be15c78121
Bundle that stands the bundled name authority up behind nginx at https://nm.floonet.dev in paid-name mode wired to the on-box GoblinPay:

* nm.floonet.dev.conf nginx vhost mirroring the relay.floonet.dev pattern (same listen IP + certbot webroot), TLS -> 127.0.0.1:8193, sets X-Real-IP (which the per-IP rate limiter keys off).
* floonet-authority.service.d/10-us-east.conf drop-in over the generic hardened unit: swaps DynamicUser for the stable unprivileged goblin account and relocates the DB into the /opt/goblin tree (one backup root), inheriting every other sandbox directive.
* floonet-authority.env.example FLOONET_PAY_MODE=name, GOBLINPAY_URL at the loopback GoblinPay; the real GP token is filled from goblinpay.env at deploy time, never here.
* deploy.sh idempotent runbook: build on-box, install, two-phase certbot (acme :80 -> cert -> :443), start. Never touches goblin-nip05d or firewalld.
39 lines
1.6 KiB
Plaintext
# Floonet name authority — nm.floonet.dev
#
# TLS terminates here; the authority listens on 127.0.0.1:8193 and keys ALL
# per-IP rate limiting off X-Real-IP, so setting it from $remote_addr is
# SECURITY-CRITICAL: a missing value collapses every client into one bucket
# and defeats the limiter. Mirrors the relay.floonet.dev vhost (same listen
# IP, same certbot webroot, same header set) minus the WebSocket upgrade,
# since the authority is a plain JSON/REST service.
server {
    listen 167.17.77.8:80;
    server_name nm.floonet.dev;
    location /.well-known/acme-challenge/ { root /var/www/acme-challenge; }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 167.17.77.8:443 ssl http2;
    server_name nm.floonet.dev;
    ssl_certificate /etc/letsencrypt/live/nm.floonet.dev/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nm.floonet.dev/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header X-Content-Type-Options "nosniff" always;
    access_log /var/log/nginx/nm.floonet.dev.access.log;
    error_log /var/log/nginx/nm.floonet.dev.error.log;

    # Registration / quote bodies are tiny JSON; cap to keep abuse cheap.
    client_max_body_size 16k;

    location / {
        proxy_pass http://127.0.0.1:8193;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 30s;
        proxy_send_timeout 30s;
    }
}
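The vhost comment calls the X-Real-IP header SECURITY-CRITICAL because the authority's limiter keys on it. The sketch below is an added illustration, not the floonet-authority code: a hypothetical sliding-window limiter with the sample policy of 5 requests per 60 s, showing how a missing header merges every client into one bucket, and how failing closed on a missing header avoids that.

```python
import time
from collections import defaultdict

RATE = 5        # constructed sample policy: requests per window
WINDOW = 60.0   # seconds


class RealIpLimiter:
    """Sliding-window per-IP limiter keyed on the X-Real-IP header (hypothetical)."""

    def __init__(self, rate=RATE, window=WINDOW, strict=True):
        self.rate, self.window, self.strict = rate, window, strict
        self.hits = defaultdict(list)  # key -> timestamps of recent requests

    def allow(self, headers, now=None):
        """Return True if the request may proceed, False if it is throttled."""
        now = time.monotonic() if now is None else now
        key = headers.get("X-Real-IP", "").strip()
        if not key:
            if self.strict:
                # Header absent means the proxy is misconfigured: fail closed
                # instead of sharing one bucket between every caller.
                return False
            key = "<missing>"  # lenient mode: everyone lands in this bucket
        bucket = self.hits[key]
        bucket[:] = [t for t in bucket if now - t < self.window]
        if len(bucket) >= self.rate:
            return False
        bucket.append(now)
        return True


def collapsed_bucket_demo(clients=6):
    """Lenient limiter, header missing: distinct clients share one bucket."""
    lim = RealIpLimiter(strict=False)
    return [lim.allow({}, now=0.0) for _ in range(clients)]


def keyed_bucket_demo(clients=6):
    """Strict limiter with X-Real-IP set: each client gets its own bucket."""
    lim = RealIpLimiter()
    # constructed sample addresses from the TEST-NET-3 documentation range
    return [lim.allow({"X-Real-IP": f"203.0.113.{i}"}, now=0.0) for i in range(clients)]
```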