The auth_callout block required a real account nkey for the issuer
field and we don't have one yet — chat-server's callout endpoint is
a 501 stub for v0.1 anyway. NATS was crash-looping on startup
rejecting the placeholder nkey:
Expected callout user to be a valid public account nkey,
got "ABACVOI4POPS3SBFLDQYTQHHHACRVMCM2HK7PXX4UTI7XYWQHQGOA3PX"
Commented the block out with clear notes on how to re-enable in
v0.2 once we run `nsc generate nkey` for real issuer + user keys.
In v0.1 NATS runs with no auth, which is fine because:
- the deployment is behind a Cloudflare tunnel (not directly
internet-exposed)
- no KEZ client exists yet to connect
- even if one did, the chat-server's callout endpoint is a stub
Deployment verified live at tudisco@10.5.2.5:
chat-server :6969 → {"server":"kez.lat","status":"ok","version":"0.1.0"}
sig-server :7878 → {"status":"ok"}
nats :4222 → INFO frame, v2.14.1, JetStream on
:8222 → /varz monitoring
:8443 → WebSocket transport for browser SPA
51 lines
1.7 KiB
Plaintext
# NATS config for kez-chat home server.
#
# - Native NATS protocol on 4222 for CLI clients (TLS terminated by your
#   reverse proxy in production).
# - WebSocket on 8443 for the browser SPA. Also TLS-terminated upstream.
# - JetStream on for offline message buffering (durable consumers).
# - auth_callout points at our chat-server's /internal/nats/auth endpoint.
#   The chat-server is the source of truth for which nkeys are allowed
#   to connect and what subjects they can publish/subscribe to.

# Standard NATS listener (CLI clients use this).
listen: 0.0.0.0:4222

# WebSocket listener (browser SPA uses this via nats.ws).
websocket {
  port: 8443
  no_tls: true  # TLS terminated by Cloudflare tunnel / reverse proxy
}

# Persistent storage for durable consumers (offline buffering).
jetstream {
  store_dir: /data/jetstream
  max_mem: 1G
  max_file: 10G
}

# Monitoring / healthcheck.
http_port: 8222

# Auth callout: COMMENTED OUT for v0.1.
#
# When the chat-server's NATS auth callout endpoint is implemented in
# v0.2, we'll generate real nkeys with `nsc` and put this block back.
# Until then, NATS runs without auth — fine because:
# - This deployment is behind a Cloudflare tunnel (not directly
#   internet-exposed).
# - No KEZ client exists yet to connect.
# - The chat-server's /internal/nats/auth endpoint is a 501 stub
#   anyway; even if NATS were configured to call it, every auth
#   attempt would fail.
#
# Re-enable in v0.2 with real nkeys:
#
# authorization {
#   auth_callout {
#     issuer: "<account nkey, generated via: nsc generate nkey -a>"
#     auth_users: ["<user nkey, generated via: nsc generate nkey -u>"]
#     account: "DEFAULT"
#   }
# }
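As an added example (not part of this commit or the project's code), a small Python pre-flight check that mirrors what nats-server does before it accepts an `issuer` or `auth_users` value: base32-decode the string, verify the CRC-16 trailer, then check the type prefix. Running it over the config before a restart catches a placeholder or mistyped key at review time instead of crash-looping the server; the 32-byte value used to build a sample key below is constructed, not a real key.

```python
import base64

# nkeys stores the key type in the high 5 bits of byte 0, so the first
# base32 character reveals the type: 'A' account, 'U' user, 'S' seed.
PREFIX_ACCOUNT = 0
PREFIX_USER = 20 << 3
PREFIX_SEED = 18 << 3   # a seed (private) key must never appear in a server config

# The placeholder value nats-server rejected in this commit.
PLACEHOLDER_ISSUER = "ABACVOI4POPS3SBFLDQYTQHHHACRVMCM2HK7PXX4UTI7XYWQHQGOA3PX"


def crc16_xmodem(data: bytes) -> int:
    """CRC-16, polynomial 0x1021, init 0: the checksum nkeys appends to a key."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def encode_public_nkey(prefix: int, raw_public: bytes) -> str:
    """Build a public nkey string: prefix byte + 32-byte key + little-endian CRC."""
    body = bytes([prefix]) + raw_public
    trailer = crc16_xmodem(body).to_bytes(2, "little")
    return base64.b32encode(body + trailer).decode().rstrip("=")


def check_public_nkey(key: str, expected_prefix: int) -> tuple:
    """Return (ok, reason); same decode / CRC / prefix checks nkeys performs."""
    try:
        raw = base64.b32decode(key)
    except Exception:
        return False, "not valid base32"
    if len(raw) != 35:
        return False, f"decoded to {len(raw)} bytes, expected 35"
    body, stored = raw[:-2], int.from_bytes(raw[-2:], "little")
    if crc16_xmodem(body) != stored:
        return False, "CRC mismatch: placeholder, typo or truncated key"
    if body[0] != expected_prefix:
        return False, f"wrong key type (prefix byte {body[0]})"
    return True, "ok"


if __name__ == "__main__":
    print("placeholder issuer:", check_public_nkey(PLACEHOLDER_ISSUER, PREFIX_ACCOUNT))
    # Constructed 32-byte value standing in for an Ed25519 public key.
    sample = encode_public_nkey(PREFIX_ACCOUNT, bytes(range(32)))
    print("constructed account key:", sample, check_public_nkey(sample, PREFIX_ACCOUNT))
```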