now successfully obtains Let's Encrypt wildcard certs via DNS-01.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
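The PR description and the third commit between them describe two pieces: a Caddyfile that terminates a wildcard `*.ops.eblu.me` certificate obtained over ACME DNS-01 with the Gandi plugin, and a wrapper script that loads the Gandi PAT from a secured file into an environment variable before Caddy starts (so the token is read through Caddy's `{env.VAR}` placeholder rather than written into the Caddyfile or passed on the command line). The script below is an added example in that spirit and is not the role's own files: the token path, the variable name `GANDI_API_TOKEN`, the `caddy run` arguments, and the backend upstreams for forge (`localhost:3000`) and the zot registry (`localhost:5000`) are assumptions, not values taken from the repository. The check the wrapper adds that a practitioner would want is that the token file is a regular file owned by the invoking user with no group/other permission bits, so a mis-deployed 0644 file fails loudly instead of leaking the PAT.

```shell
#!/bin/sh
# Added example, not code from the blumeops repository. Loads a Gandi PAT from a
# permission-checked file into GANDI_API_TOKEN and execs Caddy, and renders the
# wildcard Caddyfile that references that variable. Paths, ports, upstreams and
# the variable name are assumptions.
set -eu

# Print the token's first line, or fail if the file is a symlink, not a regular
# file, readable by group/other, owned by someone else, or empty.
read_token_file() {
    f=$1
    token=
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "token file $f: not a regular file" >&2; return 1
    fi
    # GNU stat first, BSD/macOS stat (indri runs launchd) as the fallback.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    owner=$(stat -c %u "$f" 2>/dev/null || stat -f %u "$f")
    case "$mode" in
        *00) ;;   # group and other bits are all zero (0600, 0400, ...)
        *) echo "token file $f: mode $mode is readable by group/other" >&2; return 1 ;;
    esac
    if [ "$owner" != "$(id -u)" ]; then
        echo "token file $f: not owned by uid $(id -u)" >&2; return 1
    fi
    # read returns non-zero at EOF without a trailing newline; keep what it read.
    IFS= read -r token < "$f" || [ -n "$token" ]
    if [ -z "$token" ]; then
        echo "token file $f: empty" >&2; return 1
    fi
    printf '%s\n' "$token"
}

# Render a Caddyfile with one wildcard site: a single certificate for
# *.<domain> via DNS-01, host matchers routing to local backends, and an
# explicit 404 for any other name under the wildcard. The flat
# "dns gandi {env.VAR}" form is the syntax the commit message settled on.
render_caddyfile() {
    domain=$1; port=$2; forge_upstream=$3; registry_upstream=$4
    cat <<EOF
*.${domain}:${port} {
    tls {
        dns gandi {env.GANDI_API_TOKEN}
    }

    @forge host forge.${domain}
    handle @forge {
        reverse_proxy ${forge_upstream}
    }

    @registry host registry.${domain}
    handle @registry {
        reverse_proxy ${registry_upstream}
    }

    # Unknown subdomains get a 404 rather than falling through to a backend.
    handle {
        respond 404
    }
}
EOF
}

# Entry point a LaunchAgent would call: token into the environment, then exec
# so launchd supervises caddy itself rather than this shell.
caddy_wrapper_main() {
    token_file=${CADDY_TOKEN_FILE:-/usr/local/etc/caddy/gandi.token}   # assumed path
    GANDI_API_TOKEN=$(read_token_file "$token_file")
    export GANDI_API_TOKEN
    exec caddy run --config "${CADDY_CONFIG:-/usr/local/etc/caddy/Caddyfile}" --adapter caddyfile
}

case "${1:-}" in
    render) render_caddyfile "${2:-ops.eblu.me}" "${3:-8443}" "${4:-localhost:3000}" "${5:-localhost:5000}" ;;
    run)    caddy_wrapper_main ;;
esac
```

`sh caddy-wrapper.sh render` prints the Caddyfile for the 8443 test phase (change the port argument to 443 once Tailscale serve is retired); `sh caddy-wrapper.sh run` is what the LaunchAgent's ProgramArguments would point at. Because Caddy resolves `{env.GANDI_API_TOKEN}` at load time, the token never appears in the Caddyfile, in `ps` output, or in the launchd plist.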
eblume merged commit 682a68dc9c into main 2026-01-25 09:35:07 -08:00
Reference
eblume/blumeops!55