@josecelano

Summary

Add HTTPS support with Caddy reverse proxy for automatic TLS termination on all HTTP services (Tracker API, HTTP Trackers, Grafana).

Closes #272

What's Implemented

Phase 1: Template Creation ✅

  • Created templates/caddy/Caddyfile.tera with conditional service blocks
  • Created docs/contributing/templates/caddy.md documenting template variables
  • Updated templates/docker-compose/docker-compose.yml.tera with Caddy service block
  • Registered templates in CaddyProjectGenerator with 14 unit tests

Phase 2: Configuration DTOs ✅

  • Added HttpsSection DTO with admin_email and use_staging fields
  • Added TlsSection DTO with domain field for service-specific TLS
  • Extended HttpApiSection, HttpTrackerSection, GrafanaSection with optional tls
  • Implemented validation (has_any_tls_configured, https/tls consistency)
  • Added Email type in src/shared/email.rs for email format validation
  • Added DomainName type in src/shared/domain_name.rs for domain validation

Phase 3: Template Rendering Integration ✅

  • Created RenderCaddyTemplatesStep for template rendering
  • Created DeployCaddyConfigStep for Ansible deployment
  • Created deploy-caddy-config.yml Ansible playbook
  • Added RenderCaddyTemplates and DeployCaddyConfigToRemote to ReleaseStep enum
  • Integrated CaddyContext into Docker Compose template rendering
  • Added CaddyConfigDeployment error variant with actionable help text

Phase 6: E2E Testing (Partial) ✅

Manual E2E testing verified:

  • ✅ HTTPS endpoints working for API, Grafana, and HTTP trackers
  • ✅ HTTP→HTTPS redirect (308 Permanent Redirect)
  • ✅ HTTP/2 and HTTP/3 enabled
  • ✅ Caddy Local CA for .local domains

What's Remaining (Work in Progress)

  • Phase 4: Security workflow updates (add Caddy to Docker security scans)
  • Phase 5: Documentation (create docs/user-guide/https-setup.md)
  • Phase 6: Automated E2E tests (currently only manual testing)
  • Phase 7: Schema generation (regenerate JSON schema with HTTPS config)
  • Phase 8: Create ADR documenting Caddy adoption decision

Configuration Example

{
  "https": {
    "admin_email": "admin@example.com",
    "use_staging": true
  },
  "tracker": {
    "http_api": {
      "bind_address": "0.0.0.0:1212",
      "admin_token": "secret",
      "tls": {
        "domain": "api.tracker.local"
      }
    },
    "http_trackers": [
      {
        "bind_address": "0.0.0.0:7070",
        "tls": {
          "domain": "http1.tracker.local"
        }
      }
    ]
  },
  "grafana": {
    "admin_user": "admin",
    "admin_password": "admin",
    "tls": {
      "domain": "grafana.tracker.local"
    }
  }
}

Testing

Notes for Reviewers

This is a draft PR - the implementation is functional but there are still remaining phases to complete. Early feedback on the architecture and approach is welcome.

Key files to review:

  • templates/caddy/Caddyfile.tera - Caddy template
  • src/application/command_handlers/create/config/https.rs - HTTPS configuration DTOs
  • src/application/command_handlers/release/handler.rs - Release workflow integration
  • src/infrastructure/templating/caddy/ - Caddy template rendering

- Add Context Data Preparation Pattern section to template architecture docs
- Explain why templates receive pre-processed data instead of raw domain objects
- Document port extraction example: handled in Rust, not Tera filters
- Update issue spec to use port-as-integer pattern in Caddyfile template
- Remove extract_port Tera filter from implementation plan (not needed)

This follows existing patterns (e.g., PrometheusContext receives api_port: u16)
and maintains consistency with the codebase's approach to template rendering.

- Add Caddyfile.tera template with conditional service blocks
- Update docker-compose.yml.tera with Caddy service configuration
- Add proxy_network and caddy volumes
- Add caddy.md documentation for template usage
- Update template-system-architecture.md with directory organization rule
- Update issue progress tracking

- Create CaddyProjectGenerator following Project Generator pattern
- Create CaddyContext with pre-processed data for template rendering
- Create CaddyService struct with domain and port fields
- Create CaddyfileRenderer for Caddyfile template processing
- Add 14 unit tests covering all HTTPS scenarios
- Update issue progress tracking (Phase 3 mostly complete)

Implement Caddy reverse proxy with TLS termination for automatic HTTPS:

Phase 1 - Template Creation:
- Create Caddyfile.tera template with conditional service blocks
- Create caddy.md documentation for template variables
- Update docker-compose.yml.tera with Caddy service block
- Register templates in CaddyProjectGenerator with 14 unit tests

Phase 2 - Configuration DTOs:
- Add HttpsSection DTO with admin_email and use_staging fields
- Add TlsSection DTO with domain field for service-specific TLS
- Extend HttpApiSection, HttpTrackerSection, GrafanaSection with optional tls
- Implement validation (has_any_tls_configured, https/tls consistency)
- Add Email type in src/shared/email.rs for email format validation
- Add DomainName type in src/shared/domain_name.rs for domain validation

Phase 3 - Template Rendering Integration:
- Create RenderCaddyTemplatesStep for template rendering
- Create DeployCaddyConfigStep for Ansible deployment
- Create deploy-caddy-config.yml Ansible playbook
- Add RenderCaddyTemplates and DeployCaddyConfigToRemote to ReleaseStep enum
- Integrate CaddyContext into Docker Compose template rendering
- Add CaddyConfigDeployment error variant with actionable help text

Manual E2E testing verified:
- HTTPS endpoints working for API, Grafana, and HTTP trackers
- HTTP→HTTPS redirect (308 Permanent Redirect)
- HTTP/2 and HTTP/3 enabled
- Caddy Local CA for .local domains

Work in progress - remaining phases:
- Phase 4: Security workflow updates
- Phase 5: Documentation
- Phase 6: Automated E2E tests
- Phase 7: Schema generation
- Phase 8: ADR creation
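The configuration DTOs, the `https`/`tls` consistency validation, the `Email` and `DomainName` types, the port-as-integer context preparation, and the Caddyfile rendering are all described above but none of the code is on this page. The block below is an added example, not code from the PR or from the torrust project: it sketches how those pieces fit together in stand-alone Rust (no serde, no Tera). Type names follow the PR description; the `Service` shape, the `upstream` container names (`tracker`), the exact validation rules, the Caddyfile text (a global options block with `email` and, for staging, `acme_ca` pointing at the Let's Encrypt staging directory, plus one `reverse_proxy` site block per TLS-enabled service) and the `sample_config` input are assumptions made for the example.

```rust
// Added example, not code from the torrust PR: stand-alone sketch of the HTTPS
// config types, validation and Caddyfile rendering listed in the PR description.
// `Service`, the `upstream` names, the validation rules and the rendered
// Caddyfile text are assumptions; only the type names come from the PR.
use std::fmt::Write as _;
use std::net::SocketAddr;

/// Let's Encrypt staging directory, selected when `https.use_staging` is true
/// (avoids production rate limits while testing issuance).
pub const LE_STAGING: &str = "https://acme-staging-v02.api.letsencrypt.org/directory";

pub struct DomainName(pub String);

impl DomainName {
    /// Hostname syntax: dot-separated LDH labels of 1..=63 bytes that do not
    /// start or end with '-', whole name at most 253 bytes.
    pub fn parse(s: &str) -> Result<Self, String> {
        let ok_label = |l: &str| {
            !l.is_empty() && l.len() <= 63 && !l.starts_with('-') && !l.ends_with('-')
                && l.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
        };
        if s.is_empty() || s.len() > 253 || !s.split('.').all(ok_label) {
            return Err(format!("invalid domain name: {s:?}"));
        }
        Ok(DomainName(s.to_ascii_lowercase()))
    }
}

pub struct Email(pub String);

impl Email {
    /// Minimal format check: one '@', non-empty local part, dotted valid domain.
    pub fn parse(s: &str) -> Result<Self, String> {
        let (local, domain) = s.split_once('@').ok_or(format!("invalid email: {s:?}"))?;
        if local.is_empty() || domain.contains('@') || !domain.contains('.') {
            return Err(format!("invalid email: {s:?}"));
        }
        DomainName::parse(domain).map_err(|_| format!("invalid email: {s:?}"))?;
        Ok(Email(s.to_string()))
    }
}

pub struct HttpsSection { pub admin_email: Email, pub use_staging: bool }
pub struct TlsSection { pub domain: DomainName }
/// One HTTP service; `upstream` is the assumed Compose service name Caddy proxies to.
pub struct Service { pub upstream: &'static str, pub bind_address: String, pub tls: Option<TlsSection> }
pub struct Config { pub https: Option<HttpsSection>, pub services: Vec<Service> }

impl Config {
    pub fn has_any_tls_configured(&self) -> bool {
        self.services.iter().any(|s| s.tls.is_some())
    }
    /// Consistency rule: `https` and per-service `tls` go together or not at all.
    pub fn validate(&self) -> Result<(), String> {
        match (self.https.is_some(), self.has_any_tls_configured()) {
            (true, false) => Err("`https` is set but no service has a `tls` section".into()),
            (false, true) => Err("a service has `tls` but the `https` section is missing".into()),
            _ => Ok(()),
        }
    }
}

/// Context data preparation: the port is extracted in Rust, not by a Tera filter,
/// so the template only ever sees a plain integer.
pub fn port_of(bind_address: &str) -> Result<u16, String> {
    bind_address.parse::<SocketAddr>().map(|a| a.port()).map_err(|e| format!("{bind_address}: {e}"))
}

/// Global options block plus one site block per TLS-enabled service. Caddy's
/// automatic HTTPS then issues certificates (its local CA for `.local` names)
/// and redirects plain HTTP to HTTPS on its own.
pub fn render_caddyfile(cfg: &Config) -> Result<String, String> {
    cfg.validate()?;
    let Some(https) = &cfg.https else { return Ok(String::new()) };
    let mut out = String::new();
    writeln!(out, "{{\n\temail {}", https.admin_email.0).unwrap();
    if https.use_staging {
        writeln!(out, "\tacme_ca {LE_STAGING}").unwrap();
    }
    out.push_str("}\n");
    for s in &cfg.services {
        let Some(tls) = &s.tls else { continue };
        let port = port_of(&s.bind_address)?;
        writeln!(out, "\n{} {{\n\treverse_proxy {}:{port}\n}}", tls.domain.0, s.upstream).unwrap();
    }
    Ok(out)
}

/// The API and HTTP tracker entries from the PR's configuration example, as constructed input.
pub fn sample_config() -> Config {
    let tls = |d: &str| Some(TlsSection { domain: DomainName::parse(d).unwrap() });
    Config {
        https: Some(HttpsSection { admin_email: Email::parse("admin@example.com").unwrap(), use_staging: true }),
        services: vec![
            Service { upstream: "tracker", bind_address: "0.0.0.0:1212".into(), tls: tls("api.tracker.local") },
            Service { upstream: "tracker", bind_address: "0.0.0.0:7070".into(), tls: tls("http1.tracker.local") },
        ],
    }
}

fn main() {
    print!("{}", render_caddyfile(&sample_config()).expect("valid config"));
}
```

The consistency check matters operationally: a service with `tls.domain` but no `https` section would leave Caddy with no ACME contact address, and an `https` section with no `tls` entries would start a reverse proxy that fronts nothing. Extracting the port with `SocketAddr` parsing also rejects a bind address without a port before rendering, instead of producing a Caddyfile that Caddy refuses to load.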
@josecelano josecelano self-assigned this Jan 13, 2026
@josecelano josecelano requested a review from da2ce7 January 13, 2026 22:05

Successfully merging this pull request may close these issues: Add HTTPS Support with Caddy for All HTTP Services