be15c78121
Bundle that stands the bundled name authority up behind nginx at https://nm.floonet.dev in paid-name mode wired to the on-box GoblinPay:

* nm.floonet.dev.conf nginx vhost mirroring the relay.floonet.dev pattern (same listen IP + certbot webroot), TLS -> 127.0.0.1:8193, sets X-Real-IP (which the per-IP rate limiter keys off).
* floonet-authority.service.d/10-us-east.conf drop-in over the generic hardened unit: swaps DynamicUser for the stable unprivileged goblin account and relocates the DB into the /opt/goblin tree (one backup root), inheriting every other sandbox directive.
* floonet-authority.env.example FLOONET_PAY_MODE=name, GOBLINPAY_URL at the loopback GoblinPay; the real GP token is filled from goblinpay.env at deploy time, never here.
* deploy.sh idempotent runbook: build on-box, install, two-phase certbot (acme :80 -> cert -> :443), start. Never touches goblin-nip05d or firewalld.
28 lines
1.2 KiB
Plaintext
floonet-authority.service.d/10-us-east.conf

```ini
# us-east production overrides for the generic hardened unit
# (deploy/systemd/floonet-authority.service).
#
# The box keeps every Goblin service's data under /opt/goblin (a single backup
# root) and runs them as the unprivileged `goblin` account, so we swap the
# generic unit's DynamicUser for a stable owner and relocate the writable path.
# The base unit's own comment sanctions exactly this ("If you need a stable
# owner for the data dir ... set User="). Every other hardening directive from
# the base unit (ProtectSystem=strict, NoNewPrivileges, ProtectHome, the
# @system-service syscall filter, RestrictAddressFamilies, ...) is inherited
# unchanged — goblin's home is /opt/goblin/nip05d, not under /home, so
# ProtectHome=yes stays safe.
[Service]
DynamicUser=no
User=goblin
Group=goblin

# The base unit ships StateDirectory=floonet-authority plus a matching
# /var/lib writable path. Clear both (empty assignment resets the list) and
# point everything at the /opt/goblin tree instead.
StateDirectory=
ReadWritePaths=
ReadWritePaths=/opt/goblin/floonet-authority
WorkingDirectory=/opt/goblin/floonet-authority

# Applied after the base unit, so this wins over the base Environment= line.
Environment=FLOONET_NAMES_DB=/opt/goblin/floonet-authority/names.db
```
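The drop-in's comments rely on two systemd merge rules: an empty assignment to a list-valued directive (`StateDirectory=`, `ReadWritePaths=`) discards what the base unit accumulated, and a later `Environment=VAR=...` for the same variable replaces the earlier value. The Python script below is an added illustration, not part of the floonet deploy tree: it emulates that merge for the handful of directives the override touches, then checks that the effective `[Service]` section is what the comments promise. The base-unit text is constructed from what the drop-in's comments say about it (the exact `/var/lib` path and directive set are assumptions); the drop-in body is the one above.

```python
"""Emulate systemd's unit + drop-in merge for a few directives and verify the
us-east override. Added example, not the floonet project's own code."""
import shlex

# Directives systemd treats as lists: assignments append, an empty assignment
# resets the accumulated list. Everything else is last-writer-wins.
LIST_DIRECTIVES = {
    "StateDirectory", "ReadWritePaths", "Environment",
    "RestrictAddressFamilies", "SystemCallFilter",
}

# Constructed stand-in for deploy/systemd/floonet-authority.service. The
# /var/lib path and the directive set are assumptions for this example only.
BASE_UNIT = """\
[Service]
DynamicUser=yes
StateDirectory=floonet-authority
ReadWritePaths=/var/lib/floonet-authority
Environment=FLOONET_NAMES_DB=/var/lib/floonet-authority/names.db
ProtectSystem=strict
ProtectHome=yes
NoNewPrivileges=yes
SystemCallFilter=@system-service
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
"""

# The directives from 10-us-east.conf above, comments stripped.
DROPIN_US_EAST = """\
[Service]
DynamicUser=no
User=goblin
Group=goblin
StateDirectory=
ReadWritePaths=
ReadWritePaths=/opt/goblin/floonet-authority
WorkingDirectory=/opt/goblin/floonet-authority
Environment=FLOONET_NAMES_DB=/opt/goblin/floonet-authority/names.db
"""


def parse_unit(text):
    """Yield (section, key, value) in file order; comments and blanks skipped."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep or section is None:
            raise ValueError(f"malformed unit line: {raw!r}")
        yield section, key.strip(), value.strip()


def merge_units(base, dropins):
    """Apply drop-ins to the base unit in systemd order (sorted by file name).
    Returns {section: {key: str | list[str]}}."""
    merged = {}
    for _name, text in [("unit", base)] + sorted(dropins):
        for section, key, value in parse_unit(text):
            sect = merged.setdefault(section, {})
            if key in LIST_DIRECTIVES:
                if value == "":
                    sect[key] = []          # empty assignment resets the list
                else:
                    sect.setdefault(key, []).extend(shlex.split(value))
            else:
                sect[key] = value           # scalar: last writer wins
    return merged


def effective_environment(service):
    """Fold Environment= entries into a dict; a later VAR= for the same VAR wins."""
    env = {}
    for item in service.get("Environment", []):
        var, _, val = item.partition("=")
        env[var] = val
    return env


def effective_service():
    """Merge the constructed base unit with the 10-us-east.conf drop-in."""
    return merge_units(BASE_UNIT, [("10-us-east.conf", DROPIN_US_EAST)])["Service"]


def check_override(service):
    """Return a list of problems with the merged [Service] (empty means OK)."""
    problems = []
    if service.get("DynamicUser") != "no" or service.get("User") != "goblin":
        problems.append("not running as the stable goblin account")
    if service.get("StateDirectory"):
        problems.append("StateDirectory still set; a /var/lib dir would be created")
    paths = service.get("ReadWritePaths", [])
    if paths != ["/opt/goblin/floonet-authority"]:
        problems.append(f"unexpected writable paths: {paths}")
    db = effective_environment(service).get("FLOONET_NAMES_DB", "")
    if not any(db.startswith(p + "/") for p in paths):
        problems.append(f"FLOONET_NAMES_DB={db!r} is outside every writable path")
    for directive in ("ProtectSystem", "ProtectHome", "NoNewPrivileges"):
        if directive not in service:
            problems.append(f"{directive} lost in merge")
    return problems


if __name__ == "__main__":
    svc = effective_service()
    for key, val in svc.items():
        print(f"{key}={val}")
    print("problems:", check_override(svc) or "none")
```

On the box itself the equivalent check is `systemctl cat floonet-authority` (shows the unit followed by each drop-in) and `systemctl show -p User,DynamicUser,StateDirectory,ReadWritePaths,Environment floonet-authority` for the merged result. One consequence of clearing `StateDirectory=` is worth planning for in deploy.sh: systemd no longer creates or chowns the data directory, so `/opt/goblin/floonet-authority` has to exist and be owned by `goblin` before the first start, and under the inherited `ProtectSystem=strict` it is the only path the service can write to.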