grenade/moments
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(deploy): split ingress to oolon, expose api on nikola interface

Browse Source 
The per-site nginx ingress for rob.tn lives on oolon (the host the
external router forwards 443 traffic to), not on nikola. Adjust the
topology so:

- web (static ui + nginx) → oolon.hanzalova.internal
- api binds 0.0.0.0:42424 on nikola.kosherinata.internal so oolon
  can reverse-proxy across the WG mesh
- new firewalld service moments-api opens 42424 in the default zone
  on nikola
- oolon labels port 42424 http_port_t so httpd_t may name_connect
  outbound to it (httpd_can_network_connect was already set)
- nginx ssl_certificate switched to oolon's host cert; upstream
  rewritten to nikola.kosherinata.internal:42424

Plaintext between oolon and nikola for now — the WG mesh provides
the encryption layer and the data is already public. Documented
the deferral so a future move to per-hop mTLS is obvious.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
rob thijssen
2026-05-03 20:20:07 +03:00
parent 110b523fd0
commit 52b7d0be9b
6 changed files with 52 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
asset/nginx/rob.tn.conf
View File

@@ -1,12 +1,14 @@
# /etc/nginx/conf.d/rob.tn.conf — rob.tn site config for moments.
#
# Static frontend out of /var/www/moments; /api/* reverse-proxied to the
# moments-api binary on loopback. The UI fetches /api/v1/... so the strip
# matches what Vite's dev proxy does (drop the /api prefix before sending
# to axum, whose routes are mounted at /v1/*).
# Lives on oolon (the per-site nginx ingress that terminates rob.tn 443
# traffic). Static frontend out of /var/www/moments; /api/* reverse-
# proxied across the WG mesh to the moments-api binary on nikola. The
# UI fetches /api/v1/... so the strip matches what Vite's dev proxy
# does (drop the /api prefix before sending to axum, whose routes are
# mounted at /v1/*).
upstream moments_api {
server 127.0.0.1:42424 max_fails=3 fail_timeout=30s;
server nikola.kosherinata.internal:42424 max_fails=3 fail_timeout=30s;
keepalive 8;
}
@@ -15,8 +17,8 @@ server {
listen [::]:443 ssl http2;
server_name rob.tn;
ssl_certificate /etc/pki/tls/misc/nikola.kosherinata.internal.pem;
ssl_certificate_key /etc/pki/tls/private/nikola.kosherinata.internal.pem;
ssl_certificate /etc/pki/tls/misc/oolon.hanzalova.internal.pem;
ssl_certificate_key /etc/pki/tls/private/oolon.hanzalova.internal.pem;
# Public forge — visitors are not on the internal mTLS mesh, so no
# client-cert verification here. The X25519MLKEM768 default falls