Commit Graph

17 Commits

Author SHA1 Message Date
nineap 4a8816b908 Build the Caddy image in CI instead of on the dev VPS
The previous deploy attempt confirmed the failure mode directly: `docker
compose build caddy` over SSH got most of the way through compiling
xcaddy (downloading Go modules) and then the whole SSH command hit
appleboy/ssh-action's timeout mid-build, aborting the deploy before it
ever reached `up -d`. Compiling anything on that VPS was already a
deliberate anti-pattern here — see DEPLOYMENT.md's "compilation happens
in GitHub Actions, never on the VPS" — this just hadn't been applied to
the new Caddy service yet.

Added a build-caddy job to build.yml pushing
ghcr.io/nineap/netrunner-caddy-cloudflare:latest (hardcoded lowercase
owner — github.repository_owner resolves to "nineAp" and Docker rejects
mixed-case image refs, same fix already applied to the main image's
deploy script). docker-compose.dev-remote.yml now just pulls that image;
deploy.yml no longer builds it over SSH or ships Dockerfile.caddy to the
server at all.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-05 13:52:07 +07:00
nineap d22cd0de41 Add Caddy for real TLS on dev — Telegram Web Apps require https://
Bot buttons that open a Web App (Личный Кабинет/Тарифы/Синдикат) appeared
to load and then silently do nothing on the dev stand. Root cause:
teloxide's WebAppInfo::url (and the underlying Bot API) requires an HTTPS
URL — Telegram's client refuses to render a Web App served over plain
HTTP, with no error surfaced to the user, just a stuck loading state.
WEB_APP_BASE_URL was http://dev.netrunner-vpn.com:8080.

Port 443 on the dev VPS is already in use by a VPN node, and port 80 is
closed, so a normal HTTP-01 ACME challenge won't work. Added a custom
Caddy build (caddy-dns/cloudflare) terminating TLS via DNS-01 on port
8443 instead, reverse-proxying to the existing plain-HTTP app container.
WEB_APP_BASE_URL and the CORS/CSRF allowlists now point at the :8443
origin, and COOKIE_SECURE reverts to true (the default, matching prod) —
now that the backend actually has real TLS to serve it over, we no
longer need the plain-HTTP workaround introduced for the earlier
cookie-drop bug. Verified the custom image builds and the Caddyfile
validates (only the dummy Cloudflare token used for the local test is
rejected, as expected).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-04 19:36:38 +07:00
nineap 588adbb92b fix: lowercase GHCR image path, drop broken SSH env-forwarding in prod deploy too
github.repository_owner resolves to "nineAp" (mixed case), which Docker
rejects as an invalid repository reference — hardcode the lowercase
"nineap" used by the GHCR package and the compose files' image default.
Also apply the same secrets-interpolation fix from the dev job to
deploy-prod so a future manual prod deploy doesn't hit the same
"password is empty" failure from unforwarded SSH env vars.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-04 12:55:59 +07:00
nineap 7da6e341d1 fix: stop relying on SSH env-var forwarding for GHCR_TOKEN in dev deploy
appleboy/ssh-action's envs: mechanism forwards vars via SSH SendEnv,
which sshd silently drops unless AcceptEnv is configured server-side.
On the freshly bootstrapped dev VPS that left GHCR_TOKEN empty on the
remote end, so `docker login --password-stdin` failed with "password
is empty" even though the SSH connection itself was fine. Interpolate
the secret directly into the script text instead.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-04 12:48:54 +07:00
nineap 465570267d ci: split deploy pipeline into dev (auto) and prod (manual) jobs
Add slim docker-compose.dev-remote.yml (app+db+redis, no monitoring)
for the remote dev VPS, and a deploy-dev job that auto-runs after a
successful image build on main. Bump Dockerfile.dev's Rust image so
edition2024 dependencies build. Stop tracking .env.dev (real secrets
were committed) in favor of .env.dev.example / .env.dev-remote.example
templates.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
2026-07-03 15:56:16 +07:00
Kirill f06cc48763 security: fix CSRF/ownership/timing vulns; add billing reconciliation
- auth/guard: добавить CSRF-проверку Origin/Referer для cookie-мутаций,
  исправить инвертированную логику admin_guard (пускал всех, блокировал админов),
  перевести admin_guard на from_fn_with_state
- auth/service: timing-safe сравнение HMAC через verify_slice вместо != по hex;
  криптостойкий Seed через Alphanumeric (был цифровой 0-9)
- billing: confirm_payment проверяет owner (caller_id == invoice.user_id);
  активация триала только для Telegram-аккаунтов (Sybil-защита);
  реализована reconcile_pending_payments — сверка blockchain->pending-инвойсы
- billing/providers: get_recent_transactions перенесён в трейт PaymentProvider
- nodes/service: unwrap() -> map_err по всему SSH-пути; убран TcpStream import
- docker: multi-stage build с cargo-chef, non-root user, healthcheck;
  prod-compose добавляет one-shot migrate-сервис, убирает проброс порта БД
- deploy.yml: параметр image_tag, set -e, pull всего стека вместо только app
- users/service: обработка NO_TICKETS / NO_USER из БД вместо catch-all

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-29 17:58:24 +07:00
nineap 26d6f2db8a deploy change, update token system, fix abuses and add admin verify 2026-05-26 12:50:25 +07:00
nineap 693e48af59 backend sliced by modules 2026-05-02 18:24:57 +07:00
nineap b3543c8fac deploy update 2026-04-28 19:43:57 +07:00
nineap fb88fd34a8 update and fixes 2026-04-28 18:08:56 +07:00
nineap 2e673a18ba deploy update 2026-04-28 16:19:38 +07:00
nineap 9b4190f20e pipeline update 2026-04-28 16:07:40 +07:00
nineap 3a9c3b59ca pipeline update 2026-04-28 15:27:14 +07:00
nineap 75312d035a api fixes 2026-04-24 15:06:54 +07:00
nineap 5aecd41d4f update pipeline, create cache, optimized build 2026-04-23 14:50:36 +07:00
nineap 0ea37900bd pipeline update 2026-04-23 14:47:46 +07:00
nineap 4057d039b8 pipeline and codebase updates 2026-04-22 10:16:58 +07:00