# Deployment Guide

This guide explains how to deploy your infrastructure using the updated Caddy API registration system.

## Overview

The deployment system has been restructured to support:

- **Core Infrastructure**: Caddy web server with API capabilities
- **Service Registration**: Dynamic service registration via API
- **Zero Downtime**: Services can be added/removed without restarts

## Available Playbooks

### 1. `site.yml` - Core Infrastructure

Deploys security hardening followed by the Caddy web server infrastructure.

```bash
ansible-playbook -i inventory/hosts.yml site.yml
```

**What it does:**

- **Phase 1 - Security**: System updates, SSH hardening, nftables firewall, fail2ban
- **Phase 2 - Caddy**: Installs Caddy with the Cloudflare DNS plugin
  - Configures TLS with Let's Encrypt
  - Sets up a named server for API targeting
  - Enables API persistence with `--resume`
  - Serves the main domain (jnss.me)

## Deployment Patterns

### First-Time Deployment

⚠️ **Important**: First-time deployments include security hardening that may require a system reboot.

1. **Deploy Core Infrastructure**

```bash
# Option 1: Security + Basic infrastructure
ansible-playbook -i inventory/hosts.yml site.yml --ask-vault-pass

# Option 2: Complete deployment with comprehensive verification
ansible-playbook -i inventory/hosts.yml deploy.yml --ask-vault-pass
```

**Note**: The security hardening phase may:

- Update all system packages
- Reboot the system if kernel updates are applied
- Configure SSH, firewall, and fail2ban

This ensures a secure foundation before deploying web services.

## Configuration Management

### Host Variables

Core infrastructure settings in `host_vars/arch-vps/main.yml`:

```yaml
# TLS Configuration
caddy_tls_enabled: true
caddy_domain: "jnss.me"
caddy_tls_email: "{{ vault_caddy_tls_email }}"

# DNS Challenge
caddy_dns_provider: "cloudflare"
cloudflare_api_token: "{{ vault_cloudflare_api_token }}"

# API Configuration
caddy_api_enabled: true
caddy_server_name: "main"

# Logging
caddy_log_level: "INFO"
caddy_log_format: "json"
caddy_systemd_security: true
```

### Vault Variables

Sensitive data in `host_vars/arch-vps/vault.yml` (encrypted):

```yaml
vault_caddy_tls_email: "admin@jnss.me"
vault_cloudflare_api_token: "your-api-token-here"
```

### Security

- Always use vault for sensitive data
- Test deployments on staging first
- Monitor logs after deployment
- Verify HTTPS certificates are working
- Check that the API is only accessible locally

### Monitoring

- Monitor Caddy logs: `journalctl -u caddy -f`
- Check API status: `curl http://localhost:2019/config/`
- Verify service health: `curl https://domain.com/health`
- Monitor certificate expiration
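The dynamic service registration described in the Overview and the "API only accessible locally" check under Security, as an added Python example that is not part of this guide or its playbooks. It assumes Caddy's default admin endpoint (`localhost:2019`) and the `caddy_server_name: "main"` from the host vars; the service id, hostname and upstream are constructed sample values.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Assumptions: Caddy's default admin endpoint and the named server "main"
# (caddy_server_name in host_vars). Adjust if the playbook changes them.
ADMIN_URL = "http://localhost:2019"
SERVER_NAME = "main"
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

def assert_local_admin(admin_url: str) -> str:
    """Refuse to push config to an admin endpoint that is not loopback:
    the admin API is unauthenticated by default, so it must stay local."""
    host = urlparse(admin_url).hostname
    if host not in LOOPBACK_HOSTS:
        raise ValueError(f"refusing non-loopback Caddy admin endpoint: {host!r}")
    return admin_url

def build_route(service_id: str, hostname: str, upstream: str) -> dict:
    """One Caddy JSON route: match the hostname, reverse_proxy to upstream.
    The "@id" lets the route be removed later via DELETE /id/<service_id>."""
    return {
        "@id": service_id,
        "match": [{"host": [hostname]}],
        "handle": [{"handler": "reverse_proxy",
                    "upstreams": [{"dial": upstream}]}],
        "terminal": True,
    }

def register_route(route: dict, admin_url: str = ADMIN_URL,
                   server: str = SERVER_NAME) -> int:
    """POST the route onto the named server's route list; returns HTTP status."""
    url = f"{assert_local_admin(admin_url)}/config/apps/http/servers/{server}/routes"
    req = urllib.request.Request(url, data=json.dumps(route).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status

def deregister_route(service_id: str, admin_url: str = ADMIN_URL) -> int:
    """DELETE the route by its @id (no restart needed); returns HTTP status."""
    req = urllib.request.Request(f"{assert_local_admin(admin_url)}/id/{service_id}",
                                 method="DELETE")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status

if __name__ == "__main__":
    # Constructed sample service: app.jnss.me proxied to a local port.
    route = build_route("svc-app", "app.jnss.me", "127.0.0.1:8080")
    print("registered with status", register_route(route))
```

Run it on the host itself; the loopback check makes the script fail closed if someone points `ADMIN_URL` at a remote address.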