From 6c71d96f8134edb481d6b6bd920e9e6ee655de30 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 12 Aug 2024 18:27:41 -0500
Subject: [PATCH] r/frigate-caddy: Deploy Caddy in front of Frigate

Deploying Caddy as a reverse proxy for Frigate enables HTTPS with a certificate issued by the internal CA (via ACME) and authentication via Authelia.

Separating the installation and base configuratieon of Caddy into its own role will allow us to reuse that part for other sapplications that use Caddy for similar reasons.
---
frigate.yml | 2 +
group_vars/frigate.yml | 9 +++++
roles/caddy/files/Caddyfile | 1 +
roles/caddy/handlers/main.yml | 4 ++
roles/caddy/tasks/main.yml | 47 ++++++++++++++++++++++
roles/frigate-caddy/defaults/main.yml | 1 +
roles/frigate-caddy/meta/main.yml | 3 ++
roles/frigate-caddy/tasks/main.yml | 11 +++++
roles/frigate-caddy/templates/Caddyfile.j2 | 23 +++++++++++
9 files changed, 101 insertions(+)
create mode 100644 group_vars/frigate.yml
create mode 100644 roles/caddy/files/Caddyfile
create mode 100644 roles/caddy/handlers/main.yml
create mode 100644 roles/caddy/tasks/main.yml
create mode 100644 roles/frigate-caddy/defaults/main.yml
create mode 100644 roles/frigate-caddy/meta/main.yml
create mode 100644 roles/frigate-caddy/tasks/main.yml
create mode 100644 roles/frigate-caddy/templates/Caddyfile.j2
diff --git a/frigate.yml b/frigate.yml
index 800848e..176425d 100644
--- a/frigate.yml
+++ b/frigate.yml
@@ -4,3 +4,5 @@
 tags: gasket-dkms
 - role: frigate
 tags: frigate
+ - role: frigate-caddy
+ tags: frigate-caddy
diff --git a/group_vars/frigate.yml b/group_vars/frigate.yml
new file mode 100644
index 0000000..05c9126
--- /dev/null
+++ b/group_vars/frigate.yml
@@ -0,0 +1,9 @@
+# vim: set ft=yaml.jinja :
+
+frigate_caddy_forward_auth:
+ url: https://auth.pyrocufflink.blue
+ path: /api/verify
+ location: '?rd=https://{{ frigate_caddy_server_name }}'
+frigate_caddy_acme:
+ email: frigate@pyrocufflink.blue
+ url: https://ca.pyrocufflink.blue/acme/acme/directory
diff --git a/roles/caddy/files/Caddyfile b/roles/caddy/files/Caddyfile
new file mode 100644
index 0000000..644d82b
--- /dev/null
+++ b/roles/caddy/files/Caddyfile
@@ -0,0 +1 @@
+import Caddyfile.d/*.caddyfile
diff --git a/roles/caddy/handlers/main.yml b/roles/caddy/handlers/main.yml
new file mode 100644
index 0000000..e4c3a6f
--- /dev/null
+++ b/roles/caddy/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: reload caddy
+ service:
+ name: caddy
+ state: reloaded
diff --git a/roles/caddy/tasks/main.yml b/roles/caddy/tasks/main.yml
new file mode 100644
index 0000000..ab37b0e
--- /dev/null
+++ b/roles/caddy/tasks/main.yml
@@ -0,0 +1,47 @@
+- name: ensure caddy is installed
+ package:
+ name: caddy
+ state: present
+ tags:
+ - install
+
+- name: ensure base caddy configuration is set
+ copy:
+ src: Caddyfile
+ dest: /etc/caddy/Caddyfile
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload caddy
+ tags:
+ - config
+
+- name: ensure firewall is configured for caddy
+ firewalld:
+ service: '{{ item }}'
+ permanent: true
+ immediate: true
+ state: enabled
+ when: host_uses_firewalld|d(true)
+ loop:
+ - http
+ - https
+ tags:
+ - firewalld
+
+- name: flush handlers
+ meta: flush_handlers
+
+- name: ensure caddy starts at boot
+ service:
+ name: caddy
+ enabled: true
+ tags:
+ - service
+- name: ensure caddy is running
+ service:
+ name: caddy
+ state: started
+ tags:
+ - service
diff --git a/roles/frigate-caddy/defaults/main.yml b/roles/frigate-caddy/defaults/main.yml
new file mode 100644
index 0000000..4182b9d
--- /dev/null
+++ b/roles/frigate-caddy/defaults/main.yml
@@ -0,0 +1 @@
+frigate_caddy_server_name: frigate.{{ ansible_domain }}
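Review bot: The `location` value `'?rd=https://{{ frigate_caddy_server_name }}'` sends every unauthenticated user back to the site root after login, so a deep link into Frigate is lost; if the Authelia version in use accepts it, Caddy placeholders such as `{scheme}://{host}{uri}` in the `rd` parameter would preserve the originally requested page (the value is not URL-encoded here, so check how Authelia parses it before relying on that). The template in this patch builds the redirect target as `{{ url }}{{ location }}` with no separator, so `url` must stay free of a trailing path for the concatenation to make sense. A short comment above `frigate_caddy_forward_auth` saying that `url`/`path` point at Authelia's `/api/verify` endpoint and that `location` is appended verbatim to `url` would make that coupling visible to whoever edits these values next.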
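Review bot: The base Caddyfile installed by the `copy` task imports `Caddyfile.d/*.caddyfile`, but no task in this role ensures `/etc/caddy/Caddyfile.d` exists; if the distribution's caddy package does not ship that directory (I cannot tell from here), the `template` task in roles/frigate-caddy fails on a missing parent directory. A `file` task creating the directory before the `copy` task would make the role self-contained and independent of packaging details. It also documents the layout contract the dependent roles rely on, so I would add `# fragments dropped here are picked up by the import in Caddyfile` above it.

```yaml
- name: ensure caddy configuration directory exists
  file:
    path: /etc/caddy/Caddyfile.d
    state: directory
    owner: root
    group: root
    mode: u=rwx,go=rx
  tags:
    - config

# … unchanged: ensure base caddy configuration is set …
```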
diff --git a/roles/frigate-caddy/meta/main.yml b/roles/frigate-caddy/meta/main.yml
new file mode 100644
index 0000000..e278138
--- /dev/null
+++ b/roles/frigate-caddy/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+- role: caddy
+ tags: caddy
diff --git a/roles/frigate-caddy/tasks/main.yml b/roles/frigate-caddy/tasks/main.yml
new file mode 100644
index 0000000..5791b65
--- /dev/null
+++ b/roles/frigate-caddy/tasks/main.yml
@@ -0,0 +1,11 @@
+- name: ensure caddy is configured to proxy for frigate
+ template:
+ src: Caddyfile.j2
+ dest: /etc/caddy/Caddyfile.d/frigate.caddyfile
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload caddy
+ tags:
+ - config
diff --git a/roles/frigate-caddy/templates/Caddyfile.j2 b/roles/frigate-caddy/templates/Caddyfile.j2
new file mode 100644
index 0000000..b9c46f7
--- /dev/null
+++ b/roles/frigate-caddy/templates/Caddyfile.j2
@@ -0,0 +1,23 @@
+{# vim: set sw=4 ts=4 sts=4 et : #}
+{{ frigate_caddy_server_name }} {
+{% if frigate_caddy_forward_auth|d %}
+ forward_auth {{ frigate_caddy_forward_auth.url }} {
+ uri {{ frigate_caddy_forward_auth.path }}
+ header_up Host {upstream_hostport}
+
+ @unauthorized status 401
+ handle_response @unauthorized {
+ respond "" 301
+ header Location {{ frigate_caddy_forward_auth.url}}{{ frigate_caddy_forward_auth.location }}
+ }
+ }
+
+{% endif %}
+ reverse_proxy localhost:5000
+{% if frigate_caddy_acme|d %}
+
+ tls {{ frigate_caddy_acme.email }} {
+ ca {{ frigate_caddy_acme.url }}
+ }
+{% endif %}
+}
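Review bot: The rendered template is written straight into `/etc/caddy/Caddyfile.d/` and only checked when the `reload caddy` handler runs, so a rendering mistake leaves a broken fragment on disk before anything notices; since the fragment is a self-contained site block, adding `validate: caddy validate --adapter caddyfile --config %s` to the `template` task would reject it before it is installed. The handler itself lives in the `caddy` role that `meta/main.yml` declares as a dependency, which is why `notify` resolves here; a one-line comment such as `# handler is provided by the caddy dependency role` next to `notify` would spare the next reader a search.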
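Review bot: The forward_auth gate applies only to requests that pass through this vhost; `reverse_proxy localhost:5000` assumes Frigate's own listener on port 5000 is bound to loopback or otherwise unreachable from the network, because a client that can reach port 5000 directly bypasses Authelia entirely. Nothing in this patch touches Frigate's bind address, and the firewalld task in roles/caddy only runs when `host_uses_firewalld` is true, so that assumption should be written down in the template, e.g. `{# Frigate must listen on loopback only; forward_auth protects nothing if port 5000 is reachable from the network. #}` above the `reverse_proxy` line. Separately, `{{ frigate_caddy_forward_auth.url}}` on the `header Location` line is missing the space before `}}` that every other expression in this file has; it renders the same but is inconsistent. The `tls` block only sets the ACME CA URL, so Caddy must also trust the certificate that `ca.pyrocufflink.blue` presents when it contacts the directory; I assume the internal root is already in the system trust store, but a comment on the `ca` line noting that requirement would save someone a confusing ACME failure.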