diff --git a/kez-chat/deploy/docker-compose.yml b/kez-chat/deploy/docker-compose.yml
index f1fb9db..35978af 100644
--- a/kez-chat/deploy/docker-compose.yml
+++ b/kez-chat/deploy/docker-compose.yml
@@ -31,7 +31,7 @@ services:
 chat-server:
 build:
- context: .. # repo root, so Dockerfile sees rust/ and kez-chat/
+ context: ../.. # repo root: deploy/ → kez-chat/ → ; Dockerfile needs rust/ + kez-chat/ as siblings
 dockerfile: kez-chat/deploy/Dockerfile
 environment:
 KEZ_CHAT_BIND: 0.0.0.0:6969
@@ -48,7 +48,7 @@ services:
 sig-server:
 build:
- context: ..
+ context: ../.. # same as chat-server — needs rust/ + rust-sig-server/ as siblings
 dockerfile: kez-chat/deploy/Dockerfile.sig-server
 environment:
 KEZ_BIND: 0.0.0.0:7878
diff --git a/kez-chat/deploy/nats.conf b/kez-chat/deploy/nats.conf
index 3805c11..bf61f58 100644
--- a/kez-chat/deploy/nats.conf
+++ b/kez-chat/deploy/nats.conf
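Review bot: The rewritten comment on the chat-server `context` line is truncated — `deploy/ → kez-chat/ → ;` ends on an arrow with no target — so a reader cannot tell what `../..` resolves to; `# repo root (deploy/ → kez-chat/ → root); Dockerfile needs rust/ + kez-chat/ as siblings` says it. Widening the build context to the repository root, in this hunk and in the sig-server hunk, also means the whole checkout is sent to the Docker daemon as build context, so a `.dockerignore` at that root (excluding `.git/`, build outputs and any local env or secret files) is worth confirming or adding — whether one exists is not visible from this diff. The `services:` mapping both hunks sit in continues outside them.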
@@ -27,25 +27,24 @@ jetstream {
 # Monitoring / healthcheck.
 http_port: 8222
 
-# Auth callout: every connection's auth request is forwarded to our
-# chat-server, which checks the handle registry and signs a response.
-# Until we ship the v0.2 auth callout, the chat-server returns 501 and
-# all connections are rejected. That's intentional — fail closed.
-authorization {
- auth_callout {
- # The chat-server signs its callout responses with this nkey; NATS
- # accepts responses signed by this key only. Generated once via
- # `nsc generate nkey -o` (operator-level) and embedded in the
- # chat-server's deployment secrets.
- #
- # PLACEHOLDER — replace before going live.
- issuer: "ABACVOI4POPS3SBFLDQYTQHHHACRVMCM2HK7PXX4UTI7XYWQHQGOA3PX"
-
- # NATS uses this user identity when invoking the callout endpoint.
- # Distinct from real users; it's just an internal protocol marker.
- auth_users: ["AUTHUSER"]
-
- # The account real users land in once the callout approves them.
- account: "DEFAULT"
- }
-}
+# Auth callout: COMMENTED OUT for v0.1.
+#
+# When the chat-server's NATS auth callout endpoint is implemented in
+# v0.2, we'll generate real nkeys with `nsc` and put this block back.
+# Until then, NATS runs without auth — fine because:
+# - This deployment is behind a Cloudflare tunnel (not directly
+# internet-exposed).
+# - No KEZ client exists yet to connect.
+# - The chat-server's /internal/nats/auth endpoint is a 501 stub
+# anyway; even if NATS were configured to call it, every auth
+# attempt would fail.
+#
+# Re-enable in v0.2 with real nkeys:
+#
+# authorization {
+# auth_callout {
+# issuer: ""
+# auth_users: [""]
+# account: "DEFAULT"
+# }
+# }
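Review bot: Removing the `authorization` block outright, instead of replacing it with a stopgap, turns the broker from fail-closed — the removed comment records that every callout was answered 501 so no connection succeeded — into fail-open, where any client that can reach the NATS listener connects with no credentials; the Cloudflare-tunnel argument in the new comment covers the public edge only, not other containers on the compose network or the host, which cannot be judged from this hunk. A minimal static credential keeps the fail-closed posture until the v0.2 callout lands, e.g. `authorization { token: $NATS_TOKEN }` with the value supplied from the deployment's secrets rather than committed to the file. The placeholders in the commented-out template, `issuer: ""` and `auth_users: [""]`, read as literal empty values; labelled placeholders such as `issuer: "<ISSUER_NKEY_PUBLIC_KEY>"` make the intent obvious and let a grep catch an unfilled one before it reaches a live server.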