Deploy ansible configuration to created instances

ansible/ansible.cfg

@@ -0,0 +1,5 @@
+[defaults]
+remote_user=admin
+become=True
+roles_path=galaxy_roles/
+vault_password_file=./.vault_pass

ansible/galaxy_roles/caddy-ansible/.ansible-lint

@@ -0,0 +1,3 @@
+---
+skip_list:
+  - 'role-name'     # Role name caddy-ansible does not match `^[a-z][a-z0-9_]+$` pattern

ansible/galaxy_roles/caddy-ansible/.github/workflows/ci.yml

@@ -0,0 +1,49 @@
+---
+name: CI
+'on':
+  pull_request:
+  push:
+    branches:
+      - master
+  schedule:
+    - cron: "30 7 * * 3"
+
+defaults:
+  run:
+    working-directory: 'caddy_ansible.caddy_ansible'
+
+jobs:
+  molecule:
+    name: Molecule
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        distro:
+          - centos8
+          - centos7
+          - fedora29
+          - ubuntu2004
+          - ubuntu1804
+          - debian10
+          - debian9
+
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v2
+        with:
+          path: 'caddy_ansible.caddy_ansible'
+
+      - name: Set up Python 3.
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+
+      - name: Install test dependencies.
+        run: pip3 install ansible ansible-lint yamllint molecule[docker] pytest testinfra
+
+      - name: Run Molecule tests.
+        run: molecule test
+        env:
+          PY_COLORS: '1'
+          ANSIBLE_FORCE_COLOR: '1'
+          MOLECULE_DISTRO: ${{ matrix.distro }}

ansible/galaxy_roles/caddy-ansible/.gitignore

@@ -0,0 +1,4 @@
+.vagrant
+*.retry
+.molecule
+__pycache__/

ansible/galaxy_roles/caddy-ansible/.yamllint

@@ -0,0 +1,6 @@
+---
+extends: default
+rules:
+  line-length:
+    max: 120
+    level: warning

ansible/galaxy_roles/caddy-ansible/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Lorenz Bischof
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

ansible/galaxy_roles/caddy-ansible/README.md

@@ -0,0 +1,213 @@
+[![Build Status](https://travis-ci.org/caddy-ansible/caddy-ansible.svg?branch=master)](https://travis-ci.org/caddy-ansible/caddy-ansible)
+[![Galaxy Role](https://img.shields.io/badge/ansible--galaxy-caddy-blue.svg)](https://galaxy.ansible.com/caddy_ansible/caddy_ansible/)
+
+# Caddy Ansible Role
+
+<!-- toc -->
+
+- [Dependencies](#dependencies)
+- [Role Variables](#role-variables)
+  * [The Caddyfile](#the-caddyfile)
+  * [The OS to download caddy for](#the-os-to-download-caddy-for)
+  * [Auto update Caddy?](#auto-update-caddy)
+  * [Additional Available Packages](#additional-available-packages)
+  * [Use `setcap`?](#use-setcap)
+  * [Use systemd capabilities controls](#use-systemd-capabilities-controls)
+  * [Add additional environment variables](#add-additional-environment-variables)
+  * [Use additional CLI arguments](#use-additional-cli-arguments)
+  * [Use a GitHub OAuth token to request the list of caddy releases](#use-a-github-oauth-token-to-request-the-list-of-caddy-releases)
+- [Example Playbooks](#example-playbooks)
+- [Debugging](#debugging)
+- [Contributing](#contributing)
+
+<!-- tocstop -->
+
+This role installs and configures the caddy web server. The user can specify any http configuration parameters they wish to apply their site. Any number of sites can be added with configurations of your choice.
+
+## Dependencies
+
+None
+
+## Role Variables
+
+### The Caddyfile
+
+See [Caddyfile docs](https://caddyserver.com/docs/caddyfile). Notice the `|` used to include a multi-line string. You may set `caddy_conf_filename` to `config.json` to use json format.
+
+default:
+
+```yaml
+caddy_conf_filename: Caddyfile
+caddy_config: |
+  http://localhost:2020
+  respond "Hello, world!"
+```
+
+If you wish to use a template for the config you can do this:
+
+```yaml
+caddy_config: "{{ lookup('template', 'templates/Caddyfile.j2') }}"
+```
+
+### The OS to download caddy for
+
+default:
+
+```yaml
+caddy_os: linux
+```
+
+### Auto update Caddy?
+
+default:
+
+```yaml
+caddy_update: true
+```
+
+### Additional Available Packages
+
+Changing this variable will reinstall Caddy with the new packages if `caddy_update` is enabled. Check https://caddyserver.com/download for available packages.
+
+default:
+
+```yaml
+caddy_packages: []
+```
+
+### Use `setcap`?
+
+This allows Caddy to open a low port (under 1024 - e.g. 80, 443).
+
+default:
+
+```yaml
+caddy_setcap: true
+```
+
+### Use systemd capabilities controls
+
+default:
+
+```yaml
+caddy_systemd_capabilities_enabled: false
+caddy_systemd_capabilities: "CAP_NET_BIND_SERVICE"
+```
+
+NOTE: This feature requires systemd v229 or newer and might be needed in addition to `caddy_setcap: yes`.
+
+Supported:
+
+* Debian 9 (stretch)
+* Fedora 25
+* Ubuntu 16.04 (xenial)
+
+RHEL/CentOS has no release that supports systemd capability controls at this time.
+
+### Add additional environment variables
+
+Add environment variables to the systemd script.
+
+default:
+
+```yaml
+caddy_environment_variables: {}
+```
+
+Example usage:
+
+```yaml
+caddy_environment_variables:
+  FOO: bar
+  SECONDVAR: spam
+```
+
+### Use additional CLI arguments
+
+default:
+
+```yaml
+caddy_additional_args: ""
+```
+
+Example for LetsEncrypt staging:
+
+```yaml
+caddy_additional_args: "-ca https://acme-staging.api.letsencrypt.org/directory"
+```
+
+### Use a GitHub OAuth token to request the list of caddy releases
+
+This role uses the GitHub releases list to check when a new version is available. [GitHub has some fairly agressive rate-limiting](https://developer.github.com/v3/#rate-limiting) which can cause failures. You can set your GitHub token to increase the limits for yourself when running the role (e.g. if deploying many servers behind a NAT or running this role repeatedly as part of a CI process).
+
+default:
+
+```yaml
+caddy_github_token: ""
+```
+
+## Example Playbooks
+
+```yaml
+---
+- hosts: all
+  become: yes
+  roles:
+    - role: caddy_ansible.caddy_ansible
+      caddy_config: |
+        files.example.com
+        encode gzip
+        file_server browse {
+            root /home/caddy/
+        }
+```
+
+Example with DigitalOcean DNS for TLS:
+
+```yaml
+---
+- hosts: all
+  roles:
+    - role: caddy_ansible.caddy_ansible
+      caddy_environment_variables:
+        DO_AUTH_TOKEN: "your-token-here"
+      caddy_systemd_capabilities_enabled: true
+      caddy_systemd_network_dependency: false
+      caddy_packages: ["github.com/caddy-dns/lego-deprecated"]
+      caddy_config: |
+        nextcloud.example.com {
+            log
+
+            reverse_proxy http://localhost:8080 {
+                header_up Host {http.request.host}
+                header_up X-Real-IP {http.request.remote.host}
+                header_up X-Forwarded-For {http.request.remote.host}
+                header_up X-Forwarded-Port {http.request.port}
+                header_up X-Forwarded-Proto {http.request.scheme}
+            }
+
+            tls webmaster@example.com {
+                dns lego_deprecated digitalocean
+            }
+        }
+```
+
+## Debugging
+
+If the service fails to start you can figure out why by looking at the output of Caddy.
+
+```bash
+systemctl status caddy -l
+```
+
+If something doesn't seem right, open an issue!
+
+## Contributing
+
+Pull requests are welcome. Please test your changes beforehand with vagrant:
+
+```bash
+vagrant up
+vagrant provision   # (since it already provisioned there should be no changes here)
+vagrant destroy
+```

ansible/galaxy_roles/caddy-ansible/Vagrantfile

@@ -0,0 +1,49 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure(2) do |config|
+  config.vm.define "buster" do |buster|
+    buster.vm.box = "debian/buster64"
+  end
+
+  config.vm.define "bionic" do |bionic|
+    bionic.vm.box = "bento/ubuntu-18.04"
+  end
+
+  config.vm.define "focal" do |focal|
+    focal.vm.box = "bento/ubuntu-20.04"
+  end
+
+  config.vm.define "centos7" do |centos7|
+    centos7.vm.box = "bento/centos-7.6"
+  end
+
+  config.vm.define "fedora32" do |fedora32|
+    fedora32.vm.box = "bento/fedora-32"
+  end
+
+  config.vm.provision "ansible" do |ansible|
+    ansible.playbook = 'tests/playbook.yml'
+    ansible.verbose = true
+  end
+
+  $script = <<SCRIPT
+  # curl localhost and get the http response code
+  while ! curl -Is localhost:2020 -o /dev/null; do
+    sleep 1 && echo -n .
+  done
+  echo
+  http_code=$(curl --silent --head --output /dev/null -w '%{http_code}' localhost:2020)
+  case $http_code in
+    200|404) echo "$http_code | Server running" ;;
+    000)     echo "$http_code | Server not accessible!" >&2 ; exit 1 ;;
+    *)       echo "$http_code | Unknown http response code!" >&2 ; exit 1 ;;
+  esac
+SCRIPT
+
+  # Fix 'stdin: is not a tty' error
+  config.ssh.pty = true
+  config.vm.provision :shell, inline: $script
+
+  config.vm.synced_folder ".", "/vagrant", disabled: true
+end

ansible/galaxy_roles/caddy-ansible/ansible.cfg

@@ -0,0 +1,2 @@
+[defaults]
+roles_path=../

ansible/galaxy_roles/caddy-ansible/defaults/main.yml

@@ -0,0 +1,31 @@
+---
+# defaults file for caddy-ansible
+caddy_user: caddy
+caddy_home: /home/caddy
+caddy_packages: []
+caddy_update: true
+caddy_bin_dir: /usr/local/bin
+caddy_conf_dir: /etc/caddy
+caddy_conf_filename: Caddyfile
+caddy_github_token: ""
+caddy_log_dir: /var/log/caddy
+caddy_log_file: stdout
+caddy_certs_dir: /etc/ssl/caddy
+# additional cli args to pass to caddy
+caddy_additional_args: ""
+caddy_systemd_network_dependency: true
+caddy_systemd_capabilities_enabled: true
+caddy_systemd_capabilities: "CAP_NET_BIND_SERVICE"
+caddy_systemd_restart: "on-failure"   # always, on-success, on-failure, on-abnormal, on-abort, on-watchdog
+caddy_systemd_restart_startlimitinterval: "86400"
+caddy_systemd_restart_startlimitburst: "5"
+caddy_systemd_private_tmp: "true"
+caddy_systemd_private_devices: "true"
+# Disable this because the git module writes to ~/.ssh
+caddy_systemd_protect_home: "false"
+caddy_systemd_protect_system: "full"
+caddy_systemd_nproc_limit: 0
+caddy_setcap: true
+caddy_config: "{{ lookup('template', 'templates/Caddyfile.j2') }}"
+caddy_environment_variables: {}
+caddy_os: linux

ansible/galaxy_roles/caddy-ansible/handlers/main.yml

@@ -0,0 +1,12 @@
+---
+
+- name: Restart caddy
+  systemd:
+    daemon_reload: true
+    name: caddy
+    state: restarted
+
+- name: Reload caddy
+  systemd:
+    name: caddy
+    state: reloaded

ansible/galaxy_roles/caddy-ansible/meta/main.yml

@@ -0,0 +1,28 @@
+---
+galaxy_info:
+  author: caddy_ansible
+  role_name: caddy_ansible
+  description: Installs and configures a Caddy webserver
+  license: MIT
+  min_ansible_version: 2.0
+  platforms:
+    - name: EL
+      versions:
+        - 7
+        - 8
+    - name: Ubuntu
+      versions:
+        - bionic
+        - focal
+    - name: Debian
+      versions:
+        - stretch
+        - buster
+        - bullseye
+    - name: Fedora
+      versions:
+        - 29
+  galaxy_tags:
+    - system
+    - web
+dependencies: []

ansible/galaxy_roles/caddy-ansible/molecule/default/converge.yml

@@ -0,0 +1,16 @@
+---
+- name: Converge
+  hosts: all
+  roles:
+    - role: caddy_ansible.caddy_ansible
+  tasks:
+    - name: Ensure ss is installed (for testinfra)
+      yum:
+        name: iproute
+        state: present
+      when: ansible_distribution in ['CentOS', 'Red Hat Enterprise Linux', 'Fedora']
+    - name: Ensure ss is installed (for testinfra)
+      package:
+        name: iproute2
+        state: present
+      when: ansible_distribution not in ['CentOS', 'Red Hat Enterprise Linux', 'Fedora']

ansible/galaxy_roles/caddy-ansible/molecule/default/molecule.yml

@@ -0,0 +1,28 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: docker
+lint: |
+  set -e
+  yamllint .
+  ansible-lint
+platforms:
+  - name: instance
+    image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+    command: ${MOLECULE_DOCKER_COMMAND:-""}
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    privileged: true
+    pre_build_image: true
+provisioner:
+  name: ansible
+  playbooks:
+    converge: ${MOLECULE_PLAYBOOK:-converge.yml}
+  env:
+    ANSIBLE_ROLES_PATH: "../../.cache/roles"
+scenario:
+  name: default
+verifier:
+  name: testinfra
+  enabled: true

ansible/galaxy_roles/caddy-ansible/molecule/default/tests/test_default.py

@@ -0,0 +1,38 @@
+import os
+
+from testinfra.utils.ansible_runner import AnsibleRunner
+
+inventory = os.environ['MOLECULE_INVENTORY_FILE']
+testinfra_hosts = AnsibleRunner(inventory).get_hosts('all')
+
+
+def test_files(host):
+    dirs = [
+        "/etc/caddy",
+        "/var/log/caddy"
+    ]
+    for dir in dirs:
+        d = host.file(dir)
+        assert d.exists
+        assert d.is_directory
+
+
+def test_packages(host):
+    pkgs = []
+    for p in pkgs:
+        assert host.package(p).is_installed
+
+
+def test_service(host):
+    s = host.service("caddy")
+    assert s.is_enabled
+    assert s.is_running
+
+
+def test_socket(host):
+    sockets = [
+        "tcp://127.0.0.1:2020"
+    ]
+    for socket in sockets:
+        s = host.socket(socket)
+        assert s.is_listening

ansible/galaxy_roles/caddy-ansible/tasks/github-extract.yml

@@ -0,0 +1,21 @@
+---
+- name: Extract Caddy
+  unarchive:
+    src: "{{ caddy_home }}/caddy.tar.gz"
+    dest: "{{ caddy_home }}"
+    copy: false
+    mode: 0644
+    owner: "{{ caddy_user }}"
+    group: "{{ caddy_user_details.group }}"
+  when: caddy_binary_cache.changed
+  tags: skip_ansible_lint
+
+- name: Extract Caddy
+  unarchive:
+    src: "{{ caddy_home }}/caddy.tar.gz"
+    dest: "{{ caddy_home }}"
+    creates: "{{ caddy_home }}/caddy"
+    copy: false
+    mode: 0644
+    owner: "{{ caddy_user }}"
+    group: "{{ caddy_user_details.group }}"

ansible/galaxy_roles/caddy-ansible/tasks/github-url.yml

@@ -0,0 +1,22 @@
+---
+- name: Get latest Caddy release details
+  uri:
+    url: https://api.github.com/repos/caddyserver/caddy/releases/latest
+    return_content: true
+    headers: '{{ caddy_github_headers }}'
+  register: latest_caddy_release
+
+- name: Set Caddy tag
+  set_fact:
+    caddy_tag: "{{ (latest_caddy_release.content | from_json).get('tag_name') }}"
+
+- name: Set Caddy version
+  set_fact:
+    caddy_version: "{{ caddy_tag | regex_replace('^v', '') }}"
+
+- name: Set Caddy urls
+  set_fact:
+    caddy_url: "https://github.com/caddyserver/caddy/releases/download/\
+                {{ caddy_tag }}/caddy_{{ caddy_version }}_{{ caddy_os }}_{{ go_arch }}.tar.gz"
+    caddy_checksum_url: "sha512:https://github.com/caddyserver/caddy/releases/download/\
+                         {{ caddy_tag }}/caddy_{{ caddy_version }}_checksums.txt"

ansible/galaxy_roles/caddy-ansible/tasks/main.yml

@@ -0,0 +1,143 @@
+---
+- include: preflight.yml
+- include: packages-{{ ansible_pkg_mgr }}.yml
+
+- name: Create Caddy user
+  user:
+    name: "{{ caddy_user }}"
+    group: "{{ group }}"
+    system: true
+    createhome: true
+    home: "{{ caddy_home }}"
+    shell: /bin/bash
+  register: caddy_user_details
+  become: yes
+
+- name: Build headers to use when making requests to github
+  set_fact:
+    caddy_github_headers: "{{ caddy_github_headers | combine({'Authorization': 'token ' + caddy_github_token}) }}"
+  when: caddy_github_token | length > 0
+
+- name: Get all Caddy releases
+  get_url:
+    url: https://api.github.com/repos/caddyserver/caddy/git/refs/tags
+    dest: "{{ caddy_home }}/releases.txt"
+    force: true
+    headers: '{{ caddy_github_headers }}'
+    owner: "{{ caddy_user }}"
+    group: "{{ caddy_user_details.group }}"
+  retries: 3
+  delay: 2
+  when: caddy_update
+  register: caddy_releases_cache
+  become: yes
+
+- name: Set Caddy features
+  copy:
+    content: "{{ ','.join(caddy_packages) }}"
+    dest: "{{ caddy_home }}/features.txt"
+    mode: 0640
+    owner: "{{ caddy_user }}"
+    group: "{{ caddy_user_details.group }}"
+  when: caddy_update
+  register: caddy_features_cache
+  become: yes
+
+- include: github-url.yml
+  when: caddy_use_github
+
+- name: Download Caddy
+  get_url:
+    url: "{{ caddy_url }}"
+    checksum: "{{ caddy_checksum_url | default(omit) }}"
+    dest: "{{ caddy_home }}/{{ 'caddy.tar.gz' if caddy_use_github else 'caddy' }}"
+    force: true
+    timeout: 300
+    mode: 0644
+    owner: "{{ caddy_user }}"
+    group: "{{ caddy_user_details.group }}"
+  retries: 3
+  delay: 2
+  when: caddy_releases_cache.changed or caddy_features_cache.changed
+  register: caddy_binary_cache
+  tags: skip_ansible_lint
+  become: yes
+
+- name: Download Caddy
+  get_url:
+    url: "{{ caddy_url }}"
+    checksum: "{{ caddy_checksum_url | default(omit) }}"
+    dest: "{{ caddy_home }}/{{ 'caddy.tar.gz' if caddy_use_github else 'caddy' }}"
+    timeout: 300
+    mode: 0644
+    owner: "{{ caddy_user }}"
+    group: "{{ caddy_user_details.group }}"
+  retries: 3
+  delay: 2
+  register: caddy_download
+  tags: skip_ansible_lint
+  become: yes
+
+- include: github-extract.yml
+  when: caddy_use_github
+
+- name: Copy Caddy Binary
+  copy:
+    src: "{{ caddy_home }}/caddy"
+    dest: "{{ caddy_bin }}"
+    mode: 0755
+    remote_src: true
+  notify:
+    - Restart caddy
+
+- name: Create directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ caddy_user }}"
+    mode: 0770
+  with_items:
+    - "{{ caddy_conf_dir }}"
+    - "{{ caddy_certs_dir }}"
+
+- name: Create log directory
+  file:
+    path: "{{ caddy_log_dir }}"
+    state: directory
+    owner: "{{ caddy_user }}"
+    mode: 0775
+
+- name: Create caddy config
+  copy:
+    content: "{{ caddy_config }}"
+    dest: "{{ caddy_conf_dir }}/{{ caddy_conf_filename }}"
+    owner: "{{ caddy_user }}"
+    mode: 0640
+  notify:
+    - Reload caddy
+
+- name: Template systemd service
+  template:
+    src: caddy.service
+    dest: /etc/systemd/system/caddy.service
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - Restart caddy
+
+- name: Set capability on the binary file to be able to bind to TCP port <1024
+  capabilities:
+    path: "{{ caddy_bin }}"
+    capability: cap_net_bind_service+eip
+    state: present
+  when: caddy_setcap
+
+- name: Ensue caddy service is up-to-date before starting it
+  meta: flush_handlers
+
+- name: Start Caddy service
+  systemd:
+    name: caddy
+    state: started
+    enabled: true

ansible/galaxy_roles/caddy-ansible/tasks/packages-apt.yml

@@ -0,0 +1,18 @@
+---
+
+- name: Update cache
+  apt:
+    update_cache: true
+    cache_valid_time: 43200   # 12 hours
+
+# This is required because it provides the /bin/kill binary used in the service file
+- name: Install procps
+  apt:
+    name: procps
+    state: present
+
+- name: Install libcap
+  apt:
+    name: libcap2-bin
+    state: present
+  when: caddy_setcap

ansible/galaxy_roles/caddy-ansible/tasks/packages-dnf.yml

@@ -0,0 +1 @@
+---

ansible/galaxy_roles/caddy-ansible/tasks/packages-pacman.yml

@@ -0,0 +1 @@
+---

ansible/galaxy_roles/caddy-ansible/tasks/packages-yum.yml

@@ -0,0 +1 @@
+---

ansible/galaxy_roles/caddy-ansible/tasks/preflight.yml

@@ -0,0 +1,17 @@
+---
+- name: Assert usage of systemd as an init system
+  assert:
+    that: ansible_service_mgr == 'systemd'
+    msg: "This module only works with systemd"
+
+- name: Get systemd version
+  command: systemctl --version
+  changed_when: false
+  check_mode: false
+  register: __systemd_version
+  tags:
+    - skip_ansible_lint
+
+- name: Set systemd version fact
+  set_fact:
+    caddy_systemd_version: "{{ __systemd_version.stdout_lines[0].split(' ')[1] }}"

ansible/galaxy_roles/caddy-ansible/templates/Caddyfile.j2

@@ -0,0 +1,2 @@
+http://localhost:2020
+respond "Hello, world!"

ansible/galaxy_roles/caddy-ansible/templates/caddy.service

@@ -0,0 +1,73 @@
+{{ ansible_managed | comment(decoration="; ") }}
+; source: https://github.com/mholt/caddy/blob/master/dist/init/linux-systemd/caddy.service
+; version: 6be0386
+; changes: Set variables via Ansible
+
+[Unit]
+Description=Caddy HTTP/2 web server
+Documentation=https://caddyserver.com/docs
+After=network-online.target
+{% if caddy_systemd_network_dependency == true %}
+Wants=network-online.target systemd-networkd-wait-online.service
+{% endif %}
+{% if caddy_systemd_version | int >= 230 %}
+StartLimitIntervalSec={{ caddy_systemd_restart_startlimitinterval }}
+StartLimitBurst={{ caddy_systemd_restart_startlimitburst }}
+{% endif %}
+
+[Service]
+Restart={{ caddy_systemd_restart }}
+{% if caddy_systemd_version | int < 230 %}
+StartLimitInterval={{ caddy_systemd_restart_startlimitinterval }}
+StartLimitBurst={{ caddy_systemd_restart_startlimitburst }}
+{% endif %}
+
+; User and group the process will run as.
+User={{ caddy_user }}
+Group={{ group }}
+
+; Letsencrypt-issued certificates will be written to this directory.
+Environment=CADDYPATH={{ caddy_certs_dir }}
+
+ExecStart="{{ caddy_bin_dir }}/caddy" run --environ --config "{{ caddy_conf_dir }}/{{ caddy_conf_filename }}" {{ caddy_additional_args }}
+ExecReload="{{ caddy_bin_dir }}/caddy" reload --config "{{ caddy_conf_dir }}/{{ caddy_conf_filename }}"
+
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+{% if caddy_systemd_nproc_limit > 0 %}
+; Limit the number of caddy threads.
+LimitNPROC={{ caddy_systemd_nproc_limit }}
+{% endif %}
+
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp={{ caddy_systemd_private_tmp }}
+; Use a minimal /dev
+PrivateDevices={{ caddy_systemd_private_devices }}
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome={{ caddy_systemd_protect_home }}
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem={{ caddy_systemd_protect_system }}
+; … except {{ caddy_certs_dir }}, because we want Letsencrypt-certificates there.
+;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+ReadWriteDirectories={{ caddy_certs_dir }} {{ caddy_log_dir }}
+
+{% if caddy_systemd_capabilities_enabled %}
+; The following additional security directives only work with systemd v229 or later.
+; They further retrict privileges that can be gained by caddy.
+; Note that you may have to add capabilities required by any plugins in use.
+CapabilityBoundingSet={{ caddy_systemd_capabilities }}
+AmbientCapabilities={{ caddy_systemd_capabilities }}
+NoNewPrivileges=true
+
+{% endif %}
+{% if caddy_environment_variables|length %}
+
+; Additional environment variables:
+
+{% for key, value in caddy_environment_variables.items() %}
+Environment={{ key }}={{ value }}
+{% endfor %}
+
+{% endif %}
+[Install]
+WantedBy=multi-user.target

ansible/galaxy_roles/caddy-ansible/tests/inventory

@@ -0,0 +1 @@
+localhost

ansible/galaxy_roles/caddy-ansible/tests/playbook.yml

@@ -0,0 +1,8 @@
+---
+- hosts: all
+  become: true
+  tasks:
+    - name: Install curl
+      package: name=curl state=present
+  roles:
+    - caddy_ansible.caddy_ansible

ansible/galaxy_roles/caddy-ansible/vars/main.yml

@@ -0,0 +1,27 @@
+---
+# vars file for caddy-ansible
+caddy_github_headers: {}
+
+go_arch_map:
+  i386: '386'
+  x86_64: 'amd64'
+  aarch64: 'arm64'
+  armv7l: 'armv7'
+  armv6l: 'armv6'
+
+go_arch: "{{ go_arch_map[ansible_architecture] | default(ansible_architecture) }}"
+
+caddy_bin: "{{ caddy_bin_dir }}/caddy"
+
+caddy_arch_param_map:
+  armv7l: 'arch=arm&arm=7'
+  armv6l: 'arch=arm&arm=6'
+
+caddy_arch_param: "{{ caddy_arch_param_map[ansible_architecture] | default('arch=' + go_arch) }}"
+
+caddy_url: "https://caddyserver.com/api/download?os={{ caddy_os }}&{{ caddy_arch_param }}\
+           {% for pkg in caddy_packages %}\
+           &p={{ pkg | urlencode() }}\
+           {% endfor %}"
+
+caddy_use_github: "{{ caddy_packages == [] }}"

ansible/galaxy_roles/jekyll-site/README.md

@@ -0,0 +1,20 @@
+Jekyll Site Configuration
+==============
+
+This role automates the configuration for Jekyll static sites on Ubuntu20 instances. Ruby is installed to support the use of Jekyll. Bundler is installed to support the use of Capistrano for deploys.
+
+Use `deploy_dirs` to set the directory for deploys.
+
+Role Variables
+--------
+
+        site_name: "example-site"       # Name of the static-site (no spaces).
+        deploy_dirs:                    # List of deploy directories to create.
+          - "/srv/{{ site_name }}/"
+        deploy_user: "jekyll"           # User for deploys.
+        deploy_group: "jekyll"          # Group of deploy user.
+
+        ruby_version: "2.7"             # The version of Ruby to install. (v2.3 -> 2.7)
+        bundler_version: "2.1.4"        # The Bundler version.
+
+        ssh_keys: []                    # SSH Key for deploy user access.

ansible/galaxy_roles/jekyll-site/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+# site_name: "example-site"
+# deploy_dirs: 
+#   - "/srv/{{ site_name }}/"
+#   # - "/srv/{{ site_name }}-staging/"
+# deploy_user: "jekyll"
+# deploy_group: "jekyll"
+
+# ruby_version: "2.7"
+# bundler_version: "2.1.4"
+
+# ssh_keys: []

ansible/galaxy_roles/jekyll-site/meta/main.yml

@@ -0,0 +1,13 @@
+galaxy_info:
+  author: James Lavender
+  description: Installation of Ruby and Jekyll for Static Site generation.
+  license: MIT
+  min_ansible_version: 2.1
+  platforms:
+  - name: Ubuntu
+    version:
+      - 18.04
+      - 20.04
+  galaxy_tags:
+    - jekyll
+    - static_sites

ansible/galaxy_roles/jekyll-site/tasks/dependencies.yml

@@ -0,0 +1,12 @@
+---
+- name: jekyll_site | Dependencies | Install additional packages
+  apt:
+    name: "{{ item }}"
+    state: present
+    update_cache: yes
+  loop:
+    - build-essential
+    - zlib1g-dev
+    - git
+    - nmap
+  become: yes

ansible/galaxy_roles/jekyll-site/tasks/deploy_user.yml

@@ -0,0 +1,41 @@
+---
+- name: jekyll_site | Deploy User | Ensure deploy group exists
+  group:
+    name: "{{ deploy_group }}"
+    state: present
+  become: yes
+
+- name: jekyll_site | Deploy User | Allow deploy group to have passwordless sudo
+  lineinfile:
+    dest: /etc/sudoers
+    state: present
+    regexp: '^%{{ deploy_group }}'
+    line: '%{{ deploy_group }} ALL=(ALL) NOPASSWD: ALL'
+    validate: 'visudo -cf %s'
+  become: yes
+
+- name: jekyll_site | Deploy User | Ensure deploy user exists.
+  user:
+    name: "{{ deploy_user }}"
+    group: "{{ deploy_group }}"
+    state: present
+    create_home: yes
+    shell: /bin/bash
+  become: yes
+
+- name: jekyll_site | Deploy User | Ensure admin user ssh directory exists
+  file:
+    path: "/home/{{ deploy_user }}/.ssh/"
+    state: directory
+    owner: "{{ deploy_user }}"
+    group: "{{ deploy_group }}"
+    mode: 0700
+  become: yes
+
+- name: jekyll_site | Deploy User | Add SSH keys to admin user
+  authorized_key:
+    user: "{{ deploy_user }}"
+    state: present
+    key: "{{ item.key }}"
+  with_items: "{{ ssh__keys }}"
+  become: yes

ansible/galaxy_roles/jekyll-site/tasks/install_ruby.yml

@@ -0,0 +1,48 @@
+---
+- name: jekyll_site | Install Ruby | Add brightbox PPA
+  apt_repository:
+    repo: 'ppa:brightbox/ruby-ng'
+  become: yes
+
+- name: jekyll_site | Install Ruby | Install Ruby
+  apt:
+    name: "ruby{{ ruby_version }}"
+    state: present
+    update_cache: yes
+  become: yes
+
+- name: jekyll_site | Install Ruby | Install Ruby Development headers
+  apt:
+    name: "ruby{{ ruby_version }}-dev"
+    state: present
+    update_cache: yes
+  become: yes
+
+- name: jekyll_site | Install Ruby | Install bundler
+  gem:
+    name: bundler
+    version: "{{ bundler_version }}"
+    state: present
+    include_dependencies: True
+    # user_install: False
+  become: yes
+
+- name: jekyll_site | Install Ruby | Install bundle
+  gem:
+    name: bundle
+    state: present
+    include_dependencies: True
+    user_install: False
+  become: yes
+
+- name: jekyll_site | Install Ruby | Update ruby alternatives
+  alternatives:
+    name: ruby
+    path: "/usr/bin/ruby{{ ruby_version }}"
+  become: yes
+
+- name: jekyll_site | Install Ruby | Update Gem alternatives
+  alternatives:
+    name: gem
+    path: "/usr/bin/gem{{ ruby_version }}"
+  become: yes

ansible/galaxy_roles/jekyll-site/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- include_tasks: dependencies.yml
+- include_tasks: deploy_user.yml
+- include_tasks: install_ruby.yml
+
+- name: Install jekyll
+  gem:
+    name: jekyll
+    state: present
+    include_dependencies: True
+    user_install: False
+  become: yes
+
+- name: Setup deploy directories
+  file:
+    state: directory
+    path: "{{ item }}"
+    owner: "{{ deploy_user }}"
+    group: "{{ deploy_group }}"
+    mode: 0755
+  with_items: "{{ deploy_dirs }}"
+  become: yes

ansible/galaxy_roles/linode-preflight/README.md

@@ -0,0 +1,2 @@
+# Linode-Preflight
+A set of Ansible tasks for preflighting a Linode instance.

ansible/galaxy_roles/linode-preflight/defaults/main.yml

@@ -0,0 +1,17 @@
+---
+# Preflight
+preflight__timezone: UTC
+
+# Firewall
+firewall__ssh_rule: limit
+
+# User
+user: "ops"
+group: "ops"
+
+# SSH Config
+ssh__port: 8822
+ssh__password_authentication: "no"
+ssh__address_family: "inet"
+
+ssh__keys: []

ansible/galaxy_roles/linode-preflight/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart sshd
+  service:
+    name: sshd
+    state: restarted
+  become: yes

ansible/galaxy_roles/linode-preflight/meta/main.yml

@@ -0,0 +1,9 @@
+galaxy_info:
+  author: James Lavender
+  description: A set of preflight tasks for any Linode Instance.
+  license: GPLv3
+  min_ansible_version: 1.2
+  galaxy-tags:
+    - linode-preflight
+
+dependencies: []

ansible/galaxy_roles/linode-preflight/tasks/add_user.yml

@@ -0,0 +1,40 @@
+---
+- name: linode_preflight | add_user | Add admin group
+  group:
+    name: "{{ group }}"
+    state: present
+
+- name: linode_preflight | add_user | Allow admin group to have passwordless sudo
+  lineinfile:
+    dest: /etc/sudoers
+    state: present
+    regexp: '^%{{ group }}'
+    line: '%{{ group }} ALL=(ALL) NOPASSWD: ALL'
+    validate: 'visudo -cf %s'
+  become: yes
+
+- name: linode_preflight | add_user | Add admin user
+  user:
+    name: "{{ user }}"
+    group: "{{ group }}"
+    state: present
+    create_home: yes
+    shell: /bin/bash
+  become: yes
+
+- name: linode_preflight | add_user | Ensure admin user ssh directory exists
+  file:
+    path: "/home/{{ user }}/.ssh/"
+    state: directory
+    owner: "{{ user }}"
+    group: "{{ group }}"
+    mode: 0700
+  become: yes
+
+- name: linode_preflight | add_user | Add SSH keys to admin user
+  authorized_key:
+    user: "{{ user }}"
+    state: present
+    key: "{{ item.key }}"
+  with_items: "{{ ssh__keys }}"
+  become: yes

ansible/galaxy_roles/linode-preflight/tasks/ansible_dependencies.yml

@@ -0,0 +1,9 @@
+---
+- name: linode-preflight | ansible dependencies | Install Python
+  raw: test -e /usr/bin/python || (sudo apt-get -y update && sudo apt-get install -y python2-minimal)
+  register: common__pyout
+  become: yes
+  changed_when:
+    - False
+    - common__pyout.stdout != ""
+    - common__pyout.stderr != "\r\n"

ansible/galaxy_roles/linode-preflight/tasks/firewall.yml

@@ -0,0 +1,49 @@
+---
+- name: linode_preflight | firewall | install ufw
+  apt:
+    pkg: ufw
+    state: present
+  become: yes
+
+- name: linode_preflight | firewall | Open ssh port
+  ufw:
+    state: enabled
+    rule: "{{ firewall__ssh_rule }}"
+    port: "{{ item }}"
+    proto: tcp
+  loop:
+    - 22
+    - 8822
+  become: yes
+
+- name: linode_preflight | firewall | deny all incoming connections
+  ufw:
+    state: enabled
+    policy: deny
+    direction: incoming
+  become: yes
+
+- name: linode_preflight | firewall | allow all outgoing connections
+  ufw:
+    state: enabled
+    policy: allow
+    direction: outgoing
+  become: yes
+
+- name: linode_preflight | firewall | allow all connections from localhost
+  ufw:
+    state: enabled
+    from: "127.0.0.1"
+    rule: allow
+    proto: any
+  become: yes
+
+- name: linode_preflight | firewall | Copy SSH config
+  template:
+    src: "etc/ssh/sshd_config.j2"
+    dest: "/etc/ssh/sshd_config"
+    mode: 0644
+    validate: '/usr/sbin/sshd -t -f %s'
+  become: yes
+  notify: restart sshd
+

ansible/galaxy_roles/linode-preflight/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+- include_tasks: ansible_dependencies.yml
+- include_tasks: preflight.yml
+- include_tasks: add_user.yml
+- include_tasks: firewall.yml # Always run last. Then swap Ansible user.

ansible/galaxy_roles/linode-preflight/tasks/oh-my-bash.yml

@@ -0,0 +1,12 @@
+---
+- name: linode_preflight | ohmybash | Install dependency
+  apt:
+    pkg: curl
+    state: present
+  become: yes
+
+- name: linode_preflight | ohmybash | Install OhMyBash
+  shell:
+    cmd: bash -c "$(curl -fsSL https://raw.githubusercontent.com/ohmybash/oh-my-bash/master/tools/install.sh)"
+  become: yes
+  become_user: "{{ user }}"

ansible/galaxy_roles/linode-preflight/tasks/preflight.yml

@@ -0,0 +1,27 @@
+---
+- name: linode_preflight | preflight | install ntp
+  apt:
+    name: ntp
+    state: present
+  become: yes
+
+- name: linode_preflight | preflight | ensure ntp is running on boot
+  service:
+    name: ntp
+    state: started
+    enabled: yes
+  become: yes
+
+- name: linode_preflight | preflight | Set Timezone
+  timezone:
+    name: "{{ preflight__timezone }}"
+  become: yes
+
+- name: linode_preflight | preflight | copy 10periodic unattended upgrades
+  template:
+    src: "etc/apt/apt.conf.d/10periodic.j2"
+    dest: "/etc/apt/apt.conf.d/10periodic"
+    owner: root
+    group: root
+    mode: 0644
+  become: yes

ansible/galaxy_roles/linode-preflight/templates/etc/apt/apt.conf.d/10periodic.j2

@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+APT::Periodic::Download-Upgradeable-Packages "0";
+APT::Periodic::AutocleanInterval "0";

ansible/galaxy_roles/linode-preflight/templates/etc/ssh/sshd_config.j2

@@ -0,0 +1,123 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+Port {{ ssh__port }}
+AddressFamily {{ ssh__address_family }}
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+PasswordAuthentication {{ ssh__password_authentication }}
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server

ansible/inventories/common/group_vars/all/main.yml

@@ -0,0 +1,10 @@
+---
+ruby_version: '2.7'
+bundler_version: '2.1.4'
+
+ssh__keys:
+  - key: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDLNjy5+2zBjT4cHUNzWeoCoQYi8y+7AHQJr+2cAfw+S+q7JWlx00L3XAp3mINARcJyRxVb4TypiTV3vX55cwAz2eYmzyYBQfDCorNq+26iNs9pF/SwEq1nHhM0MtVu7w9v2kizVFMP/aYN3kcUaTM0hGNQ5OqNy/1by91zei/wsieXjxj18OiThWD77oSoxZrejxrPTZRcxL4aPgeEbJqsXtvBvPBjhLF7s4EvmPfzb0N/hYaQOwXDhLOU576yN/6TgnGkSazsVIkZRO67qVAlZAJs4VOlm7x1t/9cwLhwjDUqj9x+nIVh/Cr62jvn8aQVS9SO69rbkzf8lhSaVbgQ/Yi/lqbOQJ8gc0RKhcJwz2TltaY9piaVOSgiIW7sqWfcnwWohs2C+YS0F6qN8Nor897dWONbwRCvp52b6u0mqf3DEUIlWoDopVbkVgSg08uOoswJ/mum/6Xn+SN+zsL2y+32UlbE3gQRL/WUh7hzN+XVupBwijgQXgcfN2t5UgspiAIpup0Po+I/enbNdiZ/rAlhr8wX0NetTYr2rrHNzzV74HjnXjjUo72zaeMk9rPseL4FgnL8F7BBnuctW5tApjmA3AB5VBD7GbTQLRXg1kYBxujiQTSAQulpm7ezKz3PgUsUOg5IYAQYa1Bye2bit4ayNKWMM2iXGLfSkTYluw==
+
+# Defaults
+user: "ops"
+group: "oper"

ansible/inventories/production/group_vars/all/common-main.yml

@@ -0,0 +1 @@
+../../../common/group_vars/all/main.yml

ansible/inventories/production/group_vars/all/main.yml

@@ -0,0 +1,14 @@
+---
+# Website/Blog settings
+domain: "example.com"
+staging_domain: "staging.example.com"
+site_name: "example"
+
+# Defaults
+deploy_dirs: 
+  - "/srv/{{ site_name }}"
+  - "/srv/{{ site_name }}-staging"
+
+deploy_user: "jekyll"
+deploy_group: "jekyll"
+

ansible/inventories/production/hosts

@@ -0,0 +1,7 @@
+[all:vars]
+ansible_port=22
+ansible_user=root
+
+[jekyll_site]
+#45.79.216.88
+#45.79.216.70

ansible/requirements.yml

@@ -0,0 +1,9 @@
+---
+- src: git+ssh://gitea@git.jameslavender.com:8822/jameslavender/linode-preflight.git
+  name: linode-preflight
+
+- src: git+ssh://git@github.com/caddy-ansible/caddy-ansible.git
+  name: caddy-ansible
+
+- src: git+ssh://gitea@git.jameslavender.com:8822/jameslavender/jekyll_site-ansible.git
+  name: jekyll-site

ansible/roles/web-server/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: reload_caddy
+  service:
+    name: caddy
+    state: reloaded
+  become: yes

ansible/roles/web-server/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: web_server | Write Caddyfile and restart Caddy
+  template:
+    src: "etc/caddy/Caddyfile.j2"
+    dest: "/etc/caddy/Caddyfile"
+    owner: caddy
+    group: "{{ group }}"
+    mode: 0644
+  become: yes
+  notify: 
+    - reload_caddy
+
+- name: web_server | Allow Internet traffic
+  ufw:
+    rule: allow
+    port: "{{ item }}"
+    proto: tcp
+  become: yes
+  loop:
+    - '80'
+    - '443'

ansible/roles/web-server/templates/etc/caddy/Caddyfile.j2

@@ -0,0 +1,26 @@
+{{ domain }} {
+    root * /srv/{{ site_name }}/current/_site
+    file_server
+
+    log {
+        output file /var/log/caddy/{{ domain }}.access.log {
+        	roll_size 3MiB
+	        roll_keep 5
+	        roll_keep_for 48h
+        }
+        format console
+    }
+}
+{{ staging_domain }} {
+    root * /srv/{{ site_name }}-staging/current/_site
+    file_server
+
+    log {
+        output file /var/log/caddy/{{ domain }}.access.log {
+        	roll_size 3MiB
+	        roll_keep 5
+	        roll_keep_for 48h
+        }
+        format console
+    }
+}

ansible/site.yml

@@ -0,0 +1,18 @@
+---
+- hosts: all
+  gather_facts: true
+  roles:
+    - linode-preflight
+    - caddy-ansible
+    - jekyll-site
+    - web-server
+  tasks:
+    - name: clean-up | Close now unneeded firewall ports.
+      ufw:
+        rule: allow
+        port: "{{ item }}"
+        proto: tcp
+        delete: yes
+      become: yes
+      loop:
+        - '22'