Simplify Caddy infrastructure to use file-based configuration instead of complex API registration system
100
docs/deployment-guide.md
Normal file
@@ -0,0 +1,100 @@
# Deployment Guide
This guide explains how to deploy your infrastructure using the updated Caddy API registration system.
## Overview
The deployment system has been restructured to support:
- **Core Infrastructure**: Caddy web server with API capabilities
- **Service Registration**: Dynamic service registration via API
- **Zero Downtime**: Services can be added/removed without restarts
## Available Playbooks
### 1. `site.yml` - Core Infrastructure
Deploys security hardening followed by Caddy web server infrastructure.
```bash
ansible-playbook -i inventory/hosts.yml site.yml
```
**What it does:**
- **Phase 1 - Security**: System updates, SSH hardening, nftables firewall, fail2ban
- **Phase 2 - Caddy**: Installs Caddy with Cloudflare DNS plugin
- Configures TLS with Let's Encrypt
- Sets up named server for API targeting
- Enables API persistence with `--resume`
- Serves main domain (jnss.me)
## Deployment Patterns
### First-Time Deployment
⚠️ **Important**: First-time deployments include security hardening that may require a system reboot.
1. **Deploy Core Infrastructure**
```bash
# Option 1: Security + Basic infrastructure
ansible-playbook -i inventory/hosts.yml site.yml --ask-vault-pass
# Option 2: Complete deployment with comprehensive verification
ansible-playbook -i inventory/hosts.yml deploy.yml --ask-vault-pass
```
**Note**: The security hardening phase may:
- Update all system packages
- Reboot the system if kernel updates are applied
- Configure SSH, firewall, and fail2ban
- This ensures a secure foundation before deploying web services
## Configuration Management
### Host Variables
Core infrastructure settings in `host_vars/arch-vps/main.yml`:
```yaml
# TLS Configuration
caddy_tls_enabled: true
caddy_domain: "jnss.me"
caddy_tls_email: "{{ vault_caddy_tls_email }}"
# DNS Challenge
caddy_dns_provider: "cloudflare"
cloudflare_api_token: "{{ vault_cloudflare_api_token }}"
# API Configuration
caddy_api_enabled: true
caddy_server_name: "main"
# Logging
caddy_log_level: "INFO"
caddy_log_format: "json"
caddy_systemd_security: true
```
### Vault Variables
Sensitive data in `host_vars/arch-vps/vault.yml` (encrypted):
```yaml
vault_caddy_tls_email: "admin@jnss.me"
vault_cloudflare_api_token: "your-api-token-here"
```
### Security
- Always use vault for sensitive data
- Test deployments on staging first
- Monitor logs after deployment
- Verify HTTPS certificates are working
- Check that API is only accessible locally
### Monitoring
- Monitor Caddy logs: `journalctl -u caddy -f`
- Check API status: `curl http://localhost:2019/config/`
- Verify service health: `curl https://domain.com/health`
- Monitor certificate expiration
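Review bot: the guide contradicts the commit it ships with. The commit message says the API registration system is being replaced by file-based configuration, yet the new `docs/deployment-guide.md` is written entirely around that API: the intro says it covers "the updated Caddy API registration system", Overview lists "Service Registration: Dynamic service registration via API" and "Zero Downtime: Services can be added/removed without restarts", Phase 2 includes "Sets up named server for API targeting" and "Enables API persistence with `--resume`", Host Variables still sets `caddy_api_enabled: true` and `caddy_server_name: "main"`, and the Security and Monitoring checklists tell the operator to verify the API is only local and to poll `http://localhost:2019/config/`. Either this is the pre-change guide committed by mistake or the commit message is wrong; under the file-based model the Overview and Phase 2 bullets should say where the Caddyfile/JSON lives on the host and how a config reload is triggered, and the `caddy_api_*` variables should be dropped or documented as the admin endpoint only. Smaller points in the same file: First-Time Deployment offers `deploy.yml` as Option 2 but Available Playbooks lists only `site.yml`, so either add a `### 2. deploy.yml` entry or drop the option; the health check uses the placeholder `https://domain.com/health` while the rest of the guide uses `jnss.me`, and nothing in the guide says a `/health` route is served; and if the admin API is kept, add a caveat beside the `curl http://localhost:2019/config/` check that `GET /config/` returns the full running configuration, which will contain the Cloudflare DNS token if it was templated into the TLS automation policy as a literal rather than an `{env.*}` placeholder, so that output should not be pasted into tickets or logs.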