Project_Velocity/infrastructure/desineuron_ingress

Desineuron Ingress

This directory contains the reproducible bootstrap artifacts for the desineuron-ingress-01 EC2 node.

Architecture:

• EC2 t4g.micro on-demand in us-east-1
• Amazon Linux 2023 ARM64
• 20 GB gp3 root volume
• Caddy as the public HTTPS edge
• rathole as the reverse TCP relay from the Linux origin box

Traffic model:

• Public DNS stays in Cloudflare
• Public HTTPS terminates on EC2
• All six public hostnames proxy through EC2 to one local relay socket
• Linux origin continues to serve the actual apps on https://localhost:443

Key files:

• user_data.sh: first-boot provisioning for the EC2 ingress node
• Caddyfile: public edge routing
• rathole-server.toml: EC2-side relay config
• rathole-client.toml: Linux-side relay config template
• install_linux_rathole_client.sh: Linux-side installer/service script
• sync_ingress_home_ip.py: detects current home public IP and updates the ingress SSH allowlist rule
• desineuron-ingress-home-ip-sync.service: systemd oneshot service for the IP sync
• desineuron-ingress-home-ip-sync.timer: persistent timer that reruns the sync every 5 minutes and on boot
• install_linux_ingress_ip_sync.sh: Linux-side installer for the IP sync service
• deploy_velocity_site.sh: canonical manual, timer, and webhook deploy entrypoint on the Linux origin
• gitea_velocity_webhook_receiver.py: authenticated Gitea push-hook receiver on Linux origin
• desineuron-velocity-gitea-webhook.service: systemd service for the webhook receiver
• install_linux_velocity_webhook.sh: targeted installer for the webhook receiver

Manual Cloudflare work still required unless API credentials are provided:

• set the six hostnames to DNS-only
• point them to the ingress Elastic IP
• retire the Cloudflare Tunnel routes once public validation passes

Dynamic home IP handling:

• rathole control port 2333/tcp is intentionally open on the ingress so public services do not break when the ISP IP changes
• SSH fallback on the ingress remains restricted to the current home public IP on 22/tcp
• the Linux-side IP sync service keeps that SSH fallback rule current after ISP churn or reboot

Project Velocity deploy triggers:

• Manual:
  • sudo systemctl start desineuron-velocity-site-update.service
  • or sudo /usr/local/bin/deploy_velocity_site.sh
• Timer:
  • desineuron-velocity-site-update.timer
• Webhook:
  • https://velocity.desineuron.in/hooks/gitea/project-velocity
  • secret is stored in /etc/desineuron-velocity-webhook.env
  • only push events for refs/heads/main on sagnik/Project_Velocity trigger deploy

Webhook design:

• receiver binds 127.0.0.1:8788 only
• nginx proxies the public HTTPS hook path to the local receiver
• signature is verified with X-Gitea-Signature
• deploy execution is serialized with flock so overlapping pushes cannot race each other