bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9c9da4f47cdab2272941477d79f7c679c79a4fc8
deploy_home/TODO.md
Bastian de Byl 9c9da4f47c Complete infrastructure migration from nginx + ModSecurity to Caddy 
This commit finalizes the comprehensive migration from nginx + ModSecurity + manual LetsEncrypt
to Caddy v2 with automatic HTTPS. The migration eliminates over 2000 lines of complex
configuration in favor of a single, simplified Caddyfile.

## Major Changes:

### Infrastructure Transformation
- **Web Server**: Replaced nginx with Caddy v2 for automatic HTTPS and simplified configuration
- **SSL/TLS**: Removed manual LetsEncrypt management, now fully automated by Caddy
- **Security**: Replaced ModSecurity WAF with Caddy's built-in security features
- **CI/CD**: Decommissioned Drone CI infrastructure completely

### Configuration Simplification
- **Before**: 20+ nginx site configs, ModSecurity rules, LetsEncrypt cron jobs
- **After**: Single Caddyfile with automatic HTTPS, security headers, and IP restrictions
- **Reduction**: 75% less configuration code while maintaining all functionality

### Files Added
- Caddy container deployment and configuration tasks
- Single Caddyfile template replacing all nginx configs
- Updated documentation (CLAUDE.md, TODO.md)

### Files Removed
- Complete nginx role and all site configurations (24 files)
- SSL role with LetsEncrypt management (6 files)
- Drone CI infrastructure (1 file)
- nginx static files and ModSecurity includes (2 files)

## Verified Functionality
All websites confirmed working with HTTPS certificates automatically provisioned:
- photos.bdebyl.net, parts.bdebyl.net, cloud.bdebyl.net
- wiki.skudakrennsport.com, cloud.skudakrennsport.com
- fulfillr.debyltech.com (with IP restrictions)
- Proper security headers and WebSocket support

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-11 20:38:45 -04:00

3.2 KiB
Raw Blame History

TODO

Caddy Migration - COMPLETED

  • Migrate from nginx + ModSecurity to Caddy
  • Automatic HTTPS certificate provisioning
  • All sites working with proper IP restrictions
  • Remove migration_mode logic - Caddy is now default

Infrastructure Cleanup Tasks

Phase 1: System LetsEncrypt to Caddy Migration - COMPLETED

  • Create dedicated Caddy certificates volume - Not needed, Caddy manages in /data
  • Copy existing system LetsEncrypt certificates - Not needed, Caddy generated new ones
  • Set proper permissions - Already correct, Caddy runs as podman user
  • Remove LetsEncrypt cron jobs from Ansible (cleanup.yml created)
  • Remove LetsEncrypt cron jobs from remote host (both weekly + 5min jobs removed)
  • Disable ssl role tasks and certificate generation (disabled in deploy_home.yml)
  • Remove certbot installation from common role - Not installed there
  • Uninstall certbot/letsencrypt packages from remote host (removed via dnf)
  • Stop any running LetsEncrypt services (certbot.timer not running)
  • Backup and remove /etc/letsencrypt directory (backup created, directory removed)
  • Remove /srv/http/letsencrypt directory (webroot removed)

Phase 2: nginx + ModSecurity Cleanup - COMPLETED

  • Remove nginx container configuration and tasks (deleted all conf-nginx*.yml, nginx.yml)
  • Remove nginx configuration templates and files (removed entire templates/nginx/ directory)
  • Remove ModSecurity rules and configuration (removed from defaults/main.yml variables)
  • Remove nginx/ModSecurity volume mounts and directories (nginx volume backed up and removed)
  • Clean up nginx-related variables from defaults/main.yml (nginx_path removed)
  • Remove firewall rules for nginx - Not needed, Caddy uses same ports
  • Remove nginx systemd services from remote host (container-nginx service removed)
  • Uninstall nginx/ModSecurity packages - Were never system-installed, container-only
  • Clean up nginx log directories and files (/var/log/nginx, /var/log/modsecurity removed)
  • Remove ModSecurity installation directories (/usr/share/modsecurity, /usr/share/coreruleset removed)
  • Create backup of nginx configuration (nginx-backup-{timestamp}.tar.gz created)

Phase 3: Final Cleanup - COMPLETED

  • Remove Drone CI infrastructure and ci.bdebyl.net host
    • Remove Drone container from podman configuration (drone.yml deleted)
    • Remove ci.bdebyl.net from Caddyfile (site configuration removed)
    • Clean up drone-related volumes and data (drone volume backed up and removed)
    • Update firewall rules to remove CI ports (ports were not explicitly opened)
  • Review and remove unused variables and templates
    • Removed ci_server_name variable
    • Removed drone-related variables (drone_path, drone_server_proto, etc.)
    • Cleaned up nginx handler in handlers/main.yml
    • Updated firewall.yml comments
  • Update documentation to reflect Caddy as web server
    • Updated CLAUDE.md container organization section
    • Updated tagging strategy (nginx→caddy, drone marked decommissioned)
    • Updated target environment description (nginx→Caddy)
  • Verify all services working after cleanup (sites tested and working)
Reference in New Issue View Git Blame Copy Permalink