From 4a9616a0f7390a0e8589bff7fae8aca8eb13ede5 Mon Sep 17 00:00:00 2001 
From: DigiServer Admin Date: Thu, 11 Dec 2025 16:56:44 +0200 Subject: [PATCH] Add HTTPS support with Caddy and clean up legacy files - Add Caddy reverse proxy for automatic HTTPS with Let's Encrypt - Update docker-compose.yml with Caddy service and internal networking - Remove all Redis dependencies (not needed for this deployment) - Fix Dockerfile permissions for instance and uploads directories - Move legacy scripts to old_code_documentation folder - add_muted_column.py, check_fix_player.py, migrate_add_edit_enabled.py - docker-start.sh, run_dev.sh, start.sh, clean_for_deployment.sh - Add HTTPS_SETUP.md documentation for Caddy configuration - Update .env.example with DOMAIN and EMAIL variables - Remove redis package from requirements.txt - Remove rate limiting Redis storage from config.py --- Caddyfile | 43 +++++++++++ app/config.py | 3 - docker-compose.yml | 41 +++++++--- .../.env.example | 8 +- old_code_documentation/HTTPS_SETUP.md | 75 +++++++++++++++++++ .../add_muted_column.py | 0 .../check_fix_player.py | 0 .../clean_for_deployment.sh | 8 ++ .../docker-start.sh | 0 .../migrate_add_edit_enabled.py | 0 .../run_dev.sh | 0 start.sh => old_code_documentation/start.sh | 0 requirements.txt | 3 - 13 files changed, 160 insertions(+), 21 deletions(-) create mode 100644 Caddyfile rename .env.example => old_code_documentation/.env.example (83%) create mode 100644 old_code_documentation/HTTPS_SETUP.md rename add_muted_column.py => old_code_documentation/add_muted_column.py (100%) rename check_fix_player.py => old_code_documentation/check_fix_player.py (100%) rename clean_for_deployment.sh => old_code_documentation/clean_for_deployment.sh (91%) rename docker-start.sh => old_code_documentation/docker-start.sh (100%) rename migrate_add_edit_enabled.py => old_code_documentation/migrate_add_edit_enabled.py (100%) rename run_dev.sh => old_code_documentation/run_dev.sh (100%) rename start.sh => old_code_documentation/start.sh (100%) 
diff --git a/Caddyfile b/Caddyfile
new file mode 100644
index 0000000..eb53472
--- /dev/null
+++ b/Caddyfile
@@ -0,0 +1,43 @@
+{
+ # Global options
+ email {$EMAIL}
+ # Uncomment for testing to avoid rate limits
+ # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
+}
+
+{$DOMAIN:localhost} {
+ # Automatic HTTPS (Caddy handles Let's Encrypt automatically)
+
+ # Reverse proxy to Flask app
+ reverse_proxy digiserver:5000 {
+ # Headers
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-For {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+
+ # Timeouts for large uploads
+ transport http {
+ read_timeout 300s
+ write_timeout 300s
+ }
+ }
+
+ # File upload size limit (2GB)
+ request_body {
+ max_size 2GB
+ }
+
+ # Security headers
+ header {
+ Strict-Transport-Security "max-age=31536000; includeSubDomains"
+ X-Frame-Options "SAMEORIGIN"
+ X-Content-Type-Options "nosniff"
+ X-XSS-Protection "1; mode=block"
+ }
+
+ # Logging
+ log {
+ output file /var/log/caddy/access.log
+ }
+}
diff --git a/app/config.py b/app/config.py
index cc0af24..bcda914 100644
--- a/app/config.py
+++ b/app/config.py
@@ -87,9 +87,6 @@ class ProductionConfig(Config):
 # Security
 SESSION_COOKIE_SECURE = True
 WTF_CSRF_ENABLED = True
-
- # Rate Limiting
- RATELIMIT_STORAGE_URL = f"redis://{os.getenv('REDIS_HOST', 'redis')}:6379/1"
 
 
 class TestingConfig(Config):
diff --git a/docker-compose.yml b/docker-compose.yml
index d943e24..7480e56 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,8 +4,8 @@ services:
 digiserver:
 build: .
 container_name: digiserver-v2
- ports:
- - "80:5000"
+ expose:
+ - "5000"
 volumes:
 - ./instance:/app/instance
 - ./app/static/uploads:/app/app/static/uploads
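Review bot: The `X-XSS-Protection "1; mode=block"` line in the `header` block enables a legacy filter that current browsers ignore and that older ones have been tricked into using for cross-site leaks; the usual advice now is to drop it or set `X-XSS-Protection "0"` and rely on a `Content-Security-Policy`, which this block does not set, and a `Referrer-Policy "strict-origin-when-cross-origin"` line would be a cheap addition in the same block. Separately, `output file /var/log/caddy/access.log` writes inside the container while the compose service in this same patch mounts only `/data` and `/config`, so the access log (the only request audit trail in front of the app) is lost whenever the container is recreated — `output stdout` or a mounted log volume would keep it. The `header_up X-Forwarded-Proto {scheme}` line only helps if the Flask app trusts the proxy (e.g. Werkzeug's ProxyFix); that is not visible in this diff, so `url_for(_external=True)` and the `SESSION_COOKIE_SECURE` behaviour behind the proxy should be checked.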
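Review bot: Removing `RATELIMIT_STORAGE_URL` from `ProductionConfig` leaves whatever limiter reads that key (Flask-Limiter, judging by the name) on its default in-memory storage, which is per-process and resets on restart, so any limit on login or upload endpoints no longer holds across gunicorn workers or container restarts. If a limiter is still wired up elsewhere, either keep a shared backend or make the downgrade explicit in the class with a comment such as `# Rate limits use in-memory storage: not shared across workers or restarts`. If the limiter was removed along with Redis this is fine, but that is not visible in this diff; the rest of `ProductionConfig` lies outside the hunk.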
@@ -21,14 +21,33 @@ services:
 timeout: 10s
 retries: 3
 start_period: 40s
+ networks:
+ - digiserver-network
 
- # Optional: Redis for caching (uncomment if needed)
- # redis:
- # image: redis:7-alpine
- # container_name: digiserver-redis
- # restart: unless-stopped
- # volumes:
- # - redis-data:/data
+ caddy:
+ image: caddy:2-alpine
+ container_name: digiserver-caddy
+ ports:
+ - "80:80"
+ - "443:443"
+ - "443:443/udp" # HTTP/3
+ volumes:
+ - ./Caddyfile:/etc/caddy/Caddyfile:ro
+ - caddy-data:/data
+ - caddy-config:/config
+ environment:
+ - DOMAIN=${DOMAIN:-localhost}
+ - EMAIL=${EMAIL:-admin@localhost}
+ depends_on:
+ - digiserver
+ restart: unless-stopped
+ networks:
+ - digiserver-network
 
-# volumes:
-# redis-data:
+networks:
+ digiserver-network:
+ driver: bridge
+
+volumes:
+ caddy-data:
+ caddy-config:
diff --git a/.env.example b/old_code_documentation/.env.example
similarity index 83%
rename from .env.example
rename to old_code_documentation/.env.example
index 93d7790..7665ab7 100644
--- a/.env.example
+++ b/old_code_documentation/.env.example
@@ -5,13 +5,13 @@ FLASK_ENV=development
 # Security
 SECRET_KEY=change-this-to-a-random-secret-key
 
+# Domain & SSL (for HTTPS with Caddy)
+DOMAIN=your-domain.com
+EMAIL=admin@your-domain.com
+
 # Database
 DATABASE_URL=sqlite:///instance/dev.db
 
-# Redis (for production)
-REDIS_HOST=redis
-REDIS_PORT=6379
-
 # Admin User Credentials (used during initial Docker deployment)
 # These credentials are set when the database is first created
 ADMIN_USERNAME=admin
diff --git a/old_code_documentation/HTTPS_SETUP.md b/old_code_documentation/HTTPS_SETUP.md
new file mode 100644
index 0000000..61ce5bc
--- /dev/null
+++ b/old_code_documentation/HTTPS_SETUP.md
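Review bot: `EMAIL=${EMAIL:-admin@localhost}` is a poor default for the ACME contact: when `DOMAIN` is set but `EMAIL` is not, Let's Encrypt rejects a contact address without a dotted domain and certificate issuance fails with an error that only shows up in the Caddy log. Use `- EMAIL=${EMAIL:?set EMAIL in .env}` so the misconfiguration fails at `docker compose up` instead. The `depends_on: - digiserver` entry also ignores the healthcheck the app service already declares (the `timeout`/`retries`/`start_period` context lines at the top of the hunk); `condition: service_healthy` would keep Caddy from answering 502s while the app boots. Since `caddy-data` holds the ACME account key and the site's private keys, `read_only: true` with `cap_drop: [ALL]` and `cap_add: [NET_BIND_SERVICE]` on the caddy service is worth trying, though the image's entrypoint should be checked against that first.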
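Review bot: Moving `.env.example` into `old_code_documentation/` puts the only documented home of `DOMAIN`, `EMAIL` and `SECRET_KEY` in a folder the commit describes as legacy, while `docker compose` still reads `.env` from the project root and the new HTTPS notes in this same patch tell the operator to run `cp .env.example .env` there, which no longer works. Keep the example at the root, or change the instruction to `cp old_code_documentation/.env.example .env`. Since the file is now out of sight, a line such as `# Never commit the real .env; generate SECRET_KEY with: python -c "import secrets; print(secrets.token_hex(32))"` above `SECRET_KEY=change-this-to-a-random-secret-key` would help, because the placeholder value is accepted silently by Flask.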
@@ -0,0 +1,75 @@
+# DigiServer v2 - HTTPS Setup with Caddy
+
+This setup uses **Caddy** as a reverse proxy with automatic HTTPS via Let's Encrypt.
+
+## Quick Setup
+
+### 1. Configure Domain
+Create a `.env` file or edit the existing one:
+
+```bash
+cp .env.example .env
+```
+
+Edit `.env` and set:
+```
+DOMAIN=your-domain.com
+EMAIL=admin@your-domain.com
+```
+
+### 2. Point Your Domain
+Make sure your domain's DNS A record points to your server's IP address.
+
+### 3. Start Services
+```bash
+docker compose up -d
+```
+
+That's it! Caddy will **automatically**:
+- Obtain SSL certificates from Let's Encrypt
+- Renew certificates before expiration
+- Redirect HTTP to HTTPS
+- Enable HTTP/2 and HTTP/3
+
+## Access Your Site
+
+- **HTTP**: http://your-domain.com (redirects to HTTPS)
+- **HTTPS**: https://your-domain.com
+
+## Testing Locally (Without Domain)
+
+If you don't have a domain yet, leave DOMAIN as `localhost`:
+```
+DOMAIN=localhost
+```
+
+Then access: http://localhost (no HTTPS, but app works)
+
+## Certificate Storage
+
+SSL certificates are stored in Docker volumes:
+- `caddy-data` - Certificate data
+- `caddy-config` - Caddy configuration
+
+## Troubleshooting
+
+### Check Caddy logs:
+```bash
+docker logs digiserver-caddy
+```
+
+### Verify certificates:
+```bash
+docker exec digiserver-caddy caddy list-certificates
+```
+
+### Force certificate renewal:
+```bash
+docker exec digiserver-caddy caddy reload --config /etc/caddy/Caddyfile
+```
+
+## Port Forwarding
+
+Make sure your firewall/router allows:
+- Port 80 (HTTP - for Let's Encrypt challenge)
+- Port 443 (HTTPS)
diff --git a/add_muted_column.py b/old_code_documentation/add_muted_column.py
similarity index 100%
rename from add_muted_column.py
rename to old_code_documentation/add_muted_column.py
diff --git a/check_fix_player.py b/old_code_documentation/check_fix_player.py
similarity index 100%
rename from check_fix_player.py
rename to old_code_documentation/check_fix_player.py
diff --git a/clean_for_deployment.sh b/old_code_documentation/clean_for_deployment.sh
similarity index 91%
rename from clean_for_deployment.sh
rename to old_code_documentation/clean_for_deployment.sh
index 1105cca..e02f0b8 100755
--- a/clean_for_deployment.sh
+++ b/old_code_documentation/clean_for_deployment.sh
@@ -4,7 +4,12 @@
 
 set -e
 
+# Get the root directory of the application
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+APP_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+
 echo "๐Ÿงน Cleaning DigiServer v2 for deployment..."
+echo "๐Ÿ“ App root: $APP_ROOT"
 echo ""
 
 # Confirm action
@@ -18,6 +23,9 @@ fi
 echo ""
 echo "๐Ÿ“ฆ Cleaning development data..."
 
+# Change to app root directory
+cd "$APP_ROOT"
+
 # Remove database files
 if [ -d "instance" ]; then
 echo " ๐Ÿ—„๏ธ Removing database files..."
diff --git a/docker-start.sh b/old_code_documentation/docker-start.sh
similarity index 100%
rename from docker-start.sh
rename to old_code_documentation/docker-start.sh
diff --git a/migrate_add_edit_enabled.py b/old_code_documentation/migrate_add_edit_enabled.py
similarity index 100%
rename from migrate_add_edit_enabled.py
rename to old_code_documentation/migrate_add_edit_enabled.py
diff --git a/run_dev.sh b/old_code_documentation/run_dev.sh
similarity index 100%
rename from run_dev.sh
rename to old_code_documentation/run_dev.sh
diff --git a/start.sh b/old_code_documentation/start.sh
similarity index 100%
rename from start.sh
rename to old_code_documentation/start.sh
diff --git a/requirements.txt b/requirements.txt
index e75ad91..cff7eae 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -16,9 +16,6 @@ Flask-Caching==2.1.0
 
 SQLAlchemy==2.0.37
 alembic==1.14.1
 
-# Redis (for caching in production)
-redis==5.0.1
-
 # Date parsing
 python-dateutil==2.9.0
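Review bot: `APP_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"` followed by `cd "$APP_ROOT"` in the second hunk means the destructive steps (the `instance` removal that begins at the end of the hunk) now run relative to wherever the script file happens to sit, so a copy or symlink of this script in another directory would wipe that directory's `instance` instead of the app's. Add a sanity check before the `cd`, e.g. `[ -f "$APP_ROOT/docker-compose.yml" ] || { echo "Not the app root: $APP_ROOT" >&2; exit 1; }`, and have the confirmation prompt print the resolved path before asking. `${BASH_SOURCE[0]}` is also bash-only; the shebang is outside the hunk, so confirm it is `#!/usr/bin/env bash` rather than `/bin/sh`. The prompt and the remaining cleanup steps lie outside these two hunks.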
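Review bot: Dropping `redis==5.0.1` is only safe if nothing still selects a Redis backend at runtime — `Flask-Caching==2.1.0` remains in the list, and a `CACHE_TYPE=RedisCache` setting or a leftover `REDIS_HOST` in an operator's `.env` would now fail with an import error at application start rather than at install time. A grep for `redis` and `RedisCache` across `app/` and the compose environment would confirm; none of that is visible in this diff.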