feat: witryna 0.2.0HEADv0.2.0main

Switch, cleanup, and status CLI commands. Persistent build state via
state.json. Post-deploy hooks on success and failure with
WITRYNA_BUILD_STATUS. Dependency diet (axum→tiny_http, clap→argh,
tracing→log). Drop built-in rate limiting. Nix flake with NixOS module.
Arch Linux PKGBUILD. Centralized version management.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

1 files changed, 8 insertions, 0 deletions

diff --git a/examples/nginx/witryna.conf b/examples/nginx/witryna.conf
index 5f56ef2..0b92e52 100644
--- a/examples/nginx/witryna.conf
+++ b/examples/nginx/witryna.conf
@@ -7,6 +7,11 @@
 # TLS is not configured here — use certbot or similar to add certificates:
 #   sudo certbot --nginx -d my-site.example.com -d witryna.example.com
 
+# Rate limiting: 10 requests per minute per source IP for webhook endpoints.
+# Place this directive at the http {} level (outside server blocks) or in a
+# separate file included from nginx.conf.
+limit_req_zone $binary_remote_addr zone=witryna_webhooks:10m rate=10r/m;
+
 # Public site — serves your built static files
 server {
     listen 80;
@@ -36,6 +41,9 @@ server {
             deny all;
         }
 
+        limit_req zone=witryna_webhooks burst=5 nodelay;
+        limit_req_status 429;
+
         proxy_pass http://127.0.0.1:8080;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;