cinny: version-control the production nginx site config
Lint / Shell (shellcheck) (push) Successful in 7s
Lint / JS (eslint) (push) Successful in 6s
Lint / Python (ruff) (push) Successful in 5s
Lint / Python deps (pip-audit) (push) Successful in 50s
Lint / Secret scan (gitleaks) (push) Successful in 9s

The chat.lotusguild.org nginx config (LXC 106) was edited directly on the box
and never tracked — which is how its CSP drifted (kept a dead Sentry URL and
blocked matrix.org logins). Snapshot it as cinny/nginx.conf (verbatim from prod,
incl. the corrected connect-src that now allows matrix.org/*.matrix.org) and
deploy it via lxc106-cinny.sh: back up the live file, swap, `nginx -t`, and
reload only on success (auto-restore the backup if validation fails, so a bad
config can't take the site down). TLS terminates at the NPM proxy, so this is a
plain HTTP server block with no secrets.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 13:14:49 -04:00
parent 45444e5118
commit 40ceb43672
2 changed files with 100 additions and 3 deletions
+21 -3
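The commit message describes the deploy step as "back up the live file, swap, `nginx -t`, reload only on success, restore the backup on failure". As an added example, not the repository's lxc106-cinny.sh and not what this commit deploys, here is that step written as a reusable function that also returns a non-zero status when validation fails, copes with a first deploy where no live file exists yet, and stages the new file through an atomic rename. The validate and reload commands are parameters so the function can be exercised without nginx; `NGINX_BACKUP_DIR` and its default path are assumptions.

```shell
#!/bin/bash
# Added example, not the repository's lxc106-cinny.sh: a reusable
# "back up, swap, validate, reload or restore" step for one nginx site file.
#
#   deploy_site_config LIVE NEW VALIDATE_CMD RELOAD_CMD
#
#   LIVE          the deployed file (the real file, not a sites-enabled symlink);
#                 may not exist yet on a freshly rebuilt container
#   NEW           the repo copy to deploy
#   VALIDATE_CMD  shell string run to validate the result, e.g. "nginx -t"
#   RELOAD_CMD    shell string run only when validation passes,
#                 e.g. "systemctl reload nginx"
#
# Returns 0 after a successful reload and 1 after a failed validation (the
# previous file is put back), so a caller under `set -e` stops and the webhook
# run is reported as failed instead of green.
#
# NGINX_BACKUP_DIR (assumed name, default below) holds the backups; keeping them
# outside /etc/nginx means no `include` glob can ever load one as a server block.
deploy_site_config() {
    local live="$1" new="$2" validate_cmd="$3" reload_cmd="$4"
    local backup_dir backup="" tmp
    backup_dir="${NGINX_BACKUP_DIR:-/var/backups/nginx-sites}"
    mkdir -p "$backup_dir"

    # Snapshot the live file only if there is one to restore later.
    if [ -f "$live" ]; then
        backup="$(mktemp "$backup_dir/$(basename "$live").bak-$(date +%Y%m%d%H%M%S).XXXXXX")"
        cp -p "$live" "$backup"
    fi

    # Stage the new file next to the target and rename it into place: the
    # rename is atomic, so nginx can never read a half-written file.
    tmp="$(mktemp "$(dirname "$live")/.$(basename "$live").XXXXXX")"
    cp "$new" "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$live"

    if sh -c "$validate_cmd"; then
        sh -c "$reload_cmd"
        echo "deployed $live (backup: ${backup:-none})"
        return 0
    fi

    # Validation failed: put the previous file back (or remove the new one
    # if this was the first deploy) and report failure to the caller.
    echo "validation failed for $live; previous config restored" >&2
    if [ -n "$backup" ]; then
        cp -p "$backup" "$live"
    else
        rm -f "$live"
    fi
    return 1
}

# Usage in a deploy hook (paths as in the commit; the guard makes a failed
# validation visible to the hook runner instead of a green run):
#   if ! deploy_site_config /etc/nginx/sites-available/cinny \
#        "$REPO_DIR/cinny/nginx.conf" "nginx -t" "systemctl reload nginx"; then
#       exit 1
#   fi
```

Passing the real file under sites-available (not the sites-enabled symlink) matters: `mv -f` replaces the path it is given, so pointing it at the symlink would turn the symlink into a regular file. The function validates the whole nginx configuration, exactly as `nginx -t` does, so a broken unrelated site file will also roll this file back; the nginx error output names the offending file, so leave stderr visible in the hook log.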
@@ -1,7 +1,8 @@
#!/bin/bash
# Auto-deploy script for LXC 106 (cinny)
# Handles: cinny/config.json, cinny/upstream-check.sh, cinny/lotus-build.sh,
# deploy/hooks-lxc106.json, systemd/cinny-upstream-check.cron
# Handles: cinny/config.json, cinny/nginx.conf, cinny/upstream-check.sh,
# cinny/lotus-build.sh, deploy/hooks-lxc106.json,
# systemd/cinny-upstream-check.cron
# Triggered by: Gitea webhook on push to main
set -euo pipefail
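Review bot: the header comment now lists cinny/nginx.conf among the handled files but still does not say under which account the script has to run; deploying that file means writing under /etc/nginx/sites-available and running `systemctl reload nginx`, which an unprivileged webhook runner cannot do. State the required privilege next to `Triggered by:` (root, or a sudo rule limited to the copy, `nginx -t` and the reload), so the hook's identity can be scoped to exactly those operations rather than a general root shell.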
@@ -14,7 +15,7 @@ echo "=== $(date) === LXC106 deploy triggered ==="
if [ ! -d "$REPO_DIR/.git" ]; then
git clone "$CLONE_URL" "$REPO_DIR"
CHANGED="cinny/config.json cinny/upstream-check.sh cinny/lotus-build.sh deploy/hooks-lxc106.json systemd/cinny-upstream-check.cron"
CHANGED="cinny/config.json cinny/nginx.conf cinny/upstream-check.sh cinny/lotus-build.sh deploy/hooks-lxc106.json systemd/cinny-upstream-check.cron"
else
cd "$REPO_DIR"
git fetch --all
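Review bot: the fresh-clone fallback `CHANGED="cinny/config.json cinny/nginx.conf cinny/upstream-check.sh ..."` hard-codes the same file list the header comment carries, so both had to be edited in this change and will drift apart on the next one; define the list once in a variable and derive both the comment's source of truth and this fallback from it. Also worth a comment here: on a fresh clone the nginx block below runs unconditionally and overwrites whatever is live on the box with the repo copy, which is the intended result for a tracked config but should be stated rather than implied.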
@@ -31,6 +32,23 @@ if echo "$CHANGED" | grep -q '^cinny/config.json'; then
echo "✓ config.json deployed"
fi
if echo "$CHANGED" | grep -q '^cinny/nginx.conf'; then
echo "Deploying cinny nginx site config..."
# Back up the live config, swap in the repo copy, and validate before
# reloading. If `nginx -t` fails, restore the backup and skip the reload so
# a bad config can never take the site down.
BACKUP="/etc/nginx/sites-available/cinny.bak-$(date +%Y%m%d%H%M%S)"
cp /etc/nginx/sites-available/cinny "$BACKUP"
cp "$REPO_DIR/cinny/nginx.conf" /etc/nginx/sites-available/cinny
if nginx -t; then
systemctl reload nginx
echo "✓ nginx site config deployed + reloaded"
else
echo "✗ nginx -t FAILED — restoring previous config, skipping reload"
cp "$BACKUP" /etc/nginx/sites-available/cinny
fi
fi
if echo "$CHANGED" | grep -q '^cinny/upstream-check.sh'; then
echo "Deploying upstream-check.sh..."
cp "$REPO_DIR/cinny/upstream-check.sh" /usr/local/bin/cinny-upstream-check.sh
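Review bot: when `nginx -t` fails, the else branch restores the backup and prints a failure line but then falls through with status 0, so the Gitea webhook run stays green and the repo-versus-box drift this commit set out to eliminate reappears silently; set a failure flag or `exit 1` after the restore so the run is reported as failed. Two smaller points in the same block: `cp /etc/nginx/sites-available/cinny "$BACKUP"` aborts the whole script under `set -euo pipefail` when the live file does not exist yet (first deploy on a rebuilt container), so guard it with `[ -f /etc/nginx/sites-available/cinny ]` and skip the restore in that case; and the `.bak-*` copies are written into sites-available, which is safe only while the main config includes sites-enabled/* and nothing globs sites-available, so either keep backups outside /etc/nginx or prune them, since every push to this file adds one more.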