RogueWave/pyre
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1a556f33a643319ebe3fdeea9fd6bf8608864523
pyre/infra/nginx/README.md
RogueWave 571e5d04d2 feat(infra): Phase 0 provisioning + dev status dashboard 
- scripts/phase0-provision.sh: idempotent root setup (nginx, PostgreSQL,
  Redis, certbot/TLS, UFW). Opens 22/2222/80/443 before enabling UFW so SSH
  and Gitea git-SSH can't be locked out. Redis/Postgres stay localhost-only.
- infra/nginx/feedthepyre.com.conf: vhost serving the status page; commented
  web(:3000)/api(:4000) reverse-proxy blocks ready for app deploy.
- infra/status/: data-driven dev status dashboard (status.json + gen-status.mjs
  + prebuilt index.html), served at feedthepyre.com.
- ecosystem.config.cjs (PM2), infra/systemd/pm2-pyre.service, infra/logrotate/pyre,
  scripts/backup.sh — process mgmt + ops (inert until apps are built).

Built by 4 parallel agents, reviewed by 2 audit agents; audit fixes applied
(logs dir creation, port-citation accuracy, status truthfulness). pm2 installed
user-level. Privileged steps gated on `sudo bash scripts/phase0-provision.sh`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 02:34:13 +00:00

3.8 KiB
Raw Blame History

nginx — feedthepyre.com virtual host

This directory holds the nginx virtual host config for feedthepyre.com, the public domain for the PYRE / Prometheus Protocol MVP.

What it does now

Right now the vhost serves a static status dashboard (a holding/status page) for both feedthepyre.com and www.feedthepyre.com.

  • Site root (location /) serves files from the webroot /var/www/feedthepyre/status (with index.html), using try_files $uri $uri/ /index.html.
  • The Next.js web app and Fastify API are not proxied yet — those blocks are present but commented out.
  • An explicit /.well-known/acme-challenge/ location is served from the same webroot so Let's Encrypt HTTP-01 validation works even before certbot applies its --nginx changes.
  • gzip is enabled for common text content types.

Ports (per .env.example; design §11 names the processes but not their ports):

service bind env var
web (Next.js) 127.0.0.1:3000 WEB_PORT
api (Fastify) 127.0.0.1:4000 API_PORT

How the provision script installs it

The provisioning script (run with sudo on the PYRE VPS) is expected to:

  1. Copy feedthepyre.com.conf to /etc/nginx/sites-available/feedthepyre.com.
  2. Symlink it into the enabled set: ln -s /etc/nginx/sites-available/feedthepyre.com /etc/nginx/sites-enabled/feedthepyre.com
  3. Ensure the webroot exists and has an index page: mkdir -p /var/www/feedthepyre/status (drop an index.html in it).
  4. Validate and reload: nginx -t && systemctl reload nginx.

These exact paths are a contract the script relies on — do not rename the install path or the webroot without updating the script too.

This config is file-only. Do not run nginx/sudo from this repo; the provision script owns that.

How certbot adds TLS

After the HTTP vhost is installed and nginx is reloaded, obtain certificates:

sudo certbot --nginx -d feedthepyre.com -d www.feedthepyre.com

certbot will edit feedthepyre.com.conf in place, adding:

  • a listen 443 ssl; server block,
  • ssl_certificate / ssl_certificate_key directives (and Let's Encrypt includes),
  • an HTTP->HTTPS redirect on the listen 80; server.

That is why the :80 server is written as a plain listen 80; block with both domains in server_name — it is the shape certbot expects to augment. Renewals are handled automatically by certbot's systemd timer/cron.

Flipping from the static status page to the live app + API proxy

Once apps/web (Next.js, port 3000) and apps/api (Fastify, port 4000) are deployed and running on the VPS:

  1. Edit /etc/nginx/sites-available/feedthepyre.com.

  2. Enable the API proxy: uncomment the location /api/ { ... } block. The trailing slash on proxy_pass http://127.0.0.1:4000/; strips the /api/ prefix so the backend sees /scan, /receipt, etc.

  3. Switch the root to the web app: in location / { ... }, replace the try_files ... line with the proxy_pass http://127.0.0.1:3000; block shown in the inline comment (Host / X-Real-IP / X-Forwarded-For / X-Forwarded-Proto plus the websocket Upgrade/Connection headers).

  4. Add the websocket map (one time) to the http{} block of /etc/nginx/nginx.conf:

    map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

  5. Optional global hardening: add server_tokens off; to the same http{} block (kept out of the vhost on purpose so it is not duplicated).

  6. Validate and reload:

    sudo nginx -t && sudo systemctl reload nginx

Keep the /.well-known/acme-challenge/ location in place so certificate renewals continue to work after the cutover.

Reference in New Issue View Git Blame Copy Permalink