diff --git a/bin/disinto b/bin/disinto index bf8edc4..18179df 100755 --- a/bin/disinto +++ b/bin/disinto @@ -1488,15 +1488,28 @@ p.write_text(text) touch "${FACTORY_ROOT}/.env" fi - # Configure Forgejo and Woodpecker subpath URLs when EDGE_TUNNEL_FQDN is set + # Configure Forgejo and Woodpecker URLs when EDGE_TUNNEL_FQDN is set. + # In subdomain mode, uses per-service FQDNs at root path instead of subpath URLs. if [ -n "${EDGE_TUNNEL_FQDN:-}" ]; then - # Forgejo ROOT_URL with /forge/ subpath (note trailing slash - Forgejo needs it) - if ! grep -q '^FORGEJO_ROOT_URL=' "${FACTORY_ROOT}/.env" 2>/dev/null; then - echo "FORGEJO_ROOT_URL=https://${EDGE_TUNNEL_FQDN}/forge/" >> "${FACTORY_ROOT}/.env" - fi - # Woodpecker WOODPECKER_HOST with /ci subpath (no trailing slash for v3) - if ! grep -q '^WOODPECKER_HOST=' "${FACTORY_ROOT}/.env" 2>/dev/null; then - echo "WOODPECKER_HOST=https://${EDGE_TUNNEL_FQDN}/ci" >> "${FACTORY_ROOT}/.env" + local routing_mode="${EDGE_ROUTING_MODE:-subpath}" + if [ "$routing_mode" = "subdomain" ]; then + # Subdomain mode: Forgejo at forge..disinto.ai (root path) + if ! grep -q '^FORGEJO_ROOT_URL=' "${FACTORY_ROOT}/.env" 2>/dev/null; then + echo "FORGEJO_ROOT_URL=https://${EDGE_TUNNEL_FQDN_FORGE:-forge.${EDGE_TUNNEL_FQDN}}/" >> "${FACTORY_ROOT}/.env" + fi + # Subdomain mode: Woodpecker at ci..disinto.ai (root path) + if ! grep -q '^WOODPECKER_HOST=' "${FACTORY_ROOT}/.env" 2>/dev/null; then + echo "WOODPECKER_HOST=https://${EDGE_TUNNEL_FQDN_CI:-ci.${EDGE_TUNNEL_FQDN}}" >> "${FACTORY_ROOT}/.env" + fi + else + # Subpath mode: Forgejo ROOT_URL with /forge/ subpath (trailing slash required) + if ! grep -q '^FORGEJO_ROOT_URL=' "${FACTORY_ROOT}/.env" 2>/dev/null; then + echo "FORGEJO_ROOT_URL=https://${EDGE_TUNNEL_FQDN}/forge/" >> "${FACTORY_ROOT}/.env" + fi + # Subpath mode: Woodpecker WOODPECKER_HOST with /ci subpath (no trailing slash for v3) + if ! grep -q '^WOODPECKER_HOST=' "${FACTORY_ROOT}/.env" 2>/dev/null; then + echo "WOODPECKER_HOST=https://${EDGE_TUNNEL_FQDN}/ci" >> "${FACTORY_ROOT}/.env" + fi fi fi @@ -1603,9 +1616,15 @@ p.write_text(text) create_woodpecker_oauth "$forge_url" "$forge_repo" # Create OAuth2 app on Forgejo for disinto-chat (#708) + # In subdomain mode, callback is at chat. root instead of /chat/ subpath. local chat_redirect_uri if [ -n "${EDGE_TUNNEL_FQDN:-}" ]; then - chat_redirect_uri="https://${EDGE_TUNNEL_FQDN}/chat/oauth/callback" + local chat_routing_mode="${EDGE_ROUTING_MODE:-subpath}" + if [ "$chat_routing_mode" = "subdomain" ]; then + chat_redirect_uri="https://${EDGE_TUNNEL_FQDN_CHAT:-chat.${EDGE_TUNNEL_FQDN}}/oauth/callback" + else + chat_redirect_uri="https://${EDGE_TUNNEL_FQDN}/chat/oauth/callback" + fi else chat_redirect_uri="http://localhost/chat/oauth/callback" fi @@ -2805,15 +2824,29 @@ disinto_edge() { # Write to .env (replace existing entries to avoid duplicates) local tmp_env tmp_env=$(mktemp) - grep -Ev "^EDGE_TUNNEL_(HOST|PORT|FQDN)=" "$env_file" > "$tmp_env" 2>/dev/null || true + grep -Ev "^EDGE_TUNNEL_(HOST|PORT|FQDN|FQDN_FORGE|FQDN_CI|FQDN_CHAT)=" "$env_file" > "$tmp_env" 2>/dev/null || true mv "$tmp_env" "$env_file" echo "EDGE_TUNNEL_HOST=${edge_host}" >> "$env_file" echo "EDGE_TUNNEL_PORT=${port}" >> "$env_file" echo "EDGE_TUNNEL_FQDN=${fqdn}" >> "$env_file" + # Subdomain mode: write per-service FQDNs (#1028) + local reg_routing_mode="${EDGE_ROUTING_MODE:-subpath}" + if [ "$reg_routing_mode" = "subdomain" ]; then + echo "EDGE_TUNNEL_FQDN_FORGE=forge.${fqdn}" >> "$env_file" + echo "EDGE_TUNNEL_FQDN_CI=ci.${fqdn}" >> "$env_file" + echo "EDGE_TUNNEL_FQDN_CHAT=chat.${fqdn}" >> "$env_file" + fi + echo "Registered: ${project}" echo " Port: ${port}" echo " FQDN: ${fqdn}" + if [ "$reg_routing_mode" = "subdomain" ]; then + echo " Mode: subdomain" + echo " Forge: forge.${fqdn}" + echo " CI: ci.${fqdn}" + echo " Chat: chat.${fqdn}" + fi echo " Saved to: ${env_file}" ;; diff --git a/docker/chat/server.py b/docker/chat/server.py index 6748354..ef37fb1 100644 --- a/docker/chat/server.py +++ b/docker/chat/server.py @@ -45,6 +45,8 @@ FORGE_URL = os.environ.get("FORGE_URL", "http://localhost:3000") CHAT_OAUTH_CLIENT_ID = os.environ.get("CHAT_OAUTH_CLIENT_ID", "") CHAT_OAUTH_CLIENT_SECRET = os.environ.get("CHAT_OAUTH_CLIENT_SECRET", "") EDGE_TUNNEL_FQDN = os.environ.get("EDGE_TUNNEL_FQDN", "") +EDGE_TUNNEL_FQDN_CHAT = os.environ.get("EDGE_TUNNEL_FQDN_CHAT", "") +EDGE_ROUTING_MODE = os.environ.get("EDGE_ROUTING_MODE", "subpath") # Shared secret for Caddy forward_auth verify endpoint (#709). # When set, only requests carrying this value in X-Forward-Auth-Secret are @@ -102,6 +104,8 @@ MIME_TYPES = { def _build_callback_uri(): """Build the OAuth callback URI based on tunnel configuration.""" + if EDGE_ROUTING_MODE == "subdomain" and EDGE_TUNNEL_FQDN_CHAT: + return f"https://{EDGE_TUNNEL_FQDN_CHAT}/oauth/callback" if EDGE_TUNNEL_FQDN: return f"https://{EDGE_TUNNEL_FQDN}/chat/oauth/callback" return "http://localhost/chat/oauth/callback" diff --git a/lib/ci-setup.sh b/lib/ci-setup.sh index 319e83e..507affb 100644 --- a/lib/ci-setup.sh +++ b/lib/ci-setup.sh @@ -142,6 +142,7 @@ _create_forgejo_oauth_app() { # Set up Woodpecker CI to use Forgejo as its forge backend. # Creates an OAuth2 app on Forgejo for Woodpecker, activates the repo. +# Respects EDGE_ROUTING_MODE: in subdomain mode, uses EDGE_TUNNEL_FQDN_CI for redirect URI. # Usage: create_woodpecker_oauth _create_woodpecker_oauth_impl() { local forge_url="$1" @@ -150,7 +151,13 @@ _create_woodpecker_oauth_impl() { echo "" echo "── Woodpecker OAuth2 setup ────────────────────────────" - _create_forgejo_oauth_app "woodpecker-ci" "http://localhost:8000/authorize" || return 0 + local wp_redirect_uri="http://localhost:8000/authorize" + local routing_mode="${EDGE_ROUTING_MODE:-subpath}" + if [ "$routing_mode" = "subdomain" ] && [ -n "${EDGE_TUNNEL_FQDN_CI:-}" ]; then + wp_redirect_uri="https://${EDGE_TUNNEL_FQDN_CI}/authorize" + fi + + _create_forgejo_oauth_app "woodpecker-ci" "$wp_redirect_uri" || return 0 local client_id="${_OAUTH_CLIENT_ID}" local client_secret="${_OAUTH_CLIENT_SECRET}" @@ -158,10 +165,15 @@ _create_woodpecker_oauth_impl() { # WP_FORGEJO_CLIENT/SECRET match the docker-compose.yml variable references # WOODPECKER_HOST must be host-accessible URL to match OAuth2 redirect_uri local env_file="${FACTORY_ROOT}/.env" + local wp_host="http://localhost:8000" + if [ "$routing_mode" = "subdomain" ] && [ -n "${EDGE_TUNNEL_FQDN_CI:-}" ]; then + wp_host="https://${EDGE_TUNNEL_FQDN_CI}" + fi + local wp_vars=( "WOODPECKER_FORGEJO=true" "WOODPECKER_FORGEJO_URL=${forge_url}" - "WOODPECKER_HOST=http://localhost:8000" + "WOODPECKER_HOST=${wp_host}" ) if [ -n "${client_id:-}" ]; then wp_vars+=("WP_FORGEJO_CLIENT=${client_id}") diff --git a/lib/generators.sh b/lib/generators.sh index eb223e8..739ca50 100644 --- a/lib/generators.sh +++ b/lib/generators.sh @@ -607,9 +607,12 @@ COMPOSEEOF - EDGE_TUNNEL_USER=${EDGE_TUNNEL_USER:-tunnel} - EDGE_TUNNEL_PORT=${EDGE_TUNNEL_PORT:-} - EDGE_TUNNEL_FQDN=${EDGE_TUNNEL_FQDN:-} - # Subdomain fallback (#713): if subpath routing (#704/#708) fails, add: - # EDGE_TUNNEL_FQDN_FORGE, EDGE_TUNNEL_FQDN_CI, EDGE_TUNNEL_FQDN_CHAT - # See docs/edge-routing-fallback.md for the full pivot plan. + # Subdomain fallback (#1028): per-service FQDNs for subdomain routing mode. + # Set EDGE_ROUTING_MODE=subdomain to activate. See docs/edge-routing-fallback.md. + - EDGE_ROUTING_MODE=${EDGE_ROUTING_MODE:-subpath} + - EDGE_TUNNEL_FQDN_FORGE=${EDGE_TUNNEL_FQDN_FORGE:-} + - EDGE_TUNNEL_FQDN_CI=${EDGE_TUNNEL_FQDN_CI:-} + - EDGE_TUNNEL_FQDN_CHAT=${EDGE_TUNNEL_FQDN_CHAT:-} # Shared secret for Caddy ↔ chat forward_auth (#709) - FORWARD_AUTH_SECRET=${FORWARD_AUTH_SECRET:-} volumes: @@ -700,6 +703,8 @@ COMPOSEEOF CHAT_OAUTH_CLIENT_ID: ${CHAT_OAUTH_CLIENT_ID:-} CHAT_OAUTH_CLIENT_SECRET: ${CHAT_OAUTH_CLIENT_SECRET:-} EDGE_TUNNEL_FQDN: ${EDGE_TUNNEL_FQDN:-} + EDGE_TUNNEL_FQDN_CHAT: ${EDGE_TUNNEL_FQDN_CHAT:-} + EDGE_ROUTING_MODE: ${EDGE_ROUTING_MODE:-subpath} DISINTO_CHAT_ALLOWED_USERS: ${DISINTO_CHAT_ALLOWED_USERS:-} # Shared secret for Caddy forward_auth verify endpoint (#709) FORWARD_AUTH_SECRET: ${FORWARD_AUTH_SECRET:-} @@ -805,6 +810,11 @@ _generate_agent_docker_impl() { # Output path: ${FACTORY_ROOT}/docker/Caddyfile (gitignored — generated artifact). # The edge compose service mounts this path as /etc/caddy/Caddyfile. # On a fresh clone, `disinto init` calls generate_caddyfile before first `disinto up`. +# +# Routing mode (EDGE_ROUTING_MODE env var): +# subpath — (default) all services under .disinto.ai/{forge,ci,chat,staging} +# subdomain — per-service subdomains: forge., ci., chat. +# See docs/edge-routing-fallback.md for the full pivot plan. _generate_caddyfile_impl() { local docker_dir="${FACTORY_ROOT}/docker" local caddyfile="${docker_dir}/Caddyfile" @@ -814,8 +824,22 @@ _generate_caddyfile_impl() { return fi + local routing_mode="${EDGE_ROUTING_MODE:-subpath}" + + if [ "$routing_mode" = "subdomain" ]; then + _generate_caddyfile_subdomain "$caddyfile" + else + _generate_caddyfile_subpath "$caddyfile" + fi + + echo "Created: ${caddyfile} (routing_mode=${routing_mode})" +} + +# Subpath Caddyfile: all services under a single :80 block with path-based routing. +_generate_caddyfile_subpath() { + local caddyfile="$1" cat > "$caddyfile" <<'CADDYFILEEOF' -# Caddyfile — edge proxy configuration +# Caddyfile — edge proxy configuration (subpath mode) # IP-only binding at bootstrap; domain + TLS added later via vault resource request :80 { @@ -858,8 +882,50 @@ _generate_caddyfile_impl() { } } CADDYFILEEOF +} - echo "Created: ${caddyfile}" +# Subdomain Caddyfile: four host blocks per docs/edge-routing-fallback.md. +# Uses env vars EDGE_TUNNEL_FQDN_FORGE, EDGE_TUNNEL_FQDN_CI, EDGE_TUNNEL_FQDN_CHAT, +# and EDGE_TUNNEL_FQDN (main project domain → staging). +_generate_caddyfile_subdomain() { + local caddyfile="$1" + cat > "$caddyfile" <<'CADDYFILEEOF' +# Caddyfile — edge proxy configuration (subdomain mode) +# Per-service subdomains; see docs/edge-routing-fallback.md + +# Main project domain — staging / landing +{$EDGE_TUNNEL_FQDN} { + reverse_proxy staging:80 +} + +# Forgejo — root path, no subpath rewrite needed +{$EDGE_TUNNEL_FQDN_FORGE} { + reverse_proxy forgejo:3000 +} + +# Woodpecker CI — root path +{$EDGE_TUNNEL_FQDN_CI} { + reverse_proxy woodpecker:8000 +} + +# Chat — with forward_auth (#709, on its own host) +{$EDGE_TUNNEL_FQDN_CHAT} { + handle /login { + reverse_proxy chat:8080 + } + handle /oauth/callback { + reverse_proxy chat:8080 + } + handle /* { + forward_auth chat:8080 { + uri /auth/verify + copy_headers X-Forwarded-User + header_up X-Forward-Auth-Secret {$FORWARD_AUTH_SECRET} + } + reverse_proxy chat:8080 + } +} +CADDYFILEEOF } # Generate docker/index.html default page. diff --git a/projects/disinto.toml.example b/projects/disinto.toml.example index ebe6eed..34eacae 100644 --- a/projects/disinto.toml.example +++ b/projects/disinto.toml.example @@ -59,6 +59,23 @@ check_pipeline_stall = false # compact_pct = 60 # poll_interval = 60 +# Edge routing mode (default: subpath) +# +# Controls how services are exposed through the edge proxy. +# subpath — all services under .disinto.ai/{forge,ci,chat,staging} +# subdomain — per-service subdomains: forge., ci., chat. +# +# Set to "subdomain" if subpath routing causes unfixable issues (redirect loops, +# OAuth callback mismatches, cookie collisions). See docs/edge-routing-fallback.md. +# +# Set in .env (not TOML) since it's consumed by docker-compose and shell scripts: +# EDGE_ROUTING_MODE=subdomain +# +# In subdomain mode, `disinto edge register` also writes: +# EDGE_TUNNEL_FQDN_FORGE=forge..disinto.ai +# EDGE_TUNNEL_FQDN_CI=ci..disinto.ai +# EDGE_TUNNEL_FQDN_CHAT=chat..disinto.ai + # [mirrors] # github = "git@github.com:johba/disinto.git" # codeberg = "git@codeberg.org:johba/disinto.git" diff --git a/tools/edge-control/register.sh b/tools/edge-control/register.sh index 3ac0d09..ee12ef7 100755 --- a/tools/edge-control/register.sh +++ b/tools/edge-control/register.sh @@ -39,13 +39,10 @@ EOF exit 1 } -# TODO(#713): Subdomain fallback — if subpath routing (#704/#708) fails, this -# function would need to register additional routes for forge., -# ci., chat. subdomains (or accept a --subdomain parameter). -# See docs/edge-routing-fallback.md for the full pivot plan. - # Register a new tunnel # Usage: do_register +# When EDGE_ROUTING_MODE=subdomain, also registers forge., ci., +# and chat. subdomain routes (see docs/edge-routing-fallback.md). do_register() { local project="$1" local pubkey="$2" @@ -79,17 +76,32 @@ do_register() { local port port=$(allocate_port "$project" "$full_pubkey" "${project}.${DOMAIN_SUFFIX}") - # Add Caddy route + # Add Caddy route for main project domain add_route "$project" "$port" + # Subdomain mode: register additional routes for per-service subdomains + local routing_mode="${EDGE_ROUTING_MODE:-subpath}" + if [ "$routing_mode" = "subdomain" ]; then + local subdomain + for subdomain in forge ci chat; do + add_route "${subdomain}.${project}" "$port" + done + fi + # Rebuild authorized_keys for tunnel user rebuild_authorized_keys # Reload Caddy reload_caddy - # Return JSON response - echo "{\"port\":${port},\"fqdn\":\"${project}.${DOMAIN_SUFFIX}\"}" + # Build JSON response + local response="{\"port\":${port},\"fqdn\":\"${project}.${DOMAIN_SUFFIX}\"" + if [ "$routing_mode" = "subdomain" ]; then + response="${response},\"routing_mode\":\"subdomain\"" + response="${response},\"subdomains\":{\"forge\":\"forge.${project}.${DOMAIN_SUFFIX}\",\"ci\":\"ci.${project}.${DOMAIN_SUFFIX}\",\"chat\":\"chat.${project}.${DOMAIN_SUFFIX}\"}" + fi + response="${response}}" + echo "$response" } # Deregister a tunnel @@ -109,9 +121,18 @@ do_deregister() { # Remove from registry free_port "$project" >/dev/null - # Remove Caddy route + # Remove Caddy route for main project domain remove_route "$project" + # Subdomain mode: also remove per-service subdomain routes + local routing_mode="${EDGE_ROUTING_MODE:-subpath}" + if [ "$routing_mode" = "subdomain" ]; then + local subdomain + for subdomain in forge ci chat; do + remove_route "${subdomain}.${project}" + done + fi + # Rebuild authorized_keys for tunnel user rebuild_authorized_keys