Erich Blume
702592bcc9
PR review caught that we didn't need an admin login surface on WAN.
App v1.0.1 adds DJANGO_PUBLIC_URL_BASE so QR codes generated from
/host/ (now tailnet-only) still point at shower.eblu.me for guest
phones — that closes the loop and lets us strip the WAN admin surface
entirely.
Container:
- bump version to 1.0.1
- outputHash → fakeHash (build will print the real one)
- entrypoint still does migrate + collectstatic before gunicorn —
the app is small enough that auto-migration is fine
Manifests:
- configmap adds DJANGO_PUBLIC_URL_BASE=https://shower.eblu.me
Fly nginx (shower.eblu.me):
- drop the /admin/(login|logout) carveout
- 403 anything under /admin/ AND /host/ with a "tailnet only" pointer
- drop the shower_auth limit_req zone and \$shower_banned geo
- drop the shower-admin-login fail2ban filter + jail
- drop the shower-deny.conf touch from start.sh
Docs:
- rename how-to docs/how-to/operations/shower-app.md →
shower-on-ringtail.md (mirrors cv-on-indri / docs-on-indri)
- new reference card docs/reference/services/shower-app.md per PR
review comment 2 (≈30s read; quick facts + cross-links)
- rewrite Defense layers section: collapses to general rate limit +
django-axes on the tailnet-side login (the only credential surface)
- rewrite the .infra.md changelog fragment to match
- add a 'Create the admin user' step (kubectl exec createsuperuser)
so first-time deploys aren't locked out
The nginx-deny action's per-jail \`nginx_deny_file\` generalization
stays — harmless future-proofing for the next public service.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1.9 KiB
1.9 KiB
| title | modified | last-reviewed | tags | ||
|---|---|---|---|---|---|
| Shower App | 2026-05-10 | 2026-05-10 |
|
Shower App
Django web app for Adelaide / Heidi / Addie's baby shower — guest splash with
a "what did you bring?" form, raffle picker, contest-prize ranking via
QR-coded /prizes/<token>/ URLs, and an /host/ operator console with
drag-rank assignment solving via scipy.
Quick Reference
| Property | Value |
|---|---|
| Public URL | shower.eblu.me (guest surface only — via flyio-proxy) |
| Private URL | shower.ops.eblu.me (admin + /host/ console — Caddy on indri) |
| Cluster | ringtail k3s, namespace shower |
| Container | registry.ops.eblu.me/blumeops/shower (built from containers/shower/default.nix) |
| App source | forge.eblu.me/eblume/adelaide-baby-shower-app (wheel on Forgejo PyPI) |
| Database | SQLite on a local-path PVC (shower-data, RWO 2 Gi) |
| Media (prize photos) | NFS RWX PVC shower-media → sifaka:/volume1/shower |
| Secrets | Shower (blumeops) 1Password item → DJANGO_SECRET_KEY |
Routing
Internet → shower.eblu.me (Fly nginx, guest-only 403s on /admin/ /host/)
│
▼
Caddy on indri (shower.ops.eblu.me — full surface)
│
▼
Tailscale ProxyGroup → k3s Service → Deployment
Backups
- SQLite dumped via
kubectl execto indri'sborgmatic_k8s_dump_diron every 2 a.m. run (mealie-pattern entry inborgmatic_k8s_sqlite_dumps) - Media picked up via
/Volumes/shower(sifaka SMB mount on indri) in the mainborgmatic_source_directorieslist
Both archive to sifaka + BorgBase.
Related
- shower-on-ringtail — onboarding + day-of runbook
- expose-service-publicly — Fly proxy + tailnet pattern this rides on
- ringtail — host cluster
- sifaka#NFS Exports — NFS share table
- borgmatic — backup system