# Desineuron Ingress

This directory contains the reproducible bootstrap artifacts for the `desineuron-ingress-01` EC2 node.

Architecture:

- EC2 `t4g.micro` on-demand in `us-east-1`
- Amazon Linux 2023 ARM64
- `20 GB` gp3 root volume
- `Caddy` as the public HTTPS edge
- `rathole` as the reverse TCP relay from the Linux origin box

Traffic model:

- Public DNS stays in Cloudflare
- Public HTTPS terminates on EC2
- All six public hostnames proxy through EC2 to one local relay socket
- The Linux origin continues to serve the actual apps on `https://localhost:443`

Key files:

- `user_data.sh`: first-boot provisioning for the EC2 ingress node
- `Caddyfile`: public edge routing
- `rathole-server.toml`: EC2-side relay config
- `rathole-client.toml`: Linux-side relay config template
- `install_linux_rathole_client.sh`: Linux-side installer/service script
- `sync_ingress_home_ip.py`: detects the current home public IP and updates the ingress SSH allowlist rule
- `desineuron-ingress-home-ip-sync.service`: systemd oneshot service for the IP sync
- `desineuron-ingress-home-ip-sync.timer`: persistent timer that reruns the sync every 5 minutes and on boot
- `install_linux_ingress_ip_sync.sh`: Linux-side installer for the IP sync service

Manual Cloudflare work still required unless API credentials are provided:

- set the six hostnames to DNS-only (grey cloud) so Cloudflare stops proxying them and Caddy terminates TLS directly
- point them to the ingress Elastic IP
- retire the Cloudflare Tunnel routes once public validation passes

Dynamic home IP handling:

- the `rathole` control port `2333/tcp` is intentionally open to any source on the ingress, so public services do not break when the ISP changes the home IP; the relay's shared token is what gates that port, so keep it long and random
- the SSH fallback on the ingress stays restricted to the current home public IP on `22/tcp`
- the Linux-side IP sync service keeps that SSH allowlist rule current after ISP churn or a reboot
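The allowlist-maintenance logic behind the dynamic home IP handling, as an added illustration that is not the repository's `sync_ingress_home_ip.py`. It assumes the security-group rules have the shape boto3 returns in `SecurityGroups[].IpPermissions` and leaves the actual `authorize_security_group_ingress` / `revoke_security_group_ingress` calls to the caller, so it runs offline; the sample rule set and addresses are constructed. It shows the two properties the sync must have: it only ever touches tcp/22 (so the open `2333/tcp` relay rule is never disturbed), and it is idempotent while still sweeping out stale /32 entries left by earlier ISP churn. It also refuses CGNAT and RFC 1918 addresses, since an allowlist entry for those would never match the real source.

```python
"""Plan an EC2 security-group update that keeps one SSH /32 allowlist entry
in sync with a freshly detected home IP (added example, not the project's code)."""
import ipaddress

SSH_PORT = 22
RATHOLE_PORT = 2333  # stays open to 0.0.0.0/0 and is never touched here

# Address ranges that can never be a routable home /32 (assumed policy).
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # CGNAT, RFC 6598
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this"
)]


def parse_public_ip(text):
    """Validate the body of a 'what is my IP' lookup: one routable IPv4 address."""
    ip = ipaddress.ip_address(text.strip())
    if ip.version != 4 or any(ip in net for net in _NON_PUBLIC):
        raise ValueError(f"not a usable public IPv4 address: {ip}")
    return ip


def is_public_ipv4(text):
    """Boolean wrapper around parse_public_ip for callers that prefer no exceptions."""
    try:
        parse_public_ip(text)
        return True
    except ValueError:
        return False


def _is_ssh_rule(perm):
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == SSH_PORT
            and perm.get("ToPort") == SSH_PORT)


def plan_ssh_allowlist_update(ip_permissions, home_ip, description="home ssh"):
    """Return (revoke, authorize) as lists of IpPermissions entries.

    Only tcp/22 IPv4 ranges are considered; every other rule (including
    2333/tcp) is left alone. All tcp/22 CIDRs other than the current home /32
    are revoked so stale entries do not accumulate, and authorize is empty
    when the home /32 is already present, which makes repeated runs no-ops.
    """
    want = f"{parse_public_ip(str(home_ip))}/32"
    stale, present = [], False
    for perm in ip_permissions:
        if not _is_ssh_rule(perm):
            continue
        for rng in perm.get("IpRanges", []):
            if rng["CidrIp"] == want:
                present = True
            else:
                stale.append(rng["CidrIp"])
    revoke = [{"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
               "IpRanges": [{"CidrIp": c} for c in stale]}] if stale else []
    authorize = [] if present else [
        {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
         "IpRanges": [{"CidrIp": want, "Description": description}]}]
    return revoke, authorize


# Constructed sample: what describe_security_groups might return for the
# ingress node's group after the ISP has handed the home link a new address.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": RATHOLE_PORT, "ToPort": RATHOLE_PORT,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": SSH_PORT, "ToPort": SSH_PORT,
     "IpRanges": [{"CidrIp": "203.0.113.7/32", "Description": "home ssh"}]},
]

if __name__ == "__main__":
    revoke, authorize = plan_ssh_allowlist_update(SAMPLE_PERMISSIONS, "198.51.100.42")
    # A boto3 caller would authorize first and revoke second, so the window
    # in which no SSH rule exists is as short as possible:
    #   ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=authorize)
    #   ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=revoke)
    print("revoke:", revoke)
    print("authorize:", authorize)
```

Apply the new rule before revoking the old one; the reverse order leaves the ingress with no SSH path at all if the second call fails, and since `2333/tcp` is the only other open port, that would mean a console-only recovery.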