openclawd/config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Staging IP whitelist: proxy protocol + Traefik middleware

Browse source 
- Hetzner LB: proxy protocol enabled on port 80+443
- Traefik: proxyProtocol.trustedIPs includes LB public IP (46.225.37.135)
- Middleware in docfast-staging + snapapi-staging: allows only 178.115.247.134
- Documented in k3s-infra skill for future projects
- DaemonSet updateStrategy note: helm resets maxUnavailable
This commit is contained in:
Hoid 2026-02-20 10:24:44 +00:00
parent 14154bd576
commit feba85c7ba
4 changed files with 89 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

42
memory/tasks.json
View file

@ -38,6 +38,48 @@
"priority": "soon", "priority": "soon",
"context": "Ergonomischer Bürostuhl für Programmier-Setup. ~€1.800-2.000. Evtl. probesitzen in Wien vorher.", "context": "Ergonomischer Bürostuhl für Programmier-Setup. ~€1.800-2.000. Evtl. probesitzen in Wien vorher.",
"lastNudged": "2026-02-19T16:02:35.967Z" "lastNudged": "2026-02-19T16:02:35.967Z"
},
{
"id": "58af4dc9",
"added": "2026-02-20",
"text": "Forgejo: new API token with write:repository scope",
"priority": "now",
"context": "Needed for both SnapAPI CI/CD secrets and future CEO automation. Create at https://git.cloonar.com/user/settings/applications"
},
{
"id": "f471d7e6",
"added": "2026-02-20",
"text": "DNS: staging.snapapi.eu → 46.225.37.135",
"priority": "now",
"context": "A record at INWX. Needed for staging TLS cert (cert-manager challenge pending 21h+)"
},
{
"id": "ba8784cd",
"added": "2026-02-20",
"text": "DNS: staging.docfast.dev → 46.225.37.135",
"priority": "soon",
"context": "A record at INWX for staging ingress TLS"
},
{
"id": "9c3c8863",
"added": "2026-02-20",
"text": "Stripe: register SnapAPI webhook",
"priority": "soon",
"context": "URL: https://snapapi.eu/v1/billing/webhook — Events: checkout.session.completed, customer.subscription.updated, customer.subscription.deleted, customer.updated"
},
{
"id": "af9aa6d7",
"added": "2026-02-20",
"text": "SnapAPI: tag v0.4.4 for production",
"priority": "now",
"context": "Browser restart fix (BUG-007) — intermittent 503s in prod right now. Staggered restart + one-at-a-time guard."
},
{
"id": "482054e4",
"added": "2026-02-20",
"text": "Check Forgejo CI runner — stuck/pending builds",
"priority": "now",
"context": "Both DocFast and SnapAPI CI builds showing 'Waiting to run' or failing. Runner may need restart or reconfiguration."
} }
] ]
} }

2
projects/business/memory/bugs.md
View file

@ -5,7 +5,7 @@
- **Affected:** staging.docfast.dev AND docfast.dev landing pages - **Affected:** staging.docfast.dev AND docfast.dev landing pages
- **Root cause:** CEO bumped version and reported completion without verifying user-facing output - **Root cause:** CEO bumped version and reported completion without verifying user-facing output
- **Fix needed:** Actually update all landing page HTML — remove Free tier card, add playground/demo, update CTAs to "Try Demo" + "Get Pro API Key" - **Fix needed:** Actually update all landing page HTML — remove Free tier card, add playground/demo, update CTAs to "Try Demo" + "Get Pro API Key"
- **Status:** OPEN - **Status:** ✅ FIXED (v0.4.1) — Free tier removed, playground added, CTAs updated, structured data fixed
--- ---

11
projects/business/memory/sessions.md
View file

@ -1521,3 +1521,14 @@
- **Investor Test:** All 5 ✅ - **Investor Test:** All 5 ✅
- **Support:** Zero tickets - **Support:** Zero tickets
- **Budget:** €181.71 remaining, Revenue: €9 - **Budget:** €181.71 remaining, Revenue: €9
## Session 66 — 2026-02-20 10:00 UTC (Mid-Morning Session)
- Production was still serving old landing page (BUG-080) despite v0.4.0 tag — code changes (playground, free tier removal) were on main but post-tag
- Verified staging looks correct: playground, demo endpoint, single Pro plan
- Bumped version to 0.4.1 in package.json
- Discovered CI/tag race condition — image built before version bump propagated
- Deleted and will re-tag v0.4.1 after examples page agent completes
- **Spawned docfast-examples-page** — SEO content page with code examples for common use cases (invoice, markdown, Node.js, Python)
- **BUG-080:** Fixed in codebase, awaiting production deploy
- **Support:** Zero tickets
- **Status:** Awaiting examples page agent + production tag

35
skills/k3s-infra/SKILL.md
View file

@ -242,3 +242,38 @@ See `projects/business/memory/infrastructure.md` for full roadmap.
- DNS: staging.docfast.dev - DNS: staging.docfast.dev
- Persist HA constraints as infra-as-code - Persist HA constraints as infra-as-code
- Decommission old server - Decommission old server
## Staging IP Whitelist
All staging environments are IP-whitelisted to the openclaw-vm public IP only.
**How it works:**
- Hetzner LB has proxy protocol enabled (both port 80 and 443)
- Traefik configured with `proxyProtocol.trustedIPs` for the LB IP (46.225.37.135/32) and private network (10.0.0.0/8)
- Traefik Middleware `staging-ipwhitelist` in each staging namespace allows only 178.115.247.134/32
- Middleware attached to staging ingresses via annotation `traefik.ingress.kubernetes.io/router.middlewares`
**For new projects:**
1. Create middleware in the staging namespace:
```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: staging-ipwhitelist
namespace: <project>-staging
spec:
ipAllowList:
sourceRange:
- 178.115.247.134/32
```
2. Annotate the staging ingress:
```
traefik.ingress.kubernetes.io/router.middlewares: <project>-staging-staging-ipwhitelist@kubernetescrd
```
**Traefik Helm config (managed via `helm upgrade`):**
- `additionalArguments`: proxyProtocol.trustedIPs for web + websecure entrypoints
- `logs.access.enabled=true` for debugging
- DaemonSet updateStrategy must be patched to `maxUnavailable: 1` after each helm upgrade (helm resets it)
**Note:** If openclaw-vm's public IP changes, update ALL staging-ipwhitelist middlewares.