Serve host manager at apex vhost · 39882a1

Serve host manager at apex vhost
Browse files

bogdan committed 3 days ago

main

1 parent f1cde52

commit 39882a1

Showing 2 changed files with 13 additions and 12 deletions

+7 -6

deploy/jumper/README.md

@@ -5,7 +5,7 @@ Host Manager rulează pe jumper ca serviciu Perl local, ascultând numai pe `127
 Vhost implicit:
 
 ```text
-hosts.madagascar.xdev.ro
+madagascar.xdev.ro
 ```
 
 Instanța curentă este instalată pe jumper în `/usr/local/xdev-host-manager` și publicată prin nginx. `/opt` rămâne rezervat pentru aplicații 3rd party/vendor.
@@ -41,7 +41,7 @@ sudo dnf install nginx
 /etc/xdev/host-manager.env
 /etc/systemd/system/host-manager.service
 /etc/systemd/system/host-manager-mdns.service
-/etc/nginx/conf.d/hosts.madagascar.xdev.ro.conf
+/etc/nginx/conf.d/madagascar.xdev.ro.conf
 ```
 
 ## Instalare manuală
@@ -54,10 +54,11 @@ sudo install -d -o host-manager -g host-manager /usr/local/xdev-host-manager
 sudo install -d -m 0750 /etc/xdev
 sudo install -m 0644 deploy/jumper/host-manager.service /etc/systemd/system/host-manager.service
 sudo install -m 0644 deploy/jumper/host-manager-mdns.service /etc/systemd/system/host-manager-mdns.service
-sudo install -m 0644 deploy/jumper/nginx-host-manager.conf /etc/nginx/conf.d/hosts.madagascar.xdev.ro.conf
+sudo install -m 0644 deploy/jumper/nginx-host-manager.conf /etc/nginx/conf.d/madagascar.xdev.ro.conf
 ```
 
 Copiază `deploy/jumper/host-manager.env.example` la `/etc/xdev/host-manager.env` și setează secretul TOTP real.
+Nginx așteaptă certificatul TLS local CA la `/etc/pki/tls/certs/madagascar.xdev.ro.crt` și cheia la `/etc/pki/tls/private/madagascar.xdev.ro.key`.
 
 La instalarea inițială se poate genera automat secretul TOTP. URI-ul de bootstrap rămâne doar pe jumper, root-only:
 
@@ -74,14 +75,14 @@ sudo systemctl enable --now host-manager-mdns
 sudo nginx -t
 sudo systemctl reload nginx
 curl -fsS http://127.0.0.1:8088/healthz
-curl -k -o /dev/null -w '%{http_code}\n' https://hosts.madagascar.xdev.ro/healthz
+curl -k -o /dev/null -w '%{http_code}\n' https://madagascar.xdev.ro/healthz
 # trebuie să întoarcă 404; healthcheck-ul public nu este expus prin nginx
 ```
 
 Verificări de securitate de bază:
 
 ```bash
-curl -k -o /dev/null -w '%{http_code}\n' -X POST https://hosts.madagascar.xdev.ro/api/render/local-hosts-tsv
+curl -k -o /dev/null -w '%{http_code}\n' -X POST https://madagascar.xdev.ro/api/render/local-hosts-tsv
 # trebuie să întoarcă 401 fără sesiune OTP
 ```
 
@@ -90,7 +91,7 @@ curl -k -o /dev/null -w '%{http_code}\n' -X POST https://hosts.madagascar.xdev.r
 Vhost-ul trebuie să existe în registrul intern:
 
 ```text
-hosts.madagascar.xdev.ro -> 192.168.2.100
+madagascar.xdev.ro -> jumper.madagascar.xdev.ro
 ```
 
 Nu se adaugă wildcard local. Doar acest nume exact trebuie publicat.


+6 -6

deploy/jumper/nginx-host-manager.conf

View

@@ -1,20 +1,20 @@
 server {
     listen 192.168.2.100:80;
-    server_name hosts.madagascar.xdev.ro;
+    server_name madagascar.xdev.ro;
 
     return 301 https://$host$request_uri;
 }
 
 server {
     listen 192.168.2.100:443 ssl;
-    server_name hosts.madagascar.xdev.ro;
+    server_name madagascar.xdev.ro;
 
-    ssl_certificate /etc/pki/tls/certs/jumper.madagascar.xdev.ro.crt;
-    ssl_certificate_key /etc/pki/tls/private/jumper.madagascar.xdev.ro.key;
+    ssl_certificate /etc/pki/tls/certs/madagascar.xdev.ro.crt;
+    ssl_certificate_key /etc/pki/tls/private/madagascar.xdev.ro.key;
     ssl_protocols TLSv1.2 TLSv1.3;
 
-    access_log /var/log/nginx/hosts.madagascar.xdev.ro.access.log main;
-    error_log /var/log/nginx/hosts.madagascar.xdev.ro.error.log warn;
+    access_log /var/log/nginx/madagascar.xdev.ro.access.log main;
+    error_log /var/log/nginx/madagascar.xdev.ro.error.log warn;
 
     client_max_body_size 256k;
 


	@@ -5,7 +5,7 @@ Host Manager rulează pe jumper ca serviciu Perl local, ascultând numai pe `127
5	5	Vhost implicit:
6	6
7	7	```text
8		-hosts.madagascar.xdev.ro
	8	+madagascar.xdev.ro
9	9	```
10	10
11	11	Instanța curentă este instalată pe jumper în `/usr/local/xdev-host-manager` și publicată prin nginx. `/opt` rămâne rezervat pentru aplicații 3rd party/vendor.
	@@ -41,7 +41,7 @@ sudo dnf install nginx
41	41	/etc/xdev/host-manager.env
42	42	/etc/systemd/system/host-manager.service
43	43	/etc/systemd/system/host-manager-mdns.service
44		-/etc/nginx/conf.d/hosts.madagascar.xdev.ro.conf
	44	+/etc/nginx/conf.d/madagascar.xdev.ro.conf
45	45	```
46	46
47	47	## Instalare manuală
	@@ -54,10 +54,11 @@ sudo install -d -o host-manager -g host-manager /usr/local/xdev-host-manager
54	54	sudo install -d -m 0750 /etc/xdev
55	55	sudo install -m 0644 deploy/jumper/host-manager.service /etc/systemd/system/host-manager.service
56	56	sudo install -m 0644 deploy/jumper/host-manager-mdns.service /etc/systemd/system/host-manager-mdns.service
57		-sudo install -m 0644 deploy/jumper/nginx-host-manager.conf /etc/nginx/conf.d/hosts.madagascar.xdev.ro.conf
	57	+sudo install -m 0644 deploy/jumper/nginx-host-manager.conf /etc/nginx/conf.d/madagascar.xdev.ro.conf
58	58	```
59	59
60	60	Copiază `deploy/jumper/host-manager.env.example` la `/etc/xdev/host-manager.env` și setează secretul TOTP real.
	61	+Nginx așteaptă certificatul TLS local CA la `/etc/pki/tls/certs/madagascar.xdev.ro.crt` și cheia la `/etc/pki/tls/private/madagascar.xdev.ro.key`.
61	62
62	63	La instalarea inițială se poate genera automat secretul TOTP. URI-ul de bootstrap rămâne doar pe jumper, root-only:
63	64
	@@ -74,14 +75,14 @@ sudo systemctl enable --now host-manager-mdns
74	75	sudo nginx -t
75	76	sudo systemctl reload nginx
76	77	curl -fsS http://127.0.0.1:8088/healthz
77		-curl -k -o /dev/null -w '%{http_code}\n' https://hosts.madagascar.xdev.ro/healthz
	78	+curl -k -o /dev/null -w '%{http_code}\n' https://madagascar.xdev.ro/healthz
78	79	# trebuie să întoarcă 404; healthcheck-ul public nu este expus prin nginx
79	80	```
80	81
81	82	Verificări de securitate de bază:
82	83
83	84	```bash
84		-curl -k -o /dev/null -w '%{http_code}\n' -X POST https://hosts.madagascar.xdev.ro/api/render/local-hosts-tsv
	85	+curl -k -o /dev/null -w '%{http_code}\n' -X POST https://madagascar.xdev.ro/api/render/local-hosts-tsv
85	86	# trebuie să întoarcă 401 fără sesiune OTP
86	87	```
87	88
	@@ -90,7 +91,7 @@ curl -k -o /dev/null -w '%{http_code}\n' -X POST https://hosts.madagascar.xdev.r
90	91	Vhost-ul trebuie să existe în registrul intern:
91	92
92	93	```text
93		-hosts.madagascar.xdev.ro -> 192.168.2.100
	94	+madagascar.xdev.ro -> jumper.madagascar.xdev.ro
94	95	```
95	96
96	97	Nu se adaugă wildcard local. Doar acest nume exact trebuie publicat.

	@@ -1,20 +1,20 @@
1	1	server {
2	2	listen 192.168.2.100:80;
3		- server_name hosts.madagascar.xdev.ro;
	3	+ server_name madagascar.xdev.ro;
4	4
5	5	return 301 https://$host$request_uri;
6	6	}
7	7
8	8	server {
9	9	listen 192.168.2.100:443 ssl;
10		- server_name hosts.madagascar.xdev.ro;
	10	+ server_name madagascar.xdev.ro;
11	11
12		- ssl_certificate /etc/pki/tls/certs/jumper.madagascar.xdev.ro.crt;
13		- ssl_certificate_key /etc/pki/tls/private/jumper.madagascar.xdev.ro.key;
	12	+ ssl_certificate /etc/pki/tls/certs/madagascar.xdev.ro.crt;
	13	+ ssl_certificate_key /etc/pki/tls/private/madagascar.xdev.ro.key;
14	14	ssl_protocols TLSv1.2 TLSv1.3;
15	15
16		- access_log /var/log/nginx/hosts.madagascar.xdev.ro.access.log main;
17		- error_log /var/log/nginx/hosts.madagascar.xdev.ro.error.log warn;
	16	+ access_log /var/log/nginx/madagascar.xdev.ro.access.log main;
	17	+ error_log /var/log/nginx/madagascar.xdev.ro.error.log warn;
18	18
19	19	client_max_body_size 256k;
20	20