ansible-role-caddy/tasks/main.yml

- name: Ensure Caddy is installed
  ansible.builtin.package:
    name: caddy
    state: present

- name: Create Caddy configuration directory
  ansible.builtin.file:
    path: /etc/caddy
    state: directory
    owner: root
    group: root
    mode: '0755'

- name: Deploy Caddyfile
  ansible.builtin.template:
    src: Caddyfile.j2
    dest: "{{ caddy_config_path }}"
    owner: root
    group: root
    mode: '0644'

- name: Ensure Caddy authorities directory exists
  ansible.builtin.file:
    path: /var/lib/caddy/.local/share/caddy/pki/authorities/local
    state: directory
    owner: caddy
    group: caddy
    mode: '0700'
    become: yes

# Copy the pre-generated certs from files/certs folder to Caddy, 
# so that you only need to import the root.crt once for all .local domains
- name: Deploy Caddy root certificates
  vars:
    cert_list: "{{ lookup('fileglob', role_path + '/files/certs/*', wantlist=True) | map('basename') | list }}"
  ansible.builtin.copy:
    src: "certs/{{ item }}"
    dest: "{{ caddy_authorities_path }}/{{ item }}"
    owner: caddy
    group: caddy
    mode: '0600'
    force: yes

  loop: "{{ cert_list }}"
  become: yes
- name: Ensure Caddy root directory exists
  ansible.builtin.file:
    path: "{{ caddy_root }}"
    state: directory
    owner: www-data
    group: www-data
    mode: '0755'

- name: Start and enable Caddy service
  ansible.builtin.service:
    name: "{{ caddy_service_name }}"
    state: started
    enabled: true

- name: Restart Caddy
  become: yes
  ansible.builtin.service:
    name: "{{ caddy_service_name }}"
    state: restarted

# By default don't trust as its not usually needed
- name: Trust Caddy local CA
  copy:
    src: /var/lib/caddy/.local/share/caddy/pki/authorities/local/root.crt
    dest: /usr/local/share/ca-certificates/caddy-local.crt
    remote_src: yes
  notify: Update CA trust
  when: caddy_trust_local_ca | default(false) | bool