From 2aec4d4d5ecf8c1cefd98cc0c1b40f8a734ae001 Mon Sep 17 00:00:00 2001 From: Danny Date: Sun, 3 May 2026 06:29:48 +0200 Subject: [PATCH] shelfish: front via vps-relay (don't expose phantom-ship public IP) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Original commit added Caddy directly on phantom-ship and opened ports 80/443 — that would have exposed the home connection's public IP via DNS. Reverting that and using the existing relay pattern instead: vps-relay (Hetzner) terminates public TLS and reverse-proxies over ZeroTier to phantom-ship's ZT IPv6 on 8081. phantom-ship now just runs shelfish.service bound to 127.0.0.1:8081; it accepts connections only from the ZT mesh interface (since caddy/firewall changes are gone, the only listeners are the existing trusted-interface ones plus this loopback). vps-relay gets a third virtualHost alongside navidrome and bbbot. DNS: shelfish.dannydannydanny.me → 89.167.39.251 (vps-relay public IP), NOT phantom-ship's home IP. Co-Authored-By: Claude Opus 4.7 (1M context) --- nixos/hosts/phantom-ship.nix | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/nixos/hosts/phantom-ship.nix b/nixos/hosts/phantom-ship.nix index ea44e0e..f870929 100644 --- a/nixos/hosts/phantom-ship.nix +++ b/nixos/hosts/phantom-ship.nix 
@@ -250,18 +250,10 @@ in }; }; - # Caddy reverse proxy in front of the local HTTP services (shelfish, etc). - # Auto-Let's-Encrypt; ACME requires the subdomain to A-record to this host. - networking.firewall.allowedTCPPorts = [ 80 443 ]; - services.caddy = { - enable = true; - email = "powerhouseplayer@gmail.com"; - virtualHosts."shelfish.dannydannydanny.me".extraConfig = '' - reverse_proxy 127.0.0.1:8081 - ''; - }; - # Shelfish — Goodreads-flavoured book club Mini App. + # Public traffic comes through vps-relay's Caddy → ZeroTier → here. + # See vps-relay.nix for the public-facing virtualHost. We never expose + # this host's IP directly. # Code deployed out-of-band via rsync to /home/danny/shelfish/ # (staying in-tree in ~/python-projects/27_shelfish/ until spun out). # Auth: validates Telegram WebApp initData against shipyard's bot token
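Review bot: the new comment states that public traffic reaches this host over ZeroTier, but the listener it points at is the loopback one the removed Caddy block proxied to (`reverse_proxy 127.0.0.1:8081`), and the commit message likewise says shelfish.service is bound to 127.0.0.1:8081. A 127.0.0.1 bind is not reachable via phantom-ship's ZeroTier IPv6 address, so vps-relay's reverse proxy to that address on 8081 will be refused; bind shelfish.service to the ZT address (or to the wildcard address with `networking.firewall.interfaces.<zt-interface>.allowedTCPPorts = [ 8081 ];` so only the mesh interface can reach it) and state the bind address and interface rule in this comment, since the hunk only removes the old firewall/Caddy lines and adds no replacement. Separately, the diffstat shows only phantom-ship.nix changed while the message describes a new vps-relay virtualHost and the DNS record for shelfish.dannydannydanny.me; either include the vps-relay.nix change here or make the "See vps-relay.nix" reference point at the commit that adds it.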