r/frigate-caddy: Deploy Caddy in front of Frigate

Deploying Caddy as a reverse proxy for Frigate enables HTTPS with a
certificate issued by the internal CA (via ACME) and authentication via
Authelia.

Separating the installation and base configuration of Caddy into its
own role will allow us to reuse that part for other applications that
use Caddy for similar reasons.
frigate-exporter
Dustin 2024-08-12 18:27:41 -05:00
parent 59be10a51c
commit 6c71d96f81
9 changed files with 101 additions and 0 deletions


@ -4,3 +4,5 @@
tags: gasket-dkms tags: gasket-dkms
- role: frigate - role: frigate
tags: frigate tags: frigate
- role: frigate-caddy
tags: frigate-caddy

group_vars/frigate.yml Normal file

@ -0,0 +1,9 @@
# vim: set ft=yaml.jinja :
frigate_caddy_forward_auth:
url: https://auth.pyrocufflink.blue
path: /api/verify
location: '?rd=https://{{ frigate_caddy_server_name }}'
frigate_caddy_acme:
email: frigate@pyrocufflink.blue
url: https://ca.pyrocufflink.blue/acme/acme/directory
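Review bot: The `location` value under `frigate_caddy_forward_auth` sets the post-login redirect (`rd`) to the bare server name, so after authenticating the user lands on the Frigate root rather than the page they originally requested. If returning to the requested page is intended, the `header Location` line in the Caddyfile template should expand Caddy's runtime placeholders, so the request URI can be appended: `location: '?rd=https://{{ frigate_caddy_server_name }}{uri}'`. Pinning the redirect host to the configured server name instead of taking it from the request is the right choice for an `rd` parameter and should stay that way.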


@ -0,0 +1 @@
import Caddyfile.d/*.caddyfile


@ -0,0 +1,4 @@
- name: reload caddy
service:
name: caddy
state: reloaded


@ -0,0 +1,47 @@
- name: ensure caddy is installed
package:
name: caddy
state: present
tags:
- install
- name: ensure base caddy configuration is set
copy:
src: Caddyfile
dest: /etc/caddy/Caddyfile
owner: root
group: root
mode: u=rw,go=r
notify:
- reload caddy
tags:
- config
- name: ensure firewall is configured for caddy
firewalld:
service: '{{ item }}'
permanent: true
immediate: true
state: enabled
when: host_uses_firewalld|d(true)
loop:
- http
- https
tags:
- firewalld
- name: flush handlers
meta: flush_handlers
- name: ensure caddy starts at boot
service:
name: caddy
enabled: true
tags:
- service
- name: ensure caddy is running
service:
name: caddy
state: started
tags:
- service
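Review bot: No task in this role creates `/etc/caddy/Caddyfile.d`, yet the Caddyfile installed by `ensure base caddy configuration is set` imports `Caddyfile.d/*.caddyfile` and the frigate-caddy role's template task writes `/etc/caddy/Caddyfile.d/frigate.caddyfile`; the `template` module does not create missing parent directories, so on a host where the caddy package does not ship that directory the frigate-caddy role fails before anything is proxied. A `file` task with `state: directory` placed before the copy task closes that gap and also gives the directory explicit root-owned, non-writable-by-others permissions to match the config files. The same point applies to the frigate-caddy task file in this commit, which depends on the directory existing.
```yaml
- name: ensure caddy configuration directory exists
  file:
    path: /etc/caddy/Caddyfile.d
    state: directory
    owner: root
    group: root
    mode: u=rwx,go=rx
  tags:
    - config
# … unchanged: base Caddyfile copy, firewalld, flush handlers, service tasks …
```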


@ -0,0 +1 @@
frigate_caddy_server_name: frigate.{{ ansible_domain }}


@ -0,0 +1,3 @@
dependencies:
- role: caddy
tags: caddy


@ -0,0 +1,11 @@
- name: ensure caddy is configured to proxy for frigate
template:
src: Caddyfile.j2
dest: /etc/caddy/Caddyfile.d/frigate.caddyfile
owner: root
group: root
mode: u=rw,go=r
notify:
- reload caddy
tags:
- config


@ -0,0 +1,23 @@
{# vim: set sw=4 ts=4 sts=4 et : #}
{{ frigate_caddy_server_name }} {
{% if frigate_caddy_forward_auth|d %}
forward_auth {{ frigate_caddy_forward_auth.url }} {
uri {{ frigate_caddy_forward_auth.path }}
header_up Host {upstream_hostport}
@unauthorized status 401
handle_response @unauthorized {
respond "" 301
header Location {{ frigate_caddy_forward_auth.url}}{{ frigate_caddy_forward_auth.location }}
}
}
{% endif %}
reverse_proxy localhost:5000
{% if frigate_caddy_acme|d %}
tls {{ frigate_caddy_acme.email }} {
ca {{ frigate_caddy_acme.url }}
}
{% endif %}
}
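Review bot: The unauthorized branch at `respond "" 301` issues a permanent redirect, which browsers and intermediate caches may remember for the Frigate URL, so a user can keep being sent to the login page even after they have authenticated; a temporary status is the usual choice for an auth redirect, `respond "" 302`. On the `header Location` line the expression `{{ frigate_caddy_forward_auth.url}}` is missing the space before `}}`; it renders the same, but `{{ frigate_caddy_forward_auth.url }}` matches the rest of the template. Worth stating in the template is that when `frigate_caddy_forward_auth` is undefined the whole `forward_auth` block is omitted and the site is proxied to `localhost:5000` with nothing in front of it; a comment such as `{# without frigate_caddy_forward_auth the site is served unauthenticated #}` makes that consequence visible to whoever sets the variable.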