2ro be15c78121 floonet-strfry: us-east production deploy bundle for the nm.floonet.dev name authority
Bundle that stands the bundled name authority up behind nginx at
https://nm.floonet.dev in paid-name mode wired to the on-box GoblinPay:

  * nm.floonet.dev.conf         nginx vhost mirroring the relay.floonet.dev
                                pattern (same listen IP + certbot webroot),
                                TLS -> 127.0.0.1:8193, sets X-Real-IP (which
                                the per-IP rate limiter keys off).
  * floonet-authority.service.d/10-us-east.conf
                                drop-in over the generic hardened unit: swaps
                                DynamicUser for the stable unprivileged goblin
                                account and relocates the DB into the
                                /opt/goblin tree (one backup root), inheriting
                                every other sandbox directive.
  * floonet-authority.env.example
                                FLOONET_PAY_MODE=name, GOBLINPAY_URL at the
                                loopback GoblinPay; the real GP token is filled
                                from goblinpay.env at deploy time, never here.
  * deploy.sh                   idempotent runbook: build on-box, install,
                                two-phase certbot (acme :80 -> cert -> :443),
                                start. Never touches goblin-nip05d or firewalld.
2026-07-03 03:15:38 -04:00


# Floonet name authority — nm.floonet.dev
#
# TLS terminates here; the authority listens on 127.0.0.1:8193 and keys ALL
# per-IP rate limiting off X-Real-IP, so setting it from $remote_addr is
# SECURITY-CRITICAL: a missing value collapses every client into one bucket
# and defeats the limiter. Mirrors the relay.floonet.dev vhost (same listen
# IP, same certbot webroot, same header set) minus the WebSocket upgrade,
# since the authority is a plain JSON/REST service.
server {
    listen 167.17.77.8:80;
    server_name nm.floonet.dev;
    location /.well-known/acme-challenge/ { root /var/www/acme-challenge; }
    location / { return 301 https://$host$request_uri; }
}
server {
    listen 167.17.77.8:443 ssl http2;
    server_name nm.floonet.dev;
    ssl_certificate /etc/letsencrypt/live/nm.floonet.dev/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nm.floonet.dev/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header X-Content-Type-Options "nosniff" always;
    access_log /var/log/nginx/nm.floonet.dev.access.log;
    error_log /var/log/nginx/nm.floonet.dev.error.log;
    # Registration / quote bodies are tiny JSON; cap to keep abuse cheap.
    client_max_body_size 16k;
    location / {
        proxy_pass http://127.0.0.1:8193;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 30s;
        proxy_send_timeout 30s;
    }
}
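The vhost comment calls the X-Real-IP line security-critical but the authority's limiter itself is not on this page, so the following is an added illustration (not floonet code) of what the four proxy_set_header lines hand the upstream and what a limiter keyed on X-Real-IP then sees. It models nginx's two behaviours exactly as they apply here: a plain proxy_set_header value replaces whatever the client sent, and $proxy_add_x_forwarded_for appends $remote_addr to the client's own X-Forwarded-For, so the first hop of that header stays attacker-controlled (a point the page does not spell out). The limiter, its limit of 5, and the addresses are constructed for the example; the directive-missing case models the line being deleted from the vhost, in which case nginx forwards a client-supplied X-Real-IP untouched.

```python
"""Added example (not part of the floonet deploy bundle): what the
nm.floonet.dev vhost hands 127.0.0.1:8193, and how a limiter keyed on
X-Real-IP behaves with and without the proxy_set_header line."""
from collections import defaultdict


def upstream_headers(client_headers, remote_addr, x_real_ip_set=True):
    """Apply the vhost's proxy_set_header rules to one request.

    client_headers: headers the TLS client sent (attacker-controlled).
    remote_addr:    the peer address nginx observed, i.e. $remote_addr.
    x_real_ip_set:  True = vhost as written; False = the X-Real-IP line
                    absent, so nginx forwards the client's own header.
    Header names are normalised to Title-Case for lookups below."""
    hdrs = {k.title(): v for k, v in client_headers.items()}
    hdrs["Host"] = "nm.floonet.dev"          # proxy_set_header Host $host
    if x_real_ip_set:
        hdrs["X-Real-Ip"] = remote_addr      # replaces any client-sent value
    # $proxy_add_x_forwarded_for: client's list first, then $remote_addr
    prior = hdrs.get("X-Forwarded-For")
    hdrs["X-Forwarded-For"] = f"{prior}, {remote_addr}" if prior else remote_addr
    hdrs["X-Forwarded-Proto"] = "https"
    return hdrs


def first_forwarded_hop(hdrs):
    """The leftmost X-Forwarded-For entry: never safe as a limiter key here."""
    return hdrs["X-Forwarded-For"].split(",")[0].strip()


class RealIpLimiter:
    """Stand-in per-IP limiter (assumed fixed-window counter, limit assumed)."""

    def __init__(self, limit=5):
        self.limit = limit
        self.seen = defaultdict(int)

    def allow(self, hdrs):
        # Absent header -> key "" -> every client lands in one shared bucket.
        key = hdrs.get("X-Real-Ip", "")
        self.seen[key] += 1
        return self.seen[key] <= self.limit


def run(requests, x_real_ip_set=True, limit=5):
    """requests: list of (remote_addr, client_headers) in arrival order.
    Returns {remote_addr: number of requests the limiter let through}."""
    limiter = RealIpLimiter(limit)
    allowed = defaultdict(int)
    for remote_addr, client_hdrs in requests:
        if limiter.allow(upstream_headers(client_hdrs, remote_addr, x_real_ip_set)):
            allowed[remote_addr] += 1
    return dict(allowed)


# Constructed traffic using RFC 5737 documentation addresses.
HONEST = [(ip, {}) for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12")
          for _ in range(4)]                       # 3 clients x 4 requests
SPOOFER = [("198.51.100.7", {"X-Real-IP": f"10.0.0.{n}"})
           for n in range(20)]                     # one source, forged IP per request


def scenarios(limit=5):
    return {
        "as_written/honest":    run(HONEST, True, limit),   # nobody throttled
        "as_written/spoofer":   run(SPOOFER, True, limit),  # forged IP overwritten
        "line_missing/honest":  run(HONEST, False, limit),  # all share bucket ""
        "line_missing/spoofer": run(SPOOFER, False, limit), # forged IP honoured
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22s} {result}")
    h = upstream_headers({"X-Forwarded-For": "10.0.0.1"}, "198.51.100.7")
    print("X-Real-Ip:", h["X-Real-Ip"], "| first XFF hop:", first_forwarded_hop(h))
```

With the line present, the spoofer's twenty forged X-Real-IP values are all overwritten with 198.51.100.7 and only five requests pass; with it absent, the same burst passes entirely while three honest clients that send no header share bucket "" and the third one is throttled before its first request, which is the failure mode the vhost comment warns about. The last line of output shows why the key must be X-Real-IP and not the first X-Forwarded-For hop: $proxy_add_x_forwarded_for keeps the client's forged 10.0.0.1 in front of the real address.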