chore(deploy): strip infra commentary from asset/ config files
These ship in a public repo; topology narration in nginx, systemd, firewalld, and env templates is gratuitous. Keep the config terse — directives speak for themselves. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,6 +1,3 @@
|
||||
# /etc/moments/api.env — rendered by deploy.sh, do not edit on the host.
|
||||
# {{HOSTNAME}} resolves to the target host's FQDN at deploy time.
|
||||
|
||||
JOURNAL_STREAM=1
|
||||
RUST_LOG=info,sqlx=warn,tower_http=info
|
||||
|
||||
|
||||
@@ -1,8 +1,3 @@
|
||||
# /etc/moments/worker.env — rendered by deploy.sh, do not edit on the host.
|
||||
# {{HOSTNAME}} resolves to the target host's FQDN at deploy time.
|
||||
# {{GITHUB_TOKEN}} is resolved from `pass`; the rendered file lives in
|
||||
# /etc/moments/ chmod 0640 owned by root:moments.
|
||||
|
||||
JOURNAL_STREAM=1
|
||||
RUST_LOG=info,sqlx=warn
|
||||
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<service>
|
||||
<short>moments-api</short>
|
||||
<description>moments read-only HTTP API. Reverse-proxied by nginx on oolon (the per-site rob.tn ingress) across the WG mesh; the data is the public timeline already exposed at rob.tn, so no source-IP restriction is currently applied. Add a <source/> element here if defence-in-depth scoping to oolon's WG IP becomes desirable.</description>
|
||||
<description>moments read-only HTTP API</description>
|
||||
<port protocol="tcp" port="42424"/>
|
||||
</service>
|
||||
|
||||
@@ -1,12 +1,3 @@
|
||||
# /etc/nginx/conf.d/rob.tn.conf — rob.tn site config for moments.
|
||||
#
|
||||
# Lives on oolon (the per-site nginx ingress that terminates rob.tn 443
|
||||
# traffic). Static frontend out of /var/www/moments; /api/* reverse-
|
||||
# proxied across the WG mesh to the moments-api binary on nikola. The
|
||||
# UI fetches /api/v1/... so the strip matches what Vite's dev proxy
|
||||
# does (drop the /api prefix before sending to axum, whose routes are
|
||||
# mounted at /v1/*).
|
||||
|
||||
upstream moments_api {
|
||||
server nikola.kosherinata.internal:42424 max_fails=3 fail_timeout=30s;
|
||||
keepalive 8;
|
||||
@@ -19,23 +10,16 @@ server {
|
||||
|
||||
ssl_certificate /etc/pki/tls/misc/oolon.hanzalova.internal.pem;
|
||||
ssl_certificate_key /etc/pki/tls/private/oolon.hanzalova.internal.pem;
|
||||
|
||||
# Public forge — visitors are not on the internal mTLS mesh, so no
|
||||
# client-cert verification here. The X25519MLKEM768 default falls
|
||||
# back to classical curves for clients that don't speak PQ yet.
|
||||
ssl_protocols TLSv1.3;
|
||||
|
||||
root /var/www/moments;
|
||||
index index.html;
|
||||
|
||||
# Static SPA: serve the file if it exists, else fall back to index.html
|
||||
# so client-side routing works.
|
||||
location / {
|
||||
try_files $uri $uri/ /index.html;
|
||||
add_header Cache-Control "no-cache" always;
|
||||
}
|
||||
|
||||
# Asset bundles are content-hashed by Vite — safe to cache aggressively.
|
||||
location ~* \.(js|css|woff2?|ttf|eot|svg|png|jpg|jpeg|gif|ico|webp|avif)$ {
|
||||
expires 30d;
|
||||
add_header Cache-Control "public, max-age=2592000, immutable";
|
||||
@@ -43,7 +27,6 @@ server {
|
||||
}
|
||||
|
||||
location /api/ {
|
||||
# Strip /api so axum sees /v1/events, not /api/v1/events.
|
||||
rewrite ^/api/(.*)$ /$1 break;
|
||||
proxy_pass http://moments_api;
|
||||
proxy_http_version 1.1;
|
||||
|
||||
@@ -1,11 +1,7 @@
|
||||
[Unit]
|
||||
Description=Watch host cert for moments-api
|
||||
Documentation=https://git.lair.cafe/grenade/architecture
|
||||
|
||||
[Path]
|
||||
# Hostname is substituted at deploy time. step-ca rotates host certs every
|
||||
# 24h; rustls reads them at process start, so the API must restart on
|
||||
# rotation. Read-only public timeline — a few seconds of churn is fine.
|
||||
PathChanged=/etc/pki/tls/misc/{{HOSTNAME}}.pem
|
||||
Unit=moments-api-cert-reload.service
|
||||
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
[Unit]
|
||||
Description=moments read-only HTTP API
|
||||
Documentation=https://git.lair.cafe/grenade/moments
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
@@ -13,7 +12,6 @@ ExecStart=/usr/local/bin/moments-api
|
||||
Restart=on-failure
|
||||
RestartSec=5s
|
||||
|
||||
# Hardening
|
||||
NoNewPrivileges=true
|
||||
ProtectSystem=strict
|
||||
ProtectHome=true
|
||||
|
||||
@@ -1,10 +1,7 @@
|
||||
[Unit]
|
||||
Description=Watch host cert for moments-worker
|
||||
Documentation=https://git.lair.cafe/grenade/architecture
|
||||
|
||||
[Path]
|
||||
# Worker holds a sqlx pool with rustls — restart on cert rotation. The
|
||||
# poller is idempotent, so dropping mid-poll is safe.
|
||||
PathChanged=/etc/pki/tls/misc/{{HOSTNAME}}.pem
|
||||
Unit=moments-worker-cert-reload.service
|
||||
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
[Unit]
|
||||
Description=moments ingestion worker
|
||||
Documentation=https://git.lair.cafe/grenade/moments
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
@@ -13,7 +12,6 @@ ExecStart=/usr/local/bin/moments-worker
|
||||
Restart=on-failure
|
||||
RestartSec=10s
|
||||
|
||||
# Hardening
|
||||
NoNewPrivileges=true
|
||||
ProtectSystem=strict
|
||||
ProtectHome=true
|
||||
|
||||
Reference in New Issue
Block a user