Erich Blume
6e37abda5d
Adds the Adelaide / Heidi / Addie baby shower app — a Django guest
splash, raffle picker, and prize-assignment console — on ringtail k3s.
Public landing at shower.eblu.me (via fly proxy), tailnet admin at
shower.ops.eblu.me. App source: forge.eblu.me/eblume/adelaide-baby-shower-app,
wheel-published to the Forgejo Packages PyPI index.
Manifests under argocd/manifests/shower/: NFS-backed PVC for /app/media,
local-path PVC for SQLite, ExternalSecret pulling DJANGO_SECRET_KEY from
1Password (item "Shower (blumeops)"), Tailscale ProxyGroup ingress.
Defense-in-depth for the public surface:
- /admin/ blocked at the fly edge except /admin/login/ and /admin/logout/
- shower_auth rate limit on the login path
- new fail2ban filter+jail with a per-service shower-deny.conf
(nginx-deny action generalized to accept nginx_deny_file)
- django-axes (5 / 1h) keyed on (username, ip_address)
Plus: Caddy route on indri, Pulumi gandi CNAME, Grafana APM dashboard
mirroring docs-apm.json, runbook at how-to/operations/shower-app.md,
and a service-versions entry. X-Clacks-Overhead set on the new server
block — GNU Terry Pratchett.
Build: containers/shower/default.nix uses dockerTools to ship a
nixpkgs Python plus a startup wrapper that installs the wheel into
/app/data/.venv on first boot and execs gunicorn. Lets the wheel come
from forge PyPI without pinning hashes for every transitive dep.
Prerequisites tracked in the runbook (not yet executed):
- NFS share sifaka:/volume1/shower (manual Synology step)
- 1Password item "Shower (blumeops)" with secret-key field
- container build via `mise run container-build-and-release shower`
- Pulumi dns-up after merge
- fly certs add shower.eblu.me
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
47 lines
1.6 KiB
Bash
47 lines
1.6 KiB
Bash
#!/bin/sh
|
|
set -e
|
|
|
|
# Connect to tailnet first — nginx needs MagicDNS for upstream resolution.
|
|
# With bluegreen deploys, the old machine serves traffic until this one is
|
|
# fully ready. Fly.io runs Firecracker microVMs that support TUN devices
|
|
# natively — no need for --tun=userspace-networking.
|
|
tailscaled --statedir=/var/lib/tailscale --port=41641 &
|
|
sleep 2
|
|
tailscale up --authkey="${TS_AUTHKEY}" --hostname=flyio-proxy
|
|
until tailscale status > /dev/null 2>&1; do sleep 1; done
|
|
echo "Tailscale connected"
|
|
|
|
# Wait for MagicDNS to be ready — upstream blocks resolve DNS at config
|
|
# load, so nginx will fail to start if MagicDNS can't resolve yet.
|
|
echo "Waiting for MagicDNS..."
|
|
until nslookup forge.tail8d86e.ts.net 100.100.100.100 > /dev/null 2>&1; do
|
|
sleep 1
|
|
done
|
|
echo "MagicDNS ready"
|
|
|
|
# Ensure fail2ban per-service deny files exist before nginx starts
|
|
# (the geo directive's `include` fails if the file is missing).
|
|
touch /etc/nginx/forge-deny.conf
|
|
touch /etc/nginx/shower-deny.conf
|
|
|
|
# Start nginx — MagicDNS is available, upstreams resolved.
|
|
nginx -g "daemon off;" &
|
|
NGINX_PID=$!
|
|
echo "Nginx started"
|
|
|
|
# Start fail2ban for login brute-force protection.
|
|
# Non-fatal — nginx rate limiting is the primary defense; fail2ban is additive.
|
|
if fail2ban-server -b; then
|
|
echo "fail2ban started"
|
|
else
|
|
echo "WARNING: fail2ban failed to start (nginx rate limiting still active)"
|
|
fi
|
|
|
|
# Start Alloy for observability (logs → Loki, metrics → Prometheus)
|
|
alloy run /etc/alloy/config.alloy \
|
|
--server.http.listen-addr=127.0.0.1:12345 \
|
|
--storage.path=/tmp/alloy-data &
|
|
echo "Alloy started"
|
|
|
|
# Block on nginx — container exits if nginx stops
|
|
wait $NGINX_PID
|