Public-note kinds are now accepted only from an operator-configured list of
author pubkeys (FLOONET_AUTHORIZED_AUTHORS, hex or npub). Closed by default:
with no authors set, kinds 1 and 30023 are rejected for everyone, so random
notes cannot be spammed to the relay. Every other kind is unaffected and
kind 0 profiles stay open.
- add 30023 (long-form article) to the default kind whitelist
- check_authorized_authors runs right after check_kind; LOCKED_KINDS {1,30023}
- pure-python bech32 npub decoder (no new deps); invalid entries logged/skipped
- load_config also reads a KEY=VALUE floonet.env next to the plugin
(FLOONET_ENV_FILE), env vars win, so config changes need no container
recreate; strfry reloads the plugin on mtime change (no restart)
- extend test_policy.py (32 tests green)
- scripts/purge_public_notes.sh (dry-run default) to clean pre-existing notes
- scripts/smoke_test_lockdown.py post-deploy check
- README + .env.example config docs
The Goblin wallet moved off the Nym mixnet to Tor: it now reaches relays
over a Tor circuit to their clearnet endpoint, so the co-located mixnet
exit this package bundled is retired.
- delete the vendored `mixexit/` crate and the hardened
`deploy/systemd/floonet-mixexit.service` bare-metal unit
- docker-compose: drop the `mixexit` service (COMPOSE_PROFILES=exit) and
its `mixexit-data` volume; fix the top-of-file service list
- .env.example: replace the "Mixnet exit" block (COMPOSE_PROFILES=exit,
FLOONET_EXIT_UPSTREAM) with the Tor onion toggle
- README: replace the "Mixnet exit" section with "Tor onion", fix the
feature table, deploy paths, and the COMPOSE_PROFILES reference row
Add Tor as the first-class replacement deploy option, the same recipe
already proven in production: an optional `tor` compose service
(COMPOSE_PROFILES=tor) plus deploy/tor/torrc, a stock system tor daemon
whose hidden service forwards straight to strfry's websocket listener
(no TLS on that hop, the onion is already encrypted end to end). strfry
core stays stock; this is packaging and docs, no relay patch.
The default stack is unchanged (the onion is opt-in, as the exit was).
name-authority builds green; cargo test and clippy pass. docker-compose
validated (structure + YAML).
Serve the authority's NIP-05 lookup on the relay's own domain so
`name@relay.example` resolves, without giving the authority a second
vhost/cert. Live on us-east: relay.floonet.dev now answers
/.well-known/nostr.json from the co-located authority (127.0.0.1:8193)
while the WebSocket relay and NIP-11 stay untouched.
* deploy/us-east/colocated-authority.conf
The nginx opt-in: an exact-match `location = /.well-known/nostr.json`
proxied to the authority ahead of the relay's WebSocket catch-all.
Only the READ path is exposed; registration and the rest of /api/*
stay on the authority's own domain. Sets X-Real-IP (the per-IP rate
limiter keys off it). Same proxy shape as nm.floonet.dev.conf.
* README.md — "Co-locating names on the relay domain": the Caddy/compose
stack is co-located by default (single FLOONET_DOMAIN); a split nginx
deploy opts in with the snippet. Documents FLOONET_AUTHORITY_COLOCATED.
* deploy/Caddyfile, .env.example — note the single-domain stack is
co-located by default and point split deploys at the snippet.
The box vhost mirrors this snippet exactly; applied with nginx -t + reload
(no restart), firewalld untouched.
Match the advertised maxWebsocketPayloadSize so a maximum-size NIP-59
gift-wrapped slatepack payment (~66 KiB worst case) is accepted; the old
64 KiB cap could silently reject the largest payments on the money path.
Bundle that stands the bundled name authority up behind nginx at
https://nm.floonet.dev in paid-name mode wired to the on-box GoblinPay:
* nm.floonet.dev.conf nginx vhost mirroring the relay.floonet.dev
pattern (same listen IP + certbot webroot),
TLS -> 127.0.0.1:8193, sets X-Real-IP (which
the per-IP rate limiter keys off).
* floonet-authority.service.d/10-us-east.conf
drop-in over the generic hardened unit: swaps
DynamicUser for the stable unprivileged goblin
account and relocates the DB into the
/opt/goblin tree (one backup root), inheriting
every other sandbox directive.
* floonet-authority.env.example
FLOONET_PAY_MODE=name, GOBLINPAY_URL at the
loopback GoblinPay; the real GP token is filled
from goblinpay.env at deploy time, never here.
* deploy.sh idempotent runbook: build on-box, install,
two-phase certbot (acme :80 -> cert -> :443),
start. Never touches goblin-nip05d or firewalld.
Operating a NIP-98-gated endpoint (register / unregister / quote) needs signed
kind-27235 Authorization headers, and there is no nak on the target hosts. This
example reuses the crate's existing nostr/base64/sha2 deps to mint a
"Nostr <base64-event>" header for curl/CI: generate a throwaway identity or
reuse one via NIP98_SK, sign over the method/path/body, print the header to
stdout. The u-tag is built from FLOONET_BASE_URL to match server verification.
Extend the write-policy whitelist from the Goblin-wallet-only kinds to the
union with Magick Market so one relay serves both apps (default-deny for
everything else). Adds 1 note, 7 reaction, 14/16/17 order+receipt (Gamma),
1111 comment, 10000 mute/blacklist, 24133 remote signing, 30000/30003
NIP-51 sets, 30078 app data, 30402/30405/30406 listing/collection/shipping,
31990 handler info. Keeps the Goblin base including 13 seal and 27235
NIP-98. Plugin default, docstring, and tests updated together.
Stock strfry + a default-deny write-policy plugin (kinds 0,3,5,13,1059,
10002,10050,27235 only), NIP-42 auth, neutral NIP-11, a bundled name
authority (paid names/uses via GoblinPay), and a config-toggled co-located
mixnet exit. Docker Compose + Caddy + hardened systemd. strfry core stays
stock (plugin + config only). Validated end to end against real strfry.