WIP Caddy caddy formula

2024-06-24 00:48:33 +02:00 · 2024-06-24 00:48:33 +02:00 · acd87c1814
commit acd87c1814
5 changed files with 111 additions and 0 deletions
--- a/Caddyfile.jinja
+++ b/Caddyfile.jinja
@ -0,0 +1,29 @@
+# THIS FILE IS MANAGED BY SALT! NO TOUCHY TOUCHY, JUST LOOKY LOOKY!
+
+(header) {
+	header {
+		# disable FLoC tracking
+		Permissions-Policy interest-cohort=()
+
+		# enable HSTS
+		Strict-Transport-Security max-age=31536000;
+
+		# disable clients from sniffing the media type
+		X-Content-Type-Options nosniff
+
+		# clickjacking protection
+		X-Frame-Options DENY
+
+		# keep referrer data off of HTTP connections
+		Referrer-Policy no-referrer-when-downgrade
+
+		X-XSS-Protection 1
+
+		Content-Security-Policy default-src https:
+	}
+}
+
+{% for site in salt['pillar.get']('caddy:sites') %}
+{{ site }}
+{% endfor %}
+
--- a/caddy/Caddyfile.jinja
+++ b/caddy/Caddyfile.jinja
@ -0,0 +1,29 @@
+# THIS FILE IS MANAGED BY SALT! NO TOUCHY TOUCHY, JUST LOOKY LOOKY!
+
+(header) {
+	header {
+		# disable FLoC tracking
+		Permissions-Policy interest-cohort=()
+
+		# enable HSTS
+		Strict-Transport-Security max-age=31536000;
+
+		# disable clients from sniffing the media type
+		X-Content-Type-Options nosniff
+
+		# clickjacking protection
+		X-Frame-Options DENY
+
+		# keep referrer data off of HTTP connections
+		Referrer-Policy no-referrer-when-downgrade
+
+		X-XSS-Protection 1
+
+		Content-Security-Policy default-src https:
+	}
+}
+
+{% for site in salt['pillar.get']('caddy:sites') %}
+{{ site }}
+{% endfor %}
+
--- a/caddy/init.sls
+++ b/caddy/init.sls
@ -0,0 +1,20 @@
+{% if grains['os'] == 'Ubuntu' %}
+caddy repository available:
+  pkgrepo.managed:
+    - name: deb https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
+    - key_url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
+{% endif %}
+
+caddy installed:
+  pkg.installed:
+    - name: caddy
+
+caddy service running:
+  service.running:
+    - name: caddy
+
+write caddy config file:
+  file.managed:
+    - name: /etc/caddy/Caddyfile
+    - source: salt://caddy/Caddyfile.jinja
+    - template: jinja
--- a/init.sls
+++ b/init.sls
@ -0,0 +1,20 @@
+{% if grains['os'] == 'Ubuntu' %}
+caddy repository available:
+  pkgrepo.managed:
+    - name: deb https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
+    - key_url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
+{% endif %}
+
+caddy installed:
+  pkg.installed:
+    - name: caddy
+
+caddy service running:
+  service.running:
+    - name: caddy
+
+write caddy config file:
+  file.managed:
+    - name: /etc/caddy/Caddyfile
+    - source: salt://caddy/Caddyfile.jinja
+    - template: jinja
--- a/pillar.example
+++ b/pillar.example
@ -0,0 +1,13 @@
+caddy:
+  sites:
+    - |
+      example.flipdot.org {
+        import header
+        respond "Hello World"
+      }
+
+    - |
+      testing.flipdot.org {
+        import header
+        reverse_proxy localhost:3000
+      }