deploy(nats): comment out auth_callout for v0.1
The auth_callout block required a real account nkey for the issuer
field and we don't have one yet — chat-server's callout endpoint is
a 501 stub for v0.1 anyway. NATS was crash-looping on startup
rejecting the placeholder nkey:
Expected callout user to be a valid public account nkey,
got "ABACVOI4POPS3SBFLDQYTQHHHACRVMCM2HK7PXX4UTI7XYWQHQGOA3PX"
Commented the block out with clear notes on how to re-enable in
v0.2 once we run `nsc generate nkey` for real issuer + user keys.
In v0.1 NATS runs with no auth, which is fine because:
- the deployment is behind a Cloudflare tunnel (not directly
internet-exposed)
- no KEZ client exists yet to connect
- even if one did, the chat-server's callout endpoint is a stub
Deployment verified live at tudisco@10.5.2.5:
chat-server :6969 → {"server":"kez.lat","status":"ok","version":"0.1.0"}
sig-server :7878 → {"status":"ok"}
nats :4222 → INFO frame, v2.14.1, JetStream on
:8222 → /varz monitoring
:8443 → WebSocket transport for browser SPA
parent 3d85b8e775
commit fdd281f0e2
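An added pre-deploy check, not part of this commit or of the KEZ project's code: it validates the nkeys named in an auth_callout block the same way nats-server does (prefix byte plus CRC-16/XMODEM over unpadded base32), so a placeholder like the one quoted in the commit message is caught by a lint step instead of by a crash-looping container. The function names, the `callout_block` renderer and the `COMMIT_CONF` text (reconstructed from the diff below) are this example's own; the only value taken from the page is the placeholder key. The random keys produced at the bottom are well-formed for a dry run but have no seed behind them, so the real issuer and user keys still come from `nsc generate nkey -a` / `-u` as the commit says.

```python
"""Pre-deploy lint for the nkeys in a NATS auth_callout block (added example).

A public nkey is RFC 4648 base32, no padding, over 35 bytes:
  [1 prefix byte][32-byte Ed25519 public key][CRC-16/XMODEM, little-endian]
The prefix byte is kind << 3, so the first base32 character names the kind
('A' account, 'U' user, 'O' operator, ...); the CRC is what makes nats-server
reject a hand-typed placeholder such as the one in this commit.
"""
import base64
import re

# kind -> prefix byte, as defined in the nkeys library
PREFIXES = {
    "operator": 14 << 3, "account": 0 << 3, "user": 20 << 3,
    "server": 13 << 3, "cluster": 2 << 3, "curve": 23 << 3,
}
KEY_RE = re.compile(r"[A-Z2-7]{56}")  # 35 bytes -> exactly 56 base32 chars

# Taken from the commit message: the placeholder issuer nats-server rejected.
PLACEHOLDER = "ABACVOI4POPS3SBFLDQYTQHHHACRVMCM2HK7PXX4UTI7XYWQHQGOA3PX"


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM (poly 0x1021, init 0, no reflection), as used by nkeys."""
    crc = 0
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = (crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc


def encode_public_key(kind: str, raw: bytes) -> str:
    """Encode 32 raw public-key bytes as a public nkey of the given kind."""
    if len(raw) != 32:
        raise ValueError("nkey public keys are 32 bytes")
    body = bytes([PREFIXES[kind]]) + raw
    body += crc16_xmodem(body).to_bytes(2, "little")
    return base64.b32encode(body).decode("ascii")  # 35 bytes need no '=' padding


def decode_public_key(key: str):
    """Return (kind, raw32) if key is a well-formed public nkey, else None."""
    if not KEY_RE.fullmatch(key):
        return None
    body = base64.b32decode(key)
    if body[33:] != crc16_xmodem(body[:33]).to_bytes(2, "little"):
        return None  # checksum mismatch: a typo or a made-up key
    for kind, prefix in PREFIXES.items():
        if body[0] == prefix:
            return kind, body[1:33]
    return None  # unknown prefix byte


def is_valid_public_account_key(key: str) -> bool:
    """The test nats-server applies to auth_callout.issuer."""
    decoded = decode_public_key(key)
    return decoded is not None and decoded[0] == "account"


def lint_auth_callout(conf: str) -> list[str]:
    """Flag bad nkeys in a nats.conf auth_callout block before nats-server does."""
    live = "\n".join(l for l in conf.splitlines() if not l.strip().startswith("#"))
    block = re.search(r"auth_callout\s*\{([^}]*)\}", live)
    if block is None:  # heuristic warning; matches the v0.1 state of this deployment
        return ["no auth_callout block: clients connect unauthenticated unless "
                "another authorization method is configured"]
    body = block.group(1)
    problems = []
    issuer = re.search(r'issuer:\s*"?([^"\s]+)"?', body)
    if issuer is None:
        problems.append("auth_callout has no issuer")
    elif not is_valid_public_account_key(issuer.group(1)):
        problems.append(f"issuer {issuer.group(1)!r} is not a valid public account "
                        "nkey (bad checksum or wrong prefix)")
    users = re.search(r"auth_users:\s*\[([^\]]*)\]", body)
    for name in (users.group(1).split(",") if users else []):
        name = name.strip().strip('"')
        if KEY_RE.fullmatch(name):  # nkey-style user entry: must decode as a user key
            decoded = decode_public_key(name)
            if decoded is None or decoded[0] != "user":
                problems.append(f"auth_users entry {name!r} is not a valid user nkey")
    return problems


def callout_block(issuer: str, auth_user: str, account: str = "DEFAULT") -> str:
    """Render the v0.2 block sketched in the commit with the given keys filled in."""
    return (f'authorization {{\n  auth_callout {{\n    issuer: "{issuer}"\n'
            f'    auth_users: ["{auth_user}"]\n    account: "{account}"\n  }}\n}}\n')


# Reconstructed from the diff: the commit's block, reduced to the lines that matter.
COMMIT_CONF = f'''
authorization {{
  auth_callout {{
    # PLACEHOLDER, replace before going live (comment kept from the commit).
    issuer: "{PLACEHOLDER}"
    auth_users: ["AUTHUSER"]
    account: "DEFAULT"
  }}
}}
'''

if __name__ == "__main__":
    import os
    print(lint_auth_callout(COMMIT_CONF))
    # Well-formed keys for a dry run only: random bytes have no seed behind them,
    # so for the real deploy use `nsc generate nkey -a` / `-u` as the commit says.
    acct = encode_public_key("account", os.urandom(32))
    user = encode_public_key("user", os.urandom(32))
    print(lint_auth_callout(callout_block(acct, user)))  # []
```

Run it against `deploy/nats.conf` in CI (or as a compose `pre-up` step) and fail the deploy on a non-empty list; the `no auth_callout block` warning is deliberately loud so that a config shipped with authorization removed, as in this commit, cannot go out silently.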
@ -31,7 +31,7 @@ services:

chat-server:
build:
context: .. # repo root, so Dockerfile sees rust/ and kez-chat/
context: ../.. # repo root: deploy/ → kez-chat/ → <repo root>; Dockerfile needs rust/ + kez-chat/ as siblings
dockerfile: kez-chat/deploy/Dockerfile
environment:
KEZ_CHAT_BIND: 0.0.0.0:6969
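Review bot: moving the build context to the repo root (`context: ../..`) means the whole repository, including `.git`, any Rust `target/` directories and the deployment secrets the nats.conf comments refer to, is sent to the Docker daemon for this image unless a `.dockerignore` exists at the repo root; Docker reads `.dockerignore` from the context directory, so one beside the compose file in `kez-chat/deploy/` no longer applies. Please add or verify a root-level `.dockerignore` (at least `.git`, `**/target`, and whatever holds local secrets) in the same change.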
@ -48,7 +48,7 @@ services:

sig-server:
build:
context: ..
context: ../.. # same as chat-server — needs rust/ + rust-sig-server/ as siblings
dockerfile: kez-chat/deploy/Dockerfile.sig-server
environment:
KEZ_BIND: 0.0.0.0:7878
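Review bot: neither `kez-chat/deploy/Dockerfile.sig-server` nor the chat-server Dockerfile is part of this diff, so their `COPY` paths must already be written relative to the repo root (`rust/`, `rust-sig-server/`, `kez-chat/`) for `context: ../..` to work; with the old `context: ..` the context was `kez-chat/`, where `rust-sig-server/` is not a sibling, so those builds cannot have been passing. Please confirm both images build with `docker compose build` and record that in the commit message, which currently describes only the nats.conf change.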
@ -27,25 +27,24 @@ jetstream {
# Monitoring / healthcheck.
http_port: 8222

# Auth callout: every connection's auth request is forwarded to our
# chat-server, which checks the handle registry and signs a response.
# Until we ship the v0.2 auth callout, the chat-server returns 501 and
# all connections are rejected. That's intentional — fail closed.
authorization {
auth_callout {
# The chat-server signs its callout responses with this nkey; NATS
# accepts responses signed by this key only. Generated once via
# `nsc generate nkey -o` (operator-level) and embedded in the
# chat-server's deployment secrets.
#
# PLACEHOLDER — replace before going live.
issuer: "ABACVOI4POPS3SBFLDQYTQHHHACRVMCM2HK7PXX4UTI7XYWQHQGOA3PX"

# NATS uses this user identity when invoking the callout endpoint.
# Distinct from real users; it's just an internal protocol marker.
auth_users: ["AUTHUSER"]

# The account real users land in once the callout approves them.
account: "DEFAULT"
}
}
# Auth callout: COMMENTED OUT for v0.1.
#
# When the chat-server's NATS auth callout endpoint is implemented in
# v0.2, we'll generate real nkeys with `nsc` and put this block back.
# Until then, NATS runs without auth — fine because:
# - This deployment is behind a Cloudflare tunnel (not directly
# internet-exposed).
# - No KEZ client exists yet to connect.
# - The chat-server's /internal/nats/auth endpoint is a 501 stub
# anyway; even if NATS were configured to call it, every auth
# attempt would fail.
#
# Re-enable in v0.2 with real nkeys:
#
# authorization {
# auth_callout {
# issuer: "<account nkey, generated via: nsc generate nkey -a>"
# auth_users: ["<user nkey, generated via: nsc generate nkey -u>"]
# account: "DEFAULT"
# }
# }
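Review bot: deleting the entire `authorization` block turns the fail-closed intent stated in the removed comment into fail-open, and the Cloudflare tunnel argument in the new comment does not cover it: a tunnel only governs traffic that arrives through the tunnel, while the commit message shows :4222 and the :8443 WebSocket listener answering directly on 10.5.2.5 with JetStream enabled, so anything on that host or its network can now connect anonymously, publish and subscribe on every subject, create and read JetStream streams, and pull server and connection details from :8222 without a credential. A fail-closed v0.1 that needs no callout is cheap: keep `authorization { users: [ { nkey: "U..." } ] }` (or a token supplied from the compose environment) until the callout exists, and bind the client and websocket listeners to the internal compose network rather than the host. Two smaller points on the re-enable sketch: per the NATS auth callout docs, `account` is the account the `auth_users` belong to (the account the callout service connects in), not the account real users land in as the removed comment on `account: "DEFAULT"` claimed, and each `auth_users` entry must be a user defined under that account, so the sketch also needs an `accounts { DEFAULT: { users: [ ... ] } }` entry; and the removed comment's `nsc generate nkey -o` contradicted the server's own check for an account key, so keeping the `-a` note in the re-enable block is the right correction.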