CD Mode
CD mode runs on the production multi-dev server (nirn.clarity-innovations.com) and is accessible on the public internet. It provides the same core reverse proxy and dashboard as local mode but with production-grade TLS via Let's Encrypt.
Production environment
The CD environment is publicly accessible on the internet. Treat it as a production system. Do not deploy untested configuration changes directly to this environment — use dev mode to validate changes locally first.
When to use CD mode
- You are deploying to the shared multi-dev server at nirn.clarity-innovations.com
- You need publicly accessible HTTPS URLs for services
- You need valid TLS certificates from Let's Encrypt
Services
| Service | URL | Description |
|---|---|---|
| Homepage | https://dashboard.cd.ciservers.net | Service dashboard with auto-discovery |
| Traefik | https://traefik.cd.ciservers.net/dashboard/ | Reverse proxy dashboard |
| Prometheus | https://prometheus.cd.ciservers.net | Metrics collection |
| cAdvisor | https://cadvisor.cd.ciservers.net | Container resource monitoring |
CD mode does not include Portainer, IT Tools, or other local-only services.
Setup
CD mode should only be configured on the multi-dev server:
ssh nirn.clarity-innovations.com
cd /path/to/claritools
task init # Select option 3 (cd)
task start
Note
No certificate generation is needed. Let's Encrypt certificates are provisioned and renewed automatically by Traefik.
TLS
CD mode uses Let's Encrypt for automatic TLS certificate provisioning. Two ACME resolvers are configured in config/cd/traefik.yml:
| Resolver | Purpose | CA server |
|---|---|---|
| staging | Testing certificate issuance without rate limits | Let's Encrypt staging |
| prod | Production certificates | Let's Encrypt production |
Services default to the prod resolver via Traefik labels. Certificates are stored in certs/acme.json and renewed automatically before expiry.
Rate limits
Let's Encrypt production has rate limits. If you are testing certificate issuance, switch to the staging resolver first to avoid hitting limits.
How it works
Internet
|
| HTTPS (Let's Encrypt cert)
v
Traefik (ports 80, 443)
|
| HTTP (internal Docker network)
v
Application containers
The architecture is the same as local mode, with two key differences:
- TLS certificates are issued by Let's Encrypt instead of being self-signed
- Service exposure is opt-in: exposedByDefault is set to false in the CD Traefik config, meaning containers must explicitly set traefik.enable: true to be routed
Docker Compose files
CD mode uses only the base compose file:
- docker-compose.yml: Core services (Traefik, Homepage, Prometheus, cAdvisor)
No additional overlay files are used. Local-only services (Portainer, IT Tools) and dev-only services (Keycloak, oauth2-proxy) are not deployed.
Differences from local mode
| Aspect | Local | CD |
|---|---|---|
| TLS | Self-signed wildcard cert | Let's Encrypt per-service certs |
| URL pattern | *.local.ciservers.net | *.cd.ciservers.net |
| Default exposure | All containers exposed | Opt-in via traefik.enable: true |
| Log level | INFO | WARN |
| Network access | Localhost only | Public internet |
| Extra services | Portainer, IT Tools | None |
Security considerations
Since CD runs on the public internet:
- Services are publicly accessible to anyone who knows the URL
- The Traefik dashboard is currently accessible without authentication
- Prometheus metrics are publicly exposed
- Authentication via OIDC (as prototyped in dev mode) is planned for a future release
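
An added example, not part of the project's own code: a small audit over Compose labels that lists which services opt in to Traefik routing and flags routers with no middleware attached or still on the staging resolver. The service names, hostnames and the `sso@docker` middleware are constructed for illustration, and middlewares applied at the entry point in the static config are not visible to this check.

```python
import re

# Constructed sample shaped like `docker compose config --format json` output;
# service names, hostnames and the middleware name are hypothetical.
SAMPLE = {"services": {
    "whoami": {"labels": {
        "traefik.enable": "true",
        "traefik.http.routers.whoami.rule": "Host(`whoami.cd.example.test`)",
        "traefik.http.routers.whoami.tls.certresolver": "prod",
        "traefik.http.routers.whoami.middlewares": "sso@docker"}},
    "metrics": {"labels": [
        "traefik.enable=true",
        "traefik.http.routers.metrics.rule=Host(`metrics.cd.example.test`)",
        "traefik.http.routers.metrics.tls.certresolver=staging"]},
    "worker": {"labels": {"com.example.role": "batch"}},
}}
ROUTER_KEY = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$", re.I)

def labels_of(service):
    """Normalise Compose labels (mapping or list of key=value) to a dict."""
    raw = service.get("labels") or {}
    if isinstance(raw, list):
        raw = dict(i.split("=", 1) if "=" in i else (i, "") for i in raw)
    return {str(k): str(v) for k, v in raw.items()}

def audit(compose):
    """Return {service: [findings]} for services that opt in to routing."""
    report = {}
    for name, service in compose.get("services", {}).items():
        labels = labels_of(service)
        # With exposedByDefault=false only an explicit traefik.enable=true is routed.
        if labels.get("traefik.enable", "").lower() != "true":
            continue
        routers = {}
        for key, value in labels.items():
            m = ROUTER_KEY.match(key)
            if m:
                routers.setdefault(m.group(1), {})[m.group(2).lower()] = value
        findings = []
        for router, opts in sorted(routers.items()):
            if not opts.get("middlewares"):
                findings.append(f"{router}: no middleware attached to router")
            if opts.get("tls.certresolver") == "staging":
                findings.append(f"{router}: staging resolver, cert not browser-trusted")
        report[name] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Services missing from the result are not routed at all; an empty findings list means the router has a middleware and uses a non-staging resolver.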
Remote access
To SSH into the multi-dev server:
task ssh-cd
# or
task ssh-multidev