be15c78121
Bundle that stands the bundled name authority up behind nginx at https://nm.floonet.dev in paid-name mode wired to the on-box GoblinPay:

* nm.floonet.dev.conf: nginx vhost mirroring the relay.floonet.dev pattern (same listen IP + certbot webroot), TLS -> 127.0.0.1:8193, sets X-Real-IP (which the per-IP rate limiter keys off).
* floonet-authority.service.d/10-us-east.conf: drop-in over the generic hardened unit: swaps DynamicUser for the stable unprivileged goblin account and relocates the DB into the /opt/goblin tree (one backup root), inheriting every other sandbox directive.
* floonet-authority.env.example: FLOONET_PAY_MODE=name, GOBLINPAY_URL at the loopback GoblinPay; the real GP token is filled from goblinpay.env at deploy time, never here.
* deploy.sh: idempotent runbook: build on-box, install, two-phase certbot (acme :80 -> cert -> :443), start. Never touches goblin-nip05d or firewalld.
41 lines
1.8 KiB
Bash
# /etc/floonet-authority.env — us-east production template (nm.floonet.dev).
#
# Copy to /etc/floonet-authority.env, fill GOBLINPAY_TOKEN from
# /opt/goblin/goblinpay/goblinpay.env (GP_API_TOKEN), then:
# install -m0640 -o root -g goblin floonet-authority.env /etc/floonet-authority.env
# Keep the real file (with the token) OUT of git — this is only the template.

# --- Identity ---
# Names are name@nm.floonet.dev; the well-known is served at this host, so the
# @domain and BASE_URL host must both equal nm.floonet.dev (the authority
# refuses to start otherwise). BASE_URL is load-bearing: NIP-98 `u`-tags are
# verified against <BASE_URL><path>.
FLOONET_DOMAIN=nm.floonet.dev
FLOONET_BASE_URL=https://nm.floonet.dev
FLOONET_RELAYS=wss://relay.floonet.dev
FLOONET_NAMES_BIND=127.0.0.1:8193
# FLOONET_NAMES_DB is set by the systemd drop-in:
# /opt/goblin/floonet-authority/names.db

# --- Paid names via GoblinPay (Grin), admin-priced ---
# off | name | write. `name` = claiming name@domain costs FLOONET_NAME_PRICE_GRIN.
FLOONET_PAY_MODE=name
FLOONET_NAME_PRICE_GRIN=1
# GoblinPay runs on the same box (goblin-pay.service, 127.0.0.1:8192). The
# authority calls {GOBLINPAY_URL}/invoice and GET /invoice/{id} server-side
# with a Bearer token; payers still land on GoblinPay's public hosted pay_url
# (GP_PUBLIC_URL). Loopback avoids a needless public round-trip.
GOBLINPAY_URL=http://127.0.0.1:8192
GOBLINPAY_TOKEN=__REPLACE_WITH_GP_API_TOKEN__
# Optional: instant settlement instead of polling. If set, point a GoblinPay
# webhook at https://nm.floonet.dev/api/v1/goblinpay/webhook.
#GOBLINPAY_WEBHOOK_SECRET=

# --- Rate-limit ceilings (per X-Real-IP; nginx sets it from $remote_addr) ---
FLOONET_READ_RATE_MAX=120
FLOONET_READ_RATE_WINDOW_SECS=60
FLOONET_WRITE_RATE_MAX=10
FLOONET_WRITE_RATE_WINDOW_SECS=3600

RUST_LOG=info
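The Identity block says BASE_URL is load-bearing because NIP-98 `u`-tags are checked against `<BASE_URL><path>`. The following is an added illustration of that tag-level check, not the authority's own code: it assumes the event signature has already been verified, uses a hypothetical request path `/api/v1/names`, and a 60-second freshness window chosen for the example.

```rust
// Added illustration (not the floonet authority's code): the tag-level checks a
// NIP-98 verifier applies once the event signature is known good. The `u` tag must
// equal <BASE_URL><path> exactly, which is why FLOONET_BASE_URL has to be the
// public https URL and not the loopback bind address the service listens on.

const NIP98_KIND: u32 = 27235;
const MAX_SKEW_SECS: i64 = 60; // assumed freshness window for this example

/// Minimal view of a signed Nostr event; the signature is assumed already checked.
pub struct Event<'a> {
    pub kind: u32,
    pub created_at: i64,
    pub tags: &'a [(&'a str, &'a str)],
}

/// First value of the named tag, if present.
fn tag<'a>(ev: &Event<'a>, name: &str) -> Option<&'a str> {
    ev.tags.iter().find(|(k, _)| *k == name).map(|(_, v)| *v)
}

/// Verify a NIP-98 auth event against the request the server actually saw.
/// `base_url` is FLOONET_BASE_URL; `path` is the request-target including query.
pub fn check_nip98(
    ev: &Event,
    base_url: &str,
    method: &str,
    path: &str,
    now: i64,
) -> Result<(), &'static str> {
    if ev.kind != NIP98_KIND {
        return Err("wrong event kind");
    }
    if (now - ev.created_at).abs() > MAX_SKEW_SECS {
        return Err("stale or future event");
    }
    let expected = format!("{}{}", base_url.trim_end_matches('/'), path);
    // Exact string match: a prefix or host-only comparison would accept a token
    // minted for a different path, query string or scheme on this host.
    match tag(ev, "u") {
        Some(u) if u == expected => {}
        _ => return Err("u tag does not match <BASE_URL><path>"),
    }
    match tag(ev, "method") {
        Some(m) if m.eq_ignore_ascii_case(method) => Ok(()),
        _ => Err("method tag mismatch"),
    }
}
```

With the loopback bind passed as `base_url` every request is rejected, which is the failure mode the template's comment warns about.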