Simplify Caddy infrastructure to use file-based configuration instead of complex API registration system

2025-11-15 00:11:46 +01:00
parent 7788410bfc
commit 8162e789ee
13 changed files with 706 additions and 216 deletions
--- a/playbooks/security.yml
+++ b/playbooks/security.yml
@@ -55,7 +55,7 @@

    - name: Reboot system if kernel/module mismatch detected
      reboot:
-        reboot_timeout: 60
+        reboot_timeout: 120
        test_command: uptime
      when: reboot_needed | bool

@@ -199,25 +199,6 @@
      changed_when: false
      when: nft_config_changed.changed

-    - name: Create firewall rollback safety script
-      copy:
-        content: |
-          #!/bin/bash
-          # Safety rollback script - automatically disables firewall after 5 minutes
-          echo "$(date): Starting 5-minute firewall safety timer"
-          sleep 300
-          echo "$(date): Safety timer expired, disabling firewall"
-          nft flush ruleset
-          systemctl stop nftables
-          rm -f /tmp/nft-rollback.sh
-        dest: /tmp/nft-rollback.sh
-        mode: '0755'
-      when: nft_config_changed.changed
-
-    - name: Start rollback safety timer in background
-      shell: nohup /tmp/nft-rollback.sh >> /tmp/nft-rollback.log 2>&1 &
-      when: nft_config_changed.changed
-
    - name: Enable and start nftables service
      systemd:
        name: nftables
@@ -239,10 +220,6 @@
      become: no
      when: nft_config_changed.changed

-    - name: Cancel rollback timer if SSH connection works
-      shell: pkill -f nft-rollback.sh || true
-      when: nft_config_changed.changed
-    
    - name: Verify nftables rules are loaded
      command: nft list ruleset
      register: nft_rules
@@ -330,7 +307,6 @@
        - { name: 'net.ipv6.conf.default.disable_ipv6', value: '0' }
  
  handlers:
-    
    - name: restart fail2ban
      systemd:
        name: fail2ban