cinny: version-control the production nginx site config
The chat.lotusguild.org nginx config (LXC 106) was edited directly on the box and never tracked — which is how its CSP drifted (kept a dead Sentry URL and blocked matrix.org logins). Snapshot it as cinny/nginx.conf (verbatim from prod, incl. the corrected connect-src that now allows matrix.org/*.matrix.org) and deploy it via lxc106-cinny.sh: back up the live file, swap, `nginx -t`, and reload only on success (auto-restore the backup if validation fails, so a bad config can't take the site down). TLS terminates at the NPM proxy, so this is a plain HTTP server block with no secrets. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
+21
-3
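--- a/lxc106-cinny.sh
+++ b/lxc106-cinny.sh
@@ -1,7 +1,8 @@
 #!/bin/bash
 # Auto-deploy script for LXC 106 (cinny)
-# Handles: cinny/config.json, cinny/upstream-check.sh, cinny/lotus-build.sh,
-# deploy/hooks-lxc106.json, systemd/cinny-upstream-check.cron
+# Handles: cinny/config.json, cinny/nginx.conf, cinny/upstream-check.sh,
+# cinny/lotus-build.sh, deploy/hooks-lxc106.json,
+# systemd/cinny-upstream-check.cron
 # Triggered by: Gitea webhook on push to main
 set -euo pipefail
 
@@ -14,7 +15,7 @@ echo "=== $(date) === LXC106 deploy triggered ==="
 
 if [ ! -d "$REPO_DIR/.git" ]; then
 git clone "$CLONE_URL" "$REPO_DIR"
-CHANGED="cinny/config.json cinny/upstream-check.sh cinny/lotus-build.sh deploy/hooks-lxc106.json systemd/cinny-upstream-check.cron"
+CHANGED="cinny/config.json cinny/nginx.conf cinny/upstream-check.sh cinny/lotus-build.sh deploy/hooks-lxc106.json systemd/cinny-upstream-check.cron"
 else
 cd "$REPO_DIR"
 git fetch --all
@@ -31,6 +32,23 @@ if echo "$CHANGED" | grep -q '^cinny/config.json'; then
 echo "✓ config.json deployed"
 fi
 
+if echo "$CHANGED" | grep -q '^cinny/nginx.conf'; then
+echo "Deploying cinny nginx site config..."
+# Back up the live config, swap in the repo copy, and validate before
+# reloading. If `nginx -t` fails, restore the backup and skip the reload so
+# a bad config can never take the site down.
+BACKUP="/etc/nginx/sites-available/cinny.bak-$(date +%Y%m%d%H%M%S)"
+cp /etc/nginx/sites-available/cinny "$BACKUP"
+cp "$REPO_DIR/cinny/nginx.conf" /etc/nginx/sites-available/cinny
+if nginx -t; then
+systemctl reload nginx
+echo "✓ nginx site config deployed + reloaded"
+else
+echo "✗ nginx -t FAILED — restoring previous config, skipping reload"
+cp "$BACKUP" /etc/nginx/sites-available/cinny
+fi
+fi
+
 if echo "$CHANGED" | grep -q '^cinny/upstream-check.sh'; then
 echo "Deploying upstream-check.sh..."
 cp "$REPO_DIR/cinny/upstream-check.sh" /usr/local/bin/cinny-upstream-check.sh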
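Review bot: When `nginx -t` rejects the new file, the else branch in the third hunk restores the backup but the script carries on and exits 0, so the webhook run reports success although the site config was not deployed; the failure message also goes to stdout rather than stderr. Consistent with `set -euo pipefail` aborting every other failed step, the restore could be followed by `exit 1`, or — if the remaining files should still be deployed — by a flag such as `NGINX_DEPLOY_FAILED=1` (constructed name) checked at the end of the script, which lies outside this hunk; either way write the message with `echo "✗ nginx -t FAILED — restoring previous config, skipping reload" >&2`. Two smaller points: `cp /etc/nginx/sites-available/cinny "$BACKUP"` aborts the whole run under `set -e` on a host where that file does not yet exist (the description says this is a prod snapshot, so that is presumably only a first-deploy concern), and the timestamped `.bak-*` copies accumulate in sites-available with nothing pruning them.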