Diffstat (limited to 'examples')
| -rw-r--r-- | examples/caddy/Caddyfile | 13 | ||||
| -rwxr-xr-x | examples/hooks/caddy-deploy.sh | 11 | ||||
| -rw-r--r-- | examples/nginx/witryna.conf | 8 | ||||
| -rw-r--r-- | examples/witryna.toml | 3 | ||||
| -rw-r--r-- | examples/witryna.yaml | 1 |
5 files changed, 32 insertions, 4 deletions
diff --git a/examples/caddy/Caddyfile b/examples/caddy/Caddyfile
index b2285f6..6502830 100644
--- a/examples/caddy/Caddyfile
+++ b/examples/caddy/Caddyfile
@@ -10,6 +10,19 @@ import /etc/caddy/sites.d/*.caddy
 # Webhook endpoint — reverse proxy to Witryna
+#
+# Rate limiting: Caddy does not include built-in rate limiting.
+# Install the caddy-ratelimit module for per-IP request limiting:
+# https://github.com/mholt/caddy-ratelimit
+#
+# Example with caddy-ratelimit (uncomment after installing the module):
+# rate_limit {
+# zone webhook {
+# key {remote_host}
+# events 10
+# window 1m
+# }
+# }
 witryna.example.com {
 reverse_proxy 127.0.0.1:8080
diff --git a/examples/hooks/caddy-deploy.sh b/examples/hooks/caddy-deploy.sh
index 7f2173b..ed05f20 100755
--- a/examples/hooks/caddy-deploy.sh
+++ b/examples/hooks/caddy-deploy.sh
@@ -5,8 +5,9 @@
 # Supports wildcard hosting domains and custom primary domains with redirects.
 #
 # Env vars from Witryna (automatic):
-# WITRYNA_SITE — site name
-# WITRYNA_PUBLIC_DIR — stable "current" symlink path (document root)
+# WITRYNA_SITE — site name
+# WITRYNA_PUBLIC_DIR — stable "current" symlink path (document root)
+# WITRYNA_BUILD_STATUS — build outcome: "success" or "failed"
 #
 # Env vars from [sites.env] in witryna.toml:
 # BASE_DOMAIN — wildcard hosting domain (e.g. mywitrynahost.com)
@@ -37,6 +38,12 @@ set -eu
+# Only configure Caddy on successful builds
+if [ "${WITRYNA_BUILD_STATUS:-}" = "failed" ]; then
+ echo "Build failed — skipping Caddy configuration"
+ exit 0
+fi
+
 SITES_DIR="${CADDY_SITES_DIR:-/etc/caddy/sites.d}"
 CADDY_CONFIG="${CADDY_CONFIG:-/etc/caddy/Caddyfile}"
diff --git a/examples/nginx/witryna.conf b/examples/nginx/witryna.conf
index 5f56ef2..0b92e52 100644
--- a/examples/nginx/witryna.conf
+++ b/examples/nginx/witryna.conf
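Review bot: The commented caddy-ratelimit example keys its zone on `{remote_host}`, which is the address of the TCP peer; if Caddy itself sits behind a load balancer or CDN, every webhook request arrives from that hop and shares a single 10-per-minute bucket instead of being limited per client. A comment beside `key {remote_host}` would save operators that surprise, e.g. `#     (behind another proxy, key on {client_ip} and configure trusted_proxies)` — assuming the Caddy build in use provides that placeholder. The `witryna.example.com` site block that follows the comment continues outside the hunk.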
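Review bot: The new guard in caddy-deploy.sh skips only when `WITRYNA_BUILD_STATUS` is exactly `failed`, so an empty string or any other value Witryna might report in future still rewrites the Caddy site configuration for a build that did not succeed. The header comment added in the first hunk documents the values as `"success"` or `"failed"`, so an allow-list is safer and still keeps older Witryna versions working if they do not export the variable: `if [ "${WITRYNA_BUILD_STATUS:-success}" != "success" ]; then` with the message changed to `echo "Build status '${WITRYNA_BUILD_STATUS}' — skipping Caddy configuration"`. The remainder of the script, which consumes `SITES_DIR` and `CADDY_CONFIG`, lies outside the hunk.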
@@ -7,6 +7,11 @@
 # TLS is not configured here — use certbot or similar to add certificates:
 # sudo certbot --nginx -d my-site.example.com -d witryna.example.com
+# Rate limiting: 10 requests per minute per source IP for webhook endpoints.
+# Place this directive at the http {} level (outside server blocks) or in a
+# separate file included from nginx.conf.
+limit_req_zone $binary_remote_addr zone=witryna_webhooks:10m rate=10r/m;
+
 # Public site — serves your built static files
 server {
 listen 80;
@@ -36,6 +41,9 @@ server {
 deny all;
 }
+ limit_req zone=witryna_webhooks burst=5 nodelay;
+ limit_req_status 429;
+
 proxy_pass http://127.0.0.1:8080;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
diff --git a/examples/witryna.toml b/examples/witryna.toml
index 6256d63..a76e4bb 100644
--- a/examples/witryna.toml
+++ b/examples/witryna.toml
@@ -6,7 +6,6 @@ container_runtime = "podman"
 base_dir = "/var/lib/witryna"
 log_dir = "/var/log/witryna"
 log_level = "info"
-rate_limit_per_minute = 10
 max_builds_to_keep = 5
 # git_timeout = "2m" # default: 60s, range: 5s..1h
@@ -48,7 +47,7 @@ max_builds_to_keep = 5
 # # command = "npm ci && npm run build"
 # # public = "dist"
 #
-# # Post-deploy hook (30s timeout, non-fatal)
+# # Post-deploy hook (runs on success and failure, 30s timeout, non-fatal)
 # # post_deploy = ["systemctl", "reload", "nginx"]
 #
 # # Caddy auto-configuration (see examples/hooks/caddy-deploy.sh)
diff --git a/examples/witryna.yaml b/examples/witryna.yaml
index 3d6a09f..3104718 100644
--- a/examples/witryna.yaml
+++ b/examples/witryna.yaml
@@ -1,3 +1,4 @@
+---
 # witryna.yaml — per-repository build configuration
 # Place this file in the root of your Git repository.
 # Supported filenames: .witryna.yaml, .witryna.yml, witryna.yaml, witryna.yml
|
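Review bot: The new comment above `limit_req_zone` tells the reader to "place this directive at the http {} level", yet the directive is already active at the top of this file next to the `server` blocks, which is only valid if the file is included from inside `http {}` (as a conf.d snippet is); stating that precondition directly, e.g. `# Valid only when this file is included from within http {} (e.g. /etc/nginx/conf.d/); limit_req_zone cannot live inside server {}`, removes the ambiguity. Separately, `$binary_remote_addr` is the connecting peer's address, so if nginx runs behind a load balancer or CDN all webhook traffic shares one 10r/m bucket; a line such as `# Behind another proxy, configure set_real_ip_from / real_ip_header so the zone keys on the real client` would flag that. The `location` block that receives `limit_req` in the second hunk starts outside the hunk, so its matched path is not visible here.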
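Review bot: Removing `rate_limit_per_minute = 10` from the example leaves nothing in witryna.toml telling an operator that webhook throttling now has to come from the reverse proxy, so someone who copies this file without the nginx or Caddy snippets ends up with an unthrottled endpoint (presumably the application-side limiter was dropped in code outside this examples-only diffstat). A comment at the removal site keeps the migration visible: `# Webhook rate limiting is configured in the reverse proxy — see examples/nginx/witryna.conf and examples/caddy/Caddyfile`. If the application rejects unknown keys, existing configs that still carry the old key would fail to load after upgrading, which is worth a deprecation note if that is the case. The second hunk's "runs on success and failure" wording matches the `WITRYNA_BUILD_STATUS` handling added to caddy-deploy.sh.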
