# Deployment Guide

This guide explains how to deploy your infrastructure using the updated Caddy API registration system.

## Overview

The deployment system has been restructured to support:

- **Core Infrastructure**: Caddy web server with its admin API enabled
- **Service Registration**: Dynamic service registration through the admin API
- **Zero Downtime**: Services can be added or removed through the API without restarting Caddy

## Available Playbooks

### 1. `site.yml` - Core Infrastructure

Deploys security hardening followed by the Caddy web server infrastructure.

```bash
ansible-playbook -i inventory/hosts.yml site.yml
```

**What it does:**

- **Phase 1 - Security**: System updates, SSH hardening, nftables firewall, fail2ban
- **Phase 2 - Caddy**:
  - Installs Caddy with the Cloudflare DNS plugin
  - Configures TLS with Let's Encrypt (DNS-01 challenge via Cloudflare)
  - Sets up a named server (`main`) so that API calls can target it
  - Enables API persistence with `--resume`, so configuration changes made through the API survive a restart
  - Serves the main domain (jnss.me)

## Deployment Patterns

### First-Time Deployment

⚠️ **Important**: First-time deployments include security hardening that may require a system reboot.

1. **Deploy Core Infrastructure**

   ```bash
   # Option 1: Security + basic infrastructure
   ansible-playbook -i inventory/hosts.yml site.yml --ask-vault-pass

   # Option 2: Complete deployment with comprehensive verification
   ansible-playbook -i inventory/hosts.yml deploy.yml --ask-vault-pass
   ```

   **Note**: The security hardening phase may:

   - Update all system packages
   - Reboot the system if kernel updates are applied
   - Configure SSH, the firewall, and fail2ban

   This ensures a secure foundation before any web services are deployed.

## Configuration Management

### Host Variables

Core infrastructure settings live in `host_vars/arch-vps/main.yml`:

```yaml
# TLS Configuration
caddy_tls_enabled: true
caddy_domain: "jnss.me"
caddy_tls_email: "{{ vault_caddy_tls_email }}"

# DNS Challenge
caddy_dns_provider: "cloudflare"
cloudflare_api_token: "{{ vault_cloudflare_api_token }}"

# API Configuration
caddy_api_enabled: true
caddy_server_name: "main"

# Logging
caddy_log_level: "INFO"
caddy_log_format: "json"
caddy_systemd_security: true
```

### Vault Variables

Sensitive data lives in `host_vars/arch-vps/vault.yml`, encrypted with Ansible Vault:

```yaml
vault_caddy_tls_email: "admin@jnss.me"
vault_cloudflare_api_token: "your-api-token-here"
```

Scope the Cloudflare token to DNS edit permission on the zone(s) Caddy manages: the DNS-01 challenge only needs to create and delete `_acme-challenge` TXT records, so a token with broader account access is unnecessary exposure if the host is compromised.

### Security

- Always keep sensitive data in the vault; never commit plaintext tokens
- Test deployments on a staging host first
- Monitor logs after deployment
- Verify that HTTPS certificates are issued and valid
- Check that the admin API is only reachable locally: it listens on `localhost:2019` and must not be exposed through the firewall, since anyone who can reach it can rewrite the entire server configuration

### Monitoring

- Monitor Caddy logs: `journalctl -u caddy -f`
- Check API status: `curl http://localhost:2019/config/`
- Verify service health: `curl https://domain.com/health` (substitute your domain)
- Monitor certificate expiration
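As an added example (not part of the playbooks or of the Caddy project), the following POSIX shell script shows the service-registration step this guide refers to: it registers a reverse-proxy route on the `main` server through the admin API on `localhost:2019`, lists and removes routes by id, and checks from outside that the admin API is not reachable on the public address. The `CADDY_ADMIN` and `CADDY_SERVER` variables, the route id `app`, the sample host `app.jnss.me` and the upstream `127.0.0.1:8080` are assumptions for illustration; the route object shape, the `@id` field and the `/config/...` and `/id/...` endpoints are Caddy's documented JSON API.

```shell
#!/bin/sh
# Added example, not the playbooks' own code: manage routes on a running Caddy
# through its admin API. Assumes the server name "main" and the loopback admin
# address from host_vars; CADDY_ADMIN/CADDY_SERVER and all sample values are
# illustrative assumptions.
set -eu

CADDY_ADMIN="${CADDY_ADMIN:-http://localhost:2019}"
CADDY_SERVER="${CADDY_SERVER:-main}"

# Accept only plain hostnames or host:port, so a caller cannot smuggle quotes
# or braces into the JSON that route_json builds with printf.
valid_host() { case "$1" in ""|*[!A-Za-z0-9.:-]*) return 1 ;; esac; }

# Build the Caddy route object. "@id" lets the route be addressed later via /id/.
route_json() { # id host upstream
  valid_host "$2" && valid_host "$3" || { echo "invalid host/upstream" >&2; return 1; }
  printf '{"@id":"%s","match":[{"host":["%s"]}],"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"%s"}]}],"terminal":true}' "$1" "$2" "$3"
}

# POST appends to the routes array of the named server; Caddy applies it
# without a restart and autosaves it, so --resume restores it after a restart.
register_route() { # id host upstream
  route_json "$1" "$2" "$3" | curl -fsS -X POST \
    -H 'Content-Type: application/json' --data-binary @- \
    "$CADDY_ADMIN/config/apps/http/servers/$CADDY_SERVER/routes"
}

remove_route() { # id
  curl -fsS -X DELETE "$CADDY_ADMIN/id/$1"
}

list_routes() {
  curl -fsS "$CADDY_ADMIN/config/apps/http/servers/$CADDY_SERVER/routes"
}

# The admin API should answer only on loopback; a successful fetch from the
# public address means the firewall or the admin listener is misconfigured.
check_admin_local() { # public_ip
  if curl -fsS --max-time 3 "http://$1:2019/config/" >/dev/null 2>&1; then
    echo "WARNING: admin API reachable on $1:2019" >&2
    return 1
  fi
  echo "admin API not reachable on $1:2019"
}

main() {
  case "${1:-}" in
    register) register_route "$2" "$3" "$4" && echo "registered $2" ;;
    remove)   remove_route "$2" && echo "removed $2" ;;
    list)     list_routes ;;
    check)    check_admin_local "$2" ;;
    *) echo "usage: $0 register <id> <host> <upstream> | remove <id> | list | check <public-ip>" >&2 ;;
  esac
}

main "$@"
```

Run it on the host itself, since the API is loopback-only: `./caddy-routes.sh register app app.jnss.me 127.0.0.1:8080`, then `./caddy-routes.sh list`, and `./caddy-routes.sh remove app` when the service goes away. Because the listener is named `main` in the JSON config, a route added this way sits alongside the jnss.me site rather than in a separate server, and the host validation is what keeps the printf-built JSON from being an injection point; with `jq` available, `jq -n --arg ...` is the cleaner way to build the object.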