Erich Blume
292d354902
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m12s
## Summary Brings up the Adelaide / Heidi / Addie baby shower app on ringtail k3s with the public/private split that the app's hosting contract calls for: `shower.eblu.me` (public, via Fly proxy) and `shower.ops.eblu.me` (tailnet). App is consumed as a wheel from the Forgejo PyPI index — source lives at [`adelaide-baby-shower-app`](https://forge.eblu.me/eblume/adelaide-baby-shower-app). ### What's included - **ArgoCD app + manifests** under `argocd/manifests/shower/` (deployment, service, ProxyGroup ingress, ConfigMap for `DJANGO_DEBUG`/`DJANGO_ADMIN_URL`, ExternalSecret for `DJANGO_SECRET_KEY` from 1Password item `Shower (blumeops)`, NFS PV on sifaka, RWX media PVC, RWO local-path data PVC for SQLite). Recreate rollout because SQLite is single-writer. - **Public surface** (`fly/`): new `shower.eblu.me` server block proxying to `shower.ops.eblu.me`. `/admin/` returns 403 at the edge except `/admin/login/` and `/admin/logout/`, which are rate-limited via a new `shower_auth` zone. `X-Clacks-Overhead` on. GNU Terry Pratchett. - **fail2ban** filter (`shower-admin-login.conf`) matching 401/403/429 on `/admin/login/` and jail (`shower.conf`) with `maxretry=5/findtime=600/bantime=3600`. The `nginx-deny` action was generalized to take a per-jail `nginx_deny_file` so the shower has its own deny list (forge keeps using the legacy default). - **Caddy** route on indri (`shower.ops.eblu.me` → `https://shower.tail8d86e.ts.net`). - **Pulumi** Gandi CNAME `shower.eblu.me → blumeops-proxy.fly.dev.`. - **Grafana** APM dashboard `configmap-shower-apm.yaml` (request rate, error rate, failed admin login count, latency percentiles, bandwidth, access logs) mirroring `docs-apm.json` with a `host="shower.eblu.me"` filter. - **Container** `containers/shower/default.nix` — `dockerTools.buildLayeredImage` with a nixpkgs Python and a startup wrapper that creates `/app/data/.venv`, pip-installs `adelaide-baby-shower-app==1.0.0` from the forge PyPI index on first boot, runs migrations + collectstatic, and execs gunicorn. A `local_settings.py` shim pins `DATABASES.NAME`/`MEDIA_ROOT`/`STATIC_ROOT` to absolute paths so they don't end up in site-packages. - **Docs** runbook at `docs/how-to/operations/shower-app.md` linked from the apps registry, plus changelog fragments. ### Defense layers on the public surface 1. fly nginx geo+fail2ban `$shower_banned` (per-service deny list) 2. fly nginx `limit_req zone=shower_auth` (3 r/s per Fly-Client-IP) 3. django-axes (5 fails / 1h, keyed on username+ip_address) 4. edge `/admin/` block (returns 403 for anything that isn't login/logout) ## Prerequisites for the user to do (NOT in this PR) Halted on these per request — they touch shared/manual systems: - [x] **NFS share** on sifaka: `/volume1/shower`, NFS rule for ringtail RW, `chown 1000:1000` - [ ] **1Password item** `Shower (blumeops)` in the blumeops vault with a freshly minted `secret-key` field (`openssl rand -base64 48`) — do NOT reuse anything that has lived in git - [ ] **Container build**: `mise run container-build-and-release shower`, then update `images[].newTag` in `argocd/manifests/shower/kustomization.yaml` to the resulting `v1.0.0-<sha>-nix` - [x] **DNS**: `mise run dns-up` after merge - [x] **Fly cert**: `fly certs add shower.eblu.me -a blumeops-proxy` - [ ] **Caddy push**: `mise run provision-indri -- --tags caddy` - [ ] **Fly redeploy** to pick up the new nginx block + fail2ban jail: `mise run fly-deploy` - [ ] **ArgoCD sync**: `argocd app set shower --revision shower-app-deploy && argocd app sync shower` to test from this branch before merging ## Test plan - [ ] Container builds successfully on nix-container-builder runner - [ ] Pod starts, migrations run, gunicorn answers on :8000 - [ ] `kubectl --context=k3s-ringtail -n shower logs deploy/shower` clean - [ ] `curl -sf https://shower.ops.eblu.me/` returns the splash page (tailnet) - [ ] `curl -I -H "Host: shower.eblu.me" https://blumeops-proxy.fly.dev/` returns 200 (pre-DNS verification) - [ ] `curl -I -H "Host: shower.eblu.me" https://blumeops-proxy.fly.dev/admin/users/` returns 403 (edge block) - [ ] `curl -I -H "Host: shower.eblu.me" https://blumeops-proxy.fly.dev/admin/login/` returns a Django login response - [ ] After DNS is up: `curl -I https://shower.eblu.me/` returns 200 with `X-Clacks-Overhead` - [ ] Grafana dashboard "Shower APM" appears and starts showing traffic - [ ] `mise run services-check` passes Reviewed-on: #349
46 lines
1.6 KiB
Bash
46 lines
1.6 KiB
Bash
#!/bin/sh
|
|
set -e
|
|
|
|
# Connect to tailnet first — nginx needs MagicDNS for upstream resolution.
|
|
# With bluegreen deploys, the old machine serves traffic until this one is
|
|
# fully ready. Fly.io runs Firecracker microVMs that support TUN devices
|
|
# natively — no need for --tun=userspace-networking.
|
|
tailscaled --statedir=/var/lib/tailscale --port=41641 &
|
|
sleep 2
|
|
tailscale up --authkey="${TS_AUTHKEY}" --hostname=flyio-proxy
|
|
until tailscale status > /dev/null 2>&1; do sleep 1; done
|
|
echo "Tailscale connected"
|
|
|
|
# Wait for MagicDNS to be ready — upstream blocks resolve DNS at config
|
|
# load, so nginx will fail to start if MagicDNS can't resolve yet.
|
|
echo "Waiting for MagicDNS..."
|
|
until nslookup forge.tail8d86e.ts.net 100.100.100.100 > /dev/null 2>&1; do
|
|
sleep 1
|
|
done
|
|
echo "MagicDNS ready"
|
|
|
|
# Ensure fail2ban deny file exists before nginx starts
|
|
# (the geo directive's `include` fails if the file is missing).
|
|
touch /etc/nginx/forge-deny.conf
|
|
|
|
# Start nginx — MagicDNS is available, upstreams resolved.
|
|
nginx -g "daemon off;" &
|
|
NGINX_PID=$!
|
|
echo "Nginx started"
|
|
|
|
# Start fail2ban for login brute-force protection.
|
|
# Non-fatal — nginx rate limiting is the primary defense; fail2ban is additive.
|
|
if fail2ban-server -b; then
|
|
echo "fail2ban started"
|
|
else
|
|
echo "WARNING: fail2ban failed to start (nginx rate limiting still active)"
|
|
fi
|
|
|
|
# Start Alloy for observability (logs → Loki, metrics → Prometheus)
|
|
alloy run /etc/alloy/config.alloy \
|
|
--server.http.listen-addr=127.0.0.1:12345 \
|
|
--storage.path=/tmp/alloy-data &
|
|
echo "Alloy started"
|
|
|
|
# Block on nginx — container exits if nginx stops
|
|
wait $NGINX_PID
|