diff --git a/asset/manifest.yml b/asset/manifest.yml
index 92477a3..5ec3300 100644
--- a/asset/manifest.yml
+++ b/asset/manifest.yml
@@ -3,18 +3,15 @@ environments:
 prod:
 components:
 api:
- hosts: [nikola.kosherinata.internal]
+ hosts: [anjie.kosherinata.internal]
 config:
- # Reachable across the WG mesh from oolon (the per-site nginx
- # ingress for rob.tn). Firewalld restricts ingress; see
- # asset/firewalld/moments-api.xml.
 bind: 0.0.0.0:42424
 db_role: moments_ro
 db_host: magrathea.kosherinata.internal
 db_port: 5432
 db_name: moments
 worker:
- hosts: [frootmig.kosherinata.internal]
+ hosts: [anjie.kosherinata.internal]
 config:
 db_role: moments_rw
 db_host: magrathea.kosherinata.internal
@@ -36,4 +33,4 @@ environments:
 config:
 server_name: rob.tn
 root: /var/www/rob.tn
- api_upstream: http://nikola.kosherinata.internal:42424
+ api_upstream: http://anjie.kosherinata.internal:42424
diff --git a/asset/nginx/rob.tn.conf b/asset/nginx/rob.tn.conf
index bca145a..709a0bb 100644
--- a/asset/nginx/rob.tn.conf
+++ b/asset/nginx/rob.tn.conf
@@ -1,5 +1,5 @@
 upstream moments_api {
- server nikola.kosherinata.internal:42424 max_fails=3 fail_timeout=30s;
+ server anjie.kosherinata.internal:42424 max_fails=3 fail_timeout=30s;
 keepalive 8;
 }
diff --git a/readme.md b/readme.md
index 8e25b0d..c4001ef 100644
--- a/readme.md
+++ b/readme.md
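Review bot: Putting `api` (`db_role: moments_ro`) and `worker` (`db_role: moments_rw`) on the same host collapses the read-only boundary if postgres identifies clients by host certificate, which the readme change in this same diff implies (`pg_ident.conf` now maps `anjie.kosherinata.internal` to both roles, "one cert_cn line per mapping", and the db is "mTLS, passwordless"): the api process — reachable from the internet through oolon's `/api/*` proxy — can present the shared host cert and authenticate as `moments_rw`. If the deploy tooling can issue per-service client certs, map a dedicated api CN to `moments_ro` only and leave the host CN on `moments_rw`; otherwise at minimum record in the manifest that the interim co-location grants the api rw reach and must be reverted when nikola/frootmig return. The hunk also drops the only comment in the manifest pointing at the firewalld restriction on the `0.0.0.0:42424` bind while moving that bind to a host for which the visible diff contains no firewalld change; keep an updated version above `bind:`, e.g. `# Reachable across the WG mesh from oolon. Firewalld restricts ingress (asset/firewalld/moments-api.xml); confirm the service is applied on anjie.` The enclosing `environments.prod.components` mapping starts before the hunk.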
@@ -49,14 +49,16 @@ Topology:
 | Component | Host | Notes |
 | --------- | --------------------------------- | ------------------------------------------------------------------ |
-| api | `nikola.kosherinata.internal` | binds `0.0.0.0:42424`; firewalld service `moments-api` |
-| worker | `frootmig.kosherinata.internal` | no listening port; pollers only |
-| web | `oolon.kosherinata.internal` | per-site nginx ingress for rob.tn; `/api/*` → nikola across the WG |
+| api | `anjie.kosherinata.internal` | binds `0.0.0.0:42424`; firewalld service `moments-api` |
+| worker | `anjie.kosherinata.internal` | no listening port; pollers only |
+| web | `oolon.kosherinata.internal` | per-site nginx ingress for rob.tn; `/api/*` → anjie across the WG |
 | db | `magrathea.kosherinata.internal` | postgres mTLS, passwordless |
-Postgres roles `moments_rw` and `moments_ro` must exist on the primary, with `pg_ident.conf` mappings in place for `nikola.kosherinata.internal` → `moments_ro` and `frootmig.kosherinata.internal` → `moments_rw`. See `asset/sql/bootstrap-moments.sql` and `asset/postgres/ident.conf.tmpl`.
+api and worker are co-located on `anjie` while `nikola` and `frootmig` are out for drive replacement.
-Inter-host traffic over the WG mesh: oolon's nginx connects to `http://nikola.kosherinata.internal:42424` in plaintext. The mesh provides the encryption layer; per-hop TLS for an internal HTTP read-only API on already-public data is deferred. If that changes, swap the api binary to rustls + the host cert pair, and update the nginx upstream to `https://`.
+Postgres roles `moments_rw` and `moments_ro` must exist on the primary, with `pg_ident.conf` mapping `anjie.kosherinata.internal` to **both** roles (one cert_cn line per mapping). See `asset/sql/bootstrap-moments.sql` and `asset/postgres/ident.conf.tmpl`.
+Inter-host traffic over the WG mesh: oolon's nginx connects to `http://anjie.kosherinata.internal:42424` in plaintext. The mesh provides the encryption layer; per-hop TLS for an internal HTTP read-only API on already-public data is deferred. If that changes, swap the api binary to rustls + the host cert pair, and update the nginx upstream to `https://`.
 Secrets resolved by `deploy.sh` via `pass`:
@@ -68,6 +70,6 @@ Optional, set if needed in `worker.env`: `GITEA_TOKEN`, `BUGZILLA_API_KEY`.
 `rob.tn` currently resolves to GitHub Pages. After the first successful prod deploy:
-1. Update Cloudflare DNS for `rob.tn` to the WAN IP that fronts `nikola` (unproxied — see architecture doc §11).
+1. Update Cloudflare DNS for `rob.tn` to the WAN IP that fronts `oolon` (unproxied — see architecture doc §11).
 2. Confirm `curl -fsS https://rob.tn/api/v1/healthz` returns `ok`.
 3. Add an archival notice to the top of [grenade-events-react/readme.md](https://github.com/grenade/grenade-events-react) pointing at this repo, and archive the GitHub repo.