r/frigate-caddy: Deploy Caddy in front of Frigate

Deploying Caddy as a reverse proxy for Frigate enables HTTPS with a certificate issued by the internal CA (via ACME) and authentication via Authelia. Separating the installation and base configuratieon of Caddy into its own role will allow us to reuse that part for other sapplications that use Caddy for similar reasons.
2024-08-12 18:27:41 -05:00 · 2024-08-12 18:27:41 -05:00 · 6c71d96f81
parent 59be10a51c
commit 6c71d96f81
9 changed files with 101 additions and 0 deletions
--- a/frigate.yml
+++ b/frigate.yml
@ -4,3 +4,5 @@
    tags: gasket-dkms
  - role: frigate
    tags: frigate
+  - role: frigate-caddy
+    tags: frigate-caddy
--- a/group_vars/frigate.yml
+++ b/group_vars/frigate.yml
@ -0,0 +1,9 @@
+# vim: set ft=yaml.jinja :
+
+frigate_caddy_forward_auth:
+  url: https://auth.pyrocufflink.blue
+  path: /api/verify
+  location: '?rd=https://{{ frigate_caddy_server_name }}'
+frigate_caddy_acme:
+  email: frigate@pyrocufflink.blue
+  url: https://ca.pyrocufflink.blue/acme/acme/directory
--- a/roles/caddy/files/Caddyfile
+++ b/roles/caddy/files/Caddyfile
@ -0,0 +1 @@
+import Caddyfile.d/*.caddyfile
--- a/roles/caddy/handlers/main.yml
+++ b/roles/caddy/handlers/main.yml
@ -0,0 +1,4 @@
+- name: reload caddy
+  service:
+    name: caddy
+    state: reloaded
--- a/roles/caddy/tasks/main.yml
+++ b/roles/caddy/tasks/main.yml
@ -0,0 +1,47 @@
+- name: ensure caddy is installed
+  package:
+    name: caddy
+    state: present
+  tags:
+  - install
+
+- name: ensure base caddy configuration is set
+  copy:
+    src: Caddyfile
+    dest: /etc/caddy/Caddyfile
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload caddy
+  tags:
+  - config
+
+- name: ensure firewall is configured for caddy
+  firewalld:
+    service: '{{ item }}'
+    permanent: true
+    immediate: true
+    state: enabled
+  when: host_uses_firewalld|d(true)
+  loop:
+  - http
+  - https
+  tags:
+  - firewalld
+
+- name: flush handlers
+  meta: flush_handlers
+
+- name: ensure caddy starts at boot
+  service:
+    name: caddy
+    enabled: true
+  tags:
+  - service
+- name: ensure caddy is running
+  service:
+    name: caddy
+    state: started
+  tags:
+  - service
--- a/roles/frigate-caddy/defaults/main.yml
+++ b/roles/frigate-caddy/defaults/main.yml
@ -0,0 +1 @@
+frigate_caddy_server_name: frigate.{{ ansible_domain }}
--- a/roles/frigate-caddy/meta/main.yml
+++ b/roles/frigate-caddy/meta/main.yml
@ -0,0 +1,3 @@
+dependencies:
+- role: caddy
+  tags: caddy
--- a/roles/frigate-caddy/tasks/main.yml
+++ b/roles/frigate-caddy/tasks/main.yml
@ -0,0 +1,11 @@
+- name: ensure caddy is configured to proxy for frigate
+  template:
+    src: Caddyfile.j2
+    dest: /etc/caddy/Caddyfile.d/frigate.caddyfile
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload caddy
+  tags:
+  - config
--- a/roles/frigate-caddy/templates/Caddyfile.j2
+++ b/roles/frigate-caddy/templates/Caddyfile.j2
@ -0,0 +1,23 @@
+{# vim: set sw=4 ts=4 sts=4 et : #}
+{{ frigate_caddy_server_name }} {
+{% if frigate_caddy_forward_auth|d %}
+   forward_auth {{ frigate_caddy_forward_auth.url }} {
+       uri {{ frigate_caddy_forward_auth.path }}
+       header_up Host {upstream_hostport}
+
+       @unauthorized status 401
+       handle_response @unauthorized {
+           respond "" 301
+           header Location {{ frigate_caddy_forward_auth.url}}{{ frigate_caddy_forward_auth.location }}
+        }
+    }
+
+{% endif %}
+    reverse_proxy localhost:5000
+{% if frigate_caddy_acme|d %}
+
+    tls {{ frigate_caddy_acme.email }} {
+        ca {{ frigate_caddy_acme.url }}
+    }
+{% endif %}
+}
				`@ -0,0 +1 @@`
				`frigate_caddy_server_name: frigate.{{ ansible_domain }}`