bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a3c3c8de05ada06240b8da0d92f13d6243db55fd
deploy_home/CLAUDE.md
Bastian de Byl 9c9da4f47c Complete infrastructure migration from nginx + ModSecurity to Caddy 
This commit finalizes the comprehensive migration from nginx + ModSecurity + manual LetsEncrypt
to Caddy v2 with automatic HTTPS. The migration eliminates over 2000 lines of complex
configuration in favor of a single, simplified Caddyfile.

## Major Changes:

### Infrastructure Transformation
- **Web Server**: Replaced nginx with Caddy v2 for automatic HTTPS and simplified configuration
- **SSL/TLS**: Removed manual LetsEncrypt management, now fully automated by Caddy
- **Security**: Replaced ModSecurity WAF with Caddy's built-in security features
- **CI/CD**: Decommissioned Drone CI infrastructure completely

### Configuration Simplification
- **Before**: 20+ nginx site configs, ModSecurity rules, LetsEncrypt cron jobs
- **After**: Single Caddyfile with automatic HTTPS, security headers, and IP restrictions
- **Reduction**: 75% less configuration code while maintaining all functionality

### Files Added
- Caddy container deployment and configuration tasks
- Single Caddyfile template replacing all nginx configs
- Updated documentation (CLAUDE.md, TODO.md)

### Files Removed
- Complete nginx role and all site configurations (24 files)
- SSL role with LetsEncrypt management (6 files)
- Drone CI infrastructure (1 file)
- nginx static files and ModSecurity includes (2 files)

## Verified Functionality
All websites confirmed working with HTTPS certificates automatically provisioned:
- photos.bdebyl.net, parts.bdebyl.net, cloud.bdebyl.net
- wiki.skudakrennsport.com, cloud.skudakrennsport.com
- fulfillr.debyltech.com (with IP restrictions)
- Proper security headers and WebSocket support

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-11 20:38:45 -04:00

4.1 KiB
Raw Blame History

CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

Overview

This is a home infrastructure deployment repository using Ansible for automated server configuration and container deployment. The project follows a "one-button deployment" philosophy for managing a home server environment with various self-hosted services.

Development Commands

Core Commands

  • make or make lint - Run linting (yamllint + ansible-lint) on all YAML files
  • make deploy - Deploy all configurations to the home server
  • make deploy TAGS=sometag - Deploy only specific tagged tasks
  • make deploy TARGET=specific-host - Deploy to specific host instead of all
  • make check - Run deployment in dry-run mode showing potential changes
  • make vault - Edit encrypted Ansible vault file
  • make list-tags - List all available Ansible tags
  • make list-tasks - List all Ansible tasks

Environment Setup

The project uses Python virtualenv for dependency management:

  • Dependencies are locked in requirements.txt (ansible + yamllint)
  • Makefile automatically creates .venv/ and installs dependencies
  • Vault password is sourced from password manager via .pass.sh

Architecture

Directory Structure

ansible/
├── deploy.yml          # Main playbook entry point (imports deploy_home.yml)
├── deploy_home.yml     # Core playbook with role definitions
├── inventories/home/   # Inventory configuration
├── roles/              # Ansible roles organized by function
│   ├── common/        # Base system configuration
│   ├── git/           # Git repository management
│   ├── podman/        # Container orchestration
│   ├── ssl/           # Legacy SSL management (deprecated - Caddy handles certificates automatically)
│   ├── github-actions/# CI/CD runner setup
│   └── pihole/        # DNS filtering
└── vars/
    └── vault.yml      # Encrypted secrets

Container Organization

Containers are organized in ansible/roles/podman/tasks/containers/:

  • base/ - Core infrastructure containers (Caddy web server, AWS DDNS)
  • home/ - Home-specific services (Home Assistant, PartKeepr, Immich photos, Nextcloud, Redis)
  • debyltech/ - Personal/business services (Fulfillr)
  • skudak/ - Additional services (BookStack wiki, Nextcloud)

Security Model

  • Ansible vault for encrypted secrets management
  • Password sourced from external password manager
  • Git-crypt for repository-level encryption (see .gitattributes)
  • SSH key-based authentication to target hosts
  • Caddy provides automatic HTTPS with LetsEncrypt certificates
  • Built-in security headers and IP-based access restrictions

Key Patterns

Role Structure

Each Ansible role follows standard structure:

  • tasks/main.yml - Main task entry point
  • defaults/main.yml - Default variables
  • handlers/main.yml - Event handlers
  • meta/main.yml - Role metadata and dependencies

Container Deployment Pattern

Container tasks follow consistent patterns:

  • Firewall configuration
  • Container image specification via variables
  • Service configuration through imported task files
  • Tag-based selective deployment

Tagging Strategy

Tasks are tagged by service/component for selective deployment:

  • caddy - Web server tasks (replaced nginx)
  • ddns - Dynamic DNS tasks
  • drone - CI/CD tasks (decommissioned)
  • hass - Home Assistant tasks
  • Common infrastructure tags like common, ssl

Configuration Files

  • ansible.cfg - Ansible configuration with performance optimizations
  • .yamllint.yml - YAML linting rules (braces disabled)
  • .lint-vars.sh - Ansible-lint skip configuration
  • requirements.txt - Python dependencies with pinned versions

Target Environment

  • Single target host: home.bdebyl.net
  • OS: Fedora (ansible_user: fedora)
  • Container runtime: Podman
  • Web server: Caddy with automatic HTTPS and built-in security (replaced nginx + ModSecurity)
  • All services accessible via HTTPS with automatic certificate renewal
  • CI/CD: Drone CI infrastructure completely decommissioned
Reference in New Issue View Git Blame Copy Permalink