From abce3803cac8860ed9066b87e34d30be4928243f Mon Sep 17 00:00:00 2001
From: rob thijssen
Date: Sun, 3 May 2026 20:23:11 +0300
Subject: [PATCH] chore(deploy): strip infra commentary from asset/ config files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

These ship in a public repo; topology narration in nginx, systemd, firewalld, and env templates is gratuitous. Keep the config terse — directives speak for themselves.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 asset/config/api.env.tmpl | 3 ---
 asset/config/worker.env.tmpl | 5 -----
 asset/firewalld/moments-api.xml | 2 +-
 asset/nginx/rob.tn.conf | 17 -----------------
 asset/systemd/moments-api-cert.path | 4 ----
 asset/systemd/moments-api.service | 2 --
 asset/systemd/moments-worker-cert.path | 3 ---
 asset/systemd/moments-worker.service | 2 --
 8 files changed, 1 insertion(+), 37 deletions(-)

diff --git a/asset/config/api.env.tmpl b/asset/config/api.env.tmpl
index f602915..fddfa11 100644
--- a/asset/config/api.env.tmpl
+++ b/asset/config/api.env.tmpl
@@ -1,6 +1,3 @@
-# /etc/moments/api.env — rendered by deploy.sh, do not edit on the host.
-# {{HOSTNAME}} resolves to the target host's FQDN at deploy time.
-
 JOURNAL_STREAM=1
 RUST_LOG=info,sqlx=warn,tower_http=info
diff --git a/asset/config/worker.env.tmpl b/asset/config/worker.env.tmpl
index 625a3ab..dc8175b 100644
--- a/asset/config/worker.env.tmpl
+++ b/asset/config/worker.env.tmpl
@@ -1,8 +1,3 @@
-# /etc/moments/worker.env — rendered by deploy.sh, do not edit on the host.
-# {{HOSTNAME}} resolves to the target host's FQDN at deploy time.
-# {{GITHUB_TOKEN}} is resolved from `pass`; the rendered file lives in
-# /etc/moments/ chmod 0640 owned by root:moments.
-
 JOURNAL_STREAM=1
 RUST_LOG=info,sqlx=warn
diff --git a/asset/firewalld/moments-api.xml b/asset/firewalld/moments-api.xml
index 55a912c..7ee8779 100644
--- a/asset/firewalld/moments-api.xml
+++ b/asset/firewalld/moments-api.xml
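Review bot: The lines dropped from worker.env.tmpl were the only place in the shipped assets stating that the rendered worker.env carries `{{GITHUB_TOKEN}}` and must be installed as mode 0640, owner root, group moments; that is a permission contract for a secret-bearing file rather than topology narration. deploy.sh is outside this patch, so I cannot confirm it sets the mode and ownership itself; if it does not, the requirement is now recorded nowhere. Suggest keeping one neutral line that names no hosts, `# rendered by deploy.sh; contains GITHUB_TOKEN — install as mode 0640, owner root, group moments`, or moving that sentence next to the render step in deploy.sh. The api.env.tmpl hunk above loses nothing comparable.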
@@ -1,6 +1,6 @@
 moments-api
- moments read-only HTTP API. Reverse-proxied by nginx on oolon (the per-site rob.tn ingress) across the WG mesh; the data is the public timeline already exposed at rob.tn, so no source-IP restriction is currently applied. Add a <source/> element here if defence-in-depth scoping to oolon's WG IP becomes desirable.
+ moments read-only HTTP API
diff --git a/asset/nginx/rob.tn.conf b/asset/nginx/rob.tn.conf
index 71239ec..b2df44c 100644
--- a/asset/nginx/rob.tn.conf
+++ b/asset/nginx/rob.tn.conf
@@ -1,12 +1,3 @@
-# /etc/nginx/conf.d/rob.tn.conf — rob.tn site config for moments.
-#
-# Lives on oolon (the per-site nginx ingress that terminates rob.tn 443 traffic). Static frontend out of /var/www/moments; /api/* reverse- proxied across the WG mesh to the moments-api binary on nikola. The UI fetches /api/v1/... so the strip matches what Vite's dev proxy does (drop the /api prefix before sending to axum, whose routes are mounted at /v1/*).
-
 upstream moments_api {
 server nikola.kosherinata.internal:42424 max_fails=3 fail_timeout=30s;
 keepalive 8;
@@ -19,23 +10,16 @@ server {
 ssl_certificate /etc/pki/tls/misc/oolon.hanzalova.internal.pem;
 ssl_certificate_key /etc/pki/tls/private/oolon.hanzalova.internal.pem;
-
- # Public forge — visitors are not on the internal mTLS mesh, so no client-cert verification here. The X25519MLKEM768 default falls back to classical curves for clients that don't speak PQ yet.
 ssl_protocols TLSv1.3;
 root /var/www/moments;
 index index.html;
- # Static SPA: serve the file if it exists, else fall back to index.html so client-side routing works.
 location / {
 try_files $uri $uri/ /index.html;
 add_header Cache-Control "no-cache" always;
 }
- # Asset bundles are content-hashed by Vite — safe to cache aggressively.
 location ~* \.(js|css|woff2?|ttf|eot|svg|png|jpg|jpeg|gif|ico|webp|avif)$ {
 expires 30d;
 add_header Cache-Control "public, max-age=2592000, immutable";
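Review bot: The replacement `<description>` in moments-api.xml drops the only statement that this service definition applies no source restriction and relies on the exposed data being public; the definition itself is otherwise unchanged, so that trade-off is still in force but is now recorded nowhere in the asset tree. Terseness is fine, but a one-clause reminder keeps the decision auditable, e.g. `<description>moments read-only HTTP API (public timeline data; no source-IP restriction)</description>`. Separately, as far as I recall firewalld service files do not accept a `<source/>` child — source scoping is expressed on the zone or as a rich rule — so the removed text's own suggestion would not have worked as written; if scoping to the ingress host's mesh address is ever wanted, that belongs in the zone configuration rather than in this file.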
@@ -43,7 +27,6 @@ server {
 }
 location /api/ {
- # Strip /api so axum sees /v1/events, not /api/v1/events.
 rewrite ^/api/(.*)$ /$1 break;
 proxy_pass http://moments_api;
 proxy_http_version 1.1;
diff --git a/asset/systemd/moments-api-cert.path b/asset/systemd/moments-api-cert.path
index a845d1b..2fc204b 100644
--- a/asset/systemd/moments-api-cert.path
+++ b/asset/systemd/moments-api-cert.path
@@ -1,11 +1,7 @@
 [Unit]
 Description=Watch host cert for moments-api
-Documentation=https://git.lair.cafe/grenade/architecture
 [Path]
-# Hostname is substituted at deploy time. step-ca rotates host certs every
-# 24h; rustls reads them at process start, so the API must restart on
-# rotation. Read-only public timeline — a few seconds of churn is fine.
 PathChanged=/etc/pki/tls/misc/{{HOSTNAME}}.pem
 Unit=moments-api-cert-reload.service
diff --git a/asset/systemd/moments-api.service b/asset/systemd/moments-api.service
index 7184180..ec914bd 100644
--- a/asset/systemd/moments-api.service
+++ b/asset/systemd/moments-api.service
@@ -1,6 +1,5 @@
 [Unit]
 Description=moments read-only HTTP API
-Documentation=https://git.lair.cafe/grenade/moments
 After=network-online.target
 Wants=network-online.target
@@ -13,7 +12,6 @@ ExecStart=/usr/local/bin/moments-api
 Restart=on-failure
 RestartSec=5s
-# Hardening
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=true
diff --git a/asset/systemd/moments-worker-cert.path b/asset/systemd/moments-worker-cert.path
index dced840..282a483 100644
--- a/asset/systemd/moments-worker-cert.path
+++ b/asset/systemd/moments-worker-cert.path
@@ -1,10 +1,7 @@
 [Unit]
 Description=Watch host cert for moments-worker
-Documentation=https://git.lair.cafe/grenade/architecture
 [Path]
-# Worker holds a sqlx pool with rustls — restart on cert rotation. The
-# poller is idempotent, so dropping mid-poll is safe.
 PathChanged=/etc/pki/tls/misc/{{HOSTNAME}}.pem
 Unit=moments-worker-cert-reload.service
diff --git a/asset/systemd/moments-worker.service b/asset/systemd/moments-worker.service
index 546d52c..b2d77aa 100644
--- a/asset/systemd/moments-worker.service
+++ b/asset/systemd/moments-worker.service
@@ -1,6 +1,5 @@
 [Unit]
 Description=moments ingestion worker
-Documentation=https://git.lair.cafe/grenade/moments
 After=network-online.target
 Wants=network-online.target
@@ -13,7 +12,6 @@ ExecStart=/usr/local/bin/moments-worker
 Restart=on-failure
 RestartSec=10s
-# Hardening
 NoNewPrivileges=true
 ProtectSystem=strict
 ProtectHome=true