Erich Blume
702592bcc9
PR review caught that we didn't need an admin login surface on WAN.
App v1.0.1 adds DJANGO_PUBLIC_URL_BASE so QR codes generated from
/host/ (now tailnet-only) still point at shower.eblu.me for guest
phones — that closes the loop and lets us strip the WAN admin surface
entirely.
Container:
- bump version to 1.0.1
- outputHash → fakeHash (build will print the real one)
- entrypoint still does migrate + collectstatic before gunicorn —
the app is small enough that auto-migration is fine
Manifests:
- configmap adds DJANGO_PUBLIC_URL_BASE=https://shower.eblu.me
Fly nginx (shower.eblu.me):
- drop the /admin/(login|logout) carveout
- 403 anything under /admin/ AND /host/ with a "tailnet only" pointer
- drop the shower_auth limit_req zone and \$shower_banned geo
- drop the shower-admin-login fail2ban filter + jail
- drop the shower-deny.conf touch from start.sh
Docs:
- rename how-to docs/how-to/operations/shower-app.md →
shower-on-ringtail.md (mirrors cv-on-indri / docs-on-indri)
- new reference card docs/reference/services/shower-app.md per PR
review comment 2 (≈30s read; quick facts + cross-links)
- rewrite Defense layers section: collapses to general rate limit +
django-axes on the tailnet-side login (the only credential surface)
- rewrite the .infra.md changelog fragment to match
- add a 'Create the admin user' step (kubectl exec createsuperuser)
so first-time deploys aren't locked out
The nginx-deny action's per-jail \`nginx_deny_file\` generalization
stays — harmless future-proofing for the next public service.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
34 lines
1.4 KiB
Docker
34 lines
1.4 KiB
Docker
# nginx 1.30.0-alpine
|
|
FROM nginx@sha256:0272e4604ed93c1792f03695a033a6e8546840f86e0de20a884bb17d2c924883
|
|
|
|
# Copy tailscale binaries from official image (v1.94.2)
|
|
COPY --from=docker.io/tailscale/tailscale@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1 \
|
|
/usr/local/bin/tailscaled /usr/local/bin/tailscaled
|
|
COPY --from=docker.io/tailscale/tailscale@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1 \
|
|
/usr/local/bin/tailscale /usr/local/bin/tailscale
|
|
|
|
RUN mkdir -p /var/run/tailscale /var/lib/tailscale \
|
|
&& apk add --no-cache iptables ip6tables \
|
|
&& apk add --no-cache libc6-compat \
|
|
&& apk add --no-cache fail2ban \
|
|
&& rm -f /etc/fail2ban/jail.d/alpine-ssh.conf
|
|
|
|
# Copy Alloy binary from official image (v1.16.0, Ubuntu-based, needs libc6-compat)
|
|
COPY --from=docker.io/grafana/alloy@sha256:6e00cf7c5a692ff5f24844529416ed017d76fce922f8199004e73d5eca46b6b8 \
|
|
/bin/alloy /usr/local/bin/alloy
|
|
|
|
RUN mkdir -p /var/log/nginx /etc/alloy /tmp/alloy-data
|
|
|
|
COPY fail2ban/filter.d/forge-login.conf /etc/fail2ban/filter.d/forge-login.conf
|
|
COPY fail2ban/jail.d/forge.conf /etc/fail2ban/jail.d/forge.conf
|
|
COPY fail2ban/action.d/nginx-deny.conf /etc/fail2ban/action.d/nginx-deny.conf
|
|
|
|
COPY nginx.conf /etc/nginx/nginx.conf
|
|
COPY error.html /usr/share/nginx/html/error.html
|
|
COPY alloy.river /etc/alloy/config.alloy
|
|
COPY start.sh /start.sh
|
|
RUN chmod +x /start.sh
|
|
|
|
EXPOSE 8080
|
|
|
|
CMD ["/start.sh"]
|