C1: deploy adelaide-baby-shower-app to ringtail k3s (#349)

## Summary

Brings up the Adelaide / Heidi / Addie baby shower app on ringtail k3s with the public/private split that the app's hosting contract calls for: `shower.eblu.me` (public, via Fly proxy) and `shower.ops.eblu.me` (tailnet). App is consumed as a wheel from the Forgejo PyPI index — source lives at [`adelaide-baby-shower-app`](https://forge.eblu.me/eblume/adelaide-baby-shower-app).

### What's included

- **ArgoCD app + manifests** under `argocd/manifests/shower/` (deployment, service, ProxyGroup ingress, ConfigMap for `DJANGO_DEBUG`/`DJANGO_ADMIN_URL`, ExternalSecret for `DJANGO_SECRET_KEY` from 1Password item `Shower (blumeops)`, NFS PV on sifaka, RWX media PVC, RWO local-path data PVC for SQLite). Recreate rollout because SQLite is single-writer.
- **Public surface** (`fly/`): new `shower.eblu.me` server block proxying to `shower.ops.eblu.me`. `/admin/` returns 403 at the edge except `/admin/login/` and `/admin/logout/`, which are rate-limited via a new `shower_auth` zone. `X-Clacks-Overhead` on. GNU Terry Pratchett.
- **fail2ban** filter (`shower-admin-login.conf`) matching 401/403/429 on `/admin/login/` and jail (`shower.conf`) with `maxretry=5/findtime=600/bantime=3600`. The `nginx-deny` action was generalized to take a per-jail `nginx_deny_file` so the shower has its own deny list (forge keeps using the legacy default).
- **Caddy** route on indri (`shower.ops.eblu.me` → `https://shower.tail8d86e.ts.net`).
- **Pulumi** Gandi CNAME `shower.eblu.me → blumeops-proxy.fly.dev.`.
- **Grafana** APM dashboard `configmap-shower-apm.yaml` (request rate, error rate, failed admin login count, latency percentiles, bandwidth, access logs) mirroring `docs-apm.json` with a `host="shower.eblu.me"` filter.
- **Container** `containers/shower/default.nix` — `dockerTools.buildLayeredImage` with a nixpkgs Python and a startup wrapper that creates `/app/data/.venv`, pip-installs `adelaide-baby-shower-app==1.0.0` from the forge PyPI index on first boot, runs migrations + collectstatic, and execs gunicorn. A `local_settings.py` shim pins `DATABASES.NAME`/`MEDIA_ROOT`/`STATIC_ROOT` to absolute paths so they don't end up in site-packages.
- **Docs** runbook at `docs/how-to/operations/shower-app.md` linked from the apps registry, plus changelog fragments.

### Defense layers on the public surface

1. fly nginx geo+fail2ban `$shower_banned` (per-service deny list)
2. fly nginx `limit_req zone=shower_auth` (3 r/s per Fly-Client-IP)
3. django-axes (5 fails / 1h, keyed on username+ip_address)
4. edge `/admin/` block (returns 403 for anything that isn't login/logout)

## Prerequisites for the user to do (NOT in this PR)

Halted on these per request — they touch shared/manual systems:

- [x] **NFS share** on sifaka: `/volume1/shower`, NFS rule for ringtail RW, `chown 1000:1000`
- [ ] **1Password item** `Shower (blumeops)` in the blumeops vault with a freshly minted `secret-key` field (`openssl rand -base64 48`) — do NOT reuse anything that has lived in git
- [ ] **Container build**: `mise run container-build-and-release shower`, then update `images[].newTag` in `argocd/manifests/shower/kustomization.yaml` to the resulting `v1.0.0-<sha>-nix`
- [x] **DNS**: `mise run dns-up` after merge
- [x] **Fly cert**: `fly certs add shower.eblu.me -a blumeops-proxy`
- [ ] **Caddy push**: `mise run provision-indri -- --tags caddy`
- [ ] **Fly redeploy** to pick up the new nginx block + fail2ban jail: `mise run fly-deploy`
- [ ] **ArgoCD sync**: `argocd app set shower --revision shower-app-deploy && argocd app sync shower` to test from this branch before merging

## Test plan

- [ ] Container builds successfully on nix-container-builder runner
- [ ] Pod starts, migrations run, gunicorn answers on :8000
- [ ] `kubectl --context=k3s-ringtail -n shower logs deploy/shower` clean
- [ ] `curl -sf https://shower.ops.eblu.me/` returns the splash page (tailnet)
- [ ] `curl -I -H "Host: shower.eblu.me" https://blumeops-proxy.fly.dev/` returns 200 (pre-DNS verification)
- [ ] `curl -I -H "Host: shower.eblu.me" https://blumeops-proxy.fly.dev/admin/users/` returns 403 (edge block)
- [ ] `curl -I -H "Host: shower.eblu.me" https://blumeops-proxy.fly.dev/admin/login/` returns a Django login response
- [ ] After DNS is up: `curl -I https://shower.eblu.me/` returns 200 with `X-Clacks-Overhead`
- [ ] Grafana dashboard "Shower APM" appears and starts showing traffic
- [ ] `mise run services-check` passes

Reviewed-on: #349

fly/fail2ban/action.d/nginx-deny.conf

@@ -2,13 +2,22 @@
 # Standard iptables banning won't work in Fly.io because $remote_addr
 # is Fly's internal proxy IP. Instead, we write banned IPs to a file
 # that nginx checks via a geo directive keyed on $http_fly_client_ip.
+#
+# The deny file is per-service: each jail sets `nginx_deny_file = ...`
+# (see jail.d/*.conf) and a matching `geo $http_fly_client_ip $..._banned`
+# block in nginx.conf includes the same path.
 
 [Definition]
 
-actionban = echo "<ip> 1;" >> /etc/nginx/forge-deny.conf && nginx -s reload
+actionban = echo "<ip> 1;" >> <nginx_deny_file> && nginx -s reload
 
-actionunban = sed -i '/<ip> 1;/d' /etc/nginx/forge-deny.conf && nginx -s reload
+actionunban = sed -i '/<ip> 1;/d' <nginx_deny_file> && nginx -s reload
 
 actionstart =
 actionstop =
 actioncheck =
+
+[Init]
+
+# Default for jails that don't override (preserves forge behaviour).
+nginx_deny_file = /etc/nginx/forge-deny.conf

fly/nginx.conf

@@ -34,6 +34,15 @@ http {
     # bucket. $http_fly_client_ip has the actual client IP.
     limit_req_zone $http_fly_client_ip zone=forge_auth:10m rate=3r/s;
 
+    # Shower-specific zone: loose enough that ~30 guests sharing a single
+    # venue-wifi NAT'd public IP can all scan the QR and load the splash
+    # (HTML + a handful of static asset hits each) without anyone tripping
+    # the limit. 50r/s + burst=200 covers the simultaneous-load spike;
+    # exploit scanners still trip it (e.g. the .env-sweeping bot we saw
+    # fired ~30 req in 2s — that pattern stays caught). See the
+    # shower.eblu.me server block for the matching `limit_req`.
+    limit_req_zone $http_fly_client_ip zone=shower_general:10m rate=50r/s;
+
     # fail2ban deny list — banned IPs are written here by fail2ban and
     # checked via the $forge_banned variable. The file is touched at
     # container start to ensure it exists.
@@ -184,6 +193,23 @@ http {
             return 200 "User-agent: *\nDisallow: /mirrors/\nDisallow: /user/\nDisallow: /users/\nDisallow: /*/archive/\nDisallow: /*/releases/download/\n";
         }
 
+        # Block the package registry at the public edge. Forgejo's per-user
+        # visibility model treats packages as world-readable when the owner
+        # has Visibility=Public — which means anyone on the internet can
+        # enumerate and download every wheel/sdist/generic artifact, even
+        # for private-repo releases (the sdist contains full source). We
+        # like keeping eblume's profile public, so we close the hole here
+        # at the proxy instead: WAN sees 403, tailnet (forge.ops.eblu.me)
+        # stays open for legitimate consumers (CI workflows, gilbert).
+        # See docs/tutorials/expose-service-publicly.md for the broader
+        # threat model on this proxy.
+        location /api/packages/ {
+            return 403 "Package downloads are tailnet-only — use forge.ops.eblu.me.\n";
+        }
+        location /api/v1/packages {
+            return 403 "Package enumeration is tailnet-only — use forge.ops.eblu.me.\n";
+        }
+
         # Block swagger API docs — use forge.ops.eblu.me from tailnet
         location /swagger {
             return 403 "API documentation is only available at forge.ops.eblu.me (tailnet).\n";
@@ -288,6 +314,140 @@ http {
         }
     }
 
+    # --- shower.eblu.me (Adelaide baby shower — guest-only public surface) ---
+    # Only the guest paths (`/`, `/prizes/<token>/`, /static/, /media/) are
+    # exposed on WAN. /host/, /admin/, and Django's login views are blocked
+    # at the edge with a 403 pointing at the tailnet hostname — staff sign
+    # in on shower.ops.eblu.me, which is reachable from any device with
+    # Tailscale installed. Defense layers reduce to: general per-IP rate
+    # limit + django-axes (5 fails / 1h) on the tailnet-side login. No
+    # fail2ban needed here because the public surface no longer takes
+    # credentials of any kind.
+    server {
+        listen 8080;
+        server_name shower.eblu.me;
+
+        # Per-IP rate limit. shower_general (50r/s, burst=200) instead of
+        # the global `general` zone because at the party, guests on the
+        # venue's wifi all NAT through a single Fly-Client-IP — 30 guests
+        # scanning the QR at once would each fetch HTML + a few static
+        # assets, easily clearing 20 burst on `general`. Exploit scanners
+        # still trip it (sustained ≫ 50r/s patterns).
+        limit_req zone=shower_general burst=200 nodelay;
+
+        # Image uploads from /host/'s prize cropper are ~150-300 KiB JPEGs.
+        # The host page itself isn't reachable here, but /media/ reads can
+        # be larger than 1 MiB so set the cap to 5 MiB to match Django.
+        client_max_body_size 5m;
+
+        # Security headers — HSTS matches Django's SECURE_HSTS_SECONDS.
+        add_header X-Frame-Options "DENY" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header Referrer-Policy "same-origin" always;
+        # GNU Terry Pratchett — keep the name moving.
+        add_header X-Clacks-Overhead "GNU Terry Pratchett" always;
+
+        error_page 502 503 504 /error.html;
+        location = /error.html {
+            root /usr/share/nginx/html;
+            internal;
+        }
+
+        # Reject indexers — there's nothing here we want crawled.
+        location = /robots.txt {
+            default_type text/plain;
+            return 200 "User-agent: *\nDisallow: /\n";
+        }
+
+        # Admin surface: tailnet-only. Anything under /admin/ — login,
+        # logout, CRUD UI, password reset — returns 403 with a pointer to
+        # the tailnet host. Django's `staff_member_required` will redirect
+        # /host/ to /admin/login/, which lands on this 403 if a guest
+        # device wanders into it. Staff hit the tailnet host directly.
+        location /admin/ {
+            return 403 "Authentication is tailnet-only — visit shower.ops.eblu.me.\n";
+        }
+
+        # Operator console: tailnet-only. Same rationale as /admin/.
+        location /host/ {
+            return 403 "The host console is tailnet-only — visit shower.ops.eblu.me.\n";
+        }
+
+        # Static assets — WhiteNoise + CompressedManifestStaticFilesStorage
+        # gives content-hashed filenames, so cache aggressively. Hashed
+        # names make cache invalidation automatic on app upgrades.
+        location /static/ {
+            proxy_pass https://indri_backend$request_uri;
+            proxy_ssl_verify off;
+            proxy_ssl_server_name on;
+            proxy_ssl_name shower.ops.eblu.me;
+
+            proxy_http_version 1.1;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_set_header Host shower.ops.eblu.me;
+            proxy_set_header X-Real-IP $http_fly_client_ip;
+            proxy_set_header X-Forwarded-For $http_fly_client_ip;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            proxy_cache services;
+            proxy_cache_valid 200 1y;
+            proxy_cache_valid 404 1m;
+            proxy_cache_use_stale error timeout updating;
+            proxy_cache_lock on;
+            proxy_cache_key $host$uri;
+            proxy_ignore_headers Cache-Control Set-Cookie;
+
+            add_header X-Cache-Status $upstream_cache_status;
+        }
+
+        # Prize photo uploads. Shorter TTL than /static/ because filenames
+        # aren't content-hashed — operators can re-upload a prize photo
+        # and we want guests to see the new image within a day.
+        location /media/ {
+            proxy_pass https://indri_backend$request_uri;
+            proxy_ssl_verify off;
+            proxy_ssl_server_name on;
+            proxy_ssl_name shower.ops.eblu.me;
+
+            proxy_http_version 1.1;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_set_header Host shower.ops.eblu.me;
+            proxy_set_header X-Real-IP $http_fly_client_ip;
+            proxy_set_header X-Forwarded-For $http_fly_client_ip;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            proxy_cache services;
+            proxy_cache_valid 200 1d;
+            proxy_cache_valid 404 1m;
+            proxy_cache_use_stale error timeout updating;
+            proxy_cache_lock on;
+            proxy_cache_key $host$uri;
+            proxy_ignore_headers Cache-Control Set-Cookie;
+
+            add_header X-Cache-Status $upstream_cache_status;
+        }
+
+        location / {
+            proxy_pass https://indri_backend$request_uri;
+            proxy_ssl_verify off;
+            proxy_ssl_server_name on;
+            proxy_ssl_name shower.ops.eblu.me;
+            proxy_intercept_errors on;
+
+            # No proxy_cache — dynamic content with sessions and CSRF.
+
+            proxy_set_header Host shower.ops.eblu.me;
+            proxy_set_header X-Real-IP $http_fly_client_ip;
+            proxy_set_header X-Forwarded-For $http_fly_client_ip;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+        }
+    }
+
     # Catch-all: reject unknown hosts, but serve health check
     server {
         listen 8080 default_server;

fly/start.sh

@@ -20,6 +20,7 @@ done
 echo "MagicDNS ready"
 
 # Ensure fail2ban deny file exists before nginx starts
+# (the geo directive's `include` fails if the file is missing).
 touch /etc/nginx/forge-deny.conf
 
 # Start nginx — MagicDNS is available, upstreams resolved.