Original commit added Caddy directly on phantom-ship and opened ports 80/443 — that would have exposed the home connection's public IP via DNS. Reverting that and using the existing relay pattern instead: vps-relay (Hetzner) terminates public TLS and reverse-proxies over ZeroTier to phantom-ship's ZT IPv6 on 8081.

phantom-ship now just runs shelfish.service bound to 127.0.0.1:8081; it accepts connections only from the ZT mesh interface (since caddy/firewall changes are gone, the only listeners are the existing trusted-interface ones plus this loopback). vps-relay gets a third virtualHost alongside navidrome and bbbot.

DNS: shelfish.dannydannydanny.me → 89.167.39.251 (vps-relay public IP), NOT phantom-ship's home IP.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- daniel-macbook-air.nix
- phantom-ship-hardware.nix
- phantom-ship.nix
- server-install.nix
- sunken-ship-hardware.nix
- sunken-ship.nix
- vps-relay.nix
- wsl.nix