role-caddy/tasks/install.yml

---
- block:
    - name: Update apt cache
      apt:
        cache_valid_time: 3600
        update_cache: true
      register: _pre_update_apt_cache
      until: _pre_update_apt_cache is succeeded
      when:
        - ansible_pkg_mgr == "apt"

    - name: Install dependencies
      package:
        name: "{{ caddy_dependencies }}"
        state: present
      register: _install_dep_packages
      until: _install_dep_packages is succeeded
      retries: 5
      delay: 2
- block:
    - name: Download caddy archive
      get_url:
        url: "{{ caddy_dl_url }}.tar.gz"
        dest: "/tmp/caddy-{{ caddy_version }}-linux-{{ caddy_arch }}.tar.gz"
      register: _download_archive
      until: _download_archive is succeeded
      retries: 5
      delay: 2

    - name: Download caddy checksum.txt
      get_url:
        url: "{{ caddy_dl_url_checksum }}"
        dest: "/tmp/caddy_{{ caddy_version }}_checksums.txt"
      register: _download_checksums_txt
      until: _download_checksums_txt is succeeded
      retries: 5
      delay: 2

    - name: Download caddy checksum.txt.pem
      get_url:
        url: "{{ caddy_dl_url_checksum }}.pem"
        dest: "/tmp/caddy_{{ caddy_version }}_checksums.txt.pem"
      register: _download_checksums_txt_pem
      until: _download_checksums_txt_pem is succeeded
      retries: 5
      delay: 2

    - name: Download caddy checksum.txt.sig
      get_url:
        url: "{{ caddy_dl_url_checksum }}.sig"
        dest: "/tmp/caddy_{{ caddy_version }}_checksums.txt.sig"
      register: _download_checksums_txt_sig
      until: _download_checksums_txt_pem is succeeded
      retries: 5
      delay: 2

    - name: Verify Certificate
      command: "COSIGN_EXPERIMENTAL=1 cosign verify-blob --certificate /tmp/caddy_{{ caddy_version }}_checksums.txt.pem --signature /tmp/caddy_{{ caddy_version }}_checksums.txt.sig /tmp/caddy_{{ caddy_version }}_checksums.txt"
      register: _caddy_cosign_key_status
      changed_when: false
      failed_when: _caddy_cosign_key_status.rc not in (0, 2)

    - name: Unpack caddy binary
      unarchive:
        remote_src: yes
        src: "/tmp/caddy-{{ caddy_version }}-linux-{{ caddy_arch }}.tar.gz"
        dest: "/usr/local/bin"
        mode: 0755
        owner: root
        group: root
      notify: "Restart caddy"
  when: (not caddy_version_check|bool) or (caddy_active_version.stdout != caddy_version)