From ce0dbf6b249956700c6a1705bf4ad85a09d53e8c Mon Sep 17 00:00:00 2001
From: Dawid Rycerz <dawid@rycerz.xyz>
Date: Sun, 15 Feb 2026 21:27:00 +0100
Subject: feat: witryna 0.2.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Switch, cleanup, and status CLI commands. Persistent build state via
state.json. Post-deploy hooks on success and failure with
WITRYNA_BUILD_STATUS. Dependency diet (axum→tiny_http, clap→argh,
tracing→log). Drop built-in rate limiting. Nix flake with NixOS module.
Arch Linux PKGBUILD. Centralized version management.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 examples/nginx/witryna.conf | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'examples/nginx/witryna.conf')

diff --git a/examples/nginx/witryna.conf b/examples/nginx/witryna.conf
index 5f56ef2..0b92e52 100644
--- a/examples/nginx/witryna.conf
+++ b/examples/nginx/witryna.conf
@@ -7,6 +7,11 @@
 # TLS is not configured here — use certbot or similar to add certificates:
 #   sudo certbot --nginx -d my-site.example.com -d witryna.example.com
 
+# Rate limiting: 10 requests per minute per source IP for webhook endpoints.
+# Place this directive at the http {} level (outside server blocks) or in a
+# separate file included from nginx.conf.
+limit_req_zone $binary_remote_addr zone=witryna_webhooks:10m rate=10r/m;
+
 # Public site — serves your built static files
 server {
     listen 80;
@@ -36,6 +41,9 @@ server {
             deny all;
         }
 
+        limit_req zone=witryna_webhooks burst=5 nodelay;
+        limit_req_status 429;
+
         proxy_pass http://127.0.0.1:8080;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
-- 
cgit v1.2.3