linderhof/roles/caddy/tasks/main.yml

- name: Allow HTTP traffic
  ufw:
    rule: allow
    port: 80
    proto: tcp

- name: Allow HTTPS traffic
  ufw:
    rule: allow
    port: 443
    proto: tcp

- name: Allow HTTPS/QUIC (HTTP/3) traffic
  ufw:
    rule: allow
    port: 443
    proto: udp

- name: Create Caddy directories
  file:
    path: "/srv/caddy/{{ item }}"
    state: directory
    owner: root
    group: docker
    mode: "0755"
  loop:
    - ""
    - data
    - config
    - sites

- name: Create site roots
  file:
    path: "/srv/caddy/sites/{{ item }}"
    state: directory
    owner: root
    group: docker
    mode: "0775" # also allow members of the docker group to write
  loop: "{{ caddy_sites }}"

- name: Install Caddyfile
  template:
    src: Caddyfile.j2
    dest: /srv/caddy/Caddyfile
    owner: root
    group: docker
    mode: "0644"
  notify: Restart Caddy
  tags: config

- name: Check for cached goaccess hash
  ansible.builtin.stat:
    path: /srv/caddy/.goaccess_hash
  register: _goaccess_hash_stat
  when: enable_goaccess | default(true)

- name: Read goaccess hash from cache
  ansible.builtin.slurp:
    src: /srv/caddy/.goaccess_hash
  register: _goaccess_hash_file
  when: enable_goaccess | default(true) and _goaccess_hash_stat.stat.exists

- name: Set goaccess hash fact from cache
  ansible.builtin.set_fact:
    caddy_goaccess_hash_stdout: "{{ _goaccess_hash_file.content | b64decode | trim }}"
  when: enable_goaccess | default(true) and _goaccess_hash_stat.stat.exists

- name: Generate goaccess password hash
  ansible.builtin.command:
    argv:
      - docker
      - run
      - --rm
      - "caddy:{{ caddy_version }}"
      - caddy
      - hash-password
      - --plaintext
      - "{{ goaccess_password }}"
  register: _goaccess_hash_result
  changed_when: false
  no_log: true
  when: enable_goaccess | default(true) and not _goaccess_hash_stat.stat.exists

- name: Cache goaccess hash
  ansible.builtin.copy:
    content: "{{ _goaccess_hash_result.stdout }}"
    dest: /srv/caddy/.goaccess_hash
    mode: "0600"
  when: enable_goaccess | default(true) and not _goaccess_hash_stat.stat.exists

- name: Set goaccess hash fact from generation
  ansible.builtin.set_fact:
    caddy_goaccess_hash_stdout: "{{ _goaccess_hash_result.stdout }}"
  when: enable_goaccess | default(true) and not _goaccess_hash_stat.stat.exists

- name: Deploy Caddy compose.yml
  template:
    src: compose.yml.j2
    dest: /srv/caddy/compose.yml
    owner: root
    group: docker
    mode: "0644"
  notify: Restart Caddy
  tags: config
initial commit Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-02-27 15:09:25 -07:00			`- name: Allow HTTP traffic`
			`ufw:`
			`rule: allow`
			`port: 80`
			`proto: tcp`

			`- name: Allow HTTPS traffic`
			`ufw:`
			`rule: allow`
			`port: 443`
			`proto: tcp`

			`- name: Allow HTTPS/QUIC (HTTP/3) traffic`
			`ufw:`
			`rule: allow`
			`port: 443`
			`proto: udp`

			`- name: Create Caddy directories`
			`file:`
			`path: "/srv/caddy/{{ item }}"`
			`state: directory`
			`owner: root`
			`group: docker`
			`mode: "0755"`
			`loop:`
			`- ""`
			`- data`
			`- config`
			`- sites`

			`- name: Create site roots`
			`file:`
			`path: "/srv/caddy/sites/{{ item }}"`
			`state: directory`
			`owner: root`
			`group: docker`
			`mode: "0775" # also allow members of the docker group to write`
			`loop: "{{ caddy_sites }}"`

			`- name: Install Caddyfile`
			`template:`
			`src: Caddyfile.j2`
			`dest: /srv/caddy/Caddyfile`
			`owner: root`
			`group: docker`
			`mode: "0644"`
			`notify: Restart Caddy`
			`tags: config`

			`- name: Check for cached goaccess hash`
			`ansible.builtin.stat:`
			`path: /srv/caddy/.goaccess_hash`
			`register: _goaccess_hash_stat`
			`when: enable_goaccess \| default(true)`

			`- name: Read goaccess hash from cache`
			`ansible.builtin.slurp:`
			`src: /srv/caddy/.goaccess_hash`
			`register: _goaccess_hash_file`
			`when: enable_goaccess \| default(true) and _goaccess_hash_stat.stat.exists`

			`- name: Set goaccess hash fact from cache`
			`ansible.builtin.set_fact:`
			`caddy_goaccess_hash_stdout: "{{ _goaccess_hash_file.content \| b64decode \| trim }}"`
			`when: enable_goaccess \| default(true) and _goaccess_hash_stat.stat.exists`

			`- name: Generate goaccess password hash`
			`ansible.builtin.command:`
			`argv:`
			`- docker`
			`- run`
			`- --rm`
			`- "caddy:{{ caddy_version }}"`
			`- caddy`
			`- hash-password`
			`- --plaintext`
			`- "{{ goaccess_password }}"`
			`register: _goaccess_hash_result`
			`changed_when: false`
			`no_log: true`
			`when: enable_goaccess \| default(true) and not _goaccess_hash_stat.stat.exists`

			`- name: Cache goaccess hash`
			`ansible.builtin.copy:`
			`content: "{{ _goaccess_hash_result.stdout }}"`
			`dest: /srv/caddy/.goaccess_hash`
			`mode: "0600"`
			`when: enable_goaccess \| default(true) and not _goaccess_hash_stat.stat.exists`

			`- name: Set goaccess hash fact from generation`
			`ansible.builtin.set_fact:`
			`caddy_goaccess_hash_stdout: "{{ _goaccess_hash_result.stdout }}"`
			`when: enable_goaccess \| default(true) and not _goaccess_hash_stat.stat.exists`

			`- name: Deploy Caddy compose.yml`
			`template:`
			`src: compose.yml.j2`
			`dest: /srv/caddy/compose.yml`
			`owner: root`
			`group: docker`
			`mode: "0644"`
			`notify: Restart Caddy`
			`tags: config`