commit acd87c181483d9d183045617dd90d539f933286a
Author: Malte
Date: Mon Jun 24 00:48:33 2024 +0200
WIP Caddy caddy formula
diff --git a/Caddyfile.jinja b/Caddyfile.jinja
new file mode 100644
index 0000000..1cbf748
--- /dev/null
+++ b/Caddyfile.jinja
@@ -0,0 +1,29 @@
+# THIS FILE IS MANAGED BY SALT! NO TOUCHY TOUCHY, JUST LOOKY LOOKY!
+
+(header) {
+ header {
+ # disable FLoC tracking
+ Permissions-Policy interest-cohort=()
+
+ # enable HSTS
+ Strict-Transport-Security max-age=31536000;
+
+ # disable clients from sniffing the media type
+ X-Content-Type-Options nosniff
+
+ # clickjacking protection
+ X-Frame-Options DENY
+
+ # keep referrer data off of HTTP connections
+ Referrer-Policy no-referrer-when-downgrade
+
+ X-XSS-Protection 1
+
+ Content-Security-Policy default-src https:
+ }
+}
+
+{% for site in salt['pillar.get']('caddy:sites') %}
+{{ site }}
+{% endfor %}
+
diff --git a/caddy/Caddyfile.jinja b/caddy/Caddyfile.jinja
new file mode 100644
index 0000000..1cbf748
--- /dev/null
+++ b/caddy/Caddyfile.jinja
@@ -0,0 +1,29 @@
+# THIS FILE IS MANAGED BY SALT! NO TOUCHY TOUCHY, JUST LOOKY LOOKY!
+
+(header) {
+ header {
+ # disable FLoC tracking
+ Permissions-Policy interest-cohort=()
+
+ # enable HSTS
+ Strict-Transport-Security max-age=31536000;
+
+ # disable clients from sniffing the media type
+ X-Content-Type-Options nosniff
+
+ # clickjacking protection
+ X-Frame-Options DENY
+
+ # keep referrer data off of HTTP connections
+ Referrer-Policy no-referrer-when-downgrade
+
+ X-XSS-Protection 1
+
+ Content-Security-Policy default-src https:
+ }
+}
+
+{% for site in salt['pillar.get']('caddy:sites') %}
+{{ site }}
+{% endfor %}
+
diff --git a/caddy/init.sls b/caddy/init.sls
new file mode 100644
index 0000000..27b7d6f
--- /dev/null
+++ b/caddy/init.sls
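Review bot: `Content-Security-Policy default-src https:` inside the `header` block has three tokens, which Caddy's header directive reads as `<field> <find> <replace>` (a regex substitution on an existing header value), so on a response that carries no CSP yet nothing is set; the value needs quoting, `Content-Security-Policy "default-src https:"`. `X-XSS-Protection 1` turns on the legacy auditor that current browsers ignore, and the usual guidance today is `X-XSS-Protection 0` or dropping the line, while the HSTS value could carry `includeSubDomains` if all subdomains are served over TLS. The loop header `salt['pillar.get']('caddy:sites')` yields None when the pillar key is absent and then fails at render time; `salt['pillar.get']('caddy:sites', [])` keeps the template renderable on hosts without sites. The same content is committed twice, as Caddyfile.jinja and caddy/Caddyfile.jinja; only the latter is referenced by the state's `salt://caddy/Caddyfile.jinja`, so the root copy looks like a leftover.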
@@ -0,0 +1,20 @@
+{% if grains['os'] == 'Ubuntu' %}
+caddy repository available:
+ pkgrepo.managed:
+ - name: deb https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
+ - key_url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
+{% endif %}
+
+caddy installed:
+ pkg.installed:
+ - name: caddy
+
+caddy service running:
+ service.running:
+ - name: caddy
+
+write caddy config file:
+ file.managed:
+ - name: /etc/caddy/Caddyfile
+ - source: salt://caddy/Caddyfile.jinja
+ - template: jinja
diff --git a/init.sls b/init.sls
new file mode 100644
index 0000000..27b7d6f
--- /dev/null
+++ b/init.sls
@@ -0,0 +1,20 @@
+{% if grains['os'] == 'Ubuntu' %}
+caddy repository available:
+ pkgrepo.managed:
+ - name: deb https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
+ - key_url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
+{% endif %}
+
+caddy installed:
+ pkg.installed:
+ - name: caddy
+
+caddy service running:
+ service.running:
+ - name: caddy
+
+write caddy config file:
+ file.managed:
+ - name: /etc/caddy/Caddyfile
+ - source: salt://caddy/Caddyfile.jinja
+ - template: jinja
diff --git a/pillar.example b/pillar.example
new file mode 100644
index 0000000..01f7881
--- /dev/null
+++ b/pillar.example
@@ -0,0 +1,13 @@
+caddy:
+ sites:
+ - |
+ example.flipdot.org {
+ import header
+ respond "Hello World"
+ }
+
+ - |
+ testing.flipdot.org {
+ import header
+ reverse_proxy localhost:3000
+ }
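Review bot: `caddy service running` has no `watch` on `write caddy config file`, and the file state is declared after it, so a changed Caddyfile is written to disk but the running service is never reloaded and keeps serving the old configuration (including the old headers). The service should `watch` the file state and be `enable: True`d so it comes back after a reboot, and both the service and the file state should `require` `caddy installed` so /etc/caddy exists before the template is written; `pkg.installed` likewise has no explicit requisite on `caddy repository available`, which Salt's default file ordering happens to cover but is worth stating. The repository is only registered when `grains['os'] == 'Ubuntu'` although the path `.../deb/debian any-version main` is the vendor's shared Debian/Ubuntu repo, so `grains['os_family'] == 'Debian'` would cover both without changing the source. The same state is committed twice as caddy/init.sls and init.sls; `salt://caddy/Caddyfile.jinja` only resolves for the formula layout under caddy/, so the root copy appears to be a leftover.

```yaml
# … unchanged: repository and package states …
caddy service running:
  service.running:
    - name: caddy
    - enable: True
    - require:
      - pkg: caddy installed
    - watch:
      - file: write caddy config file

write caddy config file:
  file.managed:
    - name: /etc/caddy/Caddyfile
    - source: salt://caddy/Caddyfile.jinja
    - template: jinja
    - require:
      - pkg: caddy installed
```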