feat(infra): provision the public rob.fyi vhost + LE cert in infra-setup
Some checks failed
deploy / build-api (push) Waiting to run
deploy / build-web (push) Successful in 1m33s
deploy / deploy-api (push) Has been cancelled
deploy / deploy-web (push) Has been cancelled

infra-setup only handled the internal (newsfeed.internal) cert and vhost and
just printed a generic "set it up yourself" note for the WAN name. Now it also,
on the web host:

- issues the Let's Encrypt cert for rob.fyi idempotently (certbot, Cloudflare
  DNS-01, ECDSA, --keep-until-expiring), skipping cleanly if the CF token or
  certbot is absent;
- installs the certbot renew deploy-hook (reload nginx);
- installs the public vhost, gated on the cert existing so a missing cert can't
  break `nginx -t` for all of nginx (external-tls.md §4).

PUBLIC_FQDN/CERT_EMAIL/CF_CREDS are infra-truth vars at the top; set PUBLIC_FQDN
empty to skip. Cloudflare A record + OPNsense :443 forward remain manual and are
called out in the closing output.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016fKZzDpvjiJ9eYbPGgJvUP
This commit is contained in:
2026-07-08 12:19:31 +03:00
parent 62d5bc6569
commit 19dfe793e0
2 changed files with 69 additions and 5 deletions

View File

@@ -132,9 +132,12 @@ sudoers, the `newsfeed` service account, directories, the `newsfeed.internal` TL
renewal, and the nginx vhost). Thereafter every push to `main` builds static musl
binaries + the SPA bundle and rsyncs them to the targets.
Mesh users reach `https://newsfeed.internal`. Public access is at `https://rob.fyi`
(`asset/nginx/newsfeed.public.conf`) — provision its Let's Encrypt cert, then symlink the
vhost into `sites-enabled`.
Mesh users reach `https://newsfeed.internal`; public access is at `https://rob.fyi`.
`infra-setup.sh` provisions **both** vhosts on oolon — the internal one (internal-CA cert)
and the public one (Let's Encrypt via certbot + Cloudflare DNS-01, gated on the cert
existing). The public cert needs the Cloudflare API token at `/root/.certbot-internal` on
oolon; you still add the Cloudflare A record (`rob.fyi` → kosherinata WAN, unproxied) and
the OPNsense `:443` forward separately.
For the workspace-wide architectural conventions this project inherits, see the
[architecture repo](https://git.lair.cafe/grenade/architecture).