rob thijssen
52b7d0be9b
The per-site nginx ingress for rob.tn lives on oolon (the host the external router forwards 443 traffic to), not on nikola. Adjust the topology so: - web (static ui + nginx) → oolon.hanzalova.internal - api binds 0.0.0.0:42424 on nikola.kosherinata.internal so oolon can reverse-proxy across the WG mesh - new firewalld service moments-api opens 42424 in the default zone on nikola - oolon labels port 42424 http_port_t so httpd_t may name_connect outbound to it (httpd_can_network_connect was already set) - nginx ssl_certificate switched to oolon's host cert; upstream rewritten to nikola.kosherinata.internal:42424 Plaintext between oolon and nikola for now — the WG mesh provides the encryption layer and the data is already public. Documented the deferral so a future move to per-hop mTLS is obvious. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
7 lines
476 B
XML
7 lines
476 B
XML
<?xml version="1.0" encoding="utf-8"?>
|
|
<service>
|
|
<short>moments-api</short>
|
|
<description>moments read-only HTTP API. Reverse-proxied by nginx on oolon (the per-site rob.tn ingress) across the WG mesh; the data is the public timeline already exposed at rob.tn, so no source-IP restriction is currently applied. Add a <source/> element here if defence-in-depth scoping to oolon's WG IP becomes desirable.</description>
|
|
<port protocol="tcp" port="42424"/>
|
|
</service>
|