From c81512fa3e5a957b12b49a6a6b64ccb2fdd04355 Mon Sep 17 00:00:00 2001
From: rob thijssen
Date: Mon, 4 May 2026 07:54:23 +0300
Subject: [PATCH] fix: conventional paths, oolon fqdn, public cert
---
 asset/manifest.yml | 4 ++--
 asset/nginx/rob.tn.conf | 19 ++++++-------------
 readme.md | 2 +-
 script/certify.sh | 17 +++++++++++++++++
 script/deploy.sh | 10 +++++-----
 5 files changed, 31 insertions(+), 21 deletions(-)
 create mode 100644 script/certify.sh
diff --git a/asset/manifest.yml b/asset/manifest.yml
index 2dd80b4..92477a3 100644
--- a/asset/manifest.yml
+++ b/asset/manifest.yml
@@ -32,8 +32,8 @@ environments:
 GITHUB_TOKEN: github.com/grenade/admin-token
 # GITEA_TOKEN, BUGZILLA_API_KEY: optional, omit unless required.
 web:
- hosts: [oolon.hanzalova.internal]
+ hosts: [oolon.kosherinata.internal]
 config:
 server_name: rob.tn
- root: /var/www/moments
+ root: /var/www/rob.tn
 api_upstream: http://nikola.kosherinata.internal:42424
diff --git a/asset/nginx/rob.tn.conf b/asset/nginx/rob.tn.conf
index b2df44c..bca145a 100644
--- a/asset/nginx/rob.tn.conf
+++ b/asset/nginx/rob.tn.conf
@@ -4,15 +4,15 @@ upstream moments_api {
 }

 server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
 server_name rob.tn;
+ listen 443 ssl;
+ http2 on;

- ssl_certificate /etc/pki/tls/misc/oolon.hanzalova.internal.pem;
- ssl_certificate_key /etc/pki/tls/private/oolon.hanzalova.internal.pem;
- ssl_protocols TLSv1.3;
+ ssl_certificate /etc/letsencrypt/live/rob.tn/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/rob.tn/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;

- root /var/www/moments;
+ root /var/www/rob.tn;
 index index.html;

 location / {
@@ -41,10 +41,3 @@ server {
 access_log /var/log/nginx/rob.tn.access.log;
 error_log /var/log/nginx/rob.tn.error.log;
 }
-
-server {
- listen 80;
- listen [::]:80;
- server_name rob.tn;
- return 301 https://$host$request_uri;
-}
diff --git a/readme.md b/readme.md
index 96d30d1..8e25b0d 100644
--- a/readme.md
+++ b/readme.md
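Review bot: The rewritten listen block drops `listen [::]:443 ssl http2;` without an IPv6 replacement, so after this hunk nginx binds only the IPv4 socket for rob.tn; unless the AAAA record is also being retired, add `listen [::]:443 ssl;` beside the new `listen 443 ssl;` (and note `http2 on;` is the nginx ≥ 1.25.1 form, so the target's nginx version needs confirming). The same hunk widens `ssl_protocols` from TLSv1.3 to `TLSv1.2 TLSv1.3`, and no `ssl_ciphers` / `ssl_prefer_server_ciphers` directive is visible, so unless one is set elsewhere in the file the TLS 1.2 suite selection is whatever the nginx/OpenSSL build defaults to — either keep the previous `ssl_protocols TLSv1.3;`, or pair the wider setting with an explicit AEAD list restricted to ECDSA suites, since script/certify.sh issues the certificate with `--key-type ecdsa`, e.g. `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;` with `ssl_prefer_server_ciphers off;`. The server block continues past the end of this hunk, and the following hunk in this file deletes the port-80 `return 301` server, so plain-HTTP requests for rob.tn will no longer be redirected to HTTPS but answered by whatever default server is bound to :80 (or refused if nothing is); since the DNS-01 challenge in certify.sh does not need port 80, that redirect is worth keeping.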
@@ -51,7 +51,7 @@ Topology:
 | --------- | --------------------------------- | ------------------------------------------------------------------ |
 | api | `nikola.kosherinata.internal` | binds `0.0.0.0:42424`; firewalld service `moments-api` |
 | worker | `frootmig.kosherinata.internal` | no listening port; pollers only |
-| web | `oolon.hanzalova.internal` | per-site nginx ingress for rob.tn; `/api/*` → nikola across the WG |
+| web | `oolon.kosherinata.internal` | per-site nginx ingress for rob.tn; `/api/*` → nikola across the WG |
 | db | `magrathea.kosherinata.internal` | postgres mTLS, passwordless |

 Postgres roles `moments_rw` and `moments_ro` must exist on the primary, with `pg_ident.conf` mappings in place for `nikola.kosherinata.internal` → `moments_ro` and `frootmig.kosherinata.internal` → `moments_rw`. See `asset/sql/bootstrap-moments.sql` and `asset/postgres/ident.conf.tmpl`.
diff --git a/script/certify.sh b/script/certify.sh
new file mode 100644
index 0000000..377c14a
--- /dev/null
+++ b/script/certify.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+tld=rob.tn
+fqdn=${tld}
+sudo certbot certonly \
+ -m ops@${tld} \
+ --agree-tos \
+ --no-eff-email \
+ --noninteractive \
+ --cert-name ${fqdn} \
+ --expand \
+ --allow-subset-of-names \
+ --key-type ecdsa \
+ --dns-cloudflare \
+ --dns-cloudflare-credentials /root/.cloudflare/${tld} \
+ --dns-cloudflare-propagation-seconds 60 \
+ -d ${fqdn}
diff --git a/script/deploy.sh b/script/deploy.sh
index cec995c..a7c37fa 100755
--- a/script/deploy.sh
+++ b/script/deploy.sh
@@ -277,7 +277,7 @@ deploy_web() {
 log "web -> $host"
 if (( dry_run )); then
- printf '\033[2m[dry-run]\033[0m rsync ui/dist/ to %s:/var/www/moments/ + nginx config, run nginx -t/reload on %s\n' \
+ printf '\033[2m[dry-run]\033[0m rsync ui/dist/ to %s:/var/www/rob.tn/ + nginx config, run nginx -t/reload on %s\n' \
 "$host" "$host" >&2
 return 0
 fi
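Review bot: The certbot invocation in script/certify.sh has no `--deploy-hook`, so when the certificate is later renewed (certbot's packaged renewal timer re-runs the saved options, if it is enabled on the host) nginx keeps serving the `/etc/letsencrypt/live/rob.tn/fullchain.pem` it loaded at startup until someone reloads it by hand; add `--deploy-hook 'systemctl reload nginx'`, which presumes this script runs on the same host as the nginx from asset/nginx/rob.tn.conf — the script neither states nor checks that, unlike deploy.sh which targets `$host`. The Cloudflare credential at `/root/.cloudflare/${tld}` is a DNS-write token for the zone and certbot only warns when the file is readable by others, so the script should check the mode itself and abort rather than proceed with an exposed secret. `--allow-subset-of-names` with a single `-d` entry has nothing to subset and can be dropped, and `ops@${tld}`, `${fqdn}` and the credentials path should be double-quoted as deploy.sh quotes its variables. The rewritten header and the changed options follow.
```bash
#!/usr/bin/env bash
set -euo pipefail

tld=rob.tn
fqdn=${tld}
creds=/root/.cloudflare/${tld}

# The token in $creds can rewrite the zone's DNS; refuse to use it if anyone but root can read it.
if [[ "$(sudo stat -c '%a' "${creds}")" != "600" ]]; then
  echo "refusing to run: ${creds} must be mode 0600" >&2
  exit 1
fi

# … unchanged: -m, --agree-tos, --no-eff-email, --noninteractive, --cert-name, --expand, --key-type ecdsa, --dns-cloudflare and --dns-cloudflare-propagation-seconds stay on this command; --allow-subset-of-names is dropped …
sudo certbot certonly \
  --dns-cloudflare-credentials "${creds}" \
  --deploy-hook 'systemctl reload nginx' \
  -d "${fqdn}"
```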
@@ -286,15 +286,15 @@ deploy_web() {
 stage="$(mktemp -d)"
 trap "rm -rf '$stage'" RETURN
- install -d "$stage/var/www/moments" "$stage/etc/nginx/conf.d"
+ install -d "$stage/var/www/rob.tn" "$stage/etc/nginx/conf.d"
- rsync -a "${repo_root}/ui/dist/" "$stage/var/www/moments/"
+ rsync -a "${repo_root}/ui/dist/" "$stage/var/www/rob.tn/"
 install -m 0644 "${repo_root}/asset/nginx/rob.tn.conf" "$stage/etc/nginx/conf.d/rob.tn.conf"
 if (( dry_run )); then
 printf '\033[2m[dry-run]\033[0m rsync staged -> %s:/\n' "$host" >&2
 else
- rsync -aHAX --delete --rsync-path="sudo rsync" "$stage/var/www/moments/" "${host}:/var/www/moments/"
+ rsync -aHAX --delete --rsync-path="sudo rsync" "$stage/var/www/rob.tn/" "${host}:/var/www/rob.tn/"
 rsync -aHAX --rsync-path="sudo rsync" "$stage/etc/nginx/conf.d/rob.tn.conf" "${host}:/etc/nginx/conf.d/rob.tn.conf"
 fi
@@ -311,7 +311,7 @@ if ! semanage port -l | awk '{print $1, $3}' | grep -qE "^http_port_t .*42424";
 semanage port -m -t http_port_t -p tcp 42424
 fi
-restorecon -Rv /var/www/moments /etc/nginx/conf.d/rob.tn.conf
+restorecon -Rv /var/www/rob.tn /etc/nginx/conf.d/rob.tn.conf
 if ! nginx -t; then
 echo "nginx config check failed" >&2