nginx on the gateway serves the bench SPA and reverse-proxies /api to the bob bench API over WireGuard — public, auth-less, same-origin (no CORS), internal API stays private.

- asset/nginx/bench.helexa.ai.conf (full TLS vhost: SPA + /api proxy) and a bootstrap http-only vhost for the initial ACME challenge.
- infra-setup.sh: one-time gateway setup — webroot, Let's Encrypt cert (certbot webroot, idempotent), install + enable the vhost.
- deploy.yml: deploy-bench-ui builds the SPA (setup-node) and rsyncs dist/ to /var/www/bench.helexa.ai every deploy; built same-origin so no VITE_API_BASE.
- cortex-host.conf: scoped gitea_ci rsync grant for the webroot.
- bench/README: production hosting notes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
57 lines
1.8 KiB
Plaintext
# Public, auth-less bench UI at https://bench.helexa.ai.
#
# Serves the static SPA from /var/www/bench.helexa.ai (rsynced by
# .gitea/workflows/deploy.yml's deploy-bench-ui job) and reverse-proxies
# /api to the helexa-bench read API on bob over the WireGuard mesh — so
# the browser stays same-origin (no CORS) and the internal API never
# needs to be exposed publicly.
#
# TLS via Let's Encrypt; the cert is obtained/renewed by certbot
# (bootstrapped one-time in script/infra-setup.sh). Mirrors the
# dev.swym.hanzalova.internal vhost convention on this host.

server {
    listen 80;
    server_name bench.helexa.ai;

    # Keep serving the ACME webroot so certbot can renew.
    location /.well-known/acme-challenge/ {
        root /var/www/bench.helexa.ai;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    http2 on;
    server_name bench.helexa.ai;

    ssl_certificate /etc/letsencrypt/live/bench.helexa.ai/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bench.helexa.ai/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    root /var/www/bench.helexa.ai;
    index index.html;

    # Bench read API on bob (internal WireGuard); browser stays same-origin.
    location /api/ {
        proxy_pass http://bob.hanzalova.internal:13132;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 60s;
    }

    # SPA fallback — client-side routes (/trends, /runs) resolve to index.html.
    location / {
        try_files $uri $uri/ /index.html;
    }
}
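The vhost above exposes an unauthenticated proxy to an internal API, so the `/api/` location is the part worth constraining. A variant of the 443 server block follows as an added example (not the repository's config); the zone name `bench_api`, the rate and burst values, the added response headers, and the premise that the UI only needs GET/HEAD against the read API are assumptions.

```nginx
# Added example, not the repository's config. Assumed: zone name bench_api,
# 10 r/s with burst 20, and a UI that only sends GET/HEAD to the read API.

# Belongs to the http{} context; valid at the top of a vhost file that is
# included from http{}.
limit_req_zone $binary_remote_addr zone=bench_api:10m rate=10r/s;

server {
    listen 443 ssl;
    http2 on;
    server_name bench.helexa.ai;

    ssl_certificate /etc/letsencrypt/live/bench.helexa.ai/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bench.helexa.ai/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/bench.helexa.ai;
    index index.html;

    # Inherited by both locations below because neither sets add_header itself.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options "nosniff" always;

    location /api/ {
        # Read-only API: refuse every method except GET (HEAD is implied).
        limit_except GET {
            deny all;
        }

        # Per-client throttle; answer 429 instead of the default 503.
        limit_req zone=bench_api burst=20 nodelay;
        limit_req_status 429;

        proxy_pass http://bob.hanzalova.internal:13132;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Overwrite rather than append, so a client-supplied
        # X-Forwarded-For value never reaches the backend.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 60s;
    }

    location / {
        try_files $uri $uri/ /index.html;
    }
}
```

Validate with `nginx -t` before reloading; if the backend logs or rate-limits by client address, it should read `X-Real-IP` or the overwritten `X-Forwarded-For`, both of which the gateway sets itself.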