Project_Velocity/infrastructure/desineuron_ingress/README.md
2026-04-20 01:43:39 +05:30


# Desineuron Ingress
This directory contains the reproducible bootstrap artifacts for the
`desineuron-ingress-01` EC2 node.

Architecture:
- EC2 `t4g.micro` on-demand in `us-east-1`
- Amazon Linux 2023 ARM64
- `20 GB` gp3 root volume
- `Caddy` as the public HTTPS edge
- `rathole` as the reverse TCP relay from the Linux origin box

Traffic model:
- Public DNS stays in Cloudflare
- Public HTTPS terminates on EC2
- All six public hostnames proxy through EC2 to one local relay socket
- Linux origin continues to serve the actual apps on `https://localhost:443`

Key files:
- `user_data.sh`: first-boot provisioning for the EC2 ingress node
- `Caddyfile`: public edge routing
- `rathole-server.toml`: EC2-side relay config
- `rathole-client.toml`: Linux-side relay config template
- `install_linux_rathole_client.sh`: Linux-side installer/service script
- `sync_ingress_home_ip.py`: detects the current home public IP and updates the ingress SSH allowlist rule
- `desineuron-ingress-home-ip-sync.service`: systemd oneshot service for the IP sync
- `desineuron-ingress-home-ip-sync.timer`: persistent timer that reruns the sync every 5 minutes and on boot
- `install_linux_ingress_ip_sync.sh`: Linux-side installer for the IP sync service
- `deploy_velocity_site.sh`: canonical manual, timer, and webhook deploy entrypoint on the Linux origin
- `gitea_velocity_webhook_receiver.py`: authenticated Gitea push-hook receiver on Linux origin
- `desineuron-velocity-gitea-webhook.service`: systemd service for the webhook receiver
- `install_linux_velocity_webhook.sh`: targeted installer for the webhook receiver

Manual Cloudflare work still required unless API credentials are provided:
- set the six hostnames to DNS-only
- point them to the ingress Elastic IP
- retire the Cloudflare Tunnel routes once public validation passes

Dynamic home IP handling:
- `rathole` control port `2333/tcp` is intentionally open on the ingress so public services do not break when the ISP IP changes
- SSH fallback on the ingress remains restricted to the current home public IP on `22/tcp`
- the Linux-side IP sync service keeps that SSH fallback rule current after ISP churn or reboot

Project Velocity deploy triggers:
- Manual:
  - `sudo systemctl start desineuron-velocity-site-update.service`
  - or `sudo /usr/local/bin/deploy_velocity_site.sh`
- Timer:
  - `desineuron-velocity-site-update.timer`
- Webhook:
  - `https://velocity.desineuron.in/hooks/gitea/project-velocity`
  - secret is stored in `/etc/desineuron-velocity-webhook.env`
  - only `push` events for `refs/heads/main` on `sagnik/Project_Velocity` trigger deploy

Webhook design:
- receiver binds `127.0.0.1:8788` only
- nginx proxies the public HTTPS hook path to the local receiver
- signature is verified with `X-Gitea-Signature`
- deploy execution is serialized with `flock` so overlapping pushes cannot race each other
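The three checks above (signature, event filter, serialized deploy) as an added reference example; this is not the project's `gitea_velocity_webhook_receiver.py`. It assumes Gitea's documented signing scheme, where `X-Gitea-Signature` is the hex HMAC-SHA256 of the raw request body keyed with the webhook secret and `X-Gitea-Event` carries the event name; the lock path and deploy command are caller-supplied.

```python
"""Reference checks for a Gitea push-hook receiver (added example, not the
project's own receiver). Assumes Gitea's documented scheme: X-Gitea-Signature
is the hex HMAC-SHA256 of the raw request body keyed with the webhook secret,
and X-Gitea-Event names the event type."""
import fcntl
import hashlib
import hmac
import json
import subprocess

EXPECTED_REPO = "sagnik/Project_Velocity"   # from the README
EXPECTED_REF = "refs/heads/main"            # from the README


def verify_signature(secret: str, body: bytes, header_value: str) -> bool:
    """Constant-time comparison of the hex HMAC-SHA256 over the raw body.
    The raw bytes must be used: re-serialising the JSON would break the MAC."""
    if not header_value:
        return False
    expected = hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_value.strip().lower())


def is_deploy_trigger(event: str, body: bytes) -> bool:
    """Only a push to main on the expected repository may start a deploy.
    Call this after verify_signature, so the payload is trusted here."""
    if event != "push":
        return False
    try:
        payload = json.loads(body)
    except ValueError:
        return False
    if not isinstance(payload, dict):
        return False
    repo = payload.get("repository", {}).get("full_name")
    return repo == EXPECTED_REPO and payload.get("ref") == EXPECTED_REF


def run_deploy_serialized(lock_path: str, command: list[str]) -> int:
    """Hold an exclusive flock for the whole deploy so overlapping pushes
    queue instead of racing; returns the deploy command's exit status."""
    with open(lock_path, "a") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        try:
            return subprocess.run(command, check=False).returncode
        finally:
            fcntl.flock(lock, fcntl.LOCK_UN)
```

A receiver would read the secret from `/etc/desineuron-velocity-webhook.env`, run the checks in this order, and reject with 401 (bad signature) or 204 (ignored event) before ever touching the lock.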