dev: add parallel dev environment under /docker/dev
Near-1:1 clone of the prod remote-access stack, isolated on a new external dev_edge network and fronted by the same shared Caddy instance (dual-homed on edge + dev_edge). Dev is manual-start (not on boot). - Hostnames: app-dev / api-dev .linumiq.net, tunnels under *.dev.linumiq.net, dev tunnel ingress on port 7001. - Dev Supabase (project supabase-dev, *-dev containers), web, frps, redis, stripe-stub, bandwidth-worker with fresh independent secrets (gitignored). - Shared Caddyfile: app-dev -> web-dev, api-dev -> dev kong (+webhook block), *.dev -> frps-dev vhost. Caddy compose dual-homed on dev_edge. - On-demand-TLS authorizer (prod check-subdomain, in gitignored volumes/) extended additively: app-dev/api-dev -> 200; *.dev delegated to the dev authorizer. Prod allow-list logic unchanged. - dev.sh manual up/down/ps helper; README documents topology + secrets. Secrets, frps.toml, volumes/, web worktree and data dirs are gitignored.
This commit is contained in:
@@ -68,3 +68,41 @@ api.linumiq.net {
|
||||
header Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
||||
reverse_proxy frps:7080
|
||||
}
|
||||
|
||||
# ============================================================================
|
||||
# DEV environment (served by this same shared Caddy instance).
|
||||
# Dev upstreams live on the external "dev_edge" network; Caddy is dual-homed on
|
||||
# both "edge" (prod) and "dev_edge" (dev). On-demand TLS for these hosts is
|
||||
# authorized by the global ask endpoint, which recognises the dev hostnames.
|
||||
# ============================================================================
|
||||
|
||||
# Dev dashboard (Next.js, dev build)
|
||||
app-dev.linumiq.net {
|
||||
tls {
|
||||
on_demand
|
||||
}
|
||||
import security_headers
|
||||
reverse_proxy web-dev:3000
|
||||
}
|
||||
|
||||
# Dev Supabase API (dev Kong)
|
||||
api-dev.linumiq.net {
|
||||
tls {
|
||||
on_demand
|
||||
}
|
||||
import security_headers
|
||||
@blocked_webhooks path /functions/v1/auth-webhook* /functions/v1/stripe-webhook*
|
||||
respond @blocked_webhooks 403
|
||||
reverse_proxy supabase-dev-kong:8000
|
||||
}
|
||||
|
||||
# Dev wildcard tunnel subdomains -> dev frps vhost HTTP. More specific than
|
||||
# *.linumiq.net, so dev tunnels match here. Only HSTS injected (HA sets its own
|
||||
# framing/CSP headers).
|
||||
*.dev.linumiq.net {
|
||||
tls {
|
||||
on_demand
|
||||
}
|
||||
header Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
||||
reverse_proxy frps-dev:7080
|
||||
}
|
||||
|
||||
@@ -15,6 +15,9 @@ services:
|
||||
- ./config:/config
|
||||
networks:
|
||||
- edge
|
||||
- dev_edge
|
||||
networks:
|
||||
edge:
|
||||
external: true
|
||||
dev_edge:
|
||||
external: true
|
||||
|
||||
Reference in New Issue
Block a user