rick-infra/docs/deployment-guide.md

Deployment Guide

This guide explains how to deploy your infrastructure using the updated Caddy API registration system.

Overview

The deployment system has been restructured to support:

  • Core Infrastructure: Caddy web server with API capabilities
  • Service Registration: Dynamic service registration via API
  • Zero Downtime: Services can be added/removed without restarts

Available Playbooks

1. site.yml - Core Infrastructure

Deploys security hardening followed by Caddy web server infrastructure.

ansible-playbook -i inventory/hosts.yml site.yml

What it does:

  • Phase 1 - Security: System updates, SSH hardening, nftables firewall, fail2ban
  • Phase 2 - Caddy: Installs Caddy with Cloudflare DNS plugin, then:
    • Configures TLS with Let's Encrypt
    • Sets up named server for API targeting
    • Enables API persistence with --resume
    • Serves main domain (jnss.me)
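The named server is what makes "dynamic service registration via API" possible: routes are posted to the running Caddy process and, with --resume, survive restarts. The script below is an added example written for this guide, not code from rick-infra or from the Caddy project. It assumes the admin API listens on localhost:2019 (the address this guide's curl checks use) and that the HTTP server is named "main" (caddy_server_name above); both are overridable via environment variables. The host name, upstream address and route id in the usage line are constructed placeholders.

```sh
#!/bin/sh
# Added example, not part of rick-infra: register and remove a reverse-proxy
# route on the running Caddy instance through its admin API, which is what
# lets services be added without a restart. Assumes the admin API listens on
# localhost:2019 and that the HTTP server is named "main"; override with
# CADDY_ADMIN / CADDY_SERVER if your deployment differs.

CADDY_ADMIN=${CADDY_ADMIN:-http://localhost:2019}
CADDY_SERVER=${CADDY_SERVER:-main}

# route_json HOST UPSTREAM ID: print the JSON for one route that proxies HOST
# to UPSTREAM. The "@id" field makes the route addressable later as /id/ID.
# Values containing quotes or backslashes are rejected rather than escaped,
# so a malformed argument cannot turn into a malformed config object.
route_json() {
  for v in "$1" "$2" "$3"; do
    case "$v" in
      *\"*|*\\*|'') echo "route_json: bad value '$v'" >&2; return 1 ;;
    esac
  done
  printf '{"@id":"%s","match":[{"host":["%s"]}],"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"%s"}]}]}' \
    "$3" "$1" "$2"
}

# register_service HOST UPSTREAM ID: append the route to the named server's
# route list (a POST to a JSON array appends in Caddy's admin API).
register_service() {
  body=$(route_json "$1" "$2" "$3") || return 1
  curl -fsS -X POST "$CADDY_ADMIN/config/apps/http/servers/$CADDY_SERVER/routes" \
    -H 'Content-Type: application/json' -d "$body"
}

# unregister_service ID: delete the route registered with that @id.
unregister_service() {
  curl -fsS -X DELETE "$CADDY_ADMIN/id/$1"
}

# list_routes: print the named server's current routes, for verification.
list_routes() {
  curl -fsS "$CADDY_ADMIN/config/apps/http/servers/$CADDY_SERVER/routes"
}

# Minimal CLI, e.g.:
#   ./register.sh register app.example.test 127.0.0.1:8080 app-route
#   ./register.sh list
#   ./register.sh unregister app-route
case "${1:-}" in
  register)   register_service "$2" "$3" "$4" ;;
  unregister) unregister_service "$2" ;;
  list)       list_routes ;;
esac
```

Because the admin API accepts any configuration change from whoever can reach it, the registration script is only as safe as the API's exposure: it belongs on the host itself, talking to localhost, which is why the Security section below insists the API is reachable only locally.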

Deployment Patterns

First-Time Deployment

⚠️ Important: First-time deployments include security hardening that may require a system reboot.

  1. Deploy Core Infrastructure

    # Option 1: Security + Basic infrastructure
    ansible-playbook -i inventory/hosts.yml site.yml --ask-vault-pass

    # Option 2: Complete deployment with comprehensive verification
    ansible-playbook -i inventory/hosts.yml deploy.yml --ask-vault-pass

    Note: The security hardening phase may:

    • Update all system packages
    • Reboot the system if kernel updates are applied
    • Configure SSH, firewall, and fail2ban

    This ensures a secure foundation before deploying web services.

Configuration Management

Host Variables

Core infrastructure settings in host_vars/arch-vps/main.yml:

# TLS Configuration
caddy_tls_enabled: true
caddy_domain: "jnss.me"
caddy_tls_email: "{{ vault_caddy_tls_email }}"

# DNS Challenge
caddy_dns_provider: "cloudflare"
cloudflare_api_token: "{{ vault_cloudflare_api_token }}"

# API Configuration
caddy_api_enabled: true
caddy_server_name: "main"

# Logging
caddy_log_level: "INFO"
caddy_log_format: "json"
caddy_systemd_security: true

Vault Variables

Sensitive data in host_vars/arch-vps/vault.yml (encrypted):

vault_caddy_tls_email: "admin@jnss.me"
vault_cloudflare_api_token: "your-api-token-here"

Security

  • Always use vault for sensitive data
  • Test deployments on staging first
  • Monitor logs after deployment
  • Verify HTTPS certificates are working
  • Check that the admin API is only accessible locally (it should listen on localhost:2019, not on a public interface)

Monitoring

  • Monitor Caddy logs: journalctl -u caddy -f
  • Check API status: curl http://localhost:2019/config/
  • Verify service health: curl https://domain.com/health (substitute your own domain)
  • Monitor certificate expiration
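Two of the items above, "check that the API is only accessible locally" and "monitor certificate expiration", are easy to state and easy to get wrong in a hurried check. The script below is an added example written for this guide, not code from rick-infra or from Caddy, that turns both into functions with a definite answer. It assumes the admin API port is 2019 and reads listener lines in the format of `ss -H -ltn`; certificate dates are parsed from the `notAfter=` line that `openssl x509 -noout -enddate` prints. The listener lines and dates in the test and usage comments are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not part of rick-infra: two post-deployment checks from the
# Security and Monitoring lists, written to run on any POSIX sh.
#  1. admin_api_local_only: confirm port 2019 (Caddy admin API) is bound only
#     to loopback, reading `ss -H -ltn` style lines on stdin.
#  2. days_until_expiry: turn an `openssl x509 -noout -enddate` line into a
#     day count so certificate expiry can be alerted on, without GNU date.

# admin_api_local_only: prints "ok" when every :2019 listener is on 127.0.0.1
# or [::1], "exposed" when any other address (0.0.0.0, *, a public IP) has it.
admin_api_local_only() {
  exposed=0
  while read -r _state _rq _sq laddr _peer _rest; do
    case "$laddr" in
      127.0.0.1:2019|"[::1]:2019") ;;      # loopback only: fine
      *:2019) exposed=1 ;;                  # reachable from elsewhere
    esac
  done
  if [ "$exposed" -eq 0 ]; then echo ok; else echo exposed; fi
}

# epoch_days Y M D: days since 1970-01-01 for a civil date, pure shell
# arithmetic (days-from-civil with March as month 1 so the leap day lands
# at the end of the shifted year).
epoch_days() {
  y=$1 m=$2 d=$3
  [ "$m" -le 2 ] && y=$((y - 1))
  era=$(( (y >= 0 ? y : y - 399) / 400 ))
  yoe=$(( y - era * 400 ))
  mp=$(( (m + 9) % 12 ))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# days_until_expiry NOTAFTER_LINE [TODAY_DAYS]: whole days between today
# (days since epoch, defaults to now; overridable for testing) and the
# certificate's notAfter, e.g. "notAfter=Mar  1 12:00:00 2026 GMT".
days_until_expiry() {
  line=${1#notAfter=}
  today=${2:-$(( $(date +%s) / 86400 ))}
  set -- $line                    # -> Mon DD HH:MM:SS YYYY GMT
  case "$1" in
    Jan) m=1;;  Feb) m=2;;  Mar) m=3;;  Apr) m=4;;  May) m=5;;  Jun) m=6;;
    Jul) m=7;;  Aug) m=8;;  Sep) m=9;;  Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) echo "unparsable notAfter: $line" >&2; return 1;;
  esac
  echo $(( $(epoch_days "$4" "$m" "$2") - today ))
}

# cert_expiry_status DAYS: classify with a 14-day warning threshold. Caddy
# normally renews Let's Encrypt certificates long before that point, so
# reaching WARN means automatic renewal is broken and needs a look.
cert_expiry_status() {
  if [ "$1" -lt 0 ]; then echo EXPIRED
  elif [ "$1" -lt 14 ]; then echo WARN
  else echo OK; fi
}

# Live usage on the deployed host (not run here):
#   ss -H -ltn | admin_api_local_only
#   end=$(openssl s_client -connect jnss.me:443 -servername jnss.me </dev/null 2>/dev/null \
#         | openssl x509 -noout -enddate)
#   cert_expiry_status "$(days_until_expiry "$end")"
```

Both checks are meant for a cron job or a post-deploy handler rather than a one-off: the admin API check catches a later config change that rebinds the listener, and the expiry check catches a Cloudflare token that has stopped working for the DNS challenge, which otherwise only shows up when the current certificate runs out.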