authorDawid Rycerz <dawid@rycerz.xyz>2026-02-15 21:27:00 +0100
committerDawid Rycerz <dawid@rycerz.xyz>2026-02-15 21:27:00 +0100
commitce0dbf6b249956700c6a1705bf4ad85a09d53e8c (patch)
treed7c3236807cfbf75d7f3a355eb5df5a5e2cc4ad7 /examples
parent064a1d01c5c14f5ecc032fa9b8346a4a88b893f6 (diff)
feat: witryna 0.2.0HEADv0.2.0main
Switch, cleanup, and status CLI commands. Persistent build state via state.json. Post-deploy hooks on success and failure with WITRYNA_BUILD_STATUS. Dependency diet (axum→tiny_http, clap→argh, tracing→log). Drop built-in rate limiting. Nix flake with NixOS module. Arch Linux PKGBUILD. Centralized version management. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Diffstat (limited to 'examples')
-rw-r--r--examples/caddy/Caddyfile13
-rwxr-xr-xexamples/hooks/caddy-deploy.sh11
-rw-r--r--examples/nginx/witryna.conf8
-rw-r--r--examples/witryna.toml3
-rw-r--r--examples/witryna.yaml1
5 files changed, 32 insertions, 4 deletions
diff --git a/examples/caddy/Caddyfile b/examples/caddy/Caddyfile
index b2285f6..6502830 100644
--- a/examples/caddy/Caddyfile
+++ b/examples/caddy/Caddyfile
@@ -10,6 +10,19 @@
import /etc/caddy/sites.d/*.caddy
# Webhook endpoint — reverse proxy to Witryna
+#
+# Rate limiting: Caddy does not include built-in rate limiting.
+# Install the caddy-ratelimit module for per-IP request limiting:
+# https://github.com/mholt/caddy-ratelimit
+#
+# Example with caddy-ratelimit (uncomment after installing the module):
+# rate_limit {
+# zone webhook {
+# key {remote_host}
+# events 10
+# window 1m
+# }
+# }
witryna.example.com {
reverse_proxy 127.0.0.1:8080
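Review bot: The rate-limit example is left commented out above the `witryna.example.com` site block, so a Caddyfile copied from this example has no throttle on the webhook endpoint now that the same commit removes `rate_limit_per_minute` from witryna.toml. `rate_limit` is an HTTP handler directive, so uncommenting it where it stands would put it outside any site block; the comment should say to move it inside `witryna.example.com { … }` next to `reverse_proxy`. I would also add a line such as `# Without this module the webhook endpoint is not rate limited; {remote_host} is the direct peer, so behind another proxy all clients share one bucket.` The site block continues past the end of the hunk.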
diff --git a/examples/hooks/caddy-deploy.sh b/examples/hooks/caddy-deploy.sh
index 7f2173b..ed05f20 100755
--- a/examples/hooks/caddy-deploy.sh
+++ b/examples/hooks/caddy-deploy.sh
@@ -5,8 +5,9 @@
# Supports wildcard hosting domains and custom primary domains with redirects.
#
# Env vars from Witryna (automatic):
-# WITRYNA_SITE — site name
-# WITRYNA_PUBLIC_DIR — stable "current" symlink path (document root)
+# WITRYNA_SITE — site name
+# WITRYNA_PUBLIC_DIR — stable "current" symlink path (document root)
+# WITRYNA_BUILD_STATUS — build outcome: "success" or "failed"
#
# Env vars from [sites.env] in witryna.toml:
# BASE_DOMAIN — wildcard hosting domain (e.g. mywitrynahost.com)
@@ -37,6 +38,12 @@
set -eu
+# Only configure Caddy on successful builds
+if [ "${WITRYNA_BUILD_STATUS:-}" = "failed" ]; then
+ echo "Build failed — skipping Caddy configuration"
+ exit 0
+fi
+
SITES_DIR="${CADDY_SITES_DIR:-/etc/caddy/sites.d}"
CADDY_CONFIG="${CADDY_CONFIG:-/etc/caddy/Caddyfile}"
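Review bot: The guard added after `set -eu` skips only the exact value `failed`, so an unset, empty or unrecognised `WITRYNA_BUILD_STATUS` still falls through and rewrites the Caddy configuration, which does not match the comment "Only configure Caddy on successful builds". If older Witryna releases that do not set the variable must keep working, default it and compare against the success value instead: `if [ "${WITRYNA_BUILD_STATUS:-success}" != "success" ]; then`. The skip message is a diagnostic and would be better sent to stderr, `echo "Build failed — skipping Caddy configuration" >&2`. The rest of the script lies outside the hunk, so how the later steps behave is not visible here.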
diff --git a/examples/nginx/witryna.conf b/examples/nginx/witryna.conf
index 5f56ef2..0b92e52 100644
--- a/examples/nginx/witryna.conf
+++ b/examples/nginx/witryna.conf
@@ -7,6 +7,11 @@
# TLS is not configured here — use certbot or similar to add certificates:
# sudo certbot --nginx -d my-site.example.com -d witryna.example.com
+# Rate limiting: 10 requests per minute per source IP for webhook endpoints.
+# Place this directive at the http {} level (outside server blocks) or in a
+# separate file included from nginx.conf.
+limit_req_zone $binary_remote_addr zone=witryna_webhooks:10m rate=10r/m;
+
# Public site — serves your built static files
server {
listen 80;
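Review bot: The zone added by `limit_req_zone` is keyed on `$binary_remote_addr`, which is the address of the directly connected peer; if this nginx sits behind a CDN or load balancer, every webhook sender shares one 10r/m bucket and a single noisy client can get legitimate deliveries rejected. The comment should say so, e.g. `# Behind another proxy, configure the realip module (set_real_ip_from / real_ip_header) so the key is the real client address.` The same zone is consumed by the `limit_req` lines in the next hunk. With the application's own limiter removed in this commit, it would also help to state that this directive is now the only throttle in front of the webhook endpoint.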
@@ -36,6 +41,9 @@ server {
deny all;
}
+ limit_req zone=witryna_webhooks burst=5 nodelay;
+ limit_req_status 429;
+
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
diff --git a/examples/witryna.toml b/examples/witryna.toml
index 6256d63..a76e4bb 100644
--- a/examples/witryna.toml
+++ b/examples/witryna.toml
@@ -6,7 +6,6 @@ container_runtime = "podman"
base_dir = "/var/lib/witryna"
log_dir = "/var/log/witryna"
log_level = "info"
-rate_limit_per_minute = 10
max_builds_to_keep = 5
# git_timeout = "2m" # default: 60s, range: 5s..1h
@@ -48,7 +47,7 @@ max_builds_to_keep = 5
# # command = "npm ci && npm run build"
# # public = "dist"
#
-# # Post-deploy hook (30s timeout, non-fatal)
+# # Post-deploy hook (runs on success and failure, 30s timeout, non-fatal)
# # post_deploy = ["systemctl", "reload", "nginx"]
#
# # Caddy auto-configuration (see examples/hooks/caddy-deploy.sh)
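Review bot: The updated comment says the hook now runs on failure as well, but the example directly below it, `post_deploy = ["systemctl", "reload", "nginx"]`, takes no account of the outcome, and hooks written for the old success-only behaviour will now also fire after a failed build. The comment should point at the variable that carries the result: `# # Post-deploy hook (runs on success and failure, 30s timeout, non-fatal; check WITRYNA_BUILD_STATUS in the hook)`. The removal of `rate_limit_per_minute` in the first hunk of this file comes with no note for existing configs; whether the parser rejects or ignores the stale key cannot be seen from here.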
diff --git a/examples/witryna.yaml b/examples/witryna.yaml
index 3d6a09f..3104718 100644
--- a/examples/witryna.yaml
+++ b/examples/witryna.yaml
@@ -1,3 +1,4 @@
+---
# witryna.yaml — per-repository build configuration
# Place this file in the root of your Git repository.
# Supported filenames: .witryna.yaml, .witryna.yml, witryna.yaml, witryna.yml