7205ddbafd
Serve the authority's NIP-05 lookup on the relay's own domain so `name@relay.example` resolves, without giving the authority a second vhost/cert.

Live on us-east: relay.floonet.dev now answers /.well-known/nostr.json from the co-located authority (127.0.0.1:8193) while the WebSocket relay and NIP-11 stay untouched.

* deploy/us-east/colocated-authority.conf
  The nginx opt-in: an exact-match `location = /.well-known/nostr.json` proxied to the authority ahead of the relay's WebSocket catch-all. Only the READ path is exposed; registration and the rest of /api/* stay on the authority's own domain. Sets X-Real-IP (the per-IP rate limiter keys off it). Same proxy shape as nm.floonet.dev.conf.
* README.md — "Co-locating names on the relay domain": the Caddy/compose stack is co-located by default (single FLOONET_DOMAIN); a split nginx deploy opts in with the snippet. Documents FLOONET_AUTHORITY_COLOCATED.
* deploy/Caddyfile, .env.example — note the single-domain stack is co-located by default and point split deploys at the snippet.

The box vhost mirrors this snippet exactly; applied with nginx -t + reload (no restart), firewalld untouched.
31 lines
1.5 KiB
Plaintext
# Co-located Floonet name authority — the FLOONET_AUTHORITY_COLOCATED=on toggle.
#
# Serve NIP-05 names on the RELAY's own domain (so `name@relay.example`
# resolves) WITHOUT giving the authority its own vhost/cert. This is only
# needed for a split deploy where the relay and the authority live on separate
# subdomains behind nginx (the deploy/us-east/ pattern: relay.floonet.dev +
# nm.floonet.dev). The Docker Compose / Caddy stack is already co-located on a
# single FLOONET_DOMAIN, so it does not need this file.
#
# ENABLE (== FLOONET_AUTHORITY_COLOCATED=on): include this inside the relay's
# `:443` server block, BEFORE its `location /` WebSocket catch-all, e.g.
#
#     include /etc/nginx/snippets/floonet-colocated-authority.conf;
#
# then `nginx -t && nginx -s reload`. DISABLE by removing the include.
#
# Only the exact-match READ lookup is exposed; registration and the rest of
# /api/* stay on the authority's own domain. The `location =` exact match wins
# over the relay catch-all regardless of file order, but keep it above
# `location /` for readability.
#
# Port 8193 is this box's authority bind (FLOONET_NAMES_BIND); the compose
# stack uses 8191 — match your own. X-Real-IP is SECURITY-CRITICAL: the
# authority keys ALL per-IP rate limiting off it, so a missing value collapses
# every client into one bucket and defeats the limiter.

location = /.well-known/nostr.json {
    proxy_pass http://127.0.0.1:8193;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}
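The snippet's comment calls X-Real-IP security-critical because the authority keys all per-IP rate limiting off it. The following Python model is an added example for this page, not Floonet's authority code: a minimal NIP-05 read-path handler behind a reverse proxy with a sliding-window limiter, showing how a missing header collapses every client into one bucket, and a fail-closed variant that refuses such requests instead. The limit, window, name table, status codes and function names are assumptions for illustration.

```python
"""Model of an X-Real-IP-keyed per-IP limiter in front of a NIP-05 lookup.

Added example, not Floonet's code. Assumes the authority only ever sits
behind a proxy (nginx/Caddy) that is responsible for setting X-Real-IP.
"""
import re
from collections import deque
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: one registered local-part -> 64-hex pubkey (fake).
NAMES = {"alice": "ab" * 32}

LOOKUP_PATH = "/.well-known/nostr.json"
# NIP-05 local-parts are restricted to a-z0-9-_. (case-insensitive).
NAME_RE = re.compile(r"[a-z0-9._-]{1,64}")


class SlidingWindowLimiter:
    """Allow at most `limit` hits per key within any `window` seconds."""

    def __init__(self, limit=60, window=60.0):
        self.limit = limit
        self.window = window
        self.hits = {}  # key -> deque of hit timestamps

    def allow(self, key, now):
        q = self.hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle(path, headers, limiter, now, strict=True):
    """Serve GET /.well-known/nostr.json?name=<local-part>; return (status, body).

    strict=True  : fail closed when the proxy did not set X-Real-IP (400).
    strict=False : key the limiter on the raw header value, so a missing
                   header keys every client on '' and they share one bucket,
                   which is the failure the nginx comment warns about.
    Falling back to the socket peer address would not help here: behind a
    loopback-only proxy every request arrives from 127.0.0.1.
    """
    parts = urlsplit(path)
    if parts.path != LOOKUP_PATH:
        return 404, {"error": "not found"}

    real_ip = headers.get("X-Real-IP", "").strip()
    if strict and not real_ip:
        return 400, {"error": "missing X-Real-IP"}
    if not limiter.allow(real_ip, now):
        return 429, {"error": "rate limited"}

    name = parse_qs(parts.query).get("name", [""])[0].lower()
    if not NAME_RE.fullmatch(name):
        return 400, {"error": "invalid name"}
    pubkey = NAMES.get(name)
    if pubkey is None:
        return 404, {"names": {}}  # assumed not-found shape
    return 200, {"names": {name: pubkey}}


if __name__ == "__main__":
    lim = SlidingWindowLimiter(limit=3)
    for i in range(4):
        status, _ = handle(LOOKUP_PATH + "?name=alice",
                           {"X-Real-IP": "198.51.100.7"}, lim, now=100.0 + i)
        print("client A request", i + 1, "->", status)
    print("no header, strict ->", handle(LOOKUP_PATH + "?name=alice", {}, lim, now=100.0)[0])
```

Run it with `python3 lookup_model.py` to see the fourth request from one client get 429 while a request with no X-Real-IP is refused outright; set `strict=False` and send several header-less requests to watch them all drain the single shared bucket.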