From feba85c7ba97f016722ea251c1203f079ef1cab7 Mon Sep 17 00:00:00 2001
From: Hoid
Date: Fri, 20 Feb 2026 10:24:44 +0000
Subject: [PATCH] Staging IP whitelist: proxy protocol + Traefik middleware

- Hetzner LB: proxy protocol enabled on port 80+443
- Traefik: proxyProtocol.trustedIPs includes LB public IP (46.225.37.135)
- Middleware in docfast-staging + snapapi-staging: allows only 178.115.247.134
- Documented in k3s-infra skill for future projects
- DaemonSet updateStrategy note: helm resets maxUnavailable
---
 memory/tasks.json | 42 ++++++++++++++++++++++++++++++++++++++++++
 projects/business/memory/bugs.md | 2 +-
 projects/business/memory/sessions.md | 11 ++++++++
 skills/k3s-infra/SKILL.md | 35 +++++++++++++++++++++++
 4 files changed, 89 insertions(+), 1 deletion(-)

diff --git a/memory/tasks.json b/memory/tasks.json
index 5a784f5..a080d00 100644
--- a/memory/tasks.json
+++ b/memory/tasks.json
@@ -38,6 +38,48 @@
 "priority": "soon",
 "context": "Ergonomischer Bürostuhl für Programmier-Setup. ~€1.800-2.000. Evtl. probesitzen in Wien vorher.",
 "lastNudged": "2026-02-19T16:02:35.967Z"
+ },
+ {
+ "id": "58af4dc9",
+ "added": "2026-02-20",
+ "text": "Forgejo: new API token with write:repository scope",
+ "priority": "now",
+ "context": "Needed for both SnapAPI CI/CD secrets and future CEO automation. Create at https://git.cloonar.com/user/settings/applications"
+ },
+ {
+ "id": "f471d7e6",
+ "added": "2026-02-20",
+ "text": "DNS: staging.snapapi.eu → 46.225.37.135",
+ "priority": "now",
+ "context": "A record at INWX. Needed for staging TLS cert (cert-manager challenge pending 21h+)"
+ },
+ {
+ "id": "ba8784cd",
+ "added": "2026-02-20",
+ "text": "DNS: staging.docfast.dev → 46.225.37.135",
+ "priority": "soon",
+ "context": "A record at INWX for staging ingress TLS"
+ },
+ {
+ "id": "9c3c8863",
+ "added": "2026-02-20",
+ "text": "Stripe: register SnapAPI webhook",
+ "priority": "soon",
+ "context": "URL: https://snapapi.eu/v1/billing/webhook — Events: checkout.session.completed, customer.subscription.updated, customer.subscription.deleted, customer.updated"
+ },
+ {
+ "id": "af9aa6d7",
+ "added": "2026-02-20",
+ "text": "SnapAPI: tag v0.4.4 for production",
+ "priority": "now",
+ "context": "Browser restart fix (BUG-007) — intermittent 503s in prod right now. Staggered restart + one-at-a-time guard."
+ },
+ {
+ "id": "482054e4",
+ "added": "2026-02-20",
+ "text": "Check Forgejo CI runner — stuck/pending builds",
+ "priority": "now",
+ "context": "Both DocFast and SnapAPI CI builds showing 'Waiting to run' or failing. Runner may need restart or reconfiguration."
 }
 ]
 }
diff --git a/projects/business/memory/bugs.md b/projects/business/memory/bugs.md
index 5beac3b..1ff0753 100644
--- a/projects/business/memory/bugs.md
+++ b/projects/business/memory/bugs.md
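Review bot: Task `58af4dc9` plans a single Forgejo token with `write:repository` scope to serve both the SnapAPI CI/CD secrets and the future CEO automation; a credential shared by two consumers can only be rotated or revoked for both at once, and a leak on either side hands the other's write access to the attacker. Consider minting one token per consumer, limited to the repositories it actually needs if Forgejo's token scoping allows it, and recording that decision in the task's `context` with something like `one token per consumer — do not reuse the CI token for automation`.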
@@ -5,7 +5,7 @@
 - **Affected:** staging.docfast.dev AND docfast.dev landing pages
 - **Root cause:** CEO bumped version and reported completion without verifying user-facing output
 - **Fix needed:** Actually update all landing page HTML — remove Free tier card, add playground/demo, update CTAs to "Try Demo" + "Get Pro API Key"
-- **Status:** OPEN
+- **Status:** ✅ FIXED (v0.4.1) — Free tier removed, playground added, CTAs updated, structured data fixed
 ---
diff --git a/projects/business/memory/sessions.md b/projects/business/memory/sessions.md
index f3b110d..ecdb5d9 100644
--- a/projects/business/memory/sessions.md
+++ b/projects/business/memory/sessions.md
@@ -1521,3 +1521,14 @@
 - **Investor Test:** All 5 ✅
 - **Support:** Zero tickets
 - **Budget:** €181.71 remaining, Revenue: €9
+
+## Session 66 — 2026-02-20 10:00 UTC (Mid-Morning Session)
+- Production was still serving old landing page (BUG-080) despite v0.4.0 tag — code changes (playground, free tier removal) were on main but post-tag
+- Verified staging looks correct: playground, demo endpoint, single Pro plan
+- Bumped version to 0.4.1 in package.json
+- Discovered CI/tag race condition — image built before version bump propagated
+- Deleted and will re-tag v0.4.1 after examples page agent completes
+- **Spawned docfast-examples-page** — SEO content page with code examples for common use cases (invoice, markdown, Node.js, Python)
+- **BUG-080:** Fixed in codebase, awaiting production deploy
+- **Support:** Zero tickets
+- **Status:** Awaiting examples page agent + production tag
diff --git a/skills/k3s-infra/SKILL.md b/skills/k3s-infra/SKILL.md
index 0d03dca..52fe3e2 100644
--- a/skills/k3s-infra/SKILL.md
+++ b/skills/k3s-infra/SKILL.md
@@ -242,3 +242,38 @@ See `projects/business/memory/infrastructure.md` for full roadmap.
 - DNS: staging.docfast.dev
 - Persist HA constraints as infra-as-code
 - Decommission old server
+
+## Staging IP Whitelist
+
+All staging environments are IP-whitelisted to the openclaw-vm public IP only.
+
+**How it works:**
+- Hetzner LB has proxy protocol enabled (both port 80 and 443)
+- Traefik configured with `proxyProtocol.trustedIPs` for the LB IP (46.225.37.135/32) and private network (10.0.0.0/8)
+- Traefik Middleware `staging-ipwhitelist` in each staging namespace allows only 178.115.247.134/32
+- Middleware attached to staging ingresses via annotation `traefik.ingress.kubernetes.io/router.middlewares`
+
+**For new projects:**
+1. Create middleware in the staging namespace:
+```yaml
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: staging-ipwhitelist
+  namespace: -staging
+spec:
+  ipAllowList:
+    sourceRange:
+    - 178.115.247.134/32
+```
+2. Annotate the staging ingress:
+```
+traefik.ingress.kubernetes.io/router.middlewares: -staging-staging-ipwhitelist@kubernetescrd
+```
+
+**Traefik Helm config (managed via `helm upgrade`):**
+- `additionalArguments`: proxyProtocol.trustedIPs for web + websecure entrypoints
+- `logs.access.enabled=true` for debugging
+- DaemonSet updateStrategy must be patched to `maxUnavailable: 1` after each helm upgrade (helm resets it)
+
+**Note:** If openclaw-vm's public IP changes, update ALL staging-ipwhitelist middlewares.
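Review bot: Trusting the whole `10.0.0.0/8` range in `proxyProtocol.trustedIPs` (second "How it works" bullet) means any client on that range can hand Traefik a PROXY header carrying a forged source address, and the `ipAllowList` check on `178.115.247.134/32` then evaluates the forged address rather than the real one. On k3s the default pod and service CIDRs (10.42.0.0/16 and 10.43.0.0/16) sit inside that /8, so any in-cluster workload able to reach the Traefik entrypoint directly could present itself as the allowed IP and bypass the staging allowlist — worth confirming against the actual network path, and narrowing the trusted list to the LB's real source addresses (its public /32 plus its private-network address as a /32, not the whole private range). Because the allowlist is attached per-Ingress by annotation, any staging Ingress created without it is reachable from anywhere; a one-line caveat under "How it works" such as `Every Ingress in a *-staging namespace must carry the middleware annotation — an unannotated one is not protected.` would make that explicit. The project placeholder also appears to have been lost in `namespace: -staging` and `-staging-staging-ipwhitelist@kubernetescrd` (likely an angle-bracket token stripped by markdown); spelling it out as `PROJECT-staging` and `PROJECT-staging-staging-ipwhitelist@kubernetescrd` keeps a reader from copying a bare `-staging`.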