From 426fe025d33354e3e5992ed3f85f781d489bd6dc Mon Sep 17 00:00:00 2001
From: Erik
Date: Wed, 24 Jun 2026 09:51:25 +0200
Subject: [PATCH] chore(go-services): ready-to-apply nginx /go/ snippet (user must sudo)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The agent cannot sudo (password required), so nginx deploy is a user step. go-services/nginx/go-location.conf holds the `location /go/` block + the `upstream tracker_go` line with apply instructions. Not required for the parallel run (the Go service is parity-verified on loopback); this is for browser-reachable /go/ access. Live overlord.conf has drifted from the repo copy — reconcile by hand, don't cp-overwrite.
Co-Authored-By: Claude Opus 4.8
---
go-services/nginx/go-location.conf | 41 ++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
create mode 100644 go-services/nginx/go-location.conf
diff --git a/go-services/nginx/go-location.conf b/go-services/nginx/go-location.conf
new file mode 100644
index 00000000..eec52819
--- /dev/null
+++ b/go-services/nginx/go-location.conf
@@ -0,0 +1,41 @@
+# Parallel-run nginx wiring for the Go tracker (dereth-tracker-go, 127.0.0.1:8770).
+#
+# Deploying needs root (the agent cannot sudo). Apply on the host:
+#
+# 1) Add the upstream to the http{} block of /etc/nginx/nginx.conf, next to the
+# existing `tracker` and `grafana` upstreams (around line 55):
+#
+# upstream tracker_go { server 127.0.0.1:8770; }
+#
+# 2) Insert the `location /go/` block below into the server{} block of
+# /etc/nginx/sites-enabled/overlord (anywhere in server{}; nginx matches the
+# longer /go/ prefix before /, so order doesn't matter). Mirror it into the
+# repo copy nginx/overlord.conf too — but note the live file has DRIFTED from
+# the repo copy, so reconcile by hand rather than cp-overwriting.
+#
+# 3) sudo nginx -t && sudo nginx -s reload
+#
+# After reload:
+# https://overlord.snakedesert.se/go/health -> 200 (public)
+# https://overlord.snakedesert.se/go/api-version -> 200 (logged-in) / 401 (no cookie)
+# https://overlord.snakedesert.se/go/live -> matches /live (same login cookie)
+#
+# The Go service is auth-gated identically to Python (session cookie + internal
+# trust), and X-Forwarded-For below is REQUIRED — without it the Go service would
+# treat all internet traffic as internal-trust and skip auth (security invariant).
+
+location /go/ {
+ proxy_pass http://tracker_go/; # trailing slash strips the /go/ prefix
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # REQUIRED — security invariant
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_cache_bypass $http_upgrade;
+ # Go will serve long-lived browser WebSockets in a later phase; match the
+ # /websocket/ and / blocks so idle sockets aren't cut at nginx's default 60s.
+ proxy_read_timeout 1d;
+ proxy_send_timeout 1d;
+}
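Review bot: The `X-Forwarded-For` line in `location /go/` uses `$proxy_add_x_forwarded_for`, which appends `$remote_addr` to whatever X-Forwarded-For value the client sent instead of replacing it, so the header that reaches the Go service still starts with client-controlled text. The file's own comment says this header is what keeps internet traffic out of the internal-trust path; the Go code is not part of this patch, so if it reads the first entry rather than the last, the trust decision rests on untrusted input. If nginx is the only proxy in front of the service, `proxy_set_header X-Forwarded-For $remote_addr;` overwrites the client value, or the service could key on `X-Real-IP`, which this block already sets from `$remote_addr`. The header comment could also state that the service fails open when the header is absent, so the invariant holds only while every route to 127.0.0.1:8770 goes through this block.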