Rig (homerig) infrastructure: Caddy/cloudflared/composes/postgres/mail post-BLT
WOPR Rig ecc18888a9 SEO + security hardening (2026-06-17)
- Remove block-crawlers from 9 public sites (was serving Google Disallow:/):
  wopr.foundation, thedudeabides.shop, brainjoos, asscast, barterra,
  artjoos, folkmoot, statestreettheater, sonicforge
- Add wopr-security-headers (HSTS/nosniff/etc) to 5 sites missing it:
  wopr.systems, blackoutlabs, powerforthepeople, project2028, cyoa
- Add compatibility CSP (set-if-absent) to wopr-security snippet (Joshua-safe)
- SonicForge: inject correct title+meta description
- Add /sitemap.xml handlers: barterra, artjoos, statestreettheater
- Bump global-nav stamp to v=20260616b (site-aware Joshua + joos removal)
2026-06-17 07:50:41 -05:00
caddy         SEO + security hardening (2026-06-17)                       2026-06-17 07:50:41 -05:00
cloudflared   Initial: Rig infrastructure snapshot post-BLT 2026-05-28    2026-05-28 05:39:41 -05:00
docker        Initial: Rig infrastructure snapshot post-BLT 2026-05-28    2026-05-28 05:39:41 -05:00
mail          Initial: Rig infrastructure snapshot post-BLT 2026-05-28    2026-05-28 05:39:41 -05:00
postgres      Initial: Rig infrastructure snapshot post-BLT 2026-05-28    2026-05-28 05:39:41 -05:00
README.md     Initial: Rig infrastructure snapshot post-BLT 2026-05-28    2026-05-28 05:39:41 -05:00

wopr-rig-infra

Infrastructure config snapshot for the WOPR Rig (homerig 10.0.0.3) after the BLT consolidation push of 2026-05-20 → 2026-05-28.

This repo is the source of truth for Rig-side config — separate from individual app code, which lives in its own repos.

What's here

  • caddy/ — Rig Caddy reverse-proxy: 80+ sites-enabled/ blocks, snippets/, main Caddyfile. Caddy is the custom build (see docker/caddy/Dockerfile) with caddyserver/replace-response for global nav injection.
  • cloudflared/config.yml — tunnel ingress mapping public hostnames → local Rig services.
  • postgres/ — Rig host postgres config (postgresql.conf + pg_hba.conf) including the multi-bridge listen_addresses and pg_hba rules for the artjoos / falken / infisical_rig / forgejo / mcp / brainjoos databases.
  • docker/caddy/Dockerfile — xcaddy build adding replace-response + cloudflare DNS provider plugins to caddy:2-alpine.
  • docker/wazuh/ — Wazuh single-node compose (manager + indexer + dashboard).
  • docker/greenbone/ — Greenbone Community Containers compose.
  • docker/infisical/ — Infisical compose with network_mode: host, using the host postgres at 127.0.0.1:5432/infisical_rig.
  • docker/crowdsec-dashboard/ — Metabase dashboard for CrowdSec.
  • mail/ — postfix + opendkim configs migrated from PROD for outbound mail (Saleor / Authentik / form-submissions etc.) through protonmail-bridge.
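As an added illustration (not a file from this repo) of how the wopr-security-headers snippet described in the commit above fits into the caddy/snippets/ + sites-enabled/ layout: a named snippet that sets HSTS/nosniff-style headers unconditionally and a compatibility CSP only when the upstream app did not send its own, imported by a site block. Header values, the site name and the upstream address are assumptions.

```caddyfile
# caddy/snippets/wopr-security-headers (assumed path; example, not the repo's own file)
(wopr-security-headers) {
	header {
		# Apply after the upstream has responded, so these operate on the
		# proxied response rather than being overwritten by it.
		defer
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "SAMEORIGIN"
		Referrer-Policy "strict-origin-when-cross-origin"
		# '?' = set only if absent: an app that ships its own (stricter) CSP
		# keeps it; apps with none get this permissive compatibility policy.
		?Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:"
		# Drop the upstream's Server banner from responses.
		-Server
	}
}

# caddy/sites-enabled/example.wopr.systems (assumed site and upstream)
example.wopr.systems {
	import wopr-security-headers
	reverse_proxy 10.0.0.3:8080
}
```

Because the CSP is a default rather than an override, hardening an app later means tightening its own CSP, which will then win over the snippet without any change to the shared file.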

Sensitive values

Secrets in this repo have been sed-masked to REDACTED. The live runtime values live in:

  • Infisical (mgr.wopr.systems) for app-level secrets
  • /etc/forgejo/app.ini for git-side secrets
  • /etc/postgresql/16/main/postgresql.conf for DB-side secrets

The unredacted live files are on the Rig at the paths shown in each subdir's README.