8081 is the alt-HTTP port — one of the crowded defaults every proxy/dev server grabs — so it's collision-prone on a shared host. Move to 22672, a registered- range port in the sparse 20000s band, derived deterministically from the service name and recorded in architecture port-allocations.md. Updated everywhere the number appears: api bind config + default, firewalld service XML, nginx upstream, vite dev proxy, deploy workflow API_PORT, infra-setup (SELinux semanage label), and docs. Operator note: re-run script/infra-setup.sh on slartibartfast to relabel the SELinux port (22672) and ship the updated firewalld XML before the next deploy restarts the api on the new port. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_016fKZzDpvjiJ9eYbPGgJvUP
21 lines
848 B
Cheetah
21 lines
848 B
Cheetah
# newsfeed-api configuration (production). Rendered to /etc/newsfeed/config.toml.
|
|
#
|
|
# This file contains no secrets — newsfeed uses SQLite (no DB password), and session
|
|
# cookies / API tokens are random values hashed at rest (no signing key). It is therefore
|
|
# committed as concrete values, not {{PLACEHOLDER}} templates. Env (NEWSFEED_*) still
|
|
# overrides any value at runtime.
|
|
|
|
# Bind the mesh-routable address so the oolon proxy can reach it. firewalld
|
|
# (newsfeed-api service) bounds who may connect; TLS terminates at oolon.
|
|
bind = "0.0.0.0:22672"
|
|
|
|
database_path = "/var/lib/newsfeed/newsfeed.db"
|
|
session_ttl_days = 30
|
|
max_db_connections = 5
|
|
|
|
# Same-origin in production (oolon serves the SPA and proxies the API), so no CORS.
|
|
cors_origins = []
|
|
|
|
# Cookies are only sent over HTTPS (the browser talks to oolon over TLS).
|
|
cookie_secure = true
|