floonet-strfry/deploy/us-east/floonet-authority.env.example
2ro be15c78121 floonet-strfry: us-east production deploy bundle for the nm.floonet.dev name authority
Bundle that stands the bundled name authority up behind nginx at
https://nm.floonet.dev in paid-name mode wired to the on-box GoblinPay:

  * nm.floonet.dev.conf         nginx vhost mirroring the relay.floonet.dev
                                pattern (same listen IP + certbot webroot),
                                TLS -> 127.0.0.1:8193, sets X-Real-IP (which
                                the per-IP rate limiter keys off).
  * floonet-authority.service.d/10-us-east.conf
                                drop-in over the generic hardened unit: swaps
                                DynamicUser for the stable unprivileged goblin
                                account and relocates the DB into the
                                /opt/goblin tree (one backup root), inheriting
                                every other sandbox directive.
  * floonet-authority.env.example
                                FLOONET_PAY_MODE=name, GOBLINPAY_URL at the
                                loopback GoblinPay; the real GP token is filled
                                from goblinpay.env at deploy time, never here.
  * deploy.sh                   idempotent runbook: build on-box, install,
                                two-phase certbot (acme :80 -> cert -> :443),
                                start. Never touches goblin-nip05d or firewalld.
2026-07-03 03:15:38 -04:00

41 lines
1.8 KiB
Bash

# /etc/floonet-authority.env — us-east production template (nm.floonet.dev).
#
# Copy to /etc/floonet-authority.env, fill GOBLINPAY_TOKEN from
# /opt/goblin/goblinpay/goblinpay.env (GP_API_TOKEN), then:
# install -m0640 -o root -g goblin floonet-authority.env /etc/floonet-authority.env
# Keep the real file (with the token) OUT of git — this is only the template.

# --- Identity ---
# Names are name@nm.floonet.dev; the well-known is served at this host, so the
# @domain and BASE_URL host must both equal nm.floonet.dev (the authority
# refuses to start otherwise). BASE_URL is load-bearing: NIP-98 `u`-tags are
# verified against <BASE_URL><path>.
FLOONET_DOMAIN=nm.floonet.dev
FLOONET_BASE_URL=https://nm.floonet.dev
FLOONET_RELAYS=wss://relay.floonet.dev
FLOONET_NAMES_BIND=127.0.0.1:8193
# FLOONET_NAMES_DB is set by the systemd drop-in:
# /opt/goblin/floonet-authority/names.db

# --- Paid names via GoblinPay (Grin), admin-priced ---
# off | name | write. `name` = claiming name@domain costs FLOONET_NAME_PRICE_GRIN.
FLOONET_PAY_MODE=name
FLOONET_NAME_PRICE_GRIN=1
# GoblinPay runs on the same box (goblin-pay.service, 127.0.0.1:8192). The
# authority calls {GOBLINPAY_URL}/invoice and GET /invoice/{id} server-side
# with a Bearer token; payers still land on GoblinPay's public hosted pay_url
# (GP_PUBLIC_URL). Loopback avoids a needless public round-trip.
GOBLINPAY_URL=http://127.0.0.1:8192
GOBLINPAY_TOKEN=__REPLACE_WITH_GP_API_TOKEN__

# Optional: instant settlement instead of polling. If set, point a GoblinPay
# webhook at https://nm.floonet.dev/api/v1/goblinpay/webhook.
#GOBLINPAY_WEBHOOK_SECRET=

# --- Rate-limit ceilings (per X-Real-IP; nginx sets it from $remote_addr) ---
FLOONET_READ_RATE_MAX=120
FLOONET_READ_RATE_WINDOW_SECS=60
FLOONET_WRITE_RATE_MAX=10
FLOONET_WRITE_RATE_WINDOW_SECS=3600

RUST_LOG=info
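The Identity section above states two invariants that are worth checking before `deploy.sh` ever starts the unit: the `@domain` must equal the host of `FLOONET_BASE_URL`, and NIP-98 `u` tags are compared against `<BASE_URL><path>` rather than against whatever `Host` header arrives on the loopback proxy hop. The following Python is an added example, not code from the floonet-strfry repo or the Rust authority: it parses an env template in this file's format, reports violations of those invariants (plus a leftover `__REPLACE_WITH_GP_API_TOKEN__` placeholder in paid mode), and shows the `u`/`method`/`created_at`/`payload` tag checks a NIP-98 verifier performs once the event signature has been verified (signature checking is left out). The `/api/v1/names` request path in the sample event is an assumption for illustration, not a path taken from the project.

```python
"""Added example (not floonet-strfry code): env-template invariants and the
NIP-98 u-tag binding to <BASE_URL><path> described in the template comments."""
import hashlib
import time
from urllib.parse import urlsplit

# Constructed excerpt of the us-east template (token left as the placeholder).
ENV_TEMPLATE = """\
# --- Identity ---
FLOONET_DOMAIN=nm.floonet.dev
FLOONET_BASE_URL=https://nm.floonet.dev
FLOONET_PAY_MODE=name
GOBLINPAY_TOKEN=__REPLACE_WITH_GP_API_TOKEN__
"""

PAY_MODES = ("off", "name", "write")


def parse_env(text):
    """KEY=VALUE lines; blank lines and # comments are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed env line: {raw!r}")
        env[key.strip()] = value.strip()
    return env


def check_identity(env):
    """Return the list of violations; an empty list means the start-up
    invariant (domain == BASE_URL host) holds, the pay mode is valid and no
    template placeholder is left in a paid-mode config."""
    problems = []
    domain = env.get("FLOONET_DOMAIN", "")
    base = urlsplit(env.get("FLOONET_BASE_URL", ""))
    if base.hostname != domain:
        problems.append(
            f"FLOONET_BASE_URL host {base.hostname!r} != FLOONET_DOMAIN {domain!r}")
    mode = env.get("FLOONET_PAY_MODE", "off")
    if mode not in PAY_MODES:
        problems.append(f"FLOONET_PAY_MODE {mode!r} not one of {PAY_MODES}")
    if mode != "off" and env.get("GOBLINPAY_TOKEN", "").startswith("__REPLACE"):
        problems.append("GOBLINPAY_TOKEN is still the template placeholder")
    return problems


def expected_url(base_url, path_and_query):
    """The absolute URL a client must have signed. Built from the configured
    BASE_URL, never from the Host header: nginx terminates TLS and proxies to
    127.0.0.1:8193, so only BASE_URL reflects what the client actually saw."""
    return base_url.rstrip("/") + "/" + path_and_query.lstrip("/")


def nip98_tags_ok(event, base_url, method, path_and_query,
                  body=b"", now=None, max_skew=60):
    """Validate the tags of a kind-27235 (NIP-98) event whose Schnorr
    signature has ALREADY been verified. Returns (ok, reason)."""
    if event.get("kind") != 27235:
        return False, "not a NIP-98 event"
    tags = {t[0]: t[1] for t in event.get("tags", []) if len(t) >= 2}
    if tags.get("u") != expected_url(base_url, path_and_query):
        return False, "u tag does not match <BASE_URL><path>"
    if tags.get("method", "").upper() != method.upper():
        return False, "method tag mismatch"
    now = time.time() if now is None else now
    if abs(now - event.get("created_at", 0)) > max_skew:
        return False, "created_at outside replay window"
    # The optional payload tag is the SHA-256 hex of the request body.
    if body and tags.get("payload") != hashlib.sha256(body).hexdigest():
        return False, "payload hash mismatch"
    return True, "ok"


# Constructed kind-27235 event for a hypothetical POST /api/v1/names request
# (the path is an assumption for illustration, not taken from the repo).
SAMPLE_EVENT = {
    "kind": 27235,
    "created_at": 1_800_000_000,
    "tags": [["u", "https://nm.floonet.dev/api/v1/names"], ["method", "POST"]],
}

if __name__ == "__main__":
    env = parse_env(ENV_TEMPLATE)
    print("identity problems:", check_identity(env))
    print(nip98_tags_ok(SAMPLE_EVENT, env["FLOONET_BASE_URL"], "POST",
                        "/api/v1/names", now=1_800_000_010))
```

Running it against the untouched template reports only the placeholder token, which is exactly what the deploy step is meant to replace; pointing `FLOONET_BASE_URL` at a different host is flagged before the authority would refuse to start.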
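The commit message says the nginx vhost sets `X-Real-IP`, which the per-IP rate limiter keys off, and the last section of the template gives the ceilings: 120 reads per 60 s and 10 writes per 3600 s. The Python below is an added example, not the authority's own limiter, showing a sliding-window limiter with those ceilings and the one caveat that makes keying on a client-supplied header safe: the header is honoured only when the TCP peer is the local nginx (the service binds 127.0.0.1:8193, so no one else can reach it), otherwise the peer address is used. The trusted-proxy check and the read/write split by HTTP method are this example's own assumptions about how such a limiter would be wired, not facts taken from the repo.

```python
"""Added example (not floonet-authority code): per-IP sliding-window rate
limiting keyed on X-Real-IP with the us-east ceilings from the env template."""
from collections import defaultdict, deque

# Ceilings copied from the template's rate-limit section.
READ_RATE_MAX, READ_RATE_WINDOW_SECS = 120, 60
WRITE_RATE_MAX, WRITE_RATE_WINDOW_SECS = 10, 3600

# Assumption for this example: read ceilings apply to safe methods, write
# ceilings to everything else (claims, webhooks, ...).
READ_METHODS = {"GET", "HEAD"}


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key in any trailing `window` seconds.
    Each key keeps a deque of hit timestamps; expired ones are dropped lazily."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def client_ip(headers, peer_addr, trusted_proxy="127.0.0.1"):
    """Key on X-Real-IP only when the request came from the local nginx, which
    the vhost sets from $remote_addr. From any other peer the header is
    attacker-controlled, so the peer address itself is the key."""
    if peer_addr == trusted_proxy and headers.get("X-Real-IP"):
        return headers["X-Real-IP"]
    return peer_addr


class Authority:
    """Minimal stand-in for the request path: pick the read or write limiter
    by method and answer 200 or 429."""

    def __init__(self):
        self.reads = SlidingWindowLimiter(READ_RATE_MAX, READ_RATE_WINDOW_SECS)
        self.writes = SlidingWindowLimiter(WRITE_RATE_MAX, WRITE_RATE_WINDOW_SECS)

    def handle(self, method, headers, peer_addr, now):
        ip = client_ip(headers, peer_addr)
        limiter = self.reads if method.upper() in READ_METHODS else self.writes
        return 200 if limiter.allow(ip, now) else 429


def burst(authority, method, headers, peer_addr, start, count):
    """Issue `count` requests one second apart and return the status codes."""
    return [authority.handle(method, headers, peer_addr, start + i)
            for i in range(count)]


if __name__ == "__main__":
    a = Authority()
    # Constructed traffic: eleven name claims from one client behind nginx.
    print(burst(a, "POST", {"X-Real-IP": "203.0.113.7"}, "127.0.0.1", 1000.0, 11))
```

The eleventh write from `203.0.113.7` within the hour gets a 429 while reads from the same address are still answered, and a request that bypasses nginx with a forged `X-Real-IP` is counted against its real peer address rather than against the spoofed one.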