From fdd281f0e23084f2ce71b5820c83270c759bc58b Mon Sep 17 00:00:00 2001
From: Tudisco
Date: Mon, 25 May 2026 11:41:44 -0600
Subject: [PATCH] deploy(nats): comment out auth_callout for v0.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The auth_callout block required a real account nkey for the issuer field and we don't have one yet — chat-server's callout endpoint is a 501 stub for v0.1 anyway. NATS was crash-looping on startup rejecting the placeholder nkey: Expected callout user to be a valid public account nkey, got "ABACVOI4POPS3SBFLDQYTQHHHACRVMCM2HK7PXX4UTI7XYWQHQGOA3PX" Commented the block out with clear notes on how to re-enable in v0.2 once we run `nsc generate nkey` for real issuer + user keys. In v0.1 NATS runs with no auth, which is fine because: - the deployment is behind a Cloudflare tunnel (not directly internet-exposed) - no KEZ client exists yet to connect - even if one did, the chat-server's callout endpoint is a stub Deployment verified live at tudisco@10.5.2.5: chat-server :6969 → {"server":"kez.lat","status":"ok","version":"0.1.0"} sig-server :7878 → {"status":"ok"} nats :4222 → INFO frame, v2.14.1, JetStream on :8222 → /varz monitoring :8443 → WebSocket transport for browser SPA
---
 kez-chat/deploy/docker-compose.yml | 4 +--
 kez-chat/deploy/nats.conf | 43 +++++++++++++++---------------
 2 files changed, 23 insertions(+), 24 deletions(-)

diff --git a/kez-chat/deploy/docker-compose.yml b/kez-chat/deploy/docker-compose.yml
index f1fb9db..35978af 100644
--- a/kez-chat/deploy/docker-compose.yml
+++ b/kez-chat/deploy/docker-compose.yml
@@ -31,7 +31,7 @@ services:
 chat-server:
 build:
- context: .. # repo root, so Dockerfile sees rust/ and kez-chat/
+ context: ../.. # repo root: deploy/ → kez-chat/ → ; Dockerfile needs rust/ + kez-chat/ as siblings
 dockerfile: kez-chat/deploy/Dockerfile
 environment:
 KEZ_CHAT_BIND: 0.0.0.0:6969
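Review bot: The added comment on the chat-server `context:` line has a dangling `→ ;` where the repo-root name was evidently dropped, so the path chain reads as unfinished; `context: ../.. # repo root (deploy/ → kez-chat/ → <repo root>); Dockerfile needs rust/ + kez-chat/ as siblings` would read cleanly. Widening the build context from `kez-chat/` to the repo root also means the entire checkout — `.git/`, any local `.env` or key material, every sibling project — is shipped to the Docker daemon on each build unless a `.dockerignore` exists at the repo root; a `.dockerignore` that lived at `kez-chat/` no longer applies at the new context, and I cannot see from the hunk whether one exists at the root, so please check. The same applies to the sig-server hunk below.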
@@ -48,7 +48,7 @@ services:
 sig-server:
 build:
- context: ..
+ context: ../.. # same as chat-server — needs rust/ + rust-sig-server/ as siblings
 dockerfile: kez-chat/deploy/Dockerfile.sig-server
 environment:
 KEZ_BIND: 0.0.0.0:7878
diff --git a/kez-chat/deploy/nats.conf b/kez-chat/deploy/nats.conf
index 3805c11..bf61f58 100644
--- a/kez-chat/deploy/nats.conf
+++ b/kez-chat/deploy/nats.conf
@@ -27,25 +27,24 @@ jetstream {
 # Monitoring / healthcheck.
 http_port: 8222
 
-# Auth callout: every connection's auth request is forwarded to our
-# chat-server, which checks the handle registry and signs a response.
-# Until we ship the v0.2 auth callout, the chat-server returns 501 and
-# all connections are rejected. That's intentional — fail closed.
-authorization {
- auth_callout {
- # The chat-server signs its callout responses with this nkey; NATS
- # accepts responses signed by this key only. Generated once via
- # `nsc generate nkey -o` (operator-level) and embedded in the
- # chat-server's deployment secrets.
- #
- # PLACEHOLDER — replace before going live.
- issuer: "ABACVOI4POPS3SBFLDQYTQHHHACRVMCM2HK7PXX4UTI7XYWQHQGOA3PX"
-
- # NATS uses this user identity when invoking the callout endpoint.
- # Distinct from real users; it's just an internal protocol marker.
- auth_users: ["AUTHUSER"]
-
- # The account real users land in once the callout approves them.
- account: "DEFAULT"
- }
-}
+# Auth callout: COMMENTED OUT for v0.1.
+#
+# When the chat-server's NATS auth callout endpoint is implemented in
+# v0.2, we'll generate real nkeys with `nsc` and put this block back.
+# Until then, NATS runs without auth — fine because:
+# - This deployment is behind a Cloudflare tunnel (not directly
+# internet-exposed).
+# - No KEZ client exists yet to connect.
+# - The chat-server's /internal/nats/auth endpoint is a 501 stub
+# anyway; even if NATS were configured to call it, every auth
+# attempt would fail.
+#
+# Re-enable in v0.2 with real nkeys:
+#
+# authorization {
+# auth_callout {
+# issuer: ""
+# auth_users: [""]
+# account: "DEFAULT"
+# }
+# }
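Review bot: With the whole `authorization` block removed, every listener this server exposes (the commit message lists client :4222, WebSocket :8443 and monitoring :8222) now accepts any connection with full publish/subscribe and JetStream access, and the retained `http_port: 8222` monitoring endpoint (/varz, /connz) is unauthenticated as well; the Cloudflare-tunnel argument only covers the Internet path, while the verification in the message shows these ports answering on 10.5.2.5, i.e. on the LAN. A cheap interim that needs no nkeys is a shared secret read from the environment, `authorization {` / `  token: $NATS_AUTH_TOKEN` / `}`, with the chat-server given the same value, together with not publishing 4222/8443/8222 on the host beyond what the tunnel needs — whether the compose file publishes them I cannot see from this hunk. The new comment should also state the resulting invariant plainly, e.g. `# v0.1 INVARIANT: nothing may reach :4222/:8443/:8222 except via the tunnel / compose network — there is no auth.`, since the removed text promised fail-closed and this change inverts it.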