Files
57_Wolve 7faa9098de feat: unified launcher, multi-OS hardening, login alerts & auto-updates
Restructure around a single entry point (automations.sh) with a Gum wizard and
a self-extracting bundle for repo-less installs. Add scripts/oslib.sh so the
provisioning scripts (setup-host, harden-ssh, harden-jumphost, sshuser) run on
Alpine/Debian/Alma; seed root keys from globals/.

- ntfy SSH-login alerts (user, source IP, key, region, jump target) via pam_exec
- daily auto-updates with AUTO_REBOOT=idle (reboots only when no SSH active) and
  opt-in Alpine stable-branch upgrades
- generic + per-deployment cloud-init; Gitea release workflow on tag
- README/LICENSE/.gitignore/.gitattributes (force LF); repo URLs -> Gitea
2026-06-12 14:56:02 -05:00

1.2 KiB

webfinger

A single Caddy container that serves /.well-known/webfinger at an apex domain (for OIDC issuer discovery — used by Tailscale and others) and 301-redirects everything else to a target URL.

Required .env values

Variable Notes
BASE_DOMAIN Apex domain to serve from (e.g. example.com).
ISSUER_URL OIDC issuer for the WebFinger response (your pocket-id).
REDIRECT_URL Where non-WebFinger traffic is redirected (path + query preserved).
ACME_EMAIL Let's Encrypt registration email.

See .env.example.

Deploy

./automations.sh        # Deploy on this host → deploy: webfinger

Or build + run the self-contained artifact:

./build.sh
scp deploy.sh root@host:
ssh root@host 'bash deploy.sh'
# non-interactive:
#   BASE_DOMAIN=example.com ISSUER_URL=https://auth.example.com \
#   REDIRECT_URL=https://example.org ACME_EMAIL=me@example.com SKIP_PROMPTS=1 bash deploy.sh

Unattended provisioning: cloud-init.yml.

Notes

  • Standalone: binds 80/443 itself, so don't co-locate with another stack that wants those ports.
  • DNS for BASE_DOMAIN must resolve to the host and 80/443 be reachable before deploy.