feat/proxy-modular-attachments (#195)

stevius10 · web-flow · commit 06a77bc2f713 · 2025-10-22T10:49:51.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -6,3 +6,7 @@ local/*.hash
 
 .DS_Store
 .idea
+
+# git add --force '**/*.local*'
+
+*.local.caddy
diff --git a/config/recipes/repo/push.rb b/config/recipes/repo/push.rb
@@ -4,7 +4,7 @@
   cwd path_destination
   user node['app']['user']
   command <<-EOH
-  git add --all
+  git add --all && git add --force '**/*.local*'
   if ! git diff --quiet || ! git diff --cached --quiet; then
     git commit --allow-empty -m "initial commit [skip ci]"
     git push -f origin HEAD:main
diff --git a/libs/broker/templates/mosquitto.conf.erb b/libs/broker/templates/mosquitto.conf.erb
@@ -1,4 +1,6 @@
 listener <%= @port %>
+listener 9001
+protocol websockets
 
 persistence true
 persistence_location <%= @data_dir %>
diff --git a/libs/proxy/attributes/default.rb b/libs/proxy/attributes/default.rb
@@ -4,6 +4,11 @@
 default['app']['group']               = Default.group(node)
 
 default['proxy']['dir']['app']        = '/app/proxy'
+default['proxy']['dir']['config']     = '/app/proxy/conf.d'
 default['proxy']['dir']['logs']       = '/app/proxy/logs'
 
 default['proxy']['config']['domain']  = 'lan'
+
+default['proxy']['logs']['roll_size'] = '2MiB'
+default['proxy']['logs']['roll_keep'] = '3'
+default['proxy']['logs']['roll_for']  = '1d'
diff --git a/libs/proxy/files/default/config/10-assistant-example.caddy b/libs/proxy/files/default/config/10-assistant-example.caddy
@@ -0,0 +1,4 @@
+# http:
+#   use_x_forwarded_for: true
+#   trusted_proxies:
+#     - <IP_REVERSE_PROXY> # e. g. 192.168.178.101
diff --git a/libs/proxy/recipes/default.rb b/libs/proxy/recipes/default.rb
@@ -1,6 +1,6 @@
 Env.dump(self, ['ip', cookbook_name], repo: cookbook_name)
 
-Common.directories(self, [node['proxy']['dir']['app'], node['proxy']['dir']['logs']])
+Common.directories(self, [node['proxy']['dir']['app'], node['proxy']['dir']['config'], node['proxy']['dir']['logs']])
 
 package 'caddy'
 
@@ -9,22 +9,30 @@
     node.run_state['proxy_hosts'] = Utils.proxmox(node, 'nodes/pve/lxc').map do |state|
       config = Utils.proxmox(node, "nodes/pve/lxc/#{state['vmid']}/config")
       ip = config['net0'] ? config['net0'].match(/ip=([\d\.]+)/)&.[](1) : "404"
-      "#{state['name']}.#{node['proxy']['config']['domain']} #{ip}"
+      "#{state['name']}.#{node['proxy']['config']['domain']} #{ip} #{state['name']}"
     end
     Logs.info(node.run_state['proxy_hosts'])
   end
 end
 
 template "#{node['proxy']['dir']['app']}/Caddyfile" do
   source 'Caddyfile.erb'
-  owner  'root'
-  group  'root'
+  owner node['app']['user']
+  group node['app']['group']
   mode   '0644'
-  variables(
-    log_dir: node['proxy']['dir']['logs'], hosts: lazy { node.run_state['proxy_hosts'] || [] } )
+  variables( hosts: lazy { node.run_state['proxy_hosts'] || [] }, config_dir: node['proxy']['dir']['config'],
+    log_dir: node['proxy']['dir']['logs'], logs_roll_size: node['proxy']['logs']['roll_size'],
+    logs_roll_keep: node['proxy']['logs']['roll_keep'], logs_roll_for: node['proxy']['logs']['roll_for'] )
+end
+
+remote_directory node['proxy']['dir']['config'] do
+  source 'config'
+  owner node['app']['user']
+  group node['app']['group']
+  mode '0664'
 end
 
 Common.application(self, cookbook_name,
-  exec: "/bin/caddy run --config #{node['proxy']['dir']['app']}/Caddyfile",
-  subscribe: "template[#{node['proxy']['dir']['app']}/Caddyfile]",
+  exec: "/bin/caddy run --config #{node['proxy']['dir']['app']}/Caddyfile --adapter caddyfile",
+  subscribe: ["template[#{node['proxy']['dir']['app']}/Caddyfile]", "remote_directory[#{node['proxy']['dir']['config']}]"],
   unit: { 'Service' => { 'AmbientCapabilities' => 'CAP_NET_BIND_SERVICE' } } )
diff --git a/libs/proxy/templates/Caddyfile.erb b/libs/proxy/templates/Caddyfile.erb
@@ -5,14 +5,44 @@
   respond @external 403
 }
 
-<% @hosts.each do |entry| -%><% domain, ip = entry.split(' ') -%>
-<%= domain %> {
-  reverse_proxy <%= ip %>
-  tls internal
-  log {
-    output file <%= @log_dir %>/<%= domain %>.log
+(security_headers) {
+  header {
+    Strict-Transport-Security "max-age=31536000;"
+    X-Frame-Options "DENY"
+    X-Content-Type-Options "nosniff"
+    Permissions-Policy "interest-cohort=()"
+    -Server
   }
-  import internal
 }
 
-<% end -%>
+(proxy_headers) {
+  header_up Host {host}
+  header_up X-Real-IP {remote_ip}
+  header_up X-Forwarded-For {remote_ip}
+  header_up X-Forwarded-Proto {scheme}
+}
+
+<% @hosts.each do |entry| -%>
+  <% domain, upstream, hostname = entry.split(' ') -%>
+  <%= domain %> {
+    import security_headers
+    import internal
+
+    reverse_proxy <%= upstream %> {
+      import proxy_headers
+      header_up X-Container-IP <%= upstream.split(':').first %>
+    }
+
+    tls internal
+
+    log {
+      output file <%= @log_dir %>/<%= domain %>.log {
+        roll_size     <%= @logs_roll_size %>
+        roll_keep     <%= @logs_roll_keep %>
+        roll_keep_for <%= @logs_roll_for %>
+      }
+    }
+
+    import <%= @config_dir %>/<%= hostname %>*.caddy
+  }
+<% end -%>
