From c95d159a95eb5428053439591d0be97f4705adbf Mon Sep 17 00:00:00 2001
From: Deco Vander
Date: Thu, 3 Jul 2025 00:44:29 -0400
Subject: [PATCH] Install Caddy with rate limiting plugin for ARM64 deployment

- Install Go 1.21.5 for ARM64 architecture
- Use xcaddy to build Caddy with caddy-ratelimit plugin
- Create custom systemd service for plugin-enabled Caddy
- Restore rate limiting configuration in Caddyfile
- Production-ready setup with proper security and rate limiting
- Automatic SSL with enhanced protection against API abuse
---
 scripts/Caddyfile | 4 +--
 scripts/deploy.sh | 65 ++++++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 60 insertions(+), 9 deletions(-)

diff --git a/scripts/Caddyfile b/scripts/Caddyfile
index 224ca40..5f8d51e 100644
--- a/scripts/Caddyfile
+++ b/scripts/Caddyfile
@@ -41,7 +41,7 @@ yourdomain.com {
 # Gzip compression
 encode gzip zstd
- # Logging for security monitoring
+ # Logging for monitoring
 log {
 output file /var/log/caddy/icewatch.log {
 roll_size 100MB
@@ -50,7 +50,7 @@ yourdomain.com {
 format json
 }
- # Rate limiting for API endpoints
+ # Rate limiting for API endpoints (requires caddy-ratelimit plugin)
 rate_limit {
 zone api {
 key {remote_host}
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index 75e2887..e755727 100644
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
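Review bot: In scripts/Caddyfile, second hunk, the new comment on `rate_limit` names the plugin but not the consequence of running without it: a stock Caddy binary does not recognise the directive and refuses to load the file. I would spell that out, e.g. `# Rate limiting for API endpoints (needs a Caddy build with github.com/mholt/caddy-ratelimit; stock Caddy rejects this directive at load)`. Since `rate_limit` is not a standard directive it may also need an `order` entry in the global options or a surrounding `route` block; the rest of the site block is outside the hunk, so that needs confirming. deploy.sh in this commit builds the plugin with `--with github.com/mholt/caddy-ratelimit` and no `@version`, so recording the plugin version this config was tested against next to the comment would make a later build mismatch easier to diagnose.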
@@ -16,13 +16,64 @@ echo "📦 Installing Node.js..."
 curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash -
 sudo apt install -y nodejs build-essential
-# Install Caddy for reverse proxy
-echo "📦 Installing Caddy..."
-sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
-curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
-curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
-sudo apt update
-sudo apt install caddy
+# Install Go (required for xcaddy)
+echo "📦 Installing Go..."
+wget -q https://go.dev/dl/go1.21.5.linux-arm64.tar.gz
+sudo rm -rf /usr/local/go
+sudo tar -C /usr/local -xzf go1.21.5.linux-arm64.tar.gz
+export PATH=$PATH:/usr/local/go/bin
+echo 'export PATH=$PATH:/usr/local/go/bin' >> ~/.bashrc
+
+# Install xcaddy to build Caddy with plugins
+echo "📦 Installing xcaddy..."
+go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest
+export PATH=$PATH:$(go env GOPATH)/bin
+
+# Build Caddy with rate limiting plugin
+echo "🔧 Building Caddy with rate limiting plugin..."
+xcaddy build --with github.com/mholt/caddy-ratelimit
+
+# Install the custom Caddy binary
+echo "📦 Installing custom Caddy..."
+sudo mv caddy /usr/local/bin/caddy
+sudo chmod +x /usr/local/bin/caddy
+
+# Create Caddy user and directories
+sudo groupadd --system caddy
+sudo useradd --system --gid caddy --create-home --home-dir /var/lib/caddy --shell /usr/sbin/nologin caddy
+sudo mkdir -p /etc/caddy /var/log/caddy
+sudo chown -R caddy:caddy /var/log/caddy
+
+# Create systemd service for custom Caddy
+echo "⚙️ Creating Caddy systemd service..."
+sudo tee /etc/systemd/system/caddy.service > /dev/null <