Built the Sentinel Tab

infrastructure/desineuron_ingress/README.md

@@ -0,0 +1,38 @@
+# Desineuron Ingress
+
+This directory contains the reproducible bootstrap artifacts for the
+`desineuron-ingress-01` EC2 node.
+
+Architecture:
+- EC2 `t4g.micro` on-demand in `us-east-1`
+- Amazon Linux 2023 ARM64
+- `20 GB` gp3 root volume
+- `Caddy` as the public HTTPS edge
+- `rathole` as the reverse TCP relay from the Linux origin box
+
+Traffic model:
+- Public DNS stays in Cloudflare
+- Public HTTPS terminates on EC2
+- All six public hostnames proxy through EC2 to one local relay socket
+- Linux origin continues to serve the actual apps on `https://localhost:443`
+
+Key files:
+- `user_data.sh`: first-boot provisioning for the EC2 ingress node
+- `Caddyfile`: public edge routing
+- `rathole-server.toml`: EC2-side relay config
+- `rathole-client.toml`: Linux-side relay config template
+- `install_linux_rathole_client.sh`: Linux-side installer/service script
+- `sync_ingress_home_ip.py`: detects current home public IP and updates the ingress SSH allowlist rule
+- `desineuron-ingress-home-ip-sync.service`: systemd oneshot service for the IP sync
+- `desineuron-ingress-home-ip-sync.timer`: persistent timer that reruns the sync every 5 minutes and on boot
+- `install_linux_ingress_ip_sync.sh`: Linux-side installer for the IP sync service
+
+Manual Cloudflare work still required unless API credentials are provided:
+- set the six hostnames to DNS-only
+- point them to the ingress Elastic IP
+- retire the Cloudflare Tunnel routes once public validation passes
+
+Dynamic home IP handling:
+- `rathole` control port `2333/tcp` is intentionally open on the ingress so public services do not break when the ISP IP changes
+- SSH fallback on the ingress remains restricted to the current home public IP on `22/tcp`
+- the Linux-side IP sync service keeps that SSH fallback rule current after ISP churn or reboot