TUN-528: Move cloudflared into a separate repo

vendor/github.com/mholt/caddy/dist/init/README.md

@@ -0,0 +1,28 @@
+Init/Service Scripts
+====================
+
+This folder contains init/service scripts for using Caddy on various Linux and BSD distributions. They are created and maintained by the community.
+
+## Getting Help
+
+Different scripts have different maintainers; please consult the comments in the file and any README for assistance setting it up. Do not open an issue on the Caddy project about these scripts; instead, to ask a question or suggest a change, please contact the maintainer of the script directly.
+
+## Disclaimer
+
+The files contained herein are not officially supported by the Caddy project author and/or contributors, and as such, the files are not endorsed by the same. The Caddy project author and its contributors are not responsible for the function or malfunction of these scripts/files, or any unintended consequences to your system or website in attempting to set up Caddy. Users are expected to know how to administer their system, and these files should be considered as only a guide or suggestion for using Caddy in certain environments.
+
+## Guidelines
+
+The files distributed here should adhere to these principles where relevant (adjust accordingly for each system/platform):
+
+- Don't run as root.
+- Create a no-shell default user to run it.
+- Raise file descriptor limits.
+- Don't restart endlessly; if Caddy fails to start, there's a reason -- fix it, don't hammer it.
+- Allow Caddy to re-use the same, persistent folder for storage.
+- Stay as simple and minimal as possible.
+- Be idempotent.
+- Use comments to explain unexpected or unusual lines/patterns.
+- Be secure by default.
+
+Thank you for using Caddy! May it serve you well.

vendor/github.com/mholt/caddy/dist/init/freebsd/caddy

@@ -0,0 +1,83 @@
+#!/bin/sh
+#
+# PROVIDE: caddy
+# REQUIRE: networking
+# KEYWORD: shutdown
+
+#
+# Add the following lines to /etc/rc.conf to enable caddy:
+# caddy_enable (bool):        Set to "NO" by default.
+#                             Set it to "YES" to enable caddy
+#
+# caddy_cert_email (str):     Set to "" by default.
+#                             Defines the SSL certificate issuer email. By providing an
+#                             email address you automatically agree to letsencrypt.org's
+#                             general terms and conditions
+#
+# caddy_bin_path (str):       Set to "/usr/local/bin/caddy" by default.
+#                             Provides the path to the caddy server executable
+#
+# caddy_cpu (str):            Set to "99%" by default.
+#                             Configures, how much CPU capacity caddy may gain
+#
+# caddy_config_path (str):    Set to "/usr/local/www/Caddyfile" by default.
+#                             Defines the path for the configuration file caddy will load on boot
+#
+# caddy_user (str):           Set to "root" by default.
+#                             Defines the user that caddy will run on
+#
+# caddy_group (str):  	      Set to "wheel" by default.
+#                             Defines the group that caddy files will be attached to
+#
+# caddy_logfile (str)	      Set to "/var/log/caddy.log" by default.
+#			      Defines where the process log file is written, this is not a web access log
+#
+# caddy_env (str)	      Set to "" by default.
+#			      This allows environment variable to be set that may be required, for example when using "DNS Challenge" account credentials are required.
+#			      e.g. (in your rc.conf)   caddy_env="CLOUDFLARE_EMAIL=me@domain.com CLOUDFLARE_API_KEY=my_api_key"
+#
+
+. /etc/rc.subr
+
+name="caddy"
+rcvar="${name}_enable"
+
+load_rc_config ${name}
+
+: ${caddy_enable:="NO"}
+: ${caddy_cert_email=""}
+: ${caddy_bin_path="/usr/local/bin/caddy"}
+: ${caddy_cpu="99%"} # was a bug for me that caused a crash within jails
+: ${caddy_config_path="/usr/local/www/Caddyfile"}
+: ${caddy_logfile="/var/log/caddy.log"}
+: ${caddy_user="root"}
+: ${caddy_group="wheel"}
+
+if [ "$caddy_cert_email" = "" ]
+then
+    echo "rc variable \$caddy_cert_email is not set. Please provide a valid SSL certificate issuer email."
+    exit 1
+fi
+
+pidfile="/var/run/${name}.pid"
+procname="${caddy_bin_path}" #enabled builtin pid checking for start / stop
+command="/usr/sbin/daemon"
+command_args="-p ${pidfile} /usr/bin/env ${caddy_env} ${procname} -cpu ${caddy_cpu} -log stdout -conf ${caddy_config_path} -agree -email ${caddy_cert_email} < /dev/null >> ${caddy_logfile} 2>&1"
+
+start_precmd="caddy_startprecmd"
+
+caddy_startprecmd()
+{
+	if [ ! -e "${pidfile}" ]; then
+		install -o "${caddy_user}" -g "${caddy_group}" "/dev/null" "${pidfile}"
+	fi
+
+	if [ ! -e "${caddy_logfile}" ]; then
+		install -o "${caddy_user}" -g "${caddy_group}" "/dev/null" "${caddy_logfile}"
+	fi
+}
+
+required_files="${caddy_config_path}"
+
+run_rc_command "$1"
+

vendor/github.com/mholt/caddy/dist/init/linux-systemd/README.md

@@ -0,0 +1,128 @@
+# systemd Service Unit for Caddy
+
+Please do not hesitate to ask on
+[caddyserver/support](https://gitter.im/caddyserver/support)
+if you have any questions. Feel free to prepend to your question
+the username of whoever touched the file most recently, for example
+`@wmark re systemd: …`.
+
+The provided file should work with systemd version 219 or later. It might work with earlier versions.
+The easiest way to check your systemd version is to run `systemctl --version`.
+
+## Instructions
+
+We will assume the following:
+
+* that you want to run caddy as user `www-data` and group `www-data`, with UID and GID 33
+* you are working from a non-root user account that can use 'sudo' to execute commands as root
+
+Adjust as necessary or according to your preferences.
+
+First, put the caddy binary in the system wide binary directory and give it
+appropriate ownership and permissions:
+
+```bash
+sudo cp /path/to/caddy /usr/local/bin
+sudo chown root:root /usr/local/bin/caddy
+sudo chmod 755 /usr/local/bin/caddy
+```
+
+Give the caddy binary the ability to bind to privileged ports (e.g. 80, 443) as a non-root user:
+
+```bash
+sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy
+```
+
+Set up the user, group, and directories that will be needed:
+
+```bash
+sudo groupadd -g 33 www-data
+sudo useradd \
+  -g www-data --no-user-group \
+  --home-dir /var/www --no-create-home \
+  --shell /usr/sbin/nologin \
+  --system --uid 33 www-data
+
+sudo mkdir /etc/caddy
+sudo chown -R root:www-data /etc/caddy
+sudo mkdir /etc/ssl/caddy
+sudo chown -R root:www-data /etc/ssl/caddy
+sudo chmod 0770 /etc/ssl/caddy
+```
+
+Place your caddy configuration file ("Caddyfile") in the proper directory
+and give it appropriate ownership and permissions:
+
+```bash
+sudo cp /path/to/Caddyfile /etc/caddy/
+sudo chown www-data:www-data /etc/caddy/Caddyfile
+sudo chmod 444 /etc/caddy/Caddyfile
+```
+
+Create the home directory for the server and give it appropriate ownership
+and permissions:
+
+```bash
+sudo mkdir /var/www
+sudo chown www-data:www-data /var/www
+sudo chmod 555 /var/www
+```
+
+Let's assume you have the contents of your website in a directory called 'example.com'.
+Put your website into place for it to be served by caddy:
+
+```bash
+sudo cp -R example.com /var/www/
+sudo chown -R www-data:www-data /var/www/example.com
+sudo chmod -R 555 /var/www/example.com
+```
+
+You'll need to explicitly configure caddy to serve the site from this location by adding
+the following to your Caddyfile if you haven't already:
+
+```
+example.com {
+    root /var/www/example.com
+    ...
+}
+```
+
+Install the systemd service unit configuration file, reload the systemd daemon,
+and start caddy:
+
+```bash
+wget https://raw.githubusercontent.com/mholt/caddy/master/dist/init/linux-systemd/caddy.service
+sudo cp caddy.service /etc/systemd/system/
+sudo chown root:root /etc/systemd/system/caddy.service
+sudo chmod 644 /etc/systemd/system/caddy.service
+sudo systemctl daemon-reload
+sudo systemctl start caddy.service
+```
+
+Have the caddy service start automatically on boot if you like:
+
+```bash
+sudo systemctl enable caddy.service
+```
+
+If caddy doesn't seem to start properly you can view the log data to help figure out what the problem is:
+
+```bash
+journalctl --boot -u caddy.service
+```
+
+Use `log stdout` and `errors stderr` in your Caddyfile to fully utilize systemd journaling.
+
+If your GNU/Linux distribution does not use *journald* with *systemd* then check any logfiles in `/var/log`.
+
+If you want to follow the latest logs from caddy you can do so like this:
+
+```bash
+journalctl -f -u caddy.service
+```
+
+You can make other certificates and private key files accessible to the `www-data` user with the following command:
+
+```bash
+setfacl -m user:www-data:r-- /etc/ssl/private/my.key
+```

vendor/github.com/mholt/caddy/dist/init/linux-systemd/caddy.service

@@ -0,0 +1,51 @@
+[Unit]
+Description=Caddy HTTP/2 web server
+Documentation=https://caddyserver.com/docs
+After=network-online.target
+Wants=network-online.target systemd-networkd-wait-online.service
+
+[Service]
+Restart=on-abnormal
+
+; User and group the process will run as.
+User=www-data
+Group=www-data
+
+; Letsencrypt-issued certificates will be written to this directory.
+Environment=CADDYPATH=/etc/ssl/caddy
+
+; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
+ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp
+ExecReload=/bin/kill -USR1 $MAINPID
+
+; Use graceful shutdown with a reasonable timeout
+KillMode=mixed
+KillSignal=SIGQUIT
+TimeoutStopSec=5s
+
+; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
+LimitNOFILE=1048576
+; Unmodified caddy is not expected to use more than that.
+LimitNPROC=512
+
+; Use private /tmp and /var/tmp, which are discarded after caddy stops.
+PrivateTmp=true
+; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
+PrivateDevices=false
+; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
+ProtectHome=true
+; Make /usr, /boot, /etc and possibly some more folders read-only.
+ProtectSystem=full
+; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
+;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
+ReadWriteDirectories=/etc/ssl/caddy
+
+; The following additional security directives only work with systemd v229 or later.
+; They further restrict privileges that can be gained by caddy. Uncomment if you like.
+; Note that you may have to add capabilities required by any plugins in use.
+;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+;AmbientCapabilities=CAP_NET_BIND_SERVICE
+;NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target

vendor/github.com/mholt/caddy/dist/init/linux-sysvinit/README.md

@@ -0,0 +1,27 @@
+SysVinit conf for Caddy
+=======================
+
+Usage
+-----
+
+* Download the appropriate Caddy binary in `/usr/local/bin/caddy` or use `curl https://getcaddy.com | bash`.
+* Save the SysVinit config file in `/etc/init.d/caddy`.
+* Ensure that the folder `/etc/caddy` exists and that the folder `/etc/ssl/caddy` is owned by `www-data`.
+* Create a Caddyfile in `/etc/caddy/Caddyfile`
+* Now you can use `service caddy start|stop|restart|reload|status` as `root`.
+
+Init script manipulation
+-----
+
+The init script supports configuration via the following files:
+* `/etc/default/caddy` ( Debian based https://www.debian.org/doc/manuals/debian-reference/ch03.en.html#_the_default_parameter_for_each_init_script )
+* `/etc/sysconfig/caddy` ( CentOS based https://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-sysconfig-files.html )
+
+The following variables can be changed:
+* DAEMON: path to the caddy binary file (default: `/usr/local/bin/caddy`)
+* DAEMONUSER: user used to run caddy (default: `www-data`)
+* PIDFILE: path to the pidfile (default: `/var/run/$NAME.pid`)
+* LOGFILE: path to the log file for caddy daemon (not for access logs) (default: `/var/log/$NAME.log`)
+* CONFIGFILE: path to the caddy configuration file (default: `/etc/caddy/Caddyfile`)
+* CADDYPATH: path for SSL certificates managed by caddy (default: `/etc/ssl/caddy`)
+* ULIMIT: open files limit (default: `8192`)

vendor/github.com/mholt/caddy/dist/init/linux-sysvinit/caddy

@@ -0,0 +1,106 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides:          caddy
+# Required-Start:    $local_fs $network $named $time $syslog
+# Required-Stop:     $local_fs $network $named $time $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: starts the caddy web server
+# Description:       starts caddy using start-stop-daemon
+### END INIT INFO
+
+# Original Author: Frédéric Galusik (fredg)
+# Maintainer: Daniel van Dorp (djvdorp)
+
+DESC="the caddy web server"
+NAME=caddy
+DAEMON=/usr/local/bin/caddy
+
+DAEMONUSER=www-data
+PIDFILE=/var/run/$NAME.pid
+LOGFILE=/var/log/$NAME.log
+CONFIGFILE=/etc/caddy/Caddyfile
+
+USERBIND="setcap cap_net_bind_service=+ep"
+STOP_SCHEDULE="${STOP_SCHEDULE:-QUIT/5/TERM/5/KILL/5}"
+CADDYPATH=/etc/ssl/caddy
+ULIMIT=8192
+
+test -x $DAEMON || exit 0
+
+# allow overwriting variables
+#   Debian based
+[ -e "/etc/default/caddy" ] && . /etc/default/caddy
+#   CentOS based
+[ -e "/etc/sysconfig/caddy" ] && . /etc/sysconfig/caddy
+
+if [ -z "$DAEMONOPTS" ]; then
+    # daemon options
+    DAEMONOPTS="-agree=true -log=$LOGFILE -conf=$CONFIGFILE"
+fi
+
+# Set the CADDYPATH; Let's Encrypt certificates will be written to this directory.
+export CADDYPATH
+
+# Set the ulimits
+ulimit -n ${ULIMIT}
+
+
+start() {
+    $USERBIND $DAEMON
+    touch $LOGFILE && chown $DAEMONUSER $LOGFILE
+    start-stop-daemon --start --quiet --make-pidfile --pidfile $PIDFILE \
+        --background --chuid $DAEMONUSER --oknodo --exec $DAEMON -- $DAEMONOPTS
+}
+
+stop() {
+    start-stop-daemon --stop --quiet --pidfile $PIDFILE --retry=$STOP_SCHEDULE \
+        --name $NAME --oknodo
+    rm -f $PIDFILE
+}
+
+reload() {
+    start-stop-daemon --stop --quiet --signal USR1 --pidfile $PIDFILE \
+        --name $NAME
+}
+
+status() {
+    if [ -f $PIDFILE ]; then
+        if kill -0 $(cat "$PIDFILE"); then
+            echo "$NAME is running"
+        else
+            echo "$NAME process is dead, but pidfile exists"
+        fi
+    else
+        echo "$NAME is not running"
+    fi
+}
+
+case "$1" in
+    start)
+        echo "Starting $NAME"
+        start
+    ;;
+    stop)
+        echo "Stopping $NAME"
+        stop
+    ;;
+    restart)
+        echo "Restarting $NAME"
+        stop
+        start
+    ;;
+    reload)
+        echo "Reloading $NAME configuration"
+        reload
+    ;;
+    status)
+        status
+    ;;
+    *)
+        echo "Usage: $0 {start|stop|restart|reload|status}"
+        exit 2
+    ;;
+esac
+
+exit 0

vendor/github.com/mholt/caddy/dist/init/linux-upstart/README.md

@@ -0,0 +1,14 @@
+Upstart conf for Caddy
+=====================
+
+Usage
+-----
+
+Usage in this blogpost: [Running Caddy Server as a service with Upstart](https://denbeke.be/blog/servers/running-caddy-server-as-a-service/).
+Short recap:
+
+* Download Caddy in `/usr/local/bin/caddy` and execute `sudo setcap cap_net_bind_service=+ep /usr/local/bin/caddy`.
+* Save the appropriate upstart config file in `/etc/init/caddy.conf`.
+* Ensure that the folder `/etc/caddy` exists and that the subfolder .caddy is owned by `www-data`.
+* Create a Caddyfile in `/etc/caddy/Caddyfile`.
+* Now you can use `sudo service caddy start|stop|restart`.

vendor/github.com/mholt/caddy/dist/init/linux-upstart/caddy.conf

@@ -0,0 +1,25 @@
+description "Caddy HTTP/2 web server"
+
+start on runlevel [2345]
+stop on runlevel [016]
+
+console log
+
+setuid www-data
+setgid www-data
+
+respawn
+respawn limit 10 5
+
+reload signal SIGUSR1
+
+# Let's Encrypt certificates will be written to this directory.
+env CADDYPATH=/etc/ssl/caddy
+
+limit nofile 1048576 1048576
+
+script
+        cd /etc/ssl/caddy
+        rootdir="$(mktemp -d -t "caddy-run.XXXXXX")"
+        exec /usr/local/bin/caddy -agree -log=stdout -conf=/etc/caddy/Caddyfile -root=$rootdir
+end script

vendor/github.com/mholt/caddy/dist/init/linux-upstart/caddy.conf.centos-6

@@ -0,0 +1,21 @@
+description "Caddy HTTP/2 web server"
+
+start on runlevel [2345]
+stop on runlevel [016]
+
+console output
+
+respawn
+respawn limit 10 5
+
+# Let's Encrypt certificates will be written to this directory.
+env CADDYPATH=/etc/ssl/caddy
+
+limit nofile 1048576 1048576
+
+script
+        cd /etc/ssl/caddy
+        rootdir="$(mktemp -d -t "caddy-run.XXXXXX")"
+        chown www-data:www-data $rootdir
+        exec sudo -u www-data /usr/local/bin/caddy -agree -log=/var/log/caddy.log -conf=/etc/caddy/Caddyfile -root=$rootdir
+end script

vendor/github.com/mholt/caddy/dist/init/linux-upstart/caddy.conf.ubuntu-12.04

@@ -0,0 +1,26 @@
+description "Caddy HTTP/2 web server"
+
+start on runlevel [2345]
+stop on runlevel [016]
+
+console log
+
+setuid www-data
+setgid www-data
+
+respawn
+respawn limit 10 5
+
+# 12.04 upstart version does not support reload
+#reload signal SIGUSR1
+
+# Let's Encrypt certificates will be written to this directory.
+env CADDYPATH=/etc/ssl/caddy
+
+limit nofile 1048576 1048576
+
+script
+        cd /etc/ssl/caddy
+        rootdir="$(mktemp -d -t "caddy-run.XXXXXX")"
+        exec /usr/local/bin/caddy -agree -log=stdout -conf=/etc/caddy/Caddyfile -root=$rootdir
+end script

vendor/github.com/mholt/caddy/dist/init/mac-launchd/README.md

@@ -0,0 +1,42 @@
+launchd service for macOS
+=========================
+
+This is a working sample file for a *launchd* service on Mac, which should be placed here:
+
+```bash
+/Library/LaunchDaemons/com.caddyserver.web.plist
+```
+
+To create the proper directories as used in the example file:
+
+```bash
+sudo mkdir -p /etc/caddy /etc/ssl/caddy /var/log/caddy /usr/local/bin /var/tmp /srv/www/localhost
+sudo touch /etc/caddy/Caddyfile
+sudo chown root:wheel -R /usr/local/bin/caddy /Library/LaunchDaemons/
+sudo chown _www:_www -R /etc/caddy /etc/ssl/caddy /var/log/caddy
+sudo chmod 0750 /etc/ssl/caddy
+```
+
+Create a simple web page and Caddyfile
+
+```bash
+sudo bash -c 'echo "Hello, World!" > /srv/www/localhost/index.html'
+sudo bash -c 'echo "http://localhost {
+    root /srv/www/localhost
+}" >> /etc/caddy/Caddyfile'
+```
+
+Start and Stop the Caddy launchd service using the following commands:
+
+```bash
+launchctl load /Library/LaunchDaemons/com.caddyserver.web.plist
+launchctl unload /Library/LaunchDaemons/com.caddyserver.web.plist
+```
+
+To start on every boot use the `-w` flag (to write):
+
+```bash
+launchctl load -w /Library/LaunchAgents/com.caddyserver.web.plist
+```
+
+More information can be found in this blogpost: [Running Caddy as a service on macOS X server](https://denbeke.be/blog/software/running-caddy-as-a-service-on-macos-os-x-server/)

vendor/github.com/mholt/caddy/dist/init/mac-launchd/com.caddyserver.web.plist

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Label</key>
+	<string>Caddy</string>
+	<key>ProgramArguments</key>
+	<array>
+		<string>/usr/local/bin/caddy</string>
+		<string>-agree</string>
+		<string>-conf</string>
+		<string>/etc/caddy/Caddyfile</string>
+		<string>-root</string>
+		<string>/var/tmp</string>
+	</array>
+	<key>EnvironmentVariables</key>
+	<dict>
+		<key>CADDYPATH</key>
+		<string>/etc/ssl/caddy</string>
+	</dict>
+
+	<key>UserName</key>
+	<string>root</string>
+	<key>GroupName</key>
+	<string>wheel</string>
+	<key>InitGroups</key>
+	<true/>
+
+	<key>RunAtLoad</key>
+	<true/>
+	<key>KeepAlive</key>
+	<dict>
+		<key>Crashed</key>
+		<true/>
+	</dict>
+
+	<key>SoftResourceLimits</key>
+	<dict>
+		<key>NumberOfFiles</key>
+		<integer>8192</integer>
+	</dict>
+	<key>HardResourceLimits</key>
+	<dict/>
+
+	<key>WorkingDirectory</key>
+	<string>/etc/ssl/caddy</string>
+
+	<key>StandardErrorPath</key>
+	<string>/var/log/caddy/error.log</string>
+	<key>StandardOutPath</key>
+	<string>/var/log/caddy/info.log</string>
+</dict>
+</plist>