update caddy and landing page config

2023-08-05 14:24:42 +02:00 · 2023-08-05 14:24:42 +02:00 · 917ce3bf0a
commit 917ce3bf0a
parent f05125f313
5 changed files with 74 additions and 17 deletions
--- a/scripts/caddy/Caddyfile.templ
+++ b/scripts/caddy/Caddyfile.templ
@ -2,8 +2,14 @@
 	acme_dns hetzner $hetzner_secret
 }

-https://$domain {
-    respond "Hello world"
+(blocked_matcher) {
+    @blocked not remote_ip 10.0.0.0/24 10.0.89.0/24 127.0.0.1
+}
+(internal_only) {
+    import blocked_matcher
+    handle @blocked {
+        abort
+    }
 }

 import /etc/caddy/conf.d/*
--- a/scripts/caddy/caddy.service.templ
+++ b/scripts/caddy/caddy.service.templ
@ -32,6 +32,7 @@ PrivateDevices=yes
 PrivateTmp=true
 ProtectSystem=full
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+Environment="DOMAIN=$domain"

 [Install]
 WantedBy=multi-user.target
--- a/scripts/caddy/index.html
+++ b/scripts/caddy/index.html
@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html lang="en">
+    <head>
+        <title>hangar.in</title>
+        <meta charset="UTF-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+        <style>
+        body {
+            background: #1a1a1a;
+            font-family: monospace;
+            color: #fefefe;
+        }
+        h1 {
+            font-size: large;
+        }
+        .container {
+            position: absolute;
+            top: 50%;
+            left: 50%;
+            width: min(50ch, 95vw);
+            transform: translate(-50%, -50%);
+        }
+        </style>
+    </head>
+    <body>
+        <div class="container">
+            <h1>
+                Welcome to the hangar! Your connection does not come from inside our network.
+                Please turn on the VPN, or hop on the next train to Prague :)
+            </h1>
+            <p>~ Admins, with ❤️</p>
+        </div>
+    </body>
+</html>
--- a/scripts/caddy/landing.Caddyfile
+++ b/scripts/caddy/landing.Caddyfile
@ -0,0 +1,10 @@
+https://{$DOMAIN} {
+    import blocked_matcher
+    handle @blocked {
+        file_server {
+            root /var/www
+            status 403
+        }
+    }
+    respond "Hello from the inside!"
+}
--- a/scripts/caddy/script.sh
+++ b/scripts/caddy/script.sh
@ -10,19 +10,8 @@ _ch_001-download_binary() {
    sudo chmod +x /usr/bin/caddy;
 }

-# fill and copy config
-_ch_002-add_config() {
-    sudo mkdir -p /etc/caddy/conf.d;
-    sudo cp $(_fill Caddyfile.templ) /etc/caddy/Caddyfile;
-    sudo chmod a+rx /etc/caddy;
-    sudo chgrp $USER /etc/caddy/Caddyfile;
-    sudo chmod a+r,g+w /etc/caddy/Caddyfile;
-    sudo chgrp $USER /etc/caddy/conf.d;
-    sudo chmod a+rx,g+w /etc/caddy/conf.d;
-}
-
 # create data folder with correct perms
-_ch_003-create_user() {
+_ch_002-create_user() {
    sudo groupadd --system caddy;
    sudo useradd --system \
        --gid caddy \
@ -33,13 +22,30 @@ _ch_003-create_user() {
        caddy;
 }

-_ch_004-create_service() {
-    sudo cp caddy.service /etc/systemd/system/caddy.service;
+# fill and copy default config
+_ch_003-add_config() {
+    # create configuration directories and make sure
+    # only caddy and we have access to them
+    sudo mkdir -p /etc/caddy/conf.d;
+    sudo chown -R $USER:caddy /etc/caddy;
+    chmod g+s a-rwx /etc/caddy /etc/caddy/conf.d;
+
+    cp $(_fill Caddyfile.templ) /etc/caddy/Caddyfile;
+}
+
+_ch_004-add_default_landing_page() {
+    sudo mkdir -p /var/www;
+    sudo cp index.html /var/www;
+    cp landing.Caddyfile /etc/caddy/conf.d;
+}
+
+_ch_005-create_service() {
+    sudo cp $(_fill caddy.service.templ) /etc/systemd/system/caddy.service;
    sudo systemctl daemon-reload;
    sudo systemctl enable --now caddy;
 }

-_ch_005-allow_firewall() {
+_ch_006-allow_firewall() {
    if command -v ufw &> /dev/null; then
        sudo ufw allow 80;
        sudo ufw allow 443;