pyre/infra/nginx/feedthepyre.com.conf
RogueWave 571e5d04d2 feat(infra): Phase 0 provisioning + dev status dashboard
- scripts/phase0-provision.sh: idempotent root setup (nginx, PostgreSQL,
  Redis, certbot/TLS, UFW). Opens 22/2222/80/443 before enabling UFW so SSH
  and Gitea git-SSH can't be locked out. Redis/Postgres stay localhost-only.
- infra/nginx/feedthepyre.com.conf: vhost serving the status page; commented
  web(:3000)/api(:4000) reverse-proxy blocks ready for app deploy.
- infra/status/: data-driven dev status dashboard (status.json + gen-status.mjs
  + prebuilt index.html), served at feedthepyre.com.
- ecosystem.config.cjs (PM2), infra/systemd/pm2-pyre.service, infra/logrotate/pyre,
  scripts/backup.sh — process mgmt + ops (inert until apps are built).

Built by 4 parallel agents, reviewed by 2 audit agents; audit fixes applied
(logs dir creation, port-citation accuracy, status truthfulness). pm2 installed
user-level. Privileged steps gated on `sudo bash scripts/phase0-provision.sh`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-31 02:34:13 +00:00


# ============================================================================
# PYRE / Prometheus Protocol — nginx virtual host for feedthepyre.com
# ----------------------------------------------------------------------------
# Install path: /etc/nginx/sites-available/feedthepyre.com
# (the provision script symlinks this into sites-enabled/)
#
# TLS: Managed by certbot. Run `certbot --nginx` AFTER this config is
# installed — it will inject the listen 443 ssl server block,
# the ssl_certificate / ssl_certificate_key lines, and the
# HTTP->HTTPS redirect automatically. Do NOT hand-edit those in.
#
# App ports (see docs/PYRE_MVP_DESIGN.md §11 and .env.example):
# web (Next.js) -> 127.0.0.1:3000 (WEB_PORT)
# api (Fastify) -> 127.0.0.1:4000 (API_PORT)
#
# Current behaviour: serves the static status dashboard from
# /var/www/feedthepyre/status. The reverse-proxy blocks below
# are commented out until the apps are deployed.
# ============================================================================
server {
    listen 80;
    listen [::]:80;
    server_name feedthepyre.com www.feedthepyre.com;

    # --- Static status site (current site root) -----------------------------
    root /var/www/feedthepyre/status;
    index index.html;

    # --- Logging ------------------------------------------------------------
    access_log /var/log/nginx/feedthepyre.access.log;
    error_log /var/log/nginx/feedthepyre.error.log;

    # --- ACME HTTP-01 challenge --------------------------------------------
    # Explicit so certbot's HTTP-01 validation works even before its --nginx
    # tweaks are applied. ^~ ensures this wins over the regex/proxy locations.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/feedthepyre/status;
        allow all;
    }

    # --- Basic hardening ----------------------------------------------------
    # gzip for text-ish content types.
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
        text/plain
        text/css
        text/xml
        text/javascript
        application/javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    # NOTE: `server_tokens off;` is intentionally NOT set here — it belongs in
    # the http{} block of /etc/nginx/nginx.conf so it applies globally. Set it
    # there once rather than duplicating it per-vhost.

    # --- Site root ----------------------------------------------------------
    # Serve the static status dashboard for now.
    #
    # LATER: when apps/web (Next.js) is deployed, switch this location from the
    # static status page to a reverse proxy. Replace the try_files body with:
    #
    #     proxy_pass http://127.0.0.1:3000;
    #     proxy_http_version 1.1;
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header X-Forwarded-Proto $scheme;
    #     proxy_set_header Upgrade $http_upgrade;
    #     proxy_set_header Connection $connection_upgrade;
    #
    location / {
        try_files $uri $uri/ /index.html;
    }

    # ------------------------------------------------------------------------
    # REVERSE-PROXY BLOCKS — enable when apps are running
    # ------------------------------------------------------------------------
    # Uncomment the /api/ block below once apps/api (Fastify, port 4000) is up.
    # The trailing slash on proxy_pass strips the /api/ prefix so the backend
    # sees /scan, /receipt, etc.
    #
    # location /api/ {
    #     proxy_pass http://127.0.0.1:4000/;
    #     proxy_http_version 1.1;
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header X-Forwarded-Proto $scheme;
    #     proxy_set_header Upgrade $http_upgrade;
    #     proxy_set_header Connection $connection_upgrade;
    # }
    #
    # The websocket Upgrade/Connection headers above rely on a $connection_upgrade
    # map. Add this once in the http{} block of /etc/nginx/nginx.conf:
    #
    # map $http_upgrade $connection_upgrade {
    #     default upgrade;
    #     ''      close;
    # }
    # ------------------------------------------------------------------------
}
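The vhost's comments make three promises that are easy to break during a later edit: the reverse-proxy targets stay on loopback, the ACME challenge location keeps its `^~` modifier so certbot's HTTP-01 validation cannot be captured by a proxy location, and the trailing slash on `proxy_pass http://127.0.0.1:4000/` strips the `/api/` prefix before the request reaches Fastify. The script below is an added example (not code from the pyre repository) that parses a vhost into its directive tree and checks those three properties; `proxied_request_uri` models nginx's prefix-replacement rule for `proxy_pass` so the strip behaviour can be tested without a running nginx. The parser is deliberately minimal (no `include`, no variable expansion, no upstream-group resolution) and `SAMPLE_CONF` is a constructed, abbreviated copy of the vhost with the `/api/` block already enabled.

```python
"""Audit an nginx vhost for loopback-only proxying, an ACME location with ^~,
and prefix stripping on the /api/ proxy_pass. Added example; the parser is
intentionally minimal and SAMPLE_CONF is constructed for this demonstration.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: an abbreviated vhost in the same shape as
# feedthepyre.com.conf, with the /api/ reverse-proxy block uncommented.
SAMPLE_CONF = """
server {
    listen 80;
    server_name feedthepyre.com www.feedthepyre.com;
    root /var/www/feedthepyre/status;
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/feedthepyre/status;   # served from disk, never proxied
        allow all;
    }
    location / {
        try_files $uri $uri/ /index.html;
    }
    location /api/ {
        proxy_pass http://127.0.0.1:4000/;   # trailing slash strips /api/
        proxy_set_header Host $host;
    }
}
"""

LOOPBACK_HOSTS = ("127.0.0.1", "::1", "localhost")


def _tokenize(text):
    """Yield directive words plus the structural tokens ';', '{' and '}',
    with '#' comments removed (nginx comments run to end of line)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        yield from re.findall(r"[{};]|[^\s{};]+", line)


def parse(text):
    """Return a list of (name, args, children) tuples; children is None for a
    plain directive and a nested list for a block such as server{} or location{}."""
    stack = [[]]      # stack of child lists; stack[0] is the top level
    cur = []          # tokens of the directive currently being read
    for tok in _tokenize(text):
        if tok == ";":
            stack[-1].append((cur[0], cur[1:], None))
            cur = []
        elif tok == "{":
            block = (cur[0], cur[1:], [])
            stack[-1].append(block)
            stack.append(block[2])
            cur = []
        elif tok == "}":
            stack.pop()
        else:
            cur.append(tok)
    return stack[0]


def walk(nodes):
    """Depth-first traversal over every directive and block."""
    for node in nodes:
        yield node
        if node[2] is not None:
            yield from walk(node[2])


def proxied_request_uri(location_prefix, proxy_pass, request_uri):
    """Model nginx's proxy_pass rule for a prefix location: when proxy_pass
    carries a URI part (anything after host:port, even a lone '/'), the part of
    the request matched by the location prefix is replaced by that URI; without
    a URI part the request is forwarded unchanged."""
    if not request_uri.startswith(location_prefix):
        raise ValueError("request does not match this location")
    upstream_path = urlsplit(proxy_pass).path
    if upstream_path == "":
        return request_uri
    return upstream_path + request_uri[len(location_prefix):]


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    acme_ok = False
    for name, args, children in walk(parse(text)):
        if name == "proxy_pass" and urlsplit(args[0]).hostname not in LOOPBACK_HOSTS:
            findings.append(f"proxy_pass {args[0]} is not loopback-only")
        if name == "location" and args[-1] == "/.well-known/acme-challenge/":
            # Must use ^~ (so it beats regex/proxy locations) and serve from disk.
            acme_ok = args[0] == "^~" and any(c[0] == "root" for c in children)
        if name == "location" and args == ["/api/"]:
            pp = next((c[1][0] for c in children if c[0] == "proxy_pass"), None)
            if pp is None:
                findings.append("/api/ location has no proxy_pass")
            elif proxied_request_uri("/api/", pp, "/api/scan") != "/scan":
                findings.append("/api/ proxy_pass does not strip the /api/ prefix")
    if not acme_ok:
        findings.append("ACME challenge location missing, not ^~, or has no root")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONF) or "all checks passed")
```

Pointing `audit` at the real file (`audit(open("/etc/nginx/sites-available/feedthepyre.com").read())`) is a reasonable pre-`nginx -t` step once the `/api/` block is uncommented; note that an `upstream` group name as the `proxy_pass` host is reported as non-loopback because the checker does not resolve upstream blocks.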