chore(installer): remove bundled Caddy reverse proxy — TLS is upstream's job#254
Merged
Conversation
…m's job
Per the v0.3 dashboard handoff (issue tracker: see PLAN.md §1 Stream 4),
hal0 no longer ships an edge TLS terminator. Operators front the API
with whatever upstream they already run — Traefik, nginx, Cloudflare
Tunnel, a standalone Caddy outside hal0's lifecycle. On this codebase
the relevant LXC has been deployed through Traefik (10.0.1.200) since
v0.2; the bundled Caddy was redundant middleman.
What changes:
- `installer/install.sh`
- drop the `--no-tls` flag (now the only path)
- drop the entire `install_caddy_tls()` block (~135 lines) — apt /
pacman install, Caddyfile render, hal0-caddy systemd unit drop-in,
avahi mDNS service file
- drop the `NO_TLS` branch in the api-bind-host conditional; always
bind 0.0.0.0:8080
- drop the `--dev implies --no-tls` shim
- drop the TLS recovery hint in the ERR trap
- drop the `+1` step counter for the TLS step
- drop the `HAL0_TLS_EMAIL` env passthrough on sudo re-exec
- drop the post-install Caddy systemctl-enable + Avahi reload
- simplify REACH_LINES to always emit `http://<ip>:<port>/` (no
https/hal0.local default)
- simplify the summary box to one always-on Dashboard line + a
`TLS upstream-only` hint
- `packaging/caddy/Caddyfile.template` — deleted
- `packaging/systemd/hal0-caddy.service` — deleted
- `installer/README.md`
- rewrite the "TLS" section to describe upstream-proxy patterns
(Traefik / nginx / Cloudflare Tunnel / standalone Caddy)
- drop the `--no-tls` subsection
- drop `HAL0_PUBLIC_HOST` + `HAL0_TLS_EMAIL` from the env table
- update the "Upgrade notes" section to reflect that the installer
no longer manages any edge proxy
- `README.md` — drop the "default install runs Caddy" paragraph;
update the v0.2 feature bullet to drop `Caddy + HTTPS`
- `docs/api/mcp.md` — swap the example URL pair from
`https://hal0.local/mcp/admin (TLS via Caddy)` to a direct-HTTP +
upstream-proxy pair
- `pyproject.toml` — trim the Caddy-comparison comments on the
`argon2-cffi` and `bcrypt` deps
Intentionally NOT touched in this PR:
- `installer/uninstall.sh` still tears down `hal0-caddy.service` so
existing v0.1.x / v0.2.x installs with a bundled Caddy unit get
cleaned up properly on uninstall.
- `docs/internal/adr/0001-collapse-edge-auth-into-fastapi.md` is
history. ADR-0011 (separate PR) will mark it superseded.
- `src/hal0/openwebui/env_writer.py` still references the Caddy
`X-Forwarded-Email` SSO header. The forthcoming auth-removal PR
rewrites that to either talk to Traefik's equivalent or to drop
SSO entirely.
- `PLAN.md` has Caddy mentions — parallel session is actively editing
it; left alone to avoid stomping their work.
bash -n installer/install.sh clean. Zero `caddy`/`NO_TLS`/`HAL0_TLS` /
`HAL0_PUBLIC_HOST` references remaining in install.sh.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 23, 2026
thinmintdev
added a commit
that referenced
this pull request
May 23, 2026
… (Slice C) (#266) Slice C of the Phase 1 auth removal. With the entire backend auth surface gone (Slice A #256) and the dashboard auth UI gone (Slice B #255), the installer no longer needs to mint a one-time-password lockfile to scope the first-run wizard's claim window — there is no wizard claim window because there's no password to claim. What goes: installer/install.sh - drop the First-run claim lockfile block (FIRST_RUN_LOCK + FIRST_RUN_OTP mint with uuidgen / /proc/sys/kernel/random/uuid / python fallback; atomic temp-file + rename; idempotent reuse on rerun) — ~42 lines - drop the corresponding `HAL0_AUTH_DISABLED=1` comment block from the api.env template generation - drop the Summary-block "First-run OTP" stanza (the dim-grey "lockfile: /var/lib/hal0/.first-run.lock" line + the "paste this into the wizard" hint) — ~13 lines - drop the late-stage "First-run setup token" lookup that re-reads the lockfile after services start + adds it to the summary — ~40 lines - change the `Auth` summary row from "locked — finish first-run wizard to set a password" to "open on the trusted LAN — front with a reverse proxy if exposed" Total: 109 lines removed, 1 line edited. Intentionally NOT touched - installer/uninstall.sh still removes the legacy /var/lib/hal0/.first-run.lock file on uninstall so existing v0.1.x / v0.2.x installs with a leftover lockfile get cleaned up properly. Same pattern as the Caddy unit teardown in #254. Sequence (Phase 1 auth removal) - Slice B (#255, merged) — frontend useAuth + Settings Auth panel - Slice A (#256, in CI) — backend auth modules + tests + dependency arrays - Slice C (this PR) — installer first-run-lock / OTP / password prompt - Slice D — ADR-0011 marking ADR-0001 superseded, README, docs/operate/auth.md delete, CHANGELOG, version bump Verification - bash -n installer/install.sh clean - Zero FIRST_RUN_LOCK / FIRST_RUN_OTP / first-run-wizard-password refs remain in install.sh Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
thinmintdev
added a commit
that referenced
this pull request
May 23, 2026
…ice D) (#267) Final slice of the Phase 1 auth removal. Closes the architectural loop opened by ADR-0001, surfaces the breaking change to operators, bumps the version, and patches the one test that #256 missed. ADR - New: docs/internal/adr/0012-remove-auth-and-caddy.md — accepts the removal direction, references the four implementing PRs (#254, #255, #256, #266), records what was deleted (~6,000 LOC) and what stays (uninstall cleanup, MCPAuthMiddleware as identity stash, bcrypt/PyJWT/argon2 deps untouched), and frames the v0.3 stream-4 follow-up work (MCPIdentityMiddleware rename, Hermes header swap). Note: numbered 0012 because 0011 was taken by agent-identity-cards via PR #239 while the auth-removal work was in flight — the original briefing's "ADR-0011" suggestion was stale by the time it landed. - ADR-0001 frontmatter flipped to `Status: Superseded by ADR-0012 (2026-05-23)` with a paragraph explaining why "FastAPI owns auth" ended up being transitional. Docs - docs/operate/auth.mdx — full rewrite. The old page documented Caddy + basic_auth + the LAN-vs-WAN wizard flow; the new page tells operators hal0 ships open on a trusted LAN and gives three concrete upstream-proxy patterns (Traefik, nginx, Cloudflare Tunnel) with copy-pasteable configs. OpenWebUI's own `WEBUI_AUTH_TRUSTED_EMAIL_HEADER` override is documented for the upstream-proxy SSO case. - README.md - drop "password setup → bundle pick" from the first-run feature line - rewrite the "Auth posture" section: references ADR-0012, drops the FIRST_RUN_LOCK / OTP / wizard-password-step prose, points at docs/operate/auth.mdx for upstream-proxy patterns - CHANGELOG.md - new top-level [v0.3.0-alpha.1] — 2026-05-23 entry - Breaking: auth gone, Caddy gone, `--no-tls` gone, HAL0_AUTH_* env vars are no-ops, Bearer tokens minted under v0.2.x stop working - New / improved: v3 dashboard on main + normalizers (#235/#249/#253), /v1/* proxy (#248/#212), footer nullability (#252/#221), Settings default tab → Secrets - Removed code: per-file accounting of the ~6,000 deletions - Upgrade notes: lose-your-password warning, drop --no-tls flag Tests - tests/openwebui/test_env_writer.py - delete `test_auth_disabled_keeps_webui_auth_false` (covered by the rewritten test below) - delete `test_auth_enabled_flips_webui_auth_true` (the one test that failed CI on #256 — was asserting the now-removed HAL0_AUTH_ENABLED→WEBUI_AUTH=True branching) - delete `test_auth_falsy_values_keep_defaults` (parametrized sibling, same removed branching) - delete `test_overrides_still_win_under_auth` (same) - add `test_webui_auth_is_always_false_by_default` (defensive: the env vars are gone, WEBUI_AUTH stays False regardless) - add `test_trusted_email_header_via_explicit_override` (documents the new opt-in path through the `overrides` parameter) Version - pyproject.toml: 0.2.0-alpha.3 → 0.3.0-alpha.1 (single source of truth per memory hal0_version_two_locations — src/hal0/__init__.py reads via importlib.metadata) Sequence (Phase 1 complete) - Slice B (#255, merged) - Slice A (#256, merged with admin-override since this test failure was the only blocker; resolved here) - Slice C (#266, in CI) - Slice D (this PR) Follow-up (per the user's briefing, not in this PR) - Update Hermes bootstrap plan + ADR-0011 (agent identity cards) to drop bearer references and switch to X-hal0-Agent identity header - Edit issues #240 / #243 / #246 to drop bearer-token acceptance criteria - Rename MCPAuthMiddleware → MCPIdentityMiddleware in mcp_mount.py - Update auto-memory feedback-caddy-reduction-divergence to note the direction landed Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 23, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
hal0 no longer ships an edge TLS terminator. The installer used to install Caddy, render a Caddyfile, and run
hal0-caddy.serviceas the front door for:443 → 127.0.0.1:8080. In practice every real deployment fronts hal0 with an upstream proxy that already terminates TLS (Traefik on the LAN gateway here, Cloudflare Tunnel for hal0.dev, nginx in a few cases). The bundled Caddy was middleman.Per PLAN.md §1 Stream 4 (the v0.3 admin/auth simplification), Caddy collapses out entirely. Auth stays in FastAPI for a follow-up sweep.
Changes
installer/install.sh(net −321 lines)--no-tlsflag (it's now the only path — removed from--help, the arg parser, the--devimplies-it shim, and the API-bind-host conditional; always bind0.0.0.0:8080)install_caddy_tls()block (~135 lines): apt / pacman install, Caddyfile render,hal0-caddy.servicedrop-in, Avahi mDNS service file+1step counter for the TLS stepHAL0_TLS_EMAILenv passthrough on sudo re-execsystemctl enable --now hal0-caddy+ Avahi reloadREACH_LINESto always emithttp://<ip>:<port>/TLS upstream-onlyhint pointing at example proxy configsFiles deleted
packaging/caddy/Caddyfile.templatepackaging/systemd/hal0-caddy.serviceDocs
installer/README.md— rewrite the TLS section to describe upstream-proxy patterns (Traefik / nginx / Cloudflare Tunnel / standalone Caddy). Drop the--no-tlssubsection. DropHAL0_PUBLIC_HOST+HAL0_TLS_EMAILfrom the env table. Update Upgrade notes to reflect that the installer no longer manages any edge proxyREADME.md— drop the "default install runs Caddy" paragraph; update the v0.2 feature bullet to dropCaddy + HTTPSdocs/api/mcp.md— swap example URL pair to a direct-HTTP + upstream-proxy pairpyproject.toml— trim Caddy-comparison comments onargon2-cffiandbcryptdepsIntentionally NOT in this PR
installer/uninstall.shstill tears downhal0-caddy.serviceso existing v0.1.x / v0.2.x installs with a bundled Caddy unit get cleaned up properlydocs/internal/adr/0001-collapse-edge-auth-into-fastapi.mdis history. ADR-0011 (separate doc PR) will mark it supersededsrc/hal0/openwebui/env_writer.pystill references the CaddyX-Forwarded-EmailSSO header. The auth-removal sweep will rewrite thatPLAN.mdCaddy mentions are left alone — parallel session is actively editing PLAN.mdVerification
bash -n installer/install.shcleancaddy/NO_TLS/HAL0_TLS/HAL0_PUBLIC_HOSTreferences remain ininstall.shhal0.thinmint.dev) is already deployed without a bundled Caddy — Traefik on10.0.1.200handles TLS upstream. This PR aligns the installer with how the box has been operating all alongTest plan
--devinstall — confirm no Caddy artifacts written, dashboard reachable onhttp://<host>:8080/🤖 Generated with Claude Code