fix: conventional paths, oolon fqdn, public cert

2026-05-04 07:54:23 +03:00
parent abce3803ca
commit c81512fa3e
5 changed files with 31 additions and 21 deletions
--- a/asset/manifest.yml
+++ b/asset/manifest.yml
@@ -32,8 +32,8 @@ environments:
          GITHUB_TOKEN: github.com/grenade/admin-token
          # GITEA_TOKEN, BUGZILLA_API_KEY: optional, omit unless required.
      web:
-        hosts: [oolon.hanzalova.internal]
+        hosts: [oolon.kosherinata.internal]
        config:
          server_name: rob.tn
-          root: /var/www/moments
+          root: /var/www/rob.tn
          api_upstream: http://nikola.kosherinata.internal:42424
--- a/asset/nginx/rob.tn.conf
+++ b/asset/nginx/rob.tn.conf
@@ -4,15 +4,15 @@ upstream moments_api {
 }

 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
    server_name rob.tn;
+    listen 443 ssl;
+    http2 on;

-    ssl_certificate     /etc/pki/tls/misc/oolon.hanzalova.internal.pem;
-    ssl_certificate_key /etc/pki/tls/private/oolon.hanzalova.internal.pem;
-    ssl_protocols TLSv1.3;
+    ssl_certificate /etc/letsencrypt/live/rob.tn/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/rob.tn/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;

-    root /var/www/moments;
+    root /var/www/rob.tn;
    index index.html;

    location / {
@@ -41,10 +41,3 @@ server {
    access_log /var/log/nginx/rob.tn.access.log;
    error_log  /var/log/nginx/rob.tn.error.log;
 }
-
-server {
-    listen 80;
-    listen [::]:80;
-    server_name rob.tn;
-    return 301 https://$host$request_uri;
-}
--- a/readme.md
+++ b/readme.md
@@ -51,7 +51,7 @@ Topology:
 | --------- | --------------------------------- | ------------------------------------------------------------------ |
 | api       | `nikola.kosherinata.internal`     | binds `0.0.0.0:42424`; firewalld service `moments-api`             |
 | worker    | `frootmig.kosherinata.internal`   | no listening port; pollers only                                    |
-| web       | `oolon.hanzalova.internal`        | per-site nginx ingress for rob.tn; `/api/*` → nikola across the WG |
+| web       | `oolon.kosherinata.internal`        | per-site nginx ingress for rob.tn; `/api/*` → nikola across the WG |
 | db        | `magrathea.kosherinata.internal`  | postgres mTLS, passwordless                                        |

 Postgres roles `moments_rw` and `moments_ro` must exist on the primary, with `pg_ident.conf` mappings in place for `nikola.kosherinata.internal` → `moments_ro` and `frootmig.kosherinata.internal` → `moments_rw`. See `asset/sql/bootstrap-moments.sql` and `asset/postgres/ident.conf.tmpl`.
--- a/script/certify.sh
+++ b/script/certify.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+tld=rob.tn
+fqdn=${tld}
+sudo certbot certonly \
+    -m ops@${tld} \
+    --agree-tos \
+    --no-eff-email \
+    --noninteractive \
+    --cert-name ${fqdn} \
+    --expand \
+    --allow-subset-of-names \
+    --key-type ecdsa \
+    --dns-cloudflare \
+    --dns-cloudflare-credentials /root/.cloudflare/${tld} \
+    --dns-cloudflare-propagation-seconds 60 \
+    -d ${fqdn}
--- a/script/deploy.sh
+++ b/script/deploy.sh
@@ -277,7 +277,7 @@ deploy_web() {
    log "web -> $host"

    if (( dry_run )); then
-        printf '\033[2m[dry-run]\033[0m rsync ui/dist/ to %s:/var/www/moments/ + nginx config, run nginx -t/reload on %s\n' \
+        printf '\033[2m[dry-run]\033[0m rsync ui/dist/ to %s:/var/www/rob.tn/ + nginx config, run nginx -t/reload on %s\n' \
            "$host" "$host" >&2
        return 0
    fi
@@ -286,15 +286,15 @@ deploy_web() {
    stage="$(mktemp -d)"
    trap "rm -rf '$stage'" RETURN

-    install -d "$stage/var/www/moments" "$stage/etc/nginx/conf.d"
+    install -d "$stage/var/www/rob.tn" "$stage/etc/nginx/conf.d"

-    rsync -a "${repo_root}/ui/dist/" "$stage/var/www/moments/"
+    rsync -a "${repo_root}/ui/dist/" "$stage/var/www/rob.tn/"
    install -m 0644 "${repo_root}/asset/nginx/rob.tn.conf" "$stage/etc/nginx/conf.d/rob.tn.conf"

    if (( dry_run )); then
        printf '\033[2m[dry-run]\033[0m rsync staged -> %s:/\n' "$host" >&2
    else
-        rsync -aHAX --delete --rsync-path="sudo rsync" "$stage/var/www/moments/" "${host}:/var/www/moments/"
+        rsync -aHAX --delete --rsync-path="sudo rsync" "$stage/var/www/rob.tn/" "${host}:/var/www/rob.tn/"
        rsync -aHAX --rsync-path="sudo rsync" "$stage/etc/nginx/conf.d/rob.tn.conf" "${host}:/etc/nginx/conf.d/rob.tn.conf"
    fi

@@ -311,7 +311,7 @@ if ! semanage port -l | awk '{print $1, $3}' | grep -qE "^http_port_t .*42424";
    semanage port -m -t http_port_t -p tcp 42424
 fi

-restorecon -Rv /var/www/moments /etc/nginx/conf.d/rob.tn.conf
+restorecon -Rv /var/www/rob.tn /etc/nginx/conf.d/rob.tn.conf

 if ! nginx -t; then
    echo "nginx config check failed" >&2