boma/inventories/production/group_vars/all
sjat b7e919d6b3 refactor(reverse_proxy): vanilla Caddy + HTTP-01 (drop DNS-01 custom image)
Switch from a custom caddy-dns/gandi image built on-host to the official
caddy:2 image with per-host ACME HTTP-01 certificates. Removes the
Dockerfile, env.j2 (Gandi token), on-host image build/ship/load tasks,
the caddy-image Makefile target, and the wildcard DNS-01 Caddyfile.
Each route now gets its own server block and automatic certificate.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 18:11:20 +02:00
..
firewall.yml feat(base): shared firewall catalog/zones + firewall defaults 2026-06-06 18:49:40 +02:00
public_dns.yml feat(offsite): *.askari.wingu.me wildcard + offsite.yml (docker_host + reverse_proxy) 2026-06-14 17:39:44 +02:00
reverse_proxy.yml refactor(reverse_proxy): vanilla Caddy + HTTP-01 (drop DNS-01 custom image) 2026-06-14 18:11:20 +02:00
vars.yml feat(base): ssh hardening + fail2ban (hardening concern, ADR-002) 2026-06-14 16:42:56 +02:00
vault.yml secrets(vault): rotate Gandi PAT (via make edit-vault) 2026-06-14 10:30:58 +02:00