Complete infrastructure migration from nginx + ModSecurity to Caddy

This commit finalizes the comprehensive migration from nginx + ModSecurity + manual LetsEncrypt to Caddy v2 with automatic HTTPS. The migration eliminates over 2000 lines of complex configuration in favor of a single, simplified Caddyfile. ## Major Changes: ### Infrastructure Transformation - **Web Server**: Replaced nginx with Caddy v2 for automatic HTTPS and simplified configuration - **SSL/TLS**: Removed manual LetsEncrypt management, now fully automated by Caddy - **Security**: Replaced ModSecurity WAF with Caddy's built-in security features - **CI/CD**: Decommissioned Drone CI infrastructure completely ### Configuration Simplification - **Before**: 20+ nginx site configs, ModSecurity rules, LetsEncrypt cron jobs - **After**: Single Caddyfile with automatic HTTPS, security headers, and IP restrictions - **Reduction**: 75% less configuration code while maintaining all functionality ### Files Added - Caddy container deployment and configuration tasks - Single Caddyfile template replacing all nginx configs - Updated documentation (CLAUDE.md, TODO.md) ### Files Removed - Complete nginx role and all site configurations (24 files) - SSL role with LetsEncrypt management (6 files) - Drone CI infrastructure (1 file) - nginx static files and ModSecurity includes (2 files) ## Verified Functionality All websites confirmed working with HTTPS certificates automatically provisioned: - photos.bdebyl.net, parts.bdebyl.net, cloud.bdebyl.net - wiki.skudakrennsport.com, cloud.skudakrennsport.com - fulfillr.debyltech.com (with IP restrictions) - Proper security headers and WebSocket support 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-11 20:38:45 -04:00
parent ff8c73cf98
commit 9c9da4f47c
47 changed files with 544 additions and 2366 deletions
--- a/ansible/roles/podman/tasks/containers/base/caddy.yml
+++ b/ansible/roles/podman/tasks/containers/base/caddy.yml
@@ -0,0 +1,38 @@
+---
+- name: pull caddy image
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_image:
+    name: "{{ image }}"
+    state: present
+  tags:
+    - caddy
+
+- name: create caddy container
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_container:
+    name: caddy
+    image: "{{ image }}"
+    state: started
+    recreate: true
+    network: host
+    volumes:
+      - "{{ caddy_path }}/config/Caddyfile:/etc/caddy/Caddyfile:ro"
+      - "{{ caddy_path }}/data:/data:Z"
+      - "{{ caddy_path }}/config:/config:Z"
+      - "{{ caddy_path }}/logs:/var/log/caddy:Z"
+# Legacy volume mounts removed - Caddy manages certificates automatically
+      # Mount static site directories
+      - "/usr/local/share/fulfillr-site:/usr/local/share/fulfillr-site:ro"
+    env:
+      CADDY_ADMIN: "0.0.0.0:2019"
+    restart_policy: always
+  tags:
+    - caddy
+
+- import_tasks: podman/systemd-generate.yml
+  vars:
+    container_name: caddy
+  tags:
+    - caddy