From 917ce3bf0a05b5fcdfa73a9772a019dae866ff76 Mon Sep 17 00:00:00 2001 From: bain Date: Sat, 5 Aug 2023 14:24:42 +0200 Subject: [PATCH] update caddy and landing page config --- scripts/caddy/Caddyfile.templ | 10 ++++-- .../{caddy.service => caddy.service.templ} | 1 + scripts/caddy/index.html | 34 ++++++++++++++++++ scripts/caddy/landing.Caddyfile | 10 ++++++ scripts/caddy/script.sh | 36 +++++++++++-------- 5 files changed, 74 insertions(+), 17 deletions(-) rename scripts/caddy/{caddy.service => caddy.service.templ} (97%) create mode 100644 scripts/caddy/index.html create mode 100644 scripts/caddy/landing.Caddyfile diff --git a/scripts/caddy/Caddyfile.templ b/scripts/caddy/Caddyfile.templ index b80a752..229359c 100644 --- a/scripts/caddy/Caddyfile.templ +++ b/scripts/caddy/Caddyfile.templ @@ -2,8 +2,14 @@ acme_dns hetzner $hetzner_secret } -https://$domain { - respond "Hello world" +(blocked_matcher) { + @blocked not remote_ip 10.0.0.0/24 10.0.89.0/24 127.0.0.1 +} +(internal_only) { + import blocked_matcher + handle @blocked { + abort + } } import /etc/caddy/conf.d/* diff --git a/scripts/caddy/caddy.service b/scripts/caddy/caddy.service.templ similarity index 97% rename from scripts/caddy/caddy.service rename to scripts/caddy/caddy.service.templ index 618eaf7..cfb25c6 100644 --- a/scripts/caddy/caddy.service +++ b/scripts/caddy/caddy.service.templ @@ -32,6 +32,7 @@ PrivateDevices=yes PrivateTmp=true ProtectSystem=full AmbientCapabilities=CAP_NET_BIND_SERVICE +Environment="DOMAIN=$domain" [Install] WantedBy=multi-user.target diff --git a/scripts/caddy/index.html b/scripts/caddy/index.html new file mode 100644 index 0000000..f0751f4 --- /dev/null +++ b/scripts/caddy/index.html @@ -0,0 +1,34 @@ + + + + hangar.in + + + + + +
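Review bot: The allowlist in `@blocked not remote_ip 10.0.0.0/24 10.0.89.0/24 127.0.0.1` covers only the IPv4 loopback, so a request arriving over the IPv6 loopback (for example a local health check against an IPv6 listener, if one is bound) is treated as external and aborted; if that is not intended, extend it: `@blocked not remote_ip 10.0.0.0/24 10.0.89.0/24 127.0.0.1 ::1`. `remote_ip` matches the TCP peer address, so the check only holds if clients reach this Caddy directly; whether anything proxies in front of it cannot be told from the patch. The ranges are also hard-coded while the rest of the template is filled through `$hetzner_secret`/`$domain` placeholders, so the network layout could likewise come from a placeholder (e.g. `$internal_nets`). `(internal_only)` is defined here but nothing in this patch imports it (landing.Caddyfile imports `blocked_matcher` directly); a one-line comment above it stating it is meant for site blocks under /etc/caddy/conf.d would make that clear.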
+

+ Welcome to the hangar! Your connection does not come from inside our network. + Please turn on the VPN, or hop on the next train to Prague :) +

+

~ Admins, with ❤️

+
+ + diff --git a/scripts/caddy/landing.Caddyfile b/scripts/caddy/landing.Caddyfile new file mode 100644 index 0000000..616a832 --- /dev/null +++ b/scripts/caddy/landing.Caddyfile @@ -0,0 +1,10 @@ +https://{$DOMAIN} { + import blocked_matcher + handle @blocked { + file_server { + root /var/www + status 403 + } + } + respond "Hello from the inside!" +} diff --git a/scripts/caddy/script.sh b/scripts/caddy/script.sh index af9d562..aaa647b 100644 --- a/scripts/caddy/script.sh +++ b/scripts/caddy/script.sh @@ -10,19 +10,8 @@ _ch_001-download_binary() { sudo chmod +x /usr/bin/caddy; } -# fill and copy config -_ch_002-add_config() { - sudo mkdir -p /etc/caddy/conf.d; - sudo cp $(_fill Caddyfile.templ) /etc/caddy/Caddyfile; - sudo chmod a+rx /etc/caddy; - sudo chgrp $USER /etc/caddy/Caddyfile; - sudo chmod a+r,g+w /etc/caddy/Caddyfile; - sudo chgrp $USER /etc/caddy/conf.d; - sudo chmod a+rx,g+w /etc/caddy/conf.d; -} - # create data folder with correct perms -_ch_003-create_user() { +_ch_002-create_user() { sudo groupadd --system caddy; sudo useradd --system \ --gid caddy \ @@ -33,13 +22,30 @@ _ch_003-create_user() { caddy; } -_ch_004-create_service() { - sudo cp caddy.service /etc/systemd/system/caddy.service; +# fill and copy default config +_ch_003-add_config() { + # create configuration directories and make sure + # only caddy and we have access to them + sudo mkdir -p /etc/caddy/conf.d; + sudo chown -R $USER:caddy /etc/caddy; + chmod g+s a-rwx /etc/caddy /etc/caddy/conf.d; + + cp $(_fill Caddyfile.templ) /etc/caddy/Caddyfile; +} + +_ch_004-add_default_landing_page() { + sudo mkdir -p /var/www; + sudo cp index.html /var/www; + cp landing.Caddyfile /etc/caddy/conf.d; +} + +_ch_005-create_service() { + sudo cp $(_fill caddy.service.templ) /etc/systemd/system/caddy.service; sudo systemctl daemon-reload; sudo systemctl enable --now caddy; } -_ch_005-allow_firewall() { +_ch_006-allow_firewall() { if command -v ufw &> /dev/null; then sudo ufw allow 80; sudo ufw allow 443;
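Review bot: Inside `handle @blocked`, `file_server` with `root /var/www` and `status 403` only serves the landing page for paths that exist under /var/www; a blocked client requesting any other path receives file_server's 404 instead, so outside clients get different responses depending on the path. Add `rewrite * /index.html` as the first directive in the `handle @blocked` block so every blocked request is answered with the same 403 page. The `respond "Hello from the inside!"` fallback for internal clients is fine as is.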
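Review bot: In `_ch_003-add_config`, `chmod g+s a-rwx /etc/caddy /etc/caddy/conf.d` is applied left to right, leaving the directories at mode 2000: setgid set but no permission bits for owner, group or others, which contradicts the comment "only caddy and we have access to them". The unprivileged `cp $(_fill Caddyfile.templ) /etc/caddy/Caddyfile` that follows, and `cp landing.Caddyfile /etc/caddy/conf.d` in `_ch_004-add_default_landing_page`, should then fail with EACCES, and the caddy group needs rx on the directories to read the config anyway; make the mode explicit: `chmod u=rwx,g=rxs,o= /etc/caddy /etc/caddy/conf.d;`. The copied Caddyfile now inherits the caller's umask rather than the old explicit `chmod`, and it contains `$hetzner_secret`, so a line such as `chmod 640 /etc/caddy/Caddyfile /etc/caddy/conf.d/landing.Caddyfile;` after the copies would pin the file modes. The group ownership set by `chown -R $USER:caddy` happens before these copies, so new files rely on the setgid bit to land in group caddy; worth a short comment stating that dependency.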