Replicates main.py's AuthMiddleware so /go/ can be exposed safely:
- internal-trust: a private source IP AND no X-Forwarded-For header => skip auth
(covers loopback/compose callers; nginx adds XFF to all internet traffic).
- session cookie: byte-compatible itsdangerous URLSafeTimedSerializer verify
(HMAC-SHA1, django-concat key derivation sha1("itsdangerous"+"signer"+key),
Unix-epoch timestamp, urlsafe-b64 no pad, optional zlib payload), keyed on the
same SECRET_KEY. 30-day max-age. Public allowlist (/login,/logout,login assets,
/icons/,/health); 302->/login for html, 401 JSON otherwise.
Validated on the server: internal-trust loopback 200; external no-cookie 401;
html 302; valid cookie 200; tampered 401; /health public 200; and the SAME
Python-issued cookie authenticates BOTH services (cross-compat proof).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
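# Compose OVERRIDE that adds the Go services alongside the live Python stack.
# It only ADDS containers; it never modifies the tracked docker-compose.yml or
# any running Python service.
#
# Invoke from the repo root so the Compose project name resolves to
# "mosswartoverlord" (same as the live stack) and the new container joins the
# existing default network — letting it reach the `db` service by name:
#
#   cd /home/erik/MosswartOverlord
#   export BUILD_VERSION="$(date -u +%Y.%-m.%-d.%H%M)-$(git rev-parse --short HEAD)"
#   docker compose -f docker-compose.yml -f go-services/docker-compose.go.yml \
#     build dereth-tracker-go
#   docker compose -f docker-compose.yml -f go-services/docker-compose.go.yml \
#     up -d --no-deps dereth-tracker-go
#
# --no-deps keeps Compose from touching the already-running `db` (and anything
# else). The service is loopback-bound (127.0.0.1:8770); external reach is only
# ever via the host nginx `location /go/` block (added separately).
#
# Required environment (fail fast instead of silently interpolating ""):
#   POSTGRES_PASSWORD  password for the `db` service
#   SECRET_KEY         cookie-signing key shared with the Python tracker
# Optional:
#   BUILD_VERSION      build stamp baked into the image (defaults to "dev")

services:
  dereth-tracker-go:
    build:
      context: ./go-services/tracker-go
      args:
        # Quoted so a version stamp like 2026.1.5 is never read as a float.
        BUILD_VERSION: "${BUILD_VERSION:-dev}"
    container_name: dereth-tracker-go
    ports:
      # NOTE(review): the commit message says the Go auth middleware skips auth
      # for private-IP callers with no X-Forwarded-For, so this 127.0.0.1 bind is
      # part of the auth boundary — do not widen it to 0.0.0.0 or a LAN address
      # without revisiting that rule.
      - "127.0.0.1:8770:8770"
    environment:
      PORT: "8770"
      # Read-only use of the same dereth TimescaleDB the Python tracker writes.
      # NOTE(review): this connects as the `postgres` superuser although only
      # reads are intended; a dedicated read-only role would be least-privilege —
      # TODO confirm one exists before switching.
      # POSTGRES_PASSWORD is interpolated verbatim: characters reserved in URLs
      # (@ / : ? # %) would need percent-encoding to keep the URL parseable.
      # `:?` makes Compose abort if the variable is unset or empty rather than
      # producing a connection string with a blank password.
      DATABASE_URL: "postgresql://postgres:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}@db:5432/dereth"
      INVENTORY_SERVICE_URL: "http://inventory-service:8000"
      # Same signing key as the Python tracker so the same login cookie verifies
      # on both during the parallel run. `:?` aborts on an unset/empty key so the
      # service can never start signing or verifying cookies with "".
      SECRET_KEY: "${SECRET_KEY:?SECRET_KEY must be set}"
      LOG_LEVEL: "INFO"
    depends_on:
      - db
    restart: unless-stopped
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"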