Compare commits


15 commits

Author SHA1 Message Date
671f7b5117 Wip 2026-06-08 04:05:28 -08:00
0a820b8e66 better auth 2026-06-08 04:00:29 -08:00
772c6c59a8 bump 2026-06-08 03:57:45 -08:00
Philip Peterson
b443162f0c encrypt 2026-06-08 04:49:55 -07:00
Philip Peterson
42a8b4a1cc Merge branch 'main' of github.com:philip-peterson/petersweb-infra 2026-06-08 04:42:33 -07:00
Philip Peterson
3687011061 Bump coldair 2026-06-08 04:42:27 -07:00
d383b9abc3 bump 2026-06-06 00:51:58 -08:00
Philip Peterson
f0209fbdc8 Add WebSocket proxy headers to paperless nginx vhost
Paperless-ngx uses WebSockets to push task completion status to the
browser. Without Upgrade/Connection headers the UI hangs indefinitely
after upload while waiting for the done notification.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-05 23:26:15 -07:00
Philip Peterson
047c4b2207 Fix paperless nginx: remove duplicate proxy_set_header directives
recommendedProxySettings already injects Host, X-Real-IP, X-Forwarded-*
via an include in the location block. Our explicit extraConfig set them
again, causing Django to receive 'host,host' and reject with DisallowedHost.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-05 23:20:27 -07:00
Philip Peterson
3fea6dddd7 Merge branch 'main' of github.com:philip-peterson/petersweb-infra 2026-06-05 22:58:26 -07:00
5a14d56cd2 add secret 2026-06-05 21:58:03 -08:00
07573489df bump 2026-06-04 23:13:29 -08:00
0776104f40 bump 2026-06-04 22:42:07 -08:00
f59200a349 bump 2026-06-04 22:10:40 -08:00
bbdd562af3 bump 2026-06-04 21:59:15 -08:00
7 changed files with 58 additions and 8 deletions

32
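--- a/bump-coldairnetworks.sh
+++ b/bump-coldairnetworks.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -euo pipefail
+LINUX=/root/petersweb-infra/nixos/linux.nix
+usage() {
+echo "Usage: $0 <sha256-digest>"
+echo " e.g. $0 sha256:2e2d92abae0ba68be780fff581523480ac05444690dbf38bf4330f1dda099e2a"
+exit 1
+}
+[[ $# -eq 1 ]] || usage
+NEW_DIGEST="${1#sha256:}" # strip leading "sha256:" if provided
+# Validate: hex string of the right length
+if ! [[ "$NEW_DIGEST" =~ ^[0-9a-f]{64}$ ]]; then
+echo "Error: digest must be a 64-character lowercase hex string (got: $NEW_DIGEST)" >&2
+exit 1
+fi
+OLD_LINE=$(grep -n 'coldairnetworks-com@sha256:' "$LINUX")
+echo "Current: $OLD_LINE"
+sed -i -E "s|(coldairnetworks-com@sha256:)[0-9a-f]{64}|\1${NEW_DIGEST}|" "$LINUX"
+NEW_LINE=$(grep -n 'coldairnetworks-com@sha256:' "$LINUX")
+echo "Updated: $NEW_LINE"
+echo "Applying NixOS configuration..."
+nixos-rebuild switch --flake /root/petersweb-infra/nixos#mainframe
+echo "Done. Tail logs with: podman logs -f coldairnetworks"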
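Review bot: The script checks only that the argument is 64 lowercase hex characters before it rewrites the pin in linux.nix and runs `nixos-rebuild switch`; nothing confirms the digest belongs to the coldairnetworks-com repository, and nothing restores the old pin when the rebuild fails, so a mistyped or wrong-image digest leaves the checkout pinned to something that never deployed. Under `set -euo pipefail` the first `grep -n` also ends the script silently when no pinned line exists; `OLD_LINE=$(grep -n 'coldairnetworks-com@sha256:' "$LINUX") || { echo "Error: no pinned digest in $LINUX" >&2; exit 1; }` would make that failure visible. Keeping a copy of the file before the `sed -i` and restoring it when `nixos-rebuild` returns non-zero would keep the repository and the running system in agreement. `usage` prints to stdout; adding `>&2` to both echo lines would match the error path below it.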


@ -7,7 +7,7 @@
services = {
app = {
service = {
image = "forge.quinefoundation.com/ironmagma/riverside@sha256:6ad578b0668ac91f37fc3677ce12960b5eeb23c3ba7238e1ba137d35e60fea58";
image = "forge.quinefoundation.com/ironmagma/riverside@sha256:567483665861b5a895d4330caa03635191b6554a68f6e471c81c9ff4dbdacfa7";
container_name = "riverside";
restart = "unless-stopped";
networks = [ "riverside" ];


@ -83,6 +83,11 @@ in {
file = ./secrets/paperless.age;
owner = "root";
};
coldairnetworks = {
file = ./secrets/coldairnetworks.age;
owner = "root";
};
};
environment.systemPackages = [
@ -380,13 +385,15 @@ in {
"coldairnetworks" = {
autoStart = true;
image = "quineglobal/coldairnetworks-com:latest";
image = "quineglobal/coldairnetworks-com@sha256:36f16006502171d82a107b1bd67517b9d602b54de31630a4861fba1e78250857";
volumes = [];
environment = {
POSTMARK_SERVER_TOKEN = "e718a146-c590-4550-a750-a3b925056e29";
BETTER_AUTH_URL = "https://coldairnetworks.com";
NODE_TLS_REJECT_UNAUTHORIZED = "0";
};
environmentFiles = [ config.age.secrets.postmark.path ];
ports = ["3012:8081"];
environmentFiles = [ config.age.secrets.postmark.path config.age.secrets.coldairnetworks.path ];
ports = ["3012:3000"];
};
};
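Review bot: `NODE_TLS_REJECT_UNAUTHORIZED = "0"` in the coldairnetworks `environment` block switches off certificate verification for every outbound TLS connection the Node process makes, which would include the Postmark API and, judging by the `DATABASE_URL` listed for coldairnetworks.age, the database link, so anything on the network path could present any certificate. If a private CA is the reason, `NODE_EXTRA_CA_CERTS = "/path/to/ca.pem";` (placeholder path) keeps verification on. `POSTMARK_SERVER_TOKEN` is also a literal in the same attrset, so it lands in the world-readable Nix store and in this repository even though `config.age.secrets.postmark.path` is already listed in `environmentFiles`; moving it into that age file and rotating the token would close that. `ports = ["3012:3000"]` publishes on all interfaces unless a firewall blocks it; `"127.0.0.1:3012:3000"` would limit it to a local reverse proxy, if one fronts this container. The +/- markers are lost on this page, so which of these lines the commit itself adds is inferred.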


@ -121,10 +121,10 @@
locations."/" = {
proxyPass = "http://127.0.0.1:8000/";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
client_max_body_size 100M;
'';
};
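Review bot: `proxy_read_timeout 86400;` and `proxy_set_header Connection "upgrade";` apply to every request under `locations."/"`, not only the WebSocket endpoint, so a stalled upstream response may hold a connection for up to a day and ordinary requests are forwarded with an upgrade header. The NixOS nginx module offers `proxyWebsockets = true;` on a location, which as far as I know sets the HTTP version and derives the Connection header from `$http_upgrade`; using it would replace the three hand-written lines. The long read timeout would be better placed on a separate location for the WebSocket path (presumably `/ws/` for Paperless-ngx; confirm against the deployed version), leaving `/` on the default timeout. The vhost this location belongs to starts outside the hunk.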


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 NFD/vg 5yGAA19rlzC2wSX7buivwDVu6AkSz0joS9oT7gcomGk
YnrxzrNQ7rT6joa38uyz3JBs5NkZhqPOwCOyaTRHD5A
--- jeqx+rAgrPkbdKhzNsiYjGhzq3nVTBfXfl4wKbkski8
¯/ß‹P#¬!âŽ<C3A2>&Ïó` àF¾rf9|œö~"~ð§m?+Õenw±D£KUXkS¢=;.“Ç£m^!ÀÊ÷L6ßBä\˾† »„1S
<@Óp˜­Ag¿ç˜Þ™°°ÁwLãX…ŒÏHô¿ðôãA(%6‰/ñ©ïýt{ñªLO_˜üs<C3BC>!8Æ+œ“žaêX·/{úÛ/¾çÜeNè&
rbøÉ¡Ë ~2fG$6HÈB•Æì•â<E280A2>µB`ƒs+EžË4aGǺ5370-T£æJ° „‚#m÷òe=˜÷


@ -30,4 +30,8 @@ in {
# PAPERLESS_ADMIN_PASSWORD=<password>
# PAPERLESS_ADMIN_EMAIL=peterson@sent.com
"./paperless.age".publicKeys = [mainframePublicKey];
# DATABASE_URL=<supabase postgres dsn>
# BETTER_AUTH_SECRET=<secret>
"./coldairnetworks.age".publicKeys = [mainframePublicKey];
}

BIN
nixos/secrets/paperless.age Normal file

Binary file not shown.