floonet-strfry/deploy/us-east/floonet-authority.service.d/10-us-east.conf
2ro be15c78121 floonet-strfry: us-east production deploy bundle for the nm.floonet.dev name authority
Bundle that stands the bundled name authority up behind nginx at
https://nm.floonet.dev in paid-name mode wired to the on-box GoblinPay:

  * nm.floonet.dev.conf         nginx vhost mirroring the relay.floonet.dev
                                pattern (same listen IP + certbot webroot),
                                TLS -> 127.0.0.1:8193, sets X-Real-IP (which
                                the per-IP rate limiter keys off).
  * floonet-authority.service.d/10-us-east.conf
                                drop-in over the generic hardened unit: swaps
                                DynamicUser for the stable unprivileged goblin
                                account and relocates the DB into the
                                /opt/goblin tree (one backup root), inheriting
                                every other sandbox directive.
  * floonet-authority.env.example
                                FLOONET_PAY_MODE=name, GOBLINPAY_URL at the
                                loopback GoblinPay; the real GP token is filled
                                from goblinpay.env at deploy time, never here.
  * deploy.sh                   idempotent runbook: build on-box, install,
                                two-phase certbot (acme :80 -> cert -> :443),
                                start. Never touches goblin-nip05d or firewalld.
2026-07-03 03:15:38 -04:00


# us-east production overrides for the generic hardened unit
# (deploy/systemd/floonet-authority.service).
#
# The box keeps every Goblin service's data under /opt/goblin (a single backup
# root) and runs them as the unprivileged `goblin` account, so we swap the
# generic unit's DynamicUser for a stable owner and relocate the writable path.
# The base unit's own comment sanctions exactly this ("If you need a stable
# owner for the data dir ... set User="). Every other hardening directive from
# the base unit (ProtectSystem=strict, NoNewPrivileges, ProtectHome, the
# @system-service syscall filter, RestrictAddressFamilies, ...) is inherited
# unchanged — goblin's home is /opt/goblin/nip05d, not under /home, so
# ProtectHome=yes stays safe.
[Service]
DynamicUser=no
User=goblin
Group=goblin
# The base unit ships StateDirectory=floonet-authority plus a matching
# /var/lib writable path. Clear both (empty assignment resets the list) and
# point everything at the /opt/goblin tree instead.
StateDirectory=
ReadWritePaths=
ReadWritePaths=/opt/goblin/floonet-authority
WorkingDirectory=/opt/goblin/floonet-authority
# Applied after the base unit, so this wins over the base Environment= line.
Environment=FLOONET_NAMES_DB=/opt/goblin/floonet-authority/names.db
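
Added example, not part of the repository: a small Python model of how systemd applies this drop-in over the base unit, showing why the empty `ReadWritePaths=` line matters. `BASE` is a constructed stand-in for the base unit (its /var/lib path and Environment value are assumptions), and `merge`, `effective_env` and `audit` are hypothetical helper names.

```python
# Settings that accumulate across files; an empty assignment resets them.
LIST_KEYS = {"ReadWritePaths", "StateDirectory", "Environment"}
# Constructed stand-in for the base unit: only directives the drop-in's comments
# name; the /var/lib path and the Environment value are assumed.
BASE = """\
[Service]
DynamicUser=yes
StateDirectory=floonet-authority
ReadWritePaths=/var/lib/floonet-authority
Environment=FLOONET_NAMES_DB=/var/lib/floonet-authority/names.db
ProtectSystem=strict
NoNewPrivileges=yes
ProtectHome=yes
"""
# Directives copied from the drop-in shown on this page.
DROPIN = """\
[Service]
DynamicUser=no
User=goblin
Group=goblin
StateDirectory=
ReadWritePaths=
ReadWritePaths=/opt/goblin/floonet-authority
WorkingDirectory=/opt/goblin/floonet-authority
Environment=FLOONET_NAMES_DB=/opt/goblin/floonet-authority/names.db
"""

def merge(*units):
    """Apply unit text in order (base first); return effective [Service] settings."""
    eff = {}
    for text in units:
        for raw in text.splitlines():
            key, sep, value = raw.strip().partition("=")
            if not sep or key.startswith(("#", ";")):
                continue                      # section headers, blanks, comments
            if key not in LIST_KEYS:
                eff[key] = value              # scalar: last assignment wins
            elif value == "":
                eff[key] = []                 # empty assignment resets the list
            else:
                eff.setdefault(key, []).extend(value.split())  # otherwise append
    return eff

def effective_env(eff):  # a later assignment of the same variable wins
    return dict(item.split("=", 1) for item in eff.get("Environment", []))

def audit(eff):
    """Findings: write paths outside /opt/goblin, or a changed hardening directive."""
    bad = [p for p in eff.get("ReadWritePaths", []) if not p.startswith("/opt/goblin/")]
    want = {"ProtectSystem": "strict", "NoNewPrivileges": "yes", "ProtectHome": "yes"}
    return bad + [k for k, v in want.items() if eff.get(k) != v]
```

On the host, `systemctl show floonet-authority.service -p ReadWritePaths -p StateDirectory -p User` reports the merged values systemd actually applied.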